Revision:0810

Date:16.08.10

MCA NUMBER MSIS 37

INSTRUCTIONS FOR THE GUIDANCE OF SURVEYORS

ON
ps
shi
s4
eg
R
by
d
ce
du
ro

MCA AUDITING PROCESS

ep
R

(covering ISM Code, ISPS Code, ISO 9001 and ISO 14001)
CHAPTER 0

TABLE OF CONTENTS

PAGE REV.
CHAPTER 0 TABLE OF CONTENTS 2 0810
CHAPTER 1 PURPOSE 4 0810
1.1 Legal Basis and Authority for the Audit Programmes 4
1.2 International Safety Management (ISM) Code 4
1.3 International Ship and Port facility Security (ISPS) Code 5
1.4 External ISO 9001:2008 5
1.5 External ISO 14001:2004 5
CHAPTER 2 TYPES OF AUDIT AND FREQUENCY 7 0810
2.1 International Safety Management (ISM) Code 7
Table 1 ISM Code Audits 7
2.2 International Ship and Port Facility Security (ISPS) 8
Code
Table 2 ISPS Code Verifications (Audits) 8
2.3 External ISO 9001:2008 9
Table 3 External ISO 9001:2008 Audits 9
2.4 External ISO 14001:2004 10
ps
hi

Table 4 External ISO 14001:2004 Audits 10

s
s4
eg
R
by

CHAPTER 3 RESPONSIBILITIES 11 0810

d
ce
du
ro
ep

Table 5 Audit Policy Managers 11

R

CHAPTER 4 ACTIONS 12 0810

4.1 Audits 12
4.2 Managing the Audit Programme 17
4.3 Audit Preparation 17
4.4 Fees Estimation 18
4.5 Reviewing Previous Audit Documentation 19
4.6 Appointing Audit Team 19
4.7 Document Review 20
4.8 Establishing Initial Contact with Client 20
4.9 Pre-audit Team Briefing 21
4.10 Travel Arrangements 21
4.11 Conducting On-site Audits 21
4.11.1 Audit opening meeting 21
4.11.2 Conduct of audits 21
4.11.3 Communication during audit 22
4.11.4 Roles and responsibilities of guides and 22
observers
4.11.5 Collecting and verifying information – 23
generating audit evidence
4.11.6 Generating audit findings 23
4.11.7 Drafting non-conformity notes 24

MSIS 37/REV 0810 Page 2 of 37

 4.11.8 Preparing audit conclusions 25
4.11.9 Conducting the closing meeting 26
4.11.10 Endorsement of certification 26
4.12 Post Audit Activities 26
4.12.1 Audit report 26
4.12.2 Certificate issue 27
4.12.3 Follow-up action 28
4.12.4 Withdrawing certification 29
Table 6 Decision-makers for withdrawing certification 29
4.12.5 Appeals and disputes 29
4.12.6 Process control 30
Table 7 File requirements 30
4.13 Monitoring and Measuring the Audit Programme 30
4.14 Review for Continual Improvement 30
CHAPTER 5 DOCUMENTATION AND CERTIFICATION 32 0810
5.1 Current Documentation 32
Table 8 Form Availability 32
5.2 Documentation Made Obsolete by this Process 34
CHAPTER 6 NON-TECHNICAL REFERENCES 35 0810
6.1 Technical Requirements and Guidance 35
Table 9 Technical Guidance 35
6.2 Process References 35
Table 10 Process References 35
ps
shi
s4
eg

Annex A Completed Non-Conformity Note 38

R
by
d
ce
du
ro
ep
R

MSIS 37/REV 0810 Page 3 of 37

CHAPTER 1

PURPOSE

Key Changes
This is a new document (therefore has no highlighting of new text) that contains
instructions to surveyors on the ‘Audit Process’ which has been made common.
It complements the existing technical instructions to surveyors which will have
any sections on the audit process deleted.

Procedure MCA 525 – ISM Audits is replaced

1.0.1. These instructions set out the process to be followed when carrying out
audits in MCA. The technical requirements and guidance for different audit types
is covered in separate instructions (see Chapter 6).

1.0.2. This document is relevant to all those involved in undertaking an audit.

The common process is based on the guidelines for quality and/or environmental
management systems auditing1 and has variations to meet the requirements of the
different standards to be audited.
ps
shi
s4
eg
R
by

1.1. Legal Basis and Authority for the Audit Programmes

d
ce
du
ro
ep
R

1.2. International Safety Management (ISM) Code

1.2.1. ISM Code audits are carried out under the authority (sections 13-15 of
the ISM Code) given in Regulation 336/2006/EC which transposes the
International Convention for Safety of Life at Sea 1974, as amended (SOLAS)
Chapter IX and the ISM Code into UK law.

1.2.2. Anyone appointed as a surveyor of ships under section 256 of Merchant

Shipping Act 1995 has the authority to carry out an audit to verify compliance
with the ISM Code from: Regulation 4(1)(a) of ‘The Merchant Shipping (ISM
Code) (Ro-Ro Passenger Ferries) Regulations 1997’ (SI 1997:3022) and
Regulation 16(1)(a) of ‘The Merchant Shipping (International Safety Management
(ISM) Code) Regulations 1998’ (SI 1998 1561). These two Statutory Instruments
are currently (February 2010) being revised. MCA management controls restrict
auditors to those who have been certified as competent through the Surveyors
Customised Award Scheme.

1
ISO 19011:2002

MSIS 37/CH1/REV 0810 Page 4 of 37

1.2.3. The timing of the audits is usually at the client’s request for the issue or
endorsement of statutory certification. MCA can also request an audit should
sufficient grounds exist.

1.3. International Ship and Port facility Security (ISPS) Code

1.3.1. ISPS Code verifications are carried out under the authority (section
A/19 of the ISPS Code) given in Regulation 725/2004/EC which transposes
SOLAS Chapter XI-2 and the ISPS Code into UK law.

1.3.2. Anyone appointed as an inspector or surveyor under section 256 of

Merchant Shipping Act 1995 has the authority to carry out an audit to verify
compliance with the ISPS Code from Regulation 6(1) of The Ship and Port
Facility (Security) Regulations 2004 (SI 2004:1495), as amended (SI 2005:1434).
MCA management controls restrict auditors to those who have been certified as
competent through the Surveyors Customised Award Scheme.

1.3.3. The timing of the audits is usually at the client’s request for the issue or
endorsement of statutory certification. MCA can also request an audit should
sufficient grounds exist.

1.4. External ISO 9001:2008

ps
shi
s4
eg

1.4.1. MCA Quality Assurance’s (MCAQA) accreditation to ISO 17021:2006,

R
by
d
ce
du

‘Requirements for bodies providing audit and certification of management

ro
ep
R

systems’ requires in section 9, ‘Process requirements’, audit processes that

comply with ISO 19011:2002 (Guidelines for quality and/or environmental
management systems auditing). MCAQA has contracts with clients to provide
audits to certificate their Quality Management Systems’ ISO 9001:2008.

