IAISP Code of Professional Ethics
Member Violation Complaints and Appeals Policy
Last Updated August 1, 2024
IAISP Ethics Manager
International Association of Information Security Professionals (IAISP)
700 12th Street, N.W. Suite 700
Washington, DC 20005
IAISP helps individuals and organizations worldwide keep pace with the changing technology landscape.
All IAISP members are required to comply with IAISP’s Code of Professional Ethics, which guides their professional conduct.We all benefit from a strong professional membership association that empowers us to perform our duties with the highest of professional care.
An important aspect of IAISP membership is having in place a code of professional ethics and a policy that enables individuals or organizations to alert IAISP to a potential violation of the by an IAISP member and for IAISP to take remedial actions when appropriate.
This policy (the “Policy”) has been put in place by IAISP to ensure a simple, fair, and transparent way of maintaining our core values and evaluating allegations that an IAISP member has violated the Code of Professional Ethics.
This Policy also describes the criteria for submission of the allegation and the administrative requirements and forms utilized in the review process. IAISP reviews and investigates each allegation that meets the eligibility criteria to determine whether it has merit. If an allegation that a member has violated the Code of Professional Ethics has merit, the member who is the subject of the allegation will be provided with notice of the allegation and an opportunity to respond.
Volunteer members of IAISP review allegations of member violations of the Code of Professional Ethics that have been deemed to have merit and assess corrective actions, if applicable. An IAISP member can appeal the imposition of corrective actions under limited circumstances.
Any questions about this Policy can be submitted to the Ethics Manager at ethics@iaisp.org
IAISP Code of Professional Ethics
IAISP sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders.
Members and IAISP certification holders shall:
- Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including audit, control, security and risk management.
- Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
- Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.
- Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
- Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
- Inform appropriate parties of the results of work performed including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
- Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including audit, control, security and risk management.
Definitions
Appeal – A submission by the Subject appealing a Corrective Action imposed pursuant to a Review Panel Determination using the process defined in this Policy.
Appeal Panel – A volunteer group of IAISP members that meet to review a Subject’s Appeal pursuant to the Policy.
Appeal Panel Determination – A decision by the Appeal Panel as to whether the original Review Panel Determination should be amended and if so, including a determination on the removal or alteration of the Corrective Action originally imposed.
Code of Professional Ethics – IAISP’s code of professional ethics that governs the professional and personal conduct of IAISP Members.
Corrective Action – An action assessed by the Review Panel that affects the membership status of the Subject. It is included in the Review Panel Determination when the Review Panel has determined that a violation of the Code of Professional Ethics has occurred.
Ethics Manager – The IAISP staff member primarily responsible for receiving, investigating and processing Reports of Alleged Violation and communicating with the Reporter and Subject, as needed. The Ethics Manager directs the Review Panel and the Appeal Panel and gives notice to the Subject of their determinations.
Investigation Summary – A document completed by the Ethics Manager including the Report of Alleged Violation Form and any relevant additional information collected from the Reporter, Subject, IAISP staff members, Witnesses or other third parties in order to determine if a Report of Alleged Violation has merit.
IAISP Member – An individual who is registered as an active member of IAISP, with dues paid in full for the current membership year.
Panel – A Review Panel or Appeals Panel.
Report of Alleged Violation – A submission to IAISP using the process defined in this Policy that describes the details and circumstances in which an IAISP Member is believed to have violated the Code of Professional Ethics.
Reporter – The individual or entity, including IAISP, that submits a Report of Alleged Violation.
Review Panel – A volunteer group of IAISP members that meet to review a Report of Alleged Violation that is deemed to have merit as set forth in this Policy and pursuant to the Policy.
Review Panel Determination – A decision by the Review Panel upon review of an Investigation Summary as to whether an IAISP Member has violated the Code of Professional Ethics, and if so, what Corrective Action should be assessed.
Review Panel and Appeal Panel Guidelines – The guidance document attached as Annex A to the Policy and incorporated by reference into the Policy, which includes the process for selecting the Review and Appeal Panels as well as the guidelines for how the Review and Appeal Panels operate.
Subject – The IAISP Member that is alleged to have violated the Code of Professional Ethics in a Report of Alleged Violation.
Witness – An individual who has first-hand knowledge of the activities described in the Report of Alleged Violation Form and may be contacted during IAISP’s investigation.
