Why the ISO standard for maritime security – ISO/PAS 28007 – is not a security and human rights standard.

A recent blog on the Measuring Business and Human Rights website examines the wide range of codes of conduct and management system standards that have been developed in recent years to guide the responsible provision of security services, on land and at sea. However, the inclusion of an International Organization for Standardization (ISO) standard for maritime security in that list of codes and standards is erroneous. The ISO/PAS 28007:2012 Ships and marine technology – Guidelines for Private Maritime Security Companies (PMSC) providing privately contracted armed security personnel (PCASP) on board ships (and pro forma contract) – ISO/PAS 28007 in short – cannot be described as a “security and human rights” standard. ISO/PAS 28007 stands out from the other standards because of the lack of inclusivity and transparency in its drafting and for its failure to include human rights provisions.

To the first point, unlike the committee that drafted ANSI/ASIS PSC.1:2012 Management system for quality of private security company operations – Requirements with guidance (PSC.1 in short), which included academics and representatives from NGOs such as Human Rights First, Amnesty International USA, the Geneva Center for the Democratic Control of Armed Forces, and Fund for Peace, the Technical Committee that drafted the ISO/PAS 28007 did not include academics, civil society organizations, and other key interested parties and stakeholders.

Regarding human rights, the ISO/PAS 28007 cannot be described as contributing to the mutually reinforcing and complementary nature of the other standards. Two notes in the definitions section point out that the International Maritime Organization does not believe that the International Code of Conduct for Private Security Providers (ICoC) or the Montreux Document are applicable to maritime security operations. This will make it very challenging for the ICoC Association to consider recognizing certification to the ISO/PAS 28007 as meeting the principles and certification requirements of the ICoC.

The ICoC Association will also likely struggle with the fact that the ISO/PAS makes almost no reference to international human rights law. The Universal Declaration of Human Rights is not listed as an informative document in the bibliography, and in the entire standard human rights are only referenced twice: once in conjunction with health and safety stating that the organization should have guidelines for disciplinary offenses involving human rights abuses, and the second time to state that the organization should develop procedures to identify applicable international law to include human rights obligations. Human rights are erroneously mentioned a third time referring to possible limits under human rights law to screening personnel. International human rights law does not speak to this issue.

What is not addressed in the ISO/PAS 28007 that is covered in other standards like the ICoC and PSC.1? Two key issues neglected in the ISO/PAS 28007 are the responsibility of maritime security companies to respect human rights and to carry out human rights due diligence processes. There is also no mention of conducting human rights risk analyses or engaging with affected communities and stakeholders during that process. In fact, there is no mention that maritime security operations can potentially impact on human rights. Furthermore, there are no stipulations for human rights trainings for personnel, and the requirements for grievance mechanisms are inadequate. While there is a provision that no one under 18 should be employed to carry weapons, there is no reference to avoiding the worst forms of child labor or other gross human rights violations. The ISO/PAS 28007 is simply not a human rights standard.

Unfortunately, it also falls short in terms of what certification to the standard can hope to accomplish with regards to ensuring responsible provision of maritime security services. One important point about certification to the ISO/PAS 28007 needs to be clarified. Companies are not certified to the ISO/PAS 28007; as a Publicly Available Specification (PAS) this is not possible. Technically they are certified to ISO 28000: Specification for security management systems for the supply chain using ISO/PAS 28007 as guidance. Here there is a fundamental breakdown in the logic of what companies claim to be achieving through certification. The ISO 28000 is about addressing risks in the supply chain. It is not about addressing the risks of security operations, or about the quality of security operations – two things that PSC.1 does address.

Currently, the Technical Committee that created the ISO/PAS 28007 has submitted it for comments and voting as a Draft International Standard (DIS). If successful, this would turn the ISO/PAS into a full ISO international standard. The DIS has not been updated and is the PAS word for word – quite surprising considering that 22 maritime security companies have been certified to date. One would think that there would have been at least a few lessons learned that would indicate the need for some changes to the standard’s language. The DIS is currently open for comment until the end of October and the vote closes on November 19. Interested parties should take this opportunity to reach out to their national standards bodies and submit their comments and concerns. If the ISO 28007 wants to be in the company of the other security standards detailed in the Measuring Business and Human Rights blog, it must include human rights provisions.

For a detailed chart, comparing the provisions of the ICoC, PSC.1 and the Voluntary Principles on Security and Human Rights, see the recent briefing paper by Human Analytics.