Background and origins
Pre-2001 maritime security landscape
Before 2001 the international regime for the physical security of ships and ports was sparse. The International Convention for the Safety of Life at Sea (SOLAS) addressed fire, lifesaving appliances, navigation, and construction but contained no dedicated chapter on the prevention of hostile acts against ships as platforms or targets. The International Maritime Organization (IMO) had addressed piracy and armed robbery at sea through circulars and resolutions, and the 1988 Convention for the Suppression of Unlawful Acts Against the Safety of Maritime Navigation (SUA Convention) criminalised the seizure of ships and attacks on fixed platforms, but it created no ongoing operational compliance machinery. Individual port authorities maintained varying access-control measures with no common international standard.
The Achille Lauro hijacking of October 1985, when Palestinian militants seized the Italian cruise ship and murdered a wheelchair-using American passenger, had already revealed the gap in maritime security regulation. That incident prompted the SUA Convention negotiations and the creation of IMO Circular MSC/Circ.443 on measures to prevent unlawful acts against passengers and crews. Yet no instrument required ships to carry security plans, designate security officers, or submit to certification.
The 9/11 catalyst and the December 2002 conference
The terrorist attacks of 11 September 2001 shifted the risk calculus for maritime transport decisively. The United States, acutely conscious that roughly 7,000 foreign-flagged vessels call at American ports each year carrying approximately 9 million loaded containers, pressed the IMO for an accelerated regulatory response. The IMO Maritime Safety Committee (MSC) convened an intersessional working group in February 2002 that produced a draft Code and a set of SOLAS amendments within nine months - a pace without precedent in the history of maritime legislation.
The Diplomatic Conference on Maritime Security held in London from 9 to 13 December 2002 adopted SOLAS amendments creating Chapter XI-2 (Special measures to enhance maritime security) and the text of the ISPS Code itself as Conference Resolution 2. The conference simultaneously revised SOLAS Chapter V on safety of navigation to mandate the Automatic Identification System (AIS) on a phased schedule and addressed the Continuous Synopsis Record (CSR). The entire package entered into force on 1 July 2004, giving administrations and shipping companies less than 18 months to achieve full compliance.
Two incidents in the Gulf of Aden and the Arabian Sea reinforced the urgency. The suicide boat attack on USS Cole in Aden harbour on 12 October 2000 killed 17 US Navy sailors and damaged a destroyer; although a warship rather than a commercial vessel, it demonstrated the vulnerability of ships at anchor or berth to small-craft assault. The attack on the French-flagged very large crude carrier MV Limburg on 6 October 2002 - weeks before the Diplomatic Conference - used a small explosive-laden dhow to punch a hole in the tanker off the coast of Yemen, killing one crew member and spilling approximately 90,000 barrels of oil. That attack occurred on a ship at anchor, not in a port, and provided a live illustration of the threat the Code was designed to address.
Structure of the ISPS Code
Part A: mandatory requirements
Part A of the ISPS Code is incorporated by reference into SOLAS Chapter XI-2 and therefore carries the same mandatory force as the Convention itself for all Contracting Governments. Part A specifies the security responsibilities of governments, companies, and ships; prescribes the content of Ship Security Plans (SSPs) and Port Facility Security Plans (PFSPs); defines the three security levels; establishes the roles of the Ship Security Officer (SSO), Company Security Officer (CSO), and Port Facility Security Officer (PFSO); and requires ships to carry an approved SSP, a valid ISSC, and a Continuous Synopsis Record.
Part A leaves substantial discretion to the ship’s Contracting Government (the flag state) in approving SSPs and to the coastal or port state in conducting Port Facility Security Assessments (PFSAs) and approving PFSPs. The Code does not prescribe the operational content of security plans in granular detail; it defines categories of information and types of protective action that plans must address for each of the three security levels.
Part B: guidance
Part B of the ISPS Code is recommendatory. It provides guidance on how to conduct ship security assessments, what a ship security plan should contain, how security drills and exercises should be organised, and what kinds of measures are appropriate at each security level. Because Part B is not incorporated into SOLAS directly, it is not legally binding, but many administrations have incorporated elements of Part B into their national legislation or domestic instructions to recognised security organisations, in practice making much of the guidance de facto mandatory in those jurisdictions. The United States, through the Maritime Transportation Security Act 2002 and the implementing regulations of the US Coast Guard in 33 CFR Parts 101-106, parallels the ISPS Code while adding requirements specific to American ports.
Security levels
The ISPS Code and SOLAS Chapter XI-2 define three security levels that apply to both ships and port facilities:
Security Level 1 (normal) is the level at which minimum appropriate protective security measures shall be maintained at all times. Ships and port facilities must always operate at Level 1 as a baseline. The vast majority of commercial voyages worldwide operate at Level 1 throughout.
Security Level 2 (heightened) applies when there is a heightened risk of a security incident. It is set by the relevant authority - the flag state for ships, the designated authority for port facilities - and requires additional protective measures to be maintained for a period of time as a result of the heightened risk.
Security Level 3 (exceptional) applies when there is a probable or imminent risk of a security incident, even if the specific target cannot be identified. Level 3 is set for a limited period when there is reliable and specific information that a security incident is likely or imminent; during Level 3, ships and port facilities must implement further specific protective measures. In practice Level 3 declarations have been rare and typically localised - for example, following credible intelligence of an attack on a specific terminal.
When a ship is at a port facility operating at a higher security level than the ship, the ship must raise its own security level to match. The ship may also request a Declaration of Security (DoS) when the security level changes or when there is a discrepancy in security levels.
The ISPS port facility security level calculator supports determination of the applicable level for a given port facility, consistent with the three-tier classification in Part A.
Ship security roles and responsibilities
Company Security Officer
The Company Security Officer (CSO) is the person designated by the company (the shipowner or operator as defined in the ISM Code) as responsible for the security of the ship, liaison with the SSO, and liaison with port facility security officers. Regulation 2 of SOLAS Chapter XI-2 requires that each company designate a CSO for each ship it operates. One person may serve as CSO for more than one ship, provided the company ensures adequate oversight.
The CSO’s duties under Part A include ensuring that a Ship Security Assessment (SSA) is conducted, that an SSP is developed, submitted for approval, and implemented; arranging security audits and exercises; and ensuring that SSOs receive adequate training. The CSO is the primary interface with the flag state administration during the approval and verification process for the SSP.
Under Part B guidance, CSOs should be familiar with current security threats and patterns, with recognition and detection of weapons and dangerous substances, with techniques for circumventing security measures, with methods of physical searches and non-intrusive inspections, and with security training and education. The Code does not prescribe formal certification for CSOs, but many flag states and classification societies acting as Recognised Security Organisations (RSOs) require CSOs to hold a certificate from an approved training provider aligned with IMO Model Course 3.20 or an equivalent national scheme.
Ship Security Officer
The Ship Security Officer (SSO) is the officer on board the ship, accountable to the master, responsible for the security of the ship and for implementing the ship’s security plan, maintaining and supervising the security equipment on board, and liaison with port facility security officers. Each ship must have a designated SSO; on smaller vessels the master frequently holds both roles simultaneously.
Specific Part A duties of the SSO include conducting regular security inspections, ensuring that security equipment is properly operated and tested, encouraging security awareness among crew, reporting security incidents to the CSO, co-ordinating with the port facility when the ship is at berth or anchor, and ensuring that the ISSC and the SSP are kept aboard and available for inspection.
Part B guidance on SSO training is detailed. SSOs should be trained in ship and port operations and conditions, ship security plans, emergency preparedness and response, instructions for security equipment, methods of inspection, surveillance, and monitoring, recognition of persons likely to threaten security, techniques for bypassing security measures, security communications, and handling sensitive security information. In practice many flag states reference STCW requirements and IMO Model Course 3.19 (Ship Security Officer) as the qualification standard, though STCW itself does not create a mandatory ISPS certificate.
Port Facility Security Officer
The Port Facility Security Officer (PFSO) is the person designated as responsible for the development, implementation, revision, and maintenance of the Port Facility Security Plan. The PFSO is the primary contact for communicating with the SSO and the CSO. Each port facility subject to the Code must designate a PFSO; large terminals with multiple berths frequently have a PFSO supported by a team of facility security personnel.
The PFSO’s responsibilities under Part A include ensuring that the PFSA is carried out, that the PFSP is approved, implemented, and exercised, that port facility personnel with security responsibilities are adequately trained, and that security incidents and deficiencies are reported to the designated authority. The PFSO co-ordinates with local law enforcement and emergency services and with the SSO on arriving and departing ships. When a ship at the facility requests a Declaration of Security, it is the PFSO who executes it on behalf of the port facility.
Ship Security Plan
The Ship Security Plan is the foundational document of shipboard security compliance. Part A, section 9 prescribes the mandatory elements of an SSP. The plan must address the security measures for each of the three security levels for: access to the ship, restricted areas, handling of cargo, delivery of ship’s stores, handling unaccompanied baggage, monitoring the security of the ship, duties of security-sensitive personnel, and reporting security incidents. It must also contain procedures for the Declaration of Security, the use of the Ship Security Alert System (SSAS), evacuation, drills and exercises, record-keeping, and identification of the SSO.
The SSP must be approved by the Administration (flag state) or a Recognised Security Organisation authorised to act on its behalf. Approval may be granted following the submission of the SSP and a summary of the Ship Security Assessment on which it is based. Once approved the SSP must be kept on board and be available to duly authorised officers of Contracting Governments conducting a control and compliance measure, but the plan is protected from unauthorised disclosure. Port State Control officers are entitled to examine the ISSC, verify that a plan exists, and review certain specified records; they are not entitled to read the operational content of an approved SSP without the explicit agreement of the Administration.
Drills and exercises
Part A requires that security drills be carried out at least once every three months. Where a ship has more than 25% crew change within three months - as frequently occurs on vessels with rotational crewing - a drill must be held within one week of the crew change. Security exercises involving the full implementation of security response procedures must be conducted at least once each calendar year, with no more than 18 months elapsing between exercises.
The distinction between a drill and an exercise is functional. A drill tests a specific security procedure - for example, the lockdown of restricted areas in response to a security Level 2 declaration - and involves ship’s personnel. An exercise may be multi-agency, involving coordination with the CSO ashore, the PFSO, local authorities, and, where appropriate, coast guard or naval assets. Exercises may be conducted in conjunction with port authorities or other ships.
The SOLAS fire drill frequency calculator provides a related compliance reference for overlapping drill scheduling under SOLAS Chapter III.
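The drill and exercise intervals stated in this section can be checked mechanically against a ship's security records. The following is an added example, not part of the Code or of the original article: the function names, finding codes and sample records are constructed, "three months" is assumed to mean calendar months, and each crew change is treated as a single event measured against the ship's complement.

```python
"""Audit ISPS drill and exercise records against the intervals stated above."""
import calendar
from datetime import date, timedelta


def add_months(d, months):
    """Shift d by whole calendar months, clamping the day (30 Nov + 3 -> 28/29 Feb)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def audit_drills(drills, crew_changes, complement, audit_date):
    """Return (finding_code, deadline) tuples for missed drill deadlines.

    drills: dates on which a security drill was logged.
    crew_changes: (date, number_of_joiners) tuples.
    complement: total crew on board (assumed constant for this example).
    """
    drills = sorted(drills)
    if not drills:
        return [("NO_DRILL_RECORDED", audit_date)]
    findings = []
    # Rule 1: a drill at least once every three months. The last drill is
    # compared against the audit date so an open overdue period is caught.
    for prev, nxt in zip(drills, drills[1:] + [audit_date]):
        due = add_months(prev, 3)
        if nxt > due:
            findings.append(("DRILL_OVERDUE", due))
    # Rule 2: more than 25% crew change requires a drill within one week.
    for changed_on, joiners in crew_changes:
        if joiners / complement > 0.25:
            deadline = changed_on + timedelta(days=7)
            held = any(changed_on <= d <= deadline for d in drills)
            if not held and audit_date > deadline:
                findings.append(("CREW_CHANGE_DRILL_MISSED", deadline))
    return findings


def audit_exercises(exercises, audit_date):
    """Return findings for the two independent exercise rules."""
    exercises = sorted(exercises)
    if not exercises:
        return [("NO_EXERCISE_RECORDED", audit_date)]
    findings = []
    # Rule 3: no more than 18 months between consecutive exercises.
    for prev, nxt in zip(exercises, exercises[1:] + [audit_date]):
        limit = add_months(prev, 18)
        if nxt > limit:
            findings.append(("EXERCISE_GAP_OVER_18_MONTHS", limit))
    # Rule 4: at least one exercise in each calendar year. Only completed
    # years are checked; the audit year itself is still open.
    years_with_exercise = {e.year for e in exercises}
    for year in range(exercises[0].year, audit_date.year):
        if year not in years_with_exercise:
            findings.append(("NO_EXERCISE_IN_CALENDAR_YEAR", date(year, 12, 31)))
    return findings


# Constructed sample records for a ship with a complement of 20.
AUDIT_DATE = date(2023, 12, 31)
SAMPLE_DRILLS = [date(2023, 1, 10), date(2023, 4, 5),
                 date(2023, 8, 20), date(2023, 11, 15)]
SAMPLE_CREW_CHANGES = [
    (date(2023, 2, 1), 4),    # 20%: below the threshold
    (date(2023, 5, 2), 6),    # 30%: no drill logged by 9 May
    (date(2023, 11, 10), 7),  # 35%: covered by the 15 Nov drill
]
# A gap of more than 18 months, although every calendar year has an exercise.
SAMPLE_EXERCISES_GAP = [date(2021, 3, 15), date(2022, 11, 20), date(2023, 6, 1)]
# A 14-month gap that nevertheless skips calendar year 2022 entirely.
SAMPLE_EXERCISES_YEAR = [date(2021, 12, 1), date(2023, 2, 1)]


if __name__ == "__main__":
    for code, deadline in audit_drills(SAMPLE_DRILLS, SAMPLE_CREW_CHANGES,
                                       20, AUDIT_DATE):
        print(f"{code}: deadline {deadline.isoformat()}")
    for sample in (SAMPLE_EXERCISES_GAP, SAMPLE_EXERCISES_YEAR):
        for code, deadline in audit_exercises(sample, AUDIT_DATE):
            print(f"{code}: deadline {deadline.isoformat()}")
```

The two exercise samples show that the calendar-year rule and the 18-month rule are independent: a record can satisfy either one while failing the other.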
Ship Security Assessment
Before an SSP can be drafted, a Ship Security Assessment (SSA) must be conducted. The SSA is an analysis that identifies existing security measures, procedures, and operations; identifies key shipboard operations and assets that are important to protect; identifies possible threats to those key operations and assets and the likelihood of their occurrence in order to establish and prioritise security measures; and identifies weaknesses, including human factors, in the infrastructure, policies, and procedures.
Part A, section 8 specifies that the SSA must cover at minimum: the identification and evaluation of shipboard assets and infrastructure that are important to protect; the identification of possible threats to the assets and infrastructure and the likelihood of their occurrence; the identification of weaknesses, including human factors; and the identification, selection, and prioritisation of countermeasures and procedural changes and their effectiveness in reducing vulnerability.
The SSA is conducted by, or under the authority of, the CSO. It may use the services of persons with expertise in risk analysis, relevant maritime security, specific ship types, port operations, fire prevention, physical security, radio and telecommunications systems, or transport security. The SSA itself must be documented, reviewed by the Administration or RSO, and retained.
In practice SSAs for standard ship types follow templates developed by classification societies and RSOs. The identified threats and vulnerabilities form the framework of the SSP sections, with each protective measure mapped to a specific threat, ship operation, and security level. On complex vessels such as passenger ships carrying thousands of passengers and operating with multiple gangways, the SSA and the resulting SSP can be detailed documents of several hundred pages.
Port Facility Security Assessment and Plan
Port Facility Security Assessment
The Port Facility Security Assessment (PFSA) is the risk analysis that precedes the development of the Port Facility Security Plan. Governments are responsible for ensuring that PFSAs are carried out for port facilities within their territory and jurisdiction that serve ships subject to the Code. The PFSA must identify critical infrastructure and systems that require protection, potential threats to those critical assets, the likelihood of threats, the consequences of particular vulnerabilities, and the current security countermeasures in place.
A PFSA must address the physical security of the facility; the structural integrity of ships, berths, and associated structures; personnel protection; procedural policies; radio and telecommunications systems; existing security equipment and systems; and transportation infrastructure. The PFSA forms the factual and analytical basis for the content of the PFSP, and the assessment itself must be documented, reviewed by the authority responsible for port security, and available to those conducting a verification.
Port Facility Security Plan
The Port Facility Security Plan (PFSP) must address security at all three levels and include measures to prevent unauthorised weapons or dangerous substances from being introduced, prevent unauthorised access to the port facility and to ships, and ensure procedures for responding to security threats or breaches. The PFSP must also contain procedures for the Declaration of Security with arriving ships and for the evacuation of the facility in case of security threats.
Contracting Governments determine the extent to which the ISPS Code applies to specific port facilities. Terminals that serve only coastal or domestic traffic are not required to comply unless the flag state of ships calling there would otherwise require it. Very large ports may have multiple separate PFSPs for different areas or terminals, each with its own PFSO.
Recognised Security Organisations
SOLAS Chapter XI-2 permits Administrations to delegate the approval of SSPs, the conduct of verifications, and the issuance of ISSCs to Recognised Security Organisations (RSOs). This arrangement parallels the use of Recognised Organisations (ROs) - classification societies - for plan approval and survey under other SOLAS instruments. The IMO has not established a formal list of RSOs; rather, each Administration defines the criteria and issues authorisations to specific bodies.
In practice the major classification societies - including Lloyd’s Register, Bureau Veritas, DNV, ClassNK, Korean Register, and others - obtained RSO authorisations from multiple flag states in the period 2002-2004 and currently hold authorisations from dozens of Administrations. Dedicated maritime security consultancies, some formed specifically to serve the ISPS market, also hold RSO authorisations from some flag states.
The RSO conducting an ISSC verification must assess: whether the ISSC was issued on the basis of an approved SSP; whether the SSP is being implemented; whether drills and exercises have been carried out as required; whether the SSO has been properly designated and trained; whether the SSAS is operational; and whether the CSR is correctly maintained. A deficiency in any of these elements must be reported to the Administration.
The RSO framework introduces a layer of commercial delegation that has been subject to criticism. An RSO acting on behalf of a flag state is paid by the ship operator whose compliance it is verifying, creating a potential conflict of interest that parallels long-standing debates about classification society independence. The IMO and several flag states have responded by introducing audit requirements for RSOs, and the IMO’s Code for Recognised Organisations (Resolution A.1070(28)) - though primarily addressed to ROs conducting statutory surveys - has been referenced in RSO governance frameworks.
International Ship Security Certificate
The International Ship Security Certificate (ISSC) is the document that certifies that a ship’s SSP has been approved and that the ship complies with SOLAS Chapter XI-2 and Part A of the ISPS Code. The ISSC is issued by the Administration or by a Recognised Security Organisation acting on its behalf for ships flying the flag of that state. Its format is prescribed in the appendix to SOLAS Chapter XI-2.
An ISSC is valid for five years from the date of issue, subject to annual verification. The issuing authority endorses the ISSC following each annual verification to confirm continued compliance. The ISSC may be issued as an Interim ISSC for a maximum of six months, for example when a ship is newly delivered, when a ship changes flag, or when a company takes over responsibility for a ship already in service. A ship that cannot produce a valid ISSC on demand from a PSC officer is liable to detention or, in extreme cases, denial of entry to port.
Port State Control examination of the ISSC is the primary mechanism by which the Code is enforced at the international level. PSC regimes operating under the Paris MOU, the Tokyo MOU, the Indian Ocean MOU, and other regional arrangements have incorporated ISPS-related deficiencies into their inspection databases. The PSC targeting factor calculator provides a tool for estimating the likelihood that a given ship will be selected for a targeted inspection under regional MOU criteria.
Ship Security Alert System
The Ship Security Alert System (SSAS) is a covert distress and threat signalling system required under SOLAS Chapter XI-2, Regulation 6 on all ships subject to the Code. The SSAS transmits a ship-to-shore security alert that includes the ship’s identity and its position at the time the alert was activated, communicated to a competent authority designated by the Administration. The system must not sound an alert on board the ship or indicate to other ships or shore stations that an alert has been sent.
The covert nature of the SSAS is its defining feature. It is designed to be activated secretly in a hostage or piracy scenario where overt transmission of distress would alert the attackers. Activation points must be provided at the navigation bridge and at least one other location. The SSAS alert is transmitted continuously or at frequent intervals until reset or cancelled by the flag state’s competent authority.
Ships typically fulfil the SSAS requirement through existing communications equipment fitted with a dedicated alert button. The Inmarsat C SafetyNET service, the Fleet 77/Fleet Xpress systems, and Iridium satellite handsets have all been used as SSAS platforms, typically integrated with the ship’s Global Maritime Distress and Safety System (GMDSS) equipment. The GMDSS sea area coverage calculator helps verify that a ship’s GMDSS and associated SSAS installation meets the sea area requirements for the intended voyage.
Continuous Synopsis Record
The Continuous Synopsis Record (CSR) was introduced by SOLAS Regulation XI-1/5, adopted alongside the ISPS Code at the December 2002 conference. The CSR is an on-board record of the ship’s history required for every ship engaged on international voyages. It records the state whose flag the ship is entitled to fly, the date when the ship was registered with that state, the ship’s identification number, the port at which the ship is registered, the name of the owner and their registered address, the name of any registered bareboat charterer, and the name of the company as defined in the ISM Code together with its registered address.
Entries must be kept in sequence from the date of first issue. Amendments are noted in successive pages rather than by erasure; the CSR builds a paper trail of the ship’s ownership, flag, and management history that cannot easily be falsified. The CSR must be available for inspection by an authorised officer of any Contracting Government. Its purpose is to prevent ships from obscuring their identity or commercial connections in a security incident - a concern heightened after the Limburg attack, where confusion about the vessel’s ownership and flag complicated the initial response.
Pre-arrival notification and Declaration of Security
Pre-arrival notification
SOLAS Chapter XI-2, Regulation 9 requires ships intending to enter a port of a Contracting Government to provide advance notice of their arrival. Governments may set the minimum notice period; 24 hours before arrival has become the widely adopted standard, though the United States requires 96 hours’ advance notice for vessels calling at American ports under the requirements of 33 CFR Part 160. The required information includes the ISSC details, the current security level at which the ship is operating, the security level at which the ship has operated during the preceding ten port calls, any special or additional measures taken during the preceding ten port calls, details of any ship-to-ship activity during the preceding ten calls, and the information required under the general advance notification regulations.
If a ship cannot provide this information, or if the port authority considers the information provided to be inadequate, it may refuse entry or require the ship to proceed to a holding position while the matter is investigated. The combination of pre-arrival notification with LRIT data and AIS tracking (discussed below) forms the maritime domain awareness picture on which port security authorities rely.
Declaration of Security
The Declaration of Security (DoS) is an agreement reached between a ship and a port facility - or between two ships during ship-to-ship operations - specifying the security measures each will implement and the responsibilities each party accepts. The DoS is required when the ship is operating at a higher security level than the port facility, when a Contracting Government has so directed, when the ship or port facility considers it necessary, or when a ship operating as a bulk carrier is taking on or discharging passengers or cargo in a port with a higher or lower security level than the ship.
The DoS does not replace the SSP or the PFSP; it supplements them by documenting the interface security arrangements for a specific encounter. Records of DoS agreements must be kept on board for a minimum period of three years and be available for inspection by PSC officers.
Interface requirements: ship-to-ship activities
The Code addresses security at ship-to-ship interfaces as well as ship-port interfaces. Ship-to-ship activities subject to security provisions include ship-to-ship cargo transfers at sea or at anchor (common for tankers and gas carriers in lightering operations), crew transfers, and resupply operations. The SSO is responsible for ensuring that the security level of the receiving or transferring ship is compatible with that of the SSO’s own ship, and for ensuring that a DoS is completed if the threat environment or a governmental directive requires it.
Floating storage and offloading units (FSOs) and floating production storage and offloading units (FPSOs) are treated as port facilities under the Code when they receive ships alongside and as ships when they transit. Mobile offshore drilling units (MODUs) are explicitly within the scope of the Code’s ship requirements when engaged on international voyages.
Restricted areas
Part A requires that SSPs define restricted areas on board the ship and specify the measures to control access to them. Categories of restricted areas must include the navigation bridge, machinery spaces, spaces containing safety equipment or systems, spaces containing cargo-handling equipment, crew accommodation areas, and any spaces where the storage of weapons or sensitive security equipment is located.
The specific boundaries and access control methods for restricted areas are defined in the individual SSP and vary with ship type. On a passenger ship the restricted area definitions are extensive and must address passenger access to crew-only spaces. On a bulk carrier or tanker, restricted areas typically include cargo control rooms, engine rooms, battery rooms, and any space with direct access to the sea.
Access control measures may include electronic key card systems, CCTV monitoring, intruder detection equipment, and physical barriers. Part A does not mandate specific technology; it requires that the SSP be specific about what measures apply at each security level and that the SSO be responsible for implementing those measures.
Long-Range Identification and Tracking
The LRIT system
Long-Range Identification and Tracking (LRIT) was introduced by SOLAS Chapter V, Regulation 19-1, adopted in May 2006 and entering into force on 31 December 2008. LRIT is distinct from the ISPS Code but closely related to maritime security. Where AIS is a continuous broadcast, LRIT is a polled or scheduled transmission of identity and position data to a flag state data centre, accessible also to coastal states within 1,000 nautical miles of their baselines and to SAR services, via a network of LRIT Data Centres coordinated through the IMO LRIT Coordinator.
LRIT applies to ships 300 gross tonnes and above on international voyages, passenger ships (including high-speed craft), mobile offshore drilling units, and ships covered by the ISPS Code. The LRIT equipment transmits position reports at a default interval of six hours. A flag state administration may shorten the reporting interval to as little as 15 minutes, and a coastal state with a legitimate security or SAR interest may request historical reports going back up to 24 hours. Ships may switch to a reduced reporting interval when in port.
The SSAS and LRIT serve complementary functions. LRIT provides routine surveillance; the SSAS provides a covert distress signal when a ship is under threat. Both deliver position and identification data to authorities ashore without an on-board audible or visual indication that the transmission is occurring. The LRIT reporting interval calculator assists in determining the required LRIT polling interval for a given voyage profile.
Interaction with AIS
The Automatic Identification System (AIS) was mandated under SOLAS Chapter V by the same December 2002 conference that adopted the ISPS Code, though on a phased implementation schedule running to 2008 for older ships. AIS Class A transponders broadcast identity, position, course, speed, navigational status, and voyage data at intervals of two seconds to three minutes depending on vessel speed and manoeuvre status. Unlike LRIT, AIS broadcasts are received by any AIS receiver within range, including by other ships, coastal authorities, and satellite receivers.
The tension between AIS and security is well recognised. Piracy and armed robbery groups have exploited AIS data - freely available through commercial aggregators - to identify and track target vessels. The IMO has addressed this in circular MSC-FAL.1/Circ.3 (Guidelines for the Onboard Operational Use of Shipborne AIS), which clarifies that masters retain the authority to switch off AIS when it is their professional judgement that it poses a security risk, but that switching off AIS is itself reportable and should not be done routinely to evade commercial monitoring or PSC scrutiny.
The AIS Class A carriage requirement calculator provides a reference tool for determining mandatory AIS installation, while the AIS transponder system guide covers technical installation standards.
Piracy and maritime security
Historical context
The ISPS Code was designed primarily to prevent and respond to terrorist attacks on ships and port facilities rather than to address piracy as traditionally understood. Yet in practice the security infrastructure created by the Code - security officers, security plans, threat-level frameworks, and ship-shore communication protocols - has been deployed extensively in response to the surge of maritime piracy that emerged after 2005.
Piracy off the Somali coast, exploiting the collapse of functional governance in Somalia and the strategic chokepoint of the Gulf of Aden, reached a peak between 2008 and 2012. In 2011 Somali pirates were holding approximately 700 seafarers hostage aboard some 30 ships. The UN Security Council adopted a series of resolutions - most significantly Resolution 1816 (2008), Resolution 1838 (2008), and Resolution 1851 (2008) - authorising naval forces to enter Somali territorial waters to repress piracy. NATO, the European Union Naval Force Somalia (EUNAVFOR, Operation Atalanta), and Combined Maritime Forces Combined Task Force 151 have maintained naval presences in the region since 2008. The combination of naval patrolling, industry self-protection measures, and improved Somali governance gradually reduced Somali piracy attacks after 2012, though the threat has not been eliminated.
The Gulf of Guinea off West Africa presents an ongoing and in some respects more serious piracy challenge. Unlike Somali pirates who primarily sought ransoms from large vessels held offshore, Gulf of Guinea pirates frequently target crew members for kidnap-for-ransom and engage in violent attacks on ships in or near territorial waters. The IMO Maritime Safety Committee has issued multiple circulars on Gulf of Guinea piracy, and the ECOWAS/ECCAS/GGC-MTIRC Yaoundé Architecture represents the regional maritime security framework.
The Strait of Malacca, the sea lane between the Malay Peninsula and the Indonesian island of Sumatra through which roughly 70,000 vessels transit annually, was the world’s highest-risk piracy area through the early 2000s. The combination of coordinated naval patrolling by Indonesia, Malaysia, and Singapore under the Malacca Strait Sea Patrol (MSSP), intelligence sharing, and improved coastal governance has substantially reduced attacks in the Strait since 2005, though robbery from ships at anchor and low-level piracy incidents continue.
Since 2023, the security environment in the Red Sea and the Gulf of Aden has deteriorated sharply due to Houthi attacks on commercial vessels - cruise missiles, ballistic missiles, and drone attacks as well as vessel boardings. These attacks extend the threat from small-craft piracy to state-sponsored or quasi-state asymmetric warfare, a category for which the ISPS Code’s Level 3 declarations and the BMP guidance provide the framework but which ultimately requires a government-to-government and naval response.
Best Management Practices
Best Management Practices for Protection Against Somalia Based Piracy, now in its fifth edition as BMP5 (published jointly by BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, OCIMF, and other industry bodies), is the primary industry guidance document for self-protection against piracy. BMP5 provides detailed guidance on voyage planning in high-risk areas, ship hardening measures (razor wire, water spray systems, citadels), use of the Maritime Security Communications with Industry (MSCHOA) and UK Maritime Trade Operations (UKMTO) reporting systems, and the management of crew in a piracy attack.
BMP5 supplements but does not replace the ISPS Code. The ISPS Code and SSP define the security architecture of the ship; BMP5 provides the tactical guidance for a specific threat context. Many shipowners incorporate BMP5 procedures by reference into their SSPs for voyages transiting the High Risk Area (HRA) as defined by the joint war risk committee.
Privately Contracted Armed Security Personnel
The use of Privately Contracted Armed Security Personnel (PCASP) aboard merchant ships is addressed through IMO circulars MSC.1/Circ.1405/Rev.3 (Interim guidance on the use of privately contracted armed security personnel on board ships in the High Risk Area) and MSC.1/Circ.1406/Rev.3 (Interim recommendations for flag states regarding the use of PCASP). These circulars provide guidance on vetting, command and control, rules for the use of force, firearms storage and manifest, and engagement with coastal state authorities. The carriage of PCASP requires flag state authorisation and must be addressed in the SSP. PCASP do not replace SSOs or other crew security responsibilities; they operate under the command authority of the master.
Port State Control and ISPS verification
Port State Control officers exercising authority under SOLAS Chapter XI-2, Regulation 9 may, when a ship is in a port or approaching it, verify that the ship is in possession of a valid ISSC, verify that it has been issued by or on behalf of a recognised security organisation, and request from the master confirmation of the ship’s current security level and the last ten port calls including the security levels at which the ship operated during those calls. If there are clear grounds to believe the ship is not in compliance, PSC officers may take control and compliance measures including inspection of the ISSC, verification that the SSO and CSO have been designated, and, in extreme cases, detention or expulsion from port.
PSC officers are explicitly not permitted to examine the content of the SSP without the authorisation of the Administration of the flag state. This limitation reflects the confidentiality principle built into Part A: if SSP contents were routinely accessible to port officials of any country, the plans’ value would be undermined by disclosure to potential adversaries. PSC officers assess compliance through review of records, the ISSC, records of security drills, DoS records, and the CSR.
The Paris MOU, covering European and North Atlantic port authorities, the Tokyo MOU covering the Asia-Pacific region, and the Indian Ocean MOU have all integrated ISPS deficiency codes into their New Inspection Regime (NIR) and CIC (Concentrated Inspection Campaign) frameworks. ISPS deficiencies - particularly an invalid ISSC, absence of a designated SSO, or failure to maintain drill records - generate concentrated deficiency reports that increase a ship’s risk score and the probability of future targeting.
The interaction between ISPS compliance and the broader PSC risk targeting framework is explored at the PSC targeting factor calculator.
Interaction with the ISM Code
The ISM Code (International Safety Management Code, adopted under SOLAS Chapter IX) preceded the ISPS Code by a decade and established the foundational structure of the Safety Management System (SMS), the Designated Person Ashore (DPA), and the Safety Management Certificate (SMC). The ISPS Code followed the ISM Code’s model closely: the CSO parallels the DPA, the SSP parallels the SMS document, and the ISSC parallels the SMC.
In practice many shipowners administer ISPS compliance within the same management system that administers ISM compliance, with the CSO and DPA roles held by the same person or by personnel in the same department. The ISM Code’s requirements for non-conformity reporting, internal auditing, and company review are often applied to ISPS compliance as well, though the two instruments maintain separate formal certification tracks. The ISM Code wiki article discusses the relationship between safety management and security management in more detail.
The ISPS Code requires that the SSP be separate from the SMS and subject to separate approval, even where a company integrates the two systems operationally. This separation reflects the confidentiality requirements of the SSP, which cannot be disclosed as freely as the SMS.
Security for specific ship types
Passenger ships
Passenger ships on international voyages face the most detailed ISPS obligations because they combine large numbers of vulnerable persons in a confined space with frequent port calls and complex gangway access. Part B guidance on passenger ship security covers crowd management, segregation of identified security risks within the passenger population, access control to crew-only spaces, and procedures for searching passengers and baggage at embarkation. Passenger ships calling at US ports are further subject to the specific requirements of 33 CFR Part 104 (Maritime Security: Vessels) and must comply with USCG-specific requirements for access control, passenger screening, and law enforcement liaison.
Following several security incidents on cruise ships - including the 1985 Achille Lauro hijacking and subsequent cases of stowaway attempts and security breaches at gangways - the cruise industry through the Cruise Lines International Association (CLIA) developed supplementary security protocols that go beyond ISPS Part A minimums. The typical large cruise vessel operating with 5,000 to 7,000 persons on board in multiple international ports per week represents one of the most logistically demanding ISPS compliance contexts.
Tankers and gas carriers
Tankers and gas carriers present elevated security concerns because a successful attack could release large volumes of flammable or toxic cargo with consequences extending to surrounding port areas. The ISPS Code’s restricted area provisions on tankers typically encompass pump rooms, cargo control rooms, the entire cargo deck, and any spaces containing hazardous cargo venting or inert gas systems. SSPs for tankers calling at high-security terminals - for example, LNG receiving terminals in densely populated areas - typically include specific Level 2 and Level 3 measures co-ordinated with terminal operators under the DoS framework.
The oil tanker and LNG carrier types each carry ship-type-specific security risk profiles that are reflected in the SSA and the SSP sections addressing cargo handling interface and restricted area management.
Bulk carriers and general cargo ships
Bulk carriers and general cargo ships face particular security concerns around access control during port stays, given that long cargo operations at berth - sometimes extending to several days - create extended periods of exposure to unauthorised access. SSPs for bulk carriers and general cargo ships must address the posting of security watches, gangway control procedures for all three security levels, and verification of the identity of persons coming aboard as stevedores, surveyors, or port authority officials.
The bulk carrier and general cargo ship types both commonly operate at ports in regions where piracy risk elevates the standard security measures beyond the Level 1 minimum.
Interaction with SOLAS and related conventions
SOLAS Chapter XI-2 is the direct parent of the ISPS Code. SOLAS Chapter XI-1 (Special measures to enhance maritime safety) includes the ship identification number requirements under SOLAS Regulation XI-1/3 - the permanent hull marking and plate required by all ships of 100 gross tonnes or more. The ship identification number (a Lloyd’s Register number, seven digits) is recorded in the CSR and the ISSC, providing a persistent identifier that connects the ship’s documentation trail irrespective of name or flag changes.
MARPOL, the SOLAS convention, STCW, and the MLC 2006 all operate alongside the ISPS Code without direct textual cross-reference in most cases, but PSC officers exercise concurrent authority under multiple instruments and deficiencies in ISPS documentation frequently appear alongside deficiencies under other instruments in PSC inspection records.
The MARPOL convention shares the port state control enforcement mechanism and the certificate-based compliance architecture, making the ISPS Code one element in a family of SOLAS-family and related instruments that a PSC officer examines during a single boarding. The Port State Control wiki article describes the multi-convention examination procedure in detail.
Compliance challenges
Developing country port facilities
The 2004 compliance deadline exposed a significant disparity between the capacity of large developed-country port operators and smaller ports in developing economies. The PFSA and PFSP process requires expertise, resources, and a functioning designated authority. Some developing state port facilities lacked the regulatory infrastructure to complete PFSAs before 1 July 2004. The IMO Technical Cooperation Committee administered an Integrated Technical Co-operation Programme (ITCP) that delivered training and assistance to more than 130 countries in the two years following the Code’s entry into force, with the United States and EU providing additional bilateral assistance.
The asymmetry between well-resourced ports with modern access-control and CCTV infrastructure and lower-capacity ports that rely on manual identification and patrol has persisted. PSC regimes have adapted by incorporating enhanced scrutiny of ships arriving from ports flagged as having persistent ISPS deficiencies.
Cyber security and the digital ISPS challenge
The 2002 Code was drafted before commercial maritime cyber attacks were a recognised threat category. IMO circular MSC-FAL.1/Circ.3 (Guidelines on Maritime Cyber Risk Management, 2017) and Resolution MSC.428(98), through which cyber risk management requirements were incorporated into ISM Code submissions from January 2021, addressed cyber security through the ISM Code rather than the ISPS Code. However, the operational connection is direct: SSAS, AIS, LRIT, GMDSS, and electronic chart display systems are all networked or satellite-connected and therefore subject to cyber exploitation.
An attacker who can spoof or suppress AIS transmissions, inject false LRIT data, or disable an SSAS transmitter effectively undermines the ISPS Code’s detection and alerting mechanisms without boarding the ship. Flag states and classification societies increasingly require SSPs to address cyber threats to communications and security systems, and the IMO’s Maritime Safety Committee has indicated that a formal revision of the ISPS Code or SOLAS Chapter XI-2 to incorporate cyber security requirements explicitly may be undertaken in a future regulatory cycle.
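A monitoring-side check for the two AIS failure modes named above, added here as an example and not part of the original article: it flags reporting gaps (possible suppression or switch-off) and position jumps that imply an impossible speed (possible spoofing). The thresholds, the `Fix` record layout and the sample track are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles
# Assumed thresholds for illustration; tune per vessel type and receiver coverage.
MAX_GAP = timedelta(minutes=30)  # longer silence between reports is flagged
MAX_SPEED_KN = 40.0              # implied speed above this is implausible


@dataclass(frozen=True)
class Fix:
    ts: datetime
    lat: float  # decimal degrees, north positive
    lon: float  # decimal degrees, east positive


def distance_nm(a, b):
    """Great-circle (haversine) distance between two fixes, in nautical miles."""
    lat1, lat2 = radians(a.lat), radians(b.lat)
    dlon = radians(b.lon - a.lon)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_NM * asin(sqrt(h))


def find_anomalies(track):
    """Return (kind, index, detail) for each suspicious pair of consecutive fixes.

    kind: "gap" (possible suppression or switch-off), "jump" (possible spoofed
    position) or "duplicate_time". index is the later fix in time order.
    """
    fixes = sorted(track, key=lambda f: f.ts)
    findings = []
    for i in range(1, len(fixes)):
        prev, cur = fixes[i - 1], fixes[i]
        elapsed = cur.ts - prev.ts
        hours = elapsed.total_seconds() / 3600
        if hours == 0:  # speed undefined; report instead of dividing by zero
            findings.append(("duplicate_time", i, "two fixes share a timestamp"))
            continue
        if elapsed > MAX_GAP:
            findings.append(("gap", i, f"{elapsed} without a report"))
        speed = distance_nm(prev, cur) / hours
        if speed > MAX_SPEED_KN:
            findings.append(("jump", i, f"{speed:.0f} kn implied"))
    return findings


# Constructed sample track (not real vessel data): steady ~14 kn, then three
# hours of silence, then a 90 nm northward jump within ten minutes.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_TRACK = [
    Fix(T0, 12.00, 45.00),
    Fix(T0 + timedelta(minutes=10), 12.00, 45.04),
    Fix(T0 + timedelta(minutes=20), 12.00, 45.08),
    Fix(T0 + timedelta(minutes=200), 12.00, 45.80),
    Fix(T0 + timedelta(minutes=210), 13.50, 45.80),
    Fix(T0 + timedelta(minutes=220), 13.50, 45.84),
]

if __name__ == "__main__":
    for kind, index, detail in find_anomalies(SAMPLE_TRACK):
        print(f"fix {index}: {kind} ({detail})")
```

A gap can also be a hole in terrestrial or satellite reception, so each finding is a lead to correlate with LRIT reports or a reported AIS switch-off, not proof of tampering.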
Crew changes and continuous compliance
One operational challenge distinctive to the ISPS Code is the interaction between crew rotation and drill frequency. On a ship with a 25% or greater crew change in any three-month period - a common pattern on globally-crewed vessels - a full security drill must be conducted within one week of that crew change. This requirement, intended to ensure that new crew members are security-aware before the ship calls at a foreign port, can generate a frequent drill schedule on vessels with high turnover or short contracts.
Ship operators managing drill scheduling across fleets use the SOLAS fire drill frequency calculator as a reference for overlapping SOLAS Chapter III and ISPS drill scheduling. The interaction between fire drill, muster, GMDSS test, and security drill schedules is a practical compliance management task on all larger vessels.
Current developments and amendments
IMO review activities
The IMO Maritime Safety Committee reviews ISPS Code implementation periodically. MSC Circular MSC.1/Circ.1525 (2015) issued revised guidelines on the implementation of SOLAS Chapter XI-2 and the ISPS Code. The IMO maintains a working group focused on maritime security matters within the Facilitation Committee (FAL) and the MSC, addressing inter alia the DoS form, the interaction between ISPS and customs/border authority requirements, and the relationship between ISPS and the IMO’s framework for preventing and suppressing piracy and armed robbery.
The 2021 ISPS-cyber nexus
MSC-FAL.1/Circ.3 on maritime cyber risk management, while not amending the ISPS Code directly, has required companies to ensure that SMS documents address cyber risk, and in practice this has led many shipowners and RSOs to revise SSPs simultaneously to incorporate cyber security measures. The MSC at its 103rd session (May 2021) confirmed that cyber risk management under Resolution MSC.428(98) was to be implemented through the ISM Code rather than the ISPS Code, but noted that the security of electronic systems relevant to ISPS compliance - particularly SSAS and LRIT terminals - is a matter for flag states to address in SSP approval guidance.
Regional extensions and flag state variations
Several flag states have extended ISPS-equivalent requirements beyond the mandatory scope. The Marshall Islands, a major open registry flag state, has issued flag state instructions that require SSPs to address additional categories of threat including cyberattacks and insider threats. The Bahamas, another major registry, has issued detailed guidance on SSAS testing and on the handling of armed security personnel that goes beyond the IMO circulars. The United States, through the MTSA 2002 regime, applies requirements to domestic vessels not covered by the ISPS Code and maintains independent certification procedures for port facilities.
The European Union, through Council Regulation (EC) No 725/2004 on enhancing ship and port facility security, transposed the ISPS Code into EU law and extended SOLAS Chapter XI-2 obligations to domestic vessels of 500 gross tonnes and above engaged in national maritime transport within EU member states - a class of vessels entirely outside the IMO instrument’s scope.
See also
- SOLAS Convention - parent treaty under which SOLAS Chapter XI-2 and the ISPS Code were adopted
- ISM Code - companion management code; shares certification architecture and officer structure with the ISPS Code
- MARPOL Convention - primary pollution-prevention convention enforced alongside ISPS in PSC inspections
- STCW Convention - seafarer training and certification instrument; SSO and CSO training referenced to STCW model courses
- MLC 2006 - Maritime Labour Convention; crew welfare obligations enforced in parallel with ISPS by PSC
- Port State Control - PSC regime through which ISPS compliance is verified and deficiencies recorded
- Oil tanker - ship type with elevated ISPS restricted-area requirements around cargo decks and pump rooms
- LNG carrier - ship type with specific ISPS interface procedures at receiving terminals
- Bulk carrier - ship type facing extended port-stay access-control challenges under ISPS
- General cargo ship - ship type requiring detailed gangway security and watch-posting procedures
- ISPS port facility security level calculator - determine the applicable security level for a port facility under ISPS Part A
- LRIT reporting interval calculator - verify LRIT polling interval requirements for a given voyage
- AIS Class A carriage calculator - mandatory AIS installation requirements under SOLAS Chapter V
- AIS Class A transponder system guide - technical standards for Class A AIS installation
- LRIT terminal system guide - INMARSAT and Iridium LRIT terminal specifications
- PSC targeting factor calculator - estimate PSC inspection targeting probability incorporating ISPS deficiency history
- GMDSS sea area coverage calculator - GMDSS sea area determination relevant to SSAS platform selection
- SOLAS fire drill frequency calculator - overlapping SOLAS III and ISPS drill scheduling reference
- ShipCalculators.com calculator catalogue - full list of maritime compliance calculators
References
- IMO, International Ship and Port Facility Security (ISPS) Code, 2003 edition, incorporating the text of SOLAS Chapter XI-2 and Resolutions 1-12 of the December 2002 Diplomatic Conference, London: IMO, 2003.
- IMO, SOLAS: Consolidated Edition 2020, London: IMO, 2020, Chapter XI-2.
- IMO, Resolution MSC.104(73), Adoption of Amendments to the Annex to the International Convention for the Safety of Life at Sea, 1974, adopted 5 December 2000 (ship identification numbers under SOLAS XI-1).
- IMO, Resolution MSC.202(81), Adoption of Amendments to the International Convention for the Safety of Life at Sea, 1974, adopted 19 May 2006 (LRIT, entering into force 31 December 2008).
- IMO, MSC-FAL.1/Circ.3, Guidelines on Maritime Cyber Risk Management, 5 July 2017.
- IMO, Resolution MSC.428(98), Maritime Cyber Risk Management in Safety Management Systems, adopted 16 June 2017.
- IMO, MSC.1/Circ.1405/Rev.3, Revised Interim Guidance to Shipowners, Ship Operators, and Shipmasters on the Use of Privately Contracted Armed Security Personnel on Board Ships in the High Risk Area, 2012.
- IMO, MSC.1/Circ.1406/Rev.3, Revised Interim Recommendations for Flag States Regarding the Use of Privately Contracted Armed Security Personnel on Board Ships in the High Risk Area, 2012.
- BIMCO, ICS, INTERCARGO, INTERTANKO, OCIMF et al., Best Management Practices to Deter Piracy and Enhance Maritime Security in the Red Sea, Gulf of Aden, Indian Ocean and Arabian Sea (BMP5), Edinburgh: Witherby, 2018.
- European Parliament and Council, Regulation (EC) No 725/2004 of 31 March 2004 on enhancing ship and port facility security, Official Journal of the European Union, L 129, 29 April 2004.
- United States Congress, Maritime Transportation Security Act of 2002, Public Law 107-295, 25 November 2002.
- United States Coast Guard, 33 CFR Parts 101-106: Maritime Security; Final Rule, Federal Register, Vol. 68, No. 189, 1 October 2003.
- United Nations Security Council, Resolution 1816 (2008), S/RES/1816, 2 June 2008 (authorisation to enter Somali waters to repress piracy).
Further reading
- Bateman, S. and Bergin, A. (eds.), Sea Change: Responding to Australia’s Maritime Security Environment, Canberra: ASPI, 2009.
- Chalk, P., The Maritime Dimension of International Security: Terrorism, Piracy, and Challenges for the United States, Santa Monica: RAND Corporation, 2008.
- Mejia, M.Q., Mukherjee, P.K. and Xu, J. (eds.), Maritime Violence and Other Security Issues at Sea, Malmö: World Maritime University, 2002.
- Till, G., Seapower: A Guide for the Twenty-First Century, 4th ed., Abingdon: Routledge, 2018, chapter on maritime security.
External links
- IMO - Maritime Security (ISPS) - official IMO page for SOLAS Chapter XI-2 and ISPS Code
- IMO - LRIT - official IMO LRIT system information
- EUNAVFOR - Operation Atalanta - EU naval force combating Somali piracy
- UKMTO - United Kingdom Maritime Trade Operations - voluntary reporting and advisory service for vessels in the Indian Ocean High Risk Area