Menu
The 100-day CISSP study plan

CISSP Success Toolkit — The 100-Day CISSP Study Plan

Every other CISSP book tells you what to know. This one tells you what to do — today, tomorrow, and for the next hundred days.

If you have already bought two CISSP books and read neither past Domain 3, the problem was never you. It was that nobody handed you a plan. This is the plan: one hundred numbered days, all eight domains, twenty to forty-five minutes a day, and a coach's voice on every page telling you exactly what to open next.

Written by Manoj Sharma — CISSP · CISM · CISA · CEH · ISO 27001 Lead Auditor. Also available in paperback.

Kindle
Paperback ×2
CISSP Success Toolkit book by Manoj Sharma — 100-day CISSP study plan, available on Kindle and paperback
100Numbered days
8CBK domains
20–45Minutes a day
8Day exam sprint
The real problem

You do not have a knowledge problem. You have a plan problem.

Let me say the thing most study guides will not. You are not failing to start because you are lazy, and you are not stalling in Domain 3 because you are not clever enough. You are stalling because you opened a nine-hundred-page book on a Tuesday night after a full day of work, read fourteen pages about security models, and had absolutely no idea whether that was enough, too little, or the wrong chapter entirely.

That is not a knowledge gap. That is a structure gap. And no amount of extra content fixes a structure gap — it makes it worse. Every book you add to the pile is one more thing you are behind on.

So here is the honest diagnosis. Most capable CISSP candidates who never sit the exam did not run out of ability. They ran out of sequence. They never knew what today was for.

What it is

What the CISSP Success Toolkit book is

The CISSP Success Toolkit is a 100-day, day-by-day CISSP exam preparation book by Manoj Sharma — founder of Cybernous Infosec Consulting and a CISSP, CISM, CISA, CEH and ISO 27001 Lead Auditor. It covers all eight domains of the (ISC)² CISSP Common Body of Knowledge, structured as one hundred numbered daily units rather than as reference chapters.

Each Learning Day takes 20 to 45 minutes and ends with an Exam Focus section. Revision Days consolidate each week and each domain; the final eight days are an Exam Sprint that trains question-reading and decision-making rather than new content. It is built for the CISSP's Computerised Adaptive Test (CAT) format — which measures judgment, not recall — so it teaches you to answer as a senior security manager, not a technician. Available as a Kindle ebook and a two-volume paperback on Amazon.

TitleCISSP Success Toolkit
AuthorManoj Sharma — CISSP, CISM, CISA, CEH, ISO 27001 Lead Auditor
PublisherCybernous Infosec Consulting LLP
ISBN978-93-6012-722-0
FormatKindle ebook · Paperback (2 volumes)
Structure100 daily units — Learning, Revision, Rest, Exam Sprint
CoverageAll 8 (ISC)² CISSP CBK domains
Daily commitment20–45 minutes (Learning Days)
Exam format trainedCISSP CAT — judgment-based, adaptive
Best forSelf-studying working professionals
PriceAffordable for every budget — see Amazon
Also includedKindle Unlimited free for the first 90 days
Guide vs plan

The difference between a CISSP study guide and a CISSP study plan

Think about how you learned to drive. Nobody handed you a manual on internal combustion and wished you luck — someone told you what to practise each day. The content matters; the sequence is what gets you a licence.

Every other CISSP bookCISSP Success Toolkit
Organised byDomain and topicDay number
Answers the question"What do I need to know?""What do I do tonight?"
You open it and findA chapterToday's twenty-five minutes
When you fall behindYou cannot tell that you haveDay 34 tells you immediately
RevisionYour job to scheduleBuilt in and dated
TrainsRecall of the CBKJudgment under CAT conditions
Ends withAn indexAn exam date

Both kinds of book are legitimate. If you want the most concise possible reference to the CBK, buy a reference — there are excellent ones, and I will name them further down this page. But if what has beaten you so far is starting on Monday and still being on Domain 1 in March, no reference will save you. You need a plan with your name on it.

The whole plan, ungated

Visualise the 100-Day CISSP Success Plan, encoded in the book

No email gate, no "download the sample" — the map is the product's honest claim, so you can see the whole thing before you spend anything.

