This article from Attrition.org and InfoSecIsland.com is a good discussion of the ethical problems of CISSP/(ISC)². I thought I'd add my own 2 cents, since the ethics problems with the CISSP certification are pretty grave.
The article above only briefly mentions the more common complaint about the (ISC)², that they are technically incompetent, and thus not qualified to certify people. I would suggest that the two are intertwined: the cause of (ISC)²'s poor ethics is the need to cover up their lack of technical competence.
Other certifications, such as passing the bar to become a lawyer, publish past tests, or otherwise provide ways to judge their competence. In that way, those in the profession can judge for themselves whether passing the bar is an adequate measure of competence in the legal profession. If the bar itself proves incompetent, this will quickly become apparent in the published test questions.
No such accountability exists for (ISC)². There is no transparency in their tests. They keep the questions secret, which prevents outsiders from judging the quality of their tests. Moreover, their tests contain trial questions, which are not graded, but are being evaluated for official inclusion in future tests. When test takers point out obviously bogus questions, those are just dismissed as being trial questions.
This issue is doubly troublesome because of the role "transparency" plays in cybersecurity. We would never trust an encryption algorithm that was not completely transparent. Yet, we are expected to trust a certification program shrouded in obscurity.
Like other professions, one of the chief concerns of professional ethics is protecting the profession. Whether you are a doctor, clergyman, lawyer, or journalist, you are expected to keep confidential information secret. This protects the profession: your patients won't confide their medical secrets in you if you blab about them, preventing you from being able to treat the patient. Your flock won't confess to you if you blab about it in your next sermon. Your client won't confide their legal secrets to you if you then confess them in court. Anonymous sources won't give you juicy stories if you reveal your source.
Curiously, though, that item isn't among the CISSP ethics. I guess it's implied ("respect their trust"), but there is nothing as explicit as in these other professions that says "you will not divulge the secrets your client confides in you". In particular, there is no guidance for real-world problems, such as "should I keep illegal activity by the customer secret?".
But, there are a lot of things in the CISSP ethics that aren't in those other professions. For example, according to the (ISC)², you should not professionally associate with or recognize criminals, amateurs, or the non-certified. This changes cybersecurity into a corrupt cartel that shuns those who do not pay into the cartel. It's a lot like the licensing boards in states, where professionals have lobbied the government to enact barriers to competition, all in the name of "certification".
The model for certification in our industry shouldn't be the closed, obscure processes of the corrupt and incompetent, but the open processes we see in academia. The competency of physicists is judged by the papers they write. Of course, if you are new to cybersecurity, you aren't going to have a track record of published papers, but you will have blog posts, or at least posts to sites like http://security.stackexchange.com.
An example of this is the SANS GIAC certification. I know little about it; maybe it has even worse problems than (ISC)²'s CISSP. But, I can judge it in an open source way. Take the board of directors. The (ISC)² board is a bunch of people I've never heard of before, but I know everyone on the SANS board, not personally, but through the work they've published. Likewise, as part of certification, people publish papers on a narrow topic. My search results on cybersecurity topics are littered with GIAC papers. Finally, and most importantly, the professionals who carry GIAC are usually competent, whereas CISSP certified professionals rarely are. I can't find a record of past exams, but GIAC sample test questions display competence, whereas the sample CISSP test questions do not.
To be fair, the academics on the SANS board are different from the industry professionals on the (ISC)² board. But here's the thing: being a corporate executive only validates your leadership (or political) skills, not your technical skills. Like law and medicine, our field has a heavy academic component. You wouldn't put hospital administrators in charge of evaluating the skills of doctors, nor should you put managers in charge of certifying cybersec professionals.
The SANS ethics contain a lot less nonsense than the CISSP ethics. They are clearly about protecting the reputation of professionals, such as explicitly saying "don't divulge secrets", and there's none of the corrupt cartel-supporting ethics of the CISSP like "valuing the certificate". The SANS list provides guidance for the ethical questions cybersec professionals actually face, whereas the CISSP ethics appear to be written by somebody who has never experienced real world ethical questions.
Of particular interest is this one case where they disagree on ethics:
CISSP ethics: "Discourage unsafe practice" (translation: be more a security advocate)
SANS ethics: "I distinguish between advocacy and engineering" (translation: be less a security advocate)
The CISSP ethic is wrong. Outsiders distrust cybersec professionals because of our tireless advocacy against everything that is deemed unsafe. The reality is that cybersecurity is a tradeoff between costs and benefits. Our job is to accurately and dispassionately communicate the risks, but recognize that customers may choose risk over costs. This unrelenting advocacy is corrosive to our industry, and is the biggest reason for lack of trust in our profession, not the other ethical reasons (like divulging secrets) that one expects.
Now, I don't like all the items on the SANS ethics list. The last item forbidding "discrimination" is pointless. Yes, I suppose it's a good thing, but you could also include "be nice to children" and "don't kick puppies". They don't relate to cybersec. However, this nonsense just reflects the general stupidity of political correctness rather than calling into question their technical competency.
I could endlessly dump on the nonsense that is CISSP, but I leave you with one last ethical problem. Their ethics discourage "Professional recognition of or association with amateurs". The (ISC)² is clearly a bunch of amateurs. Therefore, by definition, you should neither recognize the CISSP certificate nor associate with (ISC)² people. I know this is a snide comment, but it reflects the real ethical quandary of whether it's ethical to recognize a certification that we know certifies the unqualified.