07561 708181
07561 708181
A system-based framework for responsible security operations
Effective date: 1 January 2026
Owner: Ethics & Compliance
Review cadence: Annual (minimum)
Integrity is our constant and duty is our compass. We work at the junction of law, risk, and human dignity, where calibrated judgment—frequently under time pressure—prevents harm, preserves trust, and stabilizes critical functions of society. This Code is our commitment to a system of ethics, not a collection of slogans. It binds legal obligations to the deeper values that give security its meaning, aligning restraint with proportionality, precision with empathy, and discipline with respect.
Read this document as you would an operations manual for a mission‑critical system: understand its logic, practice its application, and internalize its cadence so it becomes procedural memory. When uncertainty arises, pause, consult appropriate expertise, weigh relative risks, and choose the route that is lawful, ethically defensible, and operationally proportionate. The leadership accepts the burden of example and the discipline of review. Hold us—and each other—to the same standard that we set for the organization.
This Code applies to every director, employee, agency worker, subcontractor, and third party acting for or on behalf of In Force Security Ltd, across all jurisdictions and operational contexts. It is designed to be technology‑agnostic and jurisdiction‑aware, so it remains valid when platforms, suppliers, or legal frameworks evolve. It functions alongside local law, client requirements, and recognized industry standards; when expectations diverge, the stricter requirement prevails. The Code’s role is not merely normative but architectural: it specifies how principles are translated into controls, how controls become habits, and how habits are evidenced in records and assurance reports.
Interpretation follows three rules. First, substance over form: behavior that meets the intent of the standard is required even when the formal rule is silent. Second, risk proportionality: stronger controls and enhanced documentation accompany higher‑risk activities, geographies, and counterparties. Third, traceability: significant decisions and deviations must be explicable after the fact through contemporaneous notes, approvals, and data that demonstrate reasoning, authority, and timing.
The Code is effective only when embedded in daily practice. Every colleague completes induction and annual re‑certification; managers are accountable for converting written expectations into operational fluency. That conversion requires timely briefings, scenario walkthroughs, and explicit checks for understanding, not merely attendance records. The organization maintains an Ethics & Compliance advisory desk for fast, documented guidance on ambiguous situations, and a risk‑acceptance protocol for carefully bounded exceptions, approved at the appropriate level, time‑limited, and recorded with rationale and compensating controls.
When local custom, a post order, or a legacy practice conflicts with this Code or with law, the correct sequence is identify → escalate → regularize → execute. Personnel do not improvise fixes in the field that create a second, undocumented standard. Translations are issued centrally; the English master prevails in case of doubt. The Code is integrated with Standards, SOPs, and Work Instructions so that the “what and why” here are mirrored by the “how” in line‑of‑business procedures; version control and distribution lists ensure personnel operate on the current baseline.
Compliance is both a rule set and a mapping exercise. We maintain a legal register that translates applicable obligations—public‑order and private‑security frameworks; lawful use of force; employment, equality, and safeguarding; health and safety; data protection and privacy; anti‑bribery and corruption; competition/antitrust; sanctions and export controls; permits and licensing—into control statements with named owners. Where laws have extraterritorial reach, we adopt the stricter standard to avoid conflicts and to simplify training. Regulatory horizon scanning and periodic counsel reviews keep the register current; operational changes trigger legal impact assessments so controls evolve with service models.
During inspections, inquiries, or lawful data requests, we cooperate professionally while preserving confidentiality, legal privilege, and data‑minimization principles. Deviations—whether discovered internally or raised by a regulator—are addressed through a documented corrective‑action plan with deadlines, accountability, and evidence of completion. We reject the normalization of deviance; repetition never converts a non‑conformity into policy.
Ethical culture is engineered through tone, design, and evidence. The Board sets risk appetite for conduct and safety, reviews leading indicators of culture (reporting rates, case cycle times, root‑cause patterns, quality of corrective actions), and holds executives accountable for how outcomes are achieved, not only what outcomes are reported. Executives propagate expectations through strategy, resource allocation, and role modeling; middle managers convert policy into work routines, enforce standards consistently, and remove obstacles rather than rationalize them. Psychological safety is a performance control: teams that can raise concerns early prevent large failures later. Accountability is two‑way—leaders explain decisions and accept review; colleagues engage with candor and discipline. Culture is audited not by sentiment but by stability of standards across shifts, sites, and contractors.