The 100-day map — hover any day for its topicPin it to the wall.
1Day 01Professional Ethics
2Day 02Security Concepts (CIA)
3Day 03Security Governance Principles
4Day 04Control & Risk Frameworks
5Day 05Legal, Regulatory & Compliance
6Day 06Privacy & Investigation Types
7Day 07Weekly Revision — D1 Wk1
8Day 08Policies, Standards & BC
9Day 09Personnel Security
10Day 10Risk Management Concepts
11Day 11Threat Modeling
12Day 12Supply Chain Risk (SCRM)
13Day 13Security Awareness & Training
14Day 14Domain 1 Revision
15Day 15Classification & Asset Management
16Day 16Data Governance Roles
17Day 17Data Lifecycle & Sanitization
18Day 18Retention & End-of-Life
19Day 19Data States & Encryption
20Day 20Obfuscation, DRM & CASB
21Day 21Domain 2 Revision
22Day 22Secure Design & Zero Trust
23Day 23Security Models (BLP, Biba…)
24Day 24C&A & Evaluation Criteria
25Day 25Rest Day
26Day 26System Security Capabilities
27Day 27Architecture Vulnerabilities
28Day 28Weekly Revision — D3 Wk1
29Day 29Virtualization & Cloud
30Day 30Cryptography Foundations
31Day 31Ciphers, Symmetric/Asymmetric
32Day 32PKI & Digital Certificates
33Day 33Digital Signatures & Key Mgmt
34Day 34Cryptanalytic Attacks
35Day 35Weekly Revision — D3 Wk2
36Day 36Physical Security: Site
37Day 37Physical: HVAC, Fire, Power
38Day 38Information System Lifecycle
39Day 39Rest Day
40Day 40Domain 3 Revision
41Day 41OSI Model (L7–L5) & DNS
42Day 42OSI Layers 4–1
43Day 43IP, Subnetting & NAT
44Day 44Multilayer Protocols & VoIP
45Day 45Rest Day
46Day 46Network Architecture & Topologies
47Day 47Segmentation & Micro-seg
48Day 48Wireless Security
49Day 49Weekly Revision — D4 Wk1
50Day 50Cellular, CDN & SDN
51Day 51VPC & Network Monitoring
52Day 52NAC, Endpoint & MDM
53Day 53Secure Network Components
54Day 54Proxies, Load Balancers & Email
55Day 55Secure Comms Channels
56Day 56Domain 4 Revision
57Day 57Identity & Access Controls
58Day 58SSO & Federated Identity
59Day 59Authorization Mechanisms
60Day 60Provisioning Lifecycle
61Day 61Privileged Access Mgmt
62Day 62RADIUS, DIAMETER, TACACS+
63Day 63Domain 5 Revision
64Day 64Assessment & Vuln Strategies
65Day 65Pen Testing & Log Reviews
66Day 66Software Testing
67Day 67Collect Security Process Data
68Day 68Analyze & Report Test Output
69Day 69Security Audits
70Day 70Domain 6 Revision
71Day 71Ops Foundations (Least Priv, SoD)
72Day 72Change & Config Management
73Day 73Resource Protection & Patching
74Day 74Rest Day
75Day 75Detection & Preventive Measures
76Day 76Logging & Monitoring
77Day 77Weekly Revision
78Day 78Incident Management
79Day 79Investigations
80Day 80Rest Day
81Day 81Recovery Strategies
82Day 82Disaster Recovery
83Day 83BCP & Personnel Safety
84Day 84Domain 7 Revision
85Day 85Security in the SDLC
86Day 86Agile, DevSecOps & CI/CD
87Day 87Dev Ecosystem Controls
88Day 88Dev Ecosystem Controls (2)
89Day 89Software Security & Acquired
90Day 90Secure Coding Standards
91Day 91Secure Coding, APIs & DB
92Day 92Domain 8 Revision
93Day 93Codebreaker Reading Method
94Day 94The Lookalike Lexicon
95Day 95BEST Answer Playbook
96Day 9650 Most-Tested Concepts
97Day 97The CISSP English Trap
98Day 98Am I Ready?
99Day 99Exam-Eve Prep
100Day 100Exam Day
LearningRevisionRestExam Sprint

The four kinds of day

Learning Days

Most of the hundred. A focused block of CBK content in a coach's voice, then the Exam Focus section. Twenty to forty-five minutes.

