ASIS INTERNATIONAL

Quality Assurance and Security Management for Private Security Companies Operating at Sea - Guidance

ANSI/ASIS PSC.4-2013

AMERICAN NATIONAL STANDARD
1625 Prince Street
Alexandria, Virginia 22314-2818
USA
+1.703.519.6200
Fax: +1.703.519.6299
www.asisonline.org
ASIS International (ASIS) is the preeminent
organization for security professionals, with more
than 38,000 members worldwide. Founded in 1955,
ASIS is dedicated to increasing the effectiveness and
productivity of security professionals by developing
educational programs and materials that address
broad security interests, such as the ASIS Annual
Seminar and Exhibits, as well as specific security
topics. ASIS also advocates the role and value of the
security management profession to business, the
media, governmental entities, and the general public.
By providing members and the security community
with access to a full range of programs and services,
and by publishing the industry’s number one
magazine, Security Management, ASIS leads the way
for advanced and improved security performance.
For more information, visit www.asisonline.org.
ANSI/ASIS PSC.4-2013
an American National Standard

QUALITY ASSURANCE AND SECURITY MANAGEMENT FOR PRIVATE SECURITY COMPANIES OPERATING AT SEA – GUIDANCE

A management systems approach for maritime private security service providers operating at sea

Approved January 29, 2013


American National Standards Institute, Inc.

ASIS International

Abstract
This Standard provides guidance for the implementation of the ANSI/ASIS PSC.1-2012, Management System for Quality
of Private Security Company Operations - Requirements with Guidance and/or the ISO 9001:2008, Quality management
systems – Requirements or the ISO 28000:2007, Specification for security management systems for the supply chain standards.
The guidance enables Private Maritime Security Companies (PMSCs) to implement these management systems
which contain auditable criteria for private security company operations at sea. This Standard enables organizations
operating at sea to implement the auditable requirements of the ANSI/ASIS PSC.1 and/or the ISO 9001 or ISO 28000
based on the Plan-Do-Check-Act model for third-party certification of PMSCs working for any client.

NOTICE AND DISCLAIMER


The information in this publication was considered technically sound by the consensus of those who engaged in the
development and approval of the document at the time of its creation. Consensus does not necessarily mean that
there is unanimous agreement among the participants in the development of this document.

ASIS International standards and guideline publications, of which the document contained herein is one, are
developed through a voluntary consensus standards development process. This process brings together volunteers
and/or seeks out the views of persons who have an interest and knowledge in the topic covered by this publication.
While ASIS administers the process and establishes rules to promote fairness in the development of consensus, it
does not write the document and it does not independently test, evaluate, or verify the accuracy or completeness of
any information or the soundness of any judgments contained in its standards and guideline publications.

ASIS is a volunteer, nonprofit professional society with no regulatory, licensing or enforcement power over its
members or anyone else. ASIS does not accept or undertake a duty to any third party because it does not have the
authority to enforce compliance with its standards or guidelines. It assumes no duty of care to the general public,
because its works are not obligatory and because it does not monitor the use of them.

ASIS disclaims liability for any personal injury, property, or other damages of any nature whatsoever, whether
special, indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of,
application, or reliance on this document. ASIS disclaims and makes no guaranty or warranty, expressed or implied,
as to the accuracy or completeness of any information published herein, and disclaims and makes no warranty that
the information in this document will fulfill any person’s or entity’s particular purposes or needs. ASIS does not
undertake to guarantee the performance of any individual manufacturer or seller’s products or services by virtue of
this standard or guide.

In publishing and making this document available, ASIS is not undertaking to render professional or other services
for or on behalf of any person or entity, nor is ASIS undertaking to perform any duty owed by any person or entity to
someone else. Anyone using this document should rely on his or her own independent judgment or, as appropriate,
seek the advice of a competent professional in determining the exercise of reasonable care in any given
circumstances. Information and other standards on the topic covered by this publication may be available from other
sources, which the user may wish to consult for additional views or information not covered by this publication.

ASIS has no power, nor does it undertake to police or enforce compliance with the contents of this document. ASIS
has no control over which of its standards, if any, may be adopted by governmental regulatory agencies, or over any
activity or conduct that purports to conform to its standards. ASIS does not list, certify, test, inspect, or approve any
practices, products, materials, designs, or installations for compliance with its standards. It merely publishes
standards to be used as guidelines that third parties may or may not choose to adopt, modify or reject. Any
certification or other statement of compliance with any information in this document should not be attributable to
ASIS and is solely the responsibility of the certifier or maker of the statement.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any
form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written
consent of the copyright owner.

Copyright © 2013 ASIS International

ISBN: 978-1-934904-46-6


FOREWORD
The information contained in this Foreword is not part of this American National Standard (ANS) and has not been
processed in accordance with ANSI’s requirements for an ANS. As such, this Foreword may contain material that has
not been subjected to public review or a consensus process. In addition, it does not contain requirements necessary
for conformance to the Standard.
ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory
requirements are designated by the word shall and recommendations by the word should. Where both a mandatory
requirement and a recommendation are specified for the same criterion, the recommendation represents a goal
currently identifiable as having distinct compatibility or performance advantages.

About ASIS
ASIS International (ASIS) is the preeminent organization for security professionals, with more than 38,000 members
worldwide. ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing
educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and
Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security management
profession to business, the media, government entities, and the public. By providing members and the security
community with access to a full range of programs and services and by publishing the industry’s No. 1 magazine –
Security Management – ASIS leads the way for advanced and improved security performance.

The work of preparing standards and guidelines is carried out through the ASIS International Standards and
Guidelines Committees and governed by the ASIS Commission on Standards and Guidelines. An ANSI accredited
Standards Development Organization (SDO), ASIS actively participates in the International Organization for
Standardization. The Mission of the ASIS Standards and Guidelines Commission is to advance the practice of security
management through the development of standards and guidelines within a voluntary, nonproprietary, and consensus-based
process, utilizing to the fullest extent possible the knowledge, experience, and expertise of ASIS membership, security
professionals, and the global security industry.

Suggestions for improvement of this document are welcome. They should be sent to ASIS International, 1625 Prince
Street, Alexandria, VA 22314-2818, USA.

Commission Members
Charles A. Baley, Farmers Insurance Group, Inc.
Jason L. Brown, Thales Australia
Michael Bouchard, Sterling Global Operations, Inc.
John C. Cholewa III, CPP, Mentor Associates, LLC
Cynthia P. Conlon, CPP, Conlon Consulting Corporation
William J. Daly, Control Risks Security Consulting
Lisa DuBrock, Radian Compliance
Eugene F. Ferraro, CPP, PCI, CFE, Business Controls, Inc.
F. Mark Geraci, CPP, Purdue Pharma L.P., Chair
Bernard D. Greenawalt, CPP, Securitas Security Services USA, Inc.
Robert W. Jones, Socrates Ltd
Glen Kitteringham, CPP, Kitteringham Security Group, Inc.
Michael E. Knoke, CPP, Express Scripts, Inc., Vice Chair
Bryan Leadbetter, CPP, Bausch & Lomb
Marc H. Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative
Jose M. Sobrón, United Nations
Roger D. Warwick, CPP, Pyramid International
Allison Wylde, London Metropolitan University Business School

At the time it approved this document, the PSC.4 Standards Committee, which is responsible for the development of
this Standard, had the following members:

Committee Members
Committee Chairman: Marc H. Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative
Committee Secretariat: Susan Carioti, ASIS International

Frank Amoyaw, LandMark Security Limited
Deborah Avant, Consultant
Jonathan Bellish, Consultant
Brian Bewley, Tactical Solutions International, Inc.
Dennis Blass, CPP, PSP, Children's of Alabama
Michael Bouchard, CPP, Security Dynamics Group LLC
James Browning, Consultant
Anne-Marie Buzatu, Geneva Centre for the Democratic Control of Armed Forces (DCAF)
Phillip Cable, Maritime Asset Security and Training
Sékou Camara, Ministry of Foreign Affairs
John Casas, PSP, John Casas & Associates, L.L.C.
Stuart Casey-Maslen, Geneva Academy of International Humanitarian Law and Human Rights
Ioannis Chapsos, Centre for Peace and Reconciliation Studies (CPRS)
Andrew Clapham, Geneva Academy of International Humanitarian Law and Human Rights
Eric Davoine, Consultant
Renee de Nevers, Maxwell School, Syracuse University
Bill DeWitt, CPP, SSA Marine, Inc.
Bobby Dominguez, CPP, CISSP, PMP, CRISC, GSLC, PSCU Financial Services, Inc.
Debborah Donnelly, International Association of Maritime Security Professionals (IAMSP)
Jack Dowling, CPP, PSP, JD Security Consultants, LLC
Tanawah Downing, CPP, PSP, PMP, Global Government Services
André du Plessis, Geneva Centre for the Democratic Control of Armed Forces (DCAF)
Johan Du Plooy, CPP, Temi Group
Lisa DuBrock, CPA, CBCP, MBCI, RABQSA-RES, Radian Compliance, LLC
Michael Edgerton, CPP, Good Harbour International
Glynne Evans, Ph.D., Olive Group Ltd
Dimitris Fakiolas, Consultant
Richard Ferraro, Centanni Maritime, Inc.
Windom Fitzgerald, Fitzgerald Technology Group
Bruce Gray, Hornsby de Gray
Laura Hains, CPP, Consultant
Stuart Hattersley, Consultant
Thomas Haueter, Geneva Centre for the Democratic Control of Armed Forces (DCAF)
Alan Hunter, Centre for Peace and Reconciliation Studies
Mark Knight, Montreux Solutions Geneva
Timothy Lindsey, CPP, Sidwell Protection Services
Anthony Macisco, CPP, The Densus Group
Duncan MacLeod, CPP, Battelle Memorial Institute
Nick Maroukis, Triton Risk MSS
Paul McCarthy, Consultant
Allan McDougall, PCIP, CMAS, CISSP, CPP, CSO, PFSO, SSO, Evolutionary Security Management
Oona Muirhead, Security in Complex Environments Group, ADS UK
Vicki Nichols, RABQSA-RES, Consultant
Henri Nolin, CPP, Sun State Specialty K9S Inc.
Rodney Pettus, The Jones Group
Russ Phillips, MMTS Group
Werner Preining, CPP, CMAS, Interpool Security Ltd
William Prentice, Marine Security Initiatives, Inc.
Erik Quist, EOD Technology, Inc. (EODT)
Ian Ralby, Ph.D., I.R. Consilium
James Rapp, 3rg Security
David Reindrop, Ministry of Defence
Chris Rossis, Argonaut Security LTD
Michael Segkos, Sea Guardian (SG) Ltd.
Samantha Sheridan, Triton International Ltd
Jeffrey Slotnick, CPP, PSP, Setracon, Inc.
Leslie Smith, Securewest International
J. Stewart, Intelsat
Laurie Thomas, University of Findlay
Jonathan Tipton, Triskelion
Ilijana Todorovic, Consultant
Lloyd Uliana, Bosch Security Systems, Inc.
Roger Warwick, CPP, UNI
Jerry Williams, Aegis Defence Services Ltd

Working Group Members
Working Group Co-Chairs:
Co-Chair: Marc H. Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative
Co-Chair: Ian Ralby, Ph.D., I.R. Consilium

Frank Amoyaw, LandMark Security Limited
Dennis Blass, CPP, PSP, Children's of Alabama
Michael Bouchard, CPP, Security Dynamics Group LLC
John Casas, PSP, John Casas & Associates, L.L.C.
Bill DeWitt, CPP, SSA Marine, Inc.
Michael Edgerton, CPP, Good Harbour International
Glynne Evans, Ph.D, Olive Group Ltd
Windom Fitzgerald, Fitzgerald Technology Group
Stuart Hattersley, Consultant
Mark Knight, Montreux Solutions Geneva
Anthony Macisco, CPP, The Densus Group
Duncan MacLeod, CPP, Battelle Memorial Institute
Allan McDougall, PCIP, CMAS, CISSP, CPP, CSO, PFSO, SSO, Evolutionary Security Management
Russ Phillips, MMTS Group
Werner Preining, CPP, CMAS, Interpool Security Ltd
Erik Quist, EOD Technology, Inc. (EODT)
Ian Ralby, Ph.D., I.R. Consilium
James Rapp, 3rg Security
Jeffrey Slotnick, CPP, PSP, Setracon, Inc.
Laurie Thomas, University of Findlay
Jonathan Tipton, Triskelion


