Creating the Perfect (ISC)2 CISSP Study Plan

Security. It's on everyone's mind. CTO Magazine rated security as the #1 issue facing CIOs today. That means security represents a great career opportunity for experienced IT professionals looking for a change.

The Certified Information Systems Security Professional (CISSP) from the International Information System Security Certification Consortium, or (ISC)², is recognized as among the most valuable — and toughest — security certifications.

In their current guide to the CISSP, (ISC)² claims that CISSP-certified professionals earn an average salary of more than $130,000. The CyberSeek interactive cybersecurity supply/demand map of job postings showed that the CISSP was the most requested security certification.

Earning CISSP certification is no walk through the park. That's why we've laid out a study plan to help you be ready on exam day.

Proceed with Caution

CISSP is not for newbies. If you're looking for a way to kick-start your cybersecurity career, the Systems Security Certified Practitioner (SSCP) from (ISC)2 and CompTIA's Security+ are both good vendor-neutral entry-level certifications. Both also are U.S. Department of Defense (DOD) Directive 8570.1 baseline certs for Level II Information Assurance Technician (IAT) jobs. SSCP is also approved for Level I jobs.

CISSP, on the other hand, is a certification for experienced security professionals. In many large organizations, CISSP certification is required for career progression. For the U.S. government, it's a baseline cert for Level III IA Technician jobs — as well as for jobs at Level II or III Information Assurance Manager (IAM) and Level I and II IA System Architects and Engineers (IASAE).

The CISSP covers eight domains, from Security and Risk Management to Software Development Security. To be certified as a CISSP, you need to pass the CISSP exam AND have documented five years of paid, full-time employment in two or more of these domains. There are other ways to count CISSP experience, but you still need serious security work experience under your belt to qualify.

CISSP Exam Breakdown

As mentioned before, the exam covers the eight domains of security with the following weightings:

1. Security and Risk Management: 15%

2. Asset Security: 10%

3. Security Architecture and Engineering: 13%

4. Communication and Network Security: 14%

5. Identity and Access Management (IAM): 13%

6. Security Assessment and Testing: 12%

7. Security Operations: 13%

8. Software Development Security: 10%

The CISSP exam is available worldwide. The English language version of the exam lasts three hours and features between 100 and 150 multiple-choice and scenario-based questions. A passing grade is 700 or more points out of a possible 1,000 points. You also must take the exam at an authorized testing center.

Since 2018, the English language exam uses a more precise testing technology called Computerized Adaptive Testing (CAT). While you don't have to answer as many questions, you get half the time to complete the exam. CISSP exams in other languages do not use CAT, last six hours, and consist of 250 questions.

Using CBT Nuggets to Get CISSP Certified

CBT Nuggets provides a full range of training to help prepare you for CISSP certification. In fact, Keith Barker, Ben Finkel, and Bob Salmans — three of our expert trainers — worked together to create a video-training course specifically for CISSP certification. This course includes 11 skills covering the eight domains associated with the exam. It adds up to 114 CBT Nuggets videos and 11 hours of training.

To help reinforce and validate your learning, each skill includes both in-video and post-video quiz questions. In addition, the course has 1 full practice exam. Dip your toes into the course by watching Keith Barker's free video on how to solve identity management (IdM) on our Youtube channel.

Your CISSP Study Plan

So, you've decided to pull the trigger and study for your CISSP certification? There are eleven hours of CBT Nuggets CISSP training. You can watch a little over an hour of videos a week and get through our entire training in 9 weeks. But there's more to learning than just watching videos. You learn better if you reinforce your understanding through practical lab exercises — and test your retention with practice exams.

Everybody learns in their own way, so your CISSP study journey needs to be personalized to your particular needs. We've put together a 9-week CISSP certification study plan to get started. It leans heavily on CBT Nuggets CISSP training, combined with practice exams and other resources. In building this plan, we aimed to include about an hour of video training per week — more or less.

How Long Should You Study?

