Ship Auditing Under ISM Code
The International Safety Management (ISM) Code establishes a global benchmark for managing ships safely while preventing pollution. Ship auditing under the ISM Code evaluates whether a shipping company’s Safety Management System (SMS) functions effectively in real-world operations. Auditors examine documentation, procedures, crew training, maintenance routines, emergency drills, and risk controls to confirm alignment with ISM requirements. These audits are conducted internally by company personnel or externally by flag states, classification societies, or port authorities. The process identifies gaps, mandates corrections, and supports certification that allows vessels to trade internationally.
Auditing serves multiple purposes: verifying SMS implementation, ensuring regulatory compliance, assessing risks to personnel and the environment, and confirming pollution prevention measures. Internal audits happen at least annually, while external audits tie directly to the Document of Compliance (DOC) for the company and the Safety Management Certificate (SMC) for each ship. Non-conformities range from observations to major issues that threaten safety or the environment. Failure to resolve deficiencies leads to corrective actions, follow-up verifications, fines, detentions, or certificate revocation.
This comprehensive guide explores the ISM Code framework, audit objectives, scope, procedures, findings, certifications, consequences, and supporting guidelines. It incorporates ISM Code sections, audit cycles, auditor qualifications, and management reviews to provide maritime professionals with actionable insights.
Origins and Structure of the ISM Code
The International Maritime Organization (IMO) adopted the ISM Code in 1993 through resolution A.741(18). It became mandatory on 1 July 1998 via amendments to SOLAS Chapter IX. The code addresses safe ship operation and pollution prevention by requiring companies to develop an SMS tailored to their fleet, personnel, and operating conditions.
The code emphasizes top-level commitment. Safety outcomes depend on competence, attitudes, and motivation across shore and shipboard teams. It applies broad principles to accommodate diverse company sizes and ship types. Companies assess risks to ships, personnel, and the environment, then implement safeguards.
Key Amendments to the ISM Code
Amendments refine requirements without altering core objectives:
- 2000 (MSC.104(73), effective 1 July 2002): Clarified designated person ashore (DPA) roles.
- 2004 (MSC.179(79), effective 1 July 2006): Strengthened emergency preparedness.
- 2005 (MSC.195(80), effective 1 January 2009): Enhanced maintenance procedures.
- 2008 (MSC.273(85), effective 1 July 2010): Improved non-conformity reporting.
- 2013 (MSC.353(92), effective 1 January 2015): Integrated cyber risk management.
Related provisions include:
- MSC-MEPC.7/Circ.8: Operational implementation guidelines.
- MSC-MEPC.7/Circ.6: DPA qualifications.
- MSC-MEPC.7/Circ.7: Near-miss reporting.
- MSC-FAL.1/Circ.3: Cyber risk management.
- MSC.428(98): Cyber risks in SMS.
The code is divided into Part A (Implementation) and Part B (Certification). Part A contains 12 sections covering objectives, SMS requirements, company responsibilities, DPA duties, master’s authority, resources, maintenance, documentation, verification, and certification.
Objectives of ISM Auditing
Auditing evaluates SMS effectiveness across safety and environmental domains. Primary goals include:
- SMS Effectiveness Assessment: Determine if policies reduce risks to crew, ship, cargo, and environment.
- Compliance Verification: Confirm adherence to ISM Code, SOLAS, MARPOL, STCW, and flag state laws.
- Deficiency Identification: Pinpoint gaps in procedures, training, or equipment.
- Pollution Risk Mitigation: Verify controls for oil spills, emissions, ballast water, and garbage.
- Continuous Improvement: Recommend enhancements to close non-conformities.
Auditors sample records, interview personnel, observe operations, and test drills. Findings drive corrective actions that strengthen the SMS.
Types of Audits Under the ISM Code
Audits fall into internal and external categories, each with defined frequencies and independence requirements.
Internal Audits
Companies conduct internal audits to self-assess SMS performance. ISM Code Section 12.1 mandates audits onboard and ashore at intervals not exceeding 12 months. Extensions up to 15 months require documented justification for exceptional circumstances, such as remote locations or pandemics.
Auditors must remain independent of audited areas. Small companies may use external consultants to meet this rule. Audits follow company procedures covering planning, execution, reporting, and follow-up.

External Audits
External audits support certification and are performed by flag states or recognized organizations (ROs) like classification societies (DNV, ABS, Lloyd’s Register). They include:
- Initial Audit: For new companies or ships entering the SMS.
- Annual/Intermediate Audit: Between 2nd and 3rd anniversary of DOC/SMC.
- Renewal Audit: Every 5 years for DOC/SMC.
- Additional Audit: Triggered by major incidents, port state detentions, or multiple non-conformities.
External audits verify DOC for shore operations and SMC for ships. The DOC confirms company-wide SMS compliance; the SMC applies per vessel.
| Audit Type | Frequency | Conducted By | Certificate Impact |
|---|---|---|---|
| Initial | Once (new SMS) | RO/Flag | Issues interim DOC/SMC |
| Annual | Years 2-3 | RO | Endorses DOC/SMC |
| Renewal | Every 5 years | RO/Flag | Reissues DOC/SMC |
| Additional | As needed | RO/Flag | Resolves major issues |
What Auditors Examine
Auditors cover all SMS elements per ISM Code Part A. The scope spans shore and shipboard activities.
