ISC2 CISSP

The ISC2 code of ethics: A binding requirement for certification

February 14, 2025 by Jeff Peters

Interested in earning your CISSP certification from ISC2? It’s the gold standard when it comes to information security professionals and can open the door to many positions within companies, organizations and government agencies around the world. To earn your certification, you’ll need to study and then pass an exhaustive CISSP certification exam. However, there’s more to it than just paying your fee and passing the test. 

ISC2 is committed to ensuring that all members of the organization behave ethically. This means you’re expected to make difficult ethical decisions and, as certified professionals, support one another in doing so. To do that, you’ll need to commit to supporting the ISC2 code of ethics. Not only is the code covered on the CISSP exam, but you will be expected to adhere to it during your career as an information security specialist — and even to report those who breach the code to the organization. 

Read on to learn what you should know about the code of ethics for CISSP and other ISC2 certifications.

For more CISSP exam tips, get our free CISSP exam tips ebook, or watch our free one-hour CISSP exam prep course with an instructor whose students have a 95% pass rate. 

Earn your CISSP, guaranteed!

Get live, expert CISSP training from anywhere. Enroll now to claim your Exam Pass Guarantee!

What is the ISC2 code of ethics? 

ISC2 states in its preamble to the actual code of ethics, “The safety and welfare of society and the common good, duty to our principals, and duty to each other, require that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this code is a condition of certification.” 

Essentially, the ISC2 code of ethics is a collection of requirements that apply to how you act, interact with others (including employers) and make decisions as an information security professional. The code is designed to attest to the character, ability, strength or truth of a fellow ISC2 member, which results in a high level of confidence on the part of those dealing with other members. 

In short, these rules apply at a high level to your behavior and to that of every other ISC2 certification holder. The code includes only four mandatory canons, but the organization offers further guidance on how to apply them in your professional life.

How does the ISC2 code of ethics affect those certified? 

You’ll find that the ISC2 code of ethics affects you and other certificate holders in several ways. First, you’ll need to understand the code and its ramifications to pass the CISSP exam (and all other certification exams offered by the organization). You’ll need to do more than just identify the canons — you must identify how those canons are applied in various ways in a professional setting. 

Another way the code of ethics will affect you and other certificate holders is that if you breach the code and another certificate holder observes the breach, they must file a complaint against you with the ISC2 ethics committee. The organization says, “Members who intentionally or knowingly violate any provision of the Code will be subject to action by a peer review panel, which may result in the revocation of certification.” 

In short, if you do not follow the code of ethics, the organization can pull your certification, leaving you without your credentials. 

What are the ISC2 code of ethics canons? 

There are four canons within the ISC2 code of ethics. They are relatively brief, but the organization offers further guidance on each. In addition, ISC2 understands that these four canons are not equal, and there is potential for conflict between them. If such conflict arises, you need to be able to solve the issue by using the canons, giving more importance to those with a higher rank. 

The official four canons are as follows, listed in order of importance: 

  • Canon 1: Protect society, the commonwealth and the infrastructure. 
  • Canon 2: Act honorably, honestly, justly, responsibly and legally. 
  • Canon 3: Provide diligent and competent service to principals. 
  • Canon 4: Advance and protect the profession. 

Those probably seem a little broad, and it can be difficult to recognize how they might apply to your professional life as a certificate holder. Thankfully, ISC2 offers a little further direction on applying these principles. 

For example, under the first canon, “Protect society, the commonwealth, and the infrastructure,” ISC2 expands by listing further guidance as: 

  • Promote and preserve public trust and confidence in information and systems. 
  • Promote the understanding and acceptance of prudent information security measures. 
  • Preserve and strengthen the integrity of the public infrastructure. 
  • Discourage unsafe practices. 

Under the second canon, “Act honorably, honestly, justly, responsibly and legally,” ISC2 broadens the scope by adding:

  • Tell the truth; make all stakeholders aware of your actions on a timely basis. 
  • Observe all contracts and agreements, express or implied. 
  • Treat all members fairly. In resolving conflicts, consider public safety and duties to principals, individuals and the profession in that order. 
  • Give prudent advice; avoid raising unnecessary alarms or giving unwarranted comfort. Take care to be truthful, objective, cautious and within your competence. 
  • When resolving different laws in different jurisdictions, give preference to the laws of the jurisdiction in which you render your service. 

Under the third canon, “Provide diligent and competent service to principals,” ISC2 offers this guidance:

  • Preserve the value of their systems, applications and information. 
  • Respect their trust and the privileges that they grant you. 
  • Avoid conflicts of interest or the appearance thereof. 
  • Render only those services for which you are fully competent and qualified. 

Under the final canon, “Advance and protect the profession,” ISC2 provides this guidance: 

  • Sponsor for professional advancement the most qualified people. All other things equal, prefer those who are certified and who adhere to these canons. Avoid professional association with those whose practices or reputation might diminish the profession. 
  • Take care not to injure the reputation of other professionals through malice or indifference. 
  • Maintain your competence; keep your skills and knowledge current. Give generously of your time and knowledge in training others. 