We are a merit‑based organization that recruits, develops, and promotes on capability and character. Professional courtesy, clear communication, and SQEP (Suitable, Qualified, and Experienced Person) competence are the operational minimum. Our OSH system aligns to ISO 45001 principles: hazard identification; risk assessment; selection of controls; competence management; worker participation; incident and near‑miss reporting; investigation and continual improvement. Safe Systems of Work, permit‑to‑work where applicable, dynamic risk assessment at the point of task, and fatigue management form our baseline.
Safety is governed by design and discipline. Pre‑shift checks verify equipment readiness; radios are tested, PPE is inspected, and site‑specific risks are refreshed. Equipment leaves service when unsafe and returns only after documented remediation. Investigations distinguish human error, at‑risk behavior, and reckless disregard, applying proportionate learning and sanctions. Health includes psychology: exposure to distress, aggression, or traumatic events is managed through confidential support and structured decompression protocols. Safety performance is measured by leading and lagging indicators and reviewed at regular cadence with corrective actions tracked to closure.
We respect internationally recognized human rights in every jurisdiction. We reject forced labor, child labor, human trafficking, unlawful detention, degrading treatment, and any use of force that is not necessary, proportionate, and lawful. Salient risks in security operations—privacy, freedom of movement, freedom of association, humane treatment in custody contexts—are managed through policy, training, and supervision, and through transparent grievance channels that are accessible, fair, and protective against retaliation.
Human‑rights due diligence follows the UN Guiding Principles cycle. We identify and assess risks by geography, client sector, and service line; we integrate preventive measures into SOPs; we track effectiveness using indicators such as incident types, response times, and remediation rates; we communicate with stakeholders in a manner that is accurate and respectful of confidentiality. Where the organization causes or contributes to harm, we enable remedy promptly and proportionately, documenting corrective actions so learning migrates across sites and suppliers rather than remaining local lore.
Trafficking often hides in administrative normality. We train personnel to recognize indicators—confiscated identification, recruitment debt, coached answers, coercive control, abnormal movement restrictions, or dependence on an intermediary—and we define escalation routes that protect the individual and the evidence. The employer‑pays principle is mandatory: no party may charge a worker recruitment fees, directly or indirectly, for labor supplied to us. Worker contracts are issued in a language understood; wages are paid in full, on time, through traceable channels; accommodation, where provided, is safe and sanitary.
Supply‑chain assurance is risk‑weighted. Higher‑risk categories (uniforms/PPE, electronics, labor providers) face enhanced screening, contract clauses, and periodic verification that may include document review and, where lawful and appropriate, confidential worker interviews by independent auditors. Findings lead to time‑bound remediation plans with responsible owners; persistent non‑conformity results in disengagement and, where required, regulator notification. Grievances raised by or about workers are handled through accessible channels with translation support and anti‑retaliation guarantees.
Force is a last resort governed by necessity, proportionality, and legality. De‑escalation is prioritized in training and practice. Where body‑worn video is authorized, activation rules are clear, tampering is prohibited, and evidence is preserved under chain‑of‑custody with strict access controls and retention schedules. Post‑incident obligations include immediate safety and aftercare, notification to client and—where required—authorities, and comprehensive reporting that captures threat assessment, alternatives considered, sequence of actions, injuries, and remedial steps.
Weapons and less‑lethal tools require explicit authorization, current competence, and licensing. Armoury controls and shift hand‑overs are recorded; loss or theft triggers immediate escalation, documented searches, and corrective measures. Unauthorized modifications, off‑duty carriage without approval, or possession of non‑issued ammunition or devices are prohibited. Supervisory reviews evaluate not only compliance but tactical decision‑making quality, reinforcing learning loops rather than merely closing files.
