// CLASSIFIED — OPERATIONAL BATTLE PLAN — EYES ONLY

CISSP Battle Plan

Eight domains. One exam. The certification that gates senior cybersecurity roles industry-wide. This is the live tactical roadmap I’m executing against — domain weights, study cadence, resource stack, and the cognitive tactics for endurance under a six-hour CAT exam window.

OBJECTIVE: CISSP — ISC2
DOMAINS: 8 / CBK
EXAM FORMAT: CAT • 100–150 Q
TIME WINDOW: 6 hours
$ ls ./cbk/domains/

The Eight Domains

01
Security & Risk Management
// governance • risk • compliance • ethics
WEIGHT 16%
// FOCUS AREAS
  • CIA + AAA + non-repudiation — internalize before all else.
  • Risk frameworks: NIST RMF, ISO 27005, FAIR — know when each is preferred.
  • Security governance: policies, standards, procedures, guidelines.
  • Legal & regulatory: GDPR, HIPAA, SOX, PCI DSS — trigger conditions.
  • Personnel security and BCP / DRP foundations.
// TACTICAL NOTES
  • Highest-weight domain. Sets the language ISC2 expects you to speak.
  • Manager-level questions live here — think “what does the BUSINESS need?”
  • Crucial for senior tier roles — understand risk treatment options cold.
  • Ethics canon must be memorized verbatim.
02
Asset Security
// classification • ownership • retention
WEIGHT 10%
// FOCUS AREAS
  • Data classification (Public, Internal, Confidential, Secret, TS) and handling.
  • Data lifecycle: create → store → use → share → archive → destroy.
  • Roles: data owner vs. custodian vs. processor vs. controller.
  • Retention, sanitization (NIST 800-88), and secure destruction.
  • Privacy concepts — PII, PHI, data minimization.
// TACTICAL NOTES
  • Smallest domain by weight, but high concept density.
  • Memorize the data lifecycle and roles — ISC2 LOVES role questions.
  • Sanitization methods (clear, purge, destroy) — know which fits which media.
  • Privacy regs link back to Domain 1.
03
Security Architecture & Engineering
// crypto • trusted systems • secure design
WEIGHT 13%
// FOCUS AREAS
  • Cryptography: symmetric, asymmetric, hashing, PKI, key mgmt.
  • Trusted Computing Base (TCB), reference monitor, security models.
  • Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash — know each scenario.
  • Secure design principles, hardware security, evaluation criteria.
  • Site / facility security, fire suppression, environmental controls.
// TACTICAL NOTES
  • Heavy crypto focus — this is where engineers shine.
  • Security models always appear — map them to integrity vs. confidentiality.
  • Don’t skip physical security — it WILL show up.
  • Build a one-page crypto cheatsheet (algorithms, key sizes, modes).
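Added example (not from the original post): a toy reference monitor that decides read/write requests under Bell-LaPadula and Biba side by side, so the "map them to integrity vs. confidentiality" point above becomes visible as two mirror-image rule sets. The lattice of levels, the compartments, the subject and the objects are all constructed for the demo; the dominance check, the simple/star properties and the `decide` helper are assumptions of this example, not anything ISC2 or the author supplies.

```python
"""Toy reference monitor for the Bell-LaPadula (confidentiality) and Biba
(integrity) models. Added illustration, not the author's material; the
levels, compartments, subject and objects are constructed for the demo."""

from dataclasses import dataclass, field

# Hierarchical levels, lowest to highest (constructed lattice for the demo).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A lattice label: a level plus a set of need-to-know compartments."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level AND a superset of compartments."""
        return (RANK[self.level] >= RANK[other.level]
                and other.compartments <= self.compartments)


def bell_lapadula(subject: Label, obj: Label, op: str) -> bool:
    """Confidentiality model.
    simple security property: no read up    (subject must dominate object)
    *-property:               no write down (object must dominate subject)"""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation: {op!r}")


def biba(subject: Label, obj: Label, op: str) -> bool:
    """Integrity model, the mirror image of Bell-LaPadula.
    simple integrity property: no read down (object must dominate subject)
    *-integrity property:      no write up  (subject must dominate object)"""
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation: {op!r}")


def decide(subject: Label, obj: Label, op: str) -> dict:
    """Evaluate one request under both models so the two can be compared."""
    return {"bell_lapadula": bell_lapadula(subject, obj, op),
            "biba": biba(subject, obj, op)}


# Constructed sample: a SECRET subject cleared for the CRYPTO compartment.
SUBJECT = Label("SECRET", frozenset({"CRYPTO"}))
OBJECTS = {
    "ts_crypto_doc": Label("TOP_SECRET", frozenset({"CRYPTO"})),     # above the subject
    "conf_memo": Label("CONFIDENTIAL"),                               # below the subject
    "secret_nuclear_doc": Label("SECRET", frozenset({"NUCLEAR"})),   # same level, no need-to-know
}


def decision_table() -> dict:
    """Every (object, op) pair decided under both models; keyed by 'object:op'."""
    return {f"{name}:{op}": decide(SUBJECT, obj, op)
            for name, obj in OBJECTS.items() for op in ("read", "write")}


if __name__ == "__main__":
    print(f"{'request':<30}{'BLP':<8}{'Biba':<8}")
    for key, result in decision_table().items():
        print(f"{key:<30}{str(result['bell_lapadula']):<8}{str(result['biba']):<8}")
```

Run it and the table makes the exam point concrete: the SECRET subject may write up but not read up under Bell-LaPadula, and exactly the reverse under Biba; the same-level object in a compartment the subject lacks is refused by both models in both directions, which is the need-to-know half of the lattice that scenario questions like to hide behind a plain "SECRET" label.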
04
Communication & Network Security
// OSI • protocols • secure transport
WEIGHT 13%
// FOCUS AREAS
  • OSI + TCP/IP layers, ports, and protocols (memorize cold).
  • Secure protocols: TLS, IPSec, SSH, S/MIME, DNSSEC.
  • Network segmentation, firewalls, IDS / IPS, NAC, VPNs.
  • Wireless security: WPA3, EAP, 802.1X, rogue AP defense.
  • Modern: SDN, SD-WAN, micro-segmentation, zero trust networking.
// TACTICAL NOTES
  • Network+ N10-009 already gave me a head-start here.
  • OSI layer questions are gimmes if you have port + protocol mapping memorized.
  • Wireless / mobile sections trip many candidates — don’t skim them.
  • Tie everything back to defense-in-depth.
05
Identity & Access Management
// IAM • authn • authz • federation
WEIGHT 13%
// FOCUS AREAS
  • Identification, authentication, authorization, accountability.
  • Auth factors: knowledge, possession, inherence, location, behavior.
  • Federation: SAML, OAuth 2.0, OpenID Connect, Kerberos.
  • Access control models: DAC, MAC, RBAC, ABAC, RuBAC.
  • IAM lifecycle: provision → review → deprovision — with audit.
// TACTICAL NOTES
  • Practical operator domain — lean on ISA/ISSM experience.
  • Federation protocols are easy points if you can keep them straight.
  • MAC vs. RBAC vs. ABAC scenarios — know the discriminator.
  • SSO trade-offs (single point of failure) appear regularly.
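Added example (not from the original post): the same access request evaluated under RBAC and under ABAC, to show the discriminator the notes above ask for. RBAC answers from role membership alone; ABAC answers from a policy over subject, resource, action and environment attributes, so one role can be allowed on shift and refused off shift. The roles, permission sets, attributes, policy rules and the `compare` helper are constructed for this demo and are not part of any real IAM product or of the author's material.

```python
"""One request decided under RBAC (role membership) and ABAC (attribute policy).
Added illustration, not the author's material; roles, permissions, attributes
and rules below are constructed for the demo."""

# RBAC: a static map from role to (resource_type, action) permissions.
ROLE_PERMISSIONS = {
    "analyst":  {("ticket", "read"), ("ticket", "comment")},
    "soc_lead": {("ticket", "read"), ("ticket", "comment"), ("ticket", "close")},
    "auditor":  {("ticket", "read"), ("audit_log", "read")},
}


def rbac_allows(subject: dict, resource: dict, action: str, env: dict) -> bool:
    """RBAC consults role membership only; resource and environment attributes are ignored."""
    return any((resource["type"], action) in ROLE_PERMISSIONS.get(role, set())
               for role in subject["roles"])


# ABAC: each rule is a predicate over subject, resource, action and environment.
ABAC_POLICY = [
    ("read/comment own-department tickets while on shift",
     lambda s, r, a, e: a in ("read", "comment") and r["type"] == "ticket"
     and s["department"] == r["department"] and e["on_shift"]),
    ("close tickets: clearance 2+ and an MFA-backed session",
     lambda s, r, a, e: a == "close" and r["type"] == "ticket"
     and s["clearance"] >= 2 and e["mfa"]),
    ("auditors read audit logs only from the corporate network",
     lambda s, r, a, e: a == "read" and r["type"] == "audit_log"
     and "auditor" in s["roles"] and e["network"] == "corp"),
]


def abac_allows(subject: dict, resource: dict, action: str, env: dict) -> bool:
    """Deny by default; permit when any policy rule matches the full attribute set."""
    return any(rule(subject, resource, action, env) for _, rule in ABAC_POLICY)


def compare(subject: dict, resource: dict, action: str, env: dict) -> dict:
    """Both decisions for one request, so the discriminator is visible side by side."""
    return {"rbac": rbac_allows(subject, resource, action, env),
            "abac": abac_allows(subject, resource, action, env)}


# Constructed principals, resources and request contexts.
ANALYST = {"roles": ["analyst"], "department": "soc", "clearance": 1}
LEAD = {"roles": ["soc_lead"], "department": "soc", "clearance": 2}
SOC_TICKET = {"type": "ticket", "department": "soc"}
HR_TICKET = {"type": "ticket", "department": "hr"}
ON_SHIFT = {"on_shift": True, "mfa": True, "network": "corp"}
OFF_SHIFT = {"on_shift": False, "mfa": False, "network": "home"}

SCENARIOS = [
    ("analyst reads SOC ticket on shift",   ANALYST, SOC_TICKET, "read",  ON_SHIFT),
    ("analyst reads SOC ticket off shift",  ANALYST, SOC_TICKET, "read",  OFF_SHIFT),
    ("analyst reads HR ticket on shift",    ANALYST, HR_TICKET,  "read",  ON_SHIFT),
    ("analyst closes SOC ticket on shift",  ANALYST, SOC_TICKET, "close", ON_SHIFT),
    ("lead closes SOC ticket on shift",     LEAD,    SOC_TICKET, "close", ON_SHIFT),
    ("lead closes SOC ticket without MFA",  LEAD,    SOC_TICKET, "close", OFF_SHIFT),
]


def run_scenarios() -> dict:
    """Every scenario's RBAC and ABAC decision, keyed by its description."""
    return {name: compare(s, r, a, e) for name, s, r, a, e in SCENARIOS}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:<40} RBAC={result['rbac']!s:<6} ABAC={result['abac']!s}")
```

The rows where the two columns disagree are the discriminator: RBAC says yes to the analyst off shift and to the lead without MFA because the role has not changed, while ABAC says no because the environment did. When a scenario question hinges on time, location, device state or a resource attribute, that is the signal for ABAC; when it hinges only on job function, RBAC is the answer.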
06
Security Assessment & Testing
// audit • vuln • pen test
WEIGHT 12%
// FOCUS AREAS
  • Vulnerability scans vs. penetration tests vs. red team — distinguish clearly.
  • Audit types: internal, external, third-party, attestation.
  • Test strategies: black / white / gray box, static / dynamic.
  • Logging, monitoring, KPI / KRI design.
  • Disaster recovery and backup verification testing.
// TACTICAL NOTES
  • Lots of “which test fits this scenario” questions.
  • Know SOC 1 vs. SOC 2 vs. SOC 3 cold.
  • Tie testing back to RMF Assess step.
  • Practical RMF / POA&M experience translates here directly.
07
Security Operations
// IR • forensics • BCP • SOC
WEIGHT 13%
// FOCUS AREAS
  • Incident response lifecycle (NIST 800-61): prepare → detect → contain → eradicate → recover → lessons.
  • Digital forensics: chain of custody, evidence handling, volatility.
  • Logging, SIEM operations, threat intel, threat hunting.
  • BCP / DRP: BIA, RPO, RTO, MTD, hot / warm / cold sites.
  • Patch / vulnerability mgmt, configuration mgmt, change control.
// TACTICAL NOTES
  • HOME TURF — every job I’ve held has been this domain.
  • Lean on tactical NOC / SOC reflexes for scenario questions.
  • Know recovery objective acronyms and order cold (RPO < RTO < MTD).
  • Forensic principles translate from real cases I’ve worked.
08
Software Development Security
// SDLC • secure code • SCA
WEIGHT 10%
// FOCUS AREAS
  • Secure SDLC models: Waterfall, Agile, DevSecOps.
  • OWASP Top 10, CWE, secure coding principles.
  • Static (SAST), dynamic (DAST), interactive (IAST), software composition (SCA).
  • API security, supply chain, code signing, repository hygiene.
  • Maturity models: BSIMM, OpenSAMM, SAFECode.
// TACTICAL NOTES
  • Lowest weight but easy to undertrain on.
  • Memorize OWASP Top 10 + most-common CWEs.
  • Maturity models all do similar things — know the differences.
  • Tie DevSecOps back to ops experience to anchor concepts.
$ cat ./battle_plan/timeline.md

Phased Battle Plan

PHASE 01
WEEKS 1–6
Foundation Sweep
Read the Official ISC2 CBK + Sybex study guide cover to cover. One pass, slow and deliberate. Goal is breadth, not retention. Note unfamiliar terms in a personal glossary. Sketch the eight-domain mind map. Daily cadence: 90 minutes pre-shift, 60 minutes post-shift, hard stop.
PHASE 02
WEEKS 7–10
Concept Anchoring
Second pass with focus on weak domains identified in Phase 1. Build flashcards for crypto algorithms, security models, recovery objectives, OSI mappings. Begin Boson + LearnZapp practice questions at 50/day. Track weak topics in a kill-list spreadsheet — highest miss rate gets daily review.
PHASE 03
WEEKS 11–14
Question Saturation
Move to Pocket Prep + 50 Test + Wannapractice. 100–150 questions per day, mixed-domain. Read every explanation, even on questions answered correctly. Score >75% across simulated full-length tests before advancing. Add Destination Cert MasterClass for any domain still under 70%.
PHASE 04
WEEKS 15–16
Manager Mindset Drill
CISSP penalizes technicians who pick the most technical answer. Switch to manager mode: read every question through the lens of “what does the BUSINESS need?” Practice with Thor Pedersen’s easy/medium/hard sets. Eliminate distractor instinct. Drill for endurance — simulate 3-hour question sittings without breaks.
PHASE 05
WEEK 17
Final Recon & Rest
Light review only. Re-read your own glossary and kill-list notes. Sleep, hydrate, eat well. Schedule the exam for early morning. Day before: short walk, no studying after lunch, exam-day ritual locked in. The fight is already won — walk in like it.
$ cat ./battle_plan/loadout.txt

The Loadout

// PRIMARY MATERIAL
Official ISC2 CBK (10th Ed.)
The authoritative source. No shortcuts.
Sybex Official Study Guide
Chapple & Stewart — best companion read.
Destination Cert MasterClass
Pete Zerger — visual mind maps that stick.
// QUESTION BANKS
Boson ExSim-Max
Closest to real exam difficulty.
Pocket Prep + LearnZapp
Daily mobile drilling for queue moments.
Thor Pedersen Practice Sets
Manager-mindset training questions.
// AUDIO / VIDEO
Mike Chapple LinkedIn Learning
Domain-by-domain video series.
Kelly Handerhan SkillSet
The classic “why you will pass” talk.
Cyber Training Cafe
Long-form audio for commute reps.
$ cat ./battle_plan/tactics.txt

Cognitive Tactics

// THINK LIKE A MANAGER
When two answers seem correct, pick the one a CISO would defend in a board meeting — not the most technically clever one. Risk reduction beats clever every time.
// HUMAN LIFE IS ALWAYS FIRST
If a scenario involves life safety, the answer is always the option that protects people — even if it costs the system. This is reflex, not analysis.
// READ THE QUESTION TWICE
CAT exam questions are written to bait technicians. “FIRST,” “BEST,” “MOST IMPORTANT,” “LEAST” — these qualifiers change the right answer. Highlight them mentally before scanning options.
// ELIMINATE BEFORE SELECT
Strike out two wrong answers first. CISSP options are designed in pairs — one clearly wrong, one tempting wrong, and two reasonable. Eliminating the first two shrinks the cognitive load.
// PACE FOR ENDURANCE
Six hours is a marathon. Calibrate to ~1 minute per question. Don’t agonize — mark and move. The CAT engine adapts; momentum and accuracy beat perfection on any single question.
// TRUST THE TRAINING
By exam day the reps are done. The brain knows the answers; the job is to let it work without second-guessing. Doubt is the only thing that fails this exam.