Date Entry Into Force: 07-05-2021
1 General introduction
Application of maritime security legislation (SOLAS Chapter XI-2, ISPS Code and EU Regulation (EC) No. 725/2004) and interpretations by Recognised Security Organisations (RSO’s) for vessels flying the flag of the Netherlands.
2 Regulatory framework
The regulatory framework consists of
Rectifying and communicating major non-compliances
Major failures or Major Non-conformities (as defined and referred to in IACS Procedural Requirement no. 24, as amended) are considered severe non-compliances with a specified requirement and, when found during a verification, are to be communicated to the Netherlands Shipping Inspectorate (NSI) immediately by e-mail (firstname.lastname@example.org).
A ship may decide to put in place an equivalent security arrangement (ESA), in compliance with SOLAS Chapter XI-2, Regulation 13, sub 6.
Such security measures must be at least as effective as those prescribed in SOLAS Chapter XI-2 or the ISPS-code, Part A.
ESAs shall not allow SOLAS ships to avoid full compliance with the requirements of the Maritime Security Measures. The NSI reports an ESA to the International Maritime Organisation (IMO) by use of the Global Integrated Shipping Information System (GISIS).
3 Protection from unauthorized access or disclosure
The need to protect particular information (PI) must be considered on the basis of the content of that information. It includes the Ship Security Assessment (SSA), Ship Security Plan (SSP), and documents detailing the measures put in place.
Authorised Personnel of the RSO
- For authorised personnel of the RSO who have access to PI, the conduct shall be specified in procedures or job descriptions.
- The inspection of PI shall be conducted by authorized personnel of the RSO only. They shall be screened before starting their duties and the results are recorded, in accordance with the RSO procedures. Requirements for verification of the integrity of authorized personnel of the RSO are to be included in the internal quality procedures of the RSO, and this verification is to be carried out in accordance with such procedures.
Transport of information (physical and electronic)
- Transmission of PI (hard copy, CD-ROM, DVD, USB-stick or similar) by a company or by an RSO shall preferably be done by courier or by registered post with tracking facility. Sender and receiver communicate the time of dispatch and arrival of the physical transport. The shipment is prepared by appointed authorized persons, in a neutral and sealed envelope.
- In case PI is forwarded by e-mail, it should be encrypted or password protected, and passwords (if applicable) are to be sent separately via a different medium.
- If an RSO receives unencrypted PI by e-mail, they print it, save it on CD-ROM, DVD, USB-stick or similar and delete the e-mails with PI from computers connected to the network. The sender will be requested to delete the e-mail with PI from their servers.
- Within own secure networks encryption is not required.
Physical security (buildings, workspace and cabinets)
- The office of an RSO has 24/7 access control at the individual level. Individuals in charge shall be registered and identified.
- A room with PI is lockable; third parties have no access to a room with PI unless accompanied by an authorised person.
- The auditor does not leave PI unattended at any time. All PI (hardcopy, (un)encrypted information) and stamps for official documents are stored in a lockable compartment or safeguarded by the ISPS auditor.
- Information carriers (CD-ROM, DVD, USB-stick or the like) are used in such a way that the information is not accessible to unauthorized persons (e.g. by using encryption).
- An auditor shall not make more reproductions (hard copy and electronic) than necessary for the review.
- After the review no PI or reproductions may be kept (hardcopy or electronically) and they are to be deleted / shredded as appropriate.
- For archiving purposes the following information may be stored unprotected only: front page, table of contents, page revision (with stamps).
- The RSO will ensure that the NSI will be informed of security events and weaknesses related to information security (i.e. the unauthorized access, use or manipulation of information).
- The RSO is responsible for taking corrective action in time.
Please note that, besides this ItoR(S)O no. 25, there are further instructions for vessels in relation to Lay-up condition. Reference is made to ItoRO no. 23 – Lay Up.