Dignity at work is non‑negotiable. Bullying—overt or subtle—and harassment, including sexual harassment, are prohibited on company premises, client sites, online, and off duty where organizational reputation is engaged. Inclusion is operational: diverse teams with psychological safety detect risks earlier and resolve conflict more efficiently. Managers are trained to recognize micro‑aggressions, status abuse, and retaliatory patterns; they intervene promptly, protect those who raise concerns, apply fair processes to all parties, and maintain confidentiality consistent with a proper inquiry. Anti‑retaliation is absolute and enforced. We do not trade short‑term staffing convenience for long‑term cultural damage.
Operational safety requires unimpaired performance. Illegal substances, alcohol misuse, and unsafe medication practices are incompatible with our work. Random and for‑cause testing may be conducted where lawful, using certified laboratories and documented chain‑of‑custody. The organization encourages early self‑declaration and offers support; however, public safety prevails. Refusal to cooperate with lawful testing, obstruction of testing, or a positive result without legitimate explanation can result in removal from site or termination. Confidentiality and privacy are protected; results are shared strictly on a need‑to‑know basis, and records are retained and disposed of according to schedule.
We maintain a zero‑tolerance stance. We neither offer nor accept bribes, kickbacks, or facilitation payments, and we do not instruct intermediaries to do so. Controls operate before, during, and after transactions. Third‑party due diligence is risk‑segmented, verifying beneficial ownership, sanctions exposure, service legitimacy, and commercial reasonableness of pricing and commissions.
Books‑and‑records controls ensure transactions are accurate, complete, and timely, preventing slush funds and disguised payments.
Gifts and hospitality are permitted only when modest, infrequent, clearly related to a legitimate business purpose, appropriately timed relative to tenders, and recorded in a central register that enables pattern analysis. Interactions with public officials are subject to stricter thresholds and usually require prior written Compliance approval; in many cases abstention is correct. Charitable contributions and sponsorships are allowed only with a documented rationale, vetting of recipients, and prohibitions on quid pro quo. Training emphasizes red‑flag recognition, including round‑number invoices, vague scopes of work, and routing through unrelated entities.
Conflicts—actual, potential, or perceived—erode trust and distort decision quality. Personnel must declare relationships, outside employment, investments, and family interests that intersect with organizational duties, including supervisory chains and vendor selection. Declarations are recorded in a COI register, reviewed periodically, and updated when circumstances change. Mitigation includes recusal from decisions, enhanced oversight, separation of duties, or divestment; non‑disclosure is a breach in its own right. Procurement operates under independence and segregation principles to reduce self‑dealing risk, and audits test for anomalies and pattern concentration.
We compete on merit. We do not agree prices, divide markets, rig bids, exchange competitively sensitive information, or coordinate boycotts. Clean‑room protocols apply to legitimate benchmarking and consortia work. Trade associations are approached with caution: agendas should be pre‑read, counsel sought where necessary, and exits recorded if discussions drift into restricted topics. Dawn‑raid preparedness and document‑hold protocols are maintained so the organization can respond lawfully and calmly to unannounced inspections, preserving rights and cooperation simultaneously.
Financial integrity is the narrative of credibility. Transactions are recorded accurately, completely, and on time; reconciliation disciplines are enforced; and unusual journal entries receive enhanced scrutiny.
Procure‑to‑Pay controls prevent unauthorized commitments, duplicate payments, and vendor conflicts; Order‑to‑Cash controls ensure revenue recognition aligns to contract terms and delivered services. Asset management covers uniforms, radios, body‑worn video, vehicles, and specialized equipment with periodic inventory checks. Fraud—fabricated invoices, false expenses, ghost employees, diverted inventory, manipulated KPIs—is escalated immediately through Speak Up or Compliance; evidence is preserved, and inquiries remain confidential until concluded to protect fairness and the integrity of findings.
We will not be a conduit for criminal property or the financing of violence. Know‑Your‑Customer procedures verify identity and beneficial ownership proportionate to risk; screening against sanctions lists and adverse‑media databases is performed at onboarding and on a periodic schedule. Red flags—unusual cash payments, opaque structures, trans‑shipment through high‑risk jurisdictions, or transactions without clear economic purpose—are escalated immediately. Suspicious‑activity reporting follows the statutory process precisely; tipping‑off prohibitions are respected. Export‑control compliance covers classification of controlled items, end‑use and end‑user due diligence, license acquisition, and record retention.
