Published by Vertex Security Services | March 2026

On February 22, a military operation in Jalisco, Mexico, killed the leader of the most powerful drug cartel in the Western Hemisphere. Within hours, retaliatory violence shut down highways, grounded flights, and trapped thousands of American and Canadian tourists in Puerto Vallarta and Guadalajara. The U.S. State Department issued a shelter-in-place order. Airlines canceled flights. Roads burned. Travelers watched burning roadblocks from hotel balconies with no plan, no exit, and no one to call.

Six days later, the United States and Israel launched strikes against Iran that killed Supreme Leader Ali Khamenei. The FBI is now investigating a mass shooting in Austin, Texas — two dead, fourteen wounded — as a potential act of terrorism linked to those strikes. DHS has warned of asymmetric retaliation threats against the U.S. homeland. Intelligence firms assess that the risk of lone-actor attacks and state-sponsored operations on Western soil is at its highest level in a generation.

This is the world your employees, your executives, and your clients are traveling through right now. Not this summer. Not next quarter. Today.

There is an international standard — ISO 31030 — that was built for exactly this moment. It tells organizations precisely how to manage travel risk, fulfill their duty of care, and protect their people when they leave the country. Most companies have never heard of it. The ones that have are the ones whose employees come home safe.

What ISO 31030 Is and Why It Matters Right Now

ISO 31030:2021 is the international standard for travel risk management, published by the International Organization for Standardization. It provides a comprehensive framework for organizations of any size and any industry to develop, implement, evaluate, and maintain a travel risk management program. It covers everything from pre-trip threat assessments to in-transit monitoring to emergency response and post-incident review.

The standard is voluntary — no regulator will fine you for ignoring it. But voluntary does not mean optional. ISO 31030 exists because organizations have a legal and ethical duty of care to protect the health, safety, and well-being of their employees during business travel. That duty of care does not pause because a trip involves a sporting event instead of a client meeting. It does not pause because the employee volunteered for the trip. It does not pause because the destination was "fine last time."

Failure to meet duty of care obligations exposes organizations to legal liability, reputational harm, and — most importantly — to situations where employees are harmed in ways that could have been prevented. The travelers stranded in Jalisco two weeks ago were not victims of unforeseeable violence. They were victims of foreseeable violence that their travel plans did not account for. The U.S. State Department has maintained a Level 3 advisory for Jalisco for years. The Jalisco New Generation Cartel has been the dominant criminal organization in the region for over a decade. The information was there. The plans were not.

ISO 31030 is the framework that closes that gap.

What ISO 31030 Requires — In Plain Language

The standard is detailed, but the core framework can be understood by anyone responsible for sending people on business travel. Here is what it asks organizations to do.

Establish a travel risk management policy. Not a paragraph in the employee handbook. A formal, documented policy that defines the organization's approach to travel risk, assigns roles and responsibilities, sets risk tolerance thresholds, and is communicated to every employee who travels. The policy should address domestic and international travel, cover all levels of the organization, and be reviewed and updated regularly.

Conduct destination-specific risk assessments before every trip. Before an employee books a flight, someone in the organization should be evaluating the threat environment at the destination — political stability, crime rates, health risks, transportation infrastructure, natural disaster exposure, and the current security situation. For a trip to Mexico right now, that assessment would need to account for cartel presence, the possibility of retaliatory violence, airport and highway vulnerabilities, and the medical infrastructure available in an emergency. For a trip to the Middle East or the Gulf, it would need to account for the active Iran conflict and the risk of escalation. For a trip to Colombia, it would need to account for ongoing kidnapping patterns targeting foreign nationals. Every destination carries a distinct risk profile, and that profile can change between the day a trip is booked and the day the employee lands.

Implement pre-trip preparation. Employees should receive a destination-specific briefing before departure. They should know the location of the nearest U.S. Embassy or consulate, have emergency contact numbers saved in their phone, carry copies of critical documents, understand the organization's communication protocol, and know what to do if the security situation changes while they are in-country. They should be enrolled in the State Department's Smart Traveler Enrollment Program.

