Nearly 1,400 professionals participated in developing the ISC² Code of Professional Conduct, which is intended to provide guidance to cybersecurity experts.

ISC², a nonprofit membership organization for cybersecurity professionals, has published the Code of Professional Conduct. This document, which is the first of its kind, codifies the duties and responsibilities of the profession. It aims to provide guidance when technological developments overwhelm traditional regulations.

The document was created in response to the growing number of situations that cybersecurity experts face for which there are no clear precedents. Artificial intelligence, disinformation campaigns, and an accelerating threat landscape demand decisions that go far beyond technical expertise. The new code aims to establish a universal ethical framework that professionals can refer to regardless of their location, level of experience, or certification.

The code was developed through an elaborate participatory process. A working group of volunteers from various countries was established to regularly discuss professional challenges and develop possible guidelines. Nearly 1,400 cybersecurity specialists contributed in total. The ISC² Professional Conduct (Ethics) Committee reviewed the results before the ISC² Board formally adopted the code.

Particular emphasis was placed on broad representation. Contributors ranged from beginners with the “Certified in Cybersecurity” (CC) certification to experts with the “Certified Information Systems Security Professional” (CISSP) credential. This ensured that the code would remain applicable to all career levels.

The code is based on two fundamental pillars: ethics and professional conduct.

In terms of content, the code is divided into two main categories. The first section, which addresses ethics, covers integrity, confidentiality, compliance with legal requirements, public safety, and the societal impacts of digital decisions. The second section, which covers professional conduct, includes topics such as responsibility, accountability, teamwork, skill development, and the duty to report problems and deficiencies.

ISC² CEO Scott Beale emphasized that the code establishes a shared foundation, which is particularly important in an era of transformative technologies like AI. Today, security decisions are being made in ways that raise fundamental ethical questions about how organizations operate.

There is a particular focus on artificial intelligence. As AI systems become more integrated into cybersecurity processes and business operations, the code provides specific guidelines for their ethical implementation. ISC² member and volunteer Panos Vlachos (CCSP) explained that the goal is to ensure AI and other transformative innovations align with ethical principles, thereby minimizing risks during implementation.

Volunteer Srija Reddy Allam (CISSP, CCSP) described the code as a tool for navigating the gray areas of everyday professional life. In a field where not every situation is covered by clear rules, the code helps professionals make decisions with integrity and embed accountability throughout their work.

A living document with room for updates

ISC² explicitly regards the code as a “living document” that will be supplemented and adjusted as the field develops. In doing so, the association positions itself alongside established professions, such as accounting, finance, healthcare, and law, which have comparable professional codes. The code makes clear that cybersecurity is a fully fledged, ethically reflective profession, not just a technical discipline.

The complete “ISC² Code of Professional Conduct” is available at www.isc2.org/about/code-of-professional-conduct.

By Jakob Jung

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM. Contact via Mail: jakob.jung@security-storage-und-channel-germany.de