TABLE OF CONTENTS
0. INTRODUCTION
0.1 GENERAL
0.2 RESPECT FOR HUMAN RIGHTS AND LEGAL OBLIGATIONS
0.3 AUTHORITIES, OBLIGATIONS, AND RESPONSIBILITIES OF SHIP MASTER AND CLIENTS
0.4 PMSCS OBLIGATIONS AND RESPONSIBILITIES
0.5 MANAGEMENT SYSTEMS APPROACH
1. SCOPE
2. NORMATIVE REFERENCES
3. TERMS AND DEFINITIONS
4. GENERAL PRINCIPLES
5. ESTABLISHING THE FRAMEWORK
5.1 GENERAL
5.2 CONTEXT OF THE ORGANIZATION
5.2.1 Internal Context
5.2.2 External Context
5.2.3 Supply Chain and Subcontractor Node Analysis
5.3 NEEDS AND REQUIREMENTS
5.4 DEFINING RISK CRITERIA
5.5 SCOPE OF THE MANAGEMENT SYSTEM
6. LEADERSHIP
6.1 GENERAL
6.2 MANAGEMENT COMMITMENT
6.3 POLICY
6.4 ORGANIZATIONAL ROLES, RESPONSIBILITIES, AND AUTHORITIES
6.5 CLIENT’S POLICY
7. PLANNING
7.1 LEGAL AND OTHER REQUIREMENTS
7.2 RISK ASSESSMENT
7.2.1 Internal and External Risk Communication and Consultation
7.3 RISK MANAGEMENT OBJECTIVES AND PLANS TO ACHIEVE THEM
7.4 ACTION TO ADDRESS RISK ISSUES AND CONCERNS
8. STRUCTURAL REQUIREMENTS
8.1 ORGANIZATIONAL STRUCTURE
8.2 INSURANCE
8.3 OUTSOURCING AND SUBCONTRACTING
8.4 DOCUMENTED INFORMATION
8.4.1 General
8.4.2 Records
8.4.3 Control of Documented Information
9. OPERATION AND IMPLEMENTATION
9.1 OPERATIONAL CONTROL
9.1.1 General
9.1.2 Establishing Norms of Behavior and Codes of Ethical Conduct
9.2 RESOURCES, ROLES, RESPONSIBILITY, AND AUTHORITY
9.2.1 Personnel
9.2.1.1 Identification – Uniforms and Markings
9.2.2 Selection, Background Screening, and Vetting of Personnel
9.2.3 Selection, Background Screening and Vetting of Subcontractors
9.2.4 Financial and Administrative Procedures
9.2.5 Procurement and Management of Firearms and Other Weapons, Hazardous Materials, and Munitions
9.3 COMPETENCE, TRAINING, AND AWARENESS
9.4 COMMUNICATION
9.4.1 Operational Communications
9.4.2 Command and Control of Onboard Security Team
9.4.3 Risk Communications
9.4.4 Communicating Complaint and Grievance Procedures
9.4.5 Whistleblower Policy
9.5 PREVENTION AND MANAGEMENT OF UNDESIRABLE OR DISRUPTIVE EVENTS
9.5.1 Respect for Human Rights
9.5.2 Rules for Use of Force and Use of Force Training
9.5.2 Environmental, Health, and Safety
9.5.3 Performance of Security Functions
9.5.4 Incident Management
9.5.5 Incident Monitoring, Reporting, and Investigations
9.5.6 Disposition of Unauthorized Persons
9.5.7 Search of Unauthorized Persons
9.5.8 First Aid and Casualty Care
9.5.9 Internal and External Complaint and Grievance Procedures
10. PERFORMANCE EVALUATION
10.1 MONITORING AND MEASUREMENT
10.2 EVALUATION OF COMPLIANCE
10.3 EXERCISES AND TESTING
10.4 NONCONFORMITIES, CORRECTIVE, AND PREVENTIVE ACTION
10.5 INTERNAL AUDIT
10.6 MANAGEMENT REVIEW
10.6.1 General
10.6.2 Review Input
10.6.3 Review Output
11. IMPROVEMENT
11.1 CHANGE MANAGEMENT
11.2 OPPORTUNITIES FOR IMPROVEMENT
11.3 CONTINUAL IMPROVEMENT
A GUIDANCE ON SHIP PROTECTION MEASURES
A.1 ANTICIPATION, AVOIDANCE, AND PREVENTION
A.2 AWARENESS, ALARMS, AND MONITORING
A.3 ELECTRONIC MEASURES
A.4 PHYSICAL PROTECTION
A.5 ARMED PROTECTION
B BIBLIOGRAPHY
B.1 REFERENCES
B.2 MARITIME SPECIFIC REFERENCES
B.3 ASIS INTERNATIONAL PUBLICATIONS
B.4 ISO STANDARDS PUBLICATIONS
B.5 UNITED NATIONS AND INTERNATIONAL HUMAN RIGHTS PUBLICATIONS
B.6 OTHER REFERENCES

TABLE OF FIGURES
FIGURE 1: PDCA MODEL
FIGURE 2: QUALITY ASSURANCE AND SECURITY MANAGEMENT SYSTEM (QASMS) FLOW DIAGRAM
FIGURE 3: PROCESS FOR MANAGING RISK


0. INTRODUCTION

0.1 General
Crime and piracy at sea have become a global menace that threatens not only international trade
but the delivery of vital humanitarian aid to people affected by natural and manmade disasters.
Maritime Private Security Service Providers including Private Maritime Security Companies
(collectively “PMSCs”) are playing an important role in protecting sea-bound assets in
conjunction with the public and private sectors[1]. Ships at sea and offshore installations are
inherently subject to a number of threats and, as part of a variety of legal, regulatory, and
operational requirements, take steps to protect their personnel, assets, and operations. PMSCs
may be engaged to assist in these efforts. PMSCs provide a range of essential services from
assessing risk and providing advice on ship hardening, to the provision of armed guards
aboard ships in high risk areas. The security services provided are intended to
operate within the context of a protective measure and not a measure that is intended to project
the will of the international community or state(s). This guidance Standard is applicable for any
type of PMSC providing security services and operating at sea. The purpose of this guidance
Standard is to improve and demonstrate the quality of services provided by PMSCs while
maintaining the safety and security of their operations and clients (ship owner and/or charterer)
within a framework that aims to ensure compliance with applicable and relevant international
law (including human rights law), international maritime law, and law of the sea, flag and
coastal state laws (civil and criminal), and commitments under the International Code of Conduct
(ICoC) to respect human rights. This guidance draws on the International Maritime
Organization (IMO) Circulars 1405, 1406, and 1443 which provide interim guidance regarding
the use of private maritime security companies.
This Standard builds on the requirements found in the ANSI/ASIS PSC.1-2012, Management
System for Quality of Private Security Company Operations - Requirements with Guidance and/or the
ISO 9001:2008, Quality management systems – Requirements or ISO 28000:2007, Specification for
security management systems for the supply chain standards. This guidance Standard used in
conjunction with either the ANSI/ASIS PSC.1-2012 and/or the ISO 9001:2008 or ISO 28000:2007
provides a means against which independent third-party auditors and certification bodies can
assess whether a PMSC is fit to provide security services at sea and has a management system
in place to prevent, inhibit, monitor, and mitigate incidents and patterns of behavior aboard
ships at sea that might impact adversely on shipping operations or bring the industry into
disrepute by breaches of applicable and relevant laws and commitments under the ICoC.

1 This standard follows IMO procedure in using the acronym PMSC for Private Maritime Security Companies. This
should not be confused with the same acronym PMSC that has been used by the UN for many years to describe
Private Military and Security Companies and is used inter alia by the General Assembly, the Human Rights Council
and a specialist Intergovernmental Working Group on Private Military and Security Companies. This standard does
not apply to private military companies.

PMSCs have become important elements for supporting clients in the prevention and
suppression of piracy and other threats. PMSCs are companies that provide security services on
ships during transits and voyages and other critical times. PMSC operations face a certain
amount of risk due to their need to address threats related to criminal acts against ships, those
on board, and cargo during attempts to damage, board, or control the ship. Furthermore,
PMSCs operate in a unique and complex operating environment which includes international
laws and regulations, the movement between different coastal state jurisdictions, and the legal
issues surrounding operations on the high seas. The challenge is to determine how to cost-
effectively manage risk while meeting the organization’s strategic and operational objectives
within a framework that protects the safety and security of internal and external stakeholders
including clients. PMSCs need to conduct their business and provide services in a manner that
complies with international, national, coastal and flag state laws and local statutory and
regulatory law, as well as the authority of the Master. PMSCs and their clients have an
obligation to carry out due diligence to prevent incidents, mitigate and remedy the
consequences of incidents, document and report them when they occur, and take corrective and
preventive actions to avoid a reoccurrence.
Organizations seeking independent third-party certification can use the guidance in this
Standard in conjunction with the requirements of either the ANSI/ASIS PSC.1-2012 and/or
ISO 9001:2008 or ISO 28000:2007, to demonstrate to clients, flag states, and national authorities
that the PMSC is in conformance with the ANSI/ASIS PSC.1-2012 and/or ISO 9001:2008 or ISO
28000:2007 standards. The guidance of this Standard is intended to be incorporated into any
organization’s management system based on the Plan-Do-Check-Act (PDCA) model; it is not
intended to promote a uniform approach to all organizations. The design and implementation
of quality assurance plans, procedures, and practices should take into account the particular
requirements of each organization and their clients.

0.2 Respect for Human Rights and Legal Obligations


PMSCs assist clients by providing deterrence and protective measures for the protection of
personnel as well as the ship and its operations in accordance with the contract. In addition to
the role played by PMSCs, state forces are involved in the suppression of piracy and counter-
piracy operations, including the detainment and prosecution of pirates. Armed response or use
of firearms and other weapons as a response should be avoided in preference to protective and
deterrence measures, including those described in current good management practices for
ships, which are applicable wherever piracy and armed assault present a threat. Appropriate
protective and defensive measures by onboard PMSCs are paramount, with less-than-lethal or
non-lethal options used first, and the use of firearms and other weapons or armed response
being used as a measure of last resort.
In providing protection, the PMSC is governed by various laws, regulations, and ethical norms
associated with the use of force. PMSCs should take account of the relevant and applicable
international, national, coastal and flag state laws and local statutory and regulatory law, in
establishing their rules for the use of force, recognizing the individual's inherent right to self-
defense. Because clients and their security teams have the obligation to comply with legal and
regulatory requirements, the provisions for rules for the use of force should be set out in the
contract between the client and the PMSC, which should also specify the unambiguous rules to
apply for a specific transit in terms of the laws of the flag and coastal states of the ship which
are relevant to the ship’s operations. The contract should specify that measures to assure the
safety and security of the ship and those on board must be proportionate, that primary
emphasis should be placed on deterrence and if force is necessary, there should be a graduated
approach. Provisions in the contract should consider:
a) Compliance with applicable and relevant provisions of international law, international
maritime law, and law of the sea;
b) Laws and regulations of national, coastal and flag states; and
c) International employment law and conventions.
The ANSI/ASIS PSC.1-2012 makes reference to the Montreux Document (2008) which
encapsulates relevant rules of international law and good practices for PSC operations during
armed conflicts. The ICoC provides principles for PSCs to abide by in regions of weakened
governance and disaster areas. Though the ICoC does not specifically address the maritime
environment, the principles on which it rests, including respect for human rights, are applicable
in the maritime environment. Therefore, clients and PMSCs have a shared responsibility to
assure conformance with the principles on which the ICoC rests². Therefore, in applying this
Standard, key concepts should be considered as follows:
a) Respect for human rights;
b) Respect for relevant and applicable principles of international maritime law and law of
the sea, as well as the relevant and applicable principles articulated in international
humanitarian and human rights law;
c) Respect for the applicable and relevant international, national, coastal and flag state, and
local statutory and regulatory laws associated with the ship, those on board the ship, its
cargo and the legitimate and appropriate employment of persons;
d) Measures to assure the security and safety of the ship and those on board are
proportional to the level of risk;
e) Non-violent and non-lethal measures should be applied first; and
f) When taking steps to deter or dissuade hostile action against the ship or those on board,
such responses should use the minimum force necessary.
This standard, used in conjunction with the ANSI/ASIS PSC.1-2012, can help PMSCs to
demonstrate to clients that they can provide services that are reliable, professional, and
consistent with the ICoC. Furthermore, it provides a framework for PMSCs to define their
operations within the maritime environment where legal requirements are complex.

2 The Montreux document restates rules of international law and provides a set of good practices for States and their
obligations to ensure that private military and security companies operating in circumstances of armed conflict
comply with international humanitarian and human rights law. Though the Montreux document does not address
the maritime environment, the good practices for contracting states, described in Part Two of the Montreux
Document, should be considered as guidance by clients in their contracting practices with PMSCs.


0.3 Authorities, Obligations, and Responsibilities of Ship Master and Clients
The shipmaster (Master) has the ultimate responsibility for the security and safety of the ship,
those on board, its cargo, and command of the ship. The decisions of the Master are expected to
be guided by those that possess appropriate knowledge, skills, experience, and training.
Therefore, the Master has the overall authority and responsibility to make decisions with
respect to the safety and security of the ship and to request the assistance of PMSCs, clients,
and/or naval forces as may be necessary. According to Safety of Life at Sea (SOLAS) the Master
retains authority over the PMSC and its use of force, in accordance with the contract.
Individuals within PMSC security teams retain their inherent right of self-defense.
The Master ensures that the ship complies with international, national, coastal and flag state,
and local statutory and regulatory laws, in addition to company policies, and compliance with
the ship's security plan as required by the ISPS Code. The Master is also ultimately responsible,
under SOLAS, for aspects of operation such as the security and safe navigation of the ship,
assuring seaworthiness of the ship, management of all personnel and crew, appropriate
handling of all cargo, inventory of ship's cash and stores, and maintaining the ship's certificates
and documentation.
The Master and designated Ship Security Officer (SSO), Company Security Officer (CSO),
and/or Vessel Security Officer (VSO), in accordance with the International Ship and Port Facility
(ISPS) Code are responsible for:
a) Implementation and maintenance of a Ship Security Plan;
b) Managing and monitoring ship’s security systems and processes; and
c) Training and motivating crew to perform security duties.
The client (owner or operator of the vessel) is responsible for informing the flag state,
underwriters, charterers, and the protection and indemnity club that it will be engaging the
services of PMSCs and whether they will be unarmed or armed. The Master serving as the
client’s “agent of necessity” is directed (as part of the instructions of the client) as to whether or
not PMSCs will be on board.
The client, or Master on his behalf, is responsible to:
a) Obtain the latest information regarding potential deliberate, accidental, or natural
threats to the ship, those on board, its cargo, and its operations. This includes contacting
reporting centers that are involved in activities associated with the protection of
commercial shipping in the route of the transit (e.g., Maritime Security Centre Horn of
Africa and NATO Shipping Center), as well as other relevant information sources;
b) Review the Ship Security Assessment and preparation and implementation of the Ship
Security Plan as required by the ISPS Code;
c) Based on the current threat assessment, set the appropriate security level in accordance
with the ship security plan, company guidelines, or at the direction of the relevant legal
authority;
d) Prepare an Emergency Communication Plan including emergency contact numbers and
prepared message;
e) Ensure the Ship Security Plan is in place for the passage through high risk areas at the
designated security level;
f) Plan the route through the high risk areas, based on the risk assessment;
g) Ensure, as applicable to the service being provided, that it has clearly delineated in the
contract any parameters associated with the loading, embarking, issuance, control, use
(including under the rules for the use of force), disembarkation, and – if necessary –
emergency destruction of any weapons brought on board;
h) Provide a safe and secure location for the storage of firearms, other weapons, and
ammunition, as well as relevant optics and ancillaries onboard the ship;
i) Verify the inventory of firearms and other weapons. Keep a copy in a safe place;
j) Conduct training and briefing of those on board and security operatives that reflects
both the specific circumstances of the transit and the nature of the contract and
respective roles, and attention to the obligations for respect for human rights;
k) Conduct debriefing sessions post transit;
l) Ensure that guidance and advice associated with good management practices (and other
guidance as appropriate) is considered as a baseline requirement and incorporated to
the extent possible without compromising the safety or security of those on board. This
does not preclude the need for other security measures to be implemented where
warranted by the risk assessment;
m) Ensure the size of the security team is consistent with the risk assessment and that the total
number of persons on board does not exceed the ship’s safe manning certificate;
n) Establish an incident reporting mechanism consistent with legal requirements; and
o) Maintain continuous oversight, monitoring, assessment, and improvement.
The Master has overall authority and responsibility for safety of the ship, its cargo, and those on
board. This includes the authority and responsibility:
a) To authorize the use of force to protect those on board from the threat of crime or piracy;
b) For the safety, well-being, and legal treatment of any unauthorized persons including
stowaways or pirates that have been apprehended;
c) For the safe navigation of the ship;
d) To abide by applicable and relevant international, national, coastal and flag state, and
local statutory and regulatory laws including UNCLOS and SOLAS;
e) The apprehension and detention of persons pursuing criminal acts against the ship and
its human and physical assets;
f) Incident reporting and preservation of evidence;
g) To determine whether the ship will respond to a distress signal; and
h) To follow good management practices for addressing the threat of crime and piracy,
including ensuring the ship is sufficiently hardened, any citadel is fit for service and has
ample supplies and HVAC controls, and that the ship appropriately communicates to
relevant authorities regarding its presence in any high risk areas, as well as any threats
perceived or delivered in that area.

