
How Long to Study for the CISSP Exam?

Most people need 60 to 250 hours — roughly 10 to 16 weeks — depending on how much real security experience they bring across the eight domains. Here is the honest timeline by experience level, a week-by-week plan that walks all eight domains, and what makes prep faster or slower.

Total study time: 60–250 hrs
Typical timeline: 10–16 wks
Per week: 12–15 hrs
Exam length: 100–150 Q / 3 hr CAT
Pass score: 700/1000

01 The short answer

Plan for 60–250 hours of focused study, spread across 10–16 weeks. An experienced security professional who already works across several domains daily can be ready in around 60–100 hours. A typical candidate usually needs 150–250 hours, and someone genuinely new to security should budget 300 hours or more. At a sustainable 12–15 hours per week, the middle of that range lands most people at a 12–16 week plan.

The CISSP is famously a mile wide and an inch deep: a management-level exam that spans eight domains, from risk management and cryptography to network security, identity, and secure software development. Because it tests breadth-of-understanding rather than deep memorisation, raw study hours matter less than whether you can think like a security manager — choosing the best risk-based answer, not the most technical one. The 2026 exam is a computer adaptive test (CAT) of roughly 100–150 items in up to three hours, and almost every question asks for the best response among several that all look reasonable. That is why scenario practice eats more of your hours than reading ever will.

Don’t forget the experience requirement. Full CISSP certification needs five years of cumulative paid work experience in two or more of the eight domains (a relevant degree or an approved credential can waive one year, bringing it to four). If you don’t yet have the experience you can still sit the exam and become an Associate of ISC2, then earn the experience within six years. The study timeline below is the same either way — only your post-exam paperwork differs.

02 How long it takes by experience level

Your starting point matters more than any other factor. Find the lane that sounds most like you — the bar shows roughly how much ground you have to cover across the eight domains.

Experienced security engineer

60–100 hrs

You already work across security operations, architecture, and risk, and you speak the language of controls and governance. You mostly need to map your hands-on knowledge onto ISC2’s manager-level framing and shore up one or two thin domains.

Pace: ~6–9 weeks at 10–12 hrs/week

IT or sysadmin moving into security

150–250 hrs

You run systems, networks, or infrastructure and understand the technology, but governance, risk frameworks, and the security-management mindset are newer. This is the most common starting point — and it rewards a steady, domain-by-domain plan.

Pace: ~12–16 weeks at 12–15 hrs/week

New to security

300+ hrs

You are transitioning in from another field, so much of the vocabulary — cryptography, access models, secure design principles — is unfamiliar. Budget extra time and consider the Associate of ISC2 path while you build the required experience.

Pace: ~20+ weeks at 12–15 hrs/week

Use a calculator, not a guess. Plug your weekly availability into the study-time calculator to turn an hours estimate into a real finish date before you book.

03 A week-by-week plan

This is the “IT moving into security” track — the most common starting point. Compress it toward 8–10 weeks if you are an experienced security engineer, or stretch it past 20 if security is brand new. The order matters: build the risk-management mindset first, since it frames how you answer every other domain.

Weeks 1–2

Domain 1 & 2: Risk and asset security

Security and risk management is the spine of the whole exam — governance, risk frameworks, policies, the CIA triad, and legal/compliance. Pair it with asset security (data classification, ownership, retention). Learn to answer from a manager’s, risk-first viewpoint here and the rest gets easier.

~30–35 hrs

Weeks 3–5

Domain 3: Architecture, engineering & crypto

Secure design principles, security models, and the dreaded cryptography section — symmetric vs asymmetric, PKI, hashing, key management. This is the most technical, time-hungry domain. Drill scenario questions instead of memorising algorithm internals.

~35–40 hrs

Weeks 6–7

Domain 4: Communication & network security

The OSI and TCP/IP models, secure protocols, segmentation, and network attacks. Sysadmins move fast here; newcomers should slow down and connect each control back to the risk it mitigates.

~22–26 hrs

Weeks 8–9

Domain 5: Identity & access management

Authentication, authorisation, access-control models (DAC, MAC, RBAC, ABAC), federation, and the identity lifecycle. High-yield and very testable — expect a lot of “which model fits this scenario” questions.

