Security governanceIntermediate22 min read

What Is Code of ethics? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

A code of ethics is a formal document that lists the rules and values that IT professionals agree to follow. It helps them make good decisions when facing tricky situations at work. This code covers things like being honest, protecting people's privacy, and not abusing their access to systems. Following it builds trust between IT workers, their employers, and the public.

Commonly Confused With

Code of ethicsvsSecurity policy

A security policy is a formal document created by an organization that defines specific rules and procedures for protecting information assets. A code of ethics is a broader set of principles that guides professional behavior and is enforced by a certification body, not the employer. The policy is about what to do; the code is about how to be.

A security policy says "passwords must be 12 characters long." A code of ethics says "act honestly and responsibly." You can follow the policy but still violate the code if you abuse your access privileges.

Code of ethicsvsAcceptable use policy (AUP)

An AUP is a specific type of policy that defines how employees may use company resources like the internet and email. A code of ethics is broader, covering all aspects of professional conduct, not just resource usage. The AUP is about resource management; the code is about moral character.

An AUP might prohibit streaming video at work. A code of ethics might require you to report a coworker who is using the company network to share illegal content. The AUP is about efficiency; the code is about integrity.

Code of ethicsvsProfessional standards

Professional standards are often technical benchmarks (like ISO 27001) that define how to do a job correctly. A code of ethics is about moral and ethical behavior, not technical specifications. Standards tell you "how" to do something; the code tells you "why" and "if" you should do it.

A professional standard might detail how to conduct a risk assessment. A code of ethics would require you to be honest about the findings, even if they are embarrassing to your boss.

Must Know for Exams

The code of ethics is a central topic in the (ISC)² CISSP exam, especially within Domain 1: Security and Risk Management. Candidates must not only memorize the four canons of the (ISC)² Code of Ethics but also understand their application in complex scenarios. The exam will present situations where two canons might conflict, and the candidate must choose the action that aligns with the highest priority canon. For example, a question might describe a situation where a security analyst discovers that their CEO is using company resources for illegal activities. Canon 3 says to be loyal to your employer, but Canon 1 says to protect society. The correct answer is to follow Canon 1, because it holds the highest precedence.

The exam also tests the understanding of the code's purpose within governance. Questions may ask why a code of ethics is important for security governance. The answer is that it provides a baseline for professional behavior and supports due care. Candidates should know that the code is enforceable, not just advisory. It is a condition of certification.

In the CISSP exam, ethical scenarios appear as "best answer" questions. You might be given four possible actions in a gray-area situation. The correct answer will always align with the (ISC)² Code of Ethics. The wrong answers might be technically correct but unethical, or they might violate a lower canon when a higher one applies.

The code of ethics also appears in other certification exams, such as CompTIA Security+ (which covers ethical behavior in its governance section) and CISA (ISACA's Code of Professional Ethics). For the CISSP specifically, the code is so important that it is one of the first things candidates must agree to when they pass the exam. You cannot be a CISSP without signing the code.

A key exam objective is to recognize that the code applies even outside of work. For example, a CISSP holder who posts offensive content on social media could be sanctioned for violating Canon 2 (act honorably). The code governs your professional life at all times. Exam takers should also know the structure: the preamble, the four canons in order, and the fact that the code is enforced by a formal ethics committee.

Simple Meaning

Think of a code of ethics as the "promise" that a doctor makes to always help patients, but for people who work with computers and technology. In everyday life, we have rules like "don't steal" or "treat others how you want to be treated." A code of ethics for IT professionals is a written set of similar promises, but specifically for their work with computers, data, and networks.

For example, imagine you are a system administrator and you have access to everyone's emails. Without a code of ethics, you might be tempted to read your coworker's emails out of curiosity. The code of ethics says, "No, you must respect privacy and confidentiality." It acts like an internal compass that helps you choose the right path even when no one is watching.

