The article discusses the concept of organizationally forming a protected information system for a commercial enterprise. The content and classification of information resources are given with regard to the characteristics of trading activities: information about customers and employees, and communicative, general, financial and legal data; their level of importance is established. The basic principles for creating a protected information system with respect to the specifics of a commercial enterprise (continuity, integrity, systematicity, legitimacy) are formulated. Taking these principles into account, the thematic content of the requirements for a protected information system is determined: centralization, planning, preciseness, purposefulness, activity, reliability, flexibility, originality, openness and economic efficiency. Recommendations for building a secure information system are given, which include: easy maintenance and transparency of the information system's protection mechanisms for users; a minimum set of privileges for users; the ability to disable the information system's security mechanisms in critical circumstances; independence of the protection mechanisms from the information system; the assumption of the worst intentions and potential errors of users; and minimization of the information available about the existing protection mechanisms of the information system. It is determined that information system protection consists of two components: organizational and administrative (including the internal documents regulating protection issues) and technical (including the subsystems for anti-virus protection, backup and archiving, email security, intrusion detection, protection of data transmission channels, and identification and authentication of users); the functional purpose of each is analyzed.
The purpose and content of the information system security policy are determined as the theoretical basis of the organizational and administrative component of the protection system. It is concluded that the presented method is universal in providing secure communication for the users of a business.