~20–24 hrs

Weeks 10–11

Domain 6 & 7: Testing & security operations

Security assessment and testing (audits, pen-testing, log review) plus security operations (incident response, DR/BCP, forensics, monitoring). Two practical domains that reward connecting controls to day-to-day operational reality.

~26–30 hrs

Week 12

Domain 8: Software development security

Secure SDLC, the OWASP-style vulnerability classes, code review, and supply-chain risk. Smaller weighting, but easy marks if you understand where security fits into the development lifecycle.

~14–18 hrs

Weeks 13–14

Full-length mixed practice

Sit several long, mixed-domain question sets of 100-plus items that mimic the adaptive exam. Score each domain separately and pour your remaining time into whichever falls below 75%. This is where readiness is actually proven.

~25–30 hrs

Weeks 15–16

Final review & book

Light review of weak domains, re-read the risk-first principles, rest the day before, and sit the exam. Don’t cram new material in the last 48 hours — protect your recall and your judgement.

~12–16 hrs

04 What makes your timeline faster or slower

Two people with identical job titles can need wildly different hours. These are the factors that move the needle most.

▲ Speeds you up

  • Several years working across multiple security domains
  • Recent hands-on exposure to risk, IAM, or security operations
  • You already think in terms of controls, governance, and risk
  • A strong question bank and you test yourself early
  • You can study in long, focused blocks rather than scattered minutes

▼ Slows you down

  • No prior security or formal IT-governance background
  • Cryptography and networking are weak spots
  • You default to the most technical answer instead of the risk-based one
  • Studying 30–45 minutes at a time around a full-time job and family
  • Relying on reading and videos instead of practice questions

The most common timeline killer: passive studying. Re-reading a 1,000-page guide and re-watching videos feels productive but barely moves your score. Candidates who shift at least half their hours to mixed-domain scenario practice — and who learn to pick the manager’s answer — finish weeks sooner than those who read until exam day.

05 A realistic weekly schedule

Most people pass the CISSP while working full time. The trick is consistency, not heroics — this ~13-hour week is sustainable across the whole 12–16 weeks.

Day | Time | Focus
Mon–Thu | 2 hrs (evening) | Read one domain sub-topic, then answer 25–30 practice questions and review every miss for the “why”
Friday | Rest | No study — protect against burnout on a long campaign
Saturday | 3 hrs | One timed mixed-domain set (75–100 questions) plus a full review of wrong answers
Sunday | 2 hrs | Attack your weakest domain and refresh flashcards on crypto, models, and acronyms

The 80% rule: don’t book the exam until you score a repeatable 80%+ across long, mixed-domain question sets, with no single domain below 75%. The CISSP is scored on a scaled 700/1000 you can’t see in advance, so a steady 80% on quality practice is the best proxy for “ready to pass.”

06 FAQ

How many hours do you need to study for the CISSP?

Most candidates need 60–250 hours of focused study. Experienced security professionals who work across several domains daily can be ready in roughly 60–100 hours; typical candidates usually need 150–250 hours, and people new to security often need 300 hours or more. Spread over a sustainable 12–15 hours per week, that is about 10–16 weeks.

Can you pass the CISSP in one month?

It is possible but only realistic for senior security practitioners who already work across most of the eight domains and can study full time. The CISSP is a mile-wide management-level exam, so a working professional studying 1–2 hours an evening cannot fairly cover all eight domains in a month. A 12–16 week plan is far safer and lets the concepts actually stick.

What is the passing score for the CISSP exam?

You need a scaled score of 700 out of 1000 to pass. That is not a straight percentage of questions correct: the CISSP is a computer adaptive test, so harder questions are worth more and the score reflects the difficulty level you sustained. As a practical readiness proxy, aim for a consistent 80% or higher on quality practice questions across every domain before you book.

How long before the exam should I take practice tests?

Do light topic-level practice questions from the start to learn how the CISSP frames think-like-a-manager scenarios, but reserve the final 2–3 weeks for long, mixed-domain question sets that mimic the adaptive exam. You want several sessions of 100-plus mixed questions with every domain above 75% before you schedule the real thing.

ExamCert Team: Certified security & cloud pros helping you pass faster.