Another way to think about it is like the rulebook for a sport. In soccer, players agree not to use their hands to touch the ball. In IT, professionals agree not to misuse their technical power. They promise to be competent, to keep learning, to protect confidential information, and to avoid conflicts of interest. The code doesn't tell you exactly what to do in every single situation, but it gives you a framework to figure out the ethical choice.

In the real world, companies and certification bodies like (ISC)² create these codes. When you earn a certification like the CISSP, you must sign an agreement to follow the (ISC)² Code of Ethics. If you break that code, you can lose your certification and your job. So it is not just a nice idea, it is a binding professional promise.

Full Technical Definition

In the context of IT security governance, a code of ethics is a formal, documented set of principles and standards that defines acceptable professional behavior for individuals working in information security and technology. It serves as a foundational element of security governance, providing a moral and professional baseline for decision-making. The (ISC)² Code of Ethics, which is directly relevant to the CISSP exam, is one of the most prominent examples. It consists of four mandatory canons: Protect society, the common good, necessary public trust and confidence, and the infrastructure; Act honorably, honestly, justly, responsibly, and legally; Provide diligent and competent service to principals; and Advance and protect the profession.

These canons are not merely suggestions; they are enforceable rules. Adherence to the code is a condition of certification. The code is hierarchical, meaning that if two canons conflict, the one higher in the order (Canon 1) takes precedence over the lower ones. For instance, protecting society (Canon 1) might override the duty to an employer (Canon 3) in a situation where an employer is engaged in illegal activities that could harm the public.

The code of ethics functions as part of the broader security governance framework, which includes policies, standards, procedures, and guidelines. While policies are specific and mandatory, the code of ethics is broader and principle-based. It guides the interpretation of policies and helps fill in gaps where specific rules do not exist. In a real IT implementation, a company might adopt the (ISC)² Code of Ethics as part of its employee handbook or security awareness training. New hires are required to read and acknowledge it. It is also referenced during incident response, when a professional must decide whether to report a coworker's violation. Violations of the code can lead to disciplinary actions from the certifying body, including revocation of certification, which effectively ends a professional's career in many security roles.

The code also supports the concept of "due care" and "due diligence" in security governance. By following a recognized code of ethics, an organization demonstrates that it is taking reasonable steps to ensure its employees act professionally and ethically. This can be a critical factor in legal proceedings or compliance audits. The code is not static; it is periodically reviewed and updated to reflect changes in technology and society, such as concerns around artificial intelligence, data privacy, and surveillance.

Real-Life Example

Imagine you are a bus driver. You have a license that allows you to drive a large vehicle carrying dozens of people. You have a set of rules: stop at red lights, follow speed limits, and don't drive while tired or distracted. These rules are like a code of ethics for driving. They exist to keep your passengers, other drivers, and pedestrians safe. If you break these rules, you could cause a crash, hurt people, and lose your job and your license.

Now, think of an IT security professional as a bus driver for a company's data and systems. Instead of a bus, they manage servers, networks, and databases full of sensitive information. Their code of ethics is like the driving rules. It tells them: don't look at private files unless you have permission (respect privacy), don't sell company data to a competitor (act responsibly), and don't install unauthorized software that could create a security hole (be competent).

Let me map this directly to the (ISC)² Code of Ethics. Canon 1 (Protect society) is like the rule to never run a red light, because you could injure many people. Canon 2 (Act honorably) is like not using your bus to run personal errands on company time. Canon 3 (Provide diligent service) is like keeping your bus in good repair and driving safely for your employer. Canon 4 (Advance the profession) is like mentoring a new driver to ensure the next generation is just as skilled and responsible.

If a bus driver ignores the rules, they can cause a tragedy. If an IT professional ignores their code of ethics, they can cause a data breach, financial loss, or harm to thousands of customers whose personal information is exposed. The code of ethics is the invisible line they must not cross, no matter how tempting or convenient it might be.

Why This Term Matters

In practical IT, a code of ethics matters because it is the difference between being a skilled technician and being a trusted professional. You can have all the technical skills in the world, but if you cannot be trusted, you are a liability to any employer. Companies handle huge amounts of sensitive data: customer credit cards, medical records, trade secrets. They need to know that the people they hire will not steal, leak, or abuse that data.

