It's hard to say how seriously (ISC)2 takes its code of ethics. Clearly, it gives the impression that it is taken seriously, but there's not much evidence to support that. On a purely personal level, I don't think it is taken seriously at all. I've written on this issue several times for Information Security magazine. Once in an article entitled "Smoke and mirrors certifications," and again for an article called "Security certifications' ethics programs merely window-dressing."
The articles go into more detail, but essentially, the point is that it's hard to believe (ISC)2 is genuinely concerned with ethics when it doesn't discuss ethics issues in its trainings, it doesn't require any regular review of a certificate holder's adherence to the code of ethics as part of the CPE process, nor does it even require resigning the code of ethics as part of the CPE cycle. When looked at through that lens, it seems to me that (ISC)2 has the requirement because it thinks it should have one, not because it thinks it has value.
Furthermore, (ISC)2 also has a complete lack of transparency about how many potential ethics violations it has investigated and how many members have been warned or expelled. For that matter, I haven't even heard unofficially of anyone losing his or her cert due to ethics violations.
So while by no means do I condone unethical behavior by any security practitioner, I would be surprised to hear that someone lost his or her CISSP certification strictly because of an ethics violation.
For more information:
This was first published in September 2009