Below is a brief introduction to the new standard ISO/PAS 28007. The increase in piracy led to an increase in the use of PMSCs, which created the need to standardize this industry. In December 2012 a new ISO standard was issued, ISO/PAS 28007, which belongs to the wider ISO 28000 family, the Supply Chain Security Standard. The title of this new standard is "Guidelines for Private Maritime Security Companies (PMSC) providing privately contracted armed security personnel (PCASP) on board ships (and pro forma contract)".

The ISO/PAS 28007 follows the standard ISO structure:

  1. Scope, describing the applicability of the standard
  2. Normative references (only ISO 28000 is referenced)
  3. Terms and definitions
  4. Security management system elements for Private Maritime Security Companies
  5. Operation
  6. Performance evaluation


Annex A - BIMCO GUARDCON - example contract

The last three parts contain the requirements that have to be implemented and can be audited. The standard follows the structure of all Management System Standards: Planning, Operation and Performance Evaluation.


Section 4 - Security management system elements for Private Maritime Security Companies (PMSC)

It contains 6 clauses:

4.1 General requirements. Understand the context of the PMSC, the needs of interested parties (the shipping company and the marine community in general) and the scope of the management system; requirements about leadership, commitment, competence, responsibilities and authorities, culture and ethics, structure, financial stability and insurance provisions.

4.2 Planning. Planning requires a policy to be developed, a Risk Assessment to be conducted, objectives, targets and plans, consideration of legal requirements, and requirements regarding licensing of firearms and other security equipment.

4.3 Resources. Requirements about the selection, screening and vetting of security personnel and any subcontractors used.

4.4 Training and awareness

4.5 Communication and awareness

4.6 Documented information and records


Section 5 - Operation

According to the Operation Requirements of the Standard, the PMSC has to establish and document procedures for the following clauses:

5.1 - Operational planning and control

5.2 - Command and control of security personnel, size and composition of teams

5.3 - Guidance on the Rules for the Use of Force (RUF)

5.4 - Incident management and emergency response

5.5 - Incident monitoring, reporting and investigation

5.6 - Scene management and protection of evidence

5.7 - Casualty management

5.8 - Health safety environment

5.9 - Client complaints, grievance procedures and whistleblowing


Examples of operational delivery for the SMS include descriptions of duties, briefings, SOPs and "Actions On", and incident response guidelines and procedures.


Section 6 - Performance evaluation

The last part covers the checking requirements and contains 5 clauses:

6.1 Monitoring, measurement, analysis and evaluation. The organization should determine what needs to be monitored, measured and analyzed, and when and how.

6.2 Internal audit. As in all management systems, the organization needs to have procedures for internal audits and to carry them out at regular intervals. The organization also has to check compliance with legal and regulatory requirements.

6.3 Management review. To be conducted at planned intervals.

6.4 Nonconformity and corrective action. Handling of NCs and initiation of corrective action in order to prevent recurrence.

6.5 Achievement of continual improvement. This is the aim of all dynamic management systems, which is to improve the suitability, adequacy and effectiveness of the system.


The certification requirements regarding ISO/PAS 28007

For a company to be certified against ISO/PAS 28007, it must have in place a Security Management System that meets the basic requirements of ISO 28000, which, as previously mentioned, is the generic supply chain security management system standard. This means that the company must have provisions for Security Policy, Risk Assessments, Security Objectives, Security Targets, Security Programs, Implementation & Operation, Checking & Corrective actions and Management Review, thereby achieving Continual Improvement and a Secure Supply Chain.


To conclude, it is clear that the rising threat of piracy in high-risk areas led to an increased need for PMSCs to provide their services to shipping companies. It is estimated that there are now around 400-450 PMSCs operating globally, almost half of them in the UK. The need to standardize the industry led to the issuing of ISO/PAS 28007. As the market matures, organizations are trying to differentiate themselves. Achieving accredited certification against this standard therefore gives a PMSC an advantage in differentiating itself, reducing the complexity of the regulations and managing security risks, which is the ultimate aim. Lloyd's Register Quality Assurance Limited (LRQA) is offering this certification scheme to PMSCs and is currently undergoing a pilot with UKAS to get the ISO 28007 accreditation.

The above article is an edited version of Dr. Kyrikos Faraklas's presentation during the 2013 SAFETY4SEA Athens Forum.
