The ISPS Code was introduced in the wake of the September 2001 attacks and entered into force on 1 July 2004. For the superyacht industry, it introduced a layer of security compliance that many operators initially viewed as irrelevant to their operations. Two decades later, the Code is firmly embedded in the regulatory landscape, and failure to comply can result in denied port entry, vessel detention, and serious operational disruption.
In our experience, the ISPS Code is one of the areas where superyachts are most likely to be underprepared. The security plan sits in a locked cabinet, rarely reviewed, and the crew treat the three security levels as abstract concepts rather than operational realities. This guide covers the practical requirements and how to implement them effectively.
Who Needs This?
The ISPS Code does not apply to every yacht. The applicability threshold is clear, but the implications of getting it wrong are significant:
- All yachts of 500 GT and above engaged on international voyages
- Yachts operating under SOLAS Chapter XI-2 (which cross-references the ISPS Code)
- Yachts visiting ISPS-compliant port facilities (which is effectively all major commercial ports)
- Yachts flagged with states that enforce ISPS (most major yacht registries)
- Company Security Officers (CSOs) responsible for shore-side security oversight
- Ship Security Officers (SSOs) responsible for onboard implementation
SOLAS Chapter XI-2 and the ISPS Code
The ISPS Code derives its legal authority from SOLAS Chapter XI-2, “Special Measures to Enhance Maritime Security,” adopted by the IMO Diplomatic Conference in December 2002. The Code itself is divided into two parts:
- Part A (Mandatory): Sets out the requirements for governments, port facilities, and ships
- Part B (Guidance): Provides guidance on the implementation of Part A
While Part B is technically non-mandatory, most flag states and port states treat significant portions of it as effectively obligatory. Your Ship Security Plan should address both Part A requirements and the relevant Part B guidance.
Key SOLAS Chapter XI-2 Regulations
| Regulation | Subject | Key Requirement |
|---|---|---|
| Regulation 2 | Definitions | Defines ship, company, port facility, security levels |
| Regulation 4 | Requirements for Companies and Ships | Companies must comply with ISPS Part A and relevant Part B |
| Regulation 6 | Requirements for Port Facilities | Port facilities must comply with ISPS Part A |
| Regulation 8 | Master’s discretion for safety and security | Master retains overriding authority on security decisions |
| Regulation 9 | Control and compliance measures | Allows port state control of security requirements |
| Regulation 10 | Requirements for port facilities | Interface with ships and port facility security |
The Ship Security Assessment (SSA)
Before you can develop a Ship Security Plan, you must conduct a Ship Security Assessment. The SSA is the foundation of your entire security programme and is required under ISPS Code Part A, Section 8.
What the SSA Must Cover
The SSA must address the following elements as specified in Section 8.4:
- Identification of existing security measures, procedures, and operations
- Identification and evaluation of key shipboard operations that need to be protected
- Identification of possible threats to key operations and the likelihood of their occurrence
- Identification of weaknesses in infrastructure, policies, and procedures
- Identification, selection, and prioritisation of countermeasures and procedural changes
The SSA must be carried out by persons with appropriate knowledge and must consider the physical security of the vessel, structural integrity, personnel protection systems, procedural policies, radio and telecommunication systems, and relevant transportation infrastructure.
Ship Security Plan (SSP) Requirements
The Ship Security Plan is the core document of your ISPS compliance. It must be developed based on the SSA and approved by the flag state Administration or a Recognised Security Organisation (RSO) acting on its behalf.
Mandatory SSP Contents (ISPS Part A, Section 9.4)
The SSP must address the following for each of the three security levels:
| SSP Element | What It Must Cover |
|---|---|
| Measures to prevent weapons and contraband | Access screening, baggage checks, vehicle inspections |
| Identification of restricted areas and access control | Bridge, engine room, steering gear, stores |
| Measures against unauthorised access | Gangway watch, CCTV, lighting, fencing |
| Response procedures for security threats | Bomb threats, suspicious packages, stowaways |
| Evacuation procedures | Security-related evacuation routes and muster points |
| Duties of personnel with security responsibilities | SSO, watchkeepers, gangway crew |
| Interface with port facility security | Declaration of Security (DoS), communication protocols |
| Review and audit procedures | Plan review intervals, reporting, updating |
| Reporting of security incidents | Internal and external reporting chains |
| SSO duties and training | Qualifications, responsibilities, authority |
Plan Approval and Amendments
The SSP must be submitted to the flag state or RSO for approval before the International Ship Security Certificate (ISSC) can be issued. Any substantial amendments to the plan (changes to security organisation, equipment, or procedures) must be re-submitted for approval.