1.4.2. The ISO Quality Manager appoints competent persons as auditors.

1.4.3. The Quality Manager approves an audit schedule that has been
compiled in accordance with MCA QA8: Procedure for Assessing Audit Duration
and Frequency. It may be necessary to conduct short-notice audits as outlined in
MCA QA5: Procedure for Certification Assessments to ISO 9001:2008 and
ISO 14001:2004 Standards.

1.5. External ISO 14001:2004

1.5.1. MCA Quality Assurance’s accreditation to ISO 17021:2006,

‘Requirements for bodies providing audit and certification of management
systems’ (ISO 9001:2008) requires in section 9, ‘Process requirements’, audit
processes that comply with ISO 19011:2002 (Guidelines for quality and/or
environmental management systems auditing). MCAQA has contracts with

MSIS 37/CH1/REV 0810 Page 5 of 37

clients to provide audits to certificate their Environmental Management Systems
to ISO 14001:2004.

1.5.2. The ISO Quality Manager appoints competent persons as auditors.

1.5.3. The Quality Manager approves an audit schedule that has been
compiled in accordance with MCA QA8: Procedure for Assessing Audit Duration
and Frequency. It may be necessary to conduct short-notice audits as outlined in
MCA QA5: Procedure for Certification Assessments to ISO 9001:2008 and ISO
14001:2004 Standards.

Author P White Branch Security Policy

Approved P Owen Branch Ship Safety
Authorised by P Coley Branch Seafarers and Ships
ps
shi
s4
eg
R
by
d
ce
du
ro
ep
R

MSIS 37/CH1/REV 0810 Page 6 of 37

CHAPTER 2

TYPES OF AUDIT AND FREQUENCY

Key Changes

This is a new document and therefore has no highlighting of new text

2.1. International Safety Management (ISM) Code

2.1.1. The ISM Code requires that separate audits are undertaken of the
Company (resulting in the issue or endorsement of a Document of Compliance
(DOC)), and ships (resulting in the issue or endorsement of a Safety
Management Certificate (SMC)) to verify the implementation of their Safety
Management System (SMS).

2.1.2. The competence requirements for ISM auditors is defined in the annex
to the Revised Guidelines on the Implementation of the International Safety
Management (ISM) Code by Administrations (Resolution A.913(22)) and
interpreted by MCA in Surveyor Customised Award 2 unit 4, OAN 412 and
OAN 557.
ps
shi
s4
eg

Table 1 – ISM Code Audits

R
by
d
ce
du
ro
ep
R

Type When conducted Scope Validity

SMS Document Prior to the Interim period ISM Code Normally only
Review Part A once
Interim DOC When a company is newly Intent and Valid for
established or when new ability to maximum of
ship types are added implement 12 months
Initial DOC Before end of Interim Thorough Valid for
period sample of maximum five
processes years
Annual DOC Between three months Sample of n/a
before or after certificate’s processes
anniversary date
Renewal DOC Usually up to three Thorough Maximum five
months before certificate sample of years from
expiry processes renewal date

MSIS 37/CH2/REV 0810 Page 7 of 37

 Type When conducted Scope Validity
Interim SMC When a new ship is Intent and Valid for six
delivered or when a ability to months, may
Company takes on implement be extended
responsibility for operation SMS for further six
of a ship which is new to months
the Company or when a
ship changes flag
Initial SMC Before end of Interim Thorough Valid for
period sample of maximum five
processes years
Intermediate Between two and three Sample of n/a
SMC years before certificate processes
expiry
Renewal SMC Usually up to three Thorough Maximum five
months before certificate sample of years from
expiry processes renewal date
Additional SMC When significant non- As required As required
compliance with ISM
Code is suspected or to
close out a non-
conformity
ps
shi
s4
eg
R
by

2.2. International Ship and Port Facility Security (ISPS) Code

d
ce
du
ro
ep
R

2.2.1. The ISPS Code requires that the implementation of the Ship Security
Plan (SSP) is verified (audited).

2.2.2. There are no internationally recognised competence requirements for

ISPS Code Auditors. MCA has interpreted the competence requirements for
Recognised Security Organisations defined in ISPS Code B/4.5 in Surveyor
Customised Award 2 unit 4, OAN 412 and OAN 557.

Table 2 – ISPS Code Verifications (audits)

Type When conducted Scope Validity

Interim When a new ship is Intent and Valid for six
delivered or when a ability to months only
Company takes on implement no extension
responsibility for operation SSP allowed
of a ship which is new to
the Company or when a
ship changes flag
SSP Approval During Interim period and ISPS Code Five-years
before renewal A/9 and
B/9.2

MSIS 37/CH2/REV 0810 Page 8 of 37

 Type When conducted Scope Validity
Initial Before end of Interim Thorough Valid for
period sample of maximum five
processes. years from
All technical date of audit
equipment
Intermediate Between two and three Sample of n/a
years before certificate processes
expiry All technical
equipment
Renewal Usually up to three Thorough Maximum five
months before certificate sample of years from
expiry processes renewal date
All technical
equipment
Additional When significant non- As required As required
compliance with ISPS
Code is suspected or to
close out a non-
conformity

2.3. External ISO 9001:2008

ps
shi
s4
eg
R

Table 3 – External ISO 9001:2008 Audits

by
d
ce
du
ro
ep
R

Type When conducted Scope Validity

When new client applies
Application for certification or wishes
Review to change scope of
certification
Document
Review
See See
Stage 1 Initial
MCAQA 5 MCAQA 8
Audit
Stage 2 Initial See MCAQA 8
Audit
Surveillance
Audits
Renewal Audits

MSIS 37/CH2/REV 0810 Page 9 of 37

2.4. External ISO 14001:2004

Table 4 – External ISO 14001:2004 Audits

Type When conducted Scope Validity

When new client applies
Application for certification or wishes
Review to change scope of
certification
Document
Review
See See
Stage 1 Initial
MCAQA 5 MCAQA 8
Audit
Stage 2 Initial See MCAQA 8
Audit
Surveillance
Audits
Renewal Audits

Author P White Branch Security Policy

Approved P Owen Branch Ship Safety
ps
hi

Authorised by P Coley Branch Seafarers and Ships

s
s4
eg
R
by
d
ce
du
ro
ep
R

MSIS 37/CH2/REV 0810 Page 10 of 37

CHAPTER 3

RESPONSIBILITIES

Key Changes

This is a new document and therefore has no highlighting of new text

3.1 Individual responsibilities are clearly explained in Chapter 4 either in the

flowchart or descriptive text. The responsibility for defining MCA’s requirements
for an audit programme has been assigned to an Audit Policy Manager (see
Table 5 below) who has a general understanding of: audit principles; the
competence of auditors’; the application of audit techniques; and has
management skills as well as technical and business understanding of the
relevant activities of the audit programme.

