ISPS Code

The International Ship and Port Facility Security Code (ISPS Code) was adopted by the IMO in December 2002 in direct response to the 11 September 2001 attacks. It entered into force on 1 July 2004, made mandatory through SOLAS Chapter XI-2, and applies to all SOLAS ships of 500 GT and over engaged in international voyages, all passenger ships, mobile offshore drilling units, and the port facilities serving such ships.

The Code is in two parts: Part A is mandatory and contains the detailed security-related requirements; Part B is recommended guidance, although in practice many flag states implement Part B as mandatory under domestic law. The Code introduces three security levels, requires a Ship Security Plan (SSP) onboard every ship and a Port Facility Security Plan (PFSP) at every port facility, and sets a chain of responsibility from the Company Security Officer (CSO) through the Ship Security Officer (SSO) onboard.

Security levels

• 1Security Level 1

  Normal operations. Minimum protective security measures shall be maintained at all times. Routine access control, deck patrols, restricted-area access regulation, monitoring of cargo and stores.

• 2Security Level 2

  Heightened risk. Additional measures shall be applied because of an elevated risk of a security incident. Increased frequency and detail of patrols and access checks; greater scrutiny of stores; additional restrictions on movements.

• 3Security Level 3

  Probable or imminent threat. Specific protective measures applied for a limited period because a security incident is probable or imminent (although it may not be possible to identify the specific target). Substantial measures including possible restriction on movement, port closure decisions, embarkation control.

The security level applicable to a ship at any time is the higher of (a) the level set by the flag state for the ship and (b) the level set by the port facility for that port. The Master is informed of the prevailing level by the port facility on arrival. When a ship moves between security levels, the SSP specifies what additional measures are taken.

Key roles

• Company Security Officer (CSO)

  Designated by the Company. Develops and submits the Ship Security Plan (SSP) for approval, conducts the Ship Security Assessment (SSA), and ensures the SSP is implemented across the fleet. One CSO may cover multiple ships. Holds STCW V/4 (CSO equivalent) or relevant national qualification.

• Ship Security Officer (SSO)

  Onboard officer designated by the Company. Day-to-day implementation of the SSP, conduct of regular security inspections, training of the crew, security duties at access control points. Holds STCW VI/5 (SSO certificate).

• Port Facility Security Officer (PFSO)

  Designated by the port facility operator. Maintains the Port Facility Security Plan (PFSP) under the Code, conducts security exercises, coordinates with ship security officers during port calls.

• Designated Authority

  Each contracting government designates an authority responsible for the implementation of Part A within its jurisdiction. In the US this is the USCG; in the UK the DfT TRANSEC; in the EU the national maritime administrations.

• Recognised Security Organisation (RSO)

  Bodies authorised by the Designated Authority to perform certain security duties — typically class societies acting under flag delegation, plus specialist security companies.

Ship Security Plan (SSP)

The SSP is a confidential document that describes how the ship will respond to each security level. It is not made public, is not generally subject to PSC inspection except in narrow grounds, and is approved by the flag administration (or an RSO acting under delegation). It covers: access control, restricted-area definition and protection, monitoring of decks and ship's areas, training and drills, communications, declaration of security with port facilities, audit and review, and SSAS activation procedures. A copy is held onboard, additional copies in the Company's offices.

Ship Security Alert System (SSAS)

SOLAS Regulation XI-2/6 requires every ISPS ship to be fitted with a Ship Security Alert System. The SSAS is a covert alerting system: when activated from one of two activation points (typically the bridge and the master's cabin or a similar discreet location), it transmits a security alert direct to the Company and to the flag state — but not to other ships, the port, or any visible alarm onboard. It exists to avoid exactly the kind of public general alarm that would warn an attacker. SSAS is tested at intervals not exceeding 12 months.

Continuous Synopsis Record (CSR)

Required by SOLAS XI-1/5 (a sister regulation to ISPS). The CSR is a paper or electronic record kept onboard that lists the ship's history: name changes, flag changes, owner and ISM Company changes, port of registry, classification society changes, and copies of past SSP approval certificates. The CSR follows the ship for life — it is essentially the ship's passport. It must be presented on PSC request.

Drills and exercises

• · Drills — conducted onboard at intervals not exceeding 3 months, to test specific aspects of the SSP. Examples: stowaway search, suspected explosive device, breach of restricted area.
• · Exercises — broader scenarios involving multiple ships and shore facilities, conducted at least once each calendar year, with not more than 18 months between exercises.

International Ship Security Certificate (ISSC)

Issued by the flag administration (or an RSO) on completion of an initial verification. Confirms the SSS (security system) and SSP comply. Valid for 5 years; an intermediate verification is required between the second and third anniversary. Without a valid ISSC the ship is not entitled to enter the port of any contracting government.

See also

• · SOLAS — Chapter XI-2 is the legal basis.
• · ISM Code — the safety-management companion (Ch IX).
• · Port state control — verifies ISSC validity in port.
• · Help: piracy incidents — overlapping security topic.