Minor amendments (updated contact details, crew changes) can typically be made by the SSO and recorded in the plan’s amendment log without requiring re-approval, though this varies by flag state.
The Three Security Levels
The ISPS Code establishes three security levels that determine the intensity of protective measures. The security level is set by the Contracting Government (the coastal or flag state), not by the vessel.
Security Level 1: Normal
This is the baseline operational level. The minimum protective security measures must be maintained at all times. At Security Level 1, the SSP must address:
- Access control to the vessel (gangway watch, visitor logging)
- Monitoring of deck areas and areas surrounding the vessel
- Supervision of cargo and stores handling
- Ensuring security communications are readily available
Security Level 2: Heightened
Additional protective measures are implemented in response to a heightened risk of a security incident. At Security Level 2, the SSP must specify enhanced measures including:
- Additional watchkeepers or security patrols
- Restricted access to certain areas of the vessel
- Enhanced screening of persons and baggage
- Deterrent measures such as increased lighting and restricted boat traffic near the vessel
Security Level 3: Exceptional
Further specific protective measures are implemented for a limited period when a security incident is probable or imminent. At Security Level 3:
- The vessel must follow instructions from the Contracting Government
- The SSP must include procedures for responding to specific directions
- Access may be restricted to essential personnel only
- The vessel may need to prepare for evacuation or departure
CSO and SSO Roles
The ISPS Code establishes two key security roles that must be filled at all times.
Company Security Officer (CSO)
The CSO is the shore-side person responsible for security across the company’s fleet. Under ISPS Part A, Section 11, the CSO is responsible for:
- Ensuring the SSA is carried out and the SSP is developed and maintained
- Arranging for SSP approval and subsequent amendments
- Ensuring adequate training for the SSO and ship personnel
- Liaising with port facility security officers
- Coordinating the implementation of the SSP
- Ensuring internal audits of security activities are conducted
Ship Security Officer (SSO)
The SSO is the onboard person responsible for implementing the SSP. Under ISPS Part A, Section 12, the SSO must:
- Conduct regular security inspections of the vessel
- Maintain and supervise implementation of the SSP
- Coordinate security aspects of cargo and stores handling
- Propose modifications to the SSP as necessary
- Report security incidents to the CSO
- Ensure security equipment is properly maintained and tested
- Ensure security awareness and vigilance among the crew
Both the CSO and SSO must hold valid training certificates. The CSO must meet the competence requirements of STCW Regulation VI/5, Section A-VI/5, and the SSO must meet those of STCW Regulation VI/6, Section A-VI/6.
Security Drills and Exercises
The ISPS Code and SOLAS Chapter XI-2 require regular security drills and exercises. The specific intervals are:
| Activity | Minimum Frequency | Requirement |
|---|---|---|
| Security drills | Every 3 months | ISPS Part A, Section 13 |
| Security exercises | At least once per calendar year (max 18-month interval) | ISPS Part A, Section 13 |
| Drills after major crew changes | Within 1 week of crew change (if >25% change) | ISPS Part A, Section 13.6 |
What Drills Must Cover
Security drills should test individual elements of the SSP, such as:
- Access control procedures at different security levels
- Response to a bomb threat or suspicious package
- Response to an attempted unauthorised boarding
- Communication procedures with port facility security
- Declaration of Security (DoS) completion procedures
- Transition between security levels
Exercises
Exercises are more comprehensive than drills and should test the full SSP or significant portions of it. Exercises may be conducted in conjunction with port facility exercises and can include participation from the CSO, local authorities, and other stakeholders.
