ISC2 · IT Certification
Use this 16-week roadmap to focus on the exam domains that matter most, choose a strong core course, and turn your prep into a weekly plan.
Use the free PrepPath plannerCISSP (Certified Information Systems Security Professional) rewards consistent, blueprint-led practice. Start by learning the highest-weighted domains, then use practice results to rebalance your time before exam day.
How long to study
A 16-week CISSP (Certified Information Systems Security Professional) study plan gives most learners enough room for first-pass learning, targeted review, and at least one full practice pass. If you are already strong in the fundamentals, compress the early lessons and reserve the final weeks for weak domains and timed practice.
Blueprint breakdown
| Domain | Weight |
|---|---|
| Security and Risk Management |
16%
|
| Asset Security |
10%
|
| Security Architecture and Engineering |
13%
|
| Communication and Network Security |
13%
|
| Identity and Access Management (IAM) |
13%
|
| Security Assessment and Testing |
12%
|
| Security Operations |
13%
|
| Software Development Security |
10%
|
What's on the exam
Covers governance, compliance, ethics, risk management, threat modeling, business continuity, and personnel security.
Covers information and asset classification, ownership, privacy, retention, data states, and secure handling requirements.
Covers secure architecture models, cryptography, physical security, system design, vulnerabilities, and engineering controls.
Covers secure network architecture, transmission methods, network components, secure channels, and communication protection.
Covers identity lifecycle, authentication, authorization, access control attacks, federation, and identity as a service.
Covers security control testing, audits, vulnerability assessment, penetration testing, log review, and test-result reporting.
Covers investigations, logging, incident response, disaster recovery, resource protection, monitoring, and operational resilience.
Covers secure SDLC, development methods, software security testing, code repositories, APIs, and software supply-chain risk.
Suggested timeline
This is a blueprint-led default — front-load the heaviest domains, then convert weak spots from your mock results into targeted review. The free planner turns it into exact dates.
| When | Focus |
|---|---|
| Weeks 1–7 Foundations |
Security and Risk Management, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management (IAM) First-pass learning on the heaviest-weighted domains: read the guide, watch the core course, and start active-recall questions. |
| Weeks 8–13 Breadth |
Security Operations, Security Assessment and Testing, Asset Security, Software Development Security Cover the remaining domains and sit your first full, timed mock to expose weak areas. |
| Weeks 14–16 Review & mocks |
Weakest domains + full mocks Re-test with timed mocks, drill the domains your scores flag, then a light rest-and-logistics day before the exam. |
Recommended prep kit
FTC affiliate disclosure: this recommendation may contain a sponsored affiliate link. PrepPath may earn a commission at no extra cost to you.
Study guideFTC affiliate disclosure: this recommendation may contain a sponsored affiliate link. PrepPath may earn a commission at no extra cost to you.
CourseFTC affiliate disclosure: this recommendation may contain a sponsored affiliate link. PrepPath may earn a commission at no extra cost to you.
Practice examsFTC affiliate disclosure: this recommendation may contain a sponsored affiliate link. PrepPath may earn a commission at no extra cost to you.
GearFree PrepPath planner
Enter your exam date and weak domains, then PrepPath generates the day-by-day schedule.
FAQ
A typical CISSP (Certified Information Systems Security Professional) study plan takes about 16 weeks. Shorten that if you already score well on practice tests, or extend it if the official objectives are new to you.
The best course for CISSP (Certified Information Systems Security Professional) is one that maps lessons to the current exam domains and includes practice questions. This page recommends CISSP Certification Complete Course — All Domains as the core course to review first.
Start with Security and Risk Management, because it carries about 16% of the exam blueprint, then move through lower-weight domains while tracking weak areas.
PrepPath turns your exam date, daily study hours, and confidence by domain into a calendar you can follow, then adjusts your focus after practice scores.
Most candidates do well with about 1–2 focused hours on study days across a 16-week plan, ramping up in the final weeks for timed practice. Consistency beats marathon sessions — PrepPath spaces each domain out so you revisit it instead of cramming.
Aim for at least 2–3 full, timed mock exams: one early to set a baseline, then more in the final third of your plan. Review every wrong answer and tag the domain it came from so PrepPath can rebalance your remaining days toward your real weak spots.