1.1 Domain 1 · Security & Risk Management

Professional Ethics

Understand, adhere to, and promote professional ethics — ISC2 Code and organizational ethics

The Concept

The ISC2 Code of Professional Ethics has four canons in strict priority order. When they conflict, the higher canon wins. No exceptions.

I. Protect society, the common good, public trust, and the infrastructure
II. Act honorably, honestly, justly, responsibly, legally
III. Provide diligent and competent service to principals
IV. Advance and protect the profession

Your organization's ethics code supplements the ISC2 code. It can add requirements but never override or weaken the canons. If they conflict, ISC2 wins.

At a company with a mature security program: The CISO reports to the board. Ethics training happens annually. There's a whistleblower hotline. When a junior analyst discovers marketing is sharing customer PII with an unauthorized analytics vendor:

  • Report to the security team lead — internal escalation first
  • Team lead escalates to the CISO — who has authority to stop the sharing
  • CISO notifies legal and compliance — potential GDPR/CCPA exposure
  • The practice stops — within days, not months

Canon I (protect the public) is served. Canon III (serve your employer) is also served — you just saved them from a regulatory fine. No conflict.

Canon     | Priority | Principle                                     | When It's Tested
Canon I   | Highest  | Protect society, public trust, infrastructure | Employer asks you to cover up a breach
Canon II  | Second   | Act honorably, honestly, legally              | You discover evidence of fraud
Canon III | Third    | Provide competent service to principals       | Client asks for advice outside your expertise
Canon IV  | Lowest   | Advance and protect the profession            | Sharing knowledge, mentoring, not cheating
Key Takeaway

Mnemonic: "Some Honorable Servants Profess" — Society, Honor, Service, Profession. When canons conflict, higher always wins. The exam will NEVER have a correct answer where Canon III overrides Canon I.

You're the only security person. You report to the IT Director, who reports to the CFO. There is no CISO. The marketing VP is a peer of your boss's boss.

Scenario
The Analytics Vendor
Mid-size SaaS · 400 employees · No CISO
You: You discover marketing signed with a third-party analytics vendor 6 months ago. They receive full customer behavioral data — emails, sessions, purchase history. No security review. No DPA. The vendor resells aggregated data.
Marketing VP: "This vendor increased our conversion rate by 23%. We're not turning it off. The CEO personally approved this spend."
IT Director: "I hear you, but marketing brings in the revenue. Pick your battles. Can we add it to the risk register and revisit next quarter?"
Compensating Control

When you can't get the ideal outcome immediately: (1) Document the risk in writing — email, not verbal. (2) Request a DPA from the vendor as a minimum. (3) Limit data fields shared — strip PII where possible. (4) Set a hard deadline: "90-day vendor security review." You've created a paper trail, reduced exposure, and established accountability.

What actually happens: The DPA takes 3 months. You deploy a proxy that strips email addresses. The marketing VP grudgingly accepts it because "we still get behavioral data." Not perfect, but it's Canon I progress without destroying Canon III. Incremental risk reduction with political awareness.

Real Talk — Career Context

How you escalate matters as much as whether you escalate. Use established channels first — compliance hotlines, ethics committees, ombudsman offices. Document everything in writing with timestamps. Know your legal protections (SOX Section 806, EU Directive 2019/1937). The ISC2 Ethics Committee complaint process is a real mechanism, not just exam trivia.

On the exam: Choose Canon I. In practice: escalate through proper channels, document your recommendation, and ensure the right decision gets made — not unilaterally.

Six months later, the analytics vendor has a breach — 2M records, including your customers. Your IT Director says: "Don't report externally. Let legal handle it." GDPR requires notification within 72 hours. You have EU customers.

Option A
Follow IT Director's guidance

Let legal assess scope. Premature notification could cause unnecessary panic.

Option B
Escalate and push for 72-hour notification

Canon I requires protecting the public. The GDPR clock started when you became aware.

Option B is correct — but A isn't unreasonable

Option B: Canon I overrides Canon III. Escalate through established incident response channels — involve legal AND begin notification planning in parallel. Escalation doesn't mean going around leadership; it means ensuring the right people are informed.

Option A's kernel of truth: You should involve legal and assess scope. The error is using assessment to delay rather than inform the notification.

On the exam: "protect the public" always beats "involve legal" when both are options. In practice: escalate through channels, document, let the org act.

Trap: Choosing resignation over escalation
Resigning doesn't protect the public. The exam answer is to escalate through proper channels, not walk away. Resignation removes your ability to influence the outcome and leaves the risk unaddressed.
Why it's tempting: feels noble and principled — "I won't be part of this."

Trap: Employer loyalty overrides public safety
Canon III (serve your employer) never beats Canon I (protect society). When an employer directive conflicts with public safety, Canon I wins. Every time, no exceptions.
Why it's tempting: in real life, employer relationships feel more immediate than abstract "public safety."

Trap: Reporting externally as first step
You should use internal channels first — compliance hotline, ethics committee, management chain — before going external. External reporting (regulators, media, ISC2 Ethics Committee) is the escalation path when internal channels fail or are compromised.
Why it's tempting: seems like the most protective action — go straight to the authorities.
Exam Signal

When you see employer vs. public safety: the exam answer is Canon I. Choose the answer that protects society, uses proper escalation, and documents the decision. The exam isn't testing whether you'd quit — it's testing whether you know which principle takes priority and how a professional handles the conflict through established processes.

Quick Check — End of 1.1
Your CEO instructs you to delete security logs showing unauthorized access to a government contract database, stating "this will cause us to lose the contract." What should you do?
  • A Delete the logs — Canon III requires service to your employer
  • B Delete them but keep a personal backup as insurance
  • C Refuse and escalate — Canon I supersedes Canon III
  • D Resign immediately to avoid complicity

Correct: C. Deleting evidence violates Canon I (infrastructure protection) and Canon II (act honestly/legally — this is likely obstruction). Canon III does NOT override higher canons. Resignation (D) doesn't protect the public. Personal backup (B) is still destroying official evidence.

Disclaimer: This content is provided for educational and exam preparation purposes only. It is not official ISC2 content, is not endorsed by ISC2, and does not guarantee exam success. All practice questions are original and based on published exam objectives. Always refer to the official ISC2 CISSP Exam Outline as your primary reference.