Best information security management certifications

May 15, 2019 by Kurt Ellzey

Back in the day, if you asked someone in tech if they were certified, you would usually get one of two answers: “Yes, I just got my Cisco/A+/Microsoft cert” or “No, but I’m working on it.” There were fewer certifications then, and the ones that existed were considered fundamental.

Now, however, IT certifications exist in a myriad of topics, complexities and levels. The higher up the chain you get, the more paradoxical these certifications become: on the one hand, they get significantly more specialized, but at the same time they also expand out to cover additional, not necessarily technical, topics.

For this article, we’re looking at the top five information security management certifications. IS certifications are already pretty specialized when it comes to technical skills, but once you start getting into management-level items, you’re also expected to understand how to deal with multiple departments, multiple disciplines and C-level executives.

These certifications are among the best of the best at what they do and can prepare you for a wide variety of situations. However, these certifications are designed to go beyond just “If A, then B” type scenarios — they excel at teaching concepts which can then be adapted to new circumstances beyond what you were explicitly trained for.

So, in no particular order, here are the top five information security management certifications.

1. CISSP — Certified Information Systems Security Professional

Certification Body: (ISC)2

The Certified Information Systems Security Professional (CISSP) exam covers an enormous amount of material across multiple domains, and as a result is an excellent certification for consideration by persons going into IS management. Many times, it’s considered a capstone certification because it already expects you to be familiar with multiple technical and security fields and builds up from there. Even the Certification Body (the International Information System Security Certification Consortium, or ISC2) is aware of this and says right on the official description page that it’s “not for everyone.”

The CISSP certification is exceptionally strong, however, and the community that surrounds it is one of the best in the world. If you choose to go for this certification, you will be challenged, but you will not be disappointed in the results.

After passing your exam, you will be asked for a personal endorsement from an existing person certified by (ISC)2. This is to verify that the exam taker has the experience required to receive the certification. Therefore, it is strongly recommended that you make contact with others who have passed these exams in the past so that they may get to know you and know for certain that you have the required experience.

2. CISSP-ISSMP — Information Systems Security Management Professional

Certification Body: (ISC)2

Because the CISSP does cover so much material, it can be difficult to focus in on one particular aspect of it. Once you have your CISSP, if you have a particular section that you need to dial in on, (ISC)2 has what they call “concentrations” — additional training and certifications that go above and beyond the standard CISSP.

The CISSP-ISSMP (and yes, that is a mouthful) focuses on the “Management” section of information security as opposed to the other two concentrations (Architecture and Engineering). While the concentration exams are still challenging, they are not as difficult as the standard CISSP. (ISC)2 has designed this concentration to be for professionals who “specialize in establishing, presenting, and governing information security programs, and demonstrate management and leadership skills.”

3. CISM — Certified Information Security Manager

Certification Body: ISACA

While the CISSP is usually targeted towards technical or security persons advancing towards management, the Certified Information Security Manager certification (CISM) is designed more for people who are already in management and working on security strategies. This is visible in the requirements for the certification itself, as the Information Systems Audit and Control Association (ISACA) requires a minimum of three years of information security management work experience (among other things) to obtain this certification, though there are some substitution options available.

If you choose to go for this exam, it is strongly recommended to sign up for the Official ISACA CISM Exam Study Community to assist in your preparations alongside your regular studying practices.

4. CISA — Certified Information Systems Auditor

Certification Body: ISACA

It’s safe to say that information security management revolves almost entirely around compliance and policies. Without confirmation that your organization is following these rules, a crisis could prove catastrophic.

While the CISM is recommended for persons already in a management position, the Certified Information Systems Auditor (CISA) was a “mandatory qualification to be promoted to the manager level.”

5. CCISO — Certified Chief Information Security Officer

Certification Body: EC-Council

The International Council of Electronic Commerce Consultants (EC-Council) may be best known for their Certified Ethical Hacker (CEH) certification. However, they have since expanded their offerings to multiple other categories. According to them, the Certified CISO program “was developed by sitting CISOs for current and aspiring CISOs.” They call the certification a “Leadership Course for experienced InfoSec professionals.” While experience is required to sit the exam, the exact amount of experience varies depending on whether or not you have taken an associated training course.

Regardless of which certification you choose, you will learn a great deal that will help tremendously with your career goals. Not every certification is best for every person, so please be sure to take the time to study your options — weigh the pros and cons, the costs, the time and the support you may receive for each option. Talk to people who have taken and passed the exams, see which ones have helped them in the real world and make an informed decision on which one is best for you.

Kurt Ellzey has worked in IT for the past 12 years, with a specialization in Information Security. During that time, he has covered a broad swath of IT tasks from system administration to application development and beyond. He has contributed to a book published in 2013 entitled "Security 3.0" which is currently available on Amazon and other retailers.