Top 10 Security Obligations in the ISPS Code for Ships and Port Facilities

Explore the top 10 mandatory security obligations under the ISPS Code for ships and port facilities. Learn how this global framework protects maritime operations from terrorism, piracy, and cyber threats.

Why the ISPS Code Still Matters in 2025

It was July 2004, just three years after 9/11, when the maritime world implemented the International Ship and Port Facility Security (ISPS) Code. Driven by the need to prevent acts of terrorism and unlawful interference, this IMO-backed framework became a global turning point for maritime security culture.

Fast-forward to today: shipping faces not only the traditional risks of stowaways and piracy, but also cyberattacks, cargo tampering, smuggling, and drone surveillance. These modern threats demand more than compliance—they demand vigilance.

Whether you’re a deck officer, shipowner, port manager, or maritime student, understanding your top 10 obligations under the ISPS Code is critical. This article breaks it all down—simply, clearly, and with real-world examples from port terminals and shipboard operations around the globe.

Understanding the ISPS Code and Its Global Role

The ISPS Code is a comprehensive security regime created under SOLAS Chapter XI-2 by the International Maritime Organization (IMO). It applies to:

• Ships engaged on international voyages of 500 GT and above.

• Mobile offshore units and passenger vessels.

• Port facilities serving such ships.

Its dual structure includes:

• Part A: Mandatory security requirements.

• Part B: Guidance and recommendations.

The ISPS Code complements national laws and is enforced through flag state inspections, port state control, and company audits.

1. Appointing a Ship Security Officer (SSO) and Port Facility Security Officer (PFSO)

Security starts with leadership. Under the ISPS Code, every ship must appoint a Ship Security Officer (SSO), and every port must designate a Port Facility Security Officer (PFSO).

Their duties include:

• Implementing and maintaining the Security Plan.
• Conducting security drills and exercises.
• Liaising with the Company Security Officer (CSO) and port authorities.

SSOs and PFSOs must complete IMO-compliant training under Model Courses 3.19, 3.20, and 3.21.

Real-world tip: Onboard, the Chief Mate often doubles as the SSO, while in port, the Harbourmaster or designated terminal manager typically serves as the PFSO.

---

2. Maintaining an Approved Ship or Port Facility Security Plan (SSP/PFSP)

Every vessel and port facility must have a Security Plan approved by the flag state or competent authority.

The plan should include:

• Access control protocols.
• Communication procedures.
• Threat response measures.
• Emergency contact lists.
• Cybersecurity layers (updated post-2017 IMO cybersecurity guidelines).

Plans are confidential but must be auditable and up to date, especially when threats or operations change.

Update (2023–2024): Many flag states now require the inclusion of cybersecurity and drone threat response in SSPs.

---

3. Conducting Regular Security Assessments

Before developing a security plan, a Ship Security Assessment (SSA) or Port Facility Security Assessment (PFSA) must be completed.

Assessments should cover:

• Past incidents and vulnerabilities.
• Cargo handling zones.
• Ship-to-shore interfaces.
• Use of remote access technology.

Security assessments must be updated:

• After major incidents or changes in routing/cargo.
• Every 5 years or during major audits.

Case Example: Following piracy attempts in the Gulf of Guinea, several container ships updated their SSA to include razor-wire fencing and bridge blackout drills.

---

4. Implementing and Managing Security Levels (1, 2, 3)

The ISPS Code defines three security levels:

• Level 1: Normal operations.
• Level 2: Heightened threat.
• Level 3: Exceptional threat or attack.

Ship and port responses must scale up based on level:

• At Level 2, additional watchkeeping and ID checks are enforced.
• At Level 3, ship movements may be restricted, and local law enforcement may board.

These levels are declared by national maritime authorities (e.g., USCG, AMSA) and must be recorded in the ship’s log.

---

5. Restricting Unauthorized Access to Ships and Port Areas

Controlling who gets onboard or into secure areas is fundamental.

Obligations include:

• Fencing, CCTV, and watchmen at port entrances.
• Access card validation and crew ID checks at gangways.
• Sealing and tagging of cargo units.

Onboard, access logs must be maintained, and visitors must sign in, wear visible IDs, and remain escorted.

Best Practice: Combine traditional barriers with biometric systems or QR-based port access—increasingly used in ports like Singapore, Rotterdam, and Hamburg.

---

6. Ensuring Continuous Synopsis Record (CSR) and Log Entries

Ships must maintain a Continuous Synopsis Record (CSR) as part of the ISPS documentation trail.

