New ISO Standard for Private Maritime Security Companies Reflects Some Progress on Human Rights

In a previous Human Rights in Complex Environments blog, we argued that the ISO/PAS 28007:2012 Ships and marine technology – Guidelines for Private Maritime Security Companies (PMSC) providing privately contracted armed security personnel (PCASP) on board ships (and pro forma contract) – ISO/PAS 28007 in short – could not be described as a “security and human rights” standard. At the time, the Publicly Available Specification was being developed into a full ISO standard. That standard, ISO 28007-1:2015, is now completed and available. While some improvements have been made in terms of clarifying the human rights responsibilities of PMSCs providing armed security on board ships, shortcomings remain.

What ISO 28007-1 is and is not

ISO 28007-1 suffers from a bit of an identity crisis. It is a set of informative guidelines for organizations implementing ISO 28000: Specification for security management systems for the supply chain. In other words, it is additional guidance for organizations wanting to assure security in their supply chains, which is different from the management of private security operations and the responsible provision of armed security services – something that standards like ANSI/ASIS PSC.1:2012 Management system for quality of private security company operations – Requirements with guidance (PSC.1) and its accompanying guidance specific to private maritime security, ANSI/ASIS PSC.4-2013: Quality Assurance and Security Management for Maritime Private Security Companies – Guidance (PSC.4), do explicitly address. While the Introduction to ISO 28007-1 states that, “[i]n effect, ISO 28000 is a risk-based quality management system for the security of operations and activities conducted by organizations,” in reality ISO 28000 is not a quality management system and the word quality appears nowhere in the main body of ISO 28000.

Furthermore, it should be noted that ISO 28007-1 is specific to the provision of security services on board ships. The evolving industry is largely unaddressed by the standard, and it does not cover newer activities, such as offshore installation protection, littoral work, and seismic survey work, which are more likely to put PMSCs in a position where human rights might become an issue.

Improved human rights provisions

As noted in our previous blog, human rights were almost wholly absent from the ISO/PAS 28007. The Universal Declaration of Human Rights (UDHR) was not listed as an informative document in the bibliography, and in the entire standard human rights were only correctly referenced twice: once in conjunction with health and safety stating that the organization should have guidelines for disciplinary offenses involving human rights abuses, and the second time to state that the organization should develop procedures to identify applicable international law to include human rights obligations. While the UDHR still is not referenced in the bibliography and the term international human rights law appears nowhere in the ISO 28007-1, the Introduction now explicitly references the UN Guiding Principles on Business and Human Rights (UNGPs), which reflect the current international norm for responsible business conduct with relation to the human rights impacts of companies. Specifically, the Introduction states: “Organisations seeking to be certified to this International Standard should respect the human rights of those affected by the organisations [sic] operations within the scope of this International Standard, including by conforming with relevant legal and regulatory obligations and the UN Guiding Principles on Business and Human Rights.” This is a marked improvement over the ISO/PAS 28007. However, choosing to reference the UNGPs only in the Introduction and not integrating them and elaborating on their relevant provisions in the main body of the guidance weakens the expectation that companies conform to the UNGPs. The drafters could have cited the UNGPs as a normative reference, as was done with the ISO 18788 Management system for private security operations – which is the international standard based on PSC.1 – but that path was not taken. Furthermore, the definition provided of the UNGPs is incomplete and only discusses the human rights responsibilities of companies, i.e. Pillar II, and not the accompanying human rights obligations of States and the need for both States and companies to provide effective access to remedy for victims of human rights abuses linked to economic activities.

That being said, referencing the UNGPs is not the only improvement in the ISO 28007-1’s human rights provisions. Noteworthy are the following additions:

  • The term stakeholders is now used and impacted communities have been added as a relevant stakeholder.
  • As part of the risk assessment process, organizations are advised to carry out meaningful consultation with relevant stakeholders, including those directly affected by their operations.
  • Organizations should have a human rights policy, alongside a Code of Ethics.
  • In addition to minimum age requirements for PCASPs, there is also now a commitment not to employ child labor and a reference to relevant ILO conventions.
  • The provisions on complaints and grievance procedures have been improved and now reference protection of whistle-blowers, procedures to assess effectiveness of complaints and grievance mechanisms, and procedures to protect complainants from retribution.


It is also noteworthy that remarks in the definitions section which stated that the International Maritime Organization does not believe that the International Code of Conduct for Private Security Service Providers (ICoC) or the Montreux Document are applicable to maritime security operations were removed. The ICoC and Montreux Document have been added to the bibliography.

Still room for more improvement

While these additions warrant recognition, there is still room for strengthening the human rights provisions of the ISO 28007-1 if it is to truly reflect the UNGPs. Additional improvements should entail:

  • Recommending that organizations carry out a human rights due diligence process, to include conducting a human rights risk and impact assessment to identify, address, and mitigate actual and potential negative human rights impacts.
  • Clarifying that when organizations systematically evaluate and prioritize risk controls, management, mitigation, and treatments, they should prioritize addressing human rights risks based on their scope and severity. Not addressing actual or potential severe human rights risks raises legal liability concerns, and not just considerations of reputation and cost effectiveness. Severe human rights risks linked to an organization’s operations must be addressed even if risk treatment is not cost effective per se.
  • Adding provisions that explicitly state that negative human rights impacts should be remediated.
  • Using past involvement in human rights violations as a screen for vetting PCASPs.
  • Requiring that PCASPs receive relevant human rights training.


Thankfully ISO standards are reviewed on a regular basis, so there will be opportunities in the future to include human rights experts in the review process and address these shortcomings.