CISSP Academy · Spaced repetition edition
Pass the CISSP — and never forget it.
A science-backed spaced-repetition study system that builds durable memory across all 8 CISSP domains. Designed for working security professionals.
16-week program · 8 domains · 250–300 exam questions · 700 passing score
Step 1 — Understand the method
Why most CISSP students fail — and how to avoid it
Cramming produces short-term recall. Spaced repetition builds durable knowledge that survives the exam and your career. Every session in this program is structured around four evidence-based learning principles.
Spaced repetition
Review material at increasing intervals: Day 1 → Day 3 → Day 7 → Day 14 → Day 30. Each review resets the forgetting curve at a higher retention baseline, compounding over 16 weeks.
Interleaving
Mix domains within sessions instead of marathon single-domain blocks. Interleaving forces deeper retrieval and strengthens cross-domain reasoning — critical for the CISSP manager-perspective questions.
Active recall
Close the book, then write what you know. Answer practice questions before re-reading. Retrieval practice is 50–80% more effective than passive re-reading for long-term retention.
Sleep consolidation
Cap sessions at 90 minutes. Sleep is when the hippocampus transfers short-term memory into long-term cortical storage. Rest is not optional — it is a core study technique.
Exam tip
Active recall beats passive re-reading: close the book, write what you remember, then verify. The exam rewards judgment built on durable recall — not recognition from having seen the same paragraph twice.
Step 2 — Follow the spaced timeline
16-week roadmap: four phases
The program introduces domains sequentially, then revisits them at scientifically optimal intervals. By Phase 3 you are interleaving all 8 domains simultaneously — the exact cognitive mode the exam demands.
Phase 1 · Weeks 1–4
Foundation
Introduce Domains 1–4. Establish flashcard habits. Build first mindmap. No practice exams yet — encode first.
Phase 2 · Weeks 5–8
Architecture
Introduce Domains 5–8. Begin first review cycle of D1–D4. Start weekly 25-question domain quizzes.
Phase 3 · Weeks 9–12
Integration
All 8 domains interleaved. First full 250-question mock exam. Error journal analysis. Weak domain targeting.
Phase 4 · Weeks 13–16
Mastery
3× full-length CAT mocks. Surgical weak-spot remediation. Week 16: light cards only, protect sleep.
Weekly detail
Phase 1 — Weeks 1–4 · Foundation: introduce Domains 1–4, build habits, encode before heavy testing.
| Week | Primary | Key topics | Review | Techniques | Hrs |
|---|---|---|---|---|---|
| Week 1 | D1 Security & Risk | CIA triad, governance frameworks, BCP basics, legal & regulatory | none | Read, mindmap, flashcards | 10h |
| Week 2 | D2 Asset Security | Data classification, ownership, privacy regs (GDPR, CCPA), retention | ↺ D1 | Recall test, 25 Qs | 10h |
| Week 3 | D3 Security Architecture | Security models (Bell-LaPadula, Biba), cryptography, PKI, evaluation criteria | ↺ D1, D2 | Teach-back, Q bank | 12h |
| Week 4 | D4 Comms & Network | OSI/TCP models, VPN, firewalls, wireless security, network attacks, SDN | ↺ D2, D3 | Diagrams, protocol labs | 12h |
Phase 2 — Weeks 5–8 · Architecture: Domains 5–8 on board, spiral review of earlier domains.
| Week | Primary | Key topics | Review | Techniques | Hrs |
|---|---|---|---|---|---|
| Week 5 | D5 Identity & Access Mgmt | IAM lifecycle, SSO, federation, OAuth/OIDC, PAM, zero trust, JML | ↺ D1, D3 | Scenario Qs, Anki deck | 12h |
| Week 6 | D6 Security Assessment | Vuln management, pen testing phases, audit types, SOC operations, SIEM | ↺ D2, D4 | Mock test, gap analysis | 12h |
| Week 7 | D7 Security Operations | IR lifecycle, forensics, DRP, physical security, patch mgmt, threat intel | ↺ D3, D5 | Tabletop drill, teach-back | 14h |
| Week 8 | D8 Software Dev Security | SDLC, DevSecOps, OWASP Top 10, code review, API security, supply chain | ↺ D4, D6 | Code review ex., Q bank | 12h |
Phase 3 — Weeks 9–12 · Integration: interleave all domains, full mocks, error journal.