The code of ethics also provides a clear framework for handling conflicts. For example, a penetration tester might find a critical vulnerability in a client's system. Ethically, they must report it. But the client might not want to hear bad news. The code gives the tester the backbone to do the right thing and explain why it is mandatory. Without the code, the tester might be pressured to stay quiet, which is dangerous for everyone.

the code of ethics is a tool for risk management. When a company requires all IT staff to follow a professional code, it reduces the risk of insider threats, which are some of the most costly and difficult-to-detect security incidents. It also helps with compliance. Many regulations, like the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA), require organizations to ensure their employees behave ethically. A documented code of ethics is evidence of that commitment.

Finally, it matters for the individual's career. Holding a certification like the CISSP is a mark of excellence. Keeping that certification requires maintaining ethical behavior. If a CISSP holder is found to have violated the code, they can be publicly sanctioned, which destroys their professional reputation. In a field where trust is the ultimate currency, the code of ethics is the foundation of that trust.

How It Appears in Exam Questions

On the CISSP exam, questions about the code of ethics are typically scenario-based. You are presented with a narrative of a professional dilemma and asked to select the most appropriate ethical response. The questions rarely ask you to recite the canons directly. Instead, they test your ability to apply the canons.

One common pattern is the "conflict of interest" question. For example: "A security consultant is asked to audit a company where their spouse works as the CFO. What should the consultant do?" The ethical answer is to disclose the conflict and recuse themselves from the audit, aligning with Canon 2 (act honorably) and Canon 3 (provide diligent service by avoiding bias).

Another pattern involves reporting a violation. For instance: "An analyst discovers that their manager has been bypassing security controls to access confidential data. The analyst has reported it internally, but no action was taken. What should the analyst do next?" The correct answer is to escalate the issue through other internal channels or to the appropriate authority, following Canon 1 (protect society) which is higher than Canon 3 (loyalty to employer).

There are also questions about the code's enforcement. A question might ask: "What is the potential consequence of violating the (ISC)² Code of Ethics?" The answer includes revocation of certification and public censure. Another question might ask: "Which canon takes precedence if there is a conflict?" The answer is Canon 1.

Finally, questions may test your understanding of the code's role in governance. For example: "How does a code of ethics contribute to security governance?" The correct answer would be that it establishes a baseline for professional behavior and demonstrates due care on the part of the organization.

Study CISSP

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Sarah is a newly certified CISSP working as a security analyst for a hospital. Her job is to protect patient records. One day, her friend, who is a nurse, asks Sarah to look up the medical records of her neighbor, who is also a patient at the hospital. The nurse is worried about the neighbor's health and just wants to make sure they are okay. Sarah has the technical ability to access the records easily, and no one would know. She feels pressure because she wants to help her friend.

Sarah pauses and thinks about the (ISC)² Code of Ethics. She remembers Canon 1: Protect society, the common good, necessary public trust and confidence, and the infrastructure. Public trust in the hospital depends on Sarah keeping patient data private. If she looks up the records, she violates that trust. She also thinks about Canon 2: Act honorably, honestly, justly, responsibly, and legally. Looking up someone's medical records without authorization is illegal under HIPAA. It is also dishonorable.

Sarah explains to her friend that she cannot do it because it violates her professional ethics and the law. She offers to help the friend find other ways to check on the neighbor that do not break rules. Sarah's decision protects the patient's privacy, upholds the public's trust, and keeps her certification and job secure. Had she done it, she could be fired, sued, and lose her CISSP certification. This scenario shows how the code of ethics guides a professional to make the right choice, even when it is difficult.

Common Mistakes

Thinking the code of ethics is just a suggestion or a nice-to-have document.

It is a mandatory, enforceable agreement. Violation can lead to loss of certification and professional sanctions.

Treat the code as a binding contract that you must follow at all times, both at work and in your personal professional conduct.

