ISPS Code: 9 Important and Must

Know Elements
11th Sept 2001. Do you remember this date?

This, my friend, is
the date that had great influence on the way we operate our
ships. This is the date that led to the ISPS code.
I bet when you hear about ISPS code, you think about places like
Somalia and Nigeria. But security has been the concern for
shipping far longer than that.

IMO has developed many codes, regulations, and

conventions since its inception in 1948.
If not all, most of these conventions were triggered by some
major incident. For example, ISM code came into existence
because of the incident of “Herald of free enterprise”. MARPOL
was the result of the incident of Torrey Canyon. And as everyone
knows, SOLAS was developed because of infamous incid the nt
of sinking of Titanic.
ISPS code is probably the only code that was developed because
of a non-marine incident. It was considered and developed after
the 9/11 terror attack in the USA.
So what exactly ISPS code requires us to do. Let us discuss 10
elements of ISPS code we need to know about.

1. Ship security plan

Ship security plan has all the security-related instructions for the

ship’s crew.
ISPS code part A/9.4 gives the minimum points that must be
included in the ship security plan.
Ship security plan need to be approved by flag state of the vessel
or by Recognised security organisation (RSO) on behalf of flag
state. RSO is usually the classification society of the vessel.

Handling Ship security plan on board

Ship security plan is to be kept in a locker. If it is at an open
location, it may lead to a non-conformity during PSC inspection or
ISPS audit.
Master and SSO must not give access of SSP to any external
party. Only Company security officer and person conducting
security audit can be given access.

If any PSC inspector seeks access to SSP, this request should be

politely rejected.
There may be situations where PSC inspector believes that there
exists a security related non-conformance and only way to prove
to him that this non-conformance does not exist is by showing
him the SSP.

In these cases, Master / SSO can show only the SSP section that
is required to prove the non-conformance as invalid.
2. Ship Security Assessment

Ship security assessment is the first step toward developing a

security plan.
Let us say you have the responsibility to develop a ship security
plan. There are many aspects you would like to explore.

You would like to ensure that your ship is not attacked. You have
responsibility to ensure that unauthorised persons are not able to
board your ship. how will you go about to achieve all this ?

You would probably want to identify all the access point of the
ship. You may want to brainstorm and identify the possible ways
your ship can be attacked. You may even want to assume yourself
as an attacker and think of how you can gain access to the ship.

That is what ship security assessment is all about.

It is about identifying the

applicable security scenarios for the ship. For example, will there
 be any security concern during cargo operation ? Are there any
weaknesses in the ship security ?
Ship security assessment is a kind of risk assessment about the
security of the ship.
Ship security assessment aims to answer these five questions.

 Is there any motive to attack the ship?

 Which are the key shipboard operations and areas that are
prone to security incident

 Are there any existing security measures, procedures in

place?

 What are ways ship can be attacked?

 What are the likelihood and consequences of such attack?

Ship security assessment forms the basis for development of ship
security plan. It is the responsibility of the company security
officer to conduct initial ship security assessment.

Here is an example of ship security assessment.

 3. Ship security officer

ISPS code requires company to appoint a ship security officer. The

crew member appointed as SSO must have done the security
training required as per STCW.
The main duties of ship security officer is
 to implement and maintain all the elements of ship security
plan and

 to liase with the company security officer and port facility

security officer (PFSO) for all security related activities

It is quite obvious that to implement SSP on board, SSO must

himself know about what SSP requires from SSO and ship’s crew.

For this reason, SSO must read the SSP thoroughly and preferably
make notes of key points specific to SSP of the ship he must know
at all times.

For example SSO must know

 percentage of baggage gangway watch need to check at

each security level

 Procedure to follow if any unaccompanied baggage is found

on board

 Restricted areas as per SSP

 Security equipments on board and what maintenance is
required for these

 Procedure and required interval for testing of ship security

alert system

One of the important duty of SSO is to review the ship security

plan. The idea for review is to make the SSP robust over the time.
SSO has to look for shortcomings in the SSP and point these out
in the SSP review.

Some companies may have a quick checklist for review of ship

security plan. Even if there is no checklist, SSO can review the
SSP to best of his capacity.
For example, SSO may find that an access which should be a
restricted area is not designated as restricted area in the SSP.

He may find that there are no clear instructions if the port

security personnel with weapons can be allowed on board or not.

Whatever the SSO feel should include in the SSP which isn’t
included, he can mention that in his SSP review.

4. Company Security Officer

ISPS code also requires company to appoint a company security

officer. The main duties of the company security officer is to
 Carry out ship security assessment

 Develop ship security plan and submit it for approval

 ensure efficient implementation of SSP on board

One of the important duty of CSO is to share regular security

information to the SSO and ship.

5. Security levels

ISPS code has set three security levels.

