ISPS Code: 9 Important and Must Know Elements

11th Sept 2001. Do you remember this date?

This, my friend, is the date that had great influence on the way we operate our ships. This is the date that led to the ISPS code.

I bet when you hear about ISPS code, you think about places like Somalia and Nigeria. But security has been the concern for shipping far longer than that.

IMO has developed many codes, regulations, and conventions since its inception in 1948.

If not all, most of these conventions were triggered by some major incident. For example, ISM code came into existence because of the incident of “Herald of free enterprise”. MARPOL was the result of the incident of Torrey Canyon. And as everyone knows, SOLAS was developed because of infamous incid the nt of sinking of Titanic.

ISPS code is probably the only code that was developed because of a non-marine incident. It was considered and developed after the 9/11 terror attack in the USA.

So what exactly ISPS code requires us to do. Let us discuss 10 elements of ISPS code we need to know about.

1. Ship security plan

Ship security plan has all the security-related instructions for the ship’s crew.

ISPS code part A/9.4 gives the minimum points that must be included in the ship security plan.

Ship security plan need to be approved by flag state of the vessel or by Recognised security organisation (RSO) on behalf of flag state. RSO is usually the classification society of the vessel.

Handling Ship security plan on board

Ship security plan is to be kept in a locker. If it is at an open location, it may lead to a non-conformity during PSC inspection or ISPS audit.

Master and SSO must not give access of SSP to any external party. Only Company security officer and person conducting security audit can be given access.

If any PSC inspector seeks access to SSP, this request should be politely rejected.

There may be situations where PSC inspector believes that there exists a security related non-conformance and only way to prove to him that this non-conformance does not exist is by showing him the SSP.

In these cases, Master / SSO can show only the SSP section that is required to prove the non-conformance as invalid.

2. Ship Security Assessment

Ship security assessment is the first step toward developing a security plan.

Let us say you have the responsibility to develop a ship security plan. There are many aspects you would like to explore.

You would like to ensure that your ship is not attacked. You have responsibility to ensure that unauthorised persons are not able to board your ship. how will you go about to achieve all this ?

You would probably want to identify all the access point of the ship. You may want to brainstorm and identify the possible ways your ship can be attacked. You may even want to assume yourself as an attacker and think of how you can gain access to the ship.

That is what ship security assessment is all about.

It is about identifying the applicable security scenarios for the ship. For example, will there be any security concern during cargo operation ? Are there any weaknesses in the ship security ?

Ship security assessment is a kind of risk assessment about the security of the ship.

Ship security assessment aims to answer these five questions.

• Is there any motive to attack the ship?
• Which are the key shipboard operations and areas that are prone to security incident
• Are there any existing security measures, procedures in place?
• What are ways ship can be attacked?
• What are the likelihood and consequences of such attack?

Ship security assessment forms the basis for development of ship security plan. It is the responsibility of the company security officer to conduct initial ship security assessment.

Here is an example of ship security assessment.

3. Ship security officer

ISPS code requires company to appoint a ship security officer. The crew member appointed as SSO must have done the security training required as per STCW.

The main duties of ship security officer is

• to implement and maintain all the elements of ship security plan and
• to liase with the company security officer and port facility security officer (PFSO) for all security related activities

It is quite obvious that to implement SSP on board, SSO must himself know about what SSP requires from SSO and ship’s crew.

For this reason, SSO must read the SSP thoroughly and preferably make notes of key points specific to SSP of the ship he must know at all times.

For example SSO must know

• percentage of baggage gangway watch need to check at each security level
• Procedure to follow if any unaccompanied baggage is found on board
• Restricted areas as per SSP
• Security equipments on board and what maintenance is required for these
• Procedure and required interval for testing of ship security alert system

One of the important duty of SSO is to review the ship security plan. The idea for review is to make the SSP robust over the time. SSO has to look for shortcomings in the SSP and point these out in the SSP review.

Some companies may have a quick checklist for review of ship security plan. Even if there is no checklist, SSO can review the SSP to best of his capacity.

For example, SSO may find that an access which should be a restricted area is not designated as restricted area in the SSP.

He may find that there are no clear instructions if the port security personnel with weapons can be allowed on board or not.

Whatever the SSO feel should include in the SSP which isn’t included, he can mention that in his SSP review.

4. Company Security Officer

ISPS code also requires company to appoint a company security officer. The main duties of the company security officer is to

• Carry out ship security assessment
• Develop ship security plan and submit it for approval
• ensure efficient implementation of SSP on board

One of the important duty of CSO is to share regular security information to the SSO and ship.

5. Security levels

ISPS code has set three security levels.

