What is ISO 31030?
ISO 31030:2021 is the first international standard specifically addressing travel risk management. Published by the International Organization for Standardization in September 2021, it provides guidance for organizations to identify, assess, and manage risks associated with business and work-related travel. The standard covers the full travel lifecycle -- from pre-trip planning and risk assessment through real-time in-travel monitoring to post-trip review and organizational learning. ISO 31030 establishes the framework for demonstrating duty of care to traveling employees, defining what "reasonable steps" means in the context of international business travel. It applies to organizations of all sizes and sectors that send people to work in other countries, from Fortune 500 corporations to small NGOs deploying staff to conflict zones.
Before ISO 31030, there was no international benchmark for travel risk management. Organizations relied on a patchwork of national labor laws, industry best practices, and the general risk management framework in ISO 31000. Courts and regulators had no standardized reference point for evaluating whether an employer had met its duty of care obligations to traveling employees. ISO 31030 changed that. It provides the specific, detailed framework that courts, insurers, donors, and auditors now reference when assessing whether an organization's travel risk management program is adequate.
This matters because the consequences of inadequate travel risk management are not abstract. When an employee is harmed during business travel and the employer cannot demonstrate that it took reasonable steps to identify and mitigate foreseeable risks, the legal and financial exposure is substantial. Duty of care lawsuits, insurance coverage disputes, regulatory penalties, donor funding revocation, and reputational damage are all real outcomes that ISO 31030 compliance is designed to prevent.
ISO 31030 Is Guidance, Not Certification
Unlike ISO 9001 (quality management) or ISO 27001 (information security), ISO 31030 is a guidance standard. Organizations cannot be formally "certified" to ISO 31030 by an accredited certification body. Instead, organizations align their programs with the standard's requirements and document that alignment. Auditors, insurers, and courts assess compliance based on documented evidence of alignment -- not a certificate on the wall.
Who Needs ISO 31030 Compliance?
Technically, ISO 31030 applies to any organization that sends employees, contractors, or volunteers to work in locations other than their normal workplace -- including international and domestic travel. In practice, the pressure to demonstrate ISO 31030 alignment is concentrated in four sectors where the combination of high-risk destinations, legal exposure, and stakeholder scrutiny makes compliance a practical necessity rather than a theoretical aspiration.
NGOs and Humanitarian Organizations
International development organizations, humanitarian aid agencies, and their implementing partners face the most acute compliance pressure. Major donors -- USAID, DFID (now FCDO), the European Commission, SIDA, NORAD, and others -- increasingly require documented duty of care compliance as a condition of grant funding. For NGOs operating in conflict-affected regions (the Sahel, South Sudan, Afghanistan, Syria, Yemen, DRC), demonstrating ISO 31030 alignment is rapidly shifting from "best practice" to "funding prerequisite."
The challenge for NGOs is that they deploy staff to the highest-risk destinations on earth with budgets that cannot support enterprise security programs costing $200,000+ per year. They need ISO 31030 compliance at a price point that does not consume their entire security budget. This is where the gap between enterprise travel risk management solutions and NGO operational reality is widest.
Mining and Extractive Industries
Mining companies, oil and gas operators, and other extractive industry firms send geologists, engineers, and operations staff to remote sites in politically unstable regions -- often with limited infrastructure, medical facilities, and emergency evacuation options. A safety incident at a remote mine site in the Sahel or Central Asia is not just a human tragedy. It is a regulatory investigation, an insurance claim, a shareholder lawsuit, and a reputational crisis.
ISO 31030 compliance provides extractive companies with a defensible framework: we identified the risks, we briefed the travelers, we monitored conditions, we had emergency response pre-positioned, and here is the documentation proving all of it. Without that framework, the company's defense in any legal proceeding reduces to "we did our best" -- which courts have consistently found inadequate.
Oil and Gas Operations
Oil and gas companies face similar exposure to mining firms but with additional complexity: pipeline routes cross multiple jurisdictions, offshore platforms require specialized evacuation capabilities, and the geopolitics of energy production create security threats unique to the sector. ISO 31030 compliance is particularly important for oil and gas operators because their insurance programs often explicitly require documented risk management aligned with international standards.
Multinationals and Professional Services
Consulting firms, accounting firms, law firms, and multinational corporations that send employees to emerging markets face growing duty of care scrutiny. The 2024 UK Supreme Court ruling that extended employer liability for foreseeable travel risks sent a clear signal: organizations that send employees to high-risk destinations without documented risk management programs face significant legal exposure. ISO 31030 is the framework that demonstrates "we took reasonable steps."
The "We Didn't Know" Defense Is Dead
Courts have consistently held that ignorance is not a defense in duty of care cases. If a threat was publicly available in any language and the organization failed to monitor for it, that constitutes a breach. This has profound implications for organizations that rely on English-only intelligence feeds while sending employees to regions where threats surface in French, Arabic, Dari, Swahili, or local languages. ISO 31030's requirement for "current" risk assessments implicitly requires monitoring in the languages where threats actually appear.