Maintain real-time monitoring during travel. The organization should have the ability to know where its travelers are and to communicate with them during a trip — particularly when conditions change. The Jalisco crisis evolved from a normal Sunday to a shelter-in-place emergency in less than two hours. Organizations that had real-time traveler tracking and communication protocols in place could reach their people immediately. Organizations that did not had to wait and hope.

Have an emergency response plan — and know who executes it. If an employee is caught in a security incident, a medical emergency, or a natural disaster, who makes the decisions? Who contacts the employee? Who coordinates with local authorities or a security provider on the ground? Who communicates with the employee's family? ISO 31030 requires that these roles be defined, documented, and practiced before the trip — not improvised during a crisis.

Establish relationships with security and medical providers in the destination. This is the step that separates organizations that survive a crisis from organizations that are overwhelmed by one. A pre-existing relationship with a security provider who has personnel and contacts in the destination means the difference between a coordinated response and a phone tree that leads nowhere. For travel to any destination carrying a Level 3 or Level 4 State Department advisory — and there are currently more than 40 countries at those levels — this is not an optional enhancement. It is a core component of a compliant travel risk program.

Conduct post-trip and post-incident reviews. After every significant trip or incident, evaluate what worked, what didn't, and what needs to change. The organizations that learn from near-misses are the ones that avoid catastrophic failures.

The Duty of Care Problem Most Companies Are Ignoring

Here is the uncomfortable truth: most organizations that send employees on business travel — including international travel to destinations with active State Department advisories — do not have a travel risk management program that meets the ISO 31030 standard. Many do not have a formal program at all.

The reasons are predictable. Travel has always gone fine before. The destination is a "tourist area." The employee is experienced. The company has travel insurance. None of these are substitutes for a structured risk management program, and none of them will hold up in a legal proceeding if an employee is harmed in a foreseeable situation that the organization failed to plan for.

Duty of care is not just a moral principle. It is a legal obligation that extends across every jurisdiction an employee enters during business travel. If your organization sends an executive to a country with an active State Department advisory and that executive is caught in violence that was foreseeable based on publicly available information — and your organization had no risk assessment, no emergency plan, and no security provider on the ground — the liability exposure is significant. The Jalisco crisis, the Iran conflict, kidnappings in Colombia, civil unrest across multiple African and South American nations — none of these are surprises. The information is available. The question is whether your organization is acting on it.

ISO 31030 does not eliminate risk. No framework can. But it creates a documented, defensible process that demonstrates the organization took reasonable steps to anticipate, assess, and mitigate travel-related threats. That process protects employees. It also protects the organization.

The Destinations Your People Are Traveling To Have Changed. Has Your Program?

The threat environment for international business travel has shifted more in the past 12 months than in the previous decade. Mexico — the most popular international destination for American travelers — has experienced escalating cartel violence that reached resort cities previously considered safe. The Middle East and Gulf region are in an active military conflict with spillover risk to commercial aviation, energy infrastructure, and civilian areas. European capitals face elevated terrorism threat levels linked to the Iran conflict and ongoing domestic radicalization. Latin American countries including Colombia, Brazil, and Venezuela continue to present kidnapping, extortion, and civil unrest risks that change by the month.

And this is just the kinetic threat picture. Cyber risks to travelers — compromised hotel Wi-Fi networks, device theft, digital surveillance, and data exposure — add another layer that ISO 31030 explicitly addresses but most corporate travel programs do not.

If your organization sends people overseas — for client meetings, conferences, site visits, deal closings, or any other business purpose — this is the moment to either build or pressure-test your travel risk management program against the ISO 31030 framework.

The questions to ask are straightforward. Has a destination-specific risk assessment been conducted for each upcoming trip? Do traveling employees receive a pre-trip briefing that covers the current security environment, emergency contacts, communication protocols, and shelter-in-place procedures? Does the organization have real-time traveler tracking? Is there an emergency response plan with assigned roles? Does the organization have a relationship with a security provider who has personnel and contacts in the countries where your people travel?

If the answer to any of those questions is no, the program has gaps — and those gaps represent both human risk and organizational liability.