Defined and documented procedures for the use of force, in accordance with international,
national, coastal and flag state, and local statutory and regulatory laws, should be agreed in
advance between the PMSC and the client, for specific transits. The Master cannot order PMSC
personnel to open fire outside the agreed upon rules for the use of force or jurisdictional law.
The Master’s authority to order the PMSC to cease-fire does not negate the individual’s right to
self-defense in accordance with national and international laws. PMSC personnel have the right
to use force, proportional to the threat presented, in order to prevent loss of life or serious injury
to themselves or others.

0.4 PMSCs Obligations and Responsibilities


PMSCs also have specific obligations and responsibilities that should be considered when
applying this standard. Obligations and responsibilities of PMSCs include:
a) Ensuring that the PMSC and persons working on its behalf abide by applicable and
relevant international, national, coastal and flag state, and local statutory and regulatory
laws at all times;
b) Ensuring the PMSC operates in accordance with the contract and persons working on its
behalf on board the ship operate at all times under the authority of the Master;
c) Ensuring persons working on its behalf are adequately screened/vetted;
d) Ensuring persons working on its behalf are appropriately trained and equipped;
e) Advising the Master in a timely fashion regarding threats to the ship and recommending
countermeasures, including:
i. Preparing the ship, with the participation and contribution of the ship's crew,
against threats and potential or actual disruptive incidents in accordance with
the contract;
ii. Agreeing and documenting in advance precise lines of authority and procedures
in the event of a threat or disruptive incident;
iii. Advising possible routing changes in the light of evolving intelligence reports
and international liaison; and
iv. Ensuring all incidents are appropriately documented and reported, particularly
in the use of force or escalation of force.
f) The legal transport and handling of firearms and other weapons, including the
maintenance of inventory documents and evidence of compliance with export control
and counter proliferation regulations;
g) Ensuring all relevant licenses – including those for the security personnel and firearms
and other weapons – are in place and are consistent with the law of the coastal and flag
state;
h) Ensuring that their personnel respect and do not violate human rights;
i) Validating a threat, where practicable, before applying appropriate use of force;
j) Ensuring that all of the rights and legal protections of security teams are respected; and
k) Abiding by good practices applicable to the industry.
The size and composition of the security team and equipment used by the PMSC should be
determined in consultation with the shipowner. Considerations should include:
a) A security risk assessment for the ship’s voyage, type of ship, threat environment of
passage route, and necessary redundancies in the case of injury or illness;
b) Based on the risk assessment, and in consultation with the shipowner and Master, a
decision regarding necessary protective measures for the voyage, including the need for
armed security and equipment;
c) A clear hierarchy within the security team;
d) An appropriate skill and experience mix to address the tasks set out in the contract,
including competence in risk assessments, protection measures, relevant languages, and
medical aid;
e) Appropriate medical equipment and expertise to provide medical aid;
f) The appropriate type, carriage, and use of firearms and all other weapons to allow for a
graduated level of deterrence when the decision is made to deploy armed security; and
g) Appropriate equipment, procedures, and training for the documentation and
preservation of evidence in the event of an incident.

0.5 Management Systems Approach


The management systems approach encourages organizations to analyze organizational and
stakeholder requirements and define processes that contribute to success. A management
system provides the framework for continual improvement to increase the likelihood of
enhancing the quality of services while assuring the respect for human rights. It provides
confidence to both the organization and its clients that the organization is able to manage its
safety, security, and legal obligations.
The management systems approach considers how local policies, culture, actions, or changes
influence the state of the organization as a whole and its environment. The component parts of
a system can best be understood in the context of relationships with each other, rather than in
isolation. Therefore, a management system examines the linkages and interactions between the
elements that compose the entirety of the system. The management systems approach
systematically defines activities necessary to obtain desired results and establishes clear
responsibility and accountability for managing key activities. This management systems
standard provides guidance for establishing, implementing, operating, monitoring, reviewing,
maintaining, and improving an organization's management system for quality assurance of
private security services.
The management system will enable PMSCs to analyze the requirements of clients and
international obligations and define the processes that contribute to success. It also provides the
framework for continual improvement in safety and security in order to enhance the quality of
services the PMSC can deliver while meeting its legal obligations. The PMSCs which have
adopted other management systems such as ANSI/ASIS SPC.1-2009, ANSI/ASIS PSC.1-2012,
ISO 9001:2008, ISO 14001:2004, ISO/IEC 27001:2005, ISO 28000:2007, or OHSAS 18001:2007 can
use their existing management system as a foundation for this security management system.
The management systems approach presented in this Standard encourages its users to
emphasize the importance of:
a) Understanding an organization’s risk, security, safety, legal and human rights
requirements;
b) Establishing a policy and objectives to manage risks;
c) Implementing and operating controls to manage an organization’s risk and security
requirements within the context of applicable and relevant international, national,
coastal and flag state, and local statutory and regulatory laws, and the respect for human
rights as articulated in the principles of the ICoC;
d) Monitoring and reviewing the performance and effectiveness of the Management
System, administratively and operationally; and
e) Continual improvement based on objective measurement.
This Standard adopts the PDCA model, which is applied to structure the quality assurance
processes. Figure 1 illustrates how a management system takes as input the quality assurance
and security management requirements and expectations of the stakeholders, and through the
necessary actions and processes produces quality assurance and risk management outcomes
that meet those requirements and expectations. Figure 1 also illustrates the links in the
processes presented in this Standard.

[Figure 1: PDCA Model. A Plan-Do-Check-Act cycle centered on Continual Improvement. Plan: Define & Analyze a Problem and Identify the Root Cause. Do: Devise a Solution; Develop Detailed Action Plan & Implement It Systematically. Check: Confirm Outcomes Against Plan; Identify Deviations and Issues. Act: Standardize Solution; Review and Define Next Issues. Input side: Stakeholders and Interested Parties; Quality assurance management requirements and expectations. Output side: Stakeholders and Interested Parties; Managed Quality Assurance and Risk.]

PLAN (establish the management system): Establish management system policy, objectives, processes, and procedures relevant to managing quality and improving risk management to deliver results in accordance with an organization’s overall policies and objectives.

DO (implement and operate the management system): Implement and operate the management system policy, controls, processes, and procedures.

CHECK (monitor and review the management system): Assess and measure process performance against management system policy, objectives, and practical experience and report the results to management for review.

ACT (maintain and improve the management system): Take corrective and preventive actions, based on the results of the internal management system audit and management review, to achieve continual improvement of the management system.

The PDCA model is a clear, systematic and documented approach to:


a) Set measurable objectives and targets;
b) Monitor, measure, and evaluate progress;
c) Identify, prevent, or mitigate problems as they occur;
d) Assess competence requirements and train persons working on the organization’s
behalf; and
e) Provide top management with a feedback loop to assess progress and make appropriate
changes to the management system.
Furthermore, it contributes to information management within the organization, thereby
improving operational efficiency.
Conformance with this Standard can be verified by an auditing process that is compatible and
consistent with the methodology of ANSI/ASIS SPC.1-2009, ANSI/ASIS PSC.1-2012, ISO
9001:2008, ISO 14001:2004, ISO/IEC 27001:2005, ISO 28000:2007, OHSAS 18001:2007, and the
PDCA Model.

Figure 2 illustrates the management systems approach used in ANSI/ASIS PSC.1-2012 and this
Standard.

Figure 2: Quality Assurance and Security Management System (QASMS) Flow Diagram


Quality Assurance and Security Management for Private Security Companies Operating at Sea – Guidance

1. SCOPE
This Standard provides guidance for PMSCs to implement the ANSI/ASIS PSC.1-2012,
Management System for Quality of Private Security Company Operations – Requirements with
Guidance and/or the ISO 9001:2008, Quality management systems – Requirements or the ISO
28000:2007, Specification for security management systems for the supply chain standards. It provides
the guidance for a Quality Assurance and Security Management System (QASMS) for Maritime
Private Security Service Providers including Private Maritime Security Companies (collectively
“PMSCs”) to provide quality assurance in all security related activities and functions while
demonstrating accountability to law and respect for human rights.
This Standard provides a framework for establishing, implementing, operating, monitoring,
reviewing, maintaining, and improving the management of their products and services. It is
particularly applicable for any type of PMSC operating in a high risk environment at sea.
This Standard is applicable to any PMSC that needs to:
a) Establish, implement, maintain, and improve a QASMS;
b) Assess its conformity with its stated quality assurance and security management policy;
c) Demonstrate its ability to consistently provide services that meet client needs and are in
conformance with applicable international, national, coastal and flag state, and local
statutory and regulatory laws, as well as respect for human rights as articulated in the
principles in the ICoC;
d) Provide a means whereby PMSC clients can conduct their own due diligence for the
management of services retained from PMSCs;
e) Demonstrate conformity with the ANSI/ASIS PSC.1-2012 and/or ISO 9001:2008 or ISO
28000:2007 by:
1) Making a self-determination and self-declaration;
2) Seeking confirmation of its conformance by parties having an interest in the
organization (such as clients);
3) Seeking confirmation of its self-declaration by a party external to the
organization; or
4) Seeking certification/registration of its QASMS by an independent and accredited
external organization³.

3 Organizations seeking third-party certification must do so with a certification body accredited to the ISO/IEC
17021:2011 Conformity assessment – Requirements for bodies providing audit and certification of management systems and the
ANSI/ASIS PSC.2-2012, Conformity Assessment and Auditing Management Systems for Quality of Private Security
Company Operations.

The generic principles and requirements of the ANSI/ASIS PSC.1-2012, Management System for
Quality of Private Security Company Operations - Requirements with Guidance and/or ISO 9001:2008,
Quality management systems – Requirements or ISO 28000:2007, Specification for security
management systems for the supply chain standards are intended to be incorporated into any
organization’s management system based on the PDCA model; it is not intended to promote a
uniform approach to all organizations in all sectors. The design and implementation of quality
assurance plans, procedures, and practices should take into account the particular requirements
of each organization: its objectives, context, culture, structure, resources, operations, processes,
products, and services.

2. NORMATIVE REFERENCES
The following documents contain information which, through reference in this text, constitutes
foundational knowledge for the use of this American National Standard. At the time of
publication, the editions indicated were valid. All material is subject to revision, and parties are
encouraged to investigate the possibility of applying the most recent editions of the material
indicated below.
a) ANSI/ASIS PSC.1-2012, Management System for Quality of Private Security Company
Operations - Requirements with Guidance.⁴
b) ISO 9001:2008, Quality management systems – Requirements.⁵
c) ISO 28000:2007, Specification for security management systems for the supply chain.⁵
d) International Code of Conduct for Private Security Service Providers (ICoC)⁶ (11/2010).
e) International Convention for the Safety of Life at Sea (SOLAS)⁷ (1974), including the ISPS
code.
f) United Nations Convention on the Law of the Sea (UNCLOS)⁸ (1982).

Additional guidance documents are included in the bibliography, including IMO circulars that
provide interim guidance for the use and provision of services of private maritime security companies,
which includes information that has been integrated into this document.

4 Available at < www.asisonline.org >.
5 This document is available from the International Organization for Standardization.
< http://www.iso.ch/iso/en/prods-services/ISOstore/store.html >
6 Available at
< http://www.icoc-psp.org/uploads/INTERNATIONAL_CODE_OF_CONDUCT_Final_without_Company_Names.pdf >.
7 Available at < http://www.imo.org/OurWork/Security/Instruments/Pages/ISPSCode.aspx >.
8 Available at < http://www.un.org/Depts/los/convention_agreements/texts/unclos/unclos_e.pdf >.

3. TERMS AND DEFINITIONS

The terms and definitions given in the ANSI/ASIS PSC.1-2012, Management System for Quality of
Private Security Company Operations - Requirements with Guidance, and/or ISO 9001:2008, Quality
management systems – Requirements or ISO 28000:2007, Specification for security management
systems for the supply chain, standards apply.

NOTE: The reader is encouraged to read through the terms and definitions prior to reading the body of the
document.

3.1 client
Organization or person that receives a product or service.
NOTE: In this standard, client refers to the ship owner and/or charterer.
(ANSI/ASIS PSC.1-2012)

3.2 event
An occurrence or change of a particular set of circumstances. [ISO Guide 73:2009]
NOTE 1: Nature, likelihood, and consequence of an event cannot be fully knowable.
NOTE 2: An event can be one or more occurrences, and can have several causes.
NOTE 3: Likelihood associated with the event can be determined.
NOTE 4: An event can consist of a non-occurrence of one or more circumstances.
NOTE 5: An event with a consequence is sometimes referred to as “incident”.

