Standard 1. Travel advice

The traveller should review appropriate travel advice prior to deployment.

The traveller should review the following sources of information on safety and security in the destination country:

• Traveller’s government travel advisory/warnings

• Employer’s government travel advisory/warnings

• Overseas Security Advisory Council (OSAC) crime and safety report

• Centers for Disease Control and Prevention (CDC) traveller’s health advice

• Insurer-provided or subscription-based risk portal, if available

The traveller should remember that travel advice is not static, and is subject to change at short notice. Also, the traveller should check for planned demonstrations, public holidays, elections or other events that will occur during their deployment and may temporarily elevate the threat due to political, religious or social tensions around the occasion or the likelihood of drunkenness, violence or crackdowns.

Standard 2. Record of emergency data

The traveller should leave a record of emergency data (RED) with their employer or a trusted third party.

A record of emergency data (RED) contains among other things information about the travel plans and the contact information of the person(s) that the traveller desires to be notified in case of emergency. A Personal Security Profile (PSP) is available from Open Briefing to meet this need.

If travelling to a high-threat country, the traveller should also complete proof of life and security declaration forms. The answers to proof of life questions should not be easy to guess or discernible from open sources, such as social media. Questions should not be related to sensitive issues (e.g. politics or religion) but should help trigger a positive memory and instil hope for the traveller. It is also important that the distress code word can be easily incorporated into conversation.

The security declaration is an important way of demonstrating that the employer has secured the traveller’s informed consent.

Standard 3. Check-in schedule

The traveller should check-in with their line manager or other point of contact according to a pre-agreed schedule.

The check-in schedule should be in line with the organisation’s travel security procedure or proportionate to the threat in the absence of such a procedure:

• Low: Once a day (evening)

• Medium: Twice a day (morning/evening)

• High: Twice a day (morning/evening), departure/arrival during in-country travel

• Critical: Three times a day (morning/lunchtime/evening), departure/arrival and every 30 minutes during travel

The organisation should have pre-agreed and tested monitoring, escalation and response procedures in place for missed check-ins or panic alerts. This should include a crisis management plan.

Standard 4. Travel medical insurance

The traveller should obtain suitable travel medical insurance from a reputable provider.

The insurance should provide cover for:

• The country travelling to (including if against government travel advice)

• The full duration of the deployment

• War and terrorism

• The type of visa travelling on

The policy should also allow:

• Direct billing

• Incidental holidays (if relevant)

Standard 5. Mobile/cell phone

The traveller should take a mobile/cell phone that will work on the GSM carrier frequency ranges in the country to be visited and with local network SIM cards.

The traveller should check the coverage of the areas to be visited with the proposed network or a mobile analytics company.

Note that calls may be weakly encrypted between handsets and cell phone towers; however, conversations are vulnerable to interception by phone companies and governments as they travel through the phone network. If required, the easiest way to ensure that voice calls are encrypted is to use a service that offers end-to-end encrypted calls, such as Signal.

All mobile phones can be tracked. The usual advice to turn phones off and remove batteries (if possible) may itself create risks when others attending the same meetings might also disconnect from the network in the same way at similar times. This allows automated analysis to identify patterns that can be further scrutinised by security forces in order to potentially identify individuals that the traveller is interacting with. Instead, travellers should leave phones in their hotel or residence during sensitive meetings or at other times when the risks of being surveilled outweigh the need to carry a communication device for safety or convenience.

Standard 6. Basic first aid kit

The traveller should take a basic first aid kit and know how to use the contents.

The first aid kit should include:

• Bandages, dressings, plasters, wound closure strips

• Antiseptic cleansing wipes, antiseptic cream, eye wash

• Tweezers, scissors, thermometer, examination gloves

• Anti-diarrhoeal medicine, oral rehydration solution

• Antihistamines, hydrocortisone cream

• Painkillers, anti-inflammatories, personal medication

The traveller should note that narcotic drugs and psychotropic substances (italicised in the list above) are under the scope of international law, and their importation may be regulated. This includes analgesic opioids and their derivatives (e.g. codeine) and medications used to treat a range of mental health disorders. Some countries also regulate medications used to treat neurological conditions, such as Parkinson’s disease and epilepsy, and others include sedating antihistamines on their banned list.

Travellers taking medication should ensure that they have a medical prescription and potentially a certificate issued by a competent authority in the country of departure and/or a permit issued by a competent authority in the country of destination.

Standard 7. Secure mobile devices

The traveller should ensure that all work and personal mobile devices and peripherals that they take on deployment are secured to the appropriate level to meet the information security threat in that country.

This standard applies to all laptops, tablets and smartphones as well as any USB flash drives and other removable media or storage devices.