Operational urgency does not excuse environmental indifference. We measure Scope 1–2 emissions where material (fleet and energy) and assess material Scope 3 categories relevant to our model. Fleet programs target idling reduction, route optimization, preventative maintenance, and feasible transitions to lower‑emission vehicles; offices apply energy and water efficiency measures and responsible waste handling. A plan–do–check–act cycle governs target setting, implementation, performance tracking, and corrective actions; data quality is validated, and client reporting reflects conservative, evidence‑based figures rather than aspirational estimates.
We serve without fear or favor, protecting people, premises, and information. We escalate concerns early and candidly—even when inconvenient—and we decline assignments that would require us to breach law or this Code. Confidentiality is inviolable: access to information follows least‑privilege principles; operational details are not discussed in public or online; and transmission and storage use approved channels. Service‑level agreements and key performance indicators are reported accurately and in time; incident communications are factual, time‑stamped, and consistent with contractual obligations and privacy duties.
Suppliers are treated fairly and held to standards parity. Onboarding includes risk‑based due diligence; contracts embed obligations on labor standards, safety, environmental practices, anti‑corruption, privacy, and no recruitment fees. Performance monitoring is proportionate to risk and may include audits, site visits, and worker‑voice mechanisms. Non‑conformities trigger Corrective Action Plans with owners and timelines; persistent failure results in disengagement and, where necessary, notification to clients or authorities. Outsourcing does not outsource responsibility; the public reasonably judges us by the conduct of those who act for us.
We are guests in the communities we serve and, where invited, partners in their wellbeing. We recruit locally where practical; we support lawful initiatives that enhance safety and opportunity; and we cooperate with civic agencies and law enforcement to improve public order without overreach.
Community engagement is documented with objectives, outcomes, and lessons for future projects. The aim is not only the absence of harm but the positive presence of courtesy, competence, and reliability that sustains our social license to operate.
Information security follows a layered, risk‑based model aligned to recognized frameworks. Data is classified by sensitivity; access follows least‑privilege; strong authentication is required; encryption protects data at rest and in transit; and vendor access is tightly bounded by contract and technical controls. The organization enforces secure configuration baselines, patch management, vulnerability remediation, anti‑malware defenses, and logging/monitoring with defined retention and review cycles. Incident response has clear thresholds, roles, and recovery time objectives; testing includes tabletop exercises and post‑mortems that improve procedures rather than allocate blame.
Privacy practices follow data minimization, lawful basis for processing, transparency, accuracy, storage limitation, and security. Data Subject Rights are handled via defined workflows; cross‑border data transfers follow approved mechanisms; Data Protection Impact Assessments are performed for higher‑risk processing. Body‑worn video governance covers lawful activation, signage, access, redaction where required, retention schedules, and deletion protocols consistent with legal holds.
We use only approved digital tools and AI platforms. Confidential or personal data is not uploaded to unapproved systems. Human‑in‑the‑loop oversight is mandatory for consequential decisions; model deployment requires fitness‑for‑purpose testing, monitoring for bias and drift, audit logs for explainability, and defined rollback procedures. Dataset governance ensures provenance, legal rights to use data, and appropriate de‑identification where required. Vendor risk assessments cover security, privacy, licensing, and export‑control exposure. Technology augments professional judgment; it neither replaces nor excuses it.
Our brand is a performance promise to clients and the public. Logos, uniforms, credentials, and insignia are used only as authorized and are kept secure to prevent misuse. External communications on behalf of the organization are restricted to designated spokespeople trained in crisis communication, confidentiality, and regulatory considerations. Employees may hold personal opinions but must avoid statements that could reasonably be interpreted as official positions, especially when in uniform or otherwise identifiable as our personnel. Nothing in this Code restricts lawful whistleblowing or protected concerted activity; rather, it demands a careful separation between personal and organizational speech.