Believing that loyalty to the employer (Canon 3) always comes first.

The canons are hierarchical. Canon 1 (protect society) and Canon 2 (act honorably) take precedence over Canon 3. You must report illegal or harmful actions even if it hurts your employer.

Remember the order: protect society first, then act honorably, then serve your employer, then advance the profession.

Assuming the code only applies during work hours or when on the job.

The code governs all professional conduct, including behavior on social media, in public forums, or in your personal life if it reflects on the profession.

Understand that your ethical obligations as a certified professional are 24/7. Avoid any behavior that could damage public trust in IT professionals.

Confusing the code of ethics with a security policy.

A security policy is specific, detailed, and enforced by the employer. A code of ethics is broad, principle-based, and enforced by a professional body. They serve different but complementary roles.

A policy tells you what to do in a specific situation at work. The code tells you how to think about ethical dilemmas in a broader sense.

Thinking you can ignore the code if your manager tells you to do something unethical.

You are personally responsible for your actions. "I was following orders" is not a defense against an ethics violation.

If asked to do something unethical, you must refuse and escalate the issue. Your certification and integrity are your responsibility.

Exam Trap — Don't Get Fooled

{"trap":"A question describes a situation where an IT professional discovers a minor security vulnerability in a system used by a charity. The professional is asked to fix it immediately but is also offered a paid consulting job to do the fix. The trap is choosing the option that accepts the paid job, thinking it is a win-win."

,"why_learners_choose_it":"Learners think it is okay because the professional is providing a service and getting paid fairly. They do not see the conflict of interest.","how_to_avoid_it":"Remember that accepting payment to fix a vulnerability you discovered while on the job or in a trusted position creates a conflict of interest.

You should report the vulnerability through proper channels and not profit personally from fixing it. The ethical choice is to fix it without additional personal compensation if it is within your job duties, or to ensure full transparency."

Step-by-Step Breakdown

1

Awareness and Acknowledgment

The first step is becoming aware of the specific code of ethics that applies to you. For CISSP candidates, this is the (ISC)² Code of Ethics. You must read it, understand it, and sign an agreement to follow it as a condition of certification. This step formalizes your commitment.

2

Identify the Ethical Dilemma

When faced with a difficult decision, you must recognize that an ethical dilemma exists. This often involves a conflict between two or more canons or a conflict between a canon and a personal or business interest. Identifying the dilemma is the first step to resolving it correctly.

3

Apply the Hierarchical Order

Once you identify the dilemma, you apply the hierarchical order of the canons. Canon 1 (protect society) is the most important. If Canon 1 is at stake, it overrides the others. This step ensures that the most critical ethical obligation is prioritized.

4

Consider the Broader Impact

Before making a decision, consider the impact on all stakeholders: the public, the employer, the profession, and yourself. Ask yourself what the outcome will be for each group. This step aligns with Canon 1 (protect society) and Canon 4 (advance the profession).

5

Make and Implement the Decision

After applying the hierarchy and considering the impact, make a clear decision and act on it. Document your reasoning if possible. This step is about taking responsibility for your actions and standing by your ethical choice, even if it is unpopular.

6

Report and Escalate if Necessary

If the ethical violation involves illegal activity or systemic problems, you may need to report it to a higher authority, such as a regulatory body or law enforcement. This step follows Canon 1 even if it conflicts with Canon 3 (loyalty to employer). You must be prepared to escalate when internal channels fail.

Practical Mini-Lesson

Let's dive into how a code of ethics works in practice for an IT professional, especially one holding a CISSP certification.

First, you need to know that the code is not a checklist. It is a framework for ethical reasoning. In your daily work, you will face situations where there is no clear policy or rule. For example, suppose you are a security auditor and you discover that your company is using a software license that has expired. The software still works, and buying a new license would cost a lot of money. Your manager says to ignore it because no one will know. Your code of ethics says you must act honorably (Canon 2) and protect the profession (Canon 4). The correct action is to report the violation and push for compliance, even if it costs money. This might seem like the hard path, but it is the ethical one.