| Week | Primary | Key topics | Review | Techniques | Hrs |
|---|---|---|---|---|---|
| Weeks 9–10 | All 8 domains interleaved | Cross-domain scenario questions. Manager-lens reasoning drills. | ↺ All D1–D8 | 250-Q mock, timed CAT sim | 16h/wk |
| Weeks 11–12 | Practice analysis + weak-domain deep dives | Error journal review. Teach-back sessions on weakest 3 domains. | ↺ Weakest 3 domains | Error journal, re-teach | 14h/wk |
Phase 4 — Weeks 13–16 · Mastery: CAT mocks, remediation, taper before exam day.
| Week | Primary | Key topics | Review | Techniques | Hrs |
|---|---|---|---|---|---|
| Weeks 13–15 | 3× full-length CAT mocks + targeted remediation | Debrief every wrong answer. Track domain %. Target sub-70% domains only. | ↺ All domains | Full CAT, debrief protocol | 14h/wk |
| Week 16 | Final prep — light review only | 20 Anki cards/day max. No new content. Exam logistics confirmed. | ↺ Quick cards | Rest, mindset prep | 4h |
Step 3 — Know your domains by weight
All 8 CISSP domains
Allocate study energy proportionally to exam weight. Domains 1, 3, 4, 5, and 7 are the heaviest, each accounting for 13–16% of the exam. Together they represent over 68% of questions.
| Domain | Name | Exam weight | Key topics |
|---|---|---|---|
| 01 | Security & Risk Management | 16% | Ethics, governance, compliance, legal & regulatory frameworks, risk management, BCP, threat modeling, privacy |
| 02 | Asset Security | 10% | Data classification, ownership models, privacy regs (GDPR, CCPA, HIPAA), data lifecycle management, secure disposal |
| 03 | Security Architecture & Engineering | 13% | Security models (Bell-LaPadula, Biba, Clark-Wilson), cryptography, PKI, cloud architecture, hardware security, secure design |
| 04 | Communication & Network Security | 13% | OSI/TCP-IP models, DNS, VPN types, firewall architectures, wireless (WPA3), network attacks, SDN, microsegmentation |
| 05 | Identity & Access Management | 13% | IAM lifecycle, MFA, SSO, federation, RBAC/ABAC, PAM, zero trust, provisioning governance, Joiner-Mover-Leaver |
| 06 | Security Assessment & Testing | 12% | Vulnerability assessments, pen testing phases, audit types, SOC operations, SIEM, log management, metrics |
| 07 | Security Operations | 13% | IR lifecycle, digital forensics, BCP/DRP, physical security, patch & change mgmt, threat intelligence, SOAR |
| 08 | Software Development Security | 10% | SDLC models, DevSecOps, OWASP Top 10, static/dynamic code analysis, API security, software supply chain risks |
Capstone
Final Mock Exam — CISSP Mastery
30 scenario-style questions across all domains, instant feedback, readiness gauge, and results summary.
Step 4 — Structure your day
Daily study block template
Two hours per weekday with structured Saturday review. This tempo gives you encoding time, sleep consolidation, and retrieval practice — the trifecta for long-term memory formation.
Exam tip
Treat sleep as part of the protocol: consolidation happens offline. Cramming past 90 minutes has diminishing returns; protect the block before your morning recall sprint.
6:00 – 6:20 AM · Morning recall sprint [review]
Flashcard deck from the previous session — no notes, pure retrieval. Log gaps immediately. This surfaces your weakest concepts before new input overwrites them.