Revision Days

Weekly on Days 7, 28, 35, 49 and 77. Domain-end on Days 14, 21, 40, 56, 63, 70, 84 and 92. Week-in-Review, mind maps, twenty rapid-fire recall questions, ten CAT-format scenarios, and a closing message. Sixty to ninety minutes. These are the checkpoints — skipping one means you will not know what you do not know.

Rest Days

Days 25, 39, 45, 74 and 80. Five deliberate breaks. No quizzes, no targets. Rest is not a gap in the plan; it is part of how you pass, and the plan says so out loud.

Final Exam Sprint

Days 93–100. No new content. The question-reading method, the decision playbook, mock debriefs, and exam-day preparation. Day 100 is the night before your exam.

Inside each day

What's inside the book, every single day

The concept explained the way it gets explained in a live class — the why before the what, an everyday analogy for anything abstract, and an honest admission when a topic is genuinely difficult. Then, at the end of every Learning Day, the Exam Focus block: five fixed parts, zero overlap.

Quick Recall

The bare must-know facts from today. Nothing else.

Easy to Confuse

The vocabulary pairs the exam uses to trap you, side by side in a table.

Think Like a CISSP

One scenario, reframed from a manager's chair. No facts — just the shift.

Exam Trap Alerts

The wrong-answer mechanics. "If you see X, don't pick Y, because Z."

Key Terms

Exam-ready one-line definitions.

The mind maps

Every Revision Day carries concept mind maps — a whole week of CBK compressed onto one page. Pre-exam revision gold.

The CAT-format questions

Scenario questions written the way the real exam writes them: all four options plausible, a correct answer that is best rather than merely true, and a full explanation of why the right answer is right and why each wrong answer is wrong.

Proof of work

Look inside — real pages from the CISSP book

No screenshots of marketing copy — real, selectable page content, so you can judge the writing before you buy.

Sample — Exam Focus, "Easy to Confuse" (Domain 1)

Often confusedConcept AConcept BThe exam's tell
Appetite vs ToleranceRisk appetite — the broad amount of risk an organisation is willing to accept in pursuit of its objectives. Set at board level.Risk tolerance — the acceptable deviation from that appetite, measured per risk.Appetite is the strategic figure; tolerance is the permitted wobble around it.
Care vs DiligenceDue care — doing the right thing. The act.Due diligence — knowing the right thing. The research.Diligence comes first (you investigate), care comes second (you act). If the stem says "researched", think diligence.
Qualitative vs QuantitativeQualitative — judgment, ratings, high/medium/low.Quantitative — mathematics and money. SLE = AV × EF; ALE = SLE × ARO.If the question hands you a number, it wants quantitative. If it hands you an opinion, it wants qualitative.

Sample — a CAT-format question (Domain 1)

Scenario. A newly appointed CISO discovers that a legacy application processing customer personal data cannot be patched: the vendor has ceased trading and the source code is unavailable. The application is essential to revenue. The board wants a decision within a week.

Which of the following should the CISO do FIRST?

A. Isolate the application on a segmented network with strict access controls.
B. Present the risk to the business owner with treatment options and their cost implications.
C. Formally accept the risk and record it in the risk register.
D. Initiate an emergency project to replace the application.

► Answer: B

Why B is correct. The security manager advises; the business owner decides. Before any treatment is selected, the risk must reach the person with the authority to accept it or fund it. Your job here is to inform the decision, not to make it.

Why A is wrong. Segmentation is a sensible compensating control and may well be the eventual answer — but choosing it now means implementing a treatment before the owner has expressed an appetite. You are acting before you have advised.

Why C is wrong. The CISO cannot accept this risk. Only the business or data owner can. This is the single most-tested boundary in Domain 1, and it catches strong technical candidates every time.