1. Company Responsibilities and Authority
- Defined safety and environmental policy.
- Clear lines of authority between shore and ship.
- DPA with direct access to top management.
2. Designated Person Ashore
- DPA qualifications: maritime experience, ISM knowledge, communication skills.
- 24/7 availability.
- Authority to monitor safety and request resources.
3. Master’s Responsibility and Authority
- Master overrides non-compliant instructions.
- Authority to request company assistance.
- Reviews SMS and reports deficiencies.
4. Resources and Personnel
- Adequate manning per safe manning document.
- Crew familiarization with SMS.
- Training records for STCW, flag, and company requirements.
5. Shipboard Operations
- Navigation procedures (passage planning, bridge checklists).
- Cargo handling per IMSBC/IMSGC codes.
- Hot work permits and enclosed space entry.
6. Emergency Preparedness
- Drills for fire, abandon ship, oil spill, security incidents.
- SOPEP/SMPEP availability and crew knowledge.
- Emergency contact lists updated.
7. Maintenance and Inspections
- Planned maintenance system (PMS) records.
- Critical equipment testing (lifeboats, fire pumps).
- Dry-dock and survey compliance.
8. Documentation Control
- SMS manual current and accessible.
- Obsolete documents removed.
- Change control process.
9. Verification and Review
- Internal audit reports.
- Management review minutes.
- Corrective action tracking.
Auditors also check cyber risk controls per MSC.428(98), including network security, access controls, and incident response.
Audit Process Step by Step
- Planning: Define scope, select team, issue checklists.
- Opening Meeting: Explain objectives, confirm schedule.
- Document Review: Examine SMS manual, records, logs.
- Interviews: Question master, officers, ratings, DPA.
- Observations: Witness drills, rounds, maintenance.
- Sampling: Check 10-20% of records based on risk.
- Closing Meeting: Present preliminary findings.
- Report: Detail conformities, observations, non-conformities.
- Corrective Actions: Company submits plan within agreed timeline.
- Follow-Up: Verify implementation.
Audit Findings and Classifications
Findings are categorized by severity:
| Finding Type | Definition | Example | Response Time |
|---|---|---|---|
| Observation | Fact noted, no breach | Outdated poster | None required |
| Minor Non-Conformity | Isolated deviation | Missing drill record | 3 months |
| Major Non-Conformity | Serious risk or SMS breakdown | No PMS for critical equipment | Immediate/14 days |
Multiple minor non-conformities in one area can be upgraded to a major non-conformity. One major non-conformity invalidates the SMC until resolved.
Certification Process
Document of Compliance (DOC)
- Issued to company after initial audit.
- Valid 5 years.
- Lists ship types covered.
- Copied to each managed vessel.
Safety Management Certificate (SMC)
- Issued per ship after onboard audit.
- Valid 5 years.
- Requires intermediate verification.
Interim Certificates
- Valid maximum 12 months for DOC, 6 months for SMC.
- Issued for new ships, change of flag, or new company.

Consequences of Non-Compliance
Corrective Actions
Companies receive timelines based on risk:
- Major non-conformity: 14 days for plan, 3 months for evidence.
- Minor: 3 months.
Follow-up audits confirm closure.
Operational Impacts
- Port State Control (PSC) Detention: ISM failures trigger detention until rectified.
- Insurance Issues: Invalid SMC voids P&I cover.
- Commercial Penalties: Charterers reject non-certified ships.
Legal and Financial Penalties
Flag states report SMC revocations to IMO. Fines vary by jurisdiction but reach millions for repeat pollution violations. Classification societies suspend class for unresolved majors.
Internal Auditor Requirements
ISM Code Section 12.5 requires independence. Auditors complete IMO-approved training covering:
- ISM Code structure.
- Audit techniques (sampling, interviewing).
- Root cause analysis.
- Report writing.
Training providers offer online or classroom courses. Sample programs:
| Course | Provider | Duration | Mode | Cost (USD) |
|---|---|---|---|---|
| ISM Internal Auditor | DNV | 16 hours | Online | 450 |
| Lead Auditor | ABS | 24 hours | Classroom | 1,200 |
| DPA Training | Lloyd’s | 20 hours | Online | 600 |
No universal price exists; costs depend on provider and region.
Management Review of SMS
Section 12.3 mandates periodic SMS evaluation. Reviews consider:
- Internal/external audit results.
- Non-conformities and near-misses.
- Master’s reports.
- PSC findings.
- Incident investigations.
- Regulatory changes.
Minutes document decisions, action items, and responsibilities. Reviews occur annually or after major events.
Documentation Control
Companies maintain procedures to:
- Ensure valid documents at all locations.
- Review changes by authorized personnel.
- Remove obsolete versions promptly.
