Most CISSP study resources tell you to "spend more time on Domain 1 because it's 16% of the exam." That's true — and almost useless as actionable advice. The real question is: given your total available study hours and your professional background, how many hours should you spend on each domain specifically?
That's what this guide answers. We'll take the official ISC2 domain weights, translate them into question counts at both the minimum and maximum CAT exam length, build a proportional hours calculator for four common total-study-time scenarios, and show you how to adjust for your background — so you're not spending 30 hours on networking fundamentals you've been doing professionally for a decade.
ISC2 updated the CISSP domain weights effective April 15, 2024. Domain 1 increased from 15% to 16%; Domain 8 decreased from 11% to 10%. No further changes are in effect for 2026 exam takers. Unless ISC2 announces a new Job Task Analysis (JTA), these weights are current.
Official CISSP Domain Weights for 2026
The eight domains of the CISSP Common Body of Knowledge each carry a published weight. These are not approximate — ISC2 publishes them as the official exam outline, updated after each Job Task Analysis. The current outline has been in effect since April 2024.
A few structural observations before we go further. Five domains tie at 12–13%: Domains 3, 4, 5 and 7 at 13% and Domain 6 at 12%. Combined, those five represent 64% of your exam. Domain 1 adds 16%, so those six domains account for 80% of all questions. Domains 2 and 8 split the remaining 20%.
For a full breakdown of what each domain actually covers — specific subtopics, common traps, and study tips — see our CISSP 8 Domains Explained guide. This article focuses entirely on the strategic use of those weights.
Translating Weights into Question Counts
The CISSP CAT exam delivers between 100 and 150 questions. The algorithm stops when it achieves statistical confidence in your performance — which means the question count varies. Here's what the weights translate to at both endpoints:
| Domain | Weight | At 100 Questions | At 125 Questions | At 150 Questions |
|---|---|---|---|---|
| D1: Security & Risk Management | 16% | ~16 | ~20 | ~24 |
| D2: Asset Security | 10% | ~10 | ~12–13 | ~15 |
| D3: Security Architecture & Engineering | 13% | ~13 | ~16 | ~19–20 |
| D4: Communication & Network Security | 13% | ~13 | ~16 | ~19–20 |
| D5: Identity & Access Management | 13% | ~13 | ~16 | ~19–20 |
| D6: Security Assessment & Testing | 12% | ~12 | ~15 | ~18 |
| D7: Security Operations | 13% | ~13 | ~16 | ~19–20 |
| D8: Software Development Security | 10% | ~10 | ~12–13 | ~15 |
The numbers above are estimates derived from applying the official percentages to expected exam lengths. ISC2 does not publish the exact question count per domain for any given exam session. Treat these as planning guides, not guarantees.
The Study-Time Calculator
The single most actionable thing you can do with domain weights is convert them into study hours. The principle is straightforward: allocate your available study time proportionally to each domain's exam weight, then adjust up or down based on your background.
Here's the baseline proportional allocation for four common total-study scenarios. These numbers assume zero prior knowledge advantage in any domain — we'll handle adjustments in the next section.
| Domain | Weight | 100 hrs | 150 hrs | 200 hrs | 250 hrs |
|---|---|---|---|---|---|
| D1: Security & Risk Mgmt | 16% | 16h | 24h | 32h | 40h |
| D2: Asset Security | 10% | 10h | 15h | 20h | 25h |
| D3: Security Architecture | 13% | 13h | 19.5h | 26h | 32.5h |
| D4: Network Security | 13% | 13h | 19.5h | 26h | 32.5h |
| D5: IAM | 13% | 13h | 19.5h | 26h | 32.5h |
| D6: Assessment & Testing | 12% | 12h | 18h | 24h | 30h |
| D7: Security Operations | 13% | 13h | 19.5h | 26h | 32.5h |
| D8: Software Dev Security | 10% | 10h | 15h | 20h | 25h |
Most working professionals land in the 150–250 hour range over a 3–6 month prep window. The 200-hour plan is the sweet spot for candidates with 5–10 years of security experience who haven't studied for a formal exam in a few years. If you're newer to security, budget 250 hours. If you're a senior architect or CISO who lives this material daily, 100–150 hours may be sufficient.
The table above gives you a proportional baseline. The next section shows you how to redistribute hours based on where you already have professional depth — the most important adjustment most candidates skip.
Role-Based Adjustments: Where You Already Have Credit
The proportional allocation above treats every domain as unfamiliar. That's wrong for most candidates. If you've spent five years as a network engineer, you're not starting Domain 4 from zero — you may need a week of exam-framing, not three weeks of content learning. Redistribute those saved hours into your genuine weak spots.
Here are role-specific adjustment guides for four common professional backgrounds:
Network / Infrastructure Engineer
- Cut Domain 4 (Network Security): Reduce by 30–50% — you already know the protocols
- Add to Domain 1 (Risk Management): Governance and risk frameworks are often new territory
- Add to Domain 3 (Architecture): Security models (Bell-LaPadula, Biba) and cryptography depth require focused study
- Add to Domain 6 (Assessment): Audit methodologies and DR testing types are outside typical network engineering scope
GRC / Compliance Analyst
- Cut Domain 1 (Risk Management): Reduce by 30–40% — frameworks, risk quantification, and governance are your daily work
- Cut Domain 6 (Assessment): Audit and testing methodologies are already familiar
- Add to Domain 3 (Architecture): Cryptography and security models require technical depth beyond typical GRC work
- Add to Domain 4 (Network Security): OSI model, firewall types, and protocol-level security may be weak
Software Developer / AppSec Engineer
- Cut Domain 8 (Software Dev Security): Reduce by 40–60% — SDLC, OWASP, and code review are native territory
- Add to Domain 7 (Security Operations): Incident response, forensics, and change management may be unfamiliar
- Add to Domain 1 (Risk Management): Strategic governance and BCP/DRP framing are typically outside dev scope
- Add to Domain 5 (IAM): Directory services, PAM, and federation protocols deserve extra time
Security Operations (SOC / IR)
- Cut Domain 7 (Security Operations): Reduce by 40–50% — incident response and forensics are your daily workflow
- Cut Domain 6 (Assessment): Log review and SIEM work give you a head start
- Add to Domain 1 (Risk Management): The governance and BCP/DRP layer is often thin for SOC analysts
- Add to Domain 3 (Architecture): Formal security models and physical security design require dedicated study
The underlying principle: never reallocate hours away from a domain without replacing them somewhere. Every hour you recover from a familiar domain should go to a domain where you'd otherwise be underprepared.
How the CAT Exam Compounds Domain Weakness
Understanding CISSP domain weighting isn't just a study-planning exercise — it directly affects your exam-day performance under the Computer Adaptive Testing format. Most candidates understand that CAT adjusts question difficulty. Fewer understand how domain weakness interacts with the algorithm in a way that can extend your exam and increase pressure.
Here's the mechanism: the CAT algorithm maintains a running estimate of your ability level in each domain. When your performance in a domain is ambiguous — you're getting some right and some wrong at the same difficulty level — the algorithm serves you more questions in that domain to resolve the uncertainty. This creates what practitioners call a "domain probe loop."
For a high-weight domain like Domain 1 (16%), a probe loop is especially costly: you'll receive more questions from the domain that already generates the most questions. The practical result is that Domain 1 weakness doesn't just affect 16 questions — it can pull 20, 22, or more Domain 1 questions into your session as the algorithm probes the edges of your performance.
You cannot afford to be "borderline competent" in Domain 1. A score of 55% in Domain 1 may generate more total questions than an identical score in Domain 8 — simply because Domain 1 carries more weight and the algorithm needs more data to form a confidence interval around your true ability. For a deep look at how the adaptive algorithm works, read our CISSP CAT exam format guide.
The counter-strategy is deliberate: study high-weight domains until you're genuinely comfortable, not just familiar. For Domain 1, aim for 75%+ on timed, difficulty-varied practice sets — not just 65% on easy questions. The goal isn't to hit the passing threshold; it's to be unambiguously above it so the algorithm resolves quickly and moves on.
Four Weighting Mistakes That Cause Failures
Mistake 1: Equal Time Across All Domains
This is the most common. Candidates open a study guide, work through Domains 1–8 chapter by chapter, and spend roughly equal time on each. The result: you've studied Domain 2 and Domain 8 (combined 20%) as thoroughly as Domain 1 (16%) alone. You've implicitly deprioritized the exam's heaviest domain.
Mistake 2: Stopping When You Understand the Concepts
Conceptual understanding and exam performance under time pressure are different things. Domain 1's risk management math (ALE, SLE, ARO, residual risk calculations) needs to be automatic at exam speed. Understanding the formula isn't the same as getting scenario questions right in 90 seconds. Practice questions matter as much as content review. The manager mindset examples guide shows specifically how conceptual knowledge translates into correct exam answers.
Mistake 3: Treating All 13% Domains as Equal
Domains 3, 4, 5, and 7 all carry 13% — but they don't require equal study effort for every candidate. Domain 3's cryptography depth takes most people longer than Domain 5's IAM concepts. Within the same weight tier, difficulty varies significantly by background. Use free domain-specific practice questions to calibrate actual difficulty in each area before committing your hours.
Mistake 4: Ignoring the April 2024 Weight Changes
Study materials published before April 2024, including some widely used books, still list Domain 1 at 15% and Domain 8 at 11%. A 1% difference sounds small, but at 125 questions that's one to two additional Domain 1 questions you need to be prepared for. Always verify your resources reflect the current exam outline.
Build Your Personal Weighting Plan in 3 Steps
Here's a concise process for turning domain weights into a personal study allocation you can actually execute:
Step 1: Run a Diagnostic First
Before allocating a single study hour, take a 50-question diagnostic across all 8 domains. Score yourself. Any domain where you're below 60% accuracy gets a budget increase above the proportional baseline. Any domain where you're above 75% is a candidate for reduction. Don't guess at your baseline — measure it.
Step 2: Build Your Adjusted Hours Table
Take the proportional allocation from the calculator above, apply your role-based adjustments, then layer in your diagnostic results. Write the final hours per domain on paper. The constraint: your adjusted total must equal your original total — every hour you remove from one domain must be added somewhere else.
Step 3: Set Domain-Level Readiness Thresholds
Don't just study for hours — study until you hit a performance target. Recommended thresholds before moving to the next domain:
- High-weight domains (D1, D3, D4, D5, D7): 70%+ on timed, mixed-difficulty practice
- Standard domains (D2, D6, D8): 65%+ on timed practice
- Domain 1 specifically: 72%+ — the stakes are too high to pass with a thin margin
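The three steps above as one small calculator: proportional baseline, role-based cuts, diagnostic-driven redistribution with the constant-total constraint, and the readiness threshold per domain. This is an added example, not code from the article or from CISSP.app; the 40% cut for Domain 4, the diagnostic scores, and the rule that recovered hours go to sub-60% domains in proportion to their exam weight are assumptions chosen for illustration.

```python
from typing import Dict

# Official ISC2 domain weights (%) in effect since April 15, 2024, as listed in the article.
WEIGHTS = {"D1": 16, "D2": 10, "D3": 13, "D4": 13, "D5": 13, "D6": 12, "D7": 13, "D8": 10}
HIGH_WEIGHT = {"D1", "D3", "D4", "D5", "D7"}
WEAK_BELOW = 60.0  # diagnostic accuracy (%) below which a domain receives extra hours


def baseline_hours(total_hours: float) -> Dict[str, float]:
    """Proportional allocation: total_hours * weight / 100 per domain (the calculator table)."""
    return {d: total_hours * w / 100 for d, w in WEIGHTS.items()}


def adjusted_hours(total_hours: float, role_cuts: Dict[str, float],
                   diagnostic: Dict[str, float]) -> Dict[str, float]:
    """Steps 1-2: cut familiar domains by a fraction (role_cuts, e.g. {"D4": 0.4}), then hand
    every saved hour to domains scoring below WEAK_BELOW on the diagnostic, split in proportion
    to their exam weight (an assumed rule), so the adjusted total always equals the original."""
    hours = baseline_hours(total_hours)
    saved = 0.0
    for d, frac in role_cuts.items():
        if not 0.0 <= frac < 1.0:
            raise ValueError(f"cut fraction for {d} must be in [0, 1)")
        cut = hours[d] * frac
        hours[d] -= cut
        saved += cut
    weak = [d for d, score in diagnostic.items() if score < WEAK_BELOW and d not in role_cuts]
    if not weak:  # nothing flagged weak: spread the recovered hours over every uncut domain
        weak = [d for d in WEIGHTS if d not in role_cuts]
    if not weak:
        raise ValueError("every domain was cut; there is nowhere to put the saved hours")
    weak_weight = sum(WEIGHTS[d] for d in weak)
    for d in weak:
        hours[d] += saved * WEIGHTS[d] / weak_weight
    assert abs(sum(hours.values()) - total_hours) < 1e-9, "hours must be redistributed, not lost"
    return hours


def readiness_threshold(domain: str) -> float:
    """Step 3 target before moving on: 72% for D1, 70% for other high-weight domains, 65% otherwise."""
    if domain == "D1":
        return 72.0
    return 70.0 if domain in HIGH_WEIGHT else 65.0


if __name__ == "__main__":
    # Constructed scenario: 200-hour plan, network engineer cutting Domain 4 by 40%,
    # diagnostic weak in D1, D3 and D6 (scores are made up for illustration).
    plan = adjusted_hours(200, {"D4": 0.4}, {"D1": 55, "D3": 50, "D6": 58, "D7": 80})
    for d, h in plan.items():
        print(f"{d}: {h:5.1f}h  (practice target {readiness_threshold(d):.0f}%)")
```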
For a week-by-week schedule that implements this framework in a 90-day prep window, the 90-day CISSP study plan has the full timeline with daily hour targets and domain milestones.
FAQ: CISSP Domain Weighting
What are the official CISSP domain weights in 2026?
Domain 1 (Security and Risk Management): 16%. Domains 3, 4, 5, 7 (Architecture, Network, IAM, Operations): 13% each. Domain 6 (Assessment and Testing): 12%. Domains 2 and 8 (Asset Security, Software Dev Security): 10% each. These weights have been in effect since April 15, 2024.
How should I allocate my study hours based on the weights?
Start with a proportional allocation: 16% of your total hours to Domain 1, 13% each to Domains 3, 4, 5, and 7, 12% to Domain 6, and 10% each to Domains 2 and 8. Then adjust up or down based on your professional background and a diagnostic exam score. Every hour you reduce from a strong domain should be added to a weak one.
Did the CISSP domain weights change in 2024 or 2026?
ISC2 updated the weights effective April 15, 2024: Domain 1 increased from 15% to 16%, Domain 8 decreased from 11% to 10%. No changes are in effect for 2026. Any resource still listing Domain 1 at 15% is using pre-2024 data. Check that your study materials reflect the current exam outline.
Which domain gives the best return on study time?
Domain 5 (Identity and Access Management) typically offers the strongest points-per-hour return for candidates without deep IAM experience. At 13% of the exam, its scope is well-defined — access control models, authentication factors, federation protocols, biometrics — and most of its key concepts can be mastered in 15–20 focused hours. Domain 3's cryptography breadth requires more time for the same 13% weight.
Does the CAT exam test all domains equally within their weights?
The weights determine the proportion of questions per domain, but the CAT algorithm adapts within that weight. If you're performing ambiguously in a domain, the algorithm serves more questions at varying difficulties to establish confidence in your ability level. Domain weakness in a high-weight domain like Domain 1 can trigger an extended probe loop — more questions, higher difficulty, more pressure. Preparedness above threshold matters, not just passing the threshold.