ISPS Code: Important and Must

Know Elements

11th Sept 2001. Do you remember this date?

IMO has developed many codes, regulations, and
conventions since its inception in 1948.
If not all, most of these conventions were triggered by some
major incident. For example, ISM code came into existence
because of the incident of “Herald of free enterprise”.
MARPOL was the result of the incident of Torrey Canyon. And
as everyone knows, SOLAS was developed because of
infamous incid the nt of sinking of Titanic.
ISPS code is probably the only code that was developed
because of a non-marine incident. It was considered and
developed after the 9/11 terror attack in the USA.
So what exactly ISPS code requires us to do. Let us discuss
10 elements of ISPS code we need to know about.
1. Ship security plan

Ship security plan has all the security-related instructions for

the ship’s crew.
ISPS code part A/9.4 gives the minimum points that must be
included in the ship security plan.

Ship security plan need to be approved by flag state of the

vessel or by Recognised security organisation (RSO) on
behalf of flag state. RSO is usually the classification society
of the vessel.

Handling Ship security plan on board

Ship security plan is to be kept in a locker. If it is at an open
location, it may lead to a non-conformity during PSC
inspection or ISPS audit.
Master and SSO must not give access of SSP to any external
party. Only Company security officer and person conducting
security audit can be given access.

If any PSC inspector seeks access to SSP, this request should

be politely rejected.
There may be situations where PSC inspector believes that
there exists a security related non-conformance and only
way to prove to him that this non-conformance does not
exist is by showing him the SSP.

In these cases, Master / SSO can show only the SSP section
that is required to prove the non-conformance as invalid.
2. Ship Security Assessment

Ship security assessment is the first step toward developing

a security plan.
Let us say you have the responsibility to develop a ship
security plan. There are many aspects you would like to
explore.

You would like to ensure that your ship is not attacked. You
have responsibility to ensure that unauthorised persons are
not able to board your ship. how will you go about to achieve
all this ?

You would probably want to identify all the access point of

the ship. You may want to brainstorm and identify the
possible ways your ship can be attacked. You may even want
to assume yourself as an attacker and think of how you can
gain access to the ship.

That is what ship security assessment is all about.

 It is about
identifying the applicable security scenarios for the ship. For
example, will there be any security concern during cargo
operation ? Are there any weaknesses in the ship security ?
Ship security assessment is a kind of risk assessment about
the security of the ship.
Ship security assessment aims to answer these five
questions.

§ Is there any motive to attack the ship?

§ Which are the key shipboard operations and areas that are
prone to security incident

§ Are there any existing security measures, procedures in

place?
§ What are ways ship can be attacked?

§ What are the likelihood and consequences of such attack?

Ship security assessment forms the basis for development of

ship security plan. It is the responsibility of the company
security officer to conduct initial ship security assessment.

Here is an example of ship security assessment.

 3. Ship security officer

ISPS code requires company to appoint a ship security

officer. The crew member appointed as SSO must have done
the security training required as per STCW.
The main duties of ship security officer is
§ to implement and maintain all the elements of ship security
plan and

§ to liase with the company security officer and port facility

security officer (PFSO) for all security related activities

It is quite obvious that to implement SSP on board, SSO

must himself know about what SSP requires from SSO and
ship’s crew.

For this reason, SSO must read the SSP thoroughly and
preferably make notes of key points specific to SSP of the
ship he must know at all times.

For example SSO must know

§ percentage of baggage gangway watch need to check at

each security level

§ Procedure to follow if any unaccompanied baggage is found

on board

§ Restricted areas as per SSP

§ Security equipments on board and what maintenance is
required for these

§ Procedure and required interval for testing of ship security

alert system

One of the important duty of SSO is to review the ship

security plan. The idea for review is to make the SSP robust
over the time. SSO has to look for shortcomings in the SSP
and point these out in the SSP review.

Some companies may have a quick checklist for review of

ship security plan. Even if there is no checklist, SSO can
review the SSP to best of his capacity.
For example, SSO may find that an access which should be a
restricted area is not designated as restricted area in the
SSP.

He may find that there are no clear instructions if the port

security personnel with weapons can be allowed on board or
not.

Whatever the SSO feel should include in the SSP which isn’t
included, he can mention that in his SSP review.

4. Company Security Officer

 ISPS code also requires company to appoint a company
security officer. The main duties of the company security
officer is to

§ Carry out ship security assessment

§ Develop ship security plan and submit it for approval

§ ensure efficient implementation of SSP on board

One of the important duty of CSO is to share regular security

information to the SSO and ship.

5. Security levels

ISPS code has set three security levels.

§ Security Level 1

§ Security Level 2

§ Security Level 3
Security level 1 requires minimum security measures and is
the normal security level all ships and ports are supposed to
operate.

security level 3 requires most stringent security measures.

