CISSP 90-Day Study Plan Timeline 2026

CISSP Study Plan: How to Pass in 90 Days (2026 Guide)

Updated March 2026 · 13 min read

The CISSP is one of the most respected certifications in cybersecurity — and one of the most demanding. The exam covers 8 domains, uses adaptive testing with 100–150 questions, and demands you think like a risk-aware security leader rather than a technical operator. Most candidates who fail do so not because they lacked knowledge, but because they lacked a structured, domain-weighted study plan.

This 90-day CISSP study plan is designed for working professionals who can commit 1–2 hours on weekdays and 3–4 hours on weekends — roughly 200–250 total study hours. It's built around the official exam domain weights, so you spend more time on domains that account for more questions.

✅ What This Plan Covers
A week-by-week schedule across all 8 domains, daily study routines, recommended resources, practice exam milestones, and an exam-day strategy — everything you need to sit the CISSP with confidence.

📋 Table of Contents

  1. CISSP Exam Overview: Know What You're Preparing For
  2. Domain Weights & Study Time Allocation
  3. Before You Start: Baseline Assessment
  4. Phase 1 (Days 1–30): Foundation — Domains 1–4
  5. Phase 2 (Days 31–60): Advanced — Domains 5–8
  6. Phase 3 (Days 61–90): Integration, Practice & Exam Prep
  7. Daily Study Routine That Actually Works
  8. Best CISSP Study Resources for 2026
  9. Exam Day Strategy
  10. Frequently Asked Questions

CISSP Exam Overview: Know What You're Preparing For

Before you open a single textbook, you need to understand the target. The CISSP exam in 2026 is delivered as a Computerized Adaptive Test (CAT) for English-language candidates. Here's what that means in practice:

Exam Format

  • Format: CAT (Computerized Adaptive)
  • Questions: 100–150 items
  • Time Limit: 3 hours
  • Passing Score: 700 out of 1000
  • Delivery: Pearson VUE test centers only

Eligibility

  • Experience: 5 years in 2+ domains
  • Education waiver: 1 year waived with 4-year degree
  • No experience? Associate of ISC2 path available
  • Endorsement: Required after passing
  • CPEs required: 120 over 3-year cycle

The CAT format is important to understand: the exam adapts in real time to your performance. It stops when the algorithm is statistically confident you're above or below the passing threshold — which means stopping at 100 questions is not a sign of failure. It can mean you did exceptionally well. For a deep dive into how the adaptive algorithm works, see our guide to the CISSP CAT exam format.

⚠️ The Mindset Shift Most Candidates Miss
The CISSP doesn't test what you know — it tests how you think. The exam wants you to answer as a risk-aware security manager, not a hands-on technician. When two answers both seem correct, the right one is usually the one that prioritizes risk management, policies, and people over purely technical solutions. Practice this mindset from Day 1.

Domain Weights & Study Time Allocation

The ISC2 publishes official domain weights for the CISSP exam. These weights directly determine how many questions come from each domain — so a domain worth 15% will generate roughly 15–22 questions in a 150-question exam. Use this to allocate your study time proportionally.

#   Domain                                   Exam Weight   Study Days (90-day plan)
1   Security and Risk Management             15%           14 days
2   Asset Security                           10%           7 days
3   Security Architecture & Engineering      13%           10 days
4   Communication & Network Security         13%           10 days
5   Identity and Access Management (IAM)     13%           10 days
6   Security Assessment and Testing          12%           9 days
7   Security Operations                      13%           10 days
8   Software Development Security            11%           8 days

The remaining ~12 days across the 90-day plan are reserved for review, practice exams, and exam-day preparation in Phase 3.

Before You Start: Baseline Assessment

Don't begin Day 1 without taking a diagnostic exam. A 50-question diagnostic across all 8 domains will reveal your strongest and weakest areas before you invest 90 days of study. The result determines how you pace the plan:

📊 Baseline Benchmark
Take a 50-question diagnostic before Day 1. Score below 55%? Stick to the full 90-day plan. Score 60–70%? You can compress Phase 1 and spend more time in Phase 3. Score above 70%? Consider a 60-day accelerated plan.

Phase 1 (Days 1–30): Foundation — Domains 1–4

Phase 1 builds the conceptual foundation that every other domain rests on. Domain 1 (Security and Risk Management) is the largest domain and sets the intellectual framework for how to think on the CISSP exam. Do not rush it.