Key Requirements of the Standard
ISO 31030 is structured around seven core requirement areas that together define what a complete travel risk management program must include. Understanding these requirements is essential for any organization seeking to align its program with the standard.
1. Policy and Governance (Clause 5)
Organizations must establish a formal, documented travel risk management policy endorsed by top management. The policy must define the scope of coverage (who is protected -- employees, contractors, volunteers, dependents), assign clear roles and responsibilities, establish accountability structures, and commit the organization to providing adequate resources. The policy must be communicated to all relevant stakeholders and reviewed at planned intervals.
2. Risk Assessment (Clause 6.3)
Risk assessments must be current, location-specific, and conducted before travel is approved. ISO 31030 explicitly states that static quarterly or annual country reports are insufficient. Assessments must reflect the current threat environment at the specific destination and along the specific routes the traveler will use. This is the clause that effectively mandates continuous monitoring -- a quarterly PDF cannot satisfy a requirement for "current" risk assessment when the traveler departs three months after the report was written.
3. Pre-Travel Preparation (Clause 6.4)
Before departure, travelers must receive a briefing on current threats at their destination, medical fitness for travel must be assessed, insurance coverage must be verified and adequate for the destination, communication plans must be established and tested, and all pre-travel decisions must be documented. This creates a paper trail demonstrating that the organization identified risks and communicated them before the traveler departed.
4. In-Travel Monitoring (Clause 6.5)
Organizations must maintain continuous surveillance of the threat environment at the traveler's destination for the duration of travel. This includes monitoring for security incidents, natural disasters, health emergencies, infrastructure disruptions, and political developments that could affect the traveler's safety. Monitoring must be capable of detecting threats in real-time or near-real-time, with defined triggers for escalation and traveler notification.
5. Communication Protocols (Clause 6.6)
Communication protocols must be documented, tested (not just written), and accessible to all parties. Can the traveler reach the crisis management team at 3 AM local time? Has that been verified? Are backup communication channels established for when primary channels fail? ISO 31030 requires that communication protocols be regularly tested -- a phone number that nobody answers is not a communication protocol.
6. Incident Response (Clause 6.7)
Organizations must pre-arrange medical and security support for high-risk destinations, maintain evacuation plans with primary and alternate routes, establish relationships with local emergency services and security providers, and define clear escalation procedures from field level to executive management. Response capabilities must be proportionate to the risk level of the destination.
7. Post-Travel Review (Clause 7)
After travel completion, organizations must conduct debriefs, log any incidents, capture lessons learned, and feed traveler feedback back into the risk assessment process. Post-travel review is where institutional knowledge compounds -- each trip makes the next trip's risk assessment more accurate. Organizations that skip this step are condemned to repeat the same intelligence failures.
The single most common failure in ISO 31030 compliance is the gap between clauses 6.3 and 6.5 -- organizations conduct a pre-trip risk assessment but then stop monitoring once the traveler departs. A pre-trip briefing based on Tuesday's intelligence does not protect the traveler from Thursday's crisis.
How to Implement: 5-Step Framework
Implementing ISO 31030 does not require a six-figure consulting engagement or a 12-month project timeline. It requires clear thinking about five things, executed in sequence. Here is a practical framework that works for organizations from 50-person NGOs to 5,000-person multinationals.
Gap Assessment: Where Are You Today?
Map your current travel risk management practices against ISO 31030's seven requirement areas. For each area, document what you do today and where the gaps are. Most organizations discover they have some elements in place (usually a travel policy and basic insurance) but critical gaps in real-time monitoring, documented risk assessments, tested communication protocols, and post-travel review. The gap assessment takes 2-3 days for a mid-size organization and produces a prioritized action plan.
Maps to: All clauses
Write the Policy and Assign Responsibilities
Draft a travel risk management policy that covers: scope (who is protected), risk rating categories (how destinations are classified), approval workflows (who signs off at each risk level), monitoring requirements (what intelligence feeds are mandated), communication protocols (check-in schedules and escalation triggers), and incident response roles. The policy does not need to be 50 pages. A clear, concise document that people actually read is worth more than a comprehensive document that collects dust. Assign specific individuals to each role -- "the security team" is not accountability; "Jane Smith, Director of Security" is.
ISO 31030 Clause 5: Leadership & Commitment
Establish Continuous Monitoring
This is the step that separates genuine ISO 31030 compliance from paperwork compliance. The standard requires "current" risk assessments and real-time in-travel monitoring. That means you need a monitoring platform that covers the languages and geographies where your people operate. If you send teams to French-speaking West Africa, you need French and local-language monitoring. If you operate in Central Asia, you need Russian, Tajik, and Kyrgyz coverage. English-only monitoring creates a documented blind spot that undermines your entire compliance posture. Deploy monitoring before the next trip, not after the next incident. See our travel risk management guide for detailed platform selection criteria.