3.3 firearm
Any portable barreled weapon from which a projectile can be discharged by an explosion from the confined burning of a propellant.
NOTE: All references to firearms include the associated ammunition, consumables, spare parts, and maintenance equipment for their use.

3.4 human rights
Integrity of persons and their rights and fundamental freedoms under international and national law and consistent with the principles of the ICoC, as well as relevant IMO Circulars.

3.5 less-lethal weapons
Weapons, devices, and munitions that continue to pose a great risk of lethal injury but the intent is not to cause death or bodily harm and do not measure up to the definition of “likely” in a court environment.

3.6 non-lethal weapons
Weapons, devices, and munitions that are explicitly designed and primarily employed to immediately incapacitate targeted personnel or materiel, while minimizing fatalities, permanent injury to personnel, and undesired damage to property in the target area or environment. Non-lethal weapons are intended to have reversible effects on personnel and material.

3.7 organization
Group of people and facilities with an arrangement of responsibilities, authorities, and relationships. [ISO 9000:2005]
NOTE 1: An organization can be a government or public entity, company, corporation, firm, enterprise, institution, charity, sole trade or association, or parts or combinations thereof.
NOTE 2: In this standard, the organization refers to the private maritime security company (PMSC).


3.8 piracy Piracy consists of any of the following acts:
a) any illegal acts of violence or detention, or any act of
depredation, committed for private ends by the crew or the
passengers of a private ship or a private aircraft, and directed:
i. On the high seas, against another ship or aircraft, or
against persons or property on board such ship or
aircraft;
ii. Against a ship, aircraft, persons, or property in a place
outside the jurisdiction of any State;
b) Any act of voluntary participation in the operation of a ship or of
an aircraft with knowledge of facts making it a pirate ship or
aircraft;
c) Any act of inciting or of intentionally facilitating an act described
in subparagraph (a) or (b).9
NOTE 1: Crews or passengers of a private ship or aircraft
refers to a ship not under the control of the state.
NOTE 2: Acts of violence in the maritime environment,
including intentional and unlawful acts against ships, those
on board and its cargo – as well as armed robbery and
attempts to board and control the ship – conducted in areas
that are beyond the territorial waters or effective jurisdiction
of any state, as well as against offshore installations and
other maritime interests.
NOTE 3: For purposes of this standard, armed robbery at
sea and terrorist acts are considered acts of piracy.
3.9 quality assurance and Systematic and coordinated activities and practices through which an
security management system organization manages its operational and security risks, and the
(QASMS) associated potential threats and impacts therein; consistent with respect
for human rights, legal obligations, and good practices.

3.10 quality assurance and Ongoing management and governance process supported by top
security management management, resourced to ensure that the necessary steps are taken to
program identify the root causes of potential undesirable and disruptive events to
minimize their likelihood and consequences; maintain viable adaptive,
proactive, and reactive strategies and plans; and promulgate safety and
security of their operations and clients within a framework that aims to
ensure respect for international, national, coastal and flag state, and local
statutory and regulatory laws, and human rights; thorough planning,
exercising, testing, training, maintenance, and assurance.

9 <http://www.un.org/Depts/los/convention_agreements/texts/unclos/closindx.htm>


3.11 risk Effect of uncertainty on objectives. [ISO Guide 73:2009]


NOTE 1: An effect is a deviation from the expected – positive
and/or negative.
NOTE 2: Objectives can have different aspects such as financial,
health, safety, and environmental goals and can apply at
different levels – such as strategic, organization-wide, project,
product, and process.
NOTE 3: Risk is often characterized by reference to potential
events, consequences, or a combination of these and how they
can affect the achievement of objectives.
NOTE 4: Risk is often expressed in terms of a combination of the
consequences of an event or a change in circumstances, and the
associated likelihood of occurrence.
3.12 risk treatment Process to modify risk. (ISO Guide 73:2009)
NOTE 1: Risk treatment can involve:
• Avoiding the risk by deciding not to start or continue
with the activity that gives rise to the risk;
• Taking or increasing risk in order to pursue an
opportunity;
• Removing the risk source;
• Changing the likelihood;
• Changing the consequences;
• Sharing the risk with another party or parties (including
contracts and risk financing); and
• Retaining the risk by informed choice.
NOTE 2: Risk treatments that deal with negative consequences
are sometimes referred to as “risk mitigation”, “risk elimination”,
“risk prevention”, and “risk reduction”.
NOTE 3: Risk treatment can create new risks or modify existing
risks.
3.13 self-defense The use of reasonable force in defense of oneself or others. [ANSI/ASIS-
PSC.1-2012]
NOTE: Deadly force should only be used in self-defense or the
defense of others, when it reasonably appears necessary to
prevent the commission of a serious offense involving violence
threatening death or serious bodily harm.
3.14 ship Any man-made vessel or structure capable of being manned, of any size
or type, built for navigation or buoyancy on, over, or under water.

3.15 top management Person or group of people who directs and controls an organization at the
highest level. [ISO 9000:2005]


3.16 use of force continuum The force applied may be increased or decreased as a continuum relative
to the response of the adversary, using the amount of force required to
compel compliance. [ANSI/ASIS-PSC.1-2012]
NOTE 1: The amount of force used should be the minimum
amount needed to eliminate the threat presented, thereby
minimizing the risk and severity of any injury that may occur.
NOTE 2: Escalation/de-escalation of force response with a level
of force should be appropriate to the situation at hand,
acknowledging that the response may move from one part of the
continuum to another in a matter of seconds.
3.17 weapon Any legal, licensed, or authorized instrument or device capable of
inflicting bodily harm or physical damage or for coercive influencing of
behavior used for the protection of the ship in self-defense.
NOTE: Security-related equipment includes protective and
communication equipment for use by PMSC.

4. GENERAL PRINCIPLES
The goal of a QASMS is to support the provision of security services in a maritime environment
in a manner that enhances human safety and security as well as the protection of assets (both
tangible and intangible) while complying with international, national, coastal and flag state, and
local statutory and regulatory laws, as well as respecting human rights. PMSCs need to conduct
operations – and achieve client’s objectives – by managing risks to all stakeholders, including all
persons working on its behalf, persons on board the ship, and their clients. The intent is to
minimize the likelihood and consequences of a disruptive or undesirable event (e.g., any event
that has the potential to cause loss of life, harm to tangible or intangible assets, or negatively
impact human rights and fundamental freedoms of internal or external stakeholders) by
prevention, when possible; mitigating the impact of an event; through effective and efficient
response, documentation, and reporting when an event occurs; by maintaining an agreed level
of performance; by assuring accountability after the event; and by implementing measures to
prevent a recurrence.
The general principles described in the ANSI/ASIS PSC.1-2012, Management System for Quality of
Private Security Company Operations are relevant to the implementation of this Standard.

5. ESTABLISHING THE FRAMEWORK

5.1 General
The organization should establish, document, implement, maintain, and continually improve a
QASMS in accordance with the requirements of ANSI/ASIS PSC.1-2012, Management System for
Quality of Private Security Company Operations - Requirements with Guidance and/or ISO 9001:2008,
Quality management systems – Requirements or ISO 28000:2007, Specification for security
management systems for the supply chain, and determine how it will fulfil these requirements. The
organization should continually assess and improve its effectiveness in accordance with those
requirements.
Where the organization chooses to subcontract or outsource any process or an activity that
affects the conformity with the requirements of ANSI/ASIS PSC.1-2012 and/or ISO 9001:2008 or
ISO 28000:2007, the organization should ensure and accept control and accountability over the
operations of subcontractors in the performance of such processes. Control of such
subcontracted or outsourced processes or activities should be identified and managed within
the QASMS. Subcontractors of outsourced processes or services are also responsible and
accountable for all client, legal, regulatory, ethical, and industry obligations.
NOTE: Subcontracting or outsourcing of any process or activity requires the explicit knowledge and
approval of the client.

5.2 Context of the Organization


The design and implementation of a management system framework is based on an
understanding of the organization and its internal and external context of operation. Therefore,
the organization should define and document its internal and external context, including its
supply chain and subcontractors. These factors should be taken into account when establishing,
implementing, and maintaining the organization’s QASMS, and assigning priorities.
The organization should evaluate internal and external factors that can influence the way in
which the organization will manage risk.

5.2.1 Internal Context


The organization should identify, evaluate, and document its internal context, including:
a) Assets, activities, functions, services, products, and partnerships;
b) Governance and organizational structure;
c) Capabilities in terms of resources and knowledge (e.g., capital, time, people, processes,
systems, and technologies);
d) Information systems, information flows, and decision making processes (both formal
and informal);
e) Intangible assets (brand, reputation, and proprietary information); and
f) Policies and objectives and the strategies to achieve them.

5.2.2 External Context


The organization should define and document its external context, including:
a) Client requirements, relationships, and commitments;
b) The cultural, political, legal, regulatory, technological, economic, natural, and
competitive environment;
c) Contractual agreements, including other organizations within the contract scope;
d) Operational interdependencies;
e) Supply chain, and sub-contractor relationships and commitments;
f) Key issues and trends that may impact on objectives of the organization;
g) Perceptions, values, needs, and interests of stakeholders (e.g., ship owners, insurers,
underwriters, coastal and flag states, international organizations – such as the
International Maritime Organization and the media); and
h) External operational forces and lines of authority.
In establishing its external context, the organization should ensure that the objectives and
concerns of external stakeholders are considered when developing quality assurance and
security management criteria.

5.2.3 Supply Chain and Subcontractor Node Analysis


Managing risks in the supply chain, including subcontractors, requires an understanding of the
PMSC’s culture and environment as well as the context of the global environment of its supply
chain. Each node of the organization’s supply chain involves a set of risks and management
processes.
The organization should identify and document its upstream and downstream supply chain,
particularly its use of subcontractors, to identify significant risks and the potential to cause an
undesirable or disruptive event. Managing supply chain risk should be included in an
organization’s overall quality assurance and security management program where significant
risks have been identified and there is a potential to cause an undesirable or disruptive event.
The organization should define and document the tiers in its supply chain and subcontractors
to include in their quality assurance and security management program.
To manage risks in a supply chain or with subcontractors, the organization needs to know how
each node has the potential to contribute to the risk profile of the organization. Therefore, the
risk factors throughout the supply chain need to be understood and controlled for successful
implementation of the QASMS.

5.3 Needs and Requirements


Top management should ensure that client requirements are identified, evaluated, and met to
achieve the objectives of its contracts and minimize risks.
When identifying client needs and requirements, the organization should determine:
a) Requirements specified by the client;
b) International, national, coastal and flag state, and local statutory and regulatory laws
requirements applicable to the services;
c) Principles and good practices articulated in maritime good practices and the ICoC;
d) Impact and interactions of other PMSCs and client operations;
e) Records and documentation requirements for delivery of services and non-
conformances; and
f) Risk management requirements.


5.4 Defining Risk Criteria


The organization should define and document criteria to evaluate the significance of risk. The
risk criteria should reflect the organization’s values, objectives, and resources. When defining
the risk criteria, the organization should consider:
a) Critical activities, functions, services, products, and stakeholder relationships;
b) The operating environment and inherent uncertainty in operating in a maritime
environment;
c) The potential impact related to a disruptive or undesirable event;
d) Legal and regulatory requirements and other requirements (e.g., contractual obligations,
commitments to principles of the ICoC) to which the PMSC adheres;
e) Insurance and liability implications;
f) The PMSC’s overall risk management policy;
g) Risk criteria of the clients;
h) The nature and types of threats and consequences that can occur to its assets, business,
and operations;
i) How the likelihood, consequences, and level of risk will be determined;
j) Views of and impacts on stakeholders, particularly life, safety, and human rights
obligations;
k) Reputational and perceived risk;
l) Level of risk tolerance or risk aversion of the PMSC and its clients; and
m) How combinations and sequence of multiple risks will be taken into account.

5.5 Scope of the Management System


The PMSC should define and document the scope of its QASMS including the boundaries of the
organization to be included in the QASMS – i.e., the whole organization, or one or more of its
constituent parts. The scope of the QASMS should be defined in terms of and appropriate to its
size, nature, and complexity from a perspective of continual improvement.
In defining the scope, the organization should consider:
a) The organization’s objectives, activities, internal and external obligations (including
those related to stakeholders), and legal responsibilities, and adherence to other codes
such as the ICoC; and
b) The uncertainty in achieving its objectives, including factors that could adversely affect
the operations and activities of the organization within the context of their potential
likelihood and consequences.
The PMSC should define the scope consistent with the need to respect human rights and legal
and regulatory requirements, while protecting and preserving the integrity of the organization,
including relationships with stakeholders.
Where an organization chooses to subcontract or outsource any process that affects conformity,
the organization should ensure that such processes are controlled. The controls and
responsibilities of such outsourced processes should be identified within the scope of the
QASMS.

6. LEADERSHIP

6.1 General
Top management should provide evidence of active leadership for the QASMS by overseeing
its establishment and implementation and motivating individuals to integrate quality assurance
and security management as a central part of the mission of the organization and its culture.

6.2 Management Commitment


Top management of the PMSC should provide evidence of its mandate and commitment to the
development and implementation of the QASMS and continually improving its effectiveness
by:
a) Establishing the quality assurance policy;
b) Communicating to the organization the importance of meeting quality assurance and
security management objectives and conforming to the QASMS policy, its legal
responsibilities, and the need for continual improvement;
c) Providing sufficient resources to establish, implement, operate, monitor, review,
maintain, and improve the QASMS. Resources include people with specialized skills,
equipment, internal infrastructure, technology, information, and financial resources;
d) Ensuring those responsible for the QASMS have the authority and competence to be
accountable for the implementation and maintenance of the management system; and
e) Conducting, at planned intervals, management reviews of the QASMS.

