Ships and marine technology - Guidelines for Private Maritime Security Companies (PMSC) providing privately contracted armed security personnel (PCASP) on board ships (and pro forma contract)

ISO/PAS 28007:2012 gives guidelines containing additional sector-specific recommendations, which companies (organizations) who comply with ISO 28000 can implement to demonstrate that they provide Privately Contracted Armed Security Personnel (PCASP) on board ships. To claim compliance with these guidelines, all recommendations ("shoulds") should be complied with. Compliance with ISO/PAS 28007:2012 can be by first, second and third party (certification). Where certification is used, it is recommended the certificate contains the words: "This certification has been prepared using the full guidelines of ISO PAS 28007 as a Private Maritime Security Company providing Privately Contracted Armed Security Personnel".

Navires et technologie maritime — Guide destiné aux sociétés privées de sécurité maritime (PMSC) fournissant des agents de protection armés embarqués sous contrat privé (PCASP) à bord de navires (et contrat pro forma)

General Information

Status: Withdrawn
Publication Date: 13-Dec-2012
Withdrawal Date: 13-Dec-2012
Current Stage: 9599 - Withdrawal of International Standard
Start Date: 26-Mar-2015
Completion Date: 13-Dec-2025

Technical specification
ISO/PAS 28007:2012 - Ships and marine technology -- Guidelines for Private Maritime Security Companies (PMSC) providing privately contracted armed security personnel (PCASP) on board ships (and pro forma contract)
English language
25 pages

Frequently Asked Questions

ISO/PAS 28007:2012 is a technical specification published by the International Organization for Standardization (ISO). Its full title is "Ships and marine technology - Guidelines for Private Maritime Security Companies (PMSC) providing privately contracted armed security personnel (PCASP) on board ships (and pro forma contract)". This standard covers: ISO/PAS 28007:2012 gives guidelines containing additional sector-specific recommendations, which companies (organizations) who comply with ISO 28000 can implement to demonstrate that they provide Privately Contracted Armed Security Personnel (PCASP) on board ships. To claim compliance with these guidelines, all recommendations ("shoulds") should be complied with. Compliance with ISO/PAS 28007:2012 can be by first, second and third party (certification). Where certification is used, it is recommended the certificate contains the words: "This certification has been prepared using the full guidelines of ISO PAS 28007 as a Private Maritime Security Company providing Privately Contracted Armed Security Personnel".

ISO/PAS 28007:2012 is classified under the following ICS (International Classification for Standards) categories: 03.080.20 - Services for companies; 47.020.01 - General standards related to shipbuilding and marine structures; 47.040 - Seagoing vessels. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO/PAS 28007:2012 has the following relationships with other standards: it has an inter-standard link to ISO 28007-1:2015. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

Standards Content (Sample)


PUBLICLY AVAILABLE SPECIFICATION
ISO/PAS 28007
First edition
2012-12-15
Ships and marine technology —
Guidelines for Private Maritime
Security Companies (PMSC) providing
privately contracted armed security
personnel (PCASP) on board ships
(and pro forma contract)
Navires et technologie maritime — Guide destiné aux sociétés privées
de sécurité maritime (PMSC) fournissant des agents de protection
armés embarqués sous contrat privé (PCASP) à bord de navires (et
contrat pro forma)
© ISO 2012
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any
means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the
address below or ISO’s member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2012 – All rights reserved

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Security management system elements for Private Maritime Security Companies
4.1 General requirements
4.2 Planning
4.3 Resources
4.4 Training and awareness
4.5 Communication and awareness
4.6 Documented information and records
5 Operation
5.1 Operational planning and control
5.2 Command and control of security personnel including security team, size, composition and equipment
5.3 Guidance on Rules for the Use of Force (RUF)
5.4 Incident management and emergency response
5.5 Incident monitoring, reporting and investigation
5.6 Scene management and protection of evidence
5.7 Casualty management
5.8 Health safety environment
5.9 Client complaints, grievance procedures and whistleblowing
6 Performance evaluation
6.1 Monitoring, measurement analysis and evaluation
6.2 Internal audit
6.3 Management review
6.4 Nonconformity and corrective action
6.5 Continual improvement
Annex A (informative) BIMCO GUARDCON Contract for Employment of Security Guards on Vessels and Guidance on Rules for the Use of Force (RUF) by Privately Contracted Armed Security Personnel in Defence of a Merchant Vessel, April 2012
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International
Standards adopted by the technical committees are circulated to the member bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the member bodies
casting a vote.
