Executive Assistant (EA) Philippines — Calendar, Inbox, Travel + Security SOPs
Audience & Intent
Founders, COOs, and revenue leaders (US/UK/AU) who want a Philippines-based Executive Assistant (EA) to manage calendar, inbox, and travel with hardened Security SOPs—so communications are fast, schedules are airtight, and sensitive data stays protected.
Author: Martin English — CEO & Founding Partner
Date Published: November 7, 2025
Date Updated: November 7, 2025
TL;DR
- Calendar: lock a single source of truth, enforce buffers, and run a daily T-24 sweep with reschedule scripts.
- Inbox: triage by rules, star the “CEO Five,” and ship same-day summaries; templates cover intros, follow-ups, and declines.
- Travel: standardized briefs (visa/loyalty/seat map), pre-approved fare rules, and a same-day change protocol.
- Security: enforce 2FA, delegated inbox, least-privilege access, password manager, and device controls; keep an audit trail.
- Hiring model: start with a pilot; move to EOR for stable hours, payslips + remittances (audit-ready), and strong PII/device policies.
What Your EA Owns (Comparison by Workstream)
| Workstream | Core Tasks | SLAs (starter) | Tools to Wire | Risks | Controls (SOP) |
| Calendar | T-24/T-72 sweeps, buffers, reschedules, board packs | Conflicts fixed <4h; board packs T-24 | Google/Microsoft Calendar, Calendly, Loom | Double-booking; no-shows | 25–50 min buffers; color codes; escalation rule for VIPs |
| Inbox | Triage, drafts, intros/follow-ups, end-of-day digest | FRT ≤4h, Zero Inbox by EOD | Gmail/Outlook rules, canned responses, Superhuman/Shortcuts | Missed priority; wrong tone | “CEO Five” list, templates, sender verification on wire-like requests |
| Travel | Flights/hotels/visas, changes, receipts | Options <24h; change handling same day | GDS/OTA, TripIt/Concur, airline apps | Last-minute fees; lost receipts | Fare rules; corporate card; receipt OCR; backup flight matrix |
| Meetings | Agendas, notes, actions, follow-ups | Notes in 24h; actions assigned same day | Notion/Docs, Slack, CRM | Lost decisions | Agenda templates; decision log; DRI tagging |
| Security | Access, 2FA, device policy, vendor checks | New access <24h; revoke <2h | Admin console, MDM, password manager | PII leak; account takeover | Least-privilege; 2FA; joiner/mover/leaver; audit log exports |
Calendar Mastery (buffers, sweeps, and scripts)
- Single source of truth: the EA manages the exec’s primary calendar; secondary calendars subscribe only.
- Buffers & blocks: 25/50-minute meetings, travel holds, and deep-work blocks locked weekly.
- Daily T-24 sweep: confirm links, attendees, and materials; send “running late” macros if needed.
- Reschedule playbook: 3 options with timezone math; keep the thread, never spawn a new one.
Inbox Operations (the “CEO Five” + daily digest)
- CEO Five (pin/star): (1) Revenue/Board, (2) People/Legal, (3) Strategic Partner, (4) Customer Escalation, (5) Personal/Finance.
- Rules & labels: sender domain, keywords (e.g., “invoice,” “NDA”), and VIP routing; bulk-archive low-signal newsletters.
- Templates library: intro, decline, reschedule, “nudge after 3 days,” and “send docs.”
- EOD digest: top 5 decisions, deadlines, blockers, and tomorrow’s first three priorities.
Travel That Doesn’t Break (briefs, rules, changes)
- Travel brief: destination(s), loyalty/status, window/aisle, aircraft seat map, hotel profile, local transport, time-to-venue.
- Fare rules: pre-approved cabin caps, preferred carriers, min connection time, “no red-eye unless approved.”
- Change protocol: when the exec pings “change”—EA offers 2–3 same-day options, moves calendar, notifies attendees, and re-books ground.
Security SOPs (tight by default)
- Delegated access (never share raw passwords); EA works via delegation.
- 2FA on all accounts; backup codes in the password manager vault.
- Password manager (org-level); shared vault for travel/booking vendors.
- Least-privilege access; revoke within 2 hours on role change.
- Device policy: full-disk encryption, screen lock ≤5 min, no local PII dumps; mobile with MDM.
- PII handling: mask ID numbers; use secure links (no attachments where avoidable).
- Vendor verification: call-back or verified portal for payment/billing changes (no email-only changes).
- Inbox rules hygiene: quarterly audit of auto-forward/filters and third-party app tokens.
- Travel documents: store visas/passports in encrypted vault, not email.
- Audit trail: monthly export of access logs and device compliance report.
Onboarding Plan: Seat an EA in 2–10 Business Days
- D0–D2: Access (calendar, inbox delegation, travel tools), policy pack (PII/device), templates & color codes.
- D3–D4: Shadow week + dry-runs: scheduling, inbox triage, a mock trip.
- D5: Go-live on limited scope; daily 15-min stand-ups.
- D6–D10: Expand access; enable escalation tree; first monthly security audit export.
KPIs & Review Rhythm
- Calendar: conflict resolution time; no-show rate; buffer adherence.
- Inbox: FRT, EOD zero rate, template use %, decision latency.
- Travel: on-time departure %, change handling SLA, receipt compliance.
- Security: 2FA coverage, access revocation time, audit log freshness.
Hiring Model: When to Use an EOR in the Philippines
- Pilot with a contractor/agency to validate the working cadence.
- Switch to EOR when hours are stable and access deepens: get payslips + SSS/PhilHealth/Pag-IBIG remittances, 13th-month handled, and enforce joiner/mover/leaver + device recovery policies.
Term Clusters
- Calendar: buffers, sweeps, reschedule scripts, board packs
- Inbox: rules, “CEO Five,” digest, templates
- Travel: briefs, fare rules, change protocol, receipts
- Security: delegation, 2FA, password manager, device, vendor verification, audit logs
- Onboarding & KPIs: timelines, metrics, review cadence
- Hiring/EOR: compliance evidence and controls
FAQ
How do I keep exec calendars conflict-free across time zones?
Use T-24/T-72 sweeps with timezone math, fixed buffers, and a hard rule that all invites route through one primary calendar.
What belongs in the EOD digest?
Top 5 decisions, deadlines, blockers, plus tomorrow’s three anchors—with links to threads/events.
What’s the quickest way to harden security for an EA today?
Turn on 2FA, move to delegated inbox, roll out a password manager, and audit third-party tokens/auto-forwards.
How do we handle urgent reschedules without chaos?
Offer three slots, keep the original thread, and move all dependent events (briefing, transport) in one go.
When is EOR worth it for an EA?
When the role is retained with deeper PII/system access and you need payroll proof, benefits, and device/off-boarding control.
Want a calendar that runs itself, an inbox that decides fast, and travel that never wobbles—securely?
Request our EA Starter Pack (calendar color codes, inbox templates, travel brief, Security SOPs) and a 2–10 day seat plan. We’ll staff, train, and keep your audit trail clean from day one.
Credible Sources
- Google Workspace Admin — 2-Step Verification & Admin controls: https://support.google.com/a
- Microsoft 365 Admin — Security defaults & MFA: https://learn.microsoft.com/microsoft-365/admin
- NIST — Digital Identity & Authentication (SP 800-63): https://www.nist.gov
- IATA — Timatic (travel documentation & visas): https://www.iata.org
- U.S. TSA — ID & screening guidance: https://www.tsa.gov