Table 5 – Audit Policy Managers

Audit Programme Audit Policy Manager

1 International Safety Management
ISM/ISO Policy Manager
(ISM) Code
2 International Ship and Port facility
ps
shi

Security Policy Manager

s4
eg
R

Security (ISPS) Code

by
d
ce
du

3 External ISO 9001:2008 ISM/ISO Policy Manager

ro
ep
R

4 External ISO 14001:2004 ISM/ISO Policy Manager

5 Internal ISO 17021:2006 ISM/ISO Policy Manager

3.2 For ISM Code and ISPS Code audits the responsibility for supervising the
audit team and verifying the consistency of the work lies with the Lead Auditor’s
Line Manager.

Author P White Branch Security Policy

Approved P Owen Branch Ship Safety
Authorised by P Coley Branch Seafarers and Ships

MSIS 37/CH3/REV 0810 Page 11 of 37

CHAPTER 4

ACTIONS

Key Changes

This is a new document and therefore has no highlighting of new text

4.1 Audits

Definition

4.1 Auditing is defined as the systematic, independent and documented set of

interrelated or interacting activities (this process) for obtaining statements of fact
or other information (meaningful data), the audit evidence, and evaluating it
objectively to determine the extent to which audit criteria (set of policies,
procedures or requirements) are fulfilled2.

4.2 The ISPS Code uses the term verification for the Administration ensuring
the security system meets the requirements and is considered an audit for these
instructions.
ps
shi
s4
eg

Process Maps
R
by
d
ce
du
ro
ep
R

4.3 The required actions are described on the following process maps, which
have been split into three sub processes, and amplified in later paragraphs.

.1 Audit preparation activities

.2 On-site activities
.3 Post audit activities

2
Adopted from ISO 9000:2005 paragraph 3.9.1

MSIS 37/CH4/REV 0810 Page 12 of 37

Audit Instructions to Surveyors

PLAN DO CHECK ACT

Review for
Audit Programme Audit Preparation Monitor and
continual
Defined Activities Measure Process
Improvement
(See 4.2) (See Flowchart 2) (See 4.13)
(See 4.14)

On-Site Audit
Activities
(See Flowchart 3)

Post Audit
Activities
(See Flowchart 4)
ps
hi
s
s4
eg
R
by
d
ce
du
ro
ep
R

MSIS 37/CH4/REV 0810 Page 13 of 37

 Flowchart 2:
Audit Preparation Activities
Client

Participates in
Identifies requirement Completes MSF
application/
and applies for audit 5100
transfer review
Administrator

Receives and Organises travel

Receives request processes fees
Recalls files arrangements
and processes
(see 4.10)
Audit Process

s
ip
sh
s4
Manager

Defines resource

eg
Approves overseas

R
by
requirements,

d
Provides advice travel

ce
du
appoints Lead

ro
as needed arrangements

ep
Auditor, delegates

R
tasks (see 4.3.2-4)
Lead Auditor

Undertakes audit
For ISO audits preparation: Ensure team have
Informs client of Briefs audit team,
undertakes Fee estimate file and document required PPE and If overseas,
agreed assigns work to
application or to client review, audit that initial H&S Risk completes MSF
arrangements auditors
transfer review (see 4.4) team, audit plan, assessment is 5215 (See 4.10)
(see 4.8) (see 4.9)
(see 4.3.5-7) time and location completed
(see 4.5-7)
Audit Team

Familiarise self
To On-Site Audit
with MCA
Activities flowchart
documentation

MSIS 37/CH4/REV 0810 Page 14 of 37

 Flowchart 3:
On Site Audit Activities

Attend
Client

opening Provides audit Attends

meeting information closing
meeting
Administrator
Audit Process

s
Manager

ip
sh
s4
Provides Provides Provides

eg
R
by
advice as advice as advice as

d
ce
du
needed needed needed

ro
ep
R
Lead Auditor

Conducts Collects and Conducts

Re-assesses Generates Prepares audit Endorse on
opening verifies audit closing
Travel to site H&S risk audit findings conclusions site certificate
meeting information meeting
including PPE (see 4.11.6-7) (see 4.11.8) (see 4.11.10)
(see 4.11.1-4) (see 4.11.5) (see 4.11.9)
Audit Team

Collects and
Attends Contributes Contributes to Attends
verifies audit To Post Audit
opening to audit audit closing
information Activities flowchart
meeting findings conclusions meeting
(see 4.11.5)

MSIS 37/CH4/REV 0810 Page 15 of 37

 Flowchart 4:
Post Audit Activities

For ISM & ISO; File returned or

undertakes review put away

Receives audit
Closes out follow
report and
up actions
certificate

For ISM & ISO;

Prepares new Distributes audit
Files audit papers sends completed

s
ip
certificate report and

sh
(see 4.12.6.1) file to HQ for

s4
eg
(see 4.12.2) certificate

R
review

by
d
ce
du
ro
ep
R
Conducts
Signs certificate Technical Review
(see 4.12.6.2)

Handles Certificate
Approves audit Conducts audit withdrawal or
Prepares audit
report; signs follow up appeals and
report (see 4.12.1)
declaration (see 4.12.3) disputes (See
4.12.4-5)

Contributes to Assists with audit

audit report follow up

MSIS 37/CH4/REV 0810 Page 16 of 37

4.2 Managing the Audit Programme

4.2.1 The extent of the audit programmes covered by this process have been
summarised in Chapter 2. The overall objectives of the audit programmes are to:

• Verify compliance with the requirements for certification to a

management or statutory standard;
• Obtain and maintain confidence in the capability of the client;
• Contribute to the improvement of the management system;
• Analyse performance monitoring, measuring, reporting and reviewing
against key performance objectives and targets;
• Evaluate the operational control of client’s processes;
• Evaluate internal auditing and management review;
• Evaluate the management’s responsibility for client’s policies; and
• Review links between the standard’s requirements, policy, performance
objectives and targets, any applicable legal requirements,
responsibilities, competence of personnel, operations, procedures,
performance data and internal audit findings and conclusions.

4.2.2 Further objectives or requirements may be set by the Audit Policy

Manager or Line Manager either for generic requirements in the technical
guidance or specifically to cover individual circumstances.
ps
shi
s4
eg
R
by

4.3 Audit Preparation

d
ce
du
ro
ep
R

Initial inquiries

4.3.1 Potential clients may be provided with information concerning the audit
requirement on request by the Administrator. Clients should be invited to
complete the application form, and for ISO auditing the questionnaires, if
applicable. For ISO the Administrator should follow up enquiries if the potential
client does not make contact within one month of the initial inquiry being
received.

Defining Resource Requirements

4.3.2 Upon receipt of a completed application the Line Manager (or someone
with delegated authority) quantifies the requirements for the audit. There are
usually two aspects to this quantification: calculating the number of audits
required; and calculating the audit duration. Any deviation from the technical
guidance provided is to be justified.

