In the case of a company, for whatever reason, eg small size, appoints another person not a company employee, ie an agency to act as CSO for them, in a similar way as ISM allows this for the DPA function?

The ISPS Code doesn't specifically disallow this therefore it could be a runner. However the Code does impose some executive powers in the CSO such as ensuring the SSA's are carried out (A?11.2.2) etc which would need addressing.