🔵 Phase 1: Foundation (Days 1–30) — Domains 1–4
  • Week 1–2
    (Days 1–14)
    Domain 1: Security and Risk Management
    CIA triad, governance frameworks (ISO 27001, NIST RMF, COBIT), risk management lifecycle, threat modeling, legal and regulatory requirements (GDPR, HIPAA, SOX), ethics and professional conduct. Focus on understanding risk concepts — quantitative (ALE, SLE, ARO) and qualitative methods. This domain sets the "manager mindset" that pervades the entire exam.
  • Week 3
    (Days 15–21)
    Domain 2: Asset Security
    Data classification, data ownership (owner vs. custodian vs. user), data lifecycle management, data retention policies, privacy protection, data handling standards. Shorter domain but foundational — know the data classification schemes (government vs. commercial) cold.
  • Week 4
    (Days 22–30)
    Domain 3: Security Architecture & Engineering
    Security models (Bell-LaPadula, Biba, Clark-Wilson), cryptography fundamentals (symmetric, asymmetric, hashing, PKI), secure design principles, hardware security (TPM, HSM), cloud architecture, and physical security. Cryptography is heavily tested — understand concepts over memorizing algorithms.

Phase 1 Milestones

⚠️ Domain 4 in Phase 1?
Domain 4 (Communication & Network Security) starts in Phase 2, Day 31. If you have a strong networking background (CCNA-level knowledge), you can preview Domain 4 concepts in the last few days of Phase 1 and compress Phase 2 accordingly.

Phase 2 (Days 31–60): Advanced — Domains 5–8

Phase 2 covers the remaining four domains and begins integrating what you've learned. By Day 60, you should have touched all 8 domains and be ready to shift from learning to reinforcing.

🟢 Phase 2: Advanced (Days 31–60) — Domains 4–8
  • Days 31–40
    Domain 4: Communication & Network Security
    OSI and TCP/IP models, network topologies, secure protocols (TLS/SSL, IPsec, SSH, HTTPS), firewalls, IDS/IPS, VPNs, wireless security (WPA3), network segmentation, and cloud networking. Know the OSI model layer-by-layer and what attacks target each layer. Understand VLANs, DMZs, and micro-segmentation concepts.
  • Days 41–50
    Domain 5: Identity and Access Management (IAM)
    Authentication factors (MFA, biometrics), authorization models (DAC, MAC, RBAC, ABAC), identity federation (SAML, OAuth, OpenID Connect), privileged access management, Zero Trust principles, and directory services. IAM is deeply practical — connect concepts to real-world enterprise scenarios.
  • Days 51–57
    Domain 6: Security Assessment and Testing
    Vulnerability assessments vs. penetration testing, audit types, log review, SAST/DAST, test coverage, and reporting. Lighter domain — focus on understanding what each test type is appropriate for and who should conduct it (internal vs. third-party).
  • Days 58–67
    Domain 7: Security Operations
    Incident response lifecycle, evidence handling (chain of custody), BCP/DR concepts, change management, patch management, and physical/environmental security. BCP vs. DRP terminology is heavily tested — know RTO, RPO, MTBF, and MTTR cold.
  • Days 68–75
    Domain 8: Software Development Security
    SDLC models (Waterfall, Agile, DevSecOps), security in the development process, OWASP Top 10, code review techniques, API security, and database security. If you're not a developer, focus on the management concepts — when to conduct security reviews, not how to write secure code.

Phase 2 Milestones

💡 The Mid-Point Reality Check
Most candidates hit a wall around Day 45–55. You'll feel like you're forgetting earlier domains as you learn new ones. This is normal. Schedule a 30-minute daily review of one previous domain concept to keep retention high. Spaced repetition flashcard tools help enormously here.

Phase 3 (Days 61–90): Integration, Practice & Exam Prep

Phase 3 is where most candidates either cement their pass or doom themselves by continuing to read new material instead of practicing. Stop learning new content by Day 75. Phase 3 is about retrieval practice, weakness remediation, and building exam confidence.

