Domain 1 Module 1.4

Ethics

Module 1.4: ISC2 Code of Ethics

Learning Objectives

By the end of this module, you will:

  • Recite the four canons of the ISC2 Code of Ethics in priority order
  • Apply ethical reasoning to conflict scenarios
  • Understand consequences of ethics violations
  • Answer scenario-based ethics exam questions correctly

---

The ISC2 Code of Ethics

All ISC2 certified professionals (including CC holders) must adhere to the Code of Ethics. Violation can result in revocation of certification.

The Four Canons (MEMORIZE in this order)

| Priority | Canon | Key Focus |
|----------|-------|-----------|
| 1st (Highest) | Protect society, the common good, necessary public trust and confidence, and the infrastructure | PUBLIC SAFETY |
| 2nd | Act honorably, honestly, justly, responsibly, and legally | INTEGRITY |
| 3rd | Provide diligent and competent service to principals | PROFESSIONAL DUTY |
| 4th (Lowest) | Advance and protect the profession | THE PROFESSION |

Canon 1: Protect Society (HIGHEST PRIORITY)

What it means:

  • Public safety comes FIRST, always
  • Protect critical infrastructure
  • Maintain public trust in cybersecurity
  • Consider broader societal impact of your actions
  • Act in the interest of public welfare

When Canon 1 applies:

  • You discover a vulnerability that puts the public at risk → disclose appropriately
  • Your employer asks you to do something that harms the public → refuse
  • You learn of a breach affecting customers → support proper notification
  • A decision improves company profits but harms public safety → choose safety

Canon 2: Act Honorably and Legally

What it means:

  • Follow all applicable laws and regulations
  • Be honest in all professional dealings
  • Don't engage in deception or dishonesty
  • Take responsibility for your actions
  • Don't engage in illegal activities (even if technically possible)

When Canon 2 applies:

  • You're asked to hide evidence of a breach → refuse
  • You could access a system without authorization → don't
  • You made a mistake → own it, don't cover it up
  • You're asked to falsify audit results → refuse

Canon 3: Provide Competent Service

What it means:

  • Serve your employer/clients (principals) diligently
  • Only offer services within your competence
  • Maintain and improve your professional skills
  • Communicate clearly and honestly about capabilities
  • Protect confidential information of your principals

When Canon 3 applies:

  • You're assigned a task beyond your skills → communicate honestly and seek help
  • A client asks for your professional opinion → provide honest assessment
  • You discover waste or inefficiency → report to appropriate management
  • You're given confidential information → protect it

Canon 4: Advance the Profession (LOWEST PRIORITY)

What it means:

  • Don't bring disrepute to the profession
  • Mentor and help others enter the field
  • Advance cybersecurity knowledge
  • Support professional development activities
  • Don't undermine other security professionals unfairly

---

The Priority Rule

> 🎯 CRITICAL: When canons CONFLICT, the canon with the HIGHER PRIORITY (the lower number, Canon 1 being highest) WINS.

This means:

  • Public safety (1) > Personal integrity (2) > Employer loyalty (3) > Profession (4)
  • You would break confidentiality to an employer (Canon 3) to protect the public (Canon 1)
  • You would refuse an employer's request (Canon 3) if it requires dishonesty (Canon 2)
  • You would sacrifice professional reputation (Canon 4) to act honestly (Canon 2)

---

Ethical Scenarios (Exam-Style)

Scenario 1: Employer Breaking the Law

Situation: You discover your employer is deliberately hiding a data breach from regulators and affected customers.

Analysis:

  • Canon 3 says: serve your employer
  • Canon 2 says: act legally and honestly
  • Canon 1 says: protect the public

Answer: Report through appropriate channels. Canon 1 (public protection) and Canon 2 (acting legally) override Canon 3 (employer loyalty). Follow internal escalation first, then external if necessary.

Scenario 2: Colleague Cover-Up

Situation: A colleague accidentally caused a security incident and asks you to help cover it up.

Answer: Refuse to participate in the cover-up. Report the incident through proper channels. Canon 2 (honesty) requires you to act with integrity. Covering up violates trust and could harm others.

Scenario 3: Unauthorized Access for "Testing"

Situation: Your manager asks you to access a production system to "test security" without authorization from the system owner.

Answer: Refuse unless proper authorization is obtained. Even if the intent is good, unauthorized access violates Canon 2 (act legally) and potentially Canon 1 (could disrupt critical services). Get written authorization first.

Scenario 4: Vulnerability Outside Your Scope

Situation: While performing authorized work on a client's web application, you accidentally discover a critical vulnerability in their payment processing system, which is outside your engagement scope.

Answer: Inform the client about the vulnerability through proper channels. Canon 1 (protect the public) requires you to disclose—customer financial data is at risk. However, do NOT exploit or further investigate the vulnerability (stay within your scope). Document and report professionally.