Why D is wrong. An expensive treatment, chosen with no risk decision behind it and no budget owner in the room. "FIRST" also rules out the longest path on the board.

CISSP Mindset Note. Notice that every option is technically defensible. That is what a real CAT question feels like. The word that decides it is "FIRST", and the frame that decides it is the chair you are sitting in. You are not the person who fixes this. You are the person who tells the person who fixes this.

Real figures from the book — clear on any device

Every diagram is drawn for the small screen — genuine figures from the manuscript, readable on Kindle, tablet, phone or browser.

Sample page from the CISSP Success Toolkit showing the Defense in Depth layered model
Day 2 · Defense in Depth
Sample page from the CISSP Success Toolkit showing a risk heat map and risk appetite
Day 10 · Risk Heat Map
Sample page from the CISSP Success Toolkit showing the five goals of cryptography matrix
Day 30 · Goals of Cryptography
Sample page from the CISSP Success Toolkit explaining the birthday attack
Day 34 · The Birthday Attack
Sample page from the CISSP Success Toolkit showing the Kerberos ticket exchange
Day 58 · How Kerberos Works
Sample page from the CISSP Success Toolkit showing the NIST Risk Management Framework
Day 89 · NIST Risk Framework
All 8 domains

All eight CISSP domains, mapped to days

Domain 1 — Security and Risk Management (Days 1–14)

The (ISC)² Code of Ethics and its four canons. The CIA triad and security governance. Threats, vulnerabilities and risk. Qualitative and quantitative risk analysis — SLE, ALE, ARO, AV, EF. Risk response: accept, avoid, mitigate, transfer. The risk register. Compliance, legal and regulatory requirements. Due care and due diligence. Policies, standards, baselines, guidelines and procedures. Business continuity requirements. Personnel security and security awareness. The heaviest domain on the exam and the one that most rewards the manager mindset — which is why it gets a fortnight.

Domain 2 — Asset Security (Days 15–21)

Information and asset classification — government and commercial schemes, and why they must never be swapped. Data owners, custodians, stewards and processors. Data lifecycle and retention. Data remanence and media sanitisation: clearing, purging, destruction. Data states and protection methods. Privacy requirements.

Domain 3 — Security Architecture and Engineering (Days 22–40)

Secure design principles. Security models — Bell-LaPadula for confidentiality, Biba for integrity, Clark-Wilson, Brewer-Nash. Evaluation criteria and Common Criteria EAL levels. Cryptography: symmetric and asymmetric, hashing, PKI, digital signatures, key management. Kerckhoffs’s principle. Cryptanalytic attacks. Physical and environmental security. The largest and most feared domain — so it gets nineteen days and two revision checkpoints.

Domain 4 — Communication and Network Security (Days 41–56)

The OSI and TCP/IP models and protocol placement. TCP versus UDP. Secure network components. Firewall generations and what each one can actually see. IPSec transport and tunnel modes, AH and ESP. VPNs, wireless, and network attacks. Secure communication channels.

Domain 5 — Identity and Access Management (Days 57–63)

Identification, authentication, authorisation and accountability. The three authentication factor types, and what genuinely counts as multi-factor. Kerberos and its ticket sequence. RADIUS, TACACS+ and LDAP. Access control models — MAC, DAC, RBAC, ABAC and Rule-BAC, and why RBAC and Rule-BAC are not the same thing. Federated identity, SSO and the identity lifecycle.

Domain 6 — Security Assessment and Testing (Days 64–70)

Assessment, test and audit strategies. Vulnerability assessment versus penetration testing — what identifies and what exploits. Penetration testing phases. Black, white and grey box. Log reviews, synthetic transactions, code review and testing. Misuse case testing. SOC 1, SOC 2 and SOC 3 reports and the Trust Services Criteria. Security metrics and management review.

Domain 7 — Security Operations (Days 71–84)

Investigations and evidence — the types, the chain of custody, and the gap that breaks it. Logging and monitoring. Configuration and change management. Incident management through the NIST SP 800-61 phases, in order. Detective and preventative measures. Patch and vulnerability management. Backup strategies — full, differential and incremental, and their restoration orders. Disaster recovery, RTO and RPO. Business continuity. Physical security and personnel safety.