In other circumstances, particularly when there is an urgent market requirement for such documents, a
technical committee may decide to publish other types of normative document:
— an ISO Publicly Available Specification (ISO/PAS) represents an agreement between technical
experts in an ISO working group and is accepted for publication if it is approved by more than 50 %
of the members of the parent committee casting a vote;
— an ISO Technical Specification (ISO/TS) represents an agreement between the members of a
technical committee and is accepted for publication if it is approved by 2/3 of the members of the
committee casting a vote.
An ISO/PAS or ISO/TS is reviewed after three years in order to decide whether it will be confirmed for
a further three years, revised to become an International Standard, or withdrawn. If the ISO/PAS or
ISO/TS is confirmed, it is reviewed again after a further three years, at which time it must either be
transformed into an International Standard or be withdrawn.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/PAS 28007 was prepared by Technical Committee ISO/TC 8, Ships and marine technology.

Introduction
ISO 28000 is the certifiable security management system for organizations which has been developed
from other quality management systems (ISO 9001 and ISO 14001) with the same management system
requirements.
In effect ISO 28000 is a risk based quality management system for the security of operations and
activities conducted by organizations. ISO 28007 sets out the guidance for applying ISO 28000 to Private
Maritime Security Companies (PMSC)
PUBLICLY AVAILABLE SPECIFICATION ISO/PAS 28007:2012(E)
Ships and marine technology — Guidelines for Private
Maritime Security Companies (PMSC) providing privately
contracted armed security personnel (PCASP) on board
ships (and pro forma contract)
1 Scope
This Publicly Available Specification gives guidelines containing additional sector-specific
recommendations, which companies (organizations) who comply with ISO 28000 can implement to
demonstrate that they provide Privately Contracted Armed Security Personnel (PCASP) on board ships.
To claim compliance with these guidelines, all recommendations (“shoulds”) should be complied with.
Compliance with this Publicly Available Specification can be by first, second and third party (certification).
Where certification is used, it is recommended the certificate contains the words: “This certification
has been prepared using the full guidelines of ISO PAS 28007 as a Private Maritime Security Company
providing Privately Contracted Armed Security Personnel”.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO 28000, Specification for security management systems for the supply chain
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
Private Maritime Security Company
PMSC
organization which provides security personnel, either armed or unarmed or both, on board for
protection against piracy
Note 1 to entry: Henceforth throughout this document, the word “organization” refers to the PMSC.
3.2
Privately Contracted Armed Security Personnel
PCASP
armed employee or subcontractor of the PMSC
3.3
area of high risk of piracy
area identified as having an increased likelihood of piracy
3.4
guidance on the Rules for the Use of Force (RuF)
clear policy drawn up by the PMSC for each individual transit operation which sets out the circumstances
in which lethal force in the delivery of maritime security services may be used in taking account of
international law and the law of the flag state
3.5
International Code of Conduct for Private Security Service Providers (ICoC) (9 November 2010)
code that identifies a set of principles and processes for private security providers related to support for
the rule of law and respect for human rights in the context of self-regulation by private security companies
Note 1 to entry: IMO has stated that ICoC is not directly applicable to the peculiarities of deploying armed guards
at sea to protect against piracy since it is written in the context of self-regulation for land companies only.
3.6
interested party
person or organization that can affect, be affected by or perceive themselves to be affected by a
decision or activity
Note 1 to entry: This denotes but is not limited to clients (ship-owners, charterers), the shipping community
including seafarers, flag, coastal and port states, international organizations, P and I clubs and insurers, and
security training companies, certification bodies.
3.7
maritime security services
services which range from intelligence and threat assessment to ship hardening and the guarding and
protection of people and property (whether armed or unarmed) or any activity for which the Company
Personnel may be required to carry or operate a firearm in the performance of their duties
3.8
Montreux document
document which reaffirms the obligations on states to ensure that private military and security
companies operating in armed conflicts comply with international humanitarian and human rights law
Note 1 to entry: IMO has similarly stated that because Montreux applies in situations of armed conflict, it is not
relevant to the operations of piracy and armed robbery at sea.