Scenario 5: Employer vs Public Interest

Situation: Your company manufactures IoT devices. You discover a serious security flaw that could allow attackers to spy on customers. Management says fixing it would be too expensive and delays the product launch.

Answer: Advocate strongly for fixing the flaw. If management refuses, escalate to the highest levels. Canon 1 (public safety) clearly overrides Canon 3 (serving your employer). If internal escalation fails, consider appropriate external disclosure.

---

Professional Conduct Requirements

DO:

  • ✅ Follow all applicable laws and regulations
  • ✅ Report security breaches through proper channels
  • ✅ Maintain confidentiality of information entrusted to you
  • ✅ Be honest about your qualifications and expertise
  • ✅ Maintain your professional competence (continuing education)
  • ✅ Treat all people fairly and with respect
  • ✅ Give appropriate credit for others' work
  • ✅ Act in good faith

DON'T:

  • ❌ Access systems without authorization
  • ❌ Use information for personal gain inappropriately
  • ❌ Conceal security incidents or vulnerabilities
  • ❌ Misrepresent your qualifications
  • ❌ Harm others through action or inaction when you could prevent it
  • ❌ Engage in conflicts of interest without disclosure
  • ❌ Violate the trust placed in you by your organization or clients
  • ❌ Discriminate unfairly

---

Consequences of Ethics Violations

If you violate the ISC2 Code of Ethics:

1. Complaint filed with ISC2 Ethics Committee
2. Investigation conducted
3. Possible outcomes:
  • No action (complaint unfounded)
  • Letter of admonishment
  • Suspension of certification
  • Revocation of certification (most severe)
4. Decision may be appealed

---

Exam Strategy for Ethics Questions

1. Read carefully - Ethics questions often have multiple "acceptable" answers. Choose the BEST one.
2. Apply the canon priority - When answers seem equally valid, choose the one that serves the higher canon.
3. Protect the public first - If an answer protects society/public, it's likely correct.
4. Legal > convenient - Following the law trumps convenience or employer wishes.
5. Escalate internally first - Unless internal channels are compromised.
6. Don't "do nothing" - Inaction when action is required is itself unethical.
7. Document - When in doubt, document and report through channels.

---

Practice Questions

1. You discover your employer is violating data privacy laws. What is your FIRST action?

  • A) Notify law enforcement immediately
  • B) Quit your job in protest
  • C) Report through internal channels/management ✅
  • D) Contact the media

2. Which ISC2 canon has the HIGHEST priority?

  • A) Provide competent service
  • B) Act honorably
  • C) Protect society ✅
  • D) Advance the profession

3. Your manager asks you to bypass security controls to meet a deadline. You should:

  • A) Do it because your manager asked
  • B) Do it but document your objection
  • C) Refuse and explain the security risks ✅
  • D) Report your manager to the CEO immediately

4. A client asks you to perform a penetration test. Before starting, you should FIRST:

  • A) Begin scanning their network
  • B) Obtain written authorization and scope ✅
  • C) Check if they have any known vulnerabilities
  • D) Inform their employees about the test

5. You accidentally access a file you're not authorized to see containing evidence of fraud. You should:

  • A) Ignore it - you weren't authorized to see it
  • B) Report it to your supervisor/appropriate authority ✅
  • C) Investigate further to gather more evidence
  • D) Confront the person committing fraud

6. Which canon is violated if you lie on your resume about certifications you hold?

  • A) Protect society
  • B) Act honorably ✅
  • C) Provide competent service
  • D) Advance the profession

7. Your employer's security policy conflicts with a government regulation. You should:

  • A) Follow employer policy (they sign your paycheck)
  • B) Follow the regulation (law overrides policy) ✅
  • C) Follow whichever is stricter
  • D) Ignore both and use best judgment

8. A colleague shares a copyrighted security tool without a license. According to the code of ethics:

  • A) This is acceptable for educational purposes
  • B) This violates acting honestly and legally ✅
  • C) This is fine if the vendor won't notice
  • D) Only wrong if you get caught

9. You're offered a job by a competitor while working on a sensitive project. The ethical approach is:

  • A) Take confidential materials to impress your new employer
  • B) Give proper notice, fulfill obligations, and don't share confidential info ✅
  • C) Stay indefinitely out of loyalty
  • D) Immediately quit without notice

10. The canons of the ISC2 Code of Ethics, from highest to lowest priority, are:

  • A) Profession, Society, Honesty, Service
  • B) Society, Honesty, Service, Profession ✅
  • C) Honesty, Society, Profession, Service
  • D) Service, Society, Profession, Honesty

---

*End of Module 1.4 - Next: 1.5 Governance*