Twelve weeks is enough time for a CISSP study plan if you already have a few years of broad security experience and can put in 10-12 hours a week. It isn't enough if you're trying to learn security from scratch, and no amount of study technique fixes that — it's just how this exam works.
This is the 12-week CISSP study plan I'd actually build if I were sitting for the exam this quarter. Not the idealized one with perfect seven-day weeks. The one that assumes you have a full-time job, you'll lose a weekend to something you didn't plan for, and somewhere around Week 6 or 7 you'll hit a stretch where you're just tired.
One caveat before the weekly schedule: what's below is scaffolding, not gospel. Adjust the depth based on your diagnostic results. If Domain 4 is already a strength because you've spent a decade in networking, don't grind through ten hours there just because the plan says so.
Before Week 1: the unglamorous prep that actually matters
A lot of people skip this phase and then spend Weeks 3 through 5 realizing their resources are wrong, their study time isn't actually on the calendar, or they never booked the exam. Don't be that person.
Four things to get done before you open a book:
- Take a diagnostic test so you know your per-domain baseline. If you haven't looked at the exam outline in a while, the CISSP domain guide is a useful primer.
- Get your materials sorted. The Sybex Official Study Guide, a question bank you'll actually use, and somewhere to take notes. If you like video, Destination Certification and Pete Zerger are the two I point people at most often.
- Put study time on the calendar as blocks. Not vague intentions — actual meetings-with-yourself you won't move.
- Book the exam for 12 weeks out.
That last one is the step people resist. They want to wait until they "feel ready" to book. That usually means booking it three weeks later than they should have, and the extra time doesn't help anyone — it just extends the anxiety.
Week 1: Domain 1 — Security and Risk Management
Domain 1 is 16% of the exam, the largest single domain, and the week where the governance-first mindset starts getting trained into you. Spend the full 10-12 hours. This is also where candidates with strong technical backgrounds tend to underprepare because governance feels "soft" compared to crypto or networking. That's a mistake the exam punishes consistently.
Days 1-3 are for reading: CIA triad, security governance, legal and regulatory topics, policies, and risk management. Days 4-5 go deep on risk terminology (threat vs. vulnerability vs. risk vs. exposure) and the quantitative risk math — SLE, ARO, ALE. Day 6 covers personnel security, supply chain, and the high-level BCP/DRP concepts. Day 7 is your first real practice-question day: 50-75 domain-specific questions, and review every miss — not just the ones you got wrong by a little.
If you finish Week 1 able to explain why a CISO answers to the board and not the CTO, you're in good shape. If you can't, reread the governance section before moving on.
Week 2: Domain 2 — Asset Security
Domain 2 is a 10% domain and mostly formulaic. Data classification, data roles (owner, controller, processor, custodian), lifecycle, retention, destruction. Eight to ten hours, not twelve.
Read the chapter across days 1-2. Spend days 3-4 on controls — encryption at rest, DLP, data remanence, and the distinctions between wiping, degaussing, and physical destruction. Day 5 is retention and standards selection (ISO 27001, NIST). Reserve the weekend for 50 practice questions and note review.
The usual Domain 2 trap is the owner vs. custodian distinction. The exam will hand you a scenario where both roles sound plausible and expect you to pick the governance role over the operational one. If you're missing those in Week 2, the fix is usually more Week 1 review, not more Week 2.
Week 3: Domain 3, Part 1 — Models and Design
Domain 3 is the dense one. You're going to spend two weeks here and still feel like you haven't covered everything. Normal.
This week is the conceptual half. Start with secure design principles — defense in depth, least privilege, fail-safe defaults, separation of duties. From there, into the security models: Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash. Memorize the rules. You will get tested on which model enforces no-read-up versus no-write-up, and the exam doesn't forgive guessing. Then into system security capabilities and the vulnerabilities that come with different environments — client-side, server-side, cloud, IoT, ICS/SCADA, mobile.
End the week with 50 practice questions on design and models. If you miss more than 30% of them, slow down. Don't move into Week 4 until the models are solid, because Week 4 stacks cryptography on top.
Week 4: Domain 3, Part 2 — Cryptography and Physical Security
Cryptography is where a lot of candidates either thrive or get buried. It's not about memorizing every algorithm — it's about knowing when to use what and recognizing common attacks. If you need a refresher on the fundamentals, the cryptography primer for CISSP covers the concepts the exam actually tests.
Two days on symmetric crypto (AES, 3DES, block modes, stream ciphers). Two days on asymmetric (RSA, ECC), hashing, digital signatures, and PKI — especially PKI, which shows up across multiple domains. Day 5 hits cryptanalytic attacks and physical security (site selection, HVAC, fire suppression — yes, fire suppression is on the exam). Day 6 is Domain 3 review. Day 7, a 75-question practice set across the full domain.
One pattern worth noting: candidates who do well on crypto questions tend to be the ones who built a mental map of "this kind of problem → this kind of solution" rather than memorizing algorithm names. The exam rarely asks "what is AES-256?" It asks which cryptographic approach fits a scenario.
Week 5: Domain 4 — Communication and Network Security
If you don't have a networking background, Week 5 is going to hurt. Budget the full 12 hours and don't try to rush it.
Start with the OSI model. Don't just memorize the layers — understand what attacks target each layer and what controls operate at each layer. This is the framework everything else hangs off of. From there, secure network design (VLANs, segmentation, DMZ, zero trust), then the secure protocols (TLS, IPsec, SSH, Kerberos, RADIUS, TACACS+), then wireless (WPA2, WPA3, 802.1X).
Seventy-five practice questions on day 7. If networking is already a strength, scale this week down and bank the extra hours for Week 8.
Week 6: Domain 5 — Identity and Access Management
IAM is one of the most-tested domains, and the access control models are where questions concentrate. DAC, MAC, RBAC, ABAC — know the scenarios for each, not just the definitions. The CISSP IAM concepts guide is a useful complement to the Sybex chapter.
Federation (SAML, OAuth, OIDC) and MFA are the other heavy hitters. Give yourself time to work through real scenarios — which protocol does a partner integration use, which factors combine for true MFA, what breaks if you remove one. Memorize the identity lifecycle (provisioning, review, deprovisioning) because it shows up in both IAM and Operations questions.
Seventy-five questions at week's end. Expect IAM to feel familiar but still trip you up on edge cases.
Week 7: Domain 6 — Security Assessment and Testing
Lighter domain, 10%, eight to ten hours.
The distinction that matters most here is vulnerability assessment vs. penetration testing. They are not the same thing, the exam will not let you conflate them, and you will see at least one question that turns on that difference. Learn it cold.
Spend days 3-4 on white/gray/black box testing. Days 5-6 on log reviews, synthetic transactions, code review, and audit report types — SOC 1 vs. SOC 2 Type I vs. Type II comes up often enough that it deserves explicit flashcards. Day 7, 50 questions.
Week 8: Domain 7 — Security Operations
Operations is sequential content. Incident response has a lifecycle. Disaster recovery has stages. Both have to be memorized in order, because the exam will hand you a scenario mid-process and ask what comes next.
Days 1-2 on investigations, evidence handling, chain of custody, and digital forensics basics. Days 3-4 on the incident response lifecycle: preparation, detection, analysis, containment, eradication, recovery, lessons learned. Memorize the order. Days 5-6 on business continuity and disaster recovery, with particular attention to the recovery metrics — BIA, RTO, RPO, MTD, WRT. Know how they relate. You will see a question where someone's proposed RTO exceeds MTD, and you need to recognize that as wrong on sight.
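As an added illustration (not part of the original post), here is the "RTO exceeds MTD" sanity check from the paragraph above written as a small validator over a constructed BC/DR table. It assumes the standard relationships RTO + WRT <= MTD and backup interval <= RPO; the system names and numbers are made up.

```python
# Added example (not from the original post): a checker for the Domain 7
# recovery metrics the plan says you must be able to relate: MTD, RTO, WRT, RPO.
# Assumed relationships (standard CISSP definitions): RTO + WRT <= MTD, and
# backups must run at least as often as the RPO. Sample entries are constructed.
from dataclasses import dataclass


@dataclass
class RecoveryObjectives:
    system: str
    mtd_hours: float               # Maximum Tolerable Downtime
    rto_hours: float               # Recovery Time Objective (system restored)
    wrt_hours: float               # Work Recovery Time (data verified, work resumed)
    rpo_hours: float               # Recovery Point Objective (tolerable data loss)
    backup_interval_hours: float   # how often backups actually run


def check_objectives(obj: RecoveryObjectives) -> list[str]:
    """Return findings for one system; an empty list means the numbers are consistent."""
    findings = []
    # The "wrong on sight" case: restoring the system alone outlasts what the business can survive.
    if obj.rto_hours > obj.mtd_hours:
        findings.append(f"{obj.system}: RTO {obj.rto_hours}h exceeds MTD {obj.mtd_hours}h")
    # Even when RTO fits, RTO plus WRT is the real time until operations resume.
    elif obj.rto_hours + obj.wrt_hours > obj.mtd_hours:
        findings.append(
            f"{obj.system}: RTO + WRT {obj.rto_hours + obj.wrt_hours}h exceeds MTD {obj.mtd_hours}h"
        )
    # An RPO is only achievable if backups run at least that often.
    if obj.backup_interval_hours > obj.rpo_hours:
        findings.append(
            f"{obj.system}: backups every {obj.backup_interval_hours}h cannot meet RPO {obj.rpo_hours}h"
        )
    return findings


# Constructed sample BC/DR entries: one fails outright, one fails on WRT and RPO, one is fine.
SAMPLE_PLAN = [
    RecoveryObjectives("order-db", mtd_hours=8, rto_hours=12, wrt_hours=2, rpo_hours=1, backup_interval_hours=1),
    RecoveryObjectives("web-tier", mtd_hours=24, rto_hours=12, wrt_hours=16, rpo_hours=4, backup_interval_hours=24),
    RecoveryObjectives("wiki", mtd_hours=72, rto_hours=24, wrt_hours=8, rpo_hours=24, backup_interval_hours=24),
]


def review_plan(plan: list[RecoveryObjectives]) -> dict[str, list[str]]:
    """Map each system name to its list of findings."""
    return {o.system: check_objectives(o) for o in plan}


if __name__ == "__main__":
    for system, findings in review_plan(SAMPLE_PLAN).items():
        print(system, "OK" if not findings else findings)
```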
Seventy-five questions on day 7. Operations is the second-largest domain after Domain 1 and leans on memorization more than judgment, so the effort pays off directly.
Week 9: Domain 8 — Software Development Security
SDLC models, secure coding practices, OWASP Top 10 at a conceptual level, and application security testing (SAST, DAST, IAST, RASP). Database security makes a brief appearance.
Eight to ten hours is usually enough unless you have zero development background, in which case budget twelve. The testing method distinctions matter — SAST is static, DAST is dynamic, and the exam will ask you when to use which. Fifty practice questions on day 7.
Weeks 10-11: Full-length exams and weak-area triage
This is the inflection point of the plan. Up through Week 9, you're building knowledge. From Week 10 onward, you're converting it into exam-ready judgment.
On day 1 of Week 10, sit for a full 4-hour CAT-style practice exam. Don't pause it. Don't check your phone. Don't look up a concept mid-exam. If you can't simulate real conditions at home, the practice exam won't tell you what you need to know.
The real work is days 2-7: review every missed question. Not "here's the right answer" — figure out why your pick was wrong and why the right answer was right. If you start seeing a pattern where you keep picking the technically correct answer over the governance-first answer, that's a mindset problem, and it's the single most common reason experienced engineers fail CISSP. I've watched this happen to candidates with 12+ years in network security — they score 85% on individual domain tests but miss 40% of the integration questions because they keep defaulting to "here's how I'd solve this" instead of "here's what a security leader would recommend." The fix isn't more content review. It's practice with that specific framing until it becomes the default.
Week 11 repeats the pattern: another full-length on day 1, targeted weak-area review for the rest of the week. If weak domains aren't moving between Week 10 and Week 11, add flashcards for the memorization-heavy topics (security models, crypto algorithms, recovery metrics) and keep pushing domain-specific question sets.
Another pattern I've noticed: people who skip the second full-length exam because they "don't feel ready yet" are usually the ones who also delay booking the real test. The full-length isn't a graduation — it's a diagnostic. Take it even if you'll score badly, because the score is what tells you where to work.
Week 12: Taper, don't cram
Week 12 is lighter on purpose. Eight to ten hours max, and some of those should be rest-adjacent — flashcards on your phone, skim reviews, one more timed exam if you're up for it.
Days 1-2: mixed-domain question sets, 50 a day. Days 3-4: review your own summary notes and the Sybex chapter summaries. Day 5: one more timed exam; two hours is fine if you're burning out. Day 6: light review. Day 7 — the day before the exam — study nothing. Sleep. Walk. Eat actual food. The people who pull all-nighters the night before rarely pass.
Your knowledge is set by Week 12. What you're managing now is stamina and mindset. The CAT exam format is adaptive — questions get harder as you answer correctly — so if the exam feels brutally hard, that's often a good sign, not a bad one.
Rules that apply every week of your CISSP study schedule
A few things aren't tied to any specific week but matter throughout.
Practice questions are how you build the judgment this exam tests. Reading alone won't get you there, no matter how many times you read the Sybex guide. Every week in this CISSP weekly schedule includes practice questions for a reason, and skipping them to read more is a trap that looks like studying.
When two answers both look correct, pick the broader, more governance-oriented one. The "think like a manager" heuristic is responsible for more passed exams than any other single piece of advice.
Don't overspend on favorite topics. Cryptography is fun. Networking is interesting. Domain 1 is not. The exam doesn't care what you find interesting — it's balanced across eight domains, and your study needs to match.
Sleep. Twelve weeks is a long time to sustain. Candidates who burn out in Week 9 and cram through Week 12 usually score worse than candidates who took real breaks.
When to stretch or compress this plan
The 12-week version assumes moderate-to-strong experience and 10-12 hours a week. It breaks if either of those assumptions is wrong.
Stretch to 16 weeks if your diagnostic came in below 50%, you have less than three years of security experience, you can only study 6-8 hours a week, or you have meaningful gaps in three or more domains.
Compress to 8-10 weeks if your diagnostic is above 70%, you have 8+ years of broad security experience (not just one specialty), you can put in 15+ hours a week, or you already hold CISM or CCSP.
If none of the above cleanly applies, stick with 12.
Starting your CISSP study plan
The plan above only works if it's calibrated to your baseline, not a generic starting point. Before you lock in 12 weeks of your life, figure out where you actually stand. Most people are wrong about their weak domains, and studying the wrong things for three weeks is a mistake you don't fully recover from.
The free CISSP diagnostic on LearnZapp covers all eight domains, takes about 30 minutes, and hands you a per-domain accuracy breakdown so you know which weeks need more time and which you can fly through. No signup.