2.1.1. ISC2 Code of Ethics and Organizational Codes
💡 First Principle: Professional ethics codes exist because technical knowledge alone creates dangerous power without constraint. The ISC2 Code of Ethics establishes that security professionals owe duties first to society, then to honorable and lawful conduct, then to their principals (employers and clients), and finally to the profession, in that order. When these duties conflict, society comes first.
The ISC2 Code of Ethics has four canons, listed in priority order. This order is not arbitrary: ISC2's own guidance states that conflicts between canons are resolved in the order the canons are listed, so the order is the tiebreaker whenever two canons appear to conflict:
| Canon | Statement | What It Means in Practice |
|---|---|---|
| 1 — Protect society | Protect society, the common good, necessary public trust and confidence, and the infrastructure | Push for disclosure of a critical vulnerability or breach to those affected, even when the employer would prefer silence; report illegal activity through proper channels |
| 2 — Act honorably | Act honorably, honestly, justly, responsibly, and legally | Never misrepresent skills; don't take on work you can't do; admit mistakes |
| 3 — Provide competent service | Provide diligent and competent service to principals | Stay current; do the job you were hired to do to the best of your ability |
| 4 — Advance the profession | Advance and protect the profession | Don't bring the field into disrepute; mentor others; support the community |
Critical exam scenario pattern: An employer instructs you to conceal a breach from affected individuals. What do you do?
- Canon 1 (protect society) requires you to advocate for disclosure to affected parties and regulators
- Canon 2 (act honorably) prohibits deception
- Canon 3 (serve your principal) could be read as deferring to the employer's instructions, although diligent service also means advising the employer of the legal exposure concealment creates
Canons 1 and 2 outrank Canon 3. The correct answer: advocate for proper disclosure, escalate internally, consult legal counsel, and if ordered to participate in illegal concealment, document the order and refuse to take part.
Organizational codes of ethics exist at the company level and typically extend ISC2's principles into specific business contexts (financial services, healthcare, government). When an organizational code conflicts with the ISC2 Code, the ISC2 Code governs for a certified professional, because adherence to it is a condition of holding the certification; you cannot ethically follow an organizational policy that requires violating a higher-priority canon.
💡 Key Point: The CISSP exam tests principled escalation, not blind obedience or unilateral action. The correct answer in ethical dilemmas is almost never "do it anyway" (obedience) or "go directly to the press" (unilateral action). It is: refuse the specific unethical action, document, escalate through proper channels, and if all internal channels fail and illegal harm is occurring, consider external reporting as a last resort.
⚠️ Exam Trap: Questions sometimes present scenarios where "following orders" and "protecting society" conflict. The ISC2 Code unambiguously puts society first — but the mechanism is orderly escalation, not vigilante action. The exam will never reward going outside the organization without first exhausting internal channels, unless illegal activity is occurring and the organization is complicit.
Reflection Question: You discover your employer has been concealing a breach affecting 50,000 customer records for six months, and has not notified the affected individuals even though applicable law requires notification. You have escalated to your CISO and General Counsel, both of whom have told you to stay silent. What is your ethical obligation under the ISC2 Code of Ethics, and what actions are available to you?