Technology20 min read

CISSP Study Plan: 3-Month Schedule + Hours (2026)

How long to study for CISSP? 150-400+ hours depending on experience. Free 3-month study plan with corrected 2024 domain weights, weekly targets, and practice questions.

Ran Chen, EA, CFP®February 25, 2026

Key Facts

  • The CISSP exam uses Computerized Adaptive Testing with 100 to 150 items and a 3-hour time limit (ISC2 Exam Outline).
  • The CISSP passing score is 700 on a 0 to 1000 scaled score (ISC2 Exam Outline).
  • The CISSP exam fee is 749 USD in the Americas, set by ISC2 (ISC2 Candidate Information Bulletin).
  • ISC2 requires 5 years of cumulative paid full-time work experience in 2 or more of the 8 CISSP domains (ISC2).
  • Domain 1 Security and Risk Management is the highest-weighted CISSP domain at 16 percent of the exam (ISC2 Exam Outline).
  • The current CISSP Exam Content Outline took effect April 15, 2024, moving Domain 8 Software Development Security from 11 percent to 10 percent (ISC2).
  • Candidates who pass CISSP without the 5-year experience requirement become an Associate of ISC2 with 6 years to earn the experience (ISC2).
  • CISSP holders pay a 135 USD annual maintenance fee and earn 40 CPE credits per year (ISC2).
  • The CISSP endorsement application must be submitted within 9 months of passing the exam (ISC2 Candidate Information Bulletin).
  • CISSP is delivered at Pearson VUE test centers only and offers no online proctoring option (ISC2).

📺 Watch the Video

CISSP in 2026: Your Complete 3-Month Study Plan

The CISSP (Certified Information Systems Security Professional) is the most respected credential in cybersecurity and one of the most challenging. At $749 per attempt with 8 broad domains to master, you need a clear plan before you start studying.

This guide answers the #1 question CISSP candidates ask: "How long do I actually need to study?" — then gives you a week-by-week, domain-by-domain study plan with target hours to get there. All exam facts reflect the current ISC2 CISSP Exam Content Outline (effective April 15, 2024) and the 2024 Candidate Information Bulletin.

free CISSP practice questionsPractice questions with detailed explanations

CISSP Exam Quick Facts (2026)

DetailInfo
Certification bodyISC2
Exam formatComputerized Adaptive Testing (CAT) — all languages
Questions100-150 (adaptive; exam ends at 95% confidence)
Time limit3 hours
Passing score700/1000 (scaled)
Exam fee$749 USD (Americas; flat fee, no member/non-member split)
Experience requirement5 years paid cumulative work in 2+ of 8 domains (or 4 years + waiver)
Associate pathwayPass first, then 6 years to earn the experience
DeliveryPearson VUE test centers only (no online proctoring)
LanguagesEnglish, Chinese, German, Japanese, Spanish
Chinese availabilityMarch, June, September, December windows only
Endorsement window9 months from exam date
AMF (full member)$135/year
AMF (Associate)$50/year
Retake waits30 / 60 / 90 days; max 4 attempts per 12 months
Reschedule / cancel$50 reschedule, $100 cancellation
Recertification3-year cycle, 120 CPE credits, $135 AMF annually
Outline effectiveApril 15, 2024

How Long to Study: Realistic Timelines by Experience

Not everyone starts from the same place. Here is what to expect based on your background, with weekly hour targets that feed the 3-month plan below.

Your backgroundStudy hoursTimelineDaily studyWeekly hours
Security professional (5+ yrs)150-250 hours2-3 months2-3 hrs/day15-20 hrs
General IT professional (3-5 yrs)250-350 hours3-4 months2-3 hrs/day18-22 hrs
IT professional, limited security exposure300-400 hours4-5 months2-3 hrs/day18-22 hrs
Career changer or early-career350-400+ hours5-6 months2-3 hrs/day18-22 hrs

Key insight: Total hours matter less than understanding the CISSP mindset. This is not a technical exam — it is a management exam. You must think like a CISO advising the board, not a security engineer configuring a firewall.


Start With a Baseline Diagnostic (Week 0)

Before Week 1, take a 25-question mixed-domain diagnostic under timed conditions. Your baseline score determines how aggressively you compress the plan:

  • Below 45% — extend to the 4-5 month timeline; you have knowledge gaps across most domains.
  • 45-60% — follow the full 3-month plan below (most common path).
  • 60-75% — compress to a 60-day plan, front-loading your 2-3 weakest domains.
  • Above 75% — focus on practice exams and mindset drills; you may be ready in 30-45 days.

