A realistic 16-week plan at roughly 8 to 10 hours per week. CISSP rewards breadth and judgement, so pair reading with scenario practice and keep reinforcing the risk-based “manager mindset” throughout.

| Weeks | Focus | Checkpoint |
|---|---|---|
| 1–3 | Domain 1: Security and Risk Management | You can walk through the risk management lifecycle |
| 4–5 | Domain 2: Asset Security | You can classify data and name the ownership roles |
| 6–7 | Domain 3: Architecture and Engineering (incl. cryptography) | You can contrast Bell-LaPadula and Biba |
| 8–9 | Domain 4: Communication and Network Security | You can describe a secure network design |
| 10–11 | Domain 5: Identity and Access Management | You can pick the right access control model for a scenario |
| 12 | Domain 6: Security Assessment and Testing | You can outline an assessment strategy |
| 13 | Domain 7: Security Operations (incl. BCP/DR) | You can define BIA, RTO, RPO and MTD |
| 14 | Domain 8: Software Development Security | You can describe secure-SDLC practices |
| 15–16 | Full-length timed reviews + weak-area revision | You consistently reason to the “manager” answer |

Tips for the final two weeks
The exam is a computerised adaptive test, so build stamina with full-length, timed practice. Revisit Domains 1 and 3 (the most heavily weighted), and for every practice scenario, articulate why the best answer is risk-based rather than the quickest technical fix. Do not use “real exam questions” sites — they violate ISC2 policy and copyright.