TL;DR
- The 90-day plan is the most-recommended CISSP study cadence for working professionals: ~135 hours total, ~1.5–2 hrs/day, six days/week.
- Weeks 1–8 are domain study; weeks 9–11 are full-exam practice + weakness remediation; week 12 is review and rest.
- Three weekly checkpoints prevent slippage: Sunday review (60 min), Wednesday quiz (30 min), Saturday timed block (90 min).
- Most failed CISSP attempts share one pattern: too much reading, not enough question-bank practice. Aim for at least 2,000 practice questions worked over the 90 days.
Who this plan is for
You have a full-time job, 1.5–2 hours of daily study budget on weekdays, and a bit more on weekends. You have at least 2–3 years of cybersecurity-adjacent experience. You want to pass on the first try without burning out at week 6.
If your context is different, adapt: experienced senior engineers can compress this into 60 days; folks new to several domains may want 120. The structure stays the same.
The materials assumed by this plan
- Official (ISC)² CISSP Study Guide (the OSG, current edition) — primary text.
- One quality question bank — Boson ExSim, Pocket Prep, or the OSG question bank app. ~2,000+ questions total inventory.
- A spaced-repetition flashcard app — Anki deck or equivalent.
- One YouTube refresher series for week 12 — Pete Zerger's exam-cram playlist is the community standard.
Total cost: ~$200 for everything if you buy new. Less if you split the OSG with a study buddy.
The 12-week schedule
Weeks 1–2: Domain 1 — Security and Risk Management (16% weight)
Two weeks for the biggest domain. Read OSG Chapter 1 thoroughly. This is also where you absorb the "think like a manager" mindset that the rest of the exam expects.
- Mon–Fri (1.5h/day): Read 30–40 OSG pages, take notes on every acronym (BCM, DRP, BIA, RTO, RPO, MTD, NDA, SLA).
- Sat (90 min): Work 50 Domain 1 questions. Review every wrong answer, even the close ones.
- Sun (60 min): Re-read your notes from the week.
Week 3: Domain 2 — Asset Security (10% weight)
Shortest domain. Data classification, data lifecycle, data states (at rest / in transit / in use), retention, destruction, privacy roles. Should feel almost easy after Domain 1.
Weeks 4–5: Domain 3 — Security Architecture and Engineering (13% weight, HARD)
Two weeks because this is consistently the most-failed domain. Covers security models (Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash), trusted computing base, cryptography (symmetric, asymmetric, hashing, PKI, digital signatures), and security capabilities of information systems.
- Cryptography alone deserves 4–5 days. The exam will test specific algorithm strengths, key sizes, and use cases.
- The security models can feel abstract — pair each with a real-world example (BLP = military classification; Biba = financial integrity; Clark-Wilson = banking transactions).
Week 6: Domain 4 — Communication and Network Security (13% weight)
OSI model, TCP/IP stack, common protocols and ports, segmentation, VPNs, wireless security, SDN basics, and network attack categories. If you have a networking background this is your easy week. If you don't, double down on the OSI model — many Domain 4 questions hinge on identifying which layer an attack or control operates at.
Week 7: Domain 5 — Identity and Access Management (13% weight)
Authentication factors, SSO, federation (SAML, OAuth, OIDC), RBAC vs ABAC vs MAC vs DAC, identity provisioning lifecycle, privileged access. The IAM market has matured so fast that Domain 5 has become more vocabulary-heavy than reasoning-heavy — make flashcards for every protocol and standard.
Week 8: Domain 6 — Security Assessment and Testing (12% weight)
Audit strategies (internal vs external vs third-party), penetration testing methodology, vulnerability assessment, log review, account management testing, code review, breach attack simulation. Half is technical, half is governance β both styles of questions appear.
Week 9: Domain 7 — Security Operations (13% weight)
Incident management (detection, response, mitigation, reporting, recovery, remediation, lessons learned), patch and vulnerability management, change management, BC/DR, physical security, investigations (digital forensics, evidence handling, chain of custody), operational policies, threat intelligence. The single biggest reasoning-style domain.