3.9
personnel
persons working for a PMSC whether as a full time or part time employee or under a contract, including
its staff, managers and directors
3.10
risk assessment
overall process of risk identification, risk analysis and risk evaluation
[SOURCE: ISO Guide 73, definition 3.4.1]
3.11
firearms
portable barrelled weapon from which projectile(s) can be discharged by an explosion from the confined
burning of a propellant and the associated ammunition, related ancillaries, consumables, spare parts
and maintenance equipment used by security personnel at sea
3.12
security
process to pre-empt and withstand intentional, unauthorised act(s) designed to cause harm, damage
or disruption
3.13
home state
state of nationality of a PMSC, i.e. where a PMSC is domiciled, registered or incorporated
3.14
coastal state
state of nationality of the area of transit within coastal waters, including nationality of ports visited
3.15
security management objective
specific outcome or achievement required of security in order to meet the security management policy
3.16
security management policy
overall intentions and direction of an organization, related to the security and the framework for
the control of security-related processes and activities that are derived from and consistent with the
organization’s policy and legal and regulatory requirements
3.17
security related equipment
protective and communication equipment used by security personnel at sea
3.18
supernumerary
status of PCASP contracted by PMSCs at sea that are neither regular crew nor passengers, are directed
by a team leader and are under the overall authority of the Master of the ship
Note 1 to entry: Supernumeraries should be declared as such on a crew list.
3.19
team leader
designated leader of the personnel contracted to provide security services aboard the ship
3.20
threat assessment
assessment by the client, by the PMSC or by international experts and organizations on the potential
risks from piracy or other dangers to a specific transit or to operations more generally
3.21
top management
person or group of people who direct and control an organization at the highest level
4 Security management system elements for Private Maritime Security Companies
4.1 General requirements
4.1.1 Understanding the PMSC and its context
The organization should determine and document relevant external and internal factors. These include
the international and national legal and regulatory environment including licensing and export/import
requirements, the political, the natural and physical environment, the role, perceptions and risk
tolerance of the client and other interested parties as well as key international developments and trends
in the home state, flag and coastal states and areas of operation. The organization should also evaluate
and document elements that might impact on its management of risk including its own organization and
lines of authority for operations, its capabilities in delivering objectives and policies, and the contribution
of partners and subcontractors. The evaluation should include the particular circumstances of each
operation or transit and the attendant risk factors for the organization.
The organization should also incorporate and take notice and actions as necessary on the significant
elements in the risk analysis of the ship-owner which has prompted consideration of the use of PCASP,
and the legal requirements of the flag state and the need for prior approval to deploy PCASP. The
organization should determine how this applies to its planning needs and expectations and that it is
reflected in its own risk assessment. The organization should demonstrate its understanding of the
interaction of these elements within its context.
4.1.2 Understanding the needs and expectations of interested parties
The organization should identify and maintain a register of the interested parties that are relevant to
the organization’s operations and the related legal and regulatory requirements, taking account of the
perceptions, values, needs, interests and risk tolerance of the interested parties.
It is important for the PMSC to understand that before contracting for their services, a ship-owner will
have carried out a “risk assessment”. The PMSC should then determine how this applies to them and
demonstrate how it impacts on needs and expectations.
The organization should consider risk criteria that may impact on interested parties as follows:
a) the overall risk policy of the organization, and of the client, and their risk tolerance;
b) the inherent uncertainty of operating at sea in an area with high risk of piracy;
c) the nature of the likely threats and consequences of an incident on its operations, reputation
and business;
d) the impact of an incident; and
e) the impact of the combination of a number of risks.
4.1.3 Determining the scope of the security management system
The organization should determine the boundaries and applicability of the security management system
to establish its scope.
The scope should be available as documented information.
In addition to the security management systems requirements specified in ISO 28000, the organization
should determine the scope of the security management system, including coverage of any subordinate
bodies, regional bodies or subcontracted entities.
4.1.4 Security management system
The organization should establish, implement, maintain and continually improve a risk based security
management system.