ISO 31030 Clauses 6.3, 6.5: Risk Assessment & Monitoring
Build the Response Framework
For every destination classified as HIGH or CRITICAL: identify and vet local security providers, confirm the nearest trauma-capable medical facility (and verify it answers its phone), establish primary and alternate evacuation routes, pre-position satellite communication devices if cell network reliability is uncertain, and document safe haven locations. Run a tabletop exercise for your two highest-risk destinations within 30 days of establishing the framework. Test all emergency contacts quarterly. Our emergency operations planning guide provides a complete template.
ISO 31030 Clauses 6.6, 6.7: Communication & Incident Response
Close the Loop: Document Everything
ISO 31030 compliance is proven through documentation. Every pre-trip risk assessment must be recorded. Every traveler briefing must be documented. Every monitoring alert and response action must be logged. Every post-trip debrief must be captured and its findings fed back into the risk assessment database. This is not bureaucracy -- it is the evidence trail that demonstrates duty of care in any legal proceeding, donor audit, or insurance claim. Build documentation into your workflow from day one. Automated daily briefings with timestamps and audit trails (like those from Region Alert) create this evidence automatically.
ISO 31030 Clause 7: Review & Improvement
Timeline: 30-60 Days to Basic Compliance
A focused organization can achieve baseline ISO 31030 alignment in 30-60 days: Week 1-2 for gap assessment and policy drafting, Week 3-4 for monitoring deployment and response framework, Week 5-8 for training, tabletop exercises, and documentation system setup. Full maturity takes 6-12 months of operational experience and iterative improvement. The key is to start with the highest-risk travel first and expand coverage as the program matures.
How Region Alert Supports ISO 31030 Compliance
ISO 31030 compliance rests on two pillars: documented processes and current intelligence. The processes are your organization's responsibility -- policy, governance, training, response planning. The intelligence is where Region Alert fits.
Daily Briefings = Documented Duty of Care
Region Alert delivers structured intelligence briefings at 6 AM every morning covering your specific operating regions. Each briefing is timestamped, archived, and available as an audit trail. When an auditor, insurer, or court asks "what monitoring did you conduct for this destination during this period?", you can produce daily intelligence briefings with specific threat assessments, severity ratings, and source citations for every day your team was in-country.
This directly satisfies ISO 31030 Clause 6.3 (current risk assessment) and Clause 6.5 (in-travel monitoring). A daily briefing is infinitely more defensible than a quarterly country report that was written three months before the trip.
100+ Languages = No Blind Spots
ISO 31030 requires that monitoring be adequate for the destination. Courts have held that "adequate" means monitoring in languages where threats actually surface -- not just English. Region Alert monitors 1,000+ local-language sources across 100+ languages, including the community channels, local media, and regional social media where threats in high-risk regions appear first. This eliminates the language blind spot that undermines the compliance posture of organizations relying on English-only platforms.
Flash Alerts = Real-Time Response Capability
When a critical event occurs -- a coup, an earthquake, an armed attack, a border closure -- Region Alert delivers a flash alert within minutes of detection. This satisfies ISO 31030's requirement for real-time monitoring with defined escalation triggers. The alert includes event type, location, severity assessment, and recommended actions, giving your crisis management team the information needed to make immediate decisions about traveler safety.
$499/Month = Accessible Compliance
Enterprise travel risk management platforms that satisfy ISO 31030's monitoring requirements cost $50,000 to $500,000+ per year. Region Alert provides the same monitoring capability -- broader language coverage, faster delivery, structured daily briefings -- at $499/month with no annual contract. This makes ISO 31030 compliance financially accessible to mid-market companies, NGOs, and regional operators that cannot justify six-figure annual commitments.
ISO 31030 vs Other Standards
ISO 31030 does not exist in isolation. It sits within a broader ecosystem of risk management, business continuity, and security standards. Understanding how it relates to other standards helps organizations integrate travel risk management into their existing compliance frameworks rather than building a parallel system.
| Standard | Focus | Certifiable? | Relationship to ISO 31030 |
|---|---|---|---|
| ISO 31030:2021 | Travel risk management | No (guidance) | The standard itself -- travel-specific risk management framework |
| ISO 31000:2018 | General risk management | No (guidance) | Parent framework. ISO 31030 is a domain-specific extension of ISO 31000's principles |
| ISO 22301:2019 | Business continuity management | Yes | Complementary. ISO 22301 covers organizational continuity; ISO 31030 covers traveler safety. Both require risk assessment and incident response |
| ISO 27001:2022 | Information security management | Yes | Tangential. Travelers carry data and devices; ISO 27001 addresses information security risks that ISO 31030 does not |
| ISO 45001:2018 | Occupational health and safety | Yes | Complementary. ISO 45001 covers workplace safety including travel as a work activity. ISO 31030 provides the travel-specific detail |
ISO 31030 vs ISO 31000
ISO 31000 is the general risk management framework that ISO 31030 extends. If your organization already follows ISO 31000, ISO 31030 fits within that framework as a domain-specific application. You do not need to rebuild your risk management system -- you extend it to cover travel. ISO 31000 provides the principles (risk identification, assessment, treatment, monitoring, review). ISO 31030 tells you how to apply those principles specifically to the risks associated with sending people to work in other locations.