CSR records:

• Ship name and flag changes.
• Owner/operator changes.
• Certification updates.
• Security incidents or inspections.

It must be:

• Kept onboard in both digital and printed formats.
• Updated every time the ship is transferred, renamed, or reflagged.

Port State Control officers can request the CSR at any time, especially after a security breach.

---

7. Training Crew and Port Staff in Security Awareness

All personnel must receive basic security awareness training and those with designated duties must undergo advanced security training.

Required competencies:

• Recognizing suspicious behavior.
• Handling security communications.
• Responding to security breaches or drills.

Courses often include anti-terrorism awareness, human trafficking detection, and now increasingly, cybersecurity threat recognition.

---

8. Performing Security Drills and Exercises

To maintain preparedness, ships and ports must:

• Conduct security drills every 3 months.
• Participate in annual security exercises (jointly with other ships, ports, or agencies).
• Include scenarios such as stowaway detection, unauthorized boarding, or IED threats.

Logs must show:

• Date, scope, participants, and outcomes.
• Lessons learned and follow-up actions.

Example: Port of Rotterdam regularly simulates drone-based smuggling attempts during its ISPS drills, now included as best practice by ESPO.

---

9. Reporting and Responding to Security Incidents

If a security incident occurs—such as unauthorized boarding, piracy attempt, or smuggling—ships must:

• Notify the flag state, Company Security Officer, and nearest port.
• Record the incident in the logbook.
• Cooperate with local law enforcement or coast guards.

ISPS requires full documentation:

• Photos, timelines, reports.
• Preservation of evidence (e.g., CCTV footage).

Data point: According to Lloyd’s List Intelligence (2024), over 60% of port-related security breaches go unreported—raising concerns about under-compliance with ISPS obligations.

---

10. Integrating Cybersecurity Measures

While not explicitly covered in the original 2004 code, cybersecurity is now part of ISPS compliance under IMO Resolution MSC.428(98), which requires its integration into Safety Management Systems (SMS) and Security Plans.

Shipowners must:

• Conduct a Cyber Risk Assessment.
• Install firewalls, access controls, and software patching schedules.
• Train crew in phishing prevention and cyber hygiene.

Ports are also adopting AI-based intrusion detection systems to monitor networks and cargo data pipelines.

–

Real-World Case Study: Port of Antwerp’s Response to Drug Smuggling Threats

In 2022, the Port of Antwerp was at the center of a massive smuggling ring. Criminal groups hacked into cargo systems to reroute containers with concealed drugs.

The port responded by:

• Upgrading perimeter security.

• Adding cyberforensic protocols to the PFSP.

• Mandating cyber-awareness training for logistics partners.

As a result, the port’s revised ISPS Plan became a model for hybrid physical-cyber security across EU ports.

FAQ

Q1: Is the ISPS Code mandatory for domestic ships?
Not always. It applies primarily to international voyages over 500 GT. However, some flag states extend it to domestic high-risk routes.

Q2: What happens if a ship doesn’t comply?
Ships may be denied port entry, detained by PSC, fined, or even blacklisted.

Q3: Who inspects for ISPS compliance?
Port State Control, flag state surveyors, classification societies, and occasionally, regional security authorities.

Q4: How often must the SSP be reviewed?
Every 5 years or after a major security incident, change of operator, or routing changes.

Q5: Does ISPS cover piracy?
Yes, especially in coordination with regional frameworks like BMP5 and IMB Piracy Reporting Centre guidelines.

Conclusion

The ISPS Code is not just a checklist—it’s a living framework for security resilience. As global threats evolve—from terrorism and piracy to cybercrime and insider threats—the Code continues to serve as the maritime industry’s backbone of protection.

Whether you’re a cadet, captain, port operator, or policymaker, the ten obligations we’ve explored aren’t just regulatory burdens—they’re vital to ensuring that ships sail safely, cargo moves securely, and seafarers return home without harm.

By investing in training, technology, and teamwork, maritime stakeholders uphold not only compliance but global maritime trust.

---

References

• International Maritime Organization. (n.d.). ISPS Code Overview

• IMO. (2023). Cybersecurity Resolution MSC.428(98)

• The Nautical Institute. (2023). Security Awareness Training

• Lloyd’s List Intelligence. (2024). Maritime Security Report: Threats and Responses

• EMSA. (2023). Port Security Guidelines

• BIMCO. (2022). Security Measures for Shipowners

• Port of Rotterdam. (2023). [Annual Security Exercise Report]

• ESPO. (2023). Best Practices for ISPS Code Compliance