4.1.5 Leadership and commitment
Top management should demonstrate leadership and commitment with respect to the security
management system by:
a) ensuring that the security policy and security objectives are established and are compatible with
the strategic direction of the organization;
b) ensuring the integration of the security management system requirements into the organization’s
business processes;
c) providing sufficient resources to deliver, implement, review and continually improve the security
management system;
d) communicating the importance of effective security management and of conforming to the security
management system requirements;
e) compliance with legal and regulatory requirements and other requirements to which the
organization subscribes;
f) ensuring that the security management system achieves its intended outcome(s);
g) directing and supporting persons to contribute to the effectiveness of the security management system;
h) promoting continual improvement;
i) supporting other relevant management roles to demonstrate their leadership as it applies to their
areas of responsibility.
NOTE Reference to “business” in this Publicly Available Specification should be interpreted broadly to mean
those activities that are core to the purposes of the organization’s existence.
4.1.6 Competence
Top management should demonstrate and document the skills and experience, and professional
capability to provide the leadership and play their roles in oversight of security operations at sea and
specifically the protection of persons aboard the ship against unlawful attack, using only that force
which is strictly necessary, proportionate and reasonable. The organization should:
a) determine the necessary competence on the basis of qualifications, training and relevant and
appropriate experience of person(s) doing work under its control that affects its security performance;
b) have established and documented procedures as regards leadership, chain of authority, change in
command in the event of illness or incapacity of a key operational figure including the team leader
and as regards life saving;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness
of the actions taken;
d) have established procedures to develop guidance for the use of force based on the consideration of
several scenarios and providing a graduated response plan;
e) have a documented, robust and auditable health, safety and environmental policy;
f) have written testimonials from previous clients relating to the organization’s delivery of its security
performance at sea and/or in other relevant circumstances, where the company has a history of
related service delivery;
g) have a process for post incident actions to support state authority investigations/prosecutions
should a formal investigation be required; and
h) retain appropriate documented information as evidence of competence.
4.1.7 Organizational roles, responsibilities and authorities
Roles, responsibilities and authority in the organization should be established and documented from
top management to command and control of the PCASP, with a pre-established progression in lines of
authority taking account of any possible absence or incapacity.
In providing maritime security, for personnel and assets as detailed in a contract, such as in Annex A or
similar, such roles for the organization may include:
a) risk assessment and security advice for the client as to the most effective deterrent, whether armed
personnel, ship hardening and/or technology or a combination of measures, whether in general or
for a specific transit;
b) an intelligence assessment as to the evolving situation in the proposed area of operations;
c) observation and monitoring of activity in the operating area, including advice to the Master on
routeing in the light of an evolving threatening situation;
d) deployment of PCASP;
e) responsibility for the embarkation, inventory, and secure storage of firearms and ammunition
associated with the deployment of a PCASP;
f) security advice to the Master and under his authority, training of (non PCASP) personnel aboard in
emergency procedures response to a threat, including recourse to a citadel;
g) first aid and casualty care and help with evacuation;
h) preservation of evidence and protecting a crime scene as far as practicable;
i) supporting the Master in reports to international liaison and flag state authorities;
j) supporting the Master in reports to the client;
k) collation of post incident reports and the response made as a contribution to lessons learned;
l) robust arrangements for the provision of visas, travel documents and security identity
documentation, as well as any necessary licences required.
All roles carried out by the organization and its PCASP should be as defined in the relevant documentation.
4.1.8 Culture and ethics
The organization should:
a) have an accessible, written Code of Business Ethics and Code of Conduct;
b) be able to demonstrate that personnel are conversant with its ethical policies, procedures and plans
and that these are regularly reviewed and updated.
4.1.9 Structure of the organization
The organization should have a clearly defined management structure showing control and accountability
at each level of the operation which should:
a) define and document ownership and a place of registration of the organization;
b) identify and document top management and their past history and relevant experience;
c) define and document that the organization is registered as a legal entity or part of a legal entity, and
where appropriate, the relationship between the organization and other parts of that same legal entity;
d) define and document any subordinate bodies, regional offices, joint venture partners and their
places of incorporation and relationship to the overall management structure; and
e) define and document any operational bases, logistics or storage facilities used in support of the operations
of the organization and the jurisdiction that applies and/or whether they are on the high seas.
