CISSP Study Plan


Congratulations on starting your journey to achieve the gold standard CISSP certification from ISC2.

If you are reading this, you already know the value of CISSP and are looking for a study plan and resources to refer.This post talks about study plan from an information security professional perspective in 2 months time frame along with the resources that you’ll need to do so. The objective of 2 months is assuming you already have good understanding of Information Security Concepts and are aware with the eight domains associated.

The study guide can be best used with converting the below table by adding columns to achieve following sequence – Date, Start Time, End Time, Total Hours Spent, Source, Domain, Module, Completion Status, Score for each Mock Test, Comments.
The above approach will help you keep track of time spent on each module and scores earned against it in each mock test.

Credits to the awesome CISSP Community & champions who have published tons of resources for any seeker. Key folks who must be mentioned are – Rob W, Adam G, Thor P, Luke A, Wentz Wu, Prabh N, Kelly H, Mike C, Larry G, Eric C, Shon H & many more…

All the best for your journey. Keep visiting for more content and domain specific notes.

PS – This post will evolve over a period of time, keep checking for updates.

Nick Mitropoulos6 weeks study guideStrategy, Sources
Thor TeachesFree Prep GuidanceStrategy, Sources
Kelly HanderhanWhy you will Pass CISSPStrategy
Larry GreenblattCISSP 2020 Exam TipsStrategy
Prabh NairCISSP 2021 Strategybook & exam engine, last 2 weeks
Adam GordonCISSP StrategyGetting Started with CISSP
ISC2CISSP Course OutlineCurriculam Understanding
InfoSecTrainCISSP 2018 vs 2021Impact Analysis & books
Rob Witcher1. Security & Risk ManagementSecurity & Risk Management
InfoSecTrain1. Security Risk & Governance 
Primary BookISC2 or Exam GuideRead the book
Rob Witcher2. Asset SecurityAsset Classification
Rob Witcher2. Asset SecurityPrivacy
InfoSecTrain2. Asset Security 
Primary BookISC2 or Exam GuideRead the book
Rob Witcher3. Sec. Architecture & Engi.Models & Frameworks
Rob Witcher3. Sec. Architecture & Engi.Evaluation Criteria
Rob Witcher3. Sec. Architecture & Engi.Trusted Computing Base
Rob Witcher3. Sec. Architecture & Engi.Vulnerabilities in Systems
Rob Witcher3. Sec. Architecture & Engi.Cloud
Rob Witcher3. Sec. Architecture & Engi.Cryptography
Rob Witcher3. Sec. Architecture & Engi.Digital Certs, Signatures & PKI
Rob Witcher3. Sec. Architecture & Engi.Cryptanalysis
Rob Witcher3. Sec. Architecture & Engi.Physical Security
InfoSecTrain3. Sec. Architecture & Engi. 
Primary BookISC2 or Exam GuideRead the book
Rob Witcher4. Comm & Network SecurityOSI Model
Rob Witcher4. Comm & Network SecurityNetworking
Rob Witcher4. Comm & Network SecurityNetwork Defense
Rob Witcher4. Comm & Network SecurityRemote Access
InfoSecTrain4. Comm & Network Security 
Primary BookISC2 or Exam GuideRead the book
Rob Witcher5. IAMAccess Control Overview
Rob Witcher5. IAMSSO & Federated Identity Mgmt
InfoSecTrain5. IAM 
Primary BookISC2 or Exam GuideRead the book
Rob Witcher6. Security Assessment & TestingOverview
Rob Witcher6. Security Assessment & TestingVA & PT
Rob Witcher6. Security Assessment & TestingLogging & Monitoring
InfoSecTrain6. Security Assessment & Testing 
Primary BookISC2 or Exam GuideRead the book
Rob Witcher7. Security OperationsInvestigations
Rob Witcher7. Security OperationsIncident Response
Rob Witcher7. Security OperationsMalware
Rob Witcher7. Security OperationsPatching & Change Management
Rob Witcher7. Security OperationsRecovery Strategies
Rob Witcher7. Security OperationsBusiness Continuity Management
InfoSecTrain7. Security Operations 
Primary BookISC2 or Exam GuideRead the book
Rob Witcher8. Software Development SecuritySecure Software Development
Rob Witcher8. Software Development SecurityDatabses
InfoSecTrain8. Software Development Security 
Luke Ahmed8. Software Development SecuritySystem Development Lifecycle
Primary BookISC2 or Exam GuideRead the book
Luke Ahmed4. Comm & Network SecurityDifferent types of Cabling
Luke Ahmed3. Sec. Architecture & Engi.Symmetric Key Encryption
Luke Ahmed4. Comm & Network SecurityPort Address Translation
Luke Ahmed4. Comm & Network SecurityTCP/IP Handshake
Luke Ahmed4. Comm & Network SecurityFirewall Deployment Architecture 1
Luke Ahmed4. Comm & Network SecurityFirewall Deployment Architecture 2
Luke Ahmed Internet of Things
Luke Ahmed4. Comm & Network SecurityTransport Layer Security
Luke Ahmed4. Comm & Network SecurityOSI Model
Luke Ahmed4. Comm & Network SecurityResponsibilities in the Cloud
Luke Ahmed4. Comm & Network SecurityPublic Cloud
Luke AhmedNew TopicKerberoasting
Luke Ahmed User & Entity Behavior Analysis
Practice ExamsMcGraw HillSolve Exams
IT DojoQuestion of the dayAll domains
Adam GordonAdam Gordon’s Question of the dayRead all these
11th Hour CISSPRevision before ExamRead the book
Luke AhmedHow to think Like a ManagerRead the book
FlashcardsRob WitcherAndroid
Test EngineMock Test 1Mock Test
Test EngineMock Test 2Mock Test
Test EngineMock Test 3Mock Test
Test EngineMock Test 4Mock Test
Test EngineMock Test 5Mock Test

OWASP Top 10 – XSS

  • Sending untrusted data to system
  • sending text based attack scripts to exploit interpreter in browser


  • session hijacking
  • defacement
  • insert hostile content
  • redirect user


  • escape all untrusted data
  • whitelisting
  • input validation
  • server-side validation
  • For rich content – auto sanitation library ex. OWASP Anti-SAMY

OWASP Top 10 – XML External Entities (XXE)

This causes

  • Data extraction
  • Remote  code execution
  • Scan internal systems
  • Perform Denial of Service.

Your application is vulnerable if it uses SAML for identity processing and your XML Processor parses

  • Untrusted XML Acceptance
  • Untrusted XML Uploads
  • Inserting untrusted data in XML


  • sanitize input
  • SOAP 1.2
  • Patch and upgrade XML  processor

DISABLE XML External Entity and DTD Processing in all XML Parsers in applications.

OWASP Top 10 – Sensitive Data Exposure

Data Security at Rest, In Transit and In Client Browser.


  • Encryption – Key Rotation, Storage, Split Knowledge
  • Data Masking
  • No hard-coded credentials
  • Disable Page caching (This comes in handy in case of permission changes)
  • Re-verification of identity, object.
  • no plain text data exchange
  • no weak algorithms
  • Discard sensitive data (from session/memory/cache etc.) ASAP.
  • Preferably encrypt data even when it is in memory (performance overhead).

OWASP Top 10 – Broken Authentication

  • Dictionary attack
  • leaked credentials
  • attacker gains access then causes identity theft, frauds, money, card, data frauds.


  1. Confirm users identity and session management
  2. implement multi-factor authentication.
  3. no default credentials ( or credential standards)
  4. Implement weak password checks
  5. length, complexity, history check,
  6. limit failed logins
  7. log every activity regardless of success or failure


Probably implement something using