6.3 Policy
Top management should establish a quality assurance and security policy. The policy should:
a) Provide a commitment to avoid, prevent, and reduce the likelihood and consequences of
disruptive or undesirable events;
b) Be consistent with the PMSC’s other policies, including respect for human rights;
c) Provide a framework for setting and reviewing quality assurance and security
management objectives, targets, and programs;
d) Recognize the overall authority of the Master of the ship;
e) Provide a commitment to comply with applicable, international, national, coastal and
flag state, and local statutory and regulatory laws, as well as IMO guidance circulars;
f) Be documented, implemented, and maintained;
g) Be communicated to all appropriate people working for or on behalf of the organization;
h) Be available to stakeholders;
i) Be visibly endorsed by top management;
j) Include a commitment to continual improvement; and
k) Be reviewed at planned intervals and when significant changes or events occur.

6.4 Organizational Roles, Responsibilities, and Authorities


Top management should ensure that the responsibilities and authorities for relevant QASMS
roles are assigned and communicated within the organization.
The organization should appoint one or more individuals within the organization who,
irrespective of other responsibilities, have defined competencies, roles, responsibilities, and
authority for:
a) Ensuring that a QASMS is established, communicated, implemented, and maintained in
accordance with the requirements of this Standard;
b) Identifying and monitoring the needs and expectations of the PMSC’s internal and
external stakeholders, and taking appropriate action to manage these needs and
expectations;
c) Ensuring that adequate resources are made available;
d) Promoting awareness of QASMS requirements throughout the organization; and
e) Reporting on the performance of the QASMS to top management for review and as a
basis for continuous improvement.

6.5 Client’s Policy


Top management should document and communicate to persons working on its behalf the
client’s policy for the contracted security services. The policy should:
a) Be reviewed and confirmed by the client and Master;
b) Reconfirm the role and authority of the Master and SSO in risk environments;
c) Clearly define the parameters for the provision of security services including protective,
non-lethal, and lethal security measures; and
d) Articulate the rules for the use of force.

7. PLANNING

7.1 Legal and Other Requirements


The organization should establish, implement, and maintain procedures to:
a) Identify legal, regulatory, and other requirements to which the organization subscribes
related to its activities, functions, and stakeholders, including the principles articulated
in the ICoC;
b) Identify relevant international agreements and codes which include but are not limited
to the:
1) Requirements of International Maritime Law/Law of the Sea;
2) Voyage-relevant flag and coastal state and applicable nationality laws;
3) International Convention for the Safety of Life at Sea (SOLAS);
4) International Maritime Organization (IMO) Codes;
5) United Nations Conventions (e.g., UN Convention on Law of the Sea and the
ILO Maritime Labour Convention) and other relevant international codes
relating to human rights; and
6) Laws relating to bribery, corruption, and graft.
c) Determine how these requirements apply to its operations.
The organization should document this information and keep it up to date. It should
communicate relevant information on legal and other requirements to persons working on its
behalf and other relevant third parties, including subcontractors.
Any legal and regulatory requirements applicable to the organization’s activities should be
identified and incorporated into the management of the organization’s activities. Statutory
requirements will vary between countries and jurisdictions. The PMSC should ensure that
applicable legal, regulatory, and other requirements to which the organization subscribes are
considered in developing, implementing, and maintaining its QASMS.
Specific legal obligations vary by jurisdiction, as well as geographic location and the type and
nature of operations, as well as the location, type, and nature of the organization’s customers.
Therefore, it is important that the organization be aware of its obligations within the context of
its operating environment, and effectively communicates those requirements to persons
working on its behalf.

7.2 Risk Assessment


The organization should establish, implement, and maintain a formal and documented risk
assessment process for risk identification, analysis, and evaluation, in order to:
a) Identify tactical and operational risks due to intentional, unintentional, and natural
threats that have a potential for direct or indirect consequences on the PMSC’s activities,
assets, operations, functions, and stakeholders, as well as its ability to abide by its
commitment to respect human rights (threat, vulnerability, and criticality analysis);
b) Systematically analyze risk (likelihood and consequence analysis);
c) Determine those risks that have a significant impact on activities, functions, services,
products, supply chain, subcontractors, the environment, and internal and external
stakeholders (significant risks and impacts); and
d) Systematically evaluate and prioritize risk controls and treatments and their related
costs.
The organization should:
a) Document and keep this information up to date and secure;
b) Periodically review whether the quality assurance and security management scope,
policy, and risk assessment are still appropriate given the organization’s internal and
external context;
c) Re-evaluate risks within the context of changes within the organization or made to the
organization’s operating environment, procedures, functions, services, partnerships, and
supply chains;
d) Evaluate the direct and indirect benefits and costs of options to manage risk and
enhance reliability and resilience;
e) Evaluate the actual effectiveness of risk treatment options post-incident and after
exercises;
f) Ensure that the prioritized risks and impacts are taken into account in establishing,
implementing, and operating its QASMS; and
g) Evaluate the effectiveness of risk controls and treatments.
The risk assessment should identify activities, operations, and processes that need to be
managed. Outputs should include:
a) A prioritized risk register identifying treatments to manage risk;
b) Justification for risk acceptance;
c) Identification of critical control points (CCP); and
d) Requirements for supplier and contractor controls.
The organization should apply the ISO 31000:2009, Risk Management – principles and guidelines on
implementation (see Figure 3, based on ISO 31000:2009).

[Figure 3: Process for Managing Risk. Flowchart with the stages Establishing the Context (the external context, the internal context, the risk management context, develop criteria and define the structure), Risk Identification, Risk Analysis, Risk Evaluation, and Risk Treatment, together with Communications & Consultation and Monitor and Review.]


7.2.1 Internal and External Risk Communication and Consultation


The organization should establish, implement, and maintain a formal and documented
communication and consultation process consistent with operational security with internal and
external stakeholders in the risk assessment process to ensure that:
a) Operational objectives and interests of the client (including the persons, organizations,
infrastructure, and/or activities being protected) are understood and clearly defined;
b) Risks are adequately identified and communicated;
c) Interests of other internal and external stakeholders are understood;
d) Dependencies and linkages with subcontractors and within the supply chain are
understood;
e) Quality assurance risk assessment process interfaces with other management disciplines;
and
f) Risk assessment is being conducted within the appropriate internal and external context
and parameters relevant to the organization and its contractors and supply chain.

7.3 Risk Management Objectives and Plans to Achieve Them


The organization should establish, implement, and maintain documented objectives and targets
to manage risks in order to anticipate, avoid, prevent, deter, mitigate, respond to, and recover
from disruptive or undesirable events. Documented objectives and targets should establish
internal and external expectations for the organization, its contractors, and supply chain, which
are critical to mission accomplishment, product and service delivery, and functional operations.
Objectives should be derived from and consistent with the quality assurance and security
management policy and risk assessment, including the commitments to:
a) Respect the overall authority of the Master of the ship;
b) Minimize risk by reducing likelihood and consequence;
c) Provide for the security of persons, assets, and operations in accordance with the
contract;
d) Prevent damage to the natural environment from their operations;
e) Comply with applicable international, national, coastal and flag state, and local statutory
and regulatory laws while conducting the contracted task;
f) Respect for human rights; and
g) Continual improvement.
When establishing and reviewing its objectives and targets, an organization should consider its
financial, operational, and business requirements; the legal, regulatory, and other requirements
(e.g., respect for human rights); its significant risks; its technological options; and the views of
stakeholders.
Targets should be measurable qualitatively and/or quantitatively. Targets should be derived
from and be consistent with the quality assurance and security management objectives and
should be:
a) To an appropriate level of detail;
b) Commensurate to the risk assessment;
c) Specific, measurable, achievable, relevant, and time-based (where appropriate);
d) Communicated to all appropriate persons (e.g., individuals working on behalf of the
PMSC, client, the Master, SSO and other security personnel, crew, passengers,
subcontractors, and supply chain partners) with the intent that these persons are made
aware of their individual obligations; and
e) Reviewed periodically to ensure that they remain relevant and consistent with the
quality assurance and security management objectives and amended accordingly.

7.4 Action to Address Risk Issues and Concerns


The organization should establish, implement, and maintain quality assurance and security
programs for achieving its objectives and risk treatment goals. The programs should be
optimized and prioritized in order to control and treat risks associated with its operations. The
organization should establish, implement, and maintain a formal and documented risk
treatment process, which considers:
a) Removing the risk source, where possible;
b) Removing or minimizing the likelihood of harm;
c) Removing or mitigating harmful consequences;
d) Sharing the risk with other parties, including risk insurance;
e) Accepting risk through informed decision; and
f) Avoiding activities that give rise to the risk.
Top management should:
a) Assess the benefits and costs of options to remove, reduce, or retain risk;
b) Evaluate its quality assurance and security programs to determine if these measures
have introduced new risks; and
c) Periodically review the risk treatment to reflect changes to the external environment,
including legal, regulatory, and other requirements, and changes to the organization's
policy, facilities, information management system(s), activities, functions, products,
services, and supply chain.
Strategies should be dynamic and continually monitored and modified when risk and
operational parameters change. Top management should review strategies with the client
and/or Master to confirm that the determination of quality assurance and security strategies has
been properly undertaken, that they have addressed the likely causes and effects of an
undesirable or disruptive event, and that the chosen strategies are appropriate to meet the
organization’s and client’s objectives within both their risk appetites.

8. STRUCTURAL REQUIREMENTS
The organization should be a legal entity or a defined part of a legal entity, with transparent
ownership such that it can be held legally accountable for all its activities.


8.1 Organizational Structure


A clearly defined management structure should identify roles, responsibilities, authorities, and
accountabilities for its operations and services. The organization should:
a) Document its organizational structure, showing duties, responsibilities, and authorities
of management; and
b) Define and document if the organization is a defined part of a legal entity and the
relationship to other parts of the same legal entity.

8.2 Insurance
The organization should demonstrate that it has sufficient insurance to cover risks and
associated liabilities and contractual indemnities arising from its operations and activities,
consistent with its risk assessment. When outsourcing or subcontracting services, activities,
functions, or operations, the organization should ensure sufficient insurance coverage for the
subcontracted activities.
The organization should provide documentary evidence, furnished upon request to the client,
that they maintain insurances for the duration of the contracted operations, unless to do so
would invalidate the policy. When seeking insurance coverage, the organization should
consider:
a) The policies and limits to be held by the organization should be specified in the contract;
b) The jurisdiction of the policy in the event of a dispute;
c) The territorial limitations;
d) Limitations of indemnity;
e) Coverage of all activities, including use of firearms and other weapons;
f) Medical coverage and treatment of persons working on behalf of the organization and
impacted communities;
g) Repatriation costs;
h) Activities of subcontractors; and
i) Protection of the client.
Types and levels of coverage should be consistent with the risk assessment. Examples of types
of coverage that may be considered include (but are not limited to):
a) Professional indemnity insurance;
b) Public and employers’ liability;
c) Workers’ compensation;
d) Accident and bodily harm;
e) Property damage;
f) Special crimes;
g) Accident, injury, and damage arising from the use of firearms and other weapons;
h) Liability for any claim that might arise from the carriage and/or use of firearms and
other weapons; and
i) Keyman.


All policies should state clearly that the use of firearms and other weapons is specifically
covered for armed vessel protection operations. Other considerations for these policies and
liabilities include:
a) Any knock for knock agreements;
b) Hold harmless agreements;
c) Any waived rights of subrogation;
d) Worldwide territorial limits; and
e) Cargo and those on board defined as third parties.
The organization should demonstrate that it has sufficient insurance to cover risks, associated
liabilities, and contractual indemnities arising from its operations and activities consistent with
contractual requirements and advice from insurance professionals. When outsourcing or
subcontracting services, activities, functions, or operations, the organization should ensure
sufficient insurance coverage for the subcontracted activities. When seeking insurance coverage,
the organization should ensure sufficient levels of coverage, commensurate with the risk,
industry good practice, and/or as specified by the contract for:
a) General liability insurance for third party claims of bodily injury or property damage;
b) Professional liability insurance for negligent acts arising from financial loss, bodily
injury, or property damage;
c) Employers’ liability (including maritime employers’ liability);
d) Personal accident insurance (accidental death, permanent disability);
e) Kidnap and ransom insurance to fully cover persons working on behalf of the
organization and as agreed and defined in the contract in coordination with the client;
and
f) Temporary total disablement, medical and evacuation expenses.

8.3 Outsourcing and Subcontracting


The organization should have a clearly defined process wherein it describes the conditions
under which it outsources activities, functions, or operations. The organization should take
responsibility for all activities outsourced to another entity. The organization should have a
legally enforceable agreement covering outsourcing arrangements including:
a) Commitment by subcontractors to abide by the same obligations as held by the
organization and as described in this Standard;
b) Confidentiality and conflict of interest agreements;
c) Process for documenting and reporting of risks, as well as the occurrence and response
to undesirable and disruptive events;
d) Definition of the support relationship between the contractor and the subcontractor;
e) Clear definition and description of services provided and performed by subcontractor
personnel; and
f) Conformance to the applicable provisions of this Standard.


8.4 Documented Information


8.4.1 General
The QASMS documentation should include:
a) The quality assurance and security policy, objectives, and targets;
b) A description of the scope of the QASMS;
c) A description of the main elements of the QASMS and their interaction, and reference to
related documents;
d) Documented information required for the effective implementation and operation of the
QASMS; and
e) Documents, including records, required by this Standard.

8.4.2 Records
The organization should establish and maintain records to demonstrate conformity to the
requirements of its QASMS. Records include, but are not limited to:
a) Records required by this Standard;
b) Personnel screening;
c) Training records;
d) Process monitoring records;
e) Inspection, maintenance, and calibration records;
f) Pertinent subcontractor and supplier records;
g) Lifecycle records of weapons, ammunition, and hazardous materials;
h) Incident reports;
i) Records of incident investigations and their disposition;
j) Records of complaints and grievances and their disposition;
k) Audit results;
l) Management review results;
m) External communications decisions;
n) Records of applicable legal requirements;
o) Records of significant risk and impacts;
p) Records of management systems meetings;
q) Security, quality assurance, and human rights performance information; and
r) Communications with stakeholders.
The organization should establish, implement, and maintain procedures to protect the
sensitivity, confidentiality, and integrity of records including access to, identification, storage,
protection, retrieval, retention, and disposal of records. Records should be retained for a
minimum of seven years or as otherwise required or limited by law.