4.1.10 Financial stability of the organization
The organization should be able to demonstrate its financial stability, debt profile, any unserved criminal
or fraud charges by its top management or other history that might impact on its operations and on
interested parties.
The organization should be able to document its financial stability by way of:
a) latest financial accounts supplemented with management accounts;
b) banker’s references or similar national equivalents as required;
c) company structure and place of registration;
d) company ownership.
4.1.11 Outsourcing and subcontracting
The organization should have a clearly defined and documented process to explain the circumstances
under which it outsources activities, functions or operations and its supply chain. The organization
should take responsibility for activities outsourced to another entity and have a legally enforceable
agreement covering such arrangements including:
a) commitment by a subcontracted entity to abide by the same obligations, legal, regulatory and ethical
as the organization’s, including those under this Publicly Available Specification;
b) confidentiality and conflict of interest agreements;
c) the identification and documentation of its logistics chain and the risk potential from that logistics
chain including arrangements for the licensing and export/import of firearms and security material.
4.1.12 Insurance
The organization should demonstrate that it has sufficient insurance to cover risks and associated
liabilities arising from its operations and activities, consistent with contractual requirements. An
example is shown in Annex A. When outsourcing or subcontracting services, activities or functions,
or operations, the organization should ensure the subcontracted or outsourced entity has appropriate
insurance cover for those activities.
The organization should provide documentary evidence that they consider and provide insurance or
equivalent as appropriate to the contract, for the duration of the contract in the proposed areas of
operations, as follows:
a) general liability insurance for third party claims of bodily injury or property damage;
b) professional liability insurance for negligent acts arising from professional loss, bodily injury or
property damage;
c) employers liability (including maritime employers liability). The organization should establish with
the client and underwriters the need to review all provisions in their own property and liability
insurance policies to cover the deployment of a PCASP and firearms aboard;
d) workers compensation as applicable;
e) personal accident insurance (tropical disease, accidental death, temporary or permanent disability)
with medical and evacuation expenses; and
f) any other coverage as indicated by the risk assessment.
As firearms and other security related equipment are to be part of the contracted plan, the organization
should insure their personnel to carry and use firearms on such voyages for accident, injury and damage
arising from the use of firearms, and for liability that might arise from the carriage and/or intentional
use or negligent misuse of firearms.
The organization may also consider other liabilities.
4.2 Planning
4.2.1 Security management policy
The organization should operate a security management system such as ISO 28000 or similar.
The organization should establish and be able to demonstrate ongoing evaluation of its compliance with
the security management system and the need for continual improvement.
Top management should define and document:
a) the organization’s commitment to a security management policy;
b) the organization’s ability to provide services to meet client needs in conformity with applicable and
relevant international and national law and regulatory requirements;
c) its commitment to a risk management approach to business planning.
The security management policy should also:
1) be available to all interested parties;
2) allow a client reasonable scope to perform due diligence for the management of the services retained;
3) be communicated publicly so all interested parties have easy access to it within the organization;
4) comply with applicable and relevant international and national laws, codes and regulatory
requirements.
4.2.2 Actions to address risks and opportunities
The organization should consider risk criteria that may impact its operations as follows:
a) identify risks from predictable and unpredictable threats which can impact on the activities,
business and reputation of the business or those of interested parties;
b) systematically evaluate and prioritize risk controls, management, mitigation and treatments and
their cost effectiveness;
c) be kept under review and regularly updated in the light of the context of operations of the
organization;
d) continually evaluate the effectiveness of risk treatment options post incident and after training
or exercises;
e) ensure that the risk assessment is taken into account in carrying through the security
management system;
f) identify applicable risk requirements for any subcontracted entities.
The organization should also formally record its objectives and targets for the management of risk by
preventing and deterring threats. This should include commitments to:
1) minimize risk by adequate preparation and resilience;
2) provision of security for employees and contracted or subcontracted personnel and as set out in a
contract and under the authority of the Master for crew and passengers against external threats;
3) comply with legal and other regulatory requirements;
4) protect tangible and intangible assets as provided for in a contract;
5) continued improvement.
4.2.3 Security objectives and plans to achieve them
The organization should establish security objectives at relevant functions and levels, with the aim of
managing risk by reducing the probability of events, minimising the effects of incidents and mitigating
the consequences by adequate preparation and resilience. Legal and regulatory requirements should be
identified and incorporated into the security objectives.
