Basic ISPS Code

Course

The International Ship

and Port Facility
Security (ISPS) Code
and
SOLAS Amendments
2002
 TABLE of CONTENTS

Contents Page

z Introduction to ISPS Code 1

z ISPS Code Principle 9

z Risk Management 15

z Introduction to Ship Security Plan (SSP) 18

z Introduction to Ship Security Assessment (SSA) 25

z ISPS as Ship Security Management System 29

z Rules and Regulations 35

z Responsibility and Authority 53

Introduction to ISPS Code
- MARITIME SECURITY

Background

Over the past 20 years there have been many significant reported terrorist acts. Of those
listed below it can be seen that only a small proportion has been directed towards
maritime targets, with relatively small loss of life and impact on the industry as a whole.
The issue of security is a topic of great concern. For some time now, administrations
world-wide have been addressing this problem and have been busy developing plans and
actions for early implementation.
In many areas of the world, the standard of security has already risen significantly. For
some seafarers security incidents may seem to originate in remote corners of the globe
and appear distant or irrelevant. But, the problems of security in general and maritime
security are relevant. Here are just a few:

Terrorism

Achille Lauro, 1985

Four heavily armed Palestinian terrorists
hijacked the Italian cruise-ship Achille
Lauro carrying more than 400 passengers
and crew off the coast of Syria. The
hijackers demanded that Israel free 50
Palestinian prisoners.
When the Israelis refused, the terrorists
shot a disabled American tourist, 69 year
old Leon Klinghoffer, and threw his body
overboard with his wheelchair. It was later
established that the ship was not in fact
the intended target.
The four men were en-route to perform
acts of terrorism against an oil installation
in Ashdod, Isreal, when they were discovered cleaning their weapons by a steward

1
USS Cole, 2000

AI-Qa'ida brought a small explosives laden

boat near the American destroyer USS
Cole at anchor in Yemen.
The explosives were detonated in a
suicide attack killing 17 and injuring 42
members of the Cole's crew

Limburg, 2002

The French VLCC Limburg carrying 158,000

tonnes of crude oil was attacked off the coast
of Yemen by a small boat laden with
explosives and manned by suicide bombers.
The explosives were detonated as the boat
drew near, resulting in a large hole and an
intense oil

Karine A, 2002

Terrorists also use vessels to transport

weapons
A typical example, on 3 January 2002,
Israeli commandos seized the 4,000-tonne
freighter Karine A.
The ship was seized in the Red Sea, 300
miles from the Israeli coast and was found
to be carrying katyusha rockets, tank
missiles, mortars, mines, explosives, sniper
rifles, shotguns, zodiac boats, diving
cylinders and other diving equipment.

2
Baltic Sky, 2003
23 June 2003, Greek Special Forces seized a
ship found to be carrying 680 tonnes of
explosives and apparently bound for Africa.
The shipment of explosives is so large that it
may have been intended for a government
rather than an organization.
Commandos boarded the Baltic Sky in
response to information from a foreign
agency. The ship is still being investigated.

In spite of heightened awareness and increased security efforts since 11 September,

2001, nations remain vulnerable to terrorist attacks. Terrorists have discovered that fear
and chaos is easily achieved through wide-scale attacks on infrastructures and other
economic targets that lead to civil strife, the ultimate goal being the collapse of societies.
Terrorism usually involves violence or the threat of violence by extremist groups seeking
to gain political objectives by other than democratic means.
Various types of bombs or bomb threats may be employed, or hijacking may be the
method by which the terrorist group hopes to make a statement. Increasingly terrorists
are acting in connection with extremist religious sects that promote suicidal behaviour.
The threat of maritime terrorism is therefore very real. The industry now recognizes that
terrorists are willing, able and equipped to conduct maritime terrorism, hence the drive for
international regulation of maritime security

3
Piracy

US Navy ship apprehends Somalian pirates, January 2006 (Photo courtesy of the US Navy)

Of increasing concern to the industry is the rise of violent pirate attacks against merchant
vessels. The problem is such that in 2005, after a series of incidents including a high
profile attack on a cruise ship by Somalian pirates, the IMO sought action from the United
Nation's Security Council.
In the past, modern pirates would flee from the vessel if disturbed. But in recent years the
trend is to use violence involving weapons. Of increasing concern to the industry is the
rise of violent pirate attacks against merchant vessels. The problem is such that in 2005,
after a series of incidents including a high profile attack on a cruise ship by Somalian
pirates, the IMO sought action from the United Nation's Security Council.
In the past, modern pirates would flee from the vessel if disturbed. But in recent years the
trend is to use violence involving weapons. The frequency of recorded worldwide attacks
tends to fluctuate, although they remain unacceptably high, as does the ferocity of
attacks. For example, the International Maritime Bureau's Piracy Reporting Centre,
reported 325 attacks in 2004 with 30 deaths. In 2005 attacks fell to 276, with no
confirmed deaths, although 440 crew members were taken hostage.
Attacks using automatic weapons are now common and in some areas, a daily occurrence.
The modern pirate will not hesitate in murdering an entire crew. A typical attack will last
around 30-40 minutes during which time the ship could well be out of control.
There are also many alarming accounts of 'ship jacking' involving large pirate mother-ships
in which a particular vessel and its cargo are targeted and taken. In such attacks the ships
crew are either killed or set adrift. The most common targets are food cargos of rice and
palm oil, or fuel cargo, which are easier to sell on. In such attacks, the cargos are often
stolen to order.

