Domain 1 · Lesson 1 of 10

ISC2 Professional Ethics (Vietnamese: Đạo đức Nghề nghiệp ISC2)

ISC2 Code of Ethics — 4 Canons

The ISC2 Code of Ethics governs how CISSP holders must behave. The four canons are listed in priority order — when canons conflict, the lower-numbered canon always wins.

  1. Protect society, the common good, necessary public trust and confidence, and the infrastructure
     Highest priority. Public welfare supersedes all other obligations.
  2. Act honorably, honestly, justly, responsibly, and legally
     Personal integrity. Even if your employer asks you to act otherwise.
  3. Provide diligent and competent service to principals
     Principals = clients and employers. Serve them well, but not above society.
  4. Advance and protect the profession
     Lowest priority. Support ISC2, mentor others, uphold the field's reputation.

Key Ethical Principles

  • Canon priority rule: When canons conflict, lower-numbered canon wins. Society (1) beats client loyalty (3) every time.
  • Reasonable person standard: Would a reasonable, competent security professional make the same decision in the same context?
  • Ethics vs legal: Something can be legal but unethical (e.g., selling user data legally but without consent disclosure). CISSP requires ethical behavior beyond the legal minimum.
  • Organizational code of ethics: Companies should have their own code of ethics aligned with ISC2's canons — not weaker.
  • Duty to report: Security professionals must report illegal activity even if it harms their organization or their own employment.

Key Terms

Term | Vietnamese | Meaning
Code of Ethics | Bộ quy tắc đạo đức | Principles governing professional behavior for all ISC2 members
Canon | Điều khoản | Each of the 4 priority-ordered ethical principles in ISC2's code
Principal | Đối tác / Khách hàng | Clients and employers who rely on the security professional's services
Reasonable Person Standard | Tiêu chuẩn người hợp lý | Would a typical, competent professional act the same way in this situation?
Duty to Report | Nghĩa vụ báo cáo | Obligation to disclose illegal or seriously unethical activity — even to authorities

Exam Tips

  1. Canon ORDER matters — Society (Canon 1) always comes before client loyalty (Canon 3). This is the #1 tested concept in ethics questions.
  2. Classic scenario: "An ISC2 member discovers their employer is violating privacy laws." The answer is always: the member must report/escalate, even if it harms the company. Canon 1 overrides Canon 3.
  3. "What should a CISSP do first" with an ethical conflict → protect society, then be honest. Never cover up violations to protect the employer.
  4. Ethics vs legal trap: Just because something is legal doesn't make it ethical. CISSP requires the higher ethical standard.

Work Application — FinTech Company X

Apply Canon 1 at FinTech Company X: if you discover a partner integration (e.g., a new data enrichment vendor) leaks customer PII to a third party without consent, you must escalate — even if it disrupts the partnership or delays a product launch. The Decree 13/2023 obligation and customer trust supersede business relationships.

Practical action: Document the finding in writing, escalate to CTO and Legal, and require a remediation plan before resuming the integration. Silence or delay would violate Canon 1 (society) and Canon 2 (honesty). If the employer refuses to act, the CISSP's duty to report may extend to regulatory authorities (SBV/MPS for VN, NPC for PH).

Practice Questions

Q1. A CISSP working at a fintech discovers their company is selling customer transaction data to a marketing firm without user consent — which is technically legal under current contracts but violates user expectations. What should the CISSP do?

A) Report the practice to management and demand it be stopped, even if it risks the CISSP's employment
Rationale: Canon 1 (protect society) takes priority over Canon 3 (serve the employer). Even if the practice is legally permitted, it is ethically wrong. The CISSP must escalate internally and, if not remediated, consider external reporting. The "reasonable person standard" supports this action.

Q2. A security engineer discovers the company is violating banking regulations in how it stores transaction logs. The CEO tells the engineer to stay quiet until after the next funding round. What is the engineer's duty?

A) Must report the violation — Canon 1 and Canon 2 require honesty and societal protection over employer loyalty
Rationale: Duty to report illegal activity is explicit in the ISC2 code. Canon 1 (protect society/infrastructure) and Canon 2 (act legally and honestly) both override Canon 3 (serve principals). Staying quiet at the CEO's request violates multiple canons.

Q3. Which ISC2 Canon covers providing skillful and diligent service to clients and employers?

A) Canon 3 — Provide diligent and competent service to principals
Rationale: Canon 3 covers service to "principals" — a term that includes both clients and employers. It requires competence (being skilled), diligence (working hard), and confidentiality of client information. However, it is subordinate to Canon 1 and Canon 2.

Q4. A CISSP must make a judgment call on whether to disclose a minor security vulnerability to a client. Which standard best guides this decision?

A) The Reasonable Person Standard — would a typical competent security professional make the same choice?
Rationale: The Reasonable Person Standard asks whether another skilled, prudent security professional would make the same decision in the same context. It is the ethical benchmark when explicit rules don't cover a situation. Generally, disclosure of known vulnerabilities aligns with this standard.

Q5. A company's legal team confirms that sharing user behavioral data with advertisers is fully compliant with local law. A CISSP objects. Which of the following best justifies the objection?

A) Something can be legal but still unethical — ISC2 requires ethical behavior that goes beyond the legal minimum
Rationale: The ISC2 Code of Ethics explicitly holds members to a higher standard than mere legal compliance. Canon 1 includes protecting "public trust and confidence" — not just obeying the law. A CISSP can and should object to practices that are legal but undermine user trust or societal welfare.