Liston vs. Clay
King vs Riggs
I suppose the question is "How does CISSP-ISSMP differs from CISM certification?". Below are some of the differences:
ISSMP is not a standalone certification, rather it's a specialization exam for CISSP holder
Domain coverage:
CISM -- 5 domains (used to be 4)
CISSP-ISSMP 8+6 =14 in total
ISSMP requires additional year of experience in one of the 6 domains (on top of CISSP).
CISM covers Information Security Program Development and Management, something that does not get covered by CISSP or CISSP-ISSMP domains explicitly.
Given that you have covered experience requirements, it will take you longer to get CISSP-ISSMP than CISM (time needed for CISSP exam + time to endorsement + time to CISSP-ISSMP exam vs time to CISM exam)
CISM is less known than CISSP but CISSP-ISSMP has less visibility than CISM
Individuals who work in the field related to information security surely find it intriguing that there are just too many certifications, which one should obtain just to become qualified in the position that they are hopelessly striving for. There is the major award called CISSP as well as the ISSAP, which is a concentration of the CISSP. These two certifications are administered by the International Information Systems Security Certification Consortium (ISC)2.
CISM means higher earning potential and career advancement. Recent independent studies consistently rank CISM as one of the highest paying and sought after IT certifications.
I suspect that you will find people who are successful in the field are, have or will be successful regardless of whatever credentials after their names. Carrying the CISM or CISSP-ISSAP has little to do with the actual success or lack thereof concerning one's career.
Take survey results with a grain of salt unless you truly believe that the people who are paying for such research are doing so for strictly altruistic reasons. Outside of selling you something, of course. In this case - more certifications.
The field is completely awash in certifications such as certified threat hunter and the like. The message is so blurred that we have lost focus trying to see the bigger picture.
@sarita_basnet commented that there are "too many certifications, which one should obtain just to become qualified in the position ..."
Please consider that no certification qualifies us for any position. Knowledge, skills, and experience qualify us for positions. Certifications only help us get past the filtering step of HR resume-screeners in order to reach the professional staff who will actually evaluate our knowledge, skills, and experience, not simply confirm a checklist of certifications. A certification only signals that we may possibly have some subset of the knowledge, skills, and experience they are looking for.
There is at least one case (can be many more) where CISSP and CSSLP are listed explicitly as job qualification requirement. If you review https://www.ftc.gov/system/files/documents/cases/140207trendnetdo.pdf or any similar FTC court order you will see the government asking for those 2 type of certifications (or similar qualifications). Private companies usually don't go for trying to get individuals with similar qualifications for this kind of job since it's too much burden to establish that individual is sufficiently qualified and his qualifications are "similar enough".
@yevgeng referred to jobs "where CISSP and CSSLP are listed explicitly as job qualification requirement."
At this point we must parse the word "qualification" to distinguish between "qualified to be hired" and "qualified to perform the job duties."
To reinforce my point, such certification requirements, also found for all U.S. Department of Defense cybersecurity jobs (per DODD 8140.01 and DoD Manual 8570.01-M, https://iase.disa.mil/iawip/Pages/index.aspx) are administrative qualifications required to get past the HR filter for hiring eligibility. None of the listed certifications in either the DoD or FTC list mean you have the knowledge, skills, and experience needed to actually perform a particular job.
Using myself as an example, I have been a CISSP since 2002, with solid experience since 1998 in the following CBK domains:
• Security and Risk Management
• Security Architecture and Engineering
• Communication and Network Security
• Identity and Access Management (IAM
The CISSP makes me eminently qualified to be hired for DoD Infosec / IA / Cybersec jobs, and have, in fact been doing them since 1997. Howsoever, I do not have the knowledge and experience to work in penetration testing, operating system hardening, malware analysis, or security operations center jobs for DOD or anyone else.