The ISPS Code transformed maritime security from an afterthought into a structured, auditable discipline. Enacted through SOLAS Chapter XI-2 in response to the September 11 attacks and the bombing of the French tanker Limburg, the International Ship and Port Facility Security Code establishes a comprehensive framework requiring ships, port facilities, and their operators to assess threats, develop security plans, designate trained security officers, and maintain graduated readiness across three security levels. It applies to all passenger ships and cargo ships of 500 GT and above on international voyages, plus the port facilities that serve them. For Company Security Officers (CSOs), Ship Security Officers (SSOs), and fleet managers, ISPS compliance is verified through the International Ship Security Certificate (ISSC), with PSC officers checking security documentation, crew familiarity, SSAS functionality, and drill records at every port call. This guide covers every ISPS requirement — from conducting Ship Security Assessments to passing PSC security inspections — with practical implementation guidance for 2026. Start a free trial of Marine Inspection to manage security drills, access control logs, and ISSC tracking digitally across your fleet.

ISPS Code: Maritime Security Framework at a Glance
148
SOLAS Parties
Contracting governments enforcing the Code
3
Security Levels
Graduated response from normal to exceptional threat
3
Key Security Officers
CSO (shore), SSO (ship), PFSO (port)
5 Years
ISSC Validity
With intermediate verification between 2nd & 3rd anniversary

The Three Security Levels

The ISPS Code operates through a tiered security level system that allows protective measures to scale with the assessed threat. Port authorities and flag states set and communicate security levels — ships must comply with the higher of their own level or the port's level.

Level 1
Normal
Standard operating conditions. Minimum appropriate protective security measures maintained at all times on all ships and port facilities.
Controlled access to the ship — gangway watch, visitor log, ID checks
Monitoring of deck areas, restricted zones, and areas surrounding the ship
Supervision of cargo handling and ship's stores delivery
Regular SSAS testing and security communication verification
Level 2
Heightened
Additional protective measures for a defined period due to increased security risk. Activated based on intelligence or threat assessments.
Additional personnel assigned to patrol deck and monitor access points
Escort required for visitors and service providers — no unaccompanied access
Enhanced searching of cargo, stores, and personal effects
Restricted areas checked more frequently — waterside monitoring increased
Level 3
Exceptional
Highest alert — security incident probable or imminent. Maintained for limited duration. Requires specific instructions from the contracting government.
All access points controlled — single-point entry if possible
Suspension of cargo operations if directed by authorities
Full vessel search conducted — hull, underwater, all internal spaces
Ship may be ordered to move, prepare for evacuation, or restrict movement

The Security Officer Architecture: CSO, SSO & PFSO

The ISPS Code creates a three-role security structure connecting shore management, shipboard operations, and port facilities. Each role has distinct responsibilities, required training, and accountability — and PSC officers verify that these roles are actively filled and functioning, not just named on paper. Book a Marine Inspection demo to see how digital workflows support CSO oversight and SSO daily operations.

Table 1: ISPS Security Officer Roles & Responsibilities
Role Based At Core Responsibilities Training Required PSC Verification
CSO
Company Security Officer		 Shore office Conducts Ship Security Assessments. Develops and maintains SSPs for all fleet vessels. Ensures SSO training. Coordinates with flag state and RSOs. Arranges ISSC certification. Approved CSO course per STCW and flag state requirements Name and 24hr contact must be documented. Communication records with SSOs may be checked.
SSO
Ship Security Officer		 Onboard each vessel Implements SSP onboard. Conducts security inspections. Manages access control. Coordinates with PFSO at ports. Conducts and documents security drills. Reports security incidents. Approved SSO course per STCW Section A-VI/5 Must demonstrate SSP familiarity, know CSO contact, explain duties at each security level, show drill records.
PFSO
Port Facility Security Officer		 Each port facility Develops and maintains Port Facility Security Plan. Conducts port security assessments. Coordinates with SSOs of visiting vessels. Manages port access control and surveillance. Approved PFSO course per flag/port state Not directly verified on ship, but Declaration of Security between ship and port may be checked.

