Domain 1: Security and Risk Management Module 1 of 84

Professional Ethics and ISC2 Code

CISSP Domain 1 — Security and Risk Management A — Governance and Legal 8–10 minutes

What the Exam Is Really Testing

Your employer asks you to quietly delay notifying customers about a data breach to avoid quarterly earnings fallout. Your manager agrees. Legal hasn’t weighed in yet. What do you do?

As an ISC2 member, your obligation to society overrides your obligation to your employer — every time.

This module covers CISSP exam objective 1.1: understand, adhere to, and promote professional ethics. The exam will not ask you to recite the canons word for word. It will place you in situations where two reasonable-sounding options conflict, and the correct answer depends on knowing the priority order of the ISC2 Code of Ethics.


The ISC2 Code of Ethics

ISC2 requires all certified members to follow the Code of Ethics. Violations can result in credential revocation. The code has two components: the preamble and the four mandatory canons.

The preamble sets the context: the safety and welfare of society and the common good, our duty to our principals, and our duty to each other.

The four canons, in mandatory priority order:

  1. Protect society, the common good, necessary public trust and confidence, and the infrastructure. Society comes first. If an action harms the public — even at the direction of your employer — the code prohibits it.
  2. Act honorably, honestly, justly, responsibly, and legally. Personal integrity is the second priority. Even when acting in society’s interest, you must do so through honest and lawful means.
  3. Provide diligent and competent service to principals. Your duty to employers and clients ranks third. You owe competent work, but never at the expense of canons 1 or 2.
  4. Advance and protect the profession. Supporting the profession’s reputation matters, but it is the lowest priority if it conflicts with any higher canon.

The priority order is not a suggestion. On the exam, when two canons collide, the lower-numbered (higher-priority) canon always prevails; canon 4 yields to canon 3, canon 3 to canon 2, and canon 2 to canon 1.


Ethical Decision-Making Hierarchy

When a scenario presents an ethical conflict, apply this decision framework:

  1. Does the action harm society or public infrastructure? If yes, the action violates canon 1 — full stop.
  2. Does the action require dishonesty or illegality? If yes, it violates canon 2 regardless of who benefits.
  3. Does the action betray your duty to your employer or client? If yes, it violates canon 3 — but canon 3 only governs once canons 1 and 2 are satisfied.
  4. Does the action damage the profession? Consider this only after the first three pass.

The exam frequently tests this hierarchy by making the “serve your employer” option sound reasonable. The trap is choosing loyalty over public safety.


Reporting Obligations

ISC2 members have an obligation to report known violations of the Code of Ethics. This includes:

  • Reporting other ISC2 members who violate the code
  • Cooperating with ISC2 ethics investigations
  • Not retaliating against individuals who report violations

Complaints are submitted to the ISC2 Ethics Committee. The process is formal: complaints must be filed in writing, identify the specific canon violated, and include supporting evidence.

On the exam, reporting obligations appear in scenarios where a colleague is acting unethically. The correct answer is almost never “confront them privately and move on.” The code expects formal reporting.


Pattern Recognition

Ethics questions on the CISSP follow predictable patterns:

  • Society vs. employer — When these conflict, society wins. Always.
  • Honesty vs. convenience — When concealing a problem benefits the organization, the code requires disclosure.
  • Competence vs. assignment — If you lack the skills for a task, the code requires you to disclose that limitation rather than attempt the work.
  • Profession vs. self-interest — Actions that benefit you personally at the profession’s expense violate canon 4.

When two options both sound ethical, check which canon each satisfies. The answer that satisfies the higher-priority canon is correct.


Trap Patterns

Common wrong answers on ethics questions include:

  • “Follow your employer’s direction” — Wrong when the direction conflicts with public safety or honesty.
  • “Protect the profession’s reputation” — Wrong when protecting the profession means hiding a problem from the public.
  • “Handle it informally” — Wrong when the situation involves a code violation that requires formal reporting.
  • “Defer to legal counsel” — Legal advice matters, but the ISC2 code is independent of legal obligations. You can be legally compliant and still violate the code.

Scenario Practice


Question 1

You discover that your organization’s software product contains a vulnerability that could expose customer financial data. Your manager instructs you to delay the patch until after a major product launch next month.

What should you do?

A. Follow the manager’s instructions and patch after the launch
B. Escalate to senior leadership, emphasizing the risk to customers and the public
C. Quietly patch the vulnerability without telling anyone
D. Resign from the project to avoid personal liability

Answer & reasoning

Correct: B

Canon 1 requires protecting society and public trust. Delaying a patch that exposes customer data prioritizes the employer (canon 3) over the public (canon 1).

Escalating to senior leadership is the appropriate first step — it addresses the risk through proper channels while honoring your duty to the organization.


Question 2

A fellow ISC2-certified professional tells you they falsified audit results to make a client’s security posture appear stronger than it actually is. They ask you to keep it between the two of you.

What is your obligation?

A. Keep the information confidential as a professional courtesy
B. Confront the colleague and give them a chance to correct it
C. Report the violation to the ISC2 Ethics Committee
D. Notify the client directly about the falsified results

Answer & reasoning

Correct: C

Falsifying audit results violates canon 2 (honesty) and potentially canon 1 (public safety). ISC2 members are obligated to report known code violations to the Ethics Committee.

Informal confrontation (B) does not satisfy the reporting obligation, and direct client notification (D) bypasses the formal process.


Question 3

You are offered a contract to perform a penetration test on a system. During the scoping meeting, you realize the engagement requires deep expertise in cloud-native architectures — an area where you have minimal experience.

What should you do FIRST?

A. Accept the contract and research cloud-native testing techniques before the engagement
B. Accept the contract and subcontract the cloud portions to a specialist
C. Decline the engagement entirely
D. Disclose your limitation to the client and discuss options

Answer & reasoning

Correct: D

Canon 3 requires providing competent service to principals. Accepting work beyond your competence without disclosure violates this canon.

Disclosing the limitation allows the client to make an informed decision — they may still want you to lead the engagement with specialist support, or they may choose a different provider.


Key Takeaway

The ISC2 Code of Ethics is a ranked hierarchy, not a general set of values. When the exam puts you in a scenario where two principles collide, apply the canon order:

  1. Society and public trust
  2. Honor and legality
  3. Service to principals
  4. The profession

If you remember nothing else from this module: when your employer asks you to do something that puts the public at risk, the code says no. That single principle answers the majority of CISSP ethics questions.