• Security Level 1
• Security Level 2
• Security Level 3

Security level 1 requires minimum security measures and is the normal security level all ships and ports are supposed to operate.

security level 3 requires most stringent security measures.

Security level 3 is set only in exceptional circumstances when there is a credible information about a probable or imminent security incident.

There is this one frequently asked question related to security levels. The question is “Who decides the security level on board” ?

Who decides the security levels on board?

When the ship is at sea, Security level is set by the flag state of the vessel. Flag state may not instruct the ship directly but may do so through CSO.

CSO will forward the message from the flag state to the applicable ships to change the security level. SSO need to acknowledge the mail for instructions to change the security level and confirm to CSO when the security level is changed.

At port, vessel need to have same security level as the port. Before arrival, agent gives all the security details of the port and also advises the security level of the ship.

If the security level of the port is higher than the ship, the ship must increase the security level to same as the port.

Now there may be instances where security level of ship is higher than the port it is calling. In this case, SSO should consult CSO. CSO may advise to decrease the level of the ship without downgrading the security measures.

This means that in this case, the ship will have lower security level but will have same security measures that are required as per higher security level in SSP.

CSO after consultation with flag may advise to keep the higher security level. In this case, vessel must inform the port of its higher security level.

6. Declaration of security

As the name suggests, declaration of security is security related declaration between two parties. One of the party is own ship and other party can either be a port or another ship.

The question is when do we need Declaration of security and why do we need Declaration of security?

Let us answer the “when” part first.

The DoS is intended to be used in exceptional cases usually related to higher risk. These are the times when there is a need to reach an agreement between the port facility and the ship as to the security measures to be applied.

ISPS code requires each flag state to establish the requirements of the declaration of security.

But in general DOS need to be filled when

• Ship is operating at higher security level than the port it is calling
• Ship is operating at higher security level than the other ship it is doing operations with
• Ship is calling a port which do not have port facility security plan. This will be the case when port is in a country that has not ratified ISPS code
• Ship is doing operations with a ship the flag of which has not ratified the ISPS code and thus do not have an approved ship security plan

Another question is why do we need to fill DOS. As you would notice in above situations that the ship is either at higher security level or is dealing with port or ship that does not comply with ISPS code.

In first case, we need to make sure that ship’s higher security level is efficiently conveyed to the port or ship it is dealing with. Also as the port or other ship is at lower level, we would want to know what security duties the port and ship will be performing.

For example we need to get the declaration from other ship that they will monitor the areas around their ship and restrict the access to their ship.

In the second case where port or ship is not ISPS compliant, we need to make joint declaration that the port or other ship will perform some of the security duties as per declaration of security.

Many ships or companies requires DOS to be completed at every port & ship operation. This is not required and in doing so we are just wasting paper and energy on something that is grossly unnecessary.

7. Security drills and exercises

Company is required to devise a security drill planner which should cover all the security situations.

These drills may include situations like

• Bomb threat at port / at sea
• change in security level
• Stowaway or Bomb search

The whole idea of these drills and exercises is to test the effectiveness of ISPS code implementation. These drills should aim to identify the gaps between expected outcomes and actual performance.

SSO should maintain the records of all the security drill carried out on board.

8. International ship security certificate

International ship security certificate is a statutory certificate. ISPS code applies to all ships over 500 GRT. ISPS code requires these ships to have a valid “International ship security certificate”.

But how can a ship get “International ship security certificate (ISSC)?

A new building ship or the ship that changes flag or class will get an interim ISSC. The interim ISSC will be issued after verification by flag state or RSO (usually class) that all the elements of SSP are implemented on board.

The interim ISSC is valid for six months.

A full term ISSC is issued

• after SSP has been implemented for at least 30 day
• A successful ISPS audit has been conducted by the flag or RSO on behalf of flag

The full term ISSC is valid for 5 years subject to intermediate verification and endorsement by flag or RSO on behalf of flag.

9. Ship Security Alert system

One of the main security equipment on board required by ISPS code is ship security alert system.

There needs to be a minimum of two security buttons that can initiate SSAS. One of these buttons should be on the wheel house of the ship.

Generally, when a SSAS button is pressed, the alert goes to the Flag state and the CSO. But some flag state may require that alert is only received by the CSO.

Ship security alert system (SSAS) must be tested at least annually.

The test procedure is given in the SSP.  SSO must know this procedure of testing.

Conclusion

ISPS code may not have been able to put an end to the security incidents around the world. But it has surely given a framework for deterrence in the security issues around the world.

This deterrence will only be effective if we know and implement all the elements of ISPS code effectively.