From Ship Security Assessment to Ship Security Plan

The SSA and SSP are the operational core of ISPS compliance. The assessment identifies vulnerabilities; the plan addresses them. Both must be approved by the flag state administration or a Recognized Security Organization (RSO). Sign up for Marine Inspection to manage SSP updates and security equipment tracking digitally.

1
Ship Security Assessment (SSA)
On-scene survey identifying existing security measures, key operations, potential threats, and vulnerabilities. Evaluates physical security, access points, communication systems, and operational procedures. Must be conducted or reviewed by the CSO.
2
Ship Security Plan (SSP)
Developed from the SSA findings. Addresses procedures for all three security levels covering: access control, restricted areas, cargo handling, stores delivery, unaccompanied baggage, security monitoring, SSAS procedures, security training, and interfacing with port facilities. Confidential document — must be stored securely.
3
Administration Approval
SSP submitted to flag state or RSO for review and approval. Plan must be accompanied by the SSA. Any subsequent changes to the SSP or security equipment require re-approval. Electronic SSPs permitted if adequately protected.
4
ISSC Issued
International Ship Security Certificate issued upon verification that SSP meets ISPS Part A requirements. Valid for 5 years with intermediate verification. Interim ISSC valid for 6 months for new ships or flag/company changes.

Ship Security Alert System (SSAS)

The SSAS is a silent alarm system that transmits a covert distress signal to the flag state when the vessel is under security threat — piracy, terrorism, armed robbery. Unlike distress signals, SSAS alerts generate no audible or visible alarm onboard to avoid endangering crew if captured.

Activation Requirements
Minimum 2 independent activation points — one on bridge, one in another accessible location (engine room, master's cabin, or crew area). Designed to prevent accidental activation. Once pressed, alert transmits continuously until reset.
What Gets Transmitted
Ship name, IMO number, MMSI, call sign, current position (GPS), date/time, speed, and course. Sent via satellite (Inmarsat C/D+) to the flag state administration and company-designated recipients (owner, fleet manager).
Testing & Maintenance
Annual check during radio equipment survey and during ISSC renewal/intermediate verification. Internal test capability required — flag state representative must be able to verify operation onboard. Testing procedures documented in SSP.
Non-Compliance Consequences
Invalidation of ISSC. Vessel detention. Denial of port entry. Financial penalties. Additional security measures imposed by port authorities. Increased scrutiny during subsequent inspections.
Track Security Compliance Across Your Fleet
ISSC renewals, security drill schedules, SSP updates, access control logs, SSAS test records — Marine Inspection centralizes every ISPS requirement with automated alerts and photo-documented inspection trails.
Book Your Fleet Demo Start Free Trial

PSC Security Inspection: What Officers Check

Although security may not always be the PSC officer's primary focus, the following items are routinely verified — and deficiencies in any of them create a formal record that affects your vessel's risk profile.

Table 2: PSC ISPS Security Inspection Items
PSC Code Inspection Item What Officers Verify Common Failures
16101 Security-related defects Overall security posture — lighting, CCTV, locks, access barriers Broken security lighting, non-functional CCTV, damaged door locks on restricted areas
16102 Ship Security Alert System SSAS activation points accessible, tested, crew knows locations and procedures Crew unable to locate activation points, no test records, SSAS programming errors
16103 Ship Security Plan SSP approved, current, stored securely, confidential sections protected SSP not updated after vessel modification, confidential sections stored in non-restricted areas
16104 Ship Security Officer SSO identified, trained, can explain duties at each security level, knows CSO contact SSO cannot describe Level 2/3 procedures, doesn't know CSO 24hr contact number
16105 Access control to ship Gangway watch, visitor log, ID verification, security badges in use No gangway watch, incomplete visitor log, security badges not issued to visitors
16106 Security drills Drill records with dates, scenarios, participants, findings, corrective actions Drills not conducted quarterly, identical scenarios repeated, no documented findings

Security Drill & Exercise Requirements

ISPS mandates regular security drills to ensure crew can respond effectively to threats. PSC officers and auditors check both the frequency and the quality of drill documentation. Schedule a demo to see how Marine Inspection automates drill scheduling and documentation with photo evidence.