MSIS 37/CH4/REV 0810 Page 17 of 37

4.3.3 For ISO audits the feasibility of carrying out the audit must also be
considered. Where it is judged not feasible alternative arrangements are to be
considered in consultation with the client. These may include, depending on
circumstances:

• Transferring audit to an alternative site;

• Transferring audit to an alternative date;
• Delegating the audit to an alternative auditing body; or
• Cancelling the audit.

Appointing the Lead Auditor

4.3.4 The Line Manager (or someone with delegated authority) appoints a
Lead Auditor for the assessment who is responsible for ensuring the audit is
conducted in accordance with the requirements. The selection is based upon the
information gathered regarding to the requirements of the client and the
competence, training, qualifications and experiences of the available Lead
Auditors. Consideration is also given to the previous contact the Lead Auditor
may have had with the client, e.g. other audits. The following are to be taken into
consideration when selecting the Lead Auditor:

• Knowledge of applicable regulations, standards, guidance etc;

ps

• Knowledge of assessment methods and certification procedures and

shi
s4
eg
R
by

associated documents;
d
ce
du
ro

• Technical knowledge of the systems being audited;

ep
R

• Competencies required by the activity being assessed;

• Any potential conflicts of interest; and
• Ability to communicate orally and in writing with client.

Undertaking application or transfer review

4.3.5 The Lead Auditor is responsible for undertaking any application or

transfer review which might be required by Certification Assessments for ISO
9001:2008 and ISO 14001:2004.

4.3.6 Any request regarding the ISM Code for recognition of foreign DOCs for
use on UK ships is to be referred to ISM/ISO Policy Branch who will conduct the
assessment and issue documentation.

4.3.7 Any request regarding the ISPS Code for initial approval of Ship
Security Plan at the flag-in stage is to be referred to the Security Liaison Officer.

4.4 Fees Estimation

4.4.1 The lead Auditor is responsible for calculating the fees and informing
the client of the estimate. For chargeable work the Lead Auditor must ensure

MSIS 37/CH4/REV 0810 Page 18 of 37

that the fees have been received and an appropriate job number raised before
work commences. The Administrator is responsible for processing the fees
received.

ISM Audits

4.4.2 ISM Audits are charged at the standard hourly fee rate. VAT is not
charged on the fee as statutory audits are exempt form VAT.

4.4.3 Guidance on the duration of ISM audits can be found on the Survey
Operations microsite.

ISPS Audits

4.4.4 ISPS audits are a non-chargeable activity which is usually conducted in

conjunction with an ISM audit. This means that MCA travel time and expenses
are covered by the ISM audit. In cases where the ISPS Audit is conducted
separately no charge for travel is made to the client.

4.4.5 Guidance on the duration of ISPS audits can be found in MSIS0025

Instructions to Surveyors on maritime security which can be found on Security
Policy microsite.
ps
shi
s4
eg
R
by
d
ce
du

External ISO 9001 and ISO 14001 audits

ro
ep
R

4.4.6 ISO audits are charged at the standard hourly fee rate plus VAT (these
audits are not exempted from VAT).

4.4.7 Guidance on the duration of ISO audits can be found in MCAQA 8,

Procedure for Assessing Audit Duration and Frequency, which can be found on
the ISM/ISO microsite.

4.5 Reviewing Previous Audit Documentation

4.5.1 The Administrator is responsible for recalling files and other

documentation containing previous audit documentation for the Lead Auditor to
review. The Lead Auditor will use the information obtained to draft the audit plan
and arrange the time and location of the audit.

4.6 Appointing Audit Team

4.6.1 If the circumstances of the audit warrant the Lead Auditor is responsible
for selecting, leading and managing the audit team, taking account of the
selection criteria in paragraph 4.3.2. The number of auditors required will
depend upon the size and nature of the client and the scope to be covered by the

MSIS 37/CH4/REV 0810 Page 19 of 37

audit. The Lead Auditor must ensure that the team has the collective
competence to perform an effective assessment of the client’s systems against
both the appropriate standard and the scope of certification. The Lead Auditor
should arrange for the preparation of any work documents (forms, aide memoires
etc) that the audit team will need to use.

4.7 Document Review

4.7.1 The document review is the first stage in the assessment process and
must be undertaken prior to the Initial Assessment. If applicable work on a
document review should not be undertaken until receipt of fees has been
confirmed.

4.7.2 The Lead Auditor should make contact with the client in order to make
introductions and to arrange for appropriate documentation to be forwarded so a
document review can be undertaken. If the client is not yet ready to undertake
the document review the Lead Auditor should discuss time scales for when the
client is likely to be ready. The Lead Auditor should keep in regular contact with
the client.

4.7.3 The ISM Code’s SMS, ISO 9001:2008 and ISO 14001:2004 document
reviews are undertaken by the Lead Auditor (or delegated to an appropriate
person) and consists of an examination of the client’s policy documents,
ps
shi
s4
eg

manuals, key procedures and any other necessary documents to ensure that
R
by
d
ce
du

these meet the requirements. Document Review aide memoires are available.
ro
ep
R

4.7.4 The ISPS Code’s approval of SSPs is undertaken by security liaison

officers. Details can be found on the Security Policy microsite.

4.7.5 Following the document review a report should be written to the client
outlining areas that do not meet the requirements of the standard, instances of
good practice should also be included in the report. Non-conformances are not
raised during this section of the certification process.

4.7.6 When satisfied that the documentation is adequate the Lead Auditor
must then make arrangements for the Initial Assessment. The information
gathered so far in the assessment process may be used in a confidential manner
to prepare for the on-site visit.

4.8 Establishing Initial Contact with Client

4.8.1 The Lead Auditor is responsible for establishing contact with the client
to:

• Establish communications channels with the client’s representative;

• Confirm authority to conduct the audit;

MSIS 37/CH4/REV 0810 Page 20 of 37

 • Provide information on the proposed audit plan and audit team
composition;
• Request access to relevant records;
• Determine the applicable site safety rules and ensure the audit team
have required Personnel Protective Equipment (PPE) and that the initial
Health and Safety (H&S) considerations are met;
• Make arrangements for the audit; and
• Agree the attendance of observers and the need for guides for the audit
team.

4.9 Pre-audit Team Briefing

4.9.1 Where appropriate, prior to the audit taking place a meeting between
the Lead Auditor and members of the audit team must be held. All audit team
members must be provided with the appropriate documentation and background
information to be able to successfully complete the audit.

4.10 Travel Arrangements

4.10.1 The Lead Auditor is responsible for ensuring travel arrangements are
made for the audit team, and where international travel is involved, that form
MSF 5215 is completed and authorised.
ps
shi
s4
eg
R
by

4.11 Conducting On-site Audits

d
ce
du
ro
ep
R

4.11.1 Audit opening meeting

4.11.1.1 An opening meeting must be held at the start of the first day of the
audit, it is left to the discretion of the Lead Auditor as to whether an opening
meeting is required at the start of each day or other. The Lead Auditor should
chair the meeting and note those attending the meeting. The meeting should
include suitable representatives of the client. During the opening meeting the
following should be discussed:

• Scope of Audit;
• Audit methodologies;
• Explanation of non-conformance process;
• Introduction of audit team;
• Confirmation of audit plan and any changes;
• Limitations of auditing process; and
• Confidentiality and the Freedom of Information Act.