CBT Nuggets training should not be your only resource to prepare for the CISSP. This is a tough exam. It's not a technical exam. It's a management exam. Like the PMP or ITIL, the CISSP validates whether you can look at security issues through the lens of (ISC)2 methodologies. Nine weeks is a good starting point, but you'll likely need more time. How much time? That's dependent on what you already know, and how long you've been on the job.

Let's get started.

Week 1: Evaluate Your Knowledge

Take a practice exam. It's good to establish what you do and don't know from the get-go. So, your first step should be to take a practice exam. You can either buy the Official (ISC)² CISSP Practice Tests book or use the Kaplan® IT Training practice exams that are included with a CBT Nuggets subscription. Your practice exam results will help you establish a knowledge baseline, whichever route you take.

With your practice exam completed, you should get started on the Information Security: Security and Risk Management skill. Watch Nuggets videos one through 11. In these modules, CBT Nuggets trainer Keith Barker introduces the overarching concepts of security and risk management, including:

• Confidentiality, integrity, and availability

• Security governance and compliance

• Establishing and maintaining security awareness and education

• Identifying business continuity requirements.

After each video, reinforce your learning by answering the practice questions for the modules in either the (ISC)2 or Kaplan® IT Training practice exams. The latter, of which again, are included with a CBT Nuggets subscription.

Weekly time commitment: 4 hours. The Kaplan® IT Training practice exam should take you about two hours. The 11 video Nuggets are 50 minutes long.

Week 2: Security and Risk Management & Asset Security

Start this week by watching the final four video Nuggets from the Information Security: Security and Risk Management skill. They cover intellectual property and licensing, threat modeling, supply chain risk management, and policy lifecycle.

Next, watch the Information Security: Asset Security skill. Keith covers the critical issues of asset security, including privacy protection, asset retention, and data security controls.

Weekly time commitment: 1 hour. The Asset Security skill includes seven videos for a total of 35 minutes. Combined with the four Security and Risk Management videos, week 2's training should take 58 minutes.

Week 3: Security Architecture

Once you've got the Asset Security skill under your belt, watch the first 12 Nuggets of Information Security: Security Architecture and Engineering. You'll be delving into the following skills in these videos:

• Designing with security in mind

• The various security models and their purposes

• Requirements for system security

• Security capabilities of hardware and firmware

• Security vulnerabilities and how to assess them in web-based systems, mobile systems, and embedded devices

• Symmetric and asymmetric encryption and keys.

Weekly time commitment: 1 hour. These 12 video Nuggets consist of a total 62 minutes.

Week 4: Security Architecture & Network Security

This week, you'll round out the Information Security: Security Architecture and Engineering skill by watching videos 13 through 17. You'll learn how to mitigate vulnerabilities in web-based systems, mobile systems, and embedded devices. You'll also learn how to apply cryptography.

Once you're satisfied that you've mastered these topics, move on to the Information Security: Communication and Network Security skill. You'll gain an understanding of the following topics:

• Secure design principles in network architectures

• Network components, such as Network Access Control (NAC)

• Secure communication channels, such as remote access.

Weekly time commitment: 1 hour. The Communication and Network Security skill includes six videos that total 38 minutes. Combined with the five Security Architecture and Engineering videos, the Week 4 videos will take a total of 59 minutes.

Week 5: IAM (and Test Your Knowledge)

You're now at the midway point of the CISSP security domains. It's time to take your second practice exam. Although you could just test on the first four domains, we recommend you take the complete exam. You'll get a better idea of how well you're learning all the content. The exam results will also help you determine which domains might need a little more attention a second time around.

Okay, mock exam completed? You did better than you expected? Great. Let's move on to Information Security: Identity and Access Management (IAM) skill. Keith will help you understand identity and access management (IAM), while covering the following skills:

• Physical and logical access to assets

• Identification and authentication of people, devices, and services

• Authorization mechanisms, such as role-based access control (RBAC) and mandatory access control (MAC).

Weekly time commitment: 4 hours. The nine IAM video Nuggets total 50 minutes. If you tack on another full-length practice exam, add three hours to this week's studies.

Week 6: Security Assessment and Operations

This week has you finishing up the Information Security: Security Assessment and Testing skill. You're also going to take your first bite out of Information Security: Security Operations skill.