Vertex Security Services: ISO 31030-Aligned Travel Risk Management

Vertex Security Services provides travel risk management services aligned with the ISO 31030 framework for organizations sending personnel to domestic and international destinations. Our services include destination-specific threat assessments, pre-trip security briefings, travel security protocols, secure transportation coordination, real-time monitoring support, emergency response planning, and on-the-ground security personnel when the risk level warrants it.

We work with corporate security directors, executive assistants, family offices, and organizational leaders to build travel risk programs that meet the ISO 31030 standard — or to evaluate existing programs against it. Whether the engagement is a single trip to a high-risk destination, a multi-country executive itinerary, or an enterprise-wide travel risk policy, we scale our approach to the organization's needs and risk tolerance.

Our team brings backgrounds in military special operations, federal law enforcement, and executive protection — professionals who have operated in the environments your travelers are entering and who understand that the best travel security is the kind that prevents problems before they start.

If you are responsible for the safety of people who travel for your organization — and you are not confident that your current program meets the standard that exists for exactly this purpose — we welcome that conversation.

📞 970-989-4610 📧 admin@vertexsecurityservices.com 🌐 www.vertexsecurityservices.com 📍 P.O. Box 8604, Aspen, CO

Frequently Asked Questions About ISO 31030 and Travel Risk Management

What is ISO 31030? ISO 31030:2021 is the international standard for travel risk management published by the International Organization for Standardization. It provides guidance for organizations of any size and industry on developing, implementing, and maintaining a program to manage the risks associated with business travel. The standard covers policy development, threat identification, risk assessment, pre-trip preparation, in-transit monitoring, emergency response, and post-incident review. It is voluntary but represents the internationally recognized benchmark for travel risk management best practices.

What is duty of care in the context of business travel? Duty of care is the legal and ethical obligation an organization has to protect the health, safety, and well-being of its employees during work-related activities — including business travel. This obligation extends across every jurisdiction an employee enters during a trip. Failure to meet duty of care obligations can result in legal liability, regulatory action, and reputational harm. ISO 31030 provides a structured framework for organizations to demonstrate they have taken reasonable steps to fulfill this obligation.

Does ISO 31030 apply to my company? ISO 31030 applies to any organization, regardless of size or industry, that sends personnel on domestic or international business travel. This includes corporations, nonprofits, educational institutions, government agencies, and any entity with employees who travel for work. The standard is scalable — a small company sending one employee to a conference can apply the same framework principles as a multinational corporation managing thousands of travelers.

How do I know if a destination is too risky for business travel? The U.S. State Department publishes travel advisories for every country, rated from Level 1 (Exercise Normal Precautions) to Level 4 (Do Not Travel), with region-specific breakdowns within each country. More than 40 countries currently carry Level 3 or Level 4 advisories. ISO 31030 does not dictate which destinations are too risky — that decision depends on your organization's risk tolerance, the purpose of the trip, and the mitigation measures in place. What the standard does require is that the decision be informed by a documented risk assessment, not by assumption or precedent. A destination that was safe last year may not be safe today, as the Jalisco crisis demonstrated in a matter of hours.

What does a travel risk assessment include? A travel risk assessment evaluates the specific threats and vulnerabilities associated with a particular trip or destination. It typically covers political stability and civil unrest potential, crime rates and patterns, terrorism threat levels, health risks and medical infrastructure, transportation safety, natural disaster exposure, the current security situation including any active advisories, and the traveler's personal risk profile. The result is a set of recommendations for mitigating identified risks, which may range from adjusting the itinerary to engaging security personnel on the ground.

How do I start building an ISO 31030-compliant travel risk program? Start with an honest assessment of what your organization currently has in place. Review your existing travel policies against the ISO 31030 framework. Identify gaps in risk assessment, pre-trip preparation, in-transit monitoring, emergency response, and post-trip review. Assign clear ownership of the travel risk management function within your organization. Establish relationships with security and medical providers for your most common and highest-risk destinations. And consider engaging a professional security firm to conduct a gap analysis and help build or strengthen your program.

Vertex Security Services is a woman-owned, Colorado-based security company headquartered in Aspen, providing executive protection, armed security, school security, event security, travel risk management, and threat vulnerability assessments nationwide.