4.11.2 Conduct of audits

4.11.2.1 The Lead Auditor is responsible for carrying out audits and should be
available to the audit team should queries arise. The purpose of the audit is to

MSIS 37/CH4/REV 0810 Page 21 of 37

obtain evidence of conformity (or non-conformity) regardless of familiarity with
processes or persons involved.

4.11.2.2 The Lead Auditor must ensure that tasks are appropriately assigned to
suitably qualified and competent team members, i.e. where an activity requires a
particular specific competence, the auditor with that competency must be
assigned to complete that part of the assessment.

4.11.2.3 Audits are a two way process and their success depends on obtaining
the full facts. They are confidential between MCA and the client within the
precepts of the Freedom of Information Act 2000 and Environmental Impact
Regulations 2004. For assessment purposes different audit areas are followed
for each audit programme and are detailed in the technical guidance.

4.11.3 Communication during audit

4.11.3.1 Findings are to be brought to the attention of the client’s local

management by auditors, when assessment of each activity is complete.

4.11.3.2 The audit team should periodically confer to exchange information,

assess audit progress, and to reassign work between the audit team members as
needed.
ps
shi
s4
eg

4.11.3.3 During the audit the Lead Auditor is to periodically communicate

R
by
d
ce
du

progress of the audit and any concerns to the client. Evidence collected during
ro
ep
R

the audit that suggests an immediate and significant risk should be reported
without delay to the client. Any concern about an issue outside of the audit
scope should be noted and reported to the Lead Auditor, for possible
communication to the client.

4.11.3.4 If the available evidence indicates that the audit objectives are
unattainable, the Lead Auditor should report the reasons to the client, and, if
practicable, to the Line Manager to determine what action is appropriate. Such
action may include reconfirmation or modification of the audit plan, changes to
audit objectives or audit scope or termination of the audit.

4.11.4 Roles and responsibilities of guides and observers

4.11.4.1 Guides and observers may accompany the audit team, but are not part
of the team. They are not to influence or interfere with the conduct of the audit.
In cases of inappropriate intervention by guides when an informal request has
not achieved resolution the matter should be referred to the client’s senior on-site
representative.

4.11.4.2 When guides are appointed by the client they should assist the team
and act on the request of the Lead Auditor. Their responsibilities are:

MSIS 37/CH4/REV 0810 Page 22 of 37

 • Establishing contacts and timing for interviews;
• Arranging visits to specific parts of the site or organisation;
• Ensuring that rules concerning site safety and security procedures are
known and respected by the audit team;
• Witnessing the audit on behalf of the client; and
• Providing clarification or assisting in collecting information.

4.11.4.3 The following supervising bodies may point observers to provide

feedback on the performance of the audit:

• European Commission (including European Maritime Safety Agency for

ISM Code and ISPS Code audits;
• United Kingdom Assessment Service for ISO 9001 and ISO 14001
audits.

4.11.5 Collecting and verifying information – generating audit evidence

4.11.5.1 During the audit, information relevant to the audit objectives, scope and
criteria, including information relating to interfaces between functions, activities
and processes, is to be collected by appropriate sampling and should be verified.
Only information that is verifiable may be used as audit evidence. Audit evidence
ps
hi

is to be recorded by each auditor recording the details of the personnel who were
s
s4
eg
R
by

the focus of each activity/process assessed and the specific details relating of the
d
ce
du
ro
ep

documents/records examined. This information may be in the form of annotated

R

aide memoires, and/or a copy of the contemporaneous audit notes, or

annotations to photocopies/records under audit. Notes taken during the audit are
an integral part of the report on findings at the location. In the event that
evidence obtained later in the audit clarifies or alters early evidence a suitable
cross-reference is to be made in the auditor’s notes or any aide memoirs used.

4.11.6 Generating audit findings

4.11.6.1 Audit evidence is to be evaluated against the audit criteria to generate

audit findings. Audit findings can indicate either conformity or non conformity
with audit criteria. When specified by the audit objectives, audit findings can
identify an opportunity improvement.

4.11.6.2 The audit team should meet as needed to review the audit findings at
appropriate stages during the audit.

4.11.6.3 Conformity with audit criteria is to be summarised to indicate locations,

functions or processes that were audited. If included in the audit plan, individual
audit findings of conformity and their supporting evidence are to be recorded.

MSIS 37/CH4/REV 0810 Page 23 of 37

4.11.6.4 Non-conformities and their supporting evidence are to be recorded.
Non-conformity grading is specified in technical guidance. The non conformance
is to be reviewed with the client to obtain acknowledgement that the audit
evidence is accurate, and that the non-conformity is understood. Every attempt
is to be made to resolve any diverging opinions concerning the audit evidence
and/or findings, and unresolved points are to be recorded.

4.11.7 Drafting Non-Conformity Notes

4.11.7.1 Non-Conformity Note (NCN) Form MSF1902 must be used when

raising non-conformities. The form must be filled out by the auditor, ensuring that
the standards/code under which the non-conformity has been raised have been
included.

NCN Number

4.11.7.2 All NCN’s are allocated a unique number. The unique number should
follow the form:

Standard/Co.or ship name in short/year/serial no.

Example: SM/ABC LTD/10/02 or ISPS/EURO STAR/10/01

This number combined with the ship or company name provides the unique
ps
shi
s4
eg

reference.
R
by
d
ce
du
ro
ep
R

Description of deficiency

4.11.7.3 The description of the deficiency on the NCN form should include:

• Identification of the problem:

“A Review of records of deck stores received revealed that no reports of
compliance had been made for one year despite the ‘ship XYZ’ receiving
stores every three months, and there has been no follow up from the
company.”
• Identification of the requirement
“Procedure PR-08 requires ship staff to inspect 10% of deck stores
received to verify compliance with specification and submit a report to the
company.”
• Attribution
“Clause 7.4.3 of the ISO 9001:2008 requires the company to establish
and implement the inspection or other activities necessary for ensuring
that purchased product meets specified purchase requirements.”
Although insertion of the clause reference in the required box will suffice.

4.11.7.4 In this example the root cause of the deficiency has been identified
rather than the shallower “control of records” (ISO 9001:2008, clause 4.2.4).

MSIS 37/CH4/REV 0810 Page 24 of 37

4.11.7.5 Deficiencies from similar clauses of the relevant standard should be
grouped together under a single Non-Conformance Note.

Classification of non-conformities

4.11.7.6 Different auditing systems have differing requirements regarding

classification of non-conformity (see technical instructions for more detail):

ISM Code Major non-conformity, Non-conformity, or Observation;

ISPS Code Non-conformity;
ISO 9001 Major non-conformity, Minor non-conformity or Observation;
ISO14001 Major non-conformity, Minor non-conformity or Observation.