International Ship Security Certificate (ISSC)
The ISSC is the certificate that confirms your vessel complies with SOLAS Chapter XI-2 and the ISPS Code. It is issued by the flag state Administration or an RSO after verification that the SSP has been approved and implemented.
ISSC Validity and Surveys
- Validity: Maximum 5 years
- Intermediate verification: Between the second and third anniversary of the certificate
- Additional verifications: After any modification to the SSP or security equipment
- Renewal: Requires a full verification audit
The ISSC must be carried onboard at all times and presented during PSC inspections. An expired or missing ISSC is grounds for vessel detention.
Practical Implementation Steps
Implementing the ISPS Code on a superyacht does not require a military-grade security operation. It requires a structured, documented approach that your crew can execute consistently.
- Appoint a CSO and SSO. Ensure both hold valid STCW certificates for their respective roles. The SSO is typically the Chief Officer or First Officer onboard.
- Conduct or update your Ship Security Assessment. Walk the vessel systematically, identify vulnerabilities, and document them. Consider the ports you visit, the profile of your guests, and the operational pattern.
- Develop or update your Ship Security Plan. Base it on the SSA findings. Include clear, actionable procedures for each security level. Avoid generic templates that do not reflect your vessel’s actual operations and layout.
- Submit the SSP for flag state approval. Allow adequate lead time, as approval can take several weeks depending on the flag state and RSO.
- Train your crew. Every crew member must understand the three security levels, their specific security duties, and the procedures in the SSP. The SSO must deliver this training and document it.
- Implement a drill schedule. Quarterly drills, annual exercises. Record them properly. Vary the scenarios to test different elements of the SSP.
- Obtain your ISSC. Schedule the verification audit with your flag state or RSO. Ensure the SSP is fully implemented before the audit.
- Maintain and review. The SSP is a living document. Review it at least annually, after any security incident, and whenever your vessel’s operations or crew change significantly.
Our ISPS Security Plan template is specifically designed for superyachts and includes a complete SSP framework, SSA methodology, Declaration of Security templates, drill and exercise record forms, and flag state submission guidance.
Common Mistakes and Inspection Findings
These issues come up repeatedly during ISSC audits and PSC inspections:
- SSP approved but not implemented. The plan exists but crew members cannot describe its contents or their security duties.
- No evidence of security drills. The drill log is empty or shows drills conducted only in the weeks before an audit.
- CSO or SSO certificates expired. Training certificates must be current at all times.
- Declaration of Security not completed when required. The DoS is needed when the vessel is interfacing with a port facility at a different security level or when specifically requested.
- Restricted areas not properly identified or controlled. Bridge, engine room, and steering gear spaces must have access control measures in place.
- Security equipment not maintained. CCTV systems offline, access control locks broken, lighting defective.
- No record of SSP review. The plan should show evidence of at least annual review, even if no changes were required.
Frequently Asked Questions
Does the ISPS Code apply to yachts that only do private (non-charter) voyages?
Yes. The ISPS Code applies based on vessel size (500 GT and above) and voyage type (international), not on commercial status. A privately operated yacht of 500 GT on an international voyage must comply with the ISPS Code in the same way as a charter yacht. The only exception is for vessels engaged exclusively in domestic voyages, which fall under the national security regulations of the flag state.
Can the Master override security procedures if they conflict with safety?
Absolutely. SOLAS Chapter XI-2, Regulation 8 explicitly protects the Master’s discretion. The Master has the overriding authority to make decisions regarding the safety and security of the vessel. If the Master believes that compliance with a security directive would compromise the safety of the vessel, they may take appropriate action and must report the situation to the flag state and the relevant Contracting Government.
What is a Declaration of Security (DoS) and when is it needed?
A Declaration of Security is an agreement between the vessel and a port facility (or between two vessels) that records the security measures each party will implement during their interface. Under ISPS Part A, Section 5, a DoS may be required when the vessel is operating at a higher security level than the port facility, when there is a security concern about the ship-port interface, or when the Contracting Government specifically requests one. In practice, many yachts rarely need to complete a DoS, but you must have blank forms onboard and your SSO must know how to complete them.