Another practical application is in incident response. When a breach happens, there is a temptation to downplay the damage or hide it from the public to protect the company's reputation. But Canon 1 (protect society) demands transparency. Affected customers must be notified so they can protect themselves. Failing to do so is a breach of ethics.

In terms of configuration context, the code influences how you set up controls. You should not configure logging to monitor specific employees without a legitimate business reason and proper authorization, because that would violate privacy and Canon 2. Similarly, you should not install backdoors into systems for your own access, even if "just in case" it is needed. That is a clear ethics violation.

What can go wrong? If you ignore the code, you risk not only your certification but also legal liability. For example, if you are a security professional and you knowingly allow a security flaw to remain because fixing it would cost too much, and that flaw leads to a data breach, you could be sued for negligence. The code of ethics protects you and your organization by providing a clear standard of care.

To keep your ethics sharp, read the code regularly. Many professionals keep a copy on their desk. Talk about ethical scenarios with your peers. When you study for the CISSP exam, practice applying the canons to the sample questions. This will train your brain to think ethically automatically.

In short, the code of ethics is a living document that should guide every significant decision you make as an IT security professional. It is your moral compass in a field full of gray areas and high stakes.

Memory Tip

Remember the four canons with the acronym 'SHAD': Society, Honor, Advance, Diligence. The order matters: Society (Canon 1) first, then Honor (Canon 2), then Advance (Canon 4), then Diligence (Canon 3), but note the order for the exam: 1, 2, 3, 4. Use SHAD for the initial letters of the first word of each canon: Society, Honor, Advance, Diligence.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

What happens if I violate the (ISC)² Code of Ethics?

If you are found to have violated the code, you can face disciplinary action including a formal reprimand, suspension, or permanent revocation of your certification. Your name may also be published on a list of sanctioned professionals.

Do I need to follow the code of ethics if I am not yet certified?

It is strongly recommended. Employers and the public expect ethical behavior from all IT professionals. Following the code, even before certification, builds good habits and trust.

Is the code of ethics the same for every certification?

No. Different organizations have their own codes. For example, ISACA has a different code for CISA and CISM. However, there is significant overlap in the core principles of honesty, integrity, and responsibility.

What is the difference between a code of ethics and a code of conduct?

A code of ethics is a set of broad principles that guide professional behavior. A code of conduct is a more detailed, specific set of rules that often includes disciplinary procedures. Many organizations have both.

Can I lose my job for violating the code of ethics?

Yes. Many employers include adherence to professional codes of ethics in their employment contracts. Violating the code can lead to termination, especially if it also violates company policy or the law.

How does the code of ethics help in a real security incident?

It provides a clear framework for decision-making. For example, during a data breach, the code requires you to prioritize protecting the public (Canon 1) over protecting the company's reputation. This leads to transparent and responsible incident response.

Do I have to report a colleague who violates the code?

Yes, the code requires you to report violations. Failing to do so can be seen as complicity. The process usually involves reporting to your supervisor, then to the certifying body if internal channels are ineffective.

Summary

A code of ethics is a foundational document for any IT professional, especially those pursuing certifications like the CISSP. It is not a formality but a binding set of principles that guides your behavior in complex and high-stakes situations. The four canons of the (ISC)² Code of Ethics form a hierarchy, with protecting society as the highest priority. Following the code is a condition of certification, and violations can lead to severe professional consequences, including the loss of your certification and reputation.

In practice, the code helps you make the right decision when there is no clear policy, when you are under pressure, or when doing the right thing is difficult. It supports security governance by providing a baseline for professional conduct and demonstrating due care. On the CISSP exam, you will be tested on your ability to apply the canons to realistic scenarios, so understanding the hierarchy and the reasoning behind each canon is critical.

The key takeaway is that as an IT security professional, you are a steward of trust. The code of ethics is your promise to uphold that trust. By embracing it, you not only protect your career but also contribute to a safer digital world for everyone.