Downgrading Major Non-conformities

4.11.7.7 If a major non-conformity is issued it indicates that the system under

review requires immediate rectification. The non-conformity form has a section
that allows the major non-conformity to be downgraded when this rectification
has taken place.

4.11.7.8 A sample of a completed MSF 1902 can be found at Annex A.

ps
shi
s4
eg

4.11.8 Preparing audit conclusions

R
by
d
ce
du
ro
ep
R

4.11.8.1 Audit conclusions address:

• The extent of conformity of the system under audit with the audit criteria;
• The effective implementation, maintenance and improvement of the
system under audit;
• The capability of the management review process to ensure the
continuing suitability, adequacy, effectiveness and improvement of the
system under audit; and
• If specified in the audit objectives, the future of certification.

4.11.8.2 The audit team are to confer prior to the closing meeting to:

• Review audit findings, and any other appropriate information collected

during the audit, against the audit objectives;
• Agree audit conclusions, taking into account the uncertainty inherent in
the audit process;
• Prepare recommendations; and
• Discuss audit follow-up;

4.11.9 Conducting the closing meeting

MSIS 37/CH4/REV 0810 Page 25 of 37

4.11.9.1 At the end of each day of the audit a closing meeting must be held,
chaired by the Lead Auditor. Records of those present at the closing meeting
should be kept. The Lead Auditor should indicate that this meeting is an
opportunity for the client to ask questions about the findings and their basis. The
findings of the day, including non-conformities and areas of good practice should
be discussed.

4.11.9.2 In particular, at the closing meeting on completion of the audit, remedial

action is to be discussed and any non-conformance notes signed by the Lead
Auditor and the relevant management representative of the client to agree
appropriate action including timescale for completion. The client is to be
informed of the need for a full or partial reassessment or whether a written
declaration, to be confirmed at a future surveillance visit will be considered
adequate to close out any non-conformances.

4.11.9.3 The Lead Auditor must provide the client with an indication of the
conformity of the organisation’s system with the audit criteria.

4.11.10 Endorsement of certification

4.11.10.1 After a successful intermediate ISPS verification, intermediate SMC

audit, or annual DOC audit, the certificate will require endorsing by signing and
stamping the relevant space on the certificate’s reverse.
ps
shi
s4
eg
R
by
d
ce
du

4.11.10.2 Similarly, if an ISM Code or ISPS Code additional audit has been
ro
ep
R

undertaken the certificate requires endorsing.

4.12 Post Audit Activities

4.12.1 Audit report

4.12.1.1 Following the assessment the Lead Auditor is responsible for writing a
report on the findings of the audit team (see section 5 for audit report formats).

4.12.1.2 The Lead Auditor must endeavour to forward the report to the client
within two weeks of the completion of the audit. The Lead Auditor will need to
liaise with team members and to ensure receipt of draft reports relating to
activities and processes assessed. It is left to the Lead Auditor’s discretion as to
whether individual auditors should produce reports, which are then collated, or
whether one report is produced by a combined effort of the audit team.

4.12.1.3 As a minimum the audit report must include:

• An account of the audit, including a summary of any documentation

reviewed, areas of investigation and methodologies used, as applicable;
• Details of any previously raised non-conformances and actions taken;

MSIS 37/CH4/REV 0810 Page 26 of 37

 • Details of any non-conformances raised during current audit;
• Date and duration of audit;
• Lead Auditor’s name;
• Identification of the entities audited (name and address of client, vessel
name, identification of elements audited);
• Scope of certification assessed;
• Reference to the standard audited against;
• Comments on conformity of the system to the requirements of the
standard;
• Clear statements of non-conformity when non-conformity was found;
• If appropriate comparisons with previous assessments of the client;
• An explanation of any differences from the information presented to the
organisation at the closing meeting; and
• A recommendation.

4.12.1.4 The report may also include:

• Areas of good practice;

• Areas of bad practice; and
• List of personnel audited.

4.12.1.5 Before the report is released it should be reviewed by the Line Manager
ps
shi
s4
eg

(or someone given authority). The original signed and for ISM, ISPS, and
R
by
d
ce

MCAQA audits, stamped, audit report is then sent to the client, and a photocopy
du
ro
ep
R

kept on the appropriate client file. The client’s local management are invited to
respond to this report highlighting any areas of ambiguity.

4.12.1.6 For MCAQA ownership of the audit report remains with MCAQA.

4.12.2 Certificate issue

4.12.2.1 For ISM, ISPS and MCAQA interim, initial and renewal audits the Lead
Auditor is responsible for the preparation of the declaration and the certificate.
The Lead Auditor is to sign the declaration that the audit has been completed
and that all factors were covered. The Line Manager (or someone given
authority) who is independent of the audit process and the client (worked for,
close family member working for, or share holder of client) will take the
declaration and audit report and review the circumstances and if satisfied sign off
the certificate. The Administrator will distribute the certificate and file audit
documentation in the appropriate file.

4.12.3 Follow-up action

4.12.3.1 The Lead Auditor is responsible for ensuring that any

non-conformances raised are closed out by the agreed dates. There should be

MSIS 37/CH4/REV 0810 Page 27 of 37

three considerations when considering the close-out response to a
non-conformance:

• Correction of the deficiency identified;

• An analysis of the cause of the deficiency; and
• Corrective action.

4.12.3.2 When deciding to close-off a non-conformity the auditor needs to

consider if objective evidence has been provided that demonstrates closure of all
three considerations.

4.12.3.3 When the close-out action is complete, the non-conformance with

supporting evidence is returned to the Lead Auditor to demonstrate that required
action has been taken. In the majority of cases, documentary evidence such as
copies of revised records, instructions issued or minutes/letters written will be
accepted as proof and allow the Lead Auditor to effect close-out.

4.12.3.4 If the auditor is satisfied with the documentary evidence supplied the
non-conformity may be closed out. If the auditor is not satisfied the client must
be informed with an explanation of the requirements.

4.12.3.5 If documentary evidence does not provide enough evidence as to the

ps

effectiveness of the corrective action, the auditor may request that an additional
shi
s4
eg
R

visit to the client be made. This may take place immediately or after an arranged
by
d
ce
du
ro

time period to allow any new practices to be put in place. Such audits will be
ep
R

limited to assessing the effectiveness of corrective action.

4.12.3.6 If it becomes clear, that close-out action cannot be completed within the
timescale, the client should contact the lead auditor explaining the situation. If
appropriate the Lead Auditor may then either:

• Close the existing non-conformity and raise a new non-conformity which

is the same as the first but with an amended deadline;
• Upgrade the category of the deficiency; or
• Recommend to the Line Manager that certification process is suspended
or any issued certificate is cancelled (see paragraph 4.12.4).

