How to Build a Corporate Security Programme: A Practical Guide

Security Intelligence


How to design a corporate security programme from first principles. Threat assessment, security posture, duty of care, ISO 31030:2021, budget allocation, and provider selection for 2026.

30 Apr 2026

Written by James Whitfield — Senior Security Consultant

Most organisations build their corporate security programme reactively. An incident triggers a review. A near-miss prompts a policy update. A board member asks an uncomfortable question after a competitor’s executive is targeted. The resulting programme is typically a patchwork of responses to past events rather than a structured system designed to address current and future risks.

This guide describes how to build a corporate security programme from the foundation up, with the structural components that practitioners in mature security programmes apply as standard.

The foundation: threat assessment

No security programme is useful without a current, documented understanding of the threats the organisation faces. This means:

A threat inventory by category. Who or what might seek to harm the organisation’s people, assets, or operations? The categories are: criminal (opportunistic and organised), terrorism and extremism, insider threat, state-sponsored activity, and activist or protest targeting. Not all categories will be relevant for every organisation. A retail company does not face the same state-sponsored espionage risk as a defence contractor.

A geography map. Where do employees travel? Where are offices, sites, and assets located? The threat picture in Singapore is not the same as in Lagos. A threat assessment that averages across all locations is not useful. Location-specific assessment is the correct level of granularity.

A principal profile. Who are the highest-risk individuals in the organisation? C-suite executives with media profiles, board members, significant shareholders, and employees working in sensitive sectors or high-risk locations have different threat profiles from general staff. Identifying the highest-risk principal cohort is a prerequisite for proportionate resource allocation.

For the threat assessment methodology and the risk framework that converts threat data into a protection posture, see our security risk assessment explained.

Risk tiering: the operational architecture

A risk tiering system is the practical mechanism through which a threat assessment drives operational decisions. The standard approach uses a five- or six-level scale:

Level 1-2: Standard destinations with no elevated risk. Normal travel procedures apply.

Level 3: Destinations with elevated crime or terrorism risk. Pre-travel country briefing required. Emergency contacts provided. Travel registration with HR or security function.

Level 4: High-risk destinations. Pre-travel security briefing from security team or approved provider. Vetted airport transfers required. Hotel selection guidelines apply.

Level 5: Very high-risk destinations. Individual risk assessment for each trip. Security driver required. Security provider pre-engagement required. Specific emergency protocol issued.

Level 6: Exceptional risk. Senior leadership approval required. Active security programme for the duration. Continuous monitoring. Defined extraction protocols.

The precise level definitions will vary by organisation. What matters is that they are documented, applied consistently, and reviewed against current intelligence at least annually.

ISO 31030:2021 provides the international framework for this structure. Organisations that implement a tiered system aligned with the standard can demonstrate systematic duty of care in any HR or legal proceeding involving employee harm during business travel.

Governance: who owns security

A security programme without a named accountable owner is not a programme. It is a collection of policies that will be applied inconsistently. The governance question is: who in the organisation is responsible for travel security decisions, and what authority do they have?

In large organisations, this is typically a Global Security Director or Chief Security Officer with direct board access. In smaller organisations, security responsibility may sit with the COO, HR Director, or Legal Counsel. What matters is not the title but the clarity: one named role with documented authority, accountable for programme design, provider relationships, incident response, and policy review.

The reporting line matters. A security function that reports into HR will make different decisions under pressure than one that reports to the CEO or COO. Security decisions occasionally require overriding business convenience for risk-based reasons. That requires organisational authority.

Provider selection

Provider selection is where many corporate security programmes introduce their most significant quality variable. Common failure modes:

Selecting based on price alone. Security is not a commodity. The difference between a provider with a rigorous operator vetting process and one who deploys available personnel on the day is not visible in a proposal document. It only becomes visible when something goes wrong.

Selecting based on brand recognition alone. Large international providers have the infrastructure for global coordination, but their on-the-ground quality in a specific city depends on their local network and vetting processes. The brand at the top does not guarantee quality at the operator level.

Selecting based on existing vendor relationships. Finance, legal, and facilities teams often prefer to add security to existing vendor relationships. The security function should evaluate providers on security-specific criteria: operator vetting standards, regulatory compliance, insurance, incident response capacity, and specific city expertise.

A documented provider evaluation framework should cover: regulatory compliance in relevant jurisdictions, operator vetting standards (does the provider do direct employment history checks or rely on self-certification?), insurance coverage (type and limits), incident response track record, and reference checks from existing clients in comparable risk environments.

For the operator vetting standards that distinguish professional providers from the rest, see our security vetting and background checks guide.

Travel policy integration

A security programme that operates in parallel with the corporate travel policy creates gaps. The integration points are:

Booking process. Does the travel booking system flag Level 4+ destinations automatically to the security function? If security briefings are only triggered when the employee or manager remembers to ask, they will be missed.

Approval workflow. Level 5 and Level 6 trips should require security function sign-off, not just manager approval. The manager’s role is business need. The security function’s role is risk assessment and control measures.

Duty of care documentation. For each high-risk trip, the security programme should generate and retain documentation of: the risk assessment completed, the briefing provided, the controls in place, and the employee’s acknowledgment. This documentation is the evidence of a managed duty of care process.
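The tier thresholds, booking flag and approval workflow described above, as an added Python example that is not from the article: the destination ratings and control wordings are constructed for illustration, and the assumption that controls accumulate up the scale is mine, not the article's.

```python
from dataclasses import dataclass

# Controls per risk level, paraphrased from the article's Level 1-6 scale.
# Assumption (not stated in the article): controls accumulate up the scale.
TIER_CONTROLS = {
    3: ["country briefing", "emergency contacts", "travel registration"],
    4: ["security briefing", "vetted airport transfer", "hotel guidelines"],
    5: ["individual trip risk assessment", "security driver",
        "provider pre-engagement", "trip emergency protocol"],
    6: ["active security programme", "continuous monitoring",
        "extraction protocol"],
}
# Constructed destination ratings for the example; a real programme takes
# these from the annual threat assessment and event-triggered reviews.
DESTINATION_LEVEL = {"Singapore": 1, "Paris": 2, "Nairobi": 3,
                     "Lagos": 4, "Karachi": 5, "Kabul": 6}

@dataclass
class Trip:
    traveller: str
    destination: str
    approvals: frozenset = frozenset()  # e.g. {"manager", "security"}
    acknowledged: bool = False          # traveller signed off the briefing

def required_controls(level):
    return [c for lvl in sorted(TIER_CONTROLS) if lvl <= level
            for c in TIER_CONTROLS[lvl]]

def required_approvals(level):
    # Manager sign-off (business need) always; security sign-off (risk
    # assessment and controls) at Level 5+; senior leadership at Level 6.
    approvals = {"manager"}
    if level >= 5:
        approvals.add("security")
    if level >= 6:
        approvals.add("leadership")
    return approvals

def evaluate(trip):
    # Booking-time gate: flag Level 4+ to security and list what is missing.
    level = DESTINATION_LEVEL.get(trip.destination)
    if level is None:  # unrated destination: never default to low risk
        return {"level": None, "flag_security": True, "approved": False,
                "missing": ["destination risk rating"]}
    missing = sorted(required_approvals(level) - set(trip.approvals))
    if level >= 4 and not trip.acknowledged:
        missing.append("traveller acknowledgment")
    return {"level": level, "flag_security": level >= 4,
            "controls": required_controls(level),
            "missing": missing, "approved": not missing}
```

The returned `missing` list is what the duty of care record should capture as closed before departure, alongside the controls applied.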

For the ISO 31030:2021 framework as it applies to corporate travel policy specifically, see our corporate travel security policy guide.

Crisis response planning

A security programme must include a crisis response protocol that is tested before it is needed. The components:

Incident reporting chain. Who does an employee call when something goes wrong? The 24/7 contact number should be in the employee’s phone before departure, not on a sheet of paper in their briefing pack.

Escalation criteria. What categories of incident require immediate escalation to senior leadership? Detention by authorities, hospitalisation, active attack in the employee’s location, and kidnapping all require different response protocols.

External resource activation. Which crisis management consultancy, K&R insurer, or specialist provider has a pre-agreed service agreement? An untested cold relationship with an incident response provider is not an operational asset. Pre-agreed retainer relationships allow immediate activation.

Media and communications protocol. Who is authorised to make statements about a security incident involving company employees? The security function, HR, and communications team need a coordinated protocol that prevents contradictory external statements.

For the crisis management framework applicable during an active incident, see our corporate crisis management guide.

Technology and monitoring

Monitoring tools augment the security programme but do not replace the human elements. The categories of tools a mature programme uses:

Travel tracking. Software that maintains a real-time record of where employees are travelling, against which destination risk ratings are applied automatically. International SOS, Crisis24, and similar platforms provide this.

Intelligence feeds. Automated alerts for significant security events in the destinations where employees are located or travelling to. These are subscription services that aggregate OSAC, FCDO, and regional intelligence reporting.

Communication continuity. What communication channel is available if the employee’s phone is lost, stolen, or otherwise unavailable? A secondary contact protocol, a satellite communication option for extreme environments, and a regular check-in schedule for high-risk destinations are all components of a mature programme.

Programme review cycle

A security programme that was appropriate three years ago may not be appropriate today. The review cycle should be:

Annual full review. Threat inventory updated, risk tier definitions reviewed, provider assessments updated, policy aligned with current standards.

Event-triggered review. Any significant incident involving a company employee, any material change in a destination’s risk level, or any change to the organisation’s travel footprint triggers an interim review.

Post-trip reporting. High-risk trip debrief reports feed back into the programme. What actually happened on the ground? What worked? What would have been done differently?

The security programme is a living management system, not a policy document that sits in a folder. Its value is in the quality of the decisions it enables and the incidents it prevents or manages. For the intelligence methodology that keeps the programme current, see our protective intelligence guide. For the insider threat controls that should be an explicit component of any corporate security programme, see our insider threat and corporate security guide. For organisations with data centre or critical infrastructure assets, physical security for those environments requires specific standards – see our data centre and critical infrastructure security guide. For organisations looking to align their physical and digital security functions into a single programme, see our guide to physical and cyber security convergence.

For active incident response protocols that every corporate security programme should document – including active shooter response, Run-Hide-Fight procedures, and lockdown infrastructure requirements – see the active shooter and workplace violence response guide. For the premises security assessment that validates whether physical controls are meeting the programme standard, see our physical security assessment guide. For the employee security awareness programme that should sit within a mature corporate security programme, see our security awareness training guide. For the social engineering protocol and verification training that executive PAs and EAs require as a distinct component of the awareness programme – covering vishing, BEC, and physical access requests – see our security briefing for executive PAs and EAs guide. For the specific security risks that arise when the organisation exhibits at or attends trade exhibitions – competitive intelligence collection from stand staff, device security at international events, VIP protection on the exhibition floor, and Martyn’s Law compliance at major venues – see our security at trade exhibitions and business events guide. For organisations with premises in financial districts and CBDs – covering HVM standards, access control under BS EN 50131 and PD 6662:2017, Martyn’s Law obligations for large commercial buildings, and counter-surveillance in high-footfall environments – see our security in financial districts and CBDs guide.

Source: ISO 31030:2021 Travel Risk Management. ASIS International: Security Management Standard (PSC.1-2012). OSAC Corporate Security Programme Best Practices 2024. UK Home Office: Duty of Care Guidance for Employers of Overseas Workers. Control Risks: Corporate Security Benchmarking Report 2024.

For the security requirements of corporate fraud investigations and whistleblower cases – investigation team operational security, PIDA 1998 and SEC whistleblower programme protections, digital evidence chain of custody, and counter-investigation risk – see our security for whistleblowers and corporate investigators guide.

Summary

Key takeaways

1. ISO 31030:2021 is the international benchmark for travel risk management

Organisations following the ISO 31030:2021 framework can demonstrate a structured approach to duty of care. Courts and HR tribunals have begun referencing it in cases involving employees harmed during business travel.

2. Risk tiering is the operational architecture of a security programme

A five- or six-level risk tier system that defines which protective measures apply at which risk levels gives both the security function and the travelling employee a clear, consistent, non-arbitrary framework.

3. Provider selection requires documented criteria beyond price comparison

The difference between a provider with rigorous operator vetting and one who deploys available personnel on the day is invisible in a proposal document. It only becomes visible when something goes wrong.

4. A named accountable role is the non-negotiable governance requirement

Security responsibility that is distributed but not owned by any single person creates gaps. One named role with documented authority, reporting at the right organisational level, is the structural foundation.

5. Crisis protocols must be tested before they are needed

An untested crisis plan is not an operational asset. The 24/7 contact number must be in the employee's phone before departure. Pre-agreed retainer relationships with crisis management consultancies allow immediate activation.


Frequently Asked Questions

Size is the wrong variable. The relevant criteria are: the risk profile of where employees travel, the profile of the individuals being protected, and the organisation’s duty of care exposure. A 50-person company whose CEO regularly visits Lagos, Bogota, and Karachi has a higher security programme requirement than a 5,000-person company that operates entirely in Western Europe. Travel risk and principal profile drive the programme requirement, not headcount.

ISO 31030:2021 is the international standard for travel risk management. It provides a framework for identifying travel risks, implementing controls, and maintaining duty of care for travelling employees. It is not a mandatory certification standard – it does not require third-party certification like ISO 9001. Its value is as a benchmark: organisations that follow its framework can demonstrate a structured approach to duty of care. Courts and HR tribunals have begun referencing it in duty of care cases involving employees harmed during business travel.

A travel risk assessment is a single input into a security programme. It identifies threats, vulnerabilities, and the risk level for a specific trip or destination. A security programme is the institutional framework that determines who commissions assessments, at what threshold, with what authority, and how the results translate into action. Without a programme, individual assessments are ad hoc responses to individual requests rather than a systematic approach to managing travel risk across the organisation.

By setting clear, documented risk thresholds rather than applying uniform restrictions. A programme that defines which risk levels require which protective measures – mandatory security driver at Level 4, advance survey required at Level 5, senior leadership approval for Level 6 travel – gives both the security function and the travelling employee a clear, non-arbitrary framework. Blanket restrictions without a risk basis create friction and non-compliance. Documented risk thresholds create a defensible, consistent system.