The Safety Management Manual (SMM) compiles SMS documents. Ships carry hard copies or approved electronic versions.
Role of the Designated Person Ashore (DPA)
The DPA bridges ship and shore. Qualifications include:
- Seagoing experience as officer.
- Shore management exposure.
- ISM auditor training.
Duties:
- Monitor SMS implementation.
- Ensure adequate resources.
- Report deficiencies to top management.
- Coordinate audits.
Emergency Preparedness Audits
Auditors verify:
- Drill frequency (monthly fire/abandon, quarterly others).
- Crew participation records.
- Equipment readiness (lifeboats, fire hoses).
- SOPEP exercises with authorities.
Maintenance System Verification
Auditors inspect:
- PMS software (AMOS, TM Master) records.
- Overdue jobs.
- Spare parts inventory.
- Thickness measurements for hull.
Cyber Risk Management Integration
Per MSC.428(98), SMS includes:
- Inventory of OT/IT assets.
- Access controls.
- Backup procedures.
- Crew cyber awareness training.
Auditors review penetration tests and incident logs.
Best Practices for Audit Preparation
- Pre-Audit Self-Assessment: Use internal checklists.
- Record Completeness: Ensure logs are signed and dated.
- Crew Briefings: Conduct SMS refreshers.
- Drill Scheduling: Complete required drills.
- Document Updates: Remove obsolete procedures.
Audit Report Structure
Standard reports contain:
- Executive summary.
- Audit details (dates, team, scope).
- Positive findings.
- Non-conformities with evidence.
- Observations.
- Recommendations.
- Corrective action plan template.
Follow-Up and Close-Out
Companies submit evidence of corrections (photos, revised procedures, training certificates). Auditors verify remotely or onsite. Closed findings receive “verified” status.
Integration with Other Codes
ISM audits overlap with:
- ISPS Code: Security plans, SSO interviews.
- MLC 2006: Crew accommodation, wages.
- ISO 9001/14001: Quality and environmental systems.
Combined audits reduce disruption.
Challenges in ISM Auditing
- Remote Locations: Auditor travel delays.
- Crew Turnover: Knowledge gaps.
- Language Barriers: Multi-national crews.
- Digital Transition: Paperless SMS adoption.
Solutions include e-learning, regional auditor pools, and cloud-based PMS.
Future of ISM Auditing
Trends include:
- Remote Audits: DNV offers partial remote verification.
- Data Analytics: AI predicts maintenance failures.
- Blockchain: Immutable audit trails.
- Sustainability: GHG reporting integration.
The ISM Code remains the foundation for safe, compliant shipping. Regular auditing transforms theoretical SMS into practical safety culture. Companies that treat audits as improvement opportunities rather than compliance exercises achieve superior safety records and operational efficiency.
Maritime professionals must understand audit requirements, prepare thoroughly, and implement corrections promptly. The SMC represents not just a certificate but evidence of a living, effective SMS protecting lives, assets, and the marine environment.
Frequently Asked Questions
Ship auditing under the ISM Code is the systematic verification of a shipping company’s Safety Management System (SMS) to ensure compliance with international safety, operational, and pollution prevention standards. It includes internal audits by the company and external audits by flag states or classification societies.
Internal audits are conducted by the company’s own trained personnel at least every 12 months (extendable to 15 months in exceptional cases) to self-assess SMS effectiveness.
External audits are performed by independent bodies like classification societies or flag administrations to issue or renew the Document of Compliance (DOC) and Safety Management Certificate (SMC).
Failure results in non-conformities. Minor issues require correction within 3 months; major non-conformities demand immediate action and can lead to SMC suspension, port detention, fines, or loss of insurance coverage until resolved through follow-up audits.
Internal audits: Every 12 months (max 15 months with justification).
External audits:
- Initial: For new certification.
- Annual: Between 2nd and 3rd year.
- Renewal: Every 5 years.
- Additional: After incidents or major failures.
Internal auditors must be independent of the area being audited and have completed ISM auditor training. The Designated Person Ashore (DPA) or qualified shore/ship staff typically perform these, though small companies may hire external consultants to ensure impartiality.
Conclusion
Ship auditing under the ISM Code remains the cornerstone of maritime safety and environmental stewardship. By rigorously evaluating the Safety Management System (SMS) through internal and external audits, shipping companies ensure operational integrity, crew welfare, and pollution prevention. The process, spanning documentation control, emergency preparedness, maintenance systems, and risk management, transforms theoretical policies into actionable safeguards.
Compliance is non-negotiable. A valid Safety Management Certificate (SMC) and Document of Compliance (DOC) are not mere formalities but legal and commercial prerequisites for global trade. Non-conformities, if unaddressed, trigger corrective actions, detentions, or certificate revocation, with severe financial and reputational consequences.
Ultimately, effective auditing fosters a proactive safety culture. Companies that embrace audits as opportunities for continuous improvement achieve superior reliability, regulatory trust, and operational resilience. For maritime professionals, mastering ISM auditing is not just a requirement—it is a commitment to protecting lives, assets, and the marine environment.