4.12.3.7 If the Lead Auditor regards the client to be lacking in commitment when
undertaking any follow up action the Line Manager must be informed so a
decision on what action is required can be taken.

4.12.4 Withdrawing certification

4.12.4.1 Withdrawing a client’s certificate (that is making the certification

permanently invalid) is a serious consideration which is not to be taken lightly.
The ISM Code and ISO 17021:2006 (conformity assessment – requirements for

MSIS 37/CH4/REV 0810 Page 28 of 37

bodies providing audit and certification of management systems; that covers
ISO 9001 and ISO 14001 certification) allows for certificates to be withdrawn.
The ISPS Code only provides instances which make a certificate invalid.

4.12.4.2 In cases were Lead Auditors consider that the correct course of action
is to discontinue certification they are to seek the endorsement of this conclusion
by their Line Manager. A report together with full supporting documentation is to
be forwarded to the Audit Policy Manager for review. The Audit Policy Manager
will review the case and made a recommendation to the final decision maker as
to whether the certificate is to be withdrawn or made invalid. The final decision
makers are identified in the following table:

Table 6 – Decision-makers for withdrawing certification

Audit Programme Final Decision-maker

1 International Safety Management
(ISM) Code Assistant Director
2 International Ship and Port facility Seafarer and Ships
Security (ISPS) Code
3 External ISO 9001:2008 Assistant Director
4 External ISO 14001:2004 Seafarer and Ships
ps

4.12.5 Appeals and disputes

shi
s4
eg
R
by
d
ce
du
ro

4.12.5.1 In the event of audit findings or a certification decision not being

ep
R

accepted by the client, reasons for rejection must be provided and the
non-conformance note returned to the Lead Auditor. If satisfied by the evidence
offered, the Lead Auditor will close out the non-conformance note and sign
accordingly. However, where the Lead Auditor is not satisfied with the response,
the Line Manager is to be informed and liaison with a view to resolving
outstanding issues will continue. In cases where agreement cannot be reached,
the Lead Auditor will advise the client to initiate the appeals or disputes
procedure.

4.12.5.2 In cases where a complaint is made about the conduct of an ISM Code
or ISPS Code audit MCA’s complaints procedure which can be found in
CORP 43, Annex A will be followed.

4.12.5.3 In cases where a complaint is made about the conduct of an ISO 9001
or ISO 14001 audit MCAQA’s complaints procedure which can be found in
MCAQA 1 will be followed.

4.12.5.4 In cases where an appeal against a technical decision is made

regarding ISO 9001 or ISO 14001 audits MCAQA’s appeals procedure which can
be found in MCAQA 2 will be followed.

MSIS 37/CH4/REV 0810 Page 29 of 37

4.12.6 Process control

4.12.6.1 At the end of the process the Administrator is responsible for

undertaking checks to ensure all the appropriate information is held within the
client file and that all data entry has been completed.

4.12.6.2 After completion of the Administrator’s review the file is to be passed to

the Line Manager (or someone authorised) for technical review.

4.12.6.3 Papers for audits are filed as follows:

Table 7 – File requirements

Registered File Documents

Audit Programme
Series Retention Requirement
International DOC ms166/04 25 years -
Safety
1
Management SMC cm48/01 25 years -
(ISM) Code
International Ship and Port 25 years
2 cm/27/09 MSF 5613
facility Security (ISPS) Code
External ISO Office ms166/14 25 years MCAQA 19
3
ps

9001:2008 Ship cm54/01 25 years MCAQA 20

shi
s4
eg
R
by

External ISO Office ms166/16 25 years MCAQA 19

d
ce
du

4
ro
ep

14001:2004 Ship cm54/01 25 years MCAQA 20

R

4.13 Monitoring and measuring the audit programme

4.13.1 The Audit Policy Manager is responsible for conducting monitoring and
measuring of each process. The specific requirements for this monitoring and
management review vary with audit programmes and should be specified in
technical requirements identified in Chapter 3.

4.14 Review for continual improvement

4.13.1 Audit Policy Managers are to undertake at least an annual management

review of the audit programme they are responsible for to assess whether its
objectives have been met and to identify opportunities for improvement. The
outcome of the review is to be reported to senior management.

Author P White Branch Security Policy

Approved P Owen Branch Ship Safety
Authorised by P Coley Branch Seafarers and Ships

MSIS 37/CH4/REV 0810 Page 30 of 37

CHAPTER 5

DOCUMENTATION AND CERTIFICATION

Key Changes

This is a new document and therefore has no highlighting of new text

5.1 Current Documentation

Table 8 – Form Availability

Form
Form Title Availability
Number
ISM Code
MSIS 2 Instructions to Surveyors MLD
MSF 1900 Document of Compliance E-forms
MSF 1901 Safety Management Certificate E-forms
MSF 1902 Non-Conformity Note Printed Pad
MSF 1904 Interim Document of Compliance E-forms
MSF 1905 Interim Safety Management Certificate E-forms
ps
shi
s4
eg

Declaration of audit for Safety

R
by

MSF 1906 E-forms

d
ce
du

Management Certificate (DSM)

ro
ep
R

MSF 1907 Safety Management Certificate (DSM) E-forms

Declaration of Audit for Document of
MSF 1909 E-forms
Compliance
MSF 1911 ISM Code audit report MLD
MSF 5501 ISM document review aide memoire MLD
Audit plan – Safety Management MLD
Audit plan 1
Certificate
Audit plan 2 Audit plan – Document of Compliance MLD
ISM/ISO
Letter of Acceptance of foreign DOC
Policy
ISPS Code
MSIS 25 Instructions to Surveyors MLD
MSF 1902 Non-Conformity Note Printed Pad
MSF 5602 Declaration of Audit E-forms
MSF 5603 International Ship Security Certificate E-forms
Interim International Ship Security
MSF 5604 E-forms
Certificate
MSF 5609 ISPS Code verification report MLD
MSF 5610 ISPS Code verification aide memoire MLD
MSF 5611 Ship Security Plan Document review MLD

MSIS 37/CH5/REV 0810 Page 31 of 37

 Form
Form Title Availability
Number
MSF 5613 CM27/9 file series document checklist MLD
MSF 5616 Model Ship Security Plan MLD
MSF 5620 Remote verification form MLD
MSF 5621 Ship Security Plan Approval letter MLD
External ISO 9001 and External ISO 4001)
QAF 1 Auditor (Experience) Log

Not individually listed on MLD, list can be found at:

QAF 2 Lead Auditor Authorisation Certificate

m3net.mcga.gov.uk/c4mca/qaf_list_rev_4.pdf
QAF 3 Declaration of Confidentiality
QAF 4 Internal Audit Schedule Proforma
Internal (ISO 17021) Audit Report
QAF 5
template
QAF 6 Internal Audit corrective action
QAF 7 Application Review Report template
QAF 9 Opening/Closing meeting log
QAF 10 Audit report template
QAF 12 9001:2008 declaration
QAF 13 Certificate of compliance
QAF 14 ISO 14001 ship questionnaire
QAF 15 ISO 14001 shore questionnaire
ps
hi