8.4.3 Control of Documented Information


Documents required by the QASMS and by this Standard should be controlled. The organization
should establish, implement, and maintain procedures to:
a) Approve documents for adequacy prior to issue;
b) Protect sensitivity and confidentiality of information;
c) Review, update as necessary, and re-approve documents;
d) Record amendments to documents;
e) Make updated and approved documents readily available;
f) Ensure that documents remain legible and readily identifiable;
g) Ensure that documents of external origin are identified and their distribution controlled;
h) Prevent the unintended use of obsolete documents; and
i) Ensure the appropriate, lawful, and transparent destruction of obsolete documents.
Organizations should ensure the integrity of documents by rendering them securely backed-up,
accessible only to authorized personnel, and protected from unauthorized disclosure,
modification, deletion, damage, deterioration, or loss.

9. OPERATION AND IMPLEMENTATION

9.1 Operational Control


9.1.1 General
The organization should identify the activities that are associated with the identified significant
risks and consistent with its quality assurance and security management policy, risk
assessment, objectives, and targets, in order to ensure that they are carried out under specified
conditions, which will enable it to:
a) Comply with legal and other regulatory requirements of the maritime sector;
b) Accomplish the mission while protecting the client’s reputation;
c) Comply with applicable voyage relevant port, flag and coastal state, national and
international laws, including maritime laws and the law of the sea, as well as other
obligations as described in this Standard;
d) Respect human rights;
e) Provide for the security of persons working on its behalf as well as crew and passengers
aboard ships (within the context of the authority of the Master);
f) Implement risk management controls to minimize the likelihood and consequences of a
disruptive or undesirable event; and
g) Achieve its quality assurance and security objectives and targets.
The organization should establish, implement, and maintain documented procedures to control
situations where their absence could lead to deviation from the QASMS policy, objectives, and
targets.

9.1.2 Establishing Norms of Behavior and Codes of Ethical Conduct


The organization should establish, implement, and maintain a Code of Ethical Conduct for
persons working on its behalf. The Code of Ethical Conduct should clearly communicate respect
for human rights and the dignity of human beings, as well as the prohibition of bribery,
conflicts of interest, corruption, and other crimes. The Code of Ethical Conduct should ensure
that all persons working on behalf of the organization understand their responsibilities to abide
by all relevant and applicable laws, and report any abuses of human rights.
The organization should clearly communicate and provide training on the Code of Ethical
Conduct to all persons working on behalf of the organization. The organization should
document and maintain records of communication and training.

9.2 Resources, Roles, Responsibility, and Authority


Top management should make available resources essential to establish, implement, maintain
and improve the QASMS. Resources should include information, management tools, and
human resources – including people with specialist skills and knowledge, and financial
support.
Roles, responsibilities, and authorities should be defined, documented, and communicated in
order to facilitate effective quality assurance and security management, including control,
coordination, and command responsibility with a defined line of succession.
The organization should clearly define and document the roles, responsibilities, and authorities
of the client and Master, recognizing that persons working on behalf of the PMSC should be
considered as supernumerary crew. The organization should ensure that the command
structure between the client, Master, ship’s officers, and the PMSC team is clearly defined and
documented. The command structure and rules for the use of force to apply for any transit
should be agreed and documented between the client and the PMSC at the time of negotiation
of the contract, and be clear to all parties before embarkation. The Master’s role in relation to the
rules for the use of force should be documented and communicated to all appropriate
personnel. The Master, SSO, and crew should be fully briefed by the PMSC Team Leader about the
security team's role aboard, its responsibilities, and the concept of operations.
To effectively deal with disruptive and undesirable events, the organization should establish
planning, security, incident management, response and/or recovery team(s) with defined roles,
appropriate authority, adequate resources including effective and safe equipment, and
rehearsed operational plans and procedures.

9.2.1 Personnel
The organization should retain sufficient personnel with the appropriate competence to fulfill
its contractual obligations. Personnel should be provided with adequate pay and remuneration
including insurance, commensurate to their responsibilities. The organization should protect
the confidentiality of this information as appropriate and provide personnel with relevant
documents in a language that is readily comprehensible for all parties.
The organization should maintain documented information on all personnel:
a) As required by legal and contractual obligations;
b) To maintain contact with individuals and their immediate families;
c) To assist in personnel recovery in event of an incident; and
d) Needed for next of kin notification of injury or death.


The company should protect the personnel records as highly sensitive information and develop
appropriate procedures for their safe and secure storage and retention for a period of seven
years, or as required by law.

9.2.1.1 Identification – Uniforms and Markings


Consistent with the security of their clients and the requirements of law, the organization
should use uniforms and markings to identify its personnel and means of transport as
belonging to the PMSC organization whenever they are carrying out activities in fulfillment of
their contract. This identification should be visible and distinguishable from those used by
others onboard the ship. The organization should establish and document procedures for use of
uniforms and markings, as well as procedures for determining and documenting when such
identification would be inconsistent with the requirements of this clause.

9.2.2 Selection, Background Screening, and Vetting of Personnel


The organization should establish, document, implement, and maintain procedures for
background screening and vetting of all persons working on its behalf to ensure they are fit and
proper for the tasks they will conduct. The organization should establish a verifiable system
ensuring the continued suitability for employment of their personnel (on-going vetting
procedures) consistent with local law. Wherever possible, the screening should include:
a) Consistency with legal and contractual requirements;
b) Identity, minimum age, and personal history verification;
c) Education and employment history review;
d) Military and security services records check;
e) Review of possible criminal records;
f) Review of reports of human rights violations;
g) Evaluation for substance abuse;
h) Physical and mental evaluation for fitness with assigned activities; and
i) Evaluation for suitability to carry weapons as part of their duties (including
documentary evidence of relevant experience and specific certification in the use and
carriage of any firearms and other weapons to be deployed).
Minimum age requirements may be set by local law, laws applicable in the organization’s legal
domicile, or may be required of or by the client. In no case, however, should any person
younger than eighteen years of age be employed in duties that require them to use a firearm or
other weapon.
Screening should include a statement by personnel that nothing in their circumstances would
be in contravention of the organization’s code of ethics, or adherence to the clauses of this
Standard.
Background screening involves the disclosure of highly sensitive information; therefore, the
organization should develop procedures to appropriately and strictly secure the confidentiality
of information both internally and externally. Records should be maintained consistent with
relevant statutes of limitations.

Selection of qualified personnel should be based on defined competency criteria including
knowledge, experience, skills, abilities, and attributes. Both the screening and selection
measures should be consistent with legal and contractual requirements, as well as the principles
contained in the ICoC. The organization should establish a procedure to provide and verify
security identity documentation, and travel documents and visas.

9.2.3 Selection, Background Screening and Vetting of Subcontractors


When the organization subcontracts activities, functions, and operations on a temporary or
continuing basis, this work should be placed with a competent subcontractor. The organization
is responsible for the subcontractor’s work and is liable, as appropriate and within applicable
law, for the conduct of these subcontractors. The organization should:
a) Ensure appropriate written contractual agreements with the subcontractor;
b) Advise the client of the arrangement in writing, and—when appropriate—obtain
approval of the client;
c) Maintain a register of all subcontractors it uses;
d) Communicate the responsibilities of this Standard to the subcontractor; and
e) Maintain a record of evidence of conformance with this Standard for work
subcontracted.

9.2.4 Financial and Administrative Procedures


The organization should develop financial and administrative procedures to support quality
assurance and security management program before, during, and after a disruptive or
undesirable event. Procedures should be:
a) Established to ensure that fiscal decisions can be expedited;
b) In accordance with established authority levels and accounting principles; and
c) Established in consultation and coordination with the client.
Procedures should be established and documented to ensure transparency with regard to
authorizations, consistent with generally accepted accounting procedures, and industry good
practices.

9.2.5 Procurement and Management of Firearms and Other Weapons, Hazardous Materials, and Munitions
The organization should establish documented procedures and records for procurement and
management of firearms and other weapons, hazardous materials, explosives, and munitions,
based on relevant international, national, coastal and flag state, and local statutory and
regulatory laws, mission objectives, and risks identified. Procedures for separate and secure
onboard stowage, deployment, designated onboard areas of carriage, loading and unloading of
firearms and other weapons, and safe areas should be defined under the authority of the
Master. Procedures for firearms and other weapons, hazardous materials, and munitions
should include, but are not limited to:
a) Compliance with registrations, certifications, and permits;
b) Acquisition;
c) Secure storage;
d) Controls over their identification, issue, use, maintenance, return, and loss;
e) Records regarding to whom and when firearms and other weapons are issued;
f) Identification and accounting of all ammunition and weapons (inventory should detail
make, model, caliber, serial number and company end user certificate, and proof of
purchase of all weapons and accessories, as well as details of ammunition and amount);
and
g) Proper disposal with verification.
The organization should establish, maintain, and document procedures that ensure it:
a) Acquires its munitions and equipment – in particular, its firearms and other weapons –
lawfully;
b) Can identify and account for all ammunition;
c) Uses munitions and equipment, in particular firearms and other weapons, that are not
prohibited by international law;
d) Sets criteria for the use of equipment, materials, firearms, and other weapons,
appropriate for the task and operations, within the context of use for self-defense or the
defense of others;
e) Establishes a system of traceability for equipment, materials, firearms, and other
weapons;
f) Creates appropriate provision for the secure storage, issue, maintenance, and use of
equipment, materials, firearms, and other weapons; and
g) Has complied with contractual provisions concerning return and/or disposition of
firearms and other weapons and ammunition.
Possession and use of firearms and other weapons need to be authorized by the organization,
and its subcontractors, as specified in the contract. For persons working on behalf of the
organization, there should be a record of:
a) Proof of authorization to carry firearms and other weapons;
b) A current record of firearms and other weapons training, qualification, and competence;
c) Firearms and other weapons maintenance and testing; and
d) Firearms and other weapons usage.
In developing its procedures the organization should address:
a) Compliance with relevant international, national, coastal and flag state, and local
statutory and regulatory laws pertaining to the transport, carriage and provision of
firearms and other weapons, hazardous materials, explosives, and munitions from
embarkation to disembarkation;
b) Provision of appropriate containers for firearms and other weapons, hazardous
materials, explosives, munitions, and security equipment at the point of transfer to and
from the ship, in compliance with coastal and flag state law;
c) Effective control procedures for separate and secure onboard stowage and deployment
of firearms and other weapons, hazardous materials, explosives, munitions, and security
equipment;
d) Clearly defined and agreed areas aboard where weapons may or may not be carried;
e) Dynamic procedures for the state of weapon readiness (unloaded and magazine off,
magazine on, and firearms and weapon “made safe”, etc.) and safe areas (“loading
bays” or “clearing stations”) for the loading/unloading of weapons;
f) Conditions under which firearms and other weapons may be loaded and made ready for
use;
g) Inventory of firearms and other weapons, hazardous materials, explosives, munitions,
and security equipment for reconciliation on disembarkation; and
h) Clear definition of the Master’s authority and position as final arbiter.

9.3 Competence, Training, and Awareness


The organization should ensure that all persons performing tasks on its behalf, including
employees and subcontractors, have adequate and appropriate training procedures in place to
demonstrate competence in their allocated tasks and activities. Records of that training should
give confidence that the on-board team has been provided with the proper skill set. The
organization should maintain comprehensive, detailed, and auditable records of initial and
ongoing training.
The organization should identify competencies and training needs associated with quality
assurance and security management, particularly the performance of each individual’s
functions, consistent with respect for legal obligations and human rights. It should provide
training or take other action to meet these needs, and should retain associated records.
The organization should establish, implement, and maintain procedures, consistent with the
contract between the PMSC and the client, to ensure all persons performing tasks on its behalf
are aware of:
a) Their roles as supernumerary crew to the ship’s Master, and that arming of personnel is at the
discretion of the Master;
b) The roles of Master, SSO, and the PMSC’s security team leader;
c) Parameters of performance of their functions;
d) Significant hazards, threats and risks, and potential impacts associated with their work;
e) Applicable voyage-relevant international, national, coastal and flag state, and local
statutory and regulatory laws, including relevant codes on shipping and safety of life at sea;
f) Principles and good practices related to respect for human rights;
g) Procedures to reduce the likelihood and/or consequences of a disruptive or undesirable
event, including procedures to respond to and report events;
h) Communications protocols and procedures, including a clear chain of command and
understanding of the role of the Master as the final arbiter;
i) Ship familiarization and relevant voyage information;
j) Lifesaving, safety (first aid including trauma training), firefighting requirements, and
appropriate medical procedures to a recognized national or international standard;
k) Relevant navigation methods, ship security systems, and physical defense arrangements
(e.g., ship hardening, use of citadels);
l) Arrangements for storage, maintenance, and inventory of firearms and other weapons
and ammunition;
m) Rules for the appropriate use of force:
i. Principles and guidelines recognized by the contract, coastal and flag states, and
specific to the voyage;
ii. The right of self-defense;
iii. The circumstances under which firearms and other weapons may be loaded and
made ready for use;
iv. Appropriate use of specific firearms and other weapons and other security
equipment deployed on the ship; and
v. Any incidents involving the use of arms are to be fully logged;
n) Incident response and reporting, including procedures for contingencies in event of
capture of the vessel;
o) Environmental, health, and safety policy of the ship;
p) Ship type and where that ship will be trading, and what legal/practical implications that
might have for their deployment, and in the provisions of the contract with the client as
well as relevant maritime codes and good practices;
q) The company has a documented, robust, and auditable health, safety, security, and
environment policy with regard to incident investigation;
r) The importance of conformity with the QASMS policy and procedures, and with the
requirements of the QASMS;
s) Their roles and responsibilities in achieving conformity with the requirements of the
QASMS; and
t) The potential consequences of departure from specified procedures.
In accordance with flag state and national laws, the organization should provide physical,
mechanical, and live fire training and evaluation for all personnel authorized to carry lethal, less
lethal, or non-lethal weapons in the performance of their duties. A documented level of
competence should be demonstrated with the specific weapons authorized as specified by the
organization, or to a higher level as required by law or contractual obligations.
The organization should build, promote, and embed a quality assurance and security
management culture within the organization that:
a) Ensures the quality assurance and security management culture and respect for human
rights becomes part of the organization’s core values and governance;
b) Makes stakeholders aware of the quality assurance and security management policy and
their role in any plans; and
c) The benefits of improved personal performance.