We operate independent, 24/7 multi‑language channels for reporting concerns by phone and web, with options for anonymity where lawful. All cases are acknowledged within a predictable window, triaged by severity, and investigated impartially by trained personnel with no conflict of interest. Confidentiality is protected to the extent compatible with a proper inquiry. Retaliation against good‑faith reporters, witnesses, or investigators is a separate, serious breach. For allegations implicating senior personnel or systemic risk, oversight is elevated and the Board is informed as appropriate. Trends and root‑cause analysis inform training, staffing, and control redesign.
Investigations are conducted with procedural fairness and respect. Allegations are separated from findings; evidence is preserved with chain‑of‑custody discipline for both physical and digital artifacts; interviews are documented; and the rationale for conclusions is recorded. Sanctions are proportionate to intent, impact, seniority, and precedent; where law requires, matters are referred to authorities.
Corrective actions have owners and deadlines; completion is verified and audited. Lessons learned are disseminated across sites to prevent recurrence, ensuring the investigation function produces system learning rather than isolated outcomes.
Training builds capability, not attendance statistics. Induction covers this Code, de‑escalation and lawful use of force, OSH fundamentals, data protection, ABC, and AML/CTF. Role‑specific modules address firearms/less‑lethal (where authorized), custody and safeguarding, control‑room operations, canine handling, procurement ethics, supervision, and leadership. A central learning management system tracks certification status and expiries; no one performs a specialized function without current competence.
Effectiveness is measured through scenario‑based assessments, observed practice, and post‑incident reviews that update the curriculum quickly when gaps are identified.
We operate the Three Lines Model. Management owns risks and controls; Risk & Compliance monitor, advise, and report; Internal Audit provides independent assurance. Key risk and performance indicators—reporting rates, case cycle times, corrective‑action closure, documentation quality, training completion with assessment scores, and stability of standards across shifts—are monitored and presented to leadership at defined cadence. Assurance focuses on control effectiveness, not only policy existence, and applies maturity scales to prioritize investment in areas of greatest residual risk.
Discipline is consistent, fair, and proportionate. It protects people, assets, and reputation while restoring standards. Measures range from coaching and written warnings to termination and referral to authorities, depending on intent, harm, and role expectations. Immediate removal from site may be necessary where safety or integrity is at risk; such actions protect investigations and individuals.
Remediation includes control redesign, targeted training, and where appropriate changes in process or personnel. Closure requires evidence, not aspiration, and learning is fed into the system so that the same breach does not reappear in a different uniform.
This Code sits at the top of the policy hierarchy. Standards, SOPs, and Work Instructions must align; conflicts are resolved in favor of this Code unless law requires otherwise. Waivers are rare, time‑bound, and documented with justification, risk assessment, compensating controls, and approvals at the correct level; material waivers are notified to the Board. Version control, distribution lists, and archival rules ensure personnel can identify the current, controlling document. Translations are issued centrally; where discrepancies arise, the English master governs. The Code is not an employment contract; it is a condition of continued engagement and a statement of required professional conduct.
“Necessary and proportionate” means no more force, restriction, or intrusion than is required to achieve a legitimate, lawful objective in the circumstances as reasonably assessed at the time. “Chain of custody” is the documented control of evidence, physical or digital, that preserves integrity and admissibility. “Know‑Your‑Customer” refers to risk‑based verification of identity and beneficial ownership to counter money laundering and terrorist financing. “Least privilege” means granting only the minimum access necessary to perform a role. “Employer‑pays principle” prohibits charging workers recruitment fees for labor supplied to us, directly or indirectly. “Material breach” is a non‑compliance of sufficient seriousness to justify escalated sanction, termination, or regulatory reporting. “Salient risk” denotes a human‑rights risk that is particularly severe in its potential impact, regardless of probability. “Sensitive personal data” describes categories of personal information that require heightened protection due to inherent risk to individuals.
Title: In Force Security – Global Code of Ethics 2026 (Academic–Technical “2× Enriched” Edition) Version: 1.0 • Effective: 1 January 2026 • Next review due: 31 December 2026
Owner: Ethics & Compliance • Contact: ethics@[your‑domain] • Whistleblowing Hotline (24/7): +44 [number] (multi‑language)