Forms
The following forms must be utilized by the Reporter and Subject to submit or respond to a Report of Alleged Violation or an Appeal. The location of the forms may be changed at IAISP’s discretion.Report of Alleged Violation Form – The document required to submit a Report of Alleged Violation. Details can be found on Form and submitted at ethics@iaisp.org or other location specified by IAISP.
Response Form – The document completed and submitted by a Subject upon notification of a Report of Alleged Violation detailing any information the Respondent would like included in the Ethics Complaint Investigation Summary that will be reviewed by the Review Panel. Details can be found on Form and submitted at ethics@iaisp.org or other location specified by IAISP.
Appeal Form – The document completed and submitted by a Subject to appeal a Corrective Action imposed by the Review Panel. Details can be found on Form and submitted at ethics@iaisp.org or other location specified by IAISP.
Who May Submit a Report of Alleged Violation?
Any individual, group or organization may submit a Report of Alleged Violation. In the event of a group or organization submission, a single individual must be designated to receive correspondence related to the Report of Alleged Violation.
The Reporter may submit a Report of Alleged Violation anonymously by following the submission instructions in the Report of Alleged Violation Form.
IAISP may submit a Report of Alleged Violation against an IAISP Member.
Confidentiality
All information exchanged pursuant to this Policy shall be deemed confidential and shall be used only for the purposes of investigating and reviewing the Report of Alleged Violation. IAISP reserves the right to copy, discuss, disclose and disseminate this information to members of the Review Panel, relevant IAISP staff, external counsel and the Subject for the purposes of investigating the Report of Alleged Violation.
IAISP shall make reasonable efforts to maintain the confidentiality of relevant materials. IAISP reserves the right to withhold from or redact evidence sent to other parties (including Subjects) that would disclose information such as a Reporter’s identity, identifying evidence of witnesses, investigative methods or proprietary materials. IAISP may respond to inquiries at any time from other parties regarding the existence of a Report of Alleged Violation.
All parties involved who are IAISP Members must operate in a manner consistent with all applicable IAISP policies regarding conflicts of interest.
Submission of a Report of Alleged Violation
A Reporter must submit a Report of Alleged Violation by completing and electronically submitting the Report of Alleged Violation Form according to the instructions provided in the form and in this Policy.
The completed Report of Alleged Violation Form must include detailed factual allegations and clearly explain how the Subject violated the Code of Professional Ethics.
The electronic form can be found at https://www.iaisp.org/code-of-professional-ethics or other location specified by IAISP.
- The Subject must be an active IAISP
- The subject matter of the Report of Alleged Violation must relate to a specific violation of the Code of Professional
- The violation of the Code of Professional Ethics alleged must be a reasonable concern and not frivolous or
- The information provided in support of the Report of Alleged Violation must be detailed and reliable enough to allow for further investigation.
- Complaints against an IAISP employee
- Customer service, account or billing issues
- IAISP product or content issues
Deadline for Submission
Reports of Alleged Violation relating to activities that occurred more than two years prior to the date of submission of the relevant Report of Alleged Violation will not be considered.
Simultaneous Litigation or Other Proceedings
The Report of Alleged Violation Form must include all information known to the Reporter regarding civil or criminal litigation or other proceedings substantially related to the Report of Alleged Violation that are before a court, regulatory agency or other governmental body or if the matter is being pursued through another IAISP process or before another professional body, unless such disclosure is prohibited under applicable law or court or government order.
The Ethics Manager may choose to suspend or reject the Report of Alleged Violation if civil litigation or other legal proceedings related to the subject matter of the Report of Alleged Violation exist and whether the Report of Alleged Violation will be reopened and investigated once the litigation or other proceedings have concluded. Such determinations will be at the sole discretion of the Ethics Manager.
Subjects that Hold an IAISP Certification
If the Subject of a Report of Alleged Violation holds an IAISP certification, the Ethics Manager will make a determination as to whether the subject matter of the Report of Alleged Violation relates to obtaining and/or maintaining an IAISP certification. If the Ethics Manager determines that the subject matter of the Report of Alleged Violation relates to obtaining and/or maintaining an IAISP certification, the Ethics Manager will forward the Report of Alleged Violation to be reviewed by the Certification Working Group pursuant to the Certification Complaints and Appeals Policy, within 15 days of receipt. If the Subject is found to have violated the Code of Professional Ethics under the Certification Complaints and Appeals Policy, the Certification department will submit a Report of Alleged Violation under this Policy detailing the violation of the Code of Professional Ethics.
