Contributor III

Why does ISC2 feel it needs to compete with instead of cooperate with ISACA?

I read the blog post at and it comes across as a sales pitch. ISC2 = good, ISACA = not as good.

I don't think it is good for our profession for two professional organizations to be trying to campaign against one another for the almighty certification dollar. 


I wish the Board had discussed this new CC certification with the membership before proceeding. But since the Board doesn't contribute in any way, shape, or form on these Community pages, that would explain why that didn't happen.

3 Replies
Community Champion

It's not accurate either (3 should be security operations & response) but I would assume there were some questions asked about the difference and they might have figured it would be easier to write a quick blog on it.


Your post did make me think back to "Infinite Game", by Simon Sinek, on Simon telling an Apple Exec about how great the Zune was.




Community Champion

For years, the management of (ISC)2 has done studies of the differences in certification (some from ISACA, some from CompTIA, etc.) and it looks like Marketing are now taking full advantage of the materials.


I can remember these comparisons being discussed with the Boards and sometimes pieces of them being used in Marketing.


Maybe just maybe the CC is not catching on the way that they thought?


Too bad that their fact checking is WRONG (2 and 3)


  1. Information Security Fundamentals (27%)
  2. Information Security Fundamentals (27%)

Another example of sloppiness when the organization is posting something.


Really sad.




Defender I

As a point of history, it was ISACA that started the competition.

Sometime in the mid-2000s ISACA introduced a new management certification, intended for managers who supervised CISA auditors. It was designed to be an enhancement for a CISA who wanted to move up from auditor to audit manager, and also for experienced managers who were not CISA but were selected to supervise CISA auditors.


During the initial year for CISM, they had a grandfathering process, so holders of CISSP who also had five years of management experience could become CISM without taking the CISM test. If you examined the CISM requirements, they had a very high overlap with the CISSP domains. The CISM was essentially a direct competitor to the CISSP, focused for audit organizations.

At the time, the only (ISC)2 certifications were CISSP and SSCP.


Within a short time (ISC)2 responded to this CISM threat by creating the Associate of (ISC)2 status. They removed the experience requirement to take the CISSP exam, and said anyone who passed the CISSP exam without the required experience for certification became an Associate of (ISC)2. This status was not a membership in (ISC)2, just a lead-in to membership once the experience was documented and they could become certified CISSP, and an (ISC)2 member.

Important to note that at the time this Associate status was only for CISSP, not for SSCP. 

The idea was to capture young infosec workers into the (ISC)2 path before they found out about ISACA and the CISA or CISM.


Over the years since, (ISC)2 has introduced a variety of other certifications, and added the Associate status to cover test-passed/inadequate experience for many of those, as for the CISSP.


Confused yet?



D. Cragin Shelton, DSc
My Blog
My LinkedIn Profile
My Community Posts