9.4 Communication
Considering the sensitive nature of operational information and legal restrictions on
information sharing, the organization should establish, implement, and maintain procedures
for:
a) Communicating with staff and employees;
b) Communicating with external stakeholders including its clients, subcontractors,
shipping companies, insurance companies, coastal and flag states, and port authorities –
and the media;
c) Receiving, documenting, and responding to communications from internal and external
stakeholders;
d) Defining and assuring availability of the means of communication during atypical
situations and disruptions; and
e) Regular testing of communications system for normal and abnormal conditions.

9.4.1 Operational Communications


The organization should develop standardized communication procedures to share information
about the security team activity, location, operational and logistic status, relevant threat
information, and incident reporting to company management, clients, flag states, other PMSC
teams, and relevant civil and maritime authorities both on land and at sea. This should include
procedures in keeping with the Safety of Life at Sea Convention (SOLAS) for requesting
assistance, including emergency medical support, from other ships, maritime, and civil
authorities.
The organization should ensure that its security teams can communicate security information in
a manner which can be understood at all levels by other personnel aboard a ship, and that any
ensuing response is understood. The organization should provide a reasonable means for
secure transmission of information to protect its integrity.

9.4.2 Command and Control of Onboard Security Team


In agreement with the client, the organization should clearly define and document the
command structure between ship owner and operator, Master, ship's officers, SSO, and the
security team leader, which should be agreed before embarkation. In addition, the Master and
crew should be briefed about the PMSC’s onboard role, responsibilities, and concept of
operations. The command structure should be understood by all personnel onboard the ship
prior to entering a high risk area.
An explicit and documented command and control structure by the organization should
provide a:
a) Statement that at all times the Master remains in command and is the overriding
authority on board, subject to the individual inherent right of self-defense, and a defined
procedure in the event of the Master being unavailable;
b) Documented set of ship and voyage-specific governance procedures, including
procedures for the conduct of exercises and real incidents;
c) List of duties, expected conduct, and behavior of personnel onboard; and
d) Transparent protocols for communication and consultation, information flow, and
recognizable coordination and cooperation between the organization and the client,
charterer, Master, officers, and crew throughout deployment.
The organization should assure that roles, responsibilities, command structure, and rules for the use
of force to apply for any transit are clearly defined in the contract. Before embarkation, the
PMSC Team Leader should request assurance that the Master, SSO, and crew are familiar with
the role of the onboard PMSC security team. Exercising with the crew prior to entering high
risk areas should reinforce the roles and command structure in order to counter malevolent
acts.

9.4.3 Risk Communications


The organization should decide, based on safeguarding life as the first priority and in
consultation with stakeholders, whether to communicate externally about significant risks and
impacts to stakeholders and document its decision. If the decision is to communicate, the
organization should establish and implement (a) method(s) for this external communication,
alerts, and warnings (including with the media).

9.4.4 Communicating Complaint and Grievance Procedures


Complaint and grievance procedures should be communicated to internal and external
stakeholders. Procedures should minimize obstacles to access caused by language, educational
level, or fear of reprisal, as well as consider needs for confidentiality and privacy.

9.4.5 Whistleblower Policy


The organization should communicate to people working on its behalf, who have reasonable
belief that a nonconformance of this Standard has occurred, their right to anonymously report
the nonconformance internally, as well as externally, to appropriate authorities. The
organization should not take any adverse action against any individual for the act of making a
report in good faith.

9.5 Prevention and Management of Undesirable or Disruptive Events


9.5.1 Respect for Human Rights
The organization should establish, implement, and maintain procedures to treat all persons
with dignity consistent with full respect for human rights, and to report any nonconformances
to appropriate authorities and as required by law. The organization should develop and
communicate to all persons working on its behalf procedures for conduct consistent with the
principles of respect for human rights, as well as any contractual, legal, and regulatory
requirement applicable to the organization’s activities.


9.5.2 Rules for Use of Force and Use of Force Training


The organization should identify competencies and training needs associated with the use of
force, and firearms and weapon-specific training. It should provide ongoing training for the use
of force as well as training for personnel carrying firearms and other weapons. The
organization should verify competence and retain associated records.
The rules for the use of force should be:
a) Agreed and documented in the contract between the client and the organization before
embarkation;
b) In compliance with international, national, coastal and flag state, and local statutory and
regulatory laws;
c) Consistent with the role of Master as ultimate authority; and
d) Consistent with respect for human rights.
It is essential that all persons working on behalf of the organization have an understanding of,
and fully comply with, the rules for the use of force; therefore, use of force training should
include:
a) Reasonable steps to avoid the use of force;
b) Protective and nonviolent means should be applied first;
c) Use of force continuum to resolve threats with minimum necessary force;
d) Use of force complies with applicable international, national, coastal and flag state, and
local statutory and regulatory laws of the ship;
e) Use of force only in agreement with the Master, subject to the individual inherent right
of self-defense;
f) Use of force is proportionate to the threat and appropriate to the situation; and
g) Use of force against persons only in self-defense or defense of others against the
imminent threat of death or serious injury, or to prevent the perpetration of a
particularly serious crime involving grave threat to life, or defense of others in
accordance with the contract.
The organization should establish and provide training on a use of force continuum. At a
minimum, the continuum, or the graduated use of force, should include, but is not limited to:
a) Personnel presence – Presence as deterrence;
b) Warnings – Acoustic and visual warning devices to deter threat actors;
c) Passive measures – Use of physical deterrence measures (e.g., hoses, nets, obstacles);
d) Non-lethal and less-lethal methods – Use of technologies to gain control of a situation;
e) Threat of lethal force – Showing firearms or weapons and communicating the intent to use
them (for example, firing warning shots); and
f) Lethal force – Use of lethal firearms and other weapons to gain control of a situation and
only where absolutely necessary to protect life or prevent serious injury. Use force in
self-defense to stop the threat only when necessary. Targeting should be with due
regard for the safety of bystanders and avoiding collateral damage.


Delay of force, or sequential increase of force, is not required to resolve a situation or threat.
However, persons working on behalf of the organization should attempt to de-escalate applied
force if, and as soon as, the situation and circumstances permit. Persons working on behalf of the
organization should warn adversaries and give them the opportunity to withdraw or cease
threatening actions when the situation or circumstances permit.
The organization should provide for:
a) A system of reporting whenever persons working on behalf of the organization use
weapons in the performance of their duty; and
b) Training to avoid, identify, and report non-conformances in the use of force including
the use of firearms and other weapons, as well as for the mitigation of consequences.

9.5.2 Environmental, Health, and Safety


The organization should establish, implement, and maintain procedures to promote a safe and
healthy working environment, including reasonable precautions to protect people working on
its behalf in hazardous or life threatening operations consistent with legal, regulatory, and
contractual obligations. Procedures should include:
a) Recognition of the Master’s responsibility in providing a safe and healthy working
environment onboard the ship;
b) Assessing occupational health and safety risks to people working on its behalf as well as
the risks to external parties;
c) Hostile environment training;
d) Provision of personal protective equipment, appropriate weapons, and ammunition;
e) Medical and psychological health awareness training, care, and support; and
f) Guidelines to identify and address workplace violence, misconduct, alcohol and drug
abuse, sexual harassment, and other improper behavior.

9.5.3 Performance of Security Functions


The organization should establish, implement, and maintain procedures to support the
performance of security related tasks, including:
a) Situational monitoring, observation, and reporting;
b) Protection of the ship from adversaries;
c) Disarm and search of adversaries for the safety of personnel;
d) Actions on contact/react to direct or indirect fire;
e) First Aid, casualty care, and evacuation;
f) Incident reporting and evidence preservation; and
g) Other task and context specific functions required under the terms of a specific
requirement or otherwise required by client or competent authority.


9.5.4 Incident Management


The organization should establish, implement, and maintain procedures to identify undesirable
and disruptive events that can impact the organization, its activities, services, stakeholders, and
the environment. The procedures should document how the organization will proactively
prevent, mitigate, and respond to events.
When establishing, implementing, and maintaining procedures to expeditiously prepare for,
mitigate, and respond to a disruptive event, the organization should consider each of the
following actions:
a) Safeguard life and assure the safety of internal and external stakeholders;
b) Respect human rights;
c) Prevent further escalation of the disruptive event;
d) Minimize disruption to operations;
e) Notification of appropriate authorities;
f) Protect image and reputation (of the organization and its client); and
g) Corrective and preventative actions.

9.5.5 Incident Monitoring, Reporting, and Investigations


The organization should establish, implement, and maintain procedures for incident monitoring,
reporting, investigations, and disciplinary arrangements. Incidents involving use of force or
weapons, any casualties, physical injuries, allegations of abuse, loss of sensitive information or
equipment, substance abuse, or noncompliance with applicable laws and regulations, should be
reported and investigated with the following steps taken, including:
a) Documentation of the incident should include but is not limited to:
1) Time and location;
2) Events leading up to the incident;
3) Details and chronology of the incident;
4) Personnel involved;
5) Video and photographic evidence, when available;
6) Statements of all witnesses;
7) Human injuries;
8) Material damage; and
9) Tests for substance abuse.
b) Notification of appropriate authorities;
c) Steps taken to investigate the incident;
d) Lessons learned from the incident:
1) Identification of the root causes; and
2) Corrective and preventative actions taken.
e) Any compensation and redress given to the affected parties.
Upon completion of the investigation, the organization should produce in writing an incident
report including the above information, copies of which should be provided to appropriate
stakeholders (e.g., clients and jurisdictional authorities).


Persons working on behalf of the organization should be aware of the responsibilities and
mechanisms for incident reporting, including evidence gathering and preservation. The
incident reporting program should be included in the organization’s training program.
The organization should assure all persons working on its behalf are aware of their
responsibilities and the mechanisms to monitor and report non-conformances and incidents.
Records of non-conformances and incidents should be maintained and retained for a minimum
of seven years or as specified by legal or regulatory requirements.

9.5.6 Disposition of Unauthorized Persons


Organizations should provide training in the disposition of persons in the course of executing
the terms of the contract. This is normally limited to persons detained following an attack
against the ship under the organization’s protection; therefore, training should emphasize that
the responsibility for and the humane treatment of any unauthorized persons rests with the
Master and the client. This training should:
a) Recognize that unauthorized persons are the responsibility of the Master;
b) Stress that the security team may disarm any adversary that has boarded the ship, but the
adversary should be handed forthwith to the Master and as rapidly as possible to
competent authorities ashore; and
c) Include measures for protecting the unauthorized person from attack or violence,
reporting to the client and proper authorities, and transferring unauthorized persons to
competent authority at the earliest opportunity10.
The organization should document the transfer of custody including the unauthorized person’s
identity, alleged offense, and to whom the individual was transferred.

9.5.7 Search of Unauthorized Persons


Organizations should establish standardized procedures for searching unauthorized persons
that are consistent with the dignity and humane treatment of persons being searched while
assuring the safety of clients, property under protection, and the safety of organization
personnel and bystanders. Training should consider the appropriate level of search so that
searches of persons are minimally invasive.

9.5.8 First Aid and Casualty Care


All personnel should receive initial and recurrent training in first aid and casualty care with
special emphasis on immediate response to traumatic injury following an attack or accident.
Training should be conducted to an accepted standard. Minimally, training should include
casualty stabilization, preparation, and request for evacuation. Training should also include
prioritizing casualties for treatment based on severity of injury, without regard for
friendly/enemy status, race, ethnic background, or other discrimination. Organizations should
ensure that individuals and security teams are equipped with the materials necessary to
provide immediate treatment and stabilization of survivable traumatic injuries while awaiting
casualty evacuation.

10 Pending practical transfer to the appropriate authorities, it is the obligation of the Master to ensure that any person
detained is given sufficient clothing, food, and water; treated humanely at all times; and given access to adequate
toilet and washing facilities.

9.5.9 Internal and External Complaint and Grievance Procedures


The organization should establish procedures to document and address grievances received
from internal and external stakeholders (including clients). The organization should investigate
allegations expeditiously and impartially, with due consideration to confidentiality and
restrictions imposed by local law. The organization should establish and document procedures
for:
a) Receiving and addressing complaints and grievances;
b) Establishing hierarchical steps for the resolution process;
c) The investigation of the grievances, including procedures to:
1) Cooperate with official external investigation mechanisms;
2) Prevent the intimidation of witnesses or inhibiting the gathering of evidence; and
3) Protect individuals submitting a complaint or grievance in good faith from
retaliation.
d) Identification of the root causes;
e) Corrective and preventative actions taken, including disciplinary action commensurate
with any infractions; and
f) Communications with appropriate authorities.
The procedure should state that the organization, or persons working on its behalf, may not
retaliate against anyone who files a grievance or cooperates in the investigation of a grievance.
Procedures should minimize obstacles to access caused by language or educational level, as
well as take account of the need for confidentiality and privacy.
Grievances alleging criminal acts, violations of human rights, or imminent danger to
individuals should be dealt with immediately by the organization, and other authorities as
appropriate (including notification and investigation by pertinent law enforcement agency of
any criminal act involving violence to a person).

10. PERFORMANCE EVALUATION


The organization should evaluate quality assurance and security management plans,
procedures, and capabilities through periodic assessments, testing, post-incident reports,
lessons learned, performance evaluations, and exercises. Significant changes in these factors
should be reflected immediately in the procedures.
The organization should keep records of the results of the periodic evaluations.


10.1 Monitoring and Measurement


The organization should establish, implement, and maintain performance metrics and
procedures to monitor and measure, on a regular basis, those characteristics of its operations
that have material impact on its performance (including partnerships, subcontracts, and supply
chain relationships). The procedures should include the documenting of information to monitor
performance, applicable operational controls, and conformity with the organization’s quality
assurance and security management objectives and targets.
The organization should evaluate and document the performance of the systems which protect
its assets (human and physical), as well as its communications and information systems.