The security objectives should:
a) be consistent with the security management policy;
b) be measurable (wherever practicable);
c) take into account applicable requirements;
d) be monitored;
e) be communicated; and
f) be updated as appropriate.
The organization should retain documented information on the security objectives.
When planning how to achieve its security objectives, the organization should determine:
1) what will be done;
2) what resources will be required;
3) what jurisdictions will be covered;
4) who will be responsible;
5) when it will be completed;
6) how the results will be evaluated.
4.2.4 Legal, statutory and other regulatory requirements
The organization should identify and incorporate into the security management system all legal and
regulatory requirements, as well as any applicable Codes and Conventions. These should form part of
contract negotiations with a client to take account of differing jurisdictions and statutory requirements
as between home, flag, coastal and port states. An example of a contract is given in Annex A.
The organization should establish, implement and maintain procedures to:
a) identify applicable and relevant international and national legal, regulatory and other
requirements related to its activities and those of any subcontractors, functions, clients, contracts
and areas of operations;
b) identify relevant and applicable international and national laws and agreements which include but
are not limited to the:
1) applicable and relevant requirements of UNCLOS and maritime law;
2) laws and regulations of the home states and flag and coastal states, recognizing that any
decision whether to allow a PCASP aboard is the prerogative of the flag state;
NOTE Article 92 of UNCLOS refers to the flag state’s exclusive jurisdiction on the high seas and article 94
refers to “duties of the flag state”.
3) applicable national laws relating to the procurement, carriage including export and import
licensing, storage, use and disposal of firearms and security related equipment;
4) conventions and laws relating to bribery, corruption and graft;
5) employment law and human rights obligations and any other commitments to which the
organization may subscribe.
The organization should ensure that its procedures provide for the following and consider how these
requirements apply to its operations, including the availability of specialist maritime legal advice on a
24 h basis, and in particular:
i) appropriate prior approval from the flag state as regards the deployment of PCASP;
ii) appropriate prior approval and any licence necessary as regards deployment of PCASP from the
home state;
iii) appropriate prior approval as regards the deployment of PCASP from countries in which operations
are conducted or managed, or countries through which PCASP may transit;
iv) appropriate prior approval and licences for the transport, carriage, storage of firearms and security
related equipment from, into or through a state;
v) specific prior approval and licence for the storage of firearms and security related equipment from
the flag state aboard for any period longer than a single transit.
The organization should record this information and keep it up to date. Relevant information on legal
and regulatory requirements should be communicated to persons working on its behalf and who are
part of the supply chain and/or subcontracted.
4.2.5 Authorization and licensing of firearms and security related equipment
The organization should establish and document its processes for compliance with home state, local
and flag state laws as regards the procurement, licensing and transhipment of firearms for each transit.
Processes should also be established and documented for the licensing of individuals to use such firearms
in the areas of operations where this is required under home, flag state or local national state (e.g. port,
transit) laws. These processes should include a detailed plan of this process for provision to the client.
The organization should:
a) acquire and maintain legal authorisations for the possession, export and transhipment of firearms
and ammunition required by applicable national and international law;
b) ensure documentary evidence is available to prove that firearms are procured, transported,
embarked and disembarked legally;
c) ensure that where firearms are to be transported across international boundaries, or where they
are being held on board ship (in accordance with the laws of the relevant flag states), between
coastal and port states they are in possession of all the required authorisations covering all
elements of the operation;
d) have a central record of all firearms and ammunition held, by type, serial number and location
detailing movement, issue, receipt, maintenance, modification, usage and disposal history;
e) have robust and legally compliant arrangements for the safe and secure storage and movement of
firearms when not in use. This should include written agreements for storage ashore, with military,
naval or law enforcement bodies of recognized state governments;
f) comply with any home or flag state or local requirements in respect of identifying and licensing
individuals who will use such firearms, including “end user certificates” where national laws apply;
g) secure the necessary written authority from the flag state and where appropriate, the coastal state,
for holding stocks of firearms and ammunition on the high seas or offshore.