Every 3 Months
Security Drills
Test individual SSP elements — unauthorized boarding response, bomb threat procedures, suspicious package handling, restricted area breach. Vary scenarios between drills. Include surprise timing to test real readiness.
Annually
Full-Scale Security Exercise
Comprehensive exercise testing the entire SSP — coordination between SSO, CSO, port facilities, and authorities. Include communication procedures, escalation protocols, and multi-department response.
On Joining
Crew Security Familiarization
Every crew member must receive security familiarization within the first week of joining. Covers security duties, restricted areas, SSAS awareness, reporting procedures, and SSP-relevant responsibilities.

ISPS Compliance Checklist

Use this before every PSC arrival and during internal security audits. These items map directly to the PSC deficiency codes that create formal findings. Sign up for Marine Inspection to run these checklists digitally with timestamped records.

ISPS Code — Pre-PSC Security Readiness Check
Certification & Documentation
ISSC valid with intermediate verification endorsement current
SSP approved, current revision, stored securely in locked location
CSR (Continuous Synopsis Record) updated with latest information
Declaration of Security completed with current port facility (if required)
Personnel & Access Control
Gangway watch posted with visitor log, ID verification, and security badge system active
SSO identified, trained, can explain duties at all three security levels
CSO 24-hour contact details documented and known to SSO and Master
Restricted areas marked, locked, and access controlled per SSP
Equipment & Systems
SSAS — both activation points accessible, crew knows locations and procedures
SSAS test records available — annual check and last internal test documented
Security lighting, CCTV, locks, and barriers functional and maintained
Waterside monitoring arrangements in place per SSP requirements
Drills & Training
Security drills conducted at least quarterly — records show varied scenarios
Annual full-scale security exercise completed and documented
Crew security familiarization completed for all personnel within first week of joining
Drill records include date, scenario, participants, findings, and corrective actions

Frequently Asked Questions

What is the ISPS Code and who does it apply to?
The International Ship and Port Facility Security (ISPS) Code is an IMO security framework under SOLAS Chapter XI-2, in force since July 1, 2004. It applies to all passenger ships and cargo ships of 500 GT and above on international voyages, plus the port facilities that serve them. It does not apply to warships or government non-commercial vessels.
What are the three ISPS security levels?
Level 1 (Normal) — minimum protective measures maintained at all times. Level 2 (Heightened) — additional measures for defined periods due to increased risk. Level 3 (Exceptional) — highest alert when a security incident is probable or imminent, with specific instructions from the contracting government. Ships must comply with the higher of their own level or the port's level.
What is the Ship Security Alert System (SSAS)?
SSAS is a silent alarm system transmitting a covert distress signal via satellite to the flag state when a ship is under security threat. It requires at least two activation points onboard (bridge + one other location). No audible or visible alarm is generated to protect crew if captured. It transmits ship identity, position, speed, and course continuously until reset.
How often must security drills be conducted?
Security drills must be conducted at least every three months, testing individual SSP elements with varied scenarios. A full-scale security exercise must be completed annually. Crew security familiarization is required for all personnel within their first week of joining. All drills must be documented with dates, scenarios, participants, and findings.
What happens if a ship fails ISPS inspection at PSC?
PSC officers can impose control measures including ship inspection, detention, restriction of operations, or expulsion from port. Missing or expired ISSC, non-functional SSAS, absent SSO, incomplete drill records, or inadequate access control can all trigger deficiencies. Non-compliance records affect the vessel's risk profile for future inspections across the regional PSC regime.
Security Compliance Starts with Visibility
ISSC tracking, drill scheduling, access control documentation, SSAS test records, SSP version management — Marine Inspection gives CSOs and SSOs a single platform to prove security readiness at every port call.
Schedule Your Demo Start Free Trial