6:20 – 7:20 AM · New domain content [new]
Read one chapter or primary source section. Summarize in your own words — no highlighting. Draw a mini mindmap or outline. Create 10–15 new Anki cards before closing the book.
7:20 – 7:40 AM · Practice questions [test]
20–30 targeted questions from the current domain. Review every wrong answer — the goal is to understand the reasoning behind the correct choice, not memorize answers.
Evening (optional) · Teach-back session [review]
Explain today's concept out loud to a colleague, study partner, or even a rubber duck. The Feynman Technique: if you cannot explain it simply, you do not yet understand it.
Saturday · 2h block · Cross-domain integration [review]
Mix 2 prior domains in a 50-question interleaved quiz. Track your per-domain percentage. Update your study matrix — domains below 70% get extra Anki time next week.
Sunday · Rest + mindmap update [rest]
Update your master CISSP concept map with new connections discovered this week. Light card review only (20 cards max). No new content. Sleep is a core protocol step.
Step 5 — Think like a manager
CISSP exam strategy: the senior manager mindset
The CISSP tests judgment, not memorization. ISC² measures your decision-making as a senior security leader. These six principles separate candidates who pass from technically strong candidates who fail.
Exam tip
Risk first, solution second
When two answers are technically correct, choose the one that best manages organizational risk. Ask: "What would a CISO recommend here?" not "What does the technician do?" Policy before procedure, strategy before tactic.
Exam tip
Senior authority principle
Questions about reporting, escalation, or authorization almost always point upward. Board › CISO › Manager. Data owner › data custodian. The senior-most role owns risk acceptance decisions. Always follow the accountability chain.
Exam tip
Root cause over symptoms
CISSP questions embed a symptom with multiple viable fixes. The best answer addresses the root cause or the most foundational preventive control — not the most expensive control or the one that reacts fastest.
Exam tip
Confidentiality wins tie-breakers
When security goals conflict, default to protecting confidentiality unless the scenario explicitly prioritizes availability (life-safety systems, emergency response). Security over usability is the CISSP default stance.
Exam tip
The "first step" pattern
"What should you do FIRST?" The answer is almost always: assess, identify, or classify before responding, implementing, or deploying. Analysis before action. This pattern appears in dozens of exam questions across all domains.
Exam tip
CAT exam behavior
The CISSP is adaptive. Early questions set your difficulty tier. If questions feel very hard, that signals you are in the high-scoring pool. Skipping is not possible. Slow and deliberate always beats fast and anxious. 125–175 questions, not 250.
Step 6 — Curated resources
Recommended study stack
Quality over quantity. Use fewer, better resources. Resource-hopping is a common failure pattern. This stack is lean, aligned with spaced repetition, and ranked by return on study time.
Primary textbook
ISC² CISSP Official Study Guide (OSG), 10th Ed.
Mike Chapple & James Stewart. The authoritative source — use as the spine of every study session. Read chapter → recall → flashcard. Do not substitute this with video alone.
Practice questions
Boson CISSP Practice Exams
Closest to real exam difficulty and explanation depth available. Use for weekly domain quizzes (Weeks 1–8) and full-length mocks (Weeks 13–15). Target 80%+ before exam day.
Flashcard & SRS
Anki + CISSP community decks
Anki's algorithm automates your spaced repetition intervals. Import a community CISSP deck, then add personal cards for every concept you study. 30 minutes of Anki daily compounds into mastery.
Video supplement
Thor Teaches CISSP (YouTube / Udemy)
Concept-first, exam-aligned delivery. Watch after each chapter to consolidate — not as a replacement for the OSG. Video supplements encoding; it does not replace it.
Visual learning
Miro or XMind — master concept map
Build a single growing CISSP concept map updated weekly. Visualizing cross-domain connections mirrors how the exam tests reasoning. Your map becomes your memory palace by Week 16.
Community
r/cissp + study partner network
Weekly public "study log" posts build external accountability. A study partner for teach-back sessions is the highest-ROI learning activity available. Teaching a peer outperforms solo review every time.