Review and Investigation
The Ethics Manager will confirm receipt of the Report of Alleged Violation Form by email response to the Reporter within 10 calendar days of receipt. The Ethics Manager will further communicate with the Reporter if IAISP has questions or needs further information or clarification from the Reporter.
Otherwise, the Ethics Manager will not communicate further with the Reporter and will not notify the Reporter of the result of the Report of Alleged Violation.
The Ethics Manager will review the Report of Alleged Violation Form and determine if it is eligible for review under the Policy. If the Ethics Manager determines that the Report of Alleged Violation is eligible for review under the Policy, the Ethics Manager will conduct an investigation to confirm the facts related in the Report of Alleged Violation Form and draft an Investigation Summary. The scope of the investigation is at the sole discretion of the Ethics Manager.
Notice to Subject
If the Report of Alleged Violation is eligible for review under this Policy and the Ethics Manger has determined that it has merit, the Subject will be notified and provided with the Investigation Summary. The Subject has the option to complete the Report of Alleged Violation Response Form if the Subject would like to provide additional information (see Timeline). The Report of Alleged Violation Response Form must be submitted within 30 days of the Subject’s receipt of the Investigation Report from the Ethics Manager.
Once the submission deadline for the Report of Alleged Violation Response Form has passed (see Timeline), the Ethics Manager will conduct any additional investigation that is needed, update the Investigation Summary and present it to the Review Panel. Once the Review Panel makes a determination, the Review Panel will complete the Review Panel Determination detailing any Corrective Action assessed, and the Ethics Manager will include it with the notice to the Subject.
The Ethics Manager will provide all notices to the Subject via email to the email address of the Subject’s IAISP account. Notice of the Report of Alleged Violation (if needed) and the final notice of the Review Panel Determination will also be sent by mail or courier to the address indicated as the preferred address in the Subject’s IAISP account.
If the Report of Alleged Violation is not eligible for review under the Policy or is found to be without merit after the initial investigation, the Subject will not be notified that the Report of Alleged Violation was submitted.
IAISP will make reasonable efforts to follow the time requirements noted in this Policy. However, IAISP’S failure to meet a time requirement will not prohibit the final resolution of any Report of Alleged Violation or otherwise prevent IAISP from acting under this Policy.
IAISP recognizes there may be extenuating circumstances. The Subject may provide a written request for an extension of the deadline to submit the Report of Alleged Violation Response Form or for a reasonable accommodation related to matters of language, custom or geographic location. IAISP may grant such requests at its sole discretion.
Review Panel
The Review Panel consists of volunteers appointed by IAISP for a one-year period for the purpose of reviewing Reports of Alleged Violation to determine whether the Subject violated the Code of Professional Ethics and if so, to assess appropriate Corrective Actions. The five-member panel consists of active members of IAISP. Two alternate members will be utilized on an as-needed basis.
If the Ethics Manager has determined that a report of Alleged Violation has met the Submission Criteria, the Ethics Manager will notify the Review Panel and provide it with the Investigation Summary within 14 days of the submission of the Report of Alleged Violation Response Form. The Review Panel will then convene to discuss the Report of Alleged Violation and make a determination based on the Investigation Summary.
The Review Panel will complete the Review Panel Determination and the Ethics Manager will notify the Subject of the Review Panel Determination within 30 calendar days of receipt of the Investigation Summary.
Corrective Action
If the Review Panel finds that the Subject has violated the Code of Professional Ethics, the Review Panel may assess a Corrective Action against the Subject, which will be included in the Review Panel Determination.
Corrective Actions will be assessed based on the:
- Severity of the violation
- Number of times the Subject violated the Code of Professional Ethics
- How the violation impacted the IAISP community and the general public
- Whether the Subject has a history of violations, warnings or Corrective Actions regarding the Code of Professional Ethics
- Whether the Subject has received a revocation of an IAISP certification as a result of the actions described in the Report of Alleged Violation
The Corrective Actions that may be assessed by the Review Panel are as follows:
- Warning Letter – A formal rebuke in writing for a violation of the Code of Professional Ethics that could lead to more severe Corrective Actions if subsequent violations
- Probation – A temporary period of time (normally one year) during which, if additional violation(s) of the Code of Professional Ethics occur, a Suspension or Revocation of IAISP membership will
- Suspension – A temporary revocation of IAISP membership status for one During this time, the Subject will be prohibited from participation in all membership-related activities and benefits.
- Revocation – Permanent revocation of IAISP membership, which includes a prohibition from participating in IAISP-associated activities at any level, including testing and credentialing.
