The (ISC)2 Code of Ethics: A Binding Requirement for Certification
(ISC)2 Code Of Ethics
Interested in earning your CISSP certification from (ISC)2? It’s the gold standard when it comes to information security professionals and can open the door to many positions within companies, organizations, and government agencies around the world. In order to earn your certification, you’ll need to study and then pass an exhaustive examination. However, there’s more to it than just paying your fee and passing the test.
(ISC)2 is committed to ensuring that all members of the organization behave in an ethical manner. According to (ISC)2, “They are expected to make difficult ethical decisions and to support one another in doing so.” In order to do that, you’ll need to commit to supporting the (ISC)2 code of ethics. Not only is the code covered on the CISSP exam, but you will be expected to adhere to these canons during your career as an information security specialist, and even to report those who breach the code to the organization. So, what should you know about the (ISC)2 code of ethics for CISSP certification?
What Is the (ISC)2 Code of Ethics?
(ISC)2 states in its preamble to the actual code of ethics, “The safety and welfare of society and the common good, duty to our principles, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this code is a condition of certification.”
Essentially, the (ISC)2 code of ethics is a collection of requirements that apply to how you act, interact with others (including employers), and make decisions as an information security professional. The code is designed to “give assured reliance on the character, ability, strength, or truth of a fellow (ISC)2 member, and it provides a high level of confidence when dealing with a peer member.”
Essentially, these are rules that apply to your behavior and that of all other (ISC)2 certification holders at a high level. The code itself only includes four mandatory canons, but the organization does offer further guidance on those canons and how to apply them in your professional life.
How Does the (ISC)2 Code of Ethics Affect Those Certified?
You’ll find that the (ISC)2 code of ethics affects you and other certificate holders in a number of ways. First, you’ll need to understand the code and its ramifications in order to pass the CISSP exam (and all other certification exams offered by the organization). You’ll need to do more than just identify the canons – you must identify how those canons are applied in various ways in a professional setting.
Another way that the code of ethics will affect you and other certificate holders is that, if you breach the code and it is observed by another certificate holder, they must file a complaint against you with the (ISC)2 ethics committee. The organization says, “Members who violate any provision of the code will be subject to action by a peer review panel, which may result in the revocation of certification.” In short, if you do not follow the code of ethics, the organization can pull your certification, leaving you without your credentials.
What Are the (ISC)2 Code of Ethics Canons?
There are four canons within the (ISC)2 code of ethics. They are relatively brief, but the organization offers further guidance on each. In addition, (ISC)2 understands that these four canons are not equal, and there is the potential for conflict between them. If such conflict arises, you need to be able to solve the issue by using the canons in order (they’re ranked in order of importance below).
The official four canons are as follows:
- Protect society, the commonwealth, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
Those probably seem a little broad and it can be difficult to recognize how they might apply to your professional life as a certificate holder. Thankfully, (ISC)2 offers a little further direction on applying these principles.
For example, under the first canon, “Protect society, the commonwealth, and the infrastructure,” (ISC)2 expands by listing further guidance as:
- Promote and preserve public trust and confidence in information and systems.
- Promote the understanding and acceptance of prudent information security measures.
- Preserve and strengthen the integrity of the public infrastructure.
- Discourage unsafe practices.
Under the second canon, “Act honorably, justly, responsibly and legally,” they broaden the scope by adding:
- Tell the truth; make all stakeholders aware of your actions on a timely basis.
- Observe all contracts and agreements, express or implied.
- Treat all members fairly. In resolving conflicts, consider public safety and duties to principals, individuals, and the profession in that order.
- Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take care to be truthful, objective, cautious, and within your competence.
- When resolving different laws in different jurisdictions, give preference to the laws of the jurisdiction in which you render your service.
Under the third canon, “Provide diligent and competent service to principals,” they offer this guidance:
- Preserve the value of their systems, applications and information.
- Respect their trust and the privileges that they grant you.
- Avoid conflicts of interest or the appearance thereof.
- Render only those services for which you are fully competent and qualified.
Under the final canon, “Advance and protect the profession,” (ISC)2 offers this guidance:
- Sponsor for professional advancement those best qualified. All other things equal, prefer those who are certified and who adhere to these canons. Avoid professional association with those whose practices or reputation might diminish the profession.