The organization should also:
h) ensure that firearms issued to security teams are adequate for the task of deterring, and if necessary
defending against Pirate Action Group attacks (footnote 1);
i) have detailed procedures for regular and frequent checks of firearms, ammunition and other
security related equipment, and for investigating discrepancies;
j) ensure that where firearms and ammunition are being transported they are held in secure
containers, and procedures exist for the recovery of all firearms and ammunition at the conclusion
of the operation;
k) maintain records detailing the issuing and receipt of firearms, ammunition and equipment to
personnel, showing the individuals to whom issued; serial numbers of firearms and equipment and
the quantities and types of ammunition held;
l) have procedures to detail how ammunition is to be accounted for on deployed operations and
reconciled on completion of a transit;
m) have procedures that cover arrangements for the safe testing and zeroing of firearms and for
live-firing exercises on board prior to undertaking assigned security tasks;
n) ensure that their personnel only use licensed firearms and ammunition as stipulated in the contract;
o) have procedures for the regular maintenance of firearms and security equipment to ensure they
remain fit and safe for purpose;
p) establish and agree procedures with the Master as regards the designated areas aboard where
firearms may or may not be carried, together with further agreed procedures about the state of
firearms readiness;
q) establish and agree procedures with the Master as regards safe area loading and unloading of
firearms and security related equipment.
4.3 Resources
4.3.1 General
The resources available should include information, management tools, human resources including
people with relevant experience and specialist skills and knowledge, and financial support. In doing so,
the organization should ensure that it is complying with applicable and relevant legal and regulatory requirements and
meeting its designed objectives and targets.
4.3.2 Selection, background screening and vetting of security personnel
The organization should establish and document procedures for background screening and vetting of
all security related persons working on its behalf to ensure they are fit and proper and qualified for
the tasks they will carry out. Selection of qualified personnel should be based on specific competencies
and criteria defined by the organization including knowledge, applicable and relevant military, law
enforcement or equivalent experience, skills, abilities and attributes.
Wherever possible and legally permissible under human rights and data protection laws, the screening
should provide for:
a) consistency with both legal and contractual requirements;
b) identity, minimum age and personal history requirements;
Footnote 1) Firearms should be high velocity and have sufficient effective range (minimum 500 m) and sights to allow
effective deterrence by the firing of warning shots, and be equipped with enough ammunition to enable the team to
defend the ship effectively. The minimum amount of ammunition allocated should be as per the risk assessment.
c) review of employment history;
d) criminal background checks;
e) military and security service background checks;
f) assessment of medical, physical and mental fitness of personnel (this may include psychometric
testing and/or written evidence from a health professional);
g) history of drugs or alcohol abuse;
h) ongoing vetting to establish continued suitability for security operations in high risk areas which
might involve the use of firearms;
i) assessment of fitness to carry firearms as part of assigned duties;
j) review of relevant experience and specific certification in the use of firearms to be deployed;
k) relevant documentation including for personnel deployed at sea such as a valid seafarer’s medical
certificate or national equivalent.
Other considerations:
1) minimum age requirements may be set by local, home or flag state law. In no circumstances should
any person younger than 18 years of age be employed in duties that might require the use of a firearm;
2) records of the screening process should be maintained, where legally permissible, on personnel files
under strict controls to keep them secure for at least seven years (or as required by local statute).
Contracts of employment should include a requirement for the individual to notify the organization
of any circumstances that might lead to a review of their screening status and possible suspension of
employment in accordance with applicable law.
4.3.3 Selection, background screening and vetting of sub-contractors
The organization is responsible for the work of any subcontractor and liable within applicable law for
their conduct. All subcontracting should be agreed with the client in advance.
The organization should:
a) provide for appropriate written contractual agreements with the subcontractor;
b) advise the client of any such arrangement in writing and where appropriate, obtain client approval;
c) provide written evidence of the chain of authority from the organization to the subcontractor;
d) ensure that full insurance coverage is provided for the activities of the subcontractors;
e) maintain a register of all subcontractors used;
f) maintain a record of subcontractor conformance with the requirements of this Publicly Available
Specification.
4.4 Training and awareness
4.4.1 General
Persons doing work under the organization’s control should be aware of the organization’s security
management policy and objectives, and the contribution they make to the effectiveness of that system
and the benefits of improved performance as well as the adverse implications of not conforming
with the security system requirements.
4.4.2 Training standards
The organization should ensure that all persons performing tasks on its behalf
...
