CISSP (ISC2): Study Guide

By The Exam Atlas Editorial Team · Verified 2026-05-29

A suggested study plan

Month 1: Domains 1–2 (Security and Risk Management, Asset Security). Build the risk-based 'manager mindset' early.
Month 2: Domains 3–4 (Security Architecture and Engineering, including cryptography; Communication and Network Security).
Month 3: Domains 5–6 (Identity and Access Management, Security Assessment and Testing).
Month 4: Domains 7–8 (Security Operations, Software Development Security); then full-length timed reviews.

CISSP is famously “a mile wide and an inch deep”. It covers eight domains at the level a security manager needs, not the depth a specialist engineer needs. The single most important habit to build is the manager mindset: for any scenario, choose the risk-based, governance-first action rather than the quickest technical fix. This guide is study guidance only and contains no real or simulated exam questions.

The eight domains, and how to study each

1. Security and Risk Management (16%)

The heaviest and most important domain. Master the CIA triad, governance, security policies, legal and regulatory concepts, and above all the risk management lifecycle. Most of the exam’s judgement questions trace back to here.

2. Asset Security (10%)

Data classification, ownership roles (owner, custodian, processor), data lifecycle, and protecting data at rest, in transit and in use.

3. Security Architecture and Engineering (13%)

Security models (Bell-LaPadula, Biba), secure design principles, and a substantial cryptography section: symmetric vs asymmetric, hashing, PKI, and key management.

4. Communication and Network Security (13%)

The OSI and TCP/IP models, secure network components and protocols, and secure network design. Keep it at design level, not deep packet detail.

5. Identity and Access Management (13%)

The access control models (DAC, MAC, RBAC, ABAC), identity lifecycle, authentication factors, and federation and single sign-on.

6. Security Assessment and Testing (12%)

Assessment and audit strategies, vulnerability and penetration testing, log reviews, and how to interpret and report results.

7. Security Operations (13%)

Investigations, logging and monitoring, incident management, disaster recovery and business continuity (BIA, RTO, RPO, MTD), and physical security.

8. Software Development Security (10%)

Security across the software development lifecycle, secure coding concepts, and assessing the security of acquired software.

Build the manager mindset

As you practise scenarios, pause on each “best answer” and ask why it beats the alternatives. The winning answer usually addresses root cause, follows policy, and reflects risk management — not the fastest technical patch. Training this instinct matters more than memorising facts.

Final preparation

In your last few weeks, switch to full-length, timed reviews to build stamina for the computerised adaptive test, and revisit Domains 1 and 3, which carry the most weight. Avoid any “real questions” sites — they breach ISC2 policy and copyright.

Key concepts to master

Think like a manager
CISSP answers favour the risk-based, governance-first choice over the hands-on technical fix. Ask 'what should a security manager do first?'
Risk management
Identify, assess, respond (avoid/transfer/mitigate/accept), monitor. The exam is risk-driven throughout.
Access control models
DAC, MAC, RBAC, ABAC and rule-based — know when each applies.
Security models
Bell-LaPadula (confidentiality: no read up, no write down) vs Biba (integrity: no write up, no read down).
BCP vs DRP
Business Continuity keeps the business running; Disaster Recovery restores IT. Know BIA, RTO, RPO and MTD.
Defense in depth & least privilege
Layered controls and minimal necessary access — recurring themes across all eight domains.
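The Bell-LaPadula and Biba rules above are easiest to remember once you have seen them as access checks. The following is an added example, not part of this study guide, that reduces each model to its two properties and applies both to a set of constructed labels. The need-to-know category set is an extension of the plain level-only rules stated above (a subject's label must dominate the object's: level at least as high and categories a superset); the level names and sample labels are hypothetical.

```python
"""Mandatory access decisions under Bell-LaPadula (confidentiality) and Biba (integrity).

Added example for the CISSP security-models concept; labels and names are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List, Tuple


class Clearance(IntEnum):
    """Confidentiality levels used by Bell-LaPadula (higher = more sensitive)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class Integrity(IntEnum):
    """Integrity levels used by Biba (higher = more trustworthy)."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass(frozen=True)
class Label:
    """A security label: confidentiality level, need-to-know categories
    (an extension beyond the level-only rules in the guide) and integrity level."""
    clearance: Clearance
    categories: FrozenSet[str]
    integrity: Integrity

    def dominates(self, other: "Label") -> bool:
        """BLP dominance: level at least as high AND categories a superset."""
        return (self.clearance >= other.clearance
                and self.categories >= other.categories)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reasons: Tuple[str, ...]  # the properties that denied access; empty when allowed


def blp_check(action: str, subject: Label, obj: Label) -> List[str]:
    """Bell-LaPadula: no read up (simple security), no write down (*-property)."""
    reasons = []
    if action == "read" and not subject.dominates(obj):
        reasons.append("BLP simple security property: no read up")
    if action == "write" and not obj.dominates(subject):
        reasons.append("BLP *-property: no write down")
    return reasons


def biba_check(action: str, subject: Label, obj: Label) -> List[str]:
    """Biba: no read down (simple integrity), no write up (*-integrity)."""
    reasons = []
    if action == "read" and obj.integrity < subject.integrity:
        reasons.append("Biba simple integrity property: no read down")
    if action == "write" and obj.integrity > subject.integrity:
        reasons.append("Biba *-integrity property: no write up")
    return reasons


def decide(action: str, subject: Label, obj: Label) -> Decision:
    """Apply both models; access is granted only when neither model denies it."""
    if action not in ("read", "write"):
        raise ValueError(f"unknown action: {action}")
    reasons = blp_check(action, subject, obj) + biba_check(action, subject, obj)
    return Decision(allowed=not reasons, reasons=tuple(reasons))


# Constructed sample labels (hypothetical; not from the guide).
ANALYST = Label(Clearance.SECRET, frozenset({"crypto"}), Integrity.MEDIUM)
CONF_MEMO = Label(Clearance.CONFIDENTIAL, frozenset({"crypto"}), Integrity.HIGH)
TS_PLAN = Label(Clearance.TOP_SECRET, frozenset({"crypto"}), Integrity.HIGH)
SECRET_NUKE = Label(Clearance.SECRET, frozenset({"nuclear"}), Integrity.MEDIUM)
PUBLIC_WIKI = Label(Clearance.UNCLASSIFIED, frozenset(), Integrity.LOW)


if __name__ == "__main__":
    cases = [("read", CONF_MEMO, "confidential memo"),
             ("write", TS_PLAN, "top-secret plan"),
             ("read", TS_PLAN, "top-secret plan"),
             ("read", SECRET_NUKE, "secret doc, other category"),
             ("read", PUBLIC_WIKI, "public wiki"),
             ("write", PUBLIC_WIKI, "public wiki")]
    for action, obj, name in cases:
        d = decide(action, ANALYST, obj)
        verdict = "ALLOW" if d.allowed else "DENY (" + "; ".join(d.reasons) + ")"
        print(f"analyst {action:5} {name:28} -> {verdict}")
```

Two of the cases are the ones worth pausing on: writing to the top-secret plan passes Bell-LaPadula (writing up is fine for confidentiality) but fails Biba (a medium-integrity subject must not contaminate a high-integrity object), and reading the public wiki passes Bell-LaPadula but fails Biba's "no read down". Enforcing both models at once therefore confines a subject to objects at its own level, which is why real systems pick one model per concern rather than stacking them blindly.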

FAQ

How long does it take to study for CISSP?
Most candidates need 120–180 hours over three to six months. The challenge is breadth across eight domains, not depth in any one.
What is the CISSP 'manager mindset'?
ISC2 expects you to answer as a risk-focused security manager: prioritise governance, risk and people over the immediate technical fix. Many questions hinge on it.
Can I take CISSP without five years of experience?
You can pass the exam and become an Associate of ISC2, then earn the required experience within six years to gain full CISSP status.