 Security Level 1

 Security Level 2

 Security Level 3
Security level 1 requires minimum security measures and is the
normal security level all ships and ports are supposed to operate.

security level 2 requires most stringent security measures.

Security level 3 is set only in exceptional circumstances when

there is a credible information about a probable or imminent
security incident.
There is this one frequently asked question related to security
levels. The question is “Who decides the security level on board” ?

Who decides the security levels on board?

When the ship is at sea, Security level is set by the flag state of
the vessel. Flag state may not instruct the ship directly but may
do so through CSO.
CSO will forward the message from the flag state to the applicable
ships to change the security level. SSO need to acknowledge the
mail for instructions to change the security level and confirm to
CSO when the security level is changed.

At port, vessel need to have same security level as the port.

Before arrival, agent gives all the security details of the port and
also advises the security level of the ship.

If the security level of the port is higher than the ship, the ship
must increase the security level to same as the port.

Now there may be instances where security level of ship is higher

than the port it is calling. In this case, SSO should consult CSO.
CSO may advise to decrease the level of the ship without
downgrading the security measures.

This means that in this case, the ship will have lower security
level but will have same security measures that are required as
per higher security level in SSP.

CSO after consultation with flag may advise to keep the higher

security level. In this case, vessel must inform the port of its
higher security level.

6. Declaration of security
As the name suggests, declaration of security is security related
declaration between two parties. One of the party is own ship and
other party can either be a port or another ship.
 The question is when do we need Declaration of security and why
do we need Declaration of security?
Let us answer the “when” part first.

The DoS is intended to be used in exceptional cases usually

related to higher risk. These are the times when there is a need to
reach an agreement between the port facility and the ship as to
the security measures to be applied.
ISPS code requires each flag state to establish the requirements
of the declaration of security.

But in general DOS need to be filled when

 Ship is operating at higher security level than the port it is

calling

 Ship is operating at higher security level than the other ship

it is doing operations with

 Ship is calling a port which do not have port facility security

plan. This will be the case when port is in a country that has not
ratified ISPS code

 Ship is doing operations with a ship the flag of which has not
ratified the ISPS code and thus do not have an approved ship
security plan

Another question is why do we need to fill DOS. As you would

notice in above situations that the ship is either at higher security
level or is dealing with port or ship that does not comply with
ISPS code.

In first case, we need to make sure that ship’s higher security

level is efficiently conveyed to the port or ship it is dealing with.
Also as the port or other ship is at lower level, we would want to
know what security duties the port and ship will be performing.

For example we need to get the declaration from other ship that
they will monitor the areas around their ship and restrict the
access to their ship.

In the second case where port or ship is not ISPS compliant, we

need to make joint declaration that the port or other ship will
perform some of the security duties as per declaration of security.

Many ships or companies requires DOS to be completed at every

port & ship operation. This is not required and in doing so we are
just wasting paper and energy on something that is grossly
unnecessary.

7. Security drills and exercises

Company is required to devise a security drill planner which

should cover all the security situations.

These drills may include situations like

 Bomb threat at port / at sea

 change in security level

 Stowaway or Bomb search

The whole idea of these drills and exercises is to test the

effectiveness of ISPS code implementation. These drills should
aim to identify the gaps between expected outcomes and actual
performance.

SSO should maintain the records of all the security drill carried
out on board.
8. International ship security certificate

International ship security certificate is a statutory certificate.

ISPS code applies to all ships over 500 GRT. ISPS code requires
these ships to have a valid “International ship security certificate”.
 But how can a ship get “International ship security certificate
(ISSC)?
A new building ship or the ship that changes flag or class will get
an interim ISSC. The interim ISSC will be issued after verification
by flag state or RSO (usually class) that all the elements of SSP
are implemented on board.

The interim ISSC is valid for six months.

A full term ISSC is issued

 after SSP has been implemented for at least 30 day

 A successful ISPS audit has been conducted by the flag or

RSO on behalf of flag

The full term ISSC is valid for 5 years subject to intermediate

verification and endorsement by flag or RSO on behalf of flag.

9. Ship Security Alert system

One of the main security equipment on board required by ISPS

code is ship security alert system.

There needs to be a minimum of two security buttons that can

initiate SSAS. One of these buttons should be on the wheel house
of the ship.
Generally, when a SSAS button is pressed, the alert goes to the
Flag state and the CSO. But some flag state may require that
alert is only received by the CSO.

Ship security alert system (SSAS) must be tested at least

annually.

The test procedure is given in the SSP.  SSO must know this
procedure of testing.
Conclusion

ISPS code may not have been able to put an end to the security
incidents around the world. But it has surely given a framework
for deterrence in the security issues around the world.

This deterrence will only be effective if we know and implement all

the elements of ISPS code effectively.