Problem solve Get help with specific problems with your technologies, process and projects.

How serious is (ISC)2 about its code of ethics?

One of the many security certification requirements for the CISSP is signing the (ISC)2 code of ethics, but how seriously does (ISC)2 take certificate holders' adherence to that code? David Mortman weighs in.

To receive any (ISC)2 certification, I have to comply with its code of ethics. Not that I intend to break the code, but how seriously does (ISC) 2 take this code; as in, has anyone you've known had his or her certification revoked, and under what circumstances?

It's hard to say how seriously (ISC)2 takes its code of ethics. Clearly, it gives the impression that it is taken seriously, but there's not much evidence to support that. On a purely personal level, I don't think it is taken seriously at all. I've written on this issue several times for Information Security magazine. Once in an article entitled "Smoke and mirrors certifications," and again for an article called "Security certifications' ethics programs merely window-dressing."

The articles go into more detail, but essentially, the point is that it's hard to believe (ISC)2 is genuinely concerned with ethics when it doesn't discuss ethics issues in its trainings, it doesn't require any regular review of a certificate holder's adherence to the code of ethics as part of the CPE process, nor does it even require resigning the code of ethics as part of the CPE cycle. When looked at through that lens, it seems to me that (ISC)2 has the requirement because it thinks it should have one, not because it thinks it has value.

Furthermore, (ISC)2 also has a complete lack of transparency about how many potential ethics violations it has investigated and how many members have been warned or expelled. For that matter, I haven't even heard unofficially of anyone losing his or her cert due to ethics violations.

So while by no means do I condone unethical behavior by any security practitioner, I would be surprised to hear that someone lost his or her CISSP certification strictly because of an ethics violation.

For more information:

This was last published in September 2009

Dig Deeper on Information security certifications, training and jobs