International Ship and Port Facility Security (ISPS) Code
Status: In force — the international maritime security regime: security assessments, plans, officers, levels, and the ISSC.
What Is It?
The ISPS Code is the international framework for maritime security, adopted after the September 2001 attacks and made mandatory through SOLAS Chapter XI-2. It establishes a structured security regime spanning ships and port facilities: security assessments, approved security plans, designated security officers, graduated security levels, and verifiable records — all certified through the International Ship Security Certificate (ISSC).
For each vessel, compliance begins with a Ship Security Assessment feeding an approved Ship Security Plan (SSP), maintained by a designated Ship Security Officer (SSO) aboard and a Company Security Officer (CSO) ashore. Ships operate at one of three security levels set by administrations and port states, with the SSP defining the protective measures for each level — access control, restricted areas, cargo and stores handling, monitoring, and communications. The ship security alert system provides covert notification to shore in the event of a security incident.
Port calls create a continuous compliance interface: pre-arrival security information, Declarations of Security where required, and the Continuous Synopsis Record documenting the vessel's history. As maritime security threats have evolved — from piracy and armed robbery through stowaways to hybrid and cyber threats — ISPS increasingly intersects with cyber security governance, with security plans expected to reflect the connected reality of modern ship operations.
Who It Affects
The ISPS Code applies to passenger ships and cargo ships of 500 GT and above on international voyages, mobile offshore drilling units, and the port facilities serving them. Companies, CSOs, SSOs, and masters carry defined security responsibilities, with the master retaining overriding authority for the ship's security. Port facility operators run the parallel shore-side regime through Port Facility Security Assessments, Plans, and Officers, coordinated by contracting governments who set security levels and approve plans.
Key Dates
ISPS Code enters into force through SOLAS Chapter XI-2
Guidance updates align ship and port facility security practices with evolving threat landscape
Cyber risk management in the SMS (MSC.428(98)) extends security thinking to connected ship systems
Security regimes continue integrating physical and cyber threat management across ship and shore
Requirements
- Complete a Ship Security Assessment and maintain a flag-approved Ship Security Plan for each vessel
- Hold a valid International Ship Security Certificate (ISSC) with required verification audits
- Designate and train a Company Security Officer (CSO) and Ship Security Officer (SSO) per vessel
- Operate the graduated protective measures for security levels 1-3, including access control and restricted areas
- Maintain and test the ship security alert system (SSAS)
- Conduct security drills and exercises at required intervals and keep auditable security records
- Execute Declarations of Security with port facilities or other ships where required
- Maintain the Continuous Synopsis Record and provide pre-arrival security information to port states
Penalties & Non-Compliance
Ships unable to demonstrate ISPS compliance face control measures under SOLAS XI-2: inspection, delay, detention, restriction of operations, or expulsion from port — and a missing or invalid ISSC effectively bars entry to most trading ports. Security deficiencies feed port state targeting systems and can trigger conditions of class and charterer rejection. Following a security incident, inadequate implementation of the approved SSP exposes owners and managers to liability and flag state sanctions, while repeated failures invite enhanced inspection regimes across subsequent port calls.
How CyberSmart Helps
These modules directly support your ISPS Code compliance workflow.
Integrate ship security, physical and cyber
See how CyberSmart supports ISPS compliance and extends security management to the connected systems modern ships run on.