QAF 16 Blank audit plan

s
s4
eg
R
by

QAF 17 14001:2004 declaration

d
ce
du
ro
ep

QAF 18 Auditor competence assessment

R

QAF 19 Client file (office) check list

QAF 20 Client file (ship) checklist
QAF 21 Auditor authorisation certificate
QAF 23 Lead Auditor appointment (for each audit)
m3net.mcga.gov.uk/c4mca/qaf_list

Not individually listed on MLD, list

QAF 24 Application review

QAF 25 ISO Job Control Sheet
Conditions of use for MCAQA
QAF 26
can be found at:

Certification Mark
_rev_4.pdf

QAF 27 (Auditor) competency analysis

QAF 28 Client audit schedule
QAF 29 Auditor resource assessment (for audits)
QAF 34 ISO 9001 (audit) aide memoire
QAF 36 Certificate withdrawal coversheet
QAF 37 QMS aide memoire
QAF 37a QMS Audit guidance
QAF 38 EMS company aide memoire
QAF 40 (Declaration of) Conflicts of Interest

MSIS 37/CH5/REV 0810 Page 32 of 37

5.2 Documentation Made Obsolete by this Process

5.2.1 The current Instructions to Surveyors covering the ISM Code and the
ISPS Code contain a mixture of process and technical information. All process
information will be removed from the documents and any reference in the current
documents to process is to be considered obsolete and replaced by that in this
document.

5.2.2 Procedure MCA 525 on ISM Audits is replaced this document.

Author P White Branch Security Policy

Approved P Owen Branch Ship Safety
Authorised by P Coley Branch Seafarers and Ships

ps
shi
s4
eg
R
by
d
ce
du
ro
ep
R

MSIS 37/CH5/REV 0810 Page 33 of 37

CHAPTER 6

NON-TECHNICAL REFERENCES (back)

Key Changes

This is a new document and therefore has no highlighting of new text

6.1 Technical requirements and guidance

6.1.1 The technical requirements for all Marine Office audits can be found on
the SCMS. Technical guidelines are not included in this document, they can be
found in the documents detailed in the table below:

Table 9 – Technical Guidance

Technical Guidance
Audit Programme
Ref No Title
International Safety Instructions to
1 MSIS 2
Management (ISM) Code Surveyors ISM Code
International Ship and Port Instructions to
2 MSIS 25
facility Security (ISPS) Code Surveyors ISPS Code
ps
shi
s4
eg
R

Certification
by

3 External ISO 9001:2008

d
ce
du

MCAQA 5 Assessments to ISO

ro
ep
R

4 External ISO 14001:2004 9001 and ISO 14001

6.2 Process References

Table 10 – Process References

References
Audit Programme
Ref No Title
Regulation of the
European Parliament
and of the Council of
15 February 2006 on
the implementation
International Safety of the International
1 336/2006/EC
Management (ISM) Code Safety Management
Code within the
Community and
repealing Council
Regulation No
3051/95

MSIS 37/CH6/REV 0810 Page 34 of 37

 References
Audit Programme
Ref No Title
c.28 The Merchant
Shipping Act 1995
The European
c.68 Communities Act
1972
The Merchant
Shipping (ISM
1997:3022 Code) (Ro-Ro
Passenger Ferries)
Regulations 1997
The Merchant
Shipping
(International Safety
1998:
Management (ISM)
Code) Regulations
1998
2 International Ship and Port 725/2004/EC Regulation of the
facility Security (ISPS) Code European Parliament
and of the Council of
31 March 2004 on
ps

enhancing ship and

shi
s4
eg
R
by

port facility security

d
ce
du
ro

c.28 The Merchant

ep
R

Shipping Act 1995

2004:1495 The Ship and Port
Facility (Security)
Regulations 2004
c.68 The European
Communities Act
1972
2005:1434 The Ship and Port
Facility (Security)
(Amendment)
Regulations 2005
3 External ISO 9001:2008 ISO Conformity
17021:2006 assessment –
requirements for
bodies providing
audit and
certification of
management
systems

MSIS 37/CH6/REV 0810 Page 35 of 37

 References
Audit Programme
Ref No Title
ISO Guidelines for
19011:2002 quality and/or
environmental
management
systems auditing
4 Internal ISO 9001:2008 As ISO 9001:2008

Author P White Branch Security Policy

Approved P Owen Branch Ship Safety
Authorised by P Coley Branch Seafarers and Ships

ps
shi
s4
eg
R
by
d
ce
du
ro
ep
R

MSIS 37/CH6/REV 0810 Page 36 of 37

 Annex A
Completed Non-Conformity Note MSF 1902/Rev.03/10

NON-CONFORMITY NOTE

NCN Number: # ISPS/NONSUCH/10/01

Name of Co. Id / IMO Number:
NONSUCH
Company/Ship*: 1234567
Address/Location of
ship*: SOUTHAMPTON
Auditor: AN OTHER
Auditee / Area under SHIP SECURITY ALERT SYSTEM
audit
1. NON-CONFORMITY (To be completed by Auditor, including identification of relevant clause(s))**
ISM/DSM ISO 9001 ISO ISPS
Category,
CODE Cl. No.: 14001 CODE
if
MAJOR / MINOR / NC /
Cl. No.: Cl. No.: Cl. No.: applicable OBSERVATION
A/9.4.18
Requirement of ISM Code/ SMS / QMS / EMS / ISPS Code/SSP/STANDARD /
MANUAL
Procedure S-18 requires that the ship’s staff test the ship security alert system with
MRCC Falmouth every six months
ps
shi
s4

What is the deviation from the requirement?

eg
R
by
d
ce

Review of the Ship Security Alert System testing records shows that no test has been
du
ro
ep
R

conducted for 18 months

Signature _ XXXXXXX_______ Signed:_____ A N Other _____
Company / Ship. Representative Auditor
Date: 1st January 2010
2. CORRECTIVE ACTION (To be completed by Auditee in conjunction with the
Auditor)***
Ship Security Alert test to be undertaken within three days of leaving port
Company requested to add Ship Security Alert System test requirement to ships’
computerised planned maintenance system
Evidence of test and revised documentation to be forwarded to MCA
Note to be placed on ship’s internal audit file to review testing of ship security alert
systems at next internal audit
Date Corrective Action to be MAJOR NC DOWN GRADED YES / NO /
completed: 31 March 2010 N/A
3. FOLLOW UP AND CLOSE OUT (MCA use only)****
Successful Ship Security Alert test results received 6th January
Note from internal audit file and revised procedure ‘S-18 revision 3’ received 12th March,
contains evidence of amendment to ships’ computerised planned maintenance system
Date NCN__14th March 2010 Signed ____ A N Other_________ Original :
Closed Auditor Company/Ship
2nd Copy: MCA

MSIS 37/ANNEXES/REV 0810 Page 37 of 37