If you are aware of a credentialed member breaking these canons, it is your responsibility to report them to the ethics committee. 


How do I go about filing a complaint? 

If you need to file a complaint involving another credentialed member breaking the ISC2 code of ethics, you’ll need to follow a very specific set of procedures. Below, we’ll outline what you should know. 

Can you file this complaint? 

Before you attempt to file a complaint, you’ll need to make sure that you’re able to do so. The ethics committee will only hear complaints from those qualified to file them. What does that mean? It really comes down to the four canons and to whom those canons apply. 

For instance, anyone at all can bring a complaint involving canons one and two, including the general public. However, only employers and other “principals” can bring a complaint involving canon three, and only other certificate holders can bring a complaint involving the fourth canon. If your situation does not align with one of those requirements, you most likely cannot file a complaint at all. Contact the ethics committee for further clarification. 

Is your complaint confidential? 

The ISC2 code of ethics committee will strive to keep the process as confidential as possible and will not publish your name or the name of the person in violation of the code to the public. 

With that being said, the committee does tell the respondent (the individual breaking the code of ethics) your name as the complainant (the bringer of the complaint). The organization stresses that you and the respondent should maintain confidentiality to protect the profession and adhere to its code of ethics. 

Be as specific in your complaint as possible 

The committee does not have the time or resources to conduct an investigation into code of ethics breaches. That means your complaint needs to be as specific and accurate as possible. The committee will only consider a complaint that relates directly to a specific canon being broken, so make sure you identify it in your complaint. 

If you’re not entirely sure, the ethics committee can guide you. With that being said, if there is no clear evidence that a canon (or canons) has been broken, your complaint will be dismissed. 

Submit your complaint in writing 

First, understand that all complaints must be made in writing, and they must be made using the ISC2-specific affidavit form, which you can download here. Make sure to fill in all areas, including country, province/state and county, if applicable. Also, make sure your submission includes both your name and the date. 

The organization goes to great lengths to inform members that the ethics committee is not an investigative body and that they do not have the resources to investigate complaints. That means you’ll need to ensure that your complaint is as detailed as possible and contains all the evidence of the infraction. 

Provide as much evidence as possible 

Your written affidavit should begin with a list of facts concerning the situation (who, what, where, when, etc.). This is followed by further facts, documentation or evidence of the infraction. Again, be as specific as possible, as too little evidence will result in the committee taking no action. 

Where do you send your complaint? 

At the bottom of the document, sign the affidavit. You’ll need to have it notarized as well. When the affidavit is complete, you must send it by mail to the following address: 

Ethics Complaint
ISC2 Corporate
311 Park Place Blvd., Suite 400
Clearwater, FL 33759
USA

If you have questions regarding filing an ethics complaint, you can email them to Legal@ISC2.org. 

What happens after you file your complaint? 

If there is enough evidence to make this a prima facie case, the committee will consider the facts and make a recommendation to the board. 

However, if there is a disagreement about the facts, the committee may hear further evidence or even invite corroboration and rebuttals to determine the actual situation. In some instances, this may result in the complaint being dismissed. 

The ISC2 committee has this to say about such situations: “Neither the board nor its committee is an investigative body, and neither has the authority to compel testimony. We can consider only evidence submitted to us voluntarily. There may be many cases where this evidence is not sufficient to support any action. We can proceed only where a prima facie case is made. Where no such case is made, the committee will close the complaint without prejudice to either party.” 

Once it reaches a decision, the committee will send its recommendation to the board. However, understand that the “most limited and conservative” action will be recommended. What occurs next is up to the board. Both you and the respondent will be notified before the board takes action. 

When the board takes action, which can include everything up to revocation of the respondent’s certification, they will notify both of you within 30 days. All decisions of the board are final and cannot be appealed. 


ISC2 code of ethics and the exam 

The ISC2 code of ethics is a vital guide for making decisions in today’s information security world. It also works as a North Star regarding how you comport yourself with principals, the general public and other certificate holders. 

Breaking any of the four canons expressed within the code of ethics can lead to serious ramifications, so it’s crucial that you not only understand those canons but also how you should apply them in real-world situations. In fact, this is exactly what ISC2 is looking for when you answer questions about the code of ethics on the CISSP exam. 

To learn more about CISSP exam tips and tricks, check out our ebook, which offers CISSP advice from students and instructors. Many also find our CISSP training hub helpful because it’s packed with useful information to help you better understand the certification. And if you’re pivoting to cybersecurity mid-career, you’ll appreciate the guidance available in Cybersecurity certifications and skills: A roadmap for mid-career professionals. This ebook covers the CISSP and other in-demand certifications. 

Jeff Peters

Jeff Peters is a communications professional with more than a decade of experience creating cybersecurity-related content. As the Director of Content and Brand Marketing at Infosec, he oversees the Infosec Resources website, the Cyber Work Podcast and Cyber Work Hacks series, and a variety of other content aimed at answering security awareness and technical cybersecurity training questions. His focus is on developing materials to help cybersecurity practitioners and leaders improve their skills, level up their careers and build stronger teams.