Record your per-domain breakdown. You will use it again at the Week 6 reality check.


The CISSP Mindset: Why This Matters More Than Hours

The #1 reason experienced security professionals fail the CISSP is thinking too technically. The CISSP tests management-level decision-making.

Technical mindset (WRONG for CISSP):

"The server was compromised. I need to isolate it, capture a memory dump, and analyze the malware."

CISSP mindset (CORRECT):

"The server was compromised. What is the business impact? What do we tell stakeholders? Is our incident response plan being followed? What is the risk to customer data? Do we have regulatory notification obligations?"

Practice this shift from Day 1. When reviewing practice questions, always ask: "What would a security manager recommend?" — not "What would I technically do?"


The 8 CISSP Domains (April 2024 Outline Weights)

The current weights took effect April 15, 2024. Two weights changed versus the prior 2021 outline: Domain 1 rose from 15% to 16%, and Domain 8 fell from 11% to 10%. All other weights are unchanged.

DomainWeightTopics
1. Security & Risk Management16%Risk management, governance, compliance, ethics, BCP, emerging tech (AI, blockchain)
2. Asset Security10%Data classification, ownership, privacy, retention
3. Security Architecture & Engineering13%Secure design, cryptography, system lifecycle, SASE, QKD
4. Communication & Network Security13%Network architecture, secure protocols, microsegmentation, edge networks
5. Identity & Access Management (IAM)13%Authentication, authorization, AAA, password-less, PDP/PEP
6. Security Assessment & Testing12%Vulnerability assessment, pen testing, audits, SOC reports
7. Security Operations13%Incident management, forensics, DRP, continuous monitoring
8. Software Development Security10%SDLC, DevSecOps, SCA, OWASP, managed/cloud services

The domains are weighted relatively evenly (10-16%), so you cannot skip any of them. But Domain 1 is the heaviest and sets the management tone for the entire exam — study it first and most deeply.


What Changed: April 2024 Exam Outline Refresh

The April 15, 2024 refresh is the most significant CISSP content update in several years. Three structural changes plus targeted content additions:

Structural changes

  • Domain 1 weight raised to 16% (from 15%)
  • Domain 8 weight cut to 10% (from 11%)
  • Linear exam eliminated — all languages now use the CAT format (previously German, Japanese, and Spanish were linear-only)

Content additions by domain

  • Domain 1: 5 Pillars of Information Security, specific privacy laws (GDPR, CCPA, PIPL, POPIA), FedRAMP, emerging tech (AI, cryptocurrency, blockchain)
  • Domain 3: New system lifecycle section (3.10), secure access service edge (SASE), quantum key distribution
  • Domain 4: Transport architecture, microsegmentation, edge networks, VPC; removed FCOE and Li-Fi; added Bluetooth
  • Domain 5: Password-less authentication, PDP/PEP access policy enforcement, service accounts; removed OIDC, SAML, Kerberos, RADIUS/TACACS+ subtopics
  • Domain 6: On-premise/cloud/hybrid location considerations, red/blue/purple team examples
  • Domain 7: Continuous monitoring and tuning, data-at-rest/in-transit protection, 2FA fatigue examples
  • Domain 8: Scaled Agile Framework, software composition analysis, separated managed and cloud services
CISSP practice questionsPractice questions with detailed explanations

April 2026 Experience Waiver Change (Plan Around It)

Separate from the exam content, ISC2 changed the experience waiver credential list effective April 1, 2026. The approved list was cut from roughly 50 credentials to about 25.

Removed from the waiver list: CEH, CISA, CRISC, OSCP/E, CIA, CPP, CCSK, most GIAC certifications (GCIH, GCFA, GSEC, GCIA, GCED), Cisco CyberOps, INE eCPPT/eJPT, Microsoft AZ-500, and others.

Still on the waiver list: CompTIA Security+, CompTIA CySA+, CompTIA CASP+/SecurityX, CISM, CCSP, CGRC, CSSLP, SSCP, HCISPP, CCIE Security, CCNA, CCNP Security, AWS Certified Security - Specialty, GICSP/GISF/GISP/GSLC, and Microsoft Certified Cybersecurity Architect.

ISC2's pattern: governance and program-management credentials survived; specialized technical and audit credentials were cut. The one-year waiver maximum still applies (you cannot stack a degree and a credential for two years), and the 4-year degree waiver is unchanged.