Week 10: Domain 8 — Software Development Security (10% weight, HARD)
SDLC models (waterfall, agile, DevSecOps), security in CI/CD, source code review, SAST/DAST/IAST/SCA, OWASP Top 10, secure coding practices, database security, runtime protection. The other consistently failed domain. Non-developers find it abstract — work more practice questions here than your time budget suggests.
Week 11: Full-length practice exams
This is where most candidates discover their actual gaps.
- Sat Week 11: Take a 125-question, 3-hour timed practice exam under test conditions (no phone, no notes, water only). Score yourself by domain.
- Mon–Fri Week 11: 90 min/day re-studying your two weakest domains.
- Sun Week 11: Take a second 125-question timed exam. Aim for 75%+ across all domains.
If you score below 70% on any single domain, push the exam back 1–2 weeks and address it. Better to delay 14 days than to fail and wait 30 to retest.
Week 12: Refresher + rest
- Mon–Wed (1 hr/day): Watch Pete Zerger's exam-cram videos. Take light notes.
- Thu: Review your own domain notes. No new material.
- Fri: Light review only. Stop studying by 6pm. Watch Kelly Handerhan's "Why You Will Pass the CISSP".
- Sat morning: Sit the exam.
The three weekly checkpoints
1. Sunday review (60 min)
Re-read every note you took during the week. Don't add new material. The goal is to re-encode short-term recall into longer-term memory. Skip this and the early domains fade by week 8.
2. Wednesday quiz (30 min)
Take a 25-question quiz on whatever domain you're currently studying. Don't look up answers as you go. Score it, and add anything you missed to flashcards.
3. Saturday timed block (90 min)
Sit a 50-question mixed quiz drawn from every domain studied to date. This is the most important habit in the entire plan — it forces cross-domain pattern recognition, which is what the actual CAT-format exam tests.
What to do when life happens
You will miss a week. Maybe two. Real plan, real life. Here's the priority order when you fall behind:
- Never skip the Saturday timed block. It's the diagnostic.
- Skip OSG reading first, not questions. If you have 30 minutes today, do questions, not reading. Questions teach test-taking; reading teaches material.
- Push the exam back, don't skip domains. Pearson VUE lets you reschedule for ~$25 up to 24 hours before. Failing because you rushed costs more than $25.
- Keep the flashcards going daily. 10 minutes minimum, every day. Spaced repetition is the one thing that survives a chaotic schedule.
What if you're not seeing 75%+ on practice tests by Week 11?
Two scenarios. One: your scores are 65–74% and trending up. You're probably fine — the actual CAT exam often feels harder than third-party banks and most candidates still pass. Two: your scores are below 65% and not trending up. Reschedule 2–4 weeks out, re-study your two weakest domains, then re-test. Don't push through and hope.
Frequently asked questions
Can I really do this in 90 days while working full-time?
Yes — thousands of people do every year. The plan above totals about 135 hours, which works out to roughly 1.5–2 hrs/day, 6 days a week, over 12 weeks. It's real work, but it's not impossible work.
What if I have less time per day?
Stretch to 120 or 150 days. Don't cut content. The 8 CBK domains cannot be skimmed.
Should I take a boot camp instead?
Only if your employer pays. A $3,000+ five-day boot camp can't replace the actual study time you need — it accelerates exposure but not retention. Most candidates who attend a boot camp still do 60+ hours of self-study before passing.
Do I need to memorize every NIST publication number?
No. Know the headline publications and what they govern: SP 800-53 (US federal controls), SP 800-171 (CUI for contractors), CSF 2.0 (cybersecurity framework), SP 800-30 (risk assessment), SP 800-37 (RMF), SP 800-115 (testing). The exam doesn't expect granular recall.
How important is the official ISC2 question bank vs third-party?
Use both. Third-party banks (Boson) are excellent for breadth and difficulty. The official ISC2 questions are closest to the actual exam tone and answer-pattern logic. Save the official bank for weeks 10–11 — they're your best dress rehearsal.
Next steps
- Read the domain-by-domain breakdown to know what you're signing up for.
- Read the CISSP salary data for 2026 to know what passing unlocks.
- When you pass, browse GRC jobs and US cyber jobs.