Domain 8 — Software Development Security (Days 85–92)

Security in the SDLC. Development methodologies — waterfall, Agile, DevSecOps — and where security lives in each. Maturity models. Source code weaknesses. Static and dynamic analysis — SAST and DAST. The OWASP Top 10. Buffer overflows, stack and heap. Database security. Secure coding practices. Software acquisition security and source code escrow.

An honest answer

Is this CISSP book for you?

The list on the right costs us sales. It stays anyway — you are trusting me with a hundred days of your life, and that has to start with the truth about what this is.

Yes — if this sounds like you

  • You are working full time and studying in the gaps. Twenty-five focused minutes is realistic; three-hour sessions are a fantasy.
  • You have started before and stalled, and the shelf already has a book with a bookmark in Domain 3.
  • You know things but keep failing mocks. Your concepts are fine. Your judgment is untrained — this book treats that as a different problem.
  • You are self-studying without a cohort and nobody is checking whether you turned up today.
  • You want one clear next action, not a fifth reference.
  • You are in India or a price-sensitive market and ₹4,000 for a textbook is a genuine barrier.
  • You are starting from scratch and need someone to say "begin here" and mean it.

No — probably not, if this is you

  • You sit the exam in three weeks. This is a hundred-day plan. Take our free CISSP practice questions instead and use whatever reference you already own.
  • You want an encyclopaedic desk reference for the next decade. This is a consumable study plan, not a shelf book. Buy Sybex or All-in-One — they are excellent at being that, and this is not trying to be.
  • You already have a plan that is working. Do not break it. The worst thing you can do at Day 60 of something that works is buy something new and shake a confidence you earned.
  • You want video lessons. The book is standalone and complete, but it is a book. The paid coached CISSP programme is where the video lives.
Where it fits

Where this book sits in your study stack

I am going to do something a sales page does not normally do and tell you honestly what else is out there — because you will find out anyway, and I would rather you heard it from your coach.

ResourceWhat it is genuinely good atTypical India price
CISSP Success ToolkitThe daily plan. What to do tonight, for a hundred nights, and how to think like a manager while you do it.≈80–90% cheaper — affordable by all
Destination CISSPConcision. The tightest, best-designed summary of the CBK in print.~₹3,438
Sybex Official Study GuideBreadth and official alignment. The exhaustive reference.~₹4,270
CISSP All-in-One (Harris/Maymí)Depth. When you need a topic explained to the bottom.~₹5,597

Prices are indicative and should be re-checked on Amazon before purchase.

The honest recommendation: a plan and a reference do different jobs. If you can afford both, run this book as your daily spine and keep a reference on the desk for the nights a concept will not land. If you can afford one and you have already stalled once — buy the plan. The reference you did not read is not the one that failed you.

Manoj Sharma, CISSP CISM, author of the CISSP Success Toolkit
Meet your coach

Meet your coach — Manoj Sharma

CISSP · CISM · CISA · CEH · ISO 27001 Lead Auditor · Founder, Cybernous Infosec Consulting

Hello — I'm Manoj, and if you have read this far, we are already on this journey together.

I have spent more than two decades at the intersection of cybersecurity, risk management and professional development. I have sat on both sides of the exam table — as a candidate who knows exactly what a screenful of 150 questions does to your stomach, and as a coach who has watched thousands of professionals turn that feeling into a passing score.

This book was born out of a simple frustration. The available study resources were either too dense or too shallow, and neither works well for the CAT format, which tests judgment rather than recall. So I built something different: the Smart Notes I actually teach from — distilled from the CBK, from real exam feedback, and from hundreds of coaching sessions — written the way I speak in class. Directly, warmly, and with an honest admission when a topic is genuinely hard.