What this means for you: If you hold a credential that qualifies under the current (pre-April 2026) rules, submit your CISSP endorsement application before April 1, 2026 to lock in the waiver. After that date, the shorter list applies to all new applications.


The 3-Month Study Plan (For IT Professionals)

This plan targets the most common CISSP candidate: an IT professional with 3-5 years of experience following the 3-4 month, 250-350 hour path at roughly 18-22 hours per week. Adjust the timeline using the table above. Each phase ends with a milestone quiz — do not advance until you hit the target.

Month 1: Foundation Domains (Weeks 1-4) — ~85 hours

Week 1-2: Domain 1 — Security & Risk Management (16%) — 35 hours

This is the most important domain. It establishes the vocabulary, frameworks, and thinking style for the entire exam, and it carries the heaviest weight.

  • Risk management: qualitative vs. quantitative analysis, ALE = SLE x ARO, residual risk
  • Governance: security policies, standards, procedures, guidelines, baselines
  • Compliance: GDPR, HIPAA, SOX, PCI-DSS, CCPA, PIPL, POPIA — scope and requirements
  • Business Continuity Planning: BIA, RPO, RTO, MTD, external dependencies
  • Ethics: ISC2 Code of Ethics (memorize the 4 canons, in priority order)
  • New: 5 Pillars of Information Security, AI governance, emerging tech trends

Milestone (end of Week 2): Score 65%+ on a 30-question Domain 1 quiz.

Week 3: Domain 2 — Asset Security (10%) — 15 hours

  • Data classification levels (government: Top Secret to Unclassified; commercial: Confidential to Public)
  • Data lifecycle: creation, storage, usage, sharing, archiving, destruction
  • Data ownership roles: owner, custodian, processor, controller
  • Privacy: data minimization, purpose limitation, consent management
  • Data retention and destruction policies

Week 4: Domain 3 — Security Architecture & Engineering (13%) — 20 hours

  • Security models: Bell-LaPadula (confidentiality), Biba (integrity), Clark-Wilson
  • Cryptography: symmetric vs. asymmetric, hashing, digital signatures, PKI
  • Secure system design: defense in depth, separation of duties, least privilege
  • New: system lifecycle (section 3.10), SASE, quantum key distribution
  • Physical security: site planning, environmental controls, fire suppression

Milestone (end of Week 4): Score 70%+ across a 50-question Domains 1-3 mixed quiz.


Month 2: Technical Domains (Weeks 5-8) — ~80 hours

Week 5: Domain 4 — Communication & Network Security (13%) — 20 hours

  • OSI and TCP/IP models (from a security perspective)
  • Network security: firewalls, IDS/IPS, VPNs, network segmentation
  • Secure protocols: TLS, IPsec, SSH, S/MIME
  • New: transport architecture, microsegmentation, edge networks, VPC, Bluetooth
  • Network attacks: DDoS, man-in-the-middle, DNS attacks, ARP poisoning

Week 6: Domain 5 — Identity & Access Management (13%) — 20 hours

  • Authentication factors: something you know, have, are, do, somewhere you are
  • New: password-less authentication, access policy enforcement (PDP/PEP)
  • Access control models: DAC, MAC, RBAC, ABAC, rule-based
  • Identity management: provisioning, federation, directories (LDAP, Active Directory), service accounts
  • Privileged access management (PAM)

Week 6 reality check: Around this point many candidates hit a "forgetting wall" — Domain 1 material feels stale. This is normal. Spend 2 hours of Week 6 on spaced-repetition review of Domains 1-2 flashcards before moving on.

Week 7: Domain 6 — Security Assessment & Testing (12%) — 18 hours

  • Vulnerability assessment: scanning, analysis, remediation prioritization
  • Penetration testing: black/white/gray box, rules of engagement, red/blue/purple teams
  • Security audits: internal vs. external, compliance audits, SOC reports
  • Log management, monitoring, KPIs and metrics
  • New: on-premise/cloud/hybrid location considerations

Week 8: Domain 7 — Security Operations (13%) — 20 hours

  • Incident response: preparation, detection, containment, eradication, recovery, lessons learned
  • Digital forensics: evidence collection, chain of custody, legal considerations
  • Disaster recovery: hot/warm/cold sites, DRP testing
  • New: continuous monitoring and tuning, data-at-rest/in-transit protection, 2FA fatigue
  • Threat intelligence and threat hunting

Milestone (end of Week 8): Score 72%+ on a 75-question Domains 1-7 mixed quiz, with no single domain below 65%.