The traveller should consider applying the following to all mobile devices prior to deployment:

• Full disk encrypted (or set to automatically lock after a short delay with user account(s) secured by a password or passcode)

• Latest operating system and app updates and security patches

• An asset tracking app that allows remote tracking, locking and wiping (e.g. Find My)

When the information security threat is assessed to be high, the traveller should consider only taking a burner phone and sanitised laptop containing and with access to the absolute minimum necessary information assets and services.

Standard 8. Online security

The traveller should take steps to protect the privacy and security of their online activities during the deployment.

The traveller should consider installing the following on their mobile devices prior to deployment:

• VPN

• Personal firewall

• Anti-virus

The traveller should also ensure that the correct privacy and security settings are enabled for all online services that they will use during their deployment, including:

• Strong, unique passwords

• Two-factor authentication (2FA/2SV)

The traveller should ensure that they are connecting to websites over HTTPS where available. For online browsing that must remain private, the traveller might also use:

• Tor browser

Standard 9. Secure communications

The traveller should only use end-to-end encrypted communication tools for sensitive or confidential conversations during their deployment.

Examples of recommended end-to-end encrypted communications tools at this time include:

• Signal for chat and voice and video calls

• FaceTime for video conferencing on Apple devices

• ProtonMail for email

Note that end-to-end encryption only prevents the content of communications from being exposed; metadata, including sender and recipient information and the dates and times when messages are sent and received, is much more difficult to hide, and can reveal much about social networks and communication patterns.

Standard 10. Correct paperwork and permissions

The traveller should ensure that they have the correct visas, permits and other travel permissions prior to travel.

Violation of immigration, work and residence laws can result in severe penalties, including imprisonment, fines, deportation, a travel ban and/or an exclusion order, for example. This can present an immediate threat to the traveller, and also undermine the viability of the current assignment and the organisation’s ongoing work in the country.

However, there may be times when obtaining a business visa, for example, would draw unwanted attention from authorities and increase the risk to the traveller and/or local partners. On the basis of a risk assessment, it may therefore sometimes be necessary to travel on a tourist visa, for example.

The traveller should note that their travel insurance policy may not cover being detained for having incorrect visas or permits. The traveller should discuss this with their insurer, and take out an alternative policy that does cover covert travel if required.

Standard 11. Risk assessment

The traveller should complete a travel risk assessment using their organisation’s standard risk assessment form.

The assessment should cover threats to their safety, security and health, including:

• Crime

• Kidnap

• Political violence

• Civil unrest

• Armed conflict

• Environment

• Infrastructure

• Medical/health

• Surveillance and monitoring

• Information security

• Wellbeing and mental health

The traveller can use the Security Risk Assessment Tool (SRAT) from Open Briefing if their organisation does not have a standard form.

Standard 12. Contingency plans

The traveller should create primary and alternative hibernation, relocation and evacuation plans.

Hibernation is a shelter-in-place plan; relocation is a move to a safer location within the same country; evacuation is a move across an international border. The traveller should ensure that their primary and alternative options for each do not rely on the same transport mode or hub (e.g. road travel or international airport).

The traveller can use the travel contingency plans template from Open Briefing if their organisation does not have a standard form.

Standard 13. Personal security training

The traveller should have completed in the last three years, or will complete prior to deployment, personal security training with a reputable provider that is appropriate and proportionate to the threats present in the operating environment.

Travellers can complete different levels of security training dependent on the threat rating of the country that they are deploying to:

• Medium: Personal/travel security (2-3 days)

• High: Hostile environment awareness training (HEAT, 4-5 days)

While syllabuses vary from provider to provider, all levels of security training should include sessions on:

• Risk assessment

• Communications

• Civil unrest and demonstrations

• Building security (office, residence and/or hotel)

• Sexual harassment and assault

• Wellbeing and resilience

• Basic first aid, including basic life support

HEAT training should include the modules set out above, plus additional training on:

• Vehicle convoys

• Official and unofficial checkpoints/roadblocks

• Direct and indirect fire

• Kidnap and hostage survival

• Conflict de-escalation and self-defence

• Intermediate first aid, including catastrophic bleeding

For remote and/or violent environments where pre-hospital emergency care is not readily available, travellers should complete a separate advanced first aid training course (5 days) to FREC 3/FPOS-I standard or higher.

Standard 14. Crisis response insurance

The traveller should obtain suitable crisis response insurance from a reputable provider.

The insurance should provide:

• A response consultant with sector-specific experience

• Unlimited consultant fees and expenses

• The ransom cover required by the organisation’s policy on ransom payments

Standard 15. Individual trauma kit

The traveller should take an individual trauma kit and know how to use the contents.