If the Review Panel determines that the Subject has violated the IAISP Code of Professional Ethics, the Subject will receive the following:
- The Policy
- Review Panel Determination, which will include any Corrective Action assessed to the Subject
- Link to the Appeal Form
In the case that the Review Panel Determination imposes Suspension of Revocation of membership, any membership fees paid by the Subject will not be refunded.
Appeals may only be submitted by a Subject that has received a Corrective Action other than a Warning Letter.
Submission of an Appeal
The Subject must submit an Appeal by completing and electronically submitting the Appeal Form, according to the instructions provided in the form and in this Policy.
The electronic form can be found at https://www.iaisp.org/code-of-professional-ethics or other location as specified by IAISP.
Criteria for Submission
- To be eligible for review under the Policy an Appeal must assert at least one of the following
bases (“Appeal Criteria”):
- Procedural Error: IAISP did not follow the procedures outlined in the Deviation from the timelines outlined in the Section: Report of Alleged Violation Timeline or elsewhere in the Policy does not meet the criteria for an appeal.
- Factual Error: The Subject can show that the facts outlined in the Investigation Summary are not true, and this evidence was not available at the time of the Review Panel’s original If the basis for an Appeal is Factual Error, the Appeal Form must include evidence that that the facts outlined in the Investigation Summary are not true, and this evidence was not available at the time of the Review Panel’s original decision.
- Severity of Corrective Action: The Corrective Action was too severe or not congruent with the violation, or extenuating circumstances exist.
Deadline for Submission
The Subject must submit the Appeal Form to the Ethics Manager at ethics@iaisp.org within 45 calendar days of the notice date of the Review Panel Determination.
Review of Submission
The Ethics Manager will confirm receipt of the Appeal Form by responding to the Subject’s email submission. The Ethics Manager will further communicate with the Subject if IAISP has questions or needs further information or clarification regarding the submission.
The Ethics Manager will confirm the Appeal Form meets the Appeal Criteria within 14 calendar days of receipt of Subject’s completed Appeal Form. If the Ethics Manager determines that the Appeal Form does not meet the Appeal Criteria, the Ethics Manager will advise the Subject such and that the Appeal has been rejected.
If the Ethics Manager determines that the Appeal Criteria has been met, the Ethics Manager will submit the Appeal Form to the Appeal Panel.
Appeal Panel
The Appeal Panel consists of volunteers appointed by IAISP for a one-year period for the purpose of reviewing appeals submitted by a Subject that has received a Corrective Action other than a Warning Letter and issuing an Appeal Determination. The five-member panel consists of active members of IAISP. Two alternate members will be utilized on an as-needed basis.
Within 30 calendar days of the Appeal Panel’s receipt of the Appeal Form, the Appeal Panel will convene and determine whether there was a Code of Professional Ethics violation and, if so, whether the Corrective Action imposed by the Review Panel Determination was appropriate, and then issue an Appeal Panel Determination.
The Ethics Manager will then send the Appeal Panel Determination to the Subject.
Referral for Certification Holders
If the Respondent holds an IAISP certification, the Ethics Manager may refer the Ethics Complaint to the Certification Working Group for review pursuant to the Certification Complaints and Appeals Policy.
Changes to the Policy
All suggestions for changes to this Policy should be made to the Ethics Manager who will facilitate appropriate review by IAISP staff and possible submission to the IAISP Governance and Nominating Committee for approval. All changes are made at IAISP’s discretion.
