
How to study for the CISSP in 12 weeks

A week-by-week plan to pass the CISSP with deliberate practice.

12 weeks is enough time to pass the CISSP if you treat preparation like a job: short, daily, deliberate. Cramming a thousand pages the weekend before will not get you to a passing score. What works is small, repeated exposure to the eight Common Body of Knowledge domains, combined with honest self-assessment and a steady ramp of practice questions.

This plan assumes you can give the exam about ten hours per week. If you can give more, compress the schedule. If you can give less, expand it, but resist stretching past 16 weeks, since retention starts working against you.

Before week 1: set the runway

A weekend of setup pays back tenfold once you start.

  1. Read the official ISC2 CISSP Exam Outline cover to cover. This is the contract. Every question on test day maps to an objective in this document. Print it. Mark anything that is unfamiliar.
  2. Pick one primary book. The Official Study Guide (Sybex, Chapple/Stewart/Gibson) is the most thorough. The All-in-One Exam Guide (Harris/Maymí) is denser and faster. Pick one and finish it. Owning both and reading neither is the most common failure mode.
  3. Schedule your exam. Sign up at a Pearson VUE center for a date 84 days out. A real deadline is the single biggest predictor of passing.
  4. Set up a question bank. You will need at least 1,500 practice questions over the next three months. TierOne Defense Academy, the official ISC2 practice tests, and Boson ExSim are the banks most candidates rely on.

The weekly rhythm

The schedule below is built on a simple repeating week.

  • Monday through Friday: 30 minutes of flashcards in the morning, 60 minutes of focused reading or video in the evening.
  • Saturday: a 50-question quiz on the current domain, followed by a 30-minute review of every question you missed.
  • Sunday: rest, or a 25-question mixed-domain review to keep prior weeks warm.

Spaced repetition matters more than time spent. A daily 30-minute flashcard session beats a single three-hour Sunday cram every week of the year. The forgetting curve is unforgiving, and the CISSP exam rewards stable long-term recall, not short-term peak intensity.

Week-by-week plan

Weeks 1 and 2: Security and Risk Management (Domain 1, 16%)

The heaviest domain by weight and the foundation for everything else. Spend two weeks here.

Focus topics: the CIA triad, governance versus management, risk management frameworks (NIST RMF, ISO 27005), the difference between policies, standards, procedures, and guidelines, business continuity and disaster recovery planning, professional ethics (the ISC2 Code of Ethics is testable verbatim), and the legal landscape (GDPR, HIPAA, PCI-DSS, intellectual property).

Pitfall to avoid: do not memorize control names without understanding control categories. Know why a detective control is different from a deterrent control, and be ready to classify an unfamiliar control by its effect.

Week 3: Asset Security (Domain 2, 10%)

A short but high-yield domain. Cover data classification, ownership roles (data owner, data custodian, system owner, user), data lifecycle stages, data states (at rest, in transit, in use), retention and destruction, and the role of metadata in protecting sensitive data.

The information lifecycle and the data-roles taxonomy are the two areas you will see again and again.

Weeks 4 and 5: Security Architecture and Engineering (Domain 3, 13%)

The most technical domain. Two weeks is realistic for most candidates.

Week 4: secure design principles (least privilege, defense in depth, fail-secure, separation of duties), security models (Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash), the trusted computing base, and common architectures (client-server, cloud, IoT, ICS).

Week 5: cryptography end to end. Symmetric versus asymmetric, hashing, digital signatures, PKI and certificate hierarchies, key management, attacks on cryptosystems, and the roles of the certificate authority and registration authority.

If your math background is light, do not panic. CISSP cryptography is conceptual, not arithmetic. You need to know what each primitive does and where it fits, not how to perform AES round operations by hand.

Week 6: Communication and Network Security (Domain 4, 13%)

The OSI and TCP/IP models are the spine of this domain. You should be able to map any protocol to its layer in your sleep. Beyond that, focus on secure network design (segmentation, zoning, microsegmentation), common protocols and their secure variants (HTTP/HTTPS, FTP/SFTP/FTPS, DNS/DNSSEC), wireless security (WPA2 vs WPA3, common attacks), and the modern realities of zero-trust networking and software-defined networking.