🟡 Phase 3: Integration & Exam Prep (Days 61–90)
  • Days 61–72
    Weakness Remediation + Mini-Domain Reviews
    Review your Phase 1 and 2 milestone quiz scores. Identify the 2–3 domains where you scored below 65%. Spend these 12 days doing deep dives into those specific weaknesses — not re-reading chapters, but doing targeted practice questions and reviewing explanations.
  • Days 73–80
    Full Practice Exams (Timed)
    Take two full 100-question timed practice exams under real conditions: no notes, no breaks beyond what you'd get in the real exam. Target 70%+ before booking your real exam. After each exam, spend as much time reviewing your wrong answers as you spent taking the exam.
  • Days 81–85
    Scenario & Manager Mindset Drills
    Focus specifically on scenario-based questions — the CISSP loves "which is the BEST first step?" and "which answer is MOST appropriate?" questions. Practice eliminating technically correct but managerially wrong answers. See our guide on thinking like a manager on the CISSP.
  • Days 86–89
    Light Review + Logistics
    Light review of key frameworks and acronyms (RTO, RPO, ALE, SLE, ARO). Confirm your Pearson VUE test center, ID requirements, and travel plan. No heavy studying. Sleep 8 hours.
  • Day 90
    Exam Day
    Arrive 30 minutes early. Bring valid ID. Breathe. Trust your preparation.

Practice Questions That Match the Real Exam

CISSP.app has thousands of adaptive practice questions with detailed explanations — organized by domain and calibrated to the CISSP's scenario-based format. Your 7-day free trial includes everything.


Daily Study Routine That Actually Works

Consistency beats cramming. The candidates who pass the CISSP are the ones who study regularly, not the ones who pull 12-hour marathon sessions the week before the exam. Here's a daily routine that's sustainable for working professionals:

Weekday Structure (60–90 minutes)

Weekend Structure (3–4 hours per day)

💡 The One Habit That Separates Passers from Failures
Always read the explanation for every practice question — even the ones you got right. Understanding why an answer is correct (and why the others are wrong) builds the reasoning framework you need for the real exam's scenario questions.

Best CISSP Study Resources for 2026

You don't need every resource — you need the right ones. Here's what the community recommends for each phase:

Primary Study Material (pick one)

Practice Questions (essential)

For the Manager Mindset (critical)

Exam Day Strategy

You've done the work. Now execute cleanly.

Logistics

During the Exam

✅ After You Submit
Results are typically delivered at the test center immediately after completion. If you pass, you'll see a preliminary result slip. Official results and the endorsement process from ISC2 follow within days. If you don't pass, wait times before a retake are 30 days (2nd attempt), 60 days (3rd), and 90 days (4th). Up to 4 attempts per year.

Frequently Asked Questions

How many hours do I need to study for the CISSP?

Most candidates report 200–350 hours of total preparation. This 90-day plan targets approximately 220 hours — 1.5 hours on weekdays and 3.5 hours on weekend days. Candidates with strong security backgrounds may need fewer hours; those newer to security should plan for the higher end.

Is 90 days enough to pass the CISSP?

Yes — for most candidates with 5+ years of security experience. The 90-day timeline assumes you already have the work experience and baseline knowledge. If you're starting from scratch, consider a 6-month plan. If you have an IT security background but not yet 5 years' experience, consider pursuing the Associate of ISC2 designation first.

Which domain is hardest on the CISSP?

Domain 1 (Security and Risk Management) is hardest for most candidates because it's the largest, the most conceptual, and sets the mindset for the entire exam. Domain 3 (Security Architecture) is technically dense. Domain 8 (Software Development Security) trips up candidates without a development background.

Can I pass CISSP without a boot camp?

Absolutely. Many candidates pass with self-study alone — a good textbook, quality practice questions, and the Kelly Handerhan manager mindset video are often sufficient. Boot camps help candidates who need accountability and structured time away from work. They are not required.

What score do I need to pass the CISSP?

700 out of 1000. The CAT exam uses scaled scoring, not a raw percentage. This means your performance on harder questions is worth more than easier ones. The algorithm adapts question difficulty in real time — so don't be surprised if questions feel very hard. That's often a good sign.

Should I also consider CCSP or CISM?

If your role involves cloud security, the CCSP pairs naturally with the CISSP. If you're moving into security management and strategy, the CISM is the most respected management-focused certification. Both are available through the same CISSP.app subscription.

Ready to Start Preparing?

Practice with thousands of expert-verified CISSP questions. AI-powered gap analysis tells you exactly where to focus.
