CISSP Study Plan Questions

Whether you’re planning a war or buying a house, you need a strategy.  A plan of attack.  The same goes for studying for the CISSP exam, you gotta have a study plan.

A reader asked me recently for a solid study plan.  He is planning on taking the exam in 6 -7 months.

That’s plenty of time to study and ace the exam!  Below are some of his questions along with some of my suggestions.



1. How many hours per day or week should be dedicated to studying for the CISSP?

This really varies at which stage you are at in your studies.

Month 1 and Month 2

Did you just receive a 1000-page Shon Harris Study Guide and have only read the first page?  In this case, take it easy and take your time!  There’s no need to just rush in and start memorizing everything on every page.  The first two months of your studies you should start to familiarize yourself with the different domains and the materials contained within.

Read through the pages with leisure, without full intent on memorizing, because memorization will occur automatically later.

Try to dedicate at least 1 -2 hours per day browsing through the book, or a total of 10 hours per week.  Remember, you’re not super focusing on material right now, you’re just getting a “feel” for the information.  This is the time where you will decide if the exam is for you or not, whether you can maintain the dedication to go through with it.

Also, try not to take any practice exam questions just yet.  I say this because your results won’t truly reflect your knowledge of the domains.  You may even get discouraged or humbled by scoring a 60% on a domain you THOUGHT you knew really well!  The truth is, you have to read a domain over and over and over again to get a “feel” for it.

Month 3 and Month 4

By now you should have fully committed to taking the exam, letting nothing else get in your way.  This is a big part of the CISSP study process, your allegiance.

You’ve read through the entire study guide, you have started to take a few practice exam questions, and starting to know what is your strongest domain and what is your weakest domain.

Now, instead of spending 1-2 hours per day browsing the entire study guide, try to spend 1-2 hours on a particular domain, like Asset Security or Software Development Security.  Don’t just focus on the chapters you are weak on just yet, try to devote 1-2 hours on each and every chapter.

Take some practice exam questions and see how you do, but don’t be discouraged by the results.  If you get answers wrong, try to do research as to why it was wrong, and why the correct answer was right.

Month 5 and Month 6

The last few months are the most important.  You want to really tell yourself “Hey, it’s been 5 months of studying, what domain am I doing really well on? And for what domain am I still weak?”

Now is when you should be churning out and trying to get at least a 80% on practice exam questions.  Now is the time when you know your weakest domains, and you start to spend 1-2 hours per day on those chapters.

You should be doing more practice exam questions than reading.  Your reading should be linked to what practice exam questions you got wrong.  If you didn’t know what the Tranquility Principle is, time to read up on the Identity and Access Management domain.  If you didn’t know what the Wassenaar Arrangement is, time to hit up the Security Engineering domain.  

In these last few months you should be fairly confident of the material, but trust me, you’ll still get things wrong in practice exam questions, but you’ll feel less bad about it.  You might’ve eliminated 2 answers, and had a 50% chance of getting the answer right.  If this is the case, you’re on a good track to take the exam.

2. Which domains should we really focus and spend more time on?

This is a tough question, and I’ve asked this question many times during my studies.  In my notes I had read somewhere on a CISSP forum that this was the breakdown:

1. Security and Risk Management
2. Identity and Access Management
3. Security Assessment and Testing
4. Communications and Network Security
5. Security Engineering
6. Software Development Security
7. Security Operations
8. Asset Security

If you want to know how these map to the old domains, click here!

The official answer would be “Study all the domains, because you just don’t know how many questions you are going to get from each domain.”

That’s the official answer.

The BEST strategy is to start studying the domain you are LEAST familiar with, for me it was the Software Development Security domain and the Security and Risk Management domain.

3. How many hours should we spend on each domain?

This depends on what kind of person you are.

Are you obssessive over a topic? Or can you detach and move onto the next topic?