Week 7: Identity and Access Management (Domain 5, 13%)

Identity is the new perimeter, and the exam reflects that. Cover authentication factors and methods (something you know, have, are, do, or somewhere you are), federated identity (SAML, OIDC, OAuth, and the difference between authentication and authorization), single sign-on patterns and their tradeoffs, access control models (DAC, MAC, RBAC, ABAC, rule-based), the identity lifecycle, and credential management.

Common point of confusion: OAuth is authorization, not authentication. OIDC is the authentication layer built on top.

Week 8: Security Assessment and Testing (Domain 6, 12%)

The shortest leap from theory to practice. Focus on assessment versus testing versus auditing (the distinctions are testable), vulnerability assessments, penetration testing types (black, gray, white box), security control testing, log review and SIEM, code review approaches (static, dynamic, manual, interactive), and the structure of an audit (internal, external, third-party attestation like SOC 2).

Week 9: Security Operations (Domain 7, 13%)

A grab bag. Cover incident response phases (preparation, detection, response, mitigation, reporting, recovery, lessons learned), digital forensics fundamentals (chain of custody, order of volatility), logging and monitoring, change and configuration management, patch management, the difference between BCP and DRP and how RTO, RPO, MTD, and WRT relate, and physical security (CPTED, fire suppression classes, environmental controls).

The incident response phase order and the BCP/DRP metric definitions are heavily tested. Know them cold.

Week 10: Software Development Security (Domain 8, 10%)

The smallest domain by weight, but easy points even if you are not a developer.

Cover the SDLC and where security fits at each phase, common SDLC models (waterfall, agile, DevSecOps), secure coding practices, the OWASP Top 10, software vulnerability types (injection, deserialization, race conditions, buffer overflows), code repositories and version control as security controls, and supply chain risks (SBOM, dependency scanning).

If you write code, this week will feel easy. If you do not, focus on the OWASP categories and the SDLC phases.

Week 11: First full-length mock plus weak-domain triage

This is the inflection week. Block off a Saturday morning, set a six-hour timer, and take a full 150-question mock exam under realistic conditions: no notes, no breaks except the ones the real CAT exam allows, no phone.

When you finish, do not look at your score yet. Mark every question you were unsure about, even the ones you got right. Then score the test and review every wrong answer and every unsure answer. Tag each one with its domain.

You now have your triage list. Spend the rest of week 11 on the two or three lowest-scoring domains. Reread your notes for those domains. Run 50-question targeted drills. Use spaced-repetition flashcards to lock in the specific facts you missed.

Week 12: Final review and exam day

Stop reading new material. The last week is consolidation, not acquisition.

  • Days 1 through 3: 11th Hour CISSP (Eric Conrad) cover to cover. It is short, dense, and built exactly for this week.
  • Days 4 and 5: one more full mock exam. Aim for 75% or better. If you score below 70%, postpone the exam. Your Pearson VUE booking can be moved up to 24 hours before your slot.
  • Day 6: light review. Go for a walk. Sleep eight hours.
  • Day 7 (exam day): eat normally, arrive early, bring two forms of ID. Read each question twice before looking at the answers. The CAT format ends between 100 and 150 questions. Do not panic when it shuts off early in either direction.

Mock exam strategy

You will take three full-length mocks during the 12 weeks: one at the end of week 8 to gauge midpoint readiness, one at the end of week 11 for triage, and one in week 12 as your final readiness check.

A passing mock-exam score is not 700; it is 75% or higher on a quality bank. Mock exams should be slightly harder than the real thing. If your bank is too easy, you will walk into the test center overconfident.

What to do if you fall behind

Life happens. The plan absorbs roughly one lost week without major changes. If you lose more than that, do not try to make it up by doubling Saturdays. Push your exam date out by the number of weeks you lost and resume the plan from where you stopped. The credential will still be there when you are ready.

A final note

The CISSP is a mile wide and an inch deep. You are not being asked to be the world's leading expert in any of these eight domains. You are being asked to think like a senior security manager who can reason across all of them. When two answers look correct, pick the one that a manager would defend in a board meeting: the one that protects life first, then assets, then convenience.

12 weeks of small, daily, deliberate work, and the credential is yours.