- Take care not to injure the reputation of other professionals through malice, or indifference.
- Maintain your competence; keep your skills and knowledge current. Give generously of your time and knowledge in training others.
If you are aware of a credentialed member breaking these canons, it is your responsibility to report them to the ethics committee.
How Do I Go About Filing a Complaint?
If you need to file a complaint involving another credentialed member breaking the (ISC)2 code of ethics, you’ll need to follow a very specific set of procedures. Below, we’ll outline what you should know.
Can You File This Complaint: Before you attempt to file a complaint, you’ll need to make sure that you’re actually able to do so. The ethics committee will only hear complaints from those qualified to file them. What does that mean? It really comes down to the four canons and whom those canons apply to.
For instance, anyone at all can bring a complaint involving canons one and two, including the general public. However, only employers and other “principals” can bring a complaint involving canon three, and only other certificate holders can bring a complaint involving the fourth canon. If your situation does not fit those requirements, you most likely cannot file a complaint at all. Contact the ethics committee for further clarification.
Confidential, Sort of: The (ISC)2 code of ethics committee will strive to keep the process as confidential as possible, and will not publish your name or the name of the person in violation of the code to the public.
With that being said, the committee does tell the respondent (the individual breaking the code of ethics) your name as the complainant (the bringer of the complaint). The organization stresses that in order to protect the profession and adhere to its code of ethics, both you and the respondent should maintain confidentiality.
Be as Specific as Possible: The committee does not have the time or resources to conduct an investigation into code of ethics breaches. That means your complaint needs to be as specific and accurate as possible. The committee will only consider a complaint that relates directly to a specific canon being broken, so make sure you identify it in your complaint.
If you’re not completely sure, the ethics committee can guide you. With that being said, if there is no clear evidence that a canon (or canons) has been broken, your complaint will be dismissed.
In Writing: First, understand that all complaints must be made in writing, and they must be made using the (ISC)2-specific affidavit form, which can be downloaded here. Make sure to fill in all areas, including country, province/state and county if applicable. Make sure your name appears, as well as the date.
The organization goes to great length to inform members that the ethics committee is not an investigative body and that they do not have the resources to investigate complaints. What that means is you’ll need to ensure that your complaint is as detailed as possible and contains all the evidence available of the infraction.
Provide as Much Evidence as Possible: Your written affidavit should begin with a list of facts concerning the situation (who, what, where, when, etc.). This is followed by further facts, documentation, or evidence of the infraction. Again, be as specific as possible, as too little evidence will result in the committee taking no action.
Notarize and Mail It: At the bottom of the document, sign the affidavit. You’ll need to have it notarized as well. When the affidavit is complete, you must send it by mail to the following address:
311 Park Place Blvd., Suite 400
Clearwater, FL 33759 USA
If you have questions regarding filing an ethics complaint, you can email them to Legal@ISC2.org.
What happens after you file your complaint? If there is enough evidence to make this a prima facie case, the committee will consider the facts and make a recommendation to the board.
However, if there is a disagreement about the facts, the committee may hear further evidence or even invite corroboration and rebuttals in order to determine the actual situation. In some instances, this may result in the complaint being dismissed.
The (ISC)2 committee has this to say about such situations: “Neither the board nor its committee is an investigative body and neither has the authority to compel testimony. We can consider only evidence submitted to us voluntarily. There may be many cases where this evidence is not sufficient to support any action. We can proceed only where a prima facie case is made. Where no such case is made, the committee will close the complaint without prejudice to either party.”
Once it reaches a decision, the committee will send its recommendation to the board. However, understand that the “most limited and conservative” action will be recommended. What occurs next is up to the board. Both you and the respondent will be notified before the board takes action, and there is a 14-day period during which you can both make comments on the committee’s recommended course of action.
When the board takes action, which can include everything up to revocation of the respondent’s certification, you will both be notified within 30 days. All decisions of the board are final and cannot be appealed.
The (ISC)2 code of ethics is meant to be a vital guide for making decisions in today’s information security world, as well as for how you comport yourself with principals, the general public, and other certificate holders.
Breaking any of the four canons expressed within the code of ethics can lead to serious ramifications, so it is crucial that you not only understand those canons, but how they should be applied in real-world situations. In fact, this is exactly what (ISC)2 is looking for when you answer questions about the code of ethics on the CISSP exam.