The Security Assessment and Testing skill is quite short — six video Nuggets totaling 29 minutes. Key topics you'll learn include vulnerability assessments, penetration testing, log reviews, and security audits.

The Security Operations skill is 27 videos long and will take more than two hours. For that reason, we've spread it over three weeks. This week, you'll watch the first nine videos covering that skill.

You'll develop an understanding of security operations, while learning the components of investigations, such as evidence collection and digital forensics tools. You'll also get a brief introduction to implementing disaster recovery and business continuity plans.

Weekly time commitment: Slightly more than 1 hour. The Security Assessment and Testing videos combined with the first nine Security Operations Nuggets, means Week 6's videos will take about 68 minutes to watch.

Week 7: More Security Operations

This week, you should continue with Information Security: Security Operations, watching Nuggets 10 through 22. You'll continue to develop your understanding of security operations while learning about the following:

• Incident response and handling

• Patch and change management

• Intrusion detection and intrusion prevention

• Firewalls

• Vulnerability scoring.

Weekly time commitment: 1 hour. These 13 Nuggets total 62 minutes.

Week 8: Even More Security Operations

This week, you'll complete Information Security: Security Operations skill, watching videos 23 – 27. You'll develop an understanding of security operations, specifically focused on business continuity (BC) and disaster recovery (DR). These modules cover the following:

• Fault tolerance for availability

• Disaster recovery and alternate sites

• Hardware and software planning for DR

• DR management and communications

• Personal safety and security in the event of a BCDR event

Once you're satisfied that you understand these topics, move on to the final CISSP domain — Software Development Security. This is also where Keith hands over teaching responsibilities to Ben Finkel, our software development expert.

Throughout the Information Security: Software Development Security skill, Ben will help you understand of software development security while covering topics including securing the software development life cycle (SDLC), assessing the security impact of acquired software, and applying coding standards.

Weekly time commitment: Slightly more than 1 hour. The final Security Operations videos, combined with the eight Software Development Security videos will take 72 minutes. It's a little more than an hour this week. But take a bow; your final week of study is complete!

Week 9: You're Finished with CBT Nuggets Training!

Following completion of all of the CBT Nuggets CISSP skills, it's time for another practice exam. Now, you will be able to fully assess what you've learned — and identify additional review areas before you sit for the official exam. Be sure to go back to individual videos as needed to reinforce or review your knowledge.

Weekly time commitment: 3 hours (at least). To sit for another full-length practice exam and give yourself at least three hours.

Week 10+: What's Next?

You can easily finish CBT Nuggets training in 9 weeks, but don't stop there. The CISSP is a tough exam with notoriously difficult questions. Keep studying until you're consistently passing CISSP practice exams and feel comfortable with the minutiae of the (ISC)2 methodologies.

What if You Don't Have the Experience?

If you choose to take the CISSP exam without the required five years experience (or four years with a college degree), you can pass it and be recognized as a CISSP Associate. You'll have up to six years to build up your required five years of domain experience.

Becoming a CISSP Associate might not help you get a job in the commercial sector. However, the CISSP Associate is accepted by the U.S. government for those IAT, IAM, and IASAE jobs we mentioned earlier.

Is CISSP for You?

CISSP certification may not be right for you. There are other security certification options that might serve you better, dependent on your role, your organization, or your career aspirations.

IT Security Certifications: The Breakdown has useful info on the range of vendor-neutral security certifications that are available — including CISSP.

If you're trying to decide whether CISSP certification makes sense for you, you should also review the (ISC)² Ultimate Guide to the CISSP. This will give you additional information on the steps to — and benefits of — becoming a CISSP.

For further information on the CISSP exam itself, download the CISSP Exam Outline and review in detail the exam topics covered under each of the security domains.

Final Thoughts

Becoming CISSP-certified is not a simple process. (ISC)2 has a lot of hurdles — work experience, exam, endorsement — that you must square away before you get your badge. If security is where you have earned your spurs and where you want to advance, acquiring your CISSP certification is a no-brainer.

It takes one push to get started on your (ISC)2 CISSP journey. Start with our (ISC)2 CISSP training and carve your path to certification today.