Security level 3 is set only in exceptional circumstances when

there is a credible information about a probable or imminent
security incident.
There is this one frequently asked question related to
security levels. The question is “Who decides the security
level on board” ?

Who decides the security levels on board?

When the ship is at sea, Security level is set by the flag state
of the vessel. Flag state may not instruct the ship directly
but may do so through CSO.
CSO will forward the message from the flag state to the
applicable ships to change the security level. SSO need to
acknowledge the mail for instructions to change the security
level and confirm to CSO when the security level is changed.

At port, vessel need to have same security level as the port.

Before arrival, agent gives all the security details of the port
and also advises the security level of the ship.

If the security level of the port is higher than the ship, the
ship must increase the security level to same as the port.

Now there may be instances where security level of ship is

higher than the port it is calling. In this case, SSO should
consult CSO. CSO may advise to decrease the level of the
ship without downgrading the security measures.

This means that in this case, the ship will have lower security
level but will have same security measures that are required
as per higher security level in SSP.

CSO after consultation with flag may advise to keep the

higher security level. In this case, vessel must inform the
port of its higher security level.

6. Declaration of security
As the name suggests, declaration of security is security
related declaration between two parties. One of the party is
 own ship and other party can either be a port or another
ship.

The question is when do we need Declaration of security and

why do we need Declaration of security?
Let us answer the “when” part first.

The DoS is intended to be used in exceptional cases usually

related to higher risk. These are the times when there is a
need to reach an agreement between the port facility and the
ship as to the security measures to be applied.
ISPS code requires each flag state to establish the
requirements of the declaration of security.

But in general DOS need to be filled when

§ Ship is operating at higher security level than the port it is

calling

§ Ship is operating at higher security level than the other ship

it is doing operations with

§ Ship is calling a port which do not have port facility security

plan. This will be the case when port is in a country that has
not ratified ISPS code

§ Ship is doing operations with a ship the flag of which has not
ratified the ISPS code and thus do not have an approved ship
security plan
Another question is why do we need to fill DOS. As you
would notice in above situations that the ship is either at
higher security level or is dealing with port or ship that does
not comply with ISPS code.

In first case, we need to make sure that ship’s higher

security level is efficiently conveyed to the port or ship it is
dealing with. Also as the port or other ship is at lower level,
we would want to know what security duties the port and
ship will be performing.

For example we need to get the declaration from other ship

that they will monitor the areas around their ship and restrict
the access to their ship.

In the second case where port or ship is not ISPS compliant,

we need to make joint declaration that the port or other ship
will perform some of the security duties as per declaration of
security.

Many ships or companies requires DOS to be completed at

every port & ship operation. This is not required and in doing
so we are just wasting paper and energy on something that
is grossly unnecessary.

7. Security drills and exercises

Company is required to devise a security drill planner which

should cover all the security situations.
 These drills may include situations like

§ Bomb threat at port / at sea

§ change in security level

§ Stowaway or Bomb search

The whole idea of these drills and exercises is to test the

effectiveness of ISPS code implementation. These drills
should aim to identify the gaps between expected outcomes
and actual performance.

SSO should maintain the records of all the security drill

carried out on board.

8. International ship security certificate

International ship security certificate is a statutory
certificate. ISPS code applies to all ships over 500 GRT. ISPS
code requires these ships to have a valid “International ship
security certificate”.

But how can a ship get “International ship security certificate

(ISSC)?
A new building ship or the ship that changes flag or class will
get an interim ISSC. The interim ISSC will be issued after
verification by flag state or RSO (usually class) that all the
elements of SSP are implemented on board.
 The interim ISSC is valid for six months.

A full term ISSC is issued

§ after SSP has been implemented for at least 30 day

§ A successful ISPS audit has been conducted by the flag or

RSO on behalf of flag

The full term ISSC is valid for 5 years subject to intermediate

verification and endorsement by flag or RSO on behalf of
flag.

9. Ship Security Alert system

One of the main security equipment on board required by

ISPS code is ship security alert system.

There needs to be a minimum of two security buttons that

can initiate SSAS. One of these buttons should be on the
wheel house of the ship.
Generally, when a SSAS button is pressed, the alert goes to
the Flag state and the CSO. But some flag state may require
that alert is only received by the CSO.

Ship security alert system (SSAS) must be tested at least

annually.

The test procedure is given in the SSP. SSO must know this
procedure of testing.

Conclusion

ISPS code may not have been able to put an end to the
security incidents around the world. But it has surely given a
framework for deterrence in the security issues around the
world.

This deterrence will only be effective if we know and

implement all the elements of ISPS code effectively.