Timeline
| Action | Due Date |
| Reporter electronically submits a Report of Alleged Violation Form. | Date of submission |
The Ethics Manager · Confirms receipt to Reporter of the Report of Alleged Violation Form · Confirms the Report of Alleged Violation Form meets the criteria for submission | Within 10 calendar days of receipt |
The Ethics Manager conducts a preliminary investigation and determines either: (a) The Report of Alleged Violation does not have merit and closes the Report of Alleged Violation (b) The Report of Alleged Violation does have merit to be presented to the Review Panel, and provides notice to the Subject, which includes: 1. A copy of the Policy 2. A link to the Report of Alleged Violation Response Form | Within 30 calendar days of receipt of the Report of Alleged Violation Form |
| Subject may choose to complete and electronically submit the Report of Alleged Violation Response Form to the Ethics Manager. | Within 30 calendar days of notice to Subject |
Ethics Manager: · Reviews the Subject’s Report of Alleged Violation Response Form · Conducts further investigation as needed · Completes the Investigation Summary and sends it to the Review Panel | Within 14 calendar days of receipt of Subject’s completed Report of Alleged Violation Response Form or expiration of the 30-day period, whichever is first |
Review Panel convenes to: · Review the Investigation Summary · Determine whether the Subject violated the Code of Professional Ethics · Assess a Corrective Action, if applicable · Issue a Review Panel Determination
Ethics Manager notifies the Subject and provides the Review Panel Determination. | Within 30 calendar days of receipt of the Investigation Summary |
| Subject may submit an Appeal of the Review Panel Determination by electronically submitting an Appeal Form. | Within 45 calendar days of notice to Subject of the Review Panel Determination |
Ethics Manager will determine if the Appeal meets the Appeal Criteria. Then: (a) If the Ethics Manager determines that the Appeal does not meet the Appeal Criteria, the Ethics Manager will reject the Appeal and notify the Subject of the rejection. (b) If the Ethics Manager determines that the Appeal does meet the Appeal Criteria, then the Ethics Manager will notify Appeal Panel and send them a copy of the Appeal Form. | Within 14 calendar days of receipt of Subject’s completed Appeal Form |
Appeal Panel convenes to: · Review the Appeal Form · Based on the information in the Appeal Form, determine whether there was a Code of Professional Ethics violation and, if so, whether the Corrective Action imposed by the Review Panel Determination was appropriate · Issue an Appeal Panel Determination
The Ethics Manger will notify the Subject and provide the Appeal Panel Determination. | Within 30 calendar days of receipt of Subject’s completed Appeal Form |
Form Appendix
Form – Report of Alleged Violation Form (Download Here)
Form – Response Form (Download Here)
Form – Appeal Form
To be submitted at ethics@IAISP.org
Annex A
Review Panel and Appeal Panel Guidelines
Panel Structure
- There will be two panels, with the Review Panel reviewing a Report of Alleged Violation that is deemed to have merit and the Appeal Panel reviewing a Subject’s Appeal pursuant to the policy.
- Each panel will consist of five full-time IAISP members and an additional two alternate members.
- Panel Members will be recruited through the IAISP Volunteer Program, and a slate of proposed members will be provided to the Governance and Nominating Committee for approval.
- Panel members will serve one-year terms and can serve up to five terms.
- Panel members may be removed by a resolution of the Governance and Nominating Committee; If a member is removed, one of the two alternate members will assume the vacated position.
- Panel members will receive 10 hours of CPE for each year of Alternate Panel Members will not receive CPE unless they assume a vacated spot and will receive 10 hours regardless of the time served for the year.
- All Panelists must:
- Be an IAISP member in good standing (i.e., having no outstanding invoices or violations of the Code of Professional Ethics)
- Show long-standing knowledge and service with IAISP through membership
- The IAISP Volunteer Program will seek Panel Members who provide regional and gender representation, but there is no requirement or minimum number of Panel Members that must represent a specific region or gender.
Panel Member Guidelines
- Each of the members of the Review Panel and the Appeal Panel must familiarize themselves with the facts of the case.
- If a Panel member finds that a specific case creates a conflict of interest for them, they must disclose any conflict of interest to the panel and recuse themselves if necessary.
- The Panel members must act in good faith and be consistent with the Code of Professional Ethics, complete business within the timelines provided in the policy, and keep information in strict confidence.
- If the Panel needs advice or information, the Ethics Manager can assist as needed.
Meeting Cadence and Voting Procedures
- Panel meetings can occur in person, via conference call, or online and will occur on an ad hoc schedule based on the Reports of Alleged Violation or Appeals submitted.
- There must be a quorum of at least three Panel members for a valid Panel meeting.
- Decisions will be made by a majority vote of those Panel members present at a meeting at which a quorum is present.
Review Panel
- The Review Panel must schedule time to meet within 30 calendar days of receiving the Subject’s completed Report of Alleged Violation Response Form, which will be provided by the Ethics Manager.
- The Review Panel will complete the Review Panel Determination, and the Ethics Manager will notify the Subject of the Review
- Panel Determination.
Appeal Panel
- The Appeal Panel must schedule time to meet within 30 calendar days of receiving the Subject’s
completed Appeal Form, which will be provided by the Ethics Manager.
- The Appeal Panel will issue an Appeal Determination and the Ethics Manager will notify the Subject.
Any panel responsibilities that are not explicitly described in this policy are assumed to be the decision of the Ethics Manager