10.2 Evaluation of Compliance


Consistent with its commitment to compliance, the organization should establish, implement,
and maintain procedures for periodically evaluating compliance with applicable legal,
regulatory, principles, and good practices articulated in maritime good practices and ICoC. The
organization should evaluate compliance with other requirements to which it subscribes. The
organization may wish to combine this evaluation with the evaluation of legal compliance
referred to above or to establish separate procedures.
The organization should keep records of the results of the periodic evaluations.

10.3 Exercises and Testing


The organization should use exercises and other means to test the appropriateness and efficacy
of its QASMS plans, processes, and procedures, including client, passenger, and crew
relationships as well as subcontractor interdependencies. Exercises should be designed and
conducted in a manner that limits disruption to operations and exposes people, assets, and
information to minimum risk.
Exercises should be conducted regularly, or following significant changes to the organization's
mission and/or structure, or following significant changes to the external environment. A
formal report should be written after each exercise. The report should assess the
appropriateness and efficacy of the organization’s QASMS plans, processes, and procedures –
including nonconformities – and should propose corrective and preventative action.
Post-exercise reports should form part of top management reviews.

10.4 Nonconformities, Corrective, and Preventive Action


The organization should establish, implement, and maintain procedures for dealing with
nonconformities and for taking corrective and preventive action. The procedures should define
requirements for:
a) Identifying and correcting nonconformities and taking actions to mitigate their
consequences;
b) Evaluating the need for actions to prevent nonconformities and implementing
appropriate actions designed to avoid their occurrence;
c) Investigating nonconformities, determining their root causes, and taking actions in order
to avoid their recurrence;
d) Recording the results of corrective and preventive actions taken; and
e) Reviewing the effectiveness of corrective and preventive actions taken.
The organization should ensure that proposed changes are made to the QASMS documentation.

10.5 Internal Audit


The organization should establish, implement, and maintain a quality assurance and security
management audit program and ensure that internal audits of the QASMS are conducted at
planned intervals.
Internal audits should assess whether the QASMS:
a) Meets the requirements of this Standard;
b) Meets relevant legal, regulatory, human rights, and contractual obligations;
c) Has been properly implemented and maintained;
d) Performed as expected; and
e) Has been effective in achieving the organization’s QASMS policy and objectives.
The organization should:
a) Plan, establish, implement, and maintain an audit program(s), taking into consideration
the status and importance of the processes and areas to be audited, as well as the results
of previous audits;
b) Define the audit criteria, scope, frequency, methods, responsibilities, planning
requirements, and reporting;
c) Select auditors and conduct audits to ensure objectivity and the impartiality of the audit
process (e.g., Auditors should not audit their own work);
d) Ensure that the results of the audits are reported to the management responsible for the
area being audited; and
e) Retain relevant documented information as evidence of the results.
The management responsible for the area being audited should ensure that actions are taken
without undue delay to eliminate detected nonconformities and their causes. Follow-up
activities should include the verification of the actions taken and the reporting of verification
results.

10.6 Management Review


10.6.1 General
Management should review the organization’s QASMS at documented planned intervals to
ensure its continuing suitability, adequacy, and effectiveness. This review should include
assessing opportunities for improvement and the need for changes to the QASMS, including the
QASMS policy and objectives. The results of the reviews should be clearly documented and
records should be maintained.

10.6.2 Review Input


The input to a management review should include:
a) Results of QASMS audits and reviews;
b) Feedback from stakeholders;
c) Techniques, products, or procedures that could be used in the organization to improve
the QASMS performance and effectiveness;
d) Status of preventive and corrective actions;
e) Results of exercises and testing;
f) Risks not adequately addressed in the previous risk assessment;
g) Incident reports;
h) Results from effectiveness measurements;
i) Follow-up actions from previous management reviews;
j) Any changes that could affect the QASMS;
k) Adequacy of policy and objectives; and
l) Recommendations for improvement.

10.6.3 Review Output


The outputs from top management reviews should include decisions and actions related to
possible changes to policy, objectives, targets, and other elements of the QASMS, with the aim
of promoting continuous improvement, including:
a) Improvement of the effectiveness of the QASMS;
b) Update of the risk assessment, and risk management plans;
c) Modification of procedures and controls that affect risks, as necessary, to respond to
internal or external events that may affect the QASMS;
d) Resource needs; and
e) Improvement of how the effectiveness of controls is being measured.

11. IMPROVEMENT

11.1 Change Management


The organization should establish a defined and documented quality assurance change
management program to ensure that any internal or external changes that impact the
organization are reviewed in relation to the QASMS. It should identify any new critical
activities that need to be included in the QASMS change management program.


11.2 Opportunities for Improvement


The organization should monitor, evaluate, and exploit opportunities for improvement in
QASMS performance and eliminate the causes of potential problems, including:
a) Ongoing monitoring of the operational landscape to identify potential problems and
opportunities for improvement;
b) Determining and implementing action needed to improve quality assurance
performance; and
c) Reviewing the effectiveness of the action taken to improve performance.
Actions taken should be appropriate to the impact of the potential problems, and the
organization’s obligations and resource realities.
Top management should ensure that actions are taken without undue delay to exploit
opportunities for improvement. Where existing arrangements are revised and new
arrangements introduced that could impact on the quality management of operations and
activities, the organization should consider the associated risks before their implementation.
The results of the reviews and actions taken should be clearly documented and records should
be maintained. Follow-up activities should include the verification of the actions taken and the
reporting of verification results.

11.3 Continual Improvement


The organization should continually improve the effectiveness of the QASMS through the use
of the quality assurance and security management policy, objectives, audit results, analysis of
monitored events, corrective and preventive actions, and management review.

Further guidance information is provided in the informative annexes of ANSI/ASIS PSC.1-2012
Management System for Quality of Private Security Company Operations – Requirements with
Guidance.


Annex A
(informative)

A GUIDANCE ON SHIP PROTECTION MEASURES


See Best Management Practices for Protection against Somalia Based Piracy (BMP4) and ASIS
International Protection of Assets for additional physical asset protection guidance.

A.1 Anticipation, Avoidance, and Prevention


In order to provide early warning protection, a proper lookout, watchkeeping, and enhanced
vigilance should be implemented in risk areas:
a) Lookouts should be appropriately equipped to identify oncoming ships from a distance;
b) Use of electronic, enhanced, and night vision equipment is recommended; and
c) Deployment of dummies can give the impression of additional watches.
Where practical, the Master should practice maneuvering their ship to produce conditions
difficult for boarding. Maneuvers should be practiced prior to entering the risk area to
determine best possible speeds and anti-boarding maneuvers.
A visible presence can deter attacks. Having security team members, crew, and dummies visible
for the upper deck and bridge wings can deter potential attackers.

A.2 Awareness, Alarms, and Monitoring


Coordinated exercise between the security team and crew members produces an enhanced
awareness and enhances response times to incidents. Alarms alert the ship’s crew to a potential
attack, as well as disorient potential attackers.
Long range acoustic signals give warning to potential attackers that they have been spotted and
ship defenses have been activated.
Flares and lasers aimed at and over potential attackers also indicate to potential attackers that
the ship’s defenses have been activated.

A.3 Electronic Measures


Video-surveillance can be used for detection and monitoring from a less exposed position.
Video-surveillance should cover vulnerable areas of the ship with monitors in the bridge and
citadel. Video-surveillance also provides documentation of an incident. Video-surveillance
measures should be consistent with industry good practice.
Lighting can be used to warn potential attackers that they have been spotted and ship defenses
have been activated.


A.4 Physical Protection


Physical protection measures serve as the first line of defense and should be designed based on
the vulnerability analysis conducted during the risk assessment. As with all physical asset
protection, a protection in depth strategy, with multiple layers of protection to detect, deter,
delay, and deny is most effective.
As the bridge is a primary target of capture and control of a ship, hardening of the bridge is
recommended. Personal protective equipment for persons on the bridge will provide an
increased level of protection. Access to the bridge should be controlled by securing doors and
hatches. Controlling access to accommodations, machinery spaces, and store rooms should also
be practiced. Bars and wires over windows and other openings can deny access even when the
glass is shattered.
Showing intent by using passive measures such as releasing objects to hinder the approach of
skiffs may discourage adversaries.
Physical barriers should be used to make it more difficult for adversaries to gain access to the
ship. Measures that increase the height or difficulty in climbing onboard the ship may deter
adversaries. Measures include:
a) Razor wire – Constructed outboard of the ship’s structure, properly secured, and
constructed of quality materials;
b) Spikes and angle barriers;
c) Electrified barriers – Should only be used on ships carrying non-volatile materials.
Signage should be deployed. Noted signage alone may deter adversaries; and
d) Water sprays and foam – Increases the difficulty for skiffs to approach the ship. Hoses,
water cannons, ballast pumps, foam, steam, and water spray rails all serve to delay and
deter adversaries. Remote control provides additional protection for the security team.
Safe muster points and citadels can provide physical protection for those on board. Use of safe
muster points and citadels should be practiced prior to entering the high risk area to assure that
those on board can retreat to safety.

A.5 Armed Protection


Armed protection should only be used as a last resort. It should be based on the risk
assessment and carefully planned and practiced, under the authority of the Master.
Firearms and other weapons should be appropriately stowed until required. If the threat
escalates to the need for the use of firearms and other weapons, the rules for the use of force
should be applied. The steps consistent with the continuum for the use of force should be
taken:
a) Warning shots – Fired to demonstrate an armed capacity using controlled, specifically
placed shots;
b) Disabling fire – Targeting the skiff’s engine or hull; and
c) Direct fire – Targeting the adversaries as a last resort where strictly necessary for self-
defense or for the protection of the life of others.


Annex B
(informative)

B BIBLIOGRAPHY

B.1 References
International Code of Conduct for Private Security Service Providers (ICoC) (11/2010).
< http://www.icocpsp.org > Accessed 2013, January.
International Convention for the Safety of Life at Sea (SOLAS) (1974), including the ISPS code.11
Swiss Confederation, Federal Department of Foreign Affairs (2008), Montreux Document on
Pertinent International Legal Obligations and Good Practices for States related to Operations of Private
Military and Security Companies during Armed Conflict (9/2008).
< http://www.un.org/ga/search/view_doc.asp?symbol=A/63/467 > Accessed 2013, January.

B.2 Maritime Specific References


BIMCO GUARDCON Contract for the Employment of Security Guards on Vessels and guidance on
Rules for the Use of Force (RUF) by Privately Contracted Armed Security Personnel in Defence of a
Merchant Vessel, April 2012 < www.bimco.org >. Accessed 2013, January.
IMO-MSC.1/Circular 1405/Rev.2, 25 May 2012: Revised Interim Guidance to Shipowners, Ship
Operators, and Shipmasters on the Use of Privately Contracted Armed Security Personnel On Board
Ships in the High Risk Area.
< http://www.imo.org/OurWork/Security/PiracyArmedRobbery/Guidance/Documents/MSC.1-Circ.1405-Rev2.pdf >. Accessed 2013, January.
IMO-MSC.1/Circular 1406/Rev.2, 25 May 2012: Revised Interim Recommendations for Flag States
Regarding the Use of Privately Contracted Armed Security Personnel On Board Ships in the High Risk
Area.
< http://www.imo.org/OurWork/Security/PiracyArmedRobbery/Guidance/Documents/MSC.1-Circ.1406-Rev.2.pdf >. Accessed 2013, January.
IMO-MSC.1/Circular 1408/Rev.1, 25 May 2012: Revised Interim Recommendations for Port and
Coastal States Regarding the Use of Privately Contracted Armed Security Personnel On Board Ships in
the High Risk Area.
< http://www.imo.org/OurWork/Security/PiracyArmedRobbery/Guidance/Documents/MSC.1-Circ.1408-Rev1.pdf >. Accessed 2013, January.

IMO-MSC.90/28, 31 May 2012: Final Report of the Maritime Safety Committee on its Ninetieth Session.
< http://www.uscg.mil/imo/msc/docs/msc-90-report.pdf >. Accessed 2013, January.
IMO-MSC.1/Circ.1443, 25 May 2012: Interim Guidance To Private Maritime Security Companies
Providing Privately Contracted Armed Security Personnel On Board Ships In The High Risk Area.
< http://www.imo.org/OurWork/Security/PiracyArmedRobbery/Guidance/Documents/MSC.1-Circ.1443.pdf >. Accessed 2013, January.

11 This document is available at < http://www.imo.org/OurWork/Security/Instruments/Pages/ISPSCode.aspx >.

B.3 ASIS International Publications12


ANSI/ASIS PSC.1-2012, Management System for Quality of Private Security Company Operations -
Requirements with Guidance.
ANSI/ASIS SPC.1-2009, Organizational Resilience: Security, Preparedness, and Continuity
Management Systems – Requirements with Guidance for Use.

B.4 ISO Standards Publications13


ISO 9000:2005, Quality management systems – Fundamentals and vocabulary
ISO 9001:2008, Quality management systems - Requirements
ISO 14001:2004, Environmental management systems – Requirements with guidance for use
ISO/IEC 27001:2005, Information technology – Security techniques – Information security management
systems – Requirements
ISO 28000:2007, Specification for security management systems for the supply chain.

B.5 United Nations and International Human Rights Publications


United Nations Convention on the Law of the Sea (UNCLOS) (1982).14
OHSAS 18001:2007, Occupational Health and Safety Assessment Series for health and safety
management systems
< http://www.ohsas-18001-occupational-health-and-safety.com/index.htm >

B.6 Other References


Authorized Economic Operator (AEO) Guidelines - < http://ec.europa.eu >
Customs-Trade Partnership Against Terrorism (C-TPAT) - < www.c-tpat.com >
Secure Trade Partnership (STP) -
< http://www.customs.gov.sg/leftNav/trad/Supply+Chain+Security.htm >

12 This document is available at < http://www.asisonline.org >.
13 This document is available at < http://www.iso.org >.
14 This document is available at < http://www.un.org/Depts/los/convention_agreements/texts/unclos/unclos_e.pdf >.