4
International security legislation, although very much driven by the threat of terrorism, will
assist in the fight against piracy.

1985 Achille Lauro hijack

1988 Pan Am Flight 103

1993 Mumbai bomb blasts

1993 World trade centre bombing

1998 Petro Ranger hijacking

1999 Alondra Rainbow hijacking

2000 USS Cole bomb attack

2001 Inabukwa hijacking

2001 World Trade Centre

Pentagon attacks

2002 Han Wei hijackings

2002 limburg bomb attack

2002 Bali bombings

2003 Saudi Arabia bombings

2003 Mumbai bombings

5
The International Ship and Port Facility Security (ISPS) Code
and SOLAS Amendments 2002

History
The International Ship and Port Facility Security
(ISPS) Code represents the culmination of just over
a year's intense work by the IMO's Maritime Safety
Committee (MSC) and its Maritime Security Working
Group (MSWG).
The process of developing the ISPS Code was
initiated in November 2001 when the 22nd session
of the Assembly adopted resolution A.924(22) on
the review of measures and procedures to prevent
acts of terrorism, which threaten the security of
passengers and crews, and the safety of ships.
The ISPS Code was adopted by a resolution on 12
December 2002 by the conference of Contracting
Governments to the SOLAS convention.
Another resolution also includes the necessary
amendments to chapters V (Safety of Navigation) and XI (Special Measures to Enhance
Maritime Safety) of SOLAS by which compliance with the ISPS Code became mandatory on
1 July 2004
The existing chapter XI (Special measures to enhance maritime safety) of SOLAS was
amended and re-identified as chapter XI-1 and a new chapter, XI-2 (Special measures to
enhance maritime security) was adopted.
It is perhaps little appreciated that these are not the first attempts made to minimize or
control threats to security in maritime transportation; The IMO has adopted a number of
resolutions and conventions as shown below

1983 Resolution A.545(13). Measures to prevent acts of piracy and armed robbery
against ships

1985 Resolution A.545(14). Measures to prevent unlawful acts that threaten safety
of ships and security of passengers

1986 MSC/Circ.443, Measures to prevent unlawful acts against passengers and crew
on board ships

6
 1988 Convention for the suppression of unlawful acts against passengers and crew
on board ships

2001 Following the terrorist attacks in New York and Washington DC on September
11, the 22nd session (Nov) of the IMO Assembly adopted resolution A.924(22)
on the review of measures and procedures to prevent acts of terrorism that
threaten the security of passengers and crews, and the safety of ships

2002 Feb - MSC ISWG on Maritime Security

May – MSC 75
Sept – MSC ISWG on Maritime Security
Dec – MSC 76 and Diplomatic Conference
The ISPS Code was adopted by the resolution on 12 December by the
conference of Contracting Governments to the SOLAS Convention

2003 MSC 77

2004 Jan – It will be deemed accepted

July – Enters into force
The ISPS Code became mandatory on 1 July 2004

What is the ISPS Code?

The International Maritime Organization’s (IMO)

Diplomatic Conference of December 2002
adopted new Regulations to enhance maritime
security through amendments to SOLAS
Chapters V and XI. Chapter XI, previously
covering ship safety has been split into two new
chapters, XI-1 and XI-2.
Chapter XI-1, Special Measures to Enhance
Maritime Safety, has been enhanced to include
additional requirements covering ship
identification numbers and carriage of a
Continuous Synopsis Record.
Chapter XI-2, Special Measures to Enhance Maritime Security, has been created and
includes a requirement for ships and companies to comply with the International Ship and
Port Facility Security (ISPS) Code.
The ISPS Code contains two Parts. Part A is mandatory, while Part B is recommendatory
and contains guidance for implementation of the Code.

7
The USCG has decreed that Part B of the Code will also be mandatory for all USA-flagged
ships and ships of other flags that trade with the United States. Chapter XI-2 also sets out
requirements for ship Security Alert Systems and control and compliance measures for
port states and contracting governments.
As well as the new Regulations in SOLAS Chapter XI-2, the Diplomatic Conference has
adopted amendments to extant SOLAS Regulations accelerating the implementation of the
requirement to fit Automatic Identification Systems (AIS) (Chapter V). The Diplomatic
Conference has also adopted a number of Conference Resolutions including technical co-
operation, and the co-operative work with the International Labour Organization and
World Customs Organization.
Review and amendment of certain of the new provisions regarding maritime security may
be required on completion of the work of these two organizations.
These requirements form a framework through which ships and port facilities can co-
operate to detect and deter acts which pose a threat to maritime security. The regulatory
provisions do not extend to the actual response to security incidents or to any necessary
clear-up activities after such an incident.
In summary the ISPS Code:
• enables the detection and deterrence of security threats within an international
framework
• establishes roles and responsibilities
• enables collection and exchange of security information
• provides a methodology for assessing security
• ensures that adequate