1 The Maritime Safety Committee at its seventy-seventh session (28 May to 6 June 2003), bearing in mind the provisions of section 4.3 of Part A and sections 4.3 to 4.7 of part B of the International Ship and Port Facility Security Code (ISPS) on Recognized Security Organization (RSO), developed the attached Interim guidelines for the authorization of recognized security organizations acting on behalf of the administration and/or designated authority of a contracting government.

2 The interim guidelines may be revised, based on the experience gained on the implementation of the new SOLAS chapter XI-2 and the ISPS Code and, in particular, with the designation of RSOs after 1 July 2004.

3 Member Governments and international organizations concerned are recommended to bring this circular to the attention of all parties concerned.

INTERIM GUIDELINES FOR THE AUTHORIZATION OF RECOGNIZED SECURITY ORGANIZATIONS ACTING ON BEHALF OF THE ADMINISTRATION AND/OR DESIGNATED AUTHORITY OF A CONTRACTING GOVERNMENT

General

1 Under the provisions of SOLAS regulation I/6 and, inter alia , SOLAS regulation XI-2/1.16 "Special measures to enhance maritime security", Recognized Security Organization (RSOs) may be delegated specific functions on behalf of the Administration and/or the Designated Authority of the Contracting Government. The following functions may be delegated in whole or in part to RSOs:
.1 approval of ships security plans;
.2 verification for ships
.3 issuance and endorsement of International Ship Security Certificates; and
.4 development of port facility security assessments.

2 In no instance may the RSO approve, verify, or certify a work product that it has developed (e.g. preparation ship security assessments, preparation ship security plans or of amendments under review).

3 Control in the assignment of such authority is needed in order to promote uniformity of assessments, verification, approval and certification activities required by SOLAS chapter XI-2 or by part A of the International Ship and Port Facility Security (ISPS) Code. Therefore, any delegation of authority to RSO, should:
.1 determine that the security organization has adequate resources in terms of technical, managerial and operational capabilities to accomplish the tasks being assigned, in accordance with the interim guidelines for RSOs acting on behalf of the Administration and/or Designated Authority as set out in Appendix 1;
.2 have a formal written agreement between the Administration or Designated Authority and the RSO being authorized;
.3 specify instructions detailing actions to be followed in the event that a ship is found not in compliance with the relevant provisions of international requirements for which the RSO has been delegated authority;
.4 provide the RSO with all appropriate instruments of national law giving effect to the provisions of the conventions or specify whether the Administration.s and/or Designated Authority.s standards go beyond convention requirements in any respect; and
.5 specify that the RSO maintain records that can provide the Administration and/or Designated Authority with data to assist in interpretation and implementation of specific convention regulations.

Verification and monitoring

4 The Administration and/or Designated Authority should establish a system to ensure the adequacy of work performed by the RSOs authorized to act on its behalf. Such a system should, inter alia , include the following items:
.1 procedures for communication with the RSO;
.2 procedures for reporting from the RSO and processing of reports by the Administration and/or Designated Authority;
.3 additional ship and port facility inspections and audits by the Administration and/or Designated Authority or other delegated organizations;
.4 the Administration.s and/or Designated Authority's evaluation/acceptance of the certification of the RSO.s quality system by an independent body of auditors recognized by the Administration and/or Designated Authority; and
.5 the Administration and/or Designated Authority should monitor and verify the activities related to security delegated to the RSO as appropriate. The Administration and/or Designated Authority maintain the ultimate authority continue or revoke delegations to RSOs.

INTERIM GUIDELINES FOR AUTHORIZATION OF RECOGNIZED SECURITY ORGANIZATIONS ACTING ON BEHALF OF THE ADMINISTRATION AND/OR DESIGNATED AUTHORITY OF A CONTRACTING GOVERNMENT

A Security Organization may be recognized by the Administration and/or Designated Authority to perform statutory work on its behalf subject to compliance with the following interim guidelines for which the recognised security organization (RSO) should submit complete information and substantiation.

General

1 The relative size, structure, experience and capability of the RSO commensurate with the type and degree of authority intended to be delegated thereto should be demonstrated.

2 The RSO should be able to document capability and experience in performing security assessments, developing risk assessments, conducting maritime verification, approval and certification activities for ships and/or for port facilities and their ancillary equipment, as appropriate.

Specific Provisions

3 The following should apply for the purpose of delegating authority to perform port facility security assessment and ship verification, and certification services of a statutory nature in accordance with regulatory instruments which require the ability to integrate ship and port interface operational considerations with maritime security threats, and to develop, verify and audit specific requirements:

3.1 The RSO should provide for the publication and systematic maintenance of procedures in the English language for the conduct of activities to ensure compliance with delegated authorities pursuant to SOLAS chapter XI-2. Updating of these procedures should be done on a periodic basis at intervals acceptable to the Administration.