My promise is narrow and I will keep it. Follow the hundred days. Engage with the Exam Focus sections. Attempt every CAT question honestly. You will walk into your exam with the knowledge, the mindset and the confidence you need. Now — let's get to work. Hope you enjoy your CISSP Journey 😊

— Manoj Sharma

More about Manoj Sharma →contact@cybernous.com

Get the book

Get the book

Kindle ebookPaperback
PriceSee Amazon — affordable for every budget2 volumes — see Amazon
Read onKindle, phone, tablet, browserPrint
Best forThe daily commute — the format the book was designed aroundThe desk, and marking up
AvailableNowOn Amazon

Also enrolled in Kindle Unlimited for the first 90 days — if you are a member, it is included.

FAQ

Frequently asked questions

Is the CISSP Success Toolkit a study guide or a study plan?

It is a study plan. Most CISSP books are organised by domain and answer the question "what do I need to know?" This one is organised by day and answers "what do I do tonight?" It covers all eight CBK domains, but the organising axis is the hundred-day calendar, not the topic list.

How long does it take to study for the CISSP with this book?

One hundred days. Learning Days take 20–45 minutes; Revision Days take 60–90 minutes; five Rest Days ask nothing at all. At one unit a day you finish in a little over fourteen weeks, with time to spare before your exam date.

Can I use it if I only have 30 minutes a day?

Yes — that is precisely who it is built for. Every Learning Day is sized for a commute or a lunch break. The plan assumes you have a job, not a sabbatical.

Does it cover all eight CISSP domains?

Yes. All eight domains of the (ISC)² CISSP Common Body of Knowledge, mapped to specific days: Security and Risk Management (Days 1–14), Asset Security (15–21), Security Architecture and Engineering (22–40), Communication and Network Security (41–56), Identity and Access Management (57–63), Security Assessment and Testing (64–70), Security Operations (71–84), and Software Development Security (85–92). Days 93–100 are the final Exam Sprint.

Does it include practice questions?

Yes. Every Revision Day carries twenty rapid-fire recall items and ten CAT-format scenario questions with full explanations of why the correct answer is correct and why each incorrect answer is incorrect. Every Learning Day ends with an Exam Focus section. For higher volume, the free practice questions on cybernous.com and the Udemy 750-question bank sit alongside the book.

Is this enough on its own, or do I need another book?

It is designed to stand alone and it does. If you can afford a second resource, a concise reference beside it helps on the nights a concept will not land — but the plan is the part that gets you to Day 100.

Is it suitable for beginners?

Yes, if you meet the CISSP experience requirement. The book starts at first principles and explains the why before the what. It does not assume you have read the CBK already.

What is the CISSP CAT format, and how does this book prepare me for it?

The CISSP is a Computerised Adaptive Test: questions get harder as you answer correctly, and it measures judgment rather than recall. The book trains that judgment directly — the "Think Like a CISSP" block in every Exam Focus section reframes the day's topic from a senior security manager's chair, and every practice question is written all-true/one-best, the way the real exam writes them.

Why is it two volumes in paperback?

Amazon's print specification caps a single paperback's page count, and the full manuscript exceeds it. The Kindle edition is a single complete volume; the paperback is split across two. The content is identical.

How much does it cost?

The Kindle edition is priced to be affordable for every budget — a fraction of the cost of a standard CISSP reference, and included in Kindle Unlimited for the first ninety days. See the Amazon listing for current pricing in your marketplace.

Is Cybernous affiliated with (ISC)²?

No. Cybernous Infosec Consulting is an independent training and coaching organisation. CISSP® is a registered trademark of (ISC)², Inc. Cybernous is not affiliated with, endorsed by, or sponsored by (ISC)².

Start tonight

A hundred days from now, you will have done something.

The only question is whether it was this.

You are going to spend the next hundred days doing something — that part is not optional, the days are going to pass regardless. The choice in front of you is only whether they pass with a plan attached to them or without one.

Twenty-five minutes tonight. Day 1 is ethics, and it is genuinely one of the easier ones. Start there.

Hope you enjoy your CISSP Journey 😊  — Manoj

CISSP Success Toolkit book cover
CISSP® is a registered trademark of (ISC)², Inc. Cybernous Infosec Consulting is not affiliated with, endorsed by, or sponsored by (ISC)².