A company’s external protection does not depend only on guards, lawyers, or reputation
consultants. Very often, it begins with internal policies. These policies determine who the
company allows in, how it chooses partners, how it responds to threats, how it handles
information, and how it behaves in difficult situations.
The primary policy, of course, is the Security Policy. It forms the company’s “constitution”
for protecting all of its interests and establishes the basic approaches to building a
comprehensive Security System that serves as a strong protective umbrella.
Another essential policy for any legal entity is the Counterparty Due Diligence Policy. A
company must understand with whom it signs contracts, to whom it pays money, and who
gains access to its information, logistics, clients, or internal processes. Checking
registration data, ownership, litigation history, sanctions exposure, reputation, political ties,
criminal or hostile connections, and actual business history significantly reduces the risk of
fraud, losses, and reputational damage. For example, our company offers six levels of due
diligence depth for both Ukrainian and international counterparties.
The Information Security Policy is equally important. It defines who has access to data,
how documents are stored, how files are transferred, and how passwords, messaging
applications, email, cloud services, and personal devices are used. ISO/IEC 27001
describes information security as a management system that includes risk assessment
and risk treatment, rather than merely technical settings.
A Communications Policy is also highly advisable. It is usually needed when a company
faces a crisis, a public conflict, a media attack, an accusation, a data leak, or false
information. If there are no clear rules defining who speaks on behalf of the company, how
quickly an official position is prepared, who verifies the facts, and who approves the
message, an external threat quickly turns into chaos.
The Conflict of Interest Prevention Policy also deserves special attention. It merits a
separate article of its own, but in general it affects procurement, hiring, partnerships,
charitable projects, contractors, boards of directors, and senior management roles.
External protection weakens when hidden arrangements, family ties, personal interests,
kickbacks, or informal influence exist inside the company.
The next policy is critically important in today’s turbulent times: the Crisis Response and
Business Continuity Policy. ISO 22301 provides a framework for preparing an
organization for disruptive incidents, reducing their likelihood, and restoring operations
afterward. In practical terms, this means simple but vital things: who makes decisions, how
communication is maintained, how people are evacuated, and how the business continues
to function during shelling, cyberattacks, blocked accounts, or physical threats.
It should be said that there are many more policies that help establish security and
protection rules, but that is a topic for a separate discussion.
Policies should not be dead documents. They should not be drafted by officials who are
not practicing security professionals. The real strength of policies appears when leaders
follow them themselves, employees understand their purpose, and the company’s or
organization’s security function has the authority to apply the rules equally to everyone.
External protection begins to work when internal order leaves enemies, fraudsters, and
random outsiders with very little room to maneuver.
And what about your company?
Do you have policies governing security and protection processes?
And are they truly built for your business — or were they simply copied from the internet,
where they were posted by “authors” who have never actually worked in security?
