What is the ISPS Code?
The International Ship and Port Facility Security Code, or ISPS Code, is an international framework for safeguarding ships and port facilities from security threats. It is part of the International Convention for the Safety of Life at Sea (SOLAS) under Chapter XI-2 and became mandatory on July 1, 2004.
Governments at the December 2002 Conference of Contracting Governments introduced the Code to close security gaps in international shipping. It provides a common approach for preventing unlawful acts that could harm people, cargo, or infrastructure. It also ensures that responses to incidents are coordinated between governments, port authorities, and shipping companies.
The ISPS Code applies to:
- Cargo ships of 500 gross tonnage and above on international voyages.
- Passenger ships on international voyages, regardless of size.
- Mobile offshore drilling units engaged in international trade.
- Port facilities serving these ships, including terminals and berths.
It covers both public and private port facilities involved in cross-border trade. Compliance is mandatory for vessels and facilities engaged in international shipping. Countries may extend the Code to domestic operations, but it is not required under SOLAS.
Structure – Part A (Mandatory) vs Part B (Guidance)
The ISPS Code is divided into two sections: Part A and Part B.
Part A sets out the mandatory requirements for contracting governments, port authorities, and shipping companies. These rules cover security assessments, security plans, officer designations, and compliance procedures.
Part B contains recommended guidance on how to meet the obligations in Part A. This includes advice on carrying out risk assessments, training security personnel, and implementing physical and procedural measures to protect ships and port facilities. While not mandatory, many administrations expect operators to follow Part B closely.
This structure ensures the Code has both a consistent global baseline and enough flexibility to adapt to local conditions.
Key Objectives of the ISPS Code
The ISPS Code translates its broad purpose into specific, actionable objectives that guide operations:
- Use standardized methods to identify and assess risks to ships and port facilities.
- Require every covered ship and port facility to maintain an up-to-date security plan.
- Define the responsibilities of Company Security Officers (CSOs), Ship Security Officers (SSOs), and Port Facility Security Officers (PFSOs).
- Improve the speed and accuracy of security-related information exchange between industry and governments.
- Adjust measures to match the current MARSEC security level.
- Strengthen readiness through drills, audits, and reviews after security incidents.
These objectives make the Code an operational tool rather than a static set of rules, allowing ships and ports to respond effectively to changing security conditions.
Roles and Responsibilities
The ISPS Code assigns specific security responsibilities to people and organizations involved in international shipping. These roles ensure that the Code’s requirements are implemented on board ships, within port facilities, and at the company level.
Company Security Officer (CSO)
- Develops and maintains the company’s ship security plans.
- Coordinates security measures between ships and port facilities.
- Ensures that Ship Security Officers (SSOs) receive proper training.
- Oversees internal audits and compliance checks.
Ship Security Officer (SSO)
- Manages the ship’s day-to-day security.
- Implements and maintains the ship security plan.
- Conducts security drills and training for crew members.
- Reports security incidents to the CSO and relevant authorities.
Port Facility Security Officer (PFSO)
- Develops and maintains the port facility security plan.
- Coordinates security with ships calling at the port.
- Monitors access to the facility and oversees security patrols.
- Works with government agencies during heightened security levels.
These officers form the operational link between ships, ports, and governments. Their work ensures that security measures are practical, up-to-date, and effective against potential threats.
Security Plans and Assessments
Security under the ISPS Code begins with formal plans and regular risk assessments. These documents outline how a ship or port facility will prevent, detect, and respond to security threats. They are tailored to the specific operations of each vessel or facility but follow a standardized framework set by the Code.
Ship Security Plan (SSP)
An SSP describes all security procedures and equipment on a ship. It covers access control, cargo handling, crew training, and communication during security incidents. The Ship Security Officer (SSO) is responsible for maintaining and updating the plan. Any changes must be approved by the relevant maritime administration.
Port Facility Security Plan (PFSP)
A PFSP applies to the land-based side of maritime security. It outlines how the port facility will manage access points, protect cargo areas, monitor activity, and coordinate with visiting ships. The Port Facility Security Officer (PFSO) ensures the plan is active, tested, and adjusted to meet current security levels.