If you are an obsessive person, then you are like me.  You will decide to spend time on the Cryptography domain, and not only read it, but make sure you KNOW it.  This means while reading a domain, you have your web browser open Googling terms and definitions on the Internet for extra knowledge.  For example, while reading about general cryptography, I Googled “World War 2 Enigma Machine”.  Study guides just barely mention the history of the Enigma machine, but the Internet has a whole history from inception, to how it was finally broken by Alan Turing in England.  I even watched the movie “The Imitation Game” for further research, because I’m an obsessive person and want to know everything about a topic to be confident during the exam.

Side Note: I wrote a post about the “Top Secret” military classification label that talks about Alan Turing and the Enigma, if you want to check it out, click here:
Military Classification Labels: Top Secret

If you can detach from your chapters, then you are not an obsessive person.  You can read the Cryptography domain through once, take the practice exams, and move onto the next chapter.  You will most likely come back to the Cryptography domain in order to study it more at a later time.

Both of these strategies are good, so it’s difficult to say how much time you should time you should spend on a domain, it all depends on you!

Personally, I spent about 2-3 hours on each domain per week, with a total of about 24 hours per week for all the domains combined.  This doesn’t just include reading the book, it includes writing about topics on this blog, watching videos, reading other sources, and discussing with my peers at work.

4. Any other helpful tactics or strategies for a strong study plan?

The blog reader who asked all the questions above is also starting a WhatsApp group.  This is a FANTASTIC idea!

Why? Because sometimes you just can’t do it alone, and it helps to have others in the same boat as you.  Working with others can give you motivation to keep up on your studies, and hold you accountable.

Starting and writing a blog about the CISSP topics helps too : )

Please let me know if you have any other questions, I will gladly answer them.

Thanks for reading!


  • Robert Scott

    I have discovered, through experience and other certs, people often wonder how long, how many months etc, to study for any exam. Having taken and passed A+, Security+, Network+, MCITP, CAPM from that experience I will say with a good amount of confidence for each hour allowed on the time limit of the exam testing time, allow at least that many months. For example, if an exam allows 1 hour testing time, at least 1 month of solid DEDICATED study, if test allows 3 hours, at least 3 months of solid DEDICATED study, etc. That said, for CISSP, allow at least 6 months of solid dedicated study. Have a plan, such as the one given here. Hope this helps.

    • studynotesandtheory

      Wow so sorry for the late response Robert!! I don’t know how I missed this comment.

      That’s an accurate description of the study plan in comparison to the length of the exam. I also have the Sec/Net+ which took about a month of study, and the exam time was about 1.5 hrs.

      Same with CCNA and CCNA Security, although a bit more technical in nature, took about 3 months of study.

      The CISSP though, even being 6 hours, I took a complete year to study, instead of 6 months.

  • Pingback: The Only 2 Books I Used for the CISSP Exam | Study Notes and Theory()

  • I started August but i wasn’t that dedicated due to work and other commitments, My initial target was June 2017 but I will be in touch!

    • studynotesandtheory

      Thank you@kchimwanda:disqus for commenting! The site and the study group will be here for you whenever you are ready!

  • Suyash Kaushik

    This post is very helpful for creating a strong study plan for CISSP.

    is in my mind since long time, I took my first step towards it when i
    bought the Sybex Book in Oct and started studying chapter by chapter.
    Now i have completed 9 chapters. Second step i took is to join the
    facebook group and whatsapp group( 2 weeks ago ).

    Since i joined Whatsapp group now to achieve CISSP is in my mind 24*7 and i want to see myself achieving it.
    many others I too stuck with many personal and financial commitments.
    But I will not let it increase the distance between me and CISSP. Soon i
    will make sure to increase my efforts and try to give exam by April

    • hemant Mittal

      Hi Suyash, please share your mobile number so that I can add you in CISSP whatsApp group. There are other aspirant too who willing to pass the exam

      • Derek Lewinson

        Please PM me on Facebook (derek lewinson). I would like to be added to the whatsapp group also.

    • Derek Lewinson

      “I will not let it [life’s challenges] increase the distance between me and CISSP” I LOVE this! Inspiring! Thanks!