Ethics is the centerstone of professionalism in the ever-changing Information Security (IS) field. The (ISC)2 Code of Ethics serves as a lighthouse, pointing professionalism toward ethical behavior. Let’s tour its canons, what exactly it is, guidelines for IS professionals, and how to file a complaint. So, let’s get going.

What are the (ISC)2 Code of Ethics Canons?

“The safety & welfare of society and the common good, a duty to our principles and to reach others, requires what we adhere to, and be seen to adhere to, to the highest ethical standard of behavior,” according to (ISC)2 in the introduction to the real code of Ethics. Therefore, certification requires rigorous adherence to this code.

The (ISC)2 Code of Ethics is an essential set of guidelines that govern your behavior, interaction with others, and decision-making as an Information Security professional. The code is intended to “provide a high degree of confidence when dealing with a peer member, and it gives assured reliance on the character, ability, strength, or truth of a fellow (ISC)2 member.”

These are essentially high-level guidelines that govern both your behavior and that of every other (ISC)2 certified individual. There are 4 required canons in the code itself, but the organization provides additional assistance on how to implement those canons in your professional life.

Guidelines for Information Security (IS) Professionals

1. Preserve the Infrastructure, Society, Common Good, and Essential Public Trust: The need to protect society and its vital systems is at the center of our existence. This includes protecting sensitive information, thwarting cyberattacks, and bolstering vital services. Envision a critical infrastructure system vulnerability being found by an IS analyst.
2. Be Honest, Fair, Responsible, and Law Abiding: Integrity is the centerstone of this field. Therefore, we must respect integrity and behave morally while abiding by the law. Imagine a situation where a security consultant is offered a bribe to ignore security vulnerabilities found during a penetration test. They must exhibit strong moral values by rejecting the bribe and reporting the occurrence.
3. Give Principals Skillful & Diligent Service: It is crucial for us to always cooperate with diligence & competence while dealing with clients, employers, and other stakeholders. Also, we should aim for perfection and stay up-to-date with the finest practices in the business. Imagine a company receiving assistance from a certified IS security professional to put strong access controls in place. They maintain the highest levels of service delivery due to their commitment to lifelong learning & expertise.
4. Promote & Preserve the Profession: As the profession’s stewards, we must foster its integrity & expansion. This means promoting moral norms, mentoring up-coming talent, and exchanging knowledge. A member of (ISC)2 embodies this canon through active participation at industry conferences, writing incisive papers, and mentoring young professionals on their ethical path.

It is critical to understand that these canons are not strict rules, but some guiding ideas. Making ethical decisions requires balancing complicated & opposing interests. As a result, practitioners must respect these guiding principles while using good judgment.

How Do I Go About Filing a Complaint?

There are precise steps you must take to register a complaint about another credentialed member violating the (ISC)2 code of Ethics. Now through this section, we’ll go over what you should know about it.

Can You File This Complaint?

You should confirm if you can file a complaint before doing it. Only eligible parties may register complaints with their Ethics committee. What is meant by that? Ultimately, it boils down to the four canons and the people they apply to.

Is Your Complaint Confidential?

The (ISC)2 Code of Ethics committee will work to maintain the process's confidentiality and won't release your name or the identity of the offending party to the public.

Try to be Specific in Your Complaint

The committee lacks the time and resources to look into possible violations of the code of Ethics. This implies that you should be as precise and detailed as possible in your complaint. Make sure to specifically include the canon in your complaint as the committee will only consider it if it has a direct bearing on the violation of that canon.

The Ethics committee can provide you with guidance if you're not sure. That being said, your complaint will be rejected if there isn't any convincing proof that a canon—or canons—has been violated.

Submit Your Complaint in Writing

First and foremost, be aware that any complaints need to be submitted in writing and that the (ISC)2–specific affidavit form needs to be used. Don't forget to fill in the country, province/state, and county, if relevant. Ensure that the date and your name show.

The group goes to considerable pains to make sure that members are aware that the Ethics committee lacks the authority to look into complaints and is not an investigative body. This implies that you will have to make sure your complaint is as thorough as possible and includes every piece of evidence that can be found to support the offense.

Provide as Much Evidence as Possible

List the relevant facts (who, what, where, when, etc.) at the outset of your written affidavit. More information, supporting papers, or proof of the violation are then provided. Once more, be as detailed as you can be because the committee won't act if there is insufficient proof.

Where Do You Send Your Complaint?

At the bottom of the page, sign the affidavit. It will also require notarization. Once completed, the affidavit needs to be mailed to the following address:

1. Ethics Complaint
2. (ISC)² Corporate
3. 311 Park Place Blvd., Suite 400
4. Clearwater, FL 33759 USA

What Happens When You File Your Complaint?

The committee will review the material and suggest a course of action to the board if there is sufficient evidence to establish a prima facie case.

To ascertain the true situation, the committee may hear additional evidence or even request verification & counter negotiation if there’s a disagreement over the facts. Sometimes, this could lead to the complaint being dropped.

Regarding these circumstances, the (ISC)2 committee states that neither the board nor its committee is an investigative body and neither has the power to compel testimony. Only voluntary evidence presented to us may be taken into consideration. This proof might not be enough in many situations to justify taking any action. Only when there is a prima facie case can we move forward. The committee will close the complaint without prejudice to either party if no such case is made.

The committee will forward its suggestion to the board upon reaching a decision. But be aware that the "most limited and conservative" course of action will be suggested. The board will decide what happens next. Before the board takes any action, you and the respondent will be informed, and you will have 14 days to comment on the committee's recommended course of action.

You will both be notified within 30 days of the board's decision, which may involve the respondent's certification being revoked. The board's judgments are final and cannot be challenged.

The Bottom Line

Use our in-depth guide to explore the (ISC)2 Code of Ethics. Discover the four main tenets that information security experts adhere to safeguarding people & vital infrastructure, operating honorably and legally, offering prompt assistance, and developing the field. Examine actual instances that demonstrate these ideas in action. With the help of this succinct summary, you may better comprehend ethical behavior in the information security industry.