Organizations with mature ISO 31000 implementations typically find ISO 31030 alignment straightforward because the governance structures, risk assessment methodologies, and documentation practices already exist. The gap is usually in travel-specific elements: real-time monitoring, traveler communication protocols, and destination-specific response planning.
ISO 31030 vs ISO 22301
ISO 22301 is the business continuity management standard. Where ISO 31030 asks "how do we protect the person?", ISO 22301 asks "how does the organization continue operating when a disruption occurs?" They are complementary, not competing. A security incident that endangers a traveler (ISO 31030) may simultaneously disrupt business operations (ISO 22301). Organizations that implement both standards create a comprehensive framework that protects both people and operations.
The practical overlap is in incident response and crisis management. Both standards require documented response procedures, communication protocols, and regular testing. Organizations can design a single crisis management framework that satisfies both standards, with travel-specific protocols extending the business continuity framework rather than duplicating it.
Frequently Asked Questions
Is ISO 31030 mandatory?
ISO 31030 is not legally mandatory in most jurisdictions. It is a guidance standard, not a regulation. However, it is increasingly treated as the benchmark for what constitutes "reasonable" duty of care for traveling employees. Courts in the UK, EU, and Australia have referenced ISO 31030 when evaluating employer liability in cases involving traveler safety failures. Major donors including USAID and DFID increasingly require documented travel risk management compliance aligned with ISO 31030 as a condition of grant funding for NGOs and contractors operating in high-risk regions. While not technically mandatory, the gap between "voluntary guidance" and "practical requirement" is closing rapidly -- particularly for organizations operating in high-risk environments. For more on duty of care obligations, see our travel risk management guide.
How much does ISO 31030 certification cost?
There is no formal ISO 31030 certification. Unlike ISO 9001 or ISO 27001, ISO 31030 is a guidance standard -- organizations demonstrate alignment, not certification. The cost of aligning with ISO 31030 depends on your starting point. Organizations with existing travel risk management programs may need only documentation updates and process formalization ($5,000-$20,000 in consulting time). Organizations building from scratch face $20,000-$100,000+ depending on scope and complexity. The standard itself costs approximately $200 to purchase from BSI or ISO. The ongoing cost is primarily the monitoring platform: enterprise solutions run $50,000-$500,000+/year, while Region Alert starts at $499/month.
What is duty of care in travel risk management?
Duty of care is the legal and ethical obligation employers have to protect their employees from foreseeable harm during work-related travel. In practice, this means organizations must take reasonable steps to: identify threats at the destination before travel, communicate known risks to the traveler, provide adequate preparation and training, monitor conditions continuously during travel, and maintain emergency response capabilities. The critical legal standard is "foreseeable" -- if a threat was publicly known or discoverable through reasonable monitoring, and the organization failed to identify it, that constitutes a breach. ISO 31030 provides the most comprehensive framework for defining and demonstrating what "reasonable steps" means. For sector-specific guidance, see our pages on NGO security and mining security.
How do you prove duty of care compliance?
Proving duty of care compliance requires documented evidence across five areas: (1) a written travel risk management policy with clear roles and responsibilities, (2) documented risk assessments showing current threat data was reviewed before each trip or for each destination, (3) records of traveler briefings and training provided, (4) evidence of continuous monitoring during travel -- including the intelligence sources used, alerts generated, and response actions taken, and (5) post-trip reviews and incident documentation. The key word is "current." ISO 31030 requires that risk assessments reflect current conditions, not historical baselines. Daily intelligence briefings with audit trails, such as those provided by Region Alert, create documented evidence that monitoring was conducted every day of travel -- which is precisely what auditors, insurers, and courts look for. For a broader overview, see our travel risk management companies comparison.
Sources & Official References
This guide references these authoritative sources:
- ISO 31030:2021 Travel Risk Management -- The international standard (available from ISO and BSI)
- BSI ISO 31030 Overview -- British Standards Institution summary and purchase
- ASIS International -- Global security management professional association
- International Crisis Group (ICG) -- Independent conflict analysis and prevention
- ISO 31000:2018 Risk Management -- Parent risk management framework
- ISO 22301:2019 Business Continuity -- Complementary business continuity standard