Security Assessments
Security assessments identify potential vulnerabilities before they can be exploited. These evaluations consider the type of cargo handled, the layout of the ship or port facility, and the regional security environment. The results guide updates to both SSPs and PFSPs, ensuring that the measures remain relevant and effective.
Security Levels (MARSEC Levels 1, 2, 3)
The ISPS Code uses three security levels, known as MARSEC levels, to adjust measures according to the current risk. These levels guide ships, port facilities, and governments in matching security actions to the situation at hand.
MARSEC Level 1 – Normal Operation
Level 1 applies during routine conditions. It requires basic security measures to be in place at all times. Ships and port facilities control access, monitor activity, and maintain communication procedures. Regular training and drills help ensure that security officers and personnel can respond if the situation changes.
MARSEC Level 2 – Heightened Security
Level 2 is set when there is a greater risk of a security incident. Additional measures are put in place, such as increased patrols, tighter access control, and closer monitoring of cargo operations. The level can apply for a specific period or in response to intelligence about potential threats.
MARSEC Level 3 – Exceptional Security
Level 3 is used when a security incident is probable or underway. Ships and port facilities take maximum protective actions, which may include suspending operations or evacuating areas. Coordination with government agencies becomes constant, and all measures focus on safeguarding people, cargo, and infrastructure.
Types of Security Threats Addressed
The ISPS Code identifies specific risks that could disrupt maritime operations and applies targeted measures to reduce them. Each type of threat requires different actions from security officers, ships, and port facilities.
Terrorism and Sabotage
Terrorism can involve direct attacks on ships, ports, or cargo, as well as sabotage designed to damage infrastructure. Under the ISPS Code, security officers carry out regular inspections of access points, monitor restricted areas, and coordinate with law enforcement. MARSEC Level 2 or 3 may be applied when credible threats are identified, triggering tighter controls and increased patrols.
Smuggling and Trafficking
Illegal goods, such as drugs, weapons, and contraband cargo, pose a security and legal risk. The Code requires strict cargo verification procedures, including container seals, documentation checks, and random inspections. Ship and port staff are trained to spot irregularities and report them immediately to customs or relevant authorities.
Piracy and Armed Robbery at Sea
In high-risk regions, such as parts of the Gulf of Aden or the Strait of Malacca, piracy remains a concern. ISPS security plans include lookouts, evasive routing, and pre-arranged communication with naval or coast guard units. In port, extra monitoring of vessels alongside is used to prevent boarding attempts.
Cyber Security Threats
Modern ships and ports depend on electronic navigation, cargo handling, and communication systems. The ISPS Code now incorporates cyber security guidance to protect against hacking, malware, and data breaches. Measures include controlling network access, conducting regular system scans, and having an incident response plan ready for digital threats.
Insider Threats
Security risks can also come from employees, contractors, or crew members with authorized access. Background checks, controlled access to sensitive areas, and monitoring of unusual activity are part of ISPS-aligned security plans to address this risk.
Compliance, Enforcement, and Penalties
Compliance with the ISPS Code is mandatory for all covered ships and port facilities. Each contracting government is responsible for enforcing the Code within its jurisdiction. This includes verifying that ships and port facilities have approved security plans, designated security officers, and evidence of regular training and drills.
Ships must carry a valid International Ship Security Certificate (ISSC) to prove compliance. Port facilities maintain security records and may be subject to inspections or audits from national authorities or the International Maritime Organization (IMO).
If a ship or port facility fails to meet ISPS requirements, the consequences can be serious. Penalties may include:
- Denial of entry into a port.
- Detention until security deficiencies are corrected.
- Monetary fines or legal action under national laws.
- Damage to commercial reputation and potential loss of contracts.
Enforcement is not only reactive. Many countries use regular audits and unannounced inspections to ensure that security measures are active, not just documented. By linking compliance to operational readiness, the ISPS Code helps ensure that measures on paper are carried out in practice.
Further Resources on the ISPS Code
For a complete reference, you can purchase the ISPS Code, the 2012 Guide to Maritime Security, and other related publications from the IMO’s Catalogue & Book Code List. These resources offer the full framework and practical guidance used by governments, shipping companies, and port facilities to plan, implement, and maintain effective security measures.