3.2 The RSO should allow participation in the development of its procedures by representatives of the Administration and/or Designated Authority and other parties concerned.

3.3 The RSO should be established with:
.1 an adequate technical, managerial and support staff capable of developing and maintaining its procedures; and
.2 a qualified professional staff to provide the required service representing an adequate geographical coverage as required by the Administration and/or Designated Authority.

3.4 The RSO should be governed by the principles of ethical behaviour, which should be contained in a Code of Ethics and as such recognize the inherent responsibility associated with a delegation of authority to include assurance as to the adequate performance of services as well as the confidentiality of related information as appropriate.

3.5 The RSO should demonstrate the technical, administrative and managerial competence and capacity to ensure the provision of quality services in a timely fashion.

3.6 The RSO should be prepared to provide relevant information to the Administration and/or Designated Authority, as necessary.

3.7 The RSO's management should define and document its policy and objectives for, and commitment to, quality and ensure that this policy is understood, implemented and maintained at all levels in the RSO.

3.8 The RSO should be subject to certification of its quality system by an independent body of auditors recognized by the Administration and/or Designated Authority. The Administration and/or Designated Authority may serve as the auditor.

3.9 The RSO should develop, implement and maintain an effective internal quality system based on appropriate parts of internationally recognized quality standards no less effective than the ISO 9000-2000 series, and which, inter alia, ensures that:
.1 the RSO.s procedures are established and maintained in a systematic manner;
.2 the RSO.s procedures are complied with;
.3 the requirements of the statutory work for which the RSO is authorized, are satisfied;
.4 the responsibilities, authorities and interrelation of personnel whose work affects the quality of the RSO.s services, are defined and documented;
.5 a supervisory system is in place that monitors the actions and work carried out by the RSO;
.6 a system for qualification of assessors, surveyors, and auditors and continuous updating of their knowledge is implemented;
.7 records are maintained, demonstrating achievement of the required standards in the items covered by the services performed, as well as the effective operation of the quality system;
.8 a comprehensive system of planned and documented internal audits of the quality related activities in all locations is implemented;
.9 the RSO has established a process and procedures to assess and monitor at periodic intervals the trustworthiness of its personnel;
.10 the RSO has established processes and procedures to ensure that appropriate measures are in place to avoid unauthorized disclosure of, or access to, security sensitive materials relating to ship security assessments, ship security plans, port facility security assessments and port facility security plans, and to individual assessments or plans; and
.11 a procedure for providing feed back and information, as appropriate, to its customers.

4 The following should, in addition, apply for the purpose of delegating authority to perform certification services of a statutory nature in accordance with regulatory instruments.
.1 the provision and application of proper procedures to assess the degree of compliance of the applicable shipboard maritime security measures and management systems:
.2 the provision of a systematic training and qualification regime for its professional personnel engaged in the maritime security management system certification process to ensure proficiency in the applicable quality and security management criteria as well as adequate knowledge of the technical and operational aspects of maritime security management; and
.3 the means of assessing through the use of qualified professional staff the application and maintenance of the security management system both shore based as well as on board ships intended to be covered in the certification.

Specialized expertise

5 Each RSO shall be able to demonstrate by means of established process, procedures, and relevant documentation the following minimum capabilities following the guidance in paragraph 4.5 of part B of the ISPS Code:
.1 expertise in relevant aspects of security;
.2 appropriate knowledge of ship and port operations, including knowledge of ship design and construction if providing services in respect of ships and port design and construction if providing services in respect of port facilities;
.3 their capability to assess the likely security risks that could occur during ship and port facility operations including the ship/port interface and how to minimize such risks;
.4 their ability to maintain and improve the expertise of their personnel;
.5 their ability to monitor the continuing trustworthiness of their personnel;
.6 their ability to maintain appropriate measures to avoid unauthorized disclosure of, or access to, security-sensitive material;
.7 their knowledge of the requirements of SOLAS chapter XI-2 and part A of the ISPS Code and the guidance contained in part B of the Code and relevant national and international legislation and security requirements;
.8 their knowledge of current security threats and patterns;
.9 their knowledge of recognition and detection of weapons, dangerous substances and devices;
.10 their knowledge of recognition, on a non-discriminatory basis, of characteristics and behavioural patterns of persons who are likely to threaten security;
.11 their knowledge of techniques used to circumvent security measures; and
.12 their knowledge of security and surveillance equipment and systems and their operational limitations.