The individual trauma kit should include at a minimum:

• Catastrophic bleed kit (C-A-T tourniquet, haemostatic gauze, Celox Applicator, emergency bandage – aka ‘Israel dressing’)

• Chest seal

• Nasopharyngeal and oropharyngeal airways

• Paramedic shears, examination gloves, resuscitation face shield

Standard 16. Wellbeing and resilience strategies

The traveller should adopt proactive wellbeing and resilience strategies before, during and after their deployment.

Operating in insecure and violent environments can increase the risks of stress and trauma, potentially leading to mental health problems, inappropriate coping mechanisms, poor decision making and burnout.

The key is for travellers to design their own personal resilience plans for how they will maintain their mental wellbeing before, during and after their deployment. Travellers should consider steps to achieve the following:

Physical health:

• Maintain good sleep hygiene, including establishing a regular nightly routine and a pleasant sleep environment, if possible.

• Eat regular meals and follow a healthy diet.

• Exercise or play sport.

Emotional health:

• Practice mindfulness, meditation or yoga.

• Seek appropriate help, including from friends, family, colleagues or health professionals, if health or wellbeing is deteriorating.

Social health:

• Keep in touch with friends and family.

For optimal resilience, travellers should try to avoid:

• Using drugs or alcohol as a way of coping.

• Failing to address physical illness or injury.

• Taking unnecessary risks.

• Withdrawing from people that could provide support.

Employers should also have formal wellbeing and resilience procedures in place, including details of any counselling support and Psychological First Aid training that will be offered to staff and line managers.

Standard 17. Reconsider travel

The traveller should not deploy if the risk assessment determines that the level of risk to the traveller sits above the organisation’s risk threshold.

The organisation should have a clearly articulated risk threshold that sets out what is, and is not, an acceptable level of risk to their staff. If it is determined that the risk to the traveller in-country is above this threshold, then the traveller should not deploy, unless the risk statement includes provision for accepting higher levels of risk under certain circumstances. If such an exception is in place and the circumstances are met, then the traveller will need to provide their informed consent and adopt further mitigation measures prior to deployment.

Standard 18. Sat phone

The traveller should take a sat phone on a satellite network that provides coverage of the country to be visited.

The traveller should check the network coverage of the areas to be visited. Note that while satellite phone networks encrypt voice traffic, the two main encryption algorithms used in sat phones are vulnerable to attacks that may allow eavesdropping on calls; therefore, sat phones should not be used for secure communications.

The traveller should note that sat phones are banned or restricted in some countries.

Standard 19. GPS tracker

The traveller should take a GPS personal tracker (and vehicle tracker if relevant to the deployment).

The traveller should be aware that while all trackers use GPS (and potentially GLONASS) to locate the user, some devices then use GSM (mobile/cell) to communicate that location to the online tracking platform while others use one of several satellite networks. The technology used will dictate whether the tracker will work effectively in the expected operating environment, as GSM will only work where there is cell coverage (so will be better suited to urban environments) and satellite communication may be poor indoors or in built-up environments (so will be better suited to rural locations).

Note that some trackers (e.g. the NAL Shout GSM) can communicate location data via both GSM and the Iridium network, but are considerably more expensive than GSM-only options.

Another factor to consider is that some devices and apps can geolocate and communicate with the tracking platform via wifi, and so may be more effective in compounds and residences/hotels, for example, than trackers without wifi capability.

Standard 20. Body armour

The traveller should wear a ballistic helmet and body armour configured for their mission and proportionate to the ballistic threat present in the operating environment.

The traveller will need an overt and/or a covert cover that contains soft armour panels, which are designed to protect against most handguns and small arms ammunition. If protection against high-calibre and armour-piercing rounds is required, the traveller will also need hard armour plates, which can be worn in pockets on the front and back of the cover or in a separate plate carrier. Hard armour plates tend to work in conjunction with the soft armour panels to achieve the desired level of ballistic protection.

The US National Institute of Justice (NIJ) body armour performance standards are:

Soft armour:

• Level IIA: 9mm FMJ RN; .40 S&W FMJ

• Level II: 9mm FMJ RN; .357Magnum JSP

• Level IIIa: .357 SIGFMJ FN; .44 Magnum SJHP

Hard armour:

• Level III: 7.62mm FMJ (M80)

• Level IV: .30 Cal AP (M2 AP) (Rifle)

For reference, soft armour panels rated at NIJ Level IIIa are designed to provide protection against most handgun rounds, submachinegun rounds and 12-gauge shotgun shells. With the addition of hard armour plates rated at NIJ Level III, the wearer should be protected against the 7.62mm rounds used in the ubiquitous AK-47 type assault rifles as well as against US military M80 rounds. Note that ballistic helmets tend to be rated to NIJ Level IIIa.

Note that some countries impose import restrictions or licensing requirements on body armour, as it may be treated as military equipment.