Month 3: Final Domain + Exam Readiness (Weeks 9-12) — ~80 hours

Week 9: Domain 8 — Software Development Security (10%) — 15 hours

  • SDLC: waterfall, agile, DevOps, DevSecOps, Scaled Agile Framework
  • Application vulnerabilities: OWASP Top 10 (SQL injection, XSS, CSRF, etc.)
  • Secure coding: input validation, output encoding, parameterized queries
  • New: software composition analysis, separated managed and cloud services
  • Database and API security

Week 10: Full Practice Exams + Weak-Domain Targeting — 25 hours

  • Take your first full-length, timed practice exam (150 questions, 3 hours, CAT-style if available)
  • Score yourself and identify your 2-3 weakest domains from the diagnostic report
  • Spend the rest of the week on targeted review of those domains

Week 11: Targeted Domain Review + Mindset Drills — 20 hours

  • Focus exclusively on your 2-3 weakest domains
  • Re-read material and do domain-specific practice questions
  • Spend 3 hours on scenario-based manager-mindset drills: for every practice question, write out the CISO-level reasoning before checking the answer
  • Create one-page cheat sheets for key formulas (ALE, RPO/RTO) and frameworks per domain

Week 12: Final Practice Exams + Exam Scheduling — 20 hours

  • Take 2 more full-length practice exams on different days
  • If scoring 75-80%+ consistently with no single domain below 75%, schedule your exam for the following week
  • Final review: ISC2 Code of Ethics, BCP/DRP terms, risk formulas, the 8 domain weights
  • Rest the day before — do not cram

Milestone (end of Week 12): 75-80%+ on two full practice exams, no domain below 75%.


The CAT Format: What You Need to Know

Since April 15, 2024, all CISSP exams use Computerized Adaptive Testing (CAT) — the linear 6-hour, 225-question version was eliminated. This affects every candidate in every language.

CAT featureWhat it means
Adaptive difficultyQuestions get harder as you answer correctly
100-150 questionsThe exam ends when it is 95% confident of your pass/fail status
No going backYou cannot return to previous questions or skip ahead
3-hour time limitMost candidates finish in 2-2.5 hours
Passing at 100If the exam stops at 100, you either clearly passed or clearly failed
Test center onlyNo online proctoring — Pearson VUE test centers only
Advanced item typesMultiple choice plus drag-and-drop and hotspot scenarios

The exam ends via one of three rules: the Confidence Interval Rule (ends at 100+ items if ability is determined with 95% confidence), the Maximum-Length Rule (at 150 items the final ability estimate is evaluated), or the Run-out-of-Time Rule (if time expires, ability is evaluated).

CAT strategy:

  1. Do not panic when questions get harder — harder questions mean you are doing well.
  2. Take your time on early questions — the first 25 questions heavily influence the difficulty curve.
  3. You cannot go back — make your best choice and commit; do not second-guess.
  4. If you reach 150 questions — the exam was close to the pass/fail line. This is common for successful candidates.

Exam Day Strategy

Logistics and in-exam tactics matter as much as study hours.

Before the exam:

  • Arrive 30 minutes early at the Pearson VUE center; bring two forms of ID.
  • Use the restroom before checking in — the clock does not pause for breaks.
  • Eat a light meal 90 minutes before; avoid heavy food that causes drowsiness.

During the exam:

  • Budget roughly 1 minute per question, but do not watch a countdown — the CAT interface does not show question numbers past 100.
  • Read every question twice; identify whether it asks for the BEST, FIRST, or MOST cost-effective action.
  • Eliminate the 2 clearly wrong options first, then choose the more management-oriented, comprehensive answer.
  • If a question seems to have two correct answers, pick the one a CISO would choose.
  • Do not spend more than 2 minutes on any single question — guess, commit, and move on.

After the exam:

  • You receive a pass/fail result immediately.
  • Failing candidates get a diagnostic report showing Below/Near/Above proficiency per domain.
  • If you pass, start your endorsement within days — the 9-month clock starts on exam day.

Retake Policy and Fees

If you do not pass, the path back is structured:

AttemptWaiting period
1st retake30 test-free days
2nd retake60 test-free days
3rd and all subsequent90 test-free days

You may attempt the CISSP up to 4 times in a 12-month period. Each retake requires paying the full $749 exam fee again. To reschedule a booked exam, ISC2 charges $50; to cancel, $100. Reschedule at least 48 hours before your appointment to avoid these fees.


Endorsement and the Associate of ISC2 Pathway

Passing the exam is not the last step.

Endorsement (9 months): After passing, you have 9 months from the exam date to complete the endorsement application. An active ISC2 member in good standing verifies that your work experience maps to at least 2 of the 8 domains and vouches for your professional conduct. If you do not know a CISSP personally, ISC2 can act as your endorser (allow 6+ weeks for processing). Missing the 9-month deadline voids your exam result — you would have to retake the exam. Start the application immediately after passing.

Associate of ISC2: If you pass without the 5 years of experience, you become an Associate of ISC2 rather than a fully certified CISSP:

  • You take the same exam as full CISSP candidates (no watered-down version)
  • You have 6 years from the exam date to accumulate the 5 years of required experience
  • Associate AMF is $50/year (versus $135 for full members), with 15 CPE credits per year
  • You can list "Associate of ISC2" on your resume and note you passed the CISSP exam, but you cannot call yourself a CISSP or use the post-nominal
  • Once you accumulate the experience, submit a new endorsement, pay the $85 upgrade AMF, and a new 3-year certification cycle begins

5 Critical Study Strategies for CISSP

1. Think Like a Manager, Not an Engineer

For every practice question, ask: "What would a CISO recommend?" The answer involving policy, process, risk assessment, or stakeholder communication is usually correct over the technically detailed answer.

2. Master the Vocabulary

The CISSP has its own language. Know the precise definitions of: risk, threat, vulnerability, exposure, safeguard, countermeasure, residual risk, due care, due diligence, and every other security term.

3. Learn the ISC2 Code of Ethics

The 4 canons, in priority order:

  1. Protect society, the common good, necessary public trust, and the infrastructure
  2. Act honorably, honestly, justly, responsibly, and legally
  3. Provide diligent and competent service to principals
  4. Advance and protect the profession

Ethics questions appear on every exam. If there is a conflict between canons, the lower-numbered canon takes priority.

4. Use the "Eliminate Two" Method

Most CISSP questions have 4 answers. Usually 2 are clearly wrong (too technical, too narrow, or factually incorrect). The challenge is choosing between the remaining 2. The more management-oriented or comprehensive answer is usually correct.

5. Do Not Over-Study One Domain

With 8 domains weighted 10-16%, you cannot ace 4 domains and bomb 4. The CISSP requires baseline competency across ALL 8 domains. Spread your study time, but double down on your weakest areas in the final month.


Start Your CISSP Preparation Today

The CISSP is challenging, but it is a career-defining certification worth the investment. Here is your action plan:

  1. This week: Take the 25-question baseline diagnostic and choose a timeline (2-6 months)
  2. Start with Domain 1 — Security & Risk Management (16%) sets the foundation
  3. Practice the management mindset from Day 1
  4. Use practice questions after each domain — not just at the end
  5. If you hold a waiver credential, submit your endorsement before April 1, 2026

Free CISSP Practice Questions

  • Exam-style questions covering all 8 CISSP domains
  • Detailed explanations including the management reasoning behind each answer
  • AI tutor to explain complex security concepts (10 free interactions per day)
  • Track your progress by domain
Start Free CISSP Practice →Practice questions with detailed explanations

Key Takeaways

  1. Study time varies by experience: 150-400+ hours depending on your background
  2. Domain weights changed in April 2024: Domain 1 is now 16%, Domain 8 is now 10%
  3. All languages now use CAT (100-150 questions, 3 hours) — the linear exam is gone
  4. Think like a manager, not an engineer — this is the #1 key to passing
  5. AI governance, zero trust, and supply chain topics are now on the exam
  6. Aim for 75-80%+ on practice exams before scheduling your $749 exam
  7. Start your endorsement immediately after passing — the 9-month window includes processing time

The CISSP is a marathon, not a sprint. Follow this plan, maintain consistency, and you will earn the most respected credential in cybersecurity.

Good luck with your CISSP!

Test Your Knowledge
Question 1 of 6

What is the passing score for the CISSP exam?

A
650/1000
B
700/1000
C
750/1000
D
800/1000
Learn More with AI

10 free AI interactions per day

CISSPISC2CybersecurityStudy PlanInformation SecurityIT CertificationCareer ChangeHow Long to Study

Related Articles

Stay Updated

Get free exam tips and study guides delivered to your inbox.

Free exam tips & study guides. Unsubscribe anytime.