Ethics of an Information Security Auditor
ISACA (Information Systems Audit and Control Association) sets forth this Code of Professional Ethics to guide the
professional and personal conduct of members of the association and/or its certification holders.
Members and ISACA certification holders shall:

1. Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
3. Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.
4. Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
6. Inform appropriate parties of the results of work performed, including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
7. Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security and risk management.

Failure to comply with this Code of Professional Ethics can result in an investigation into a member's or certification holder's conduct and, ultimately, in disciplinary measures.

What Makes an Information Security Auditor?
• At minimum, a bachelor's degree.
• Certification is often highly recommended and may be required by some employers prior to hiring.
• A Certified Information Systems Auditor (CISA) is an independent expert who is qualified to perform information systems audits. This has raised the standing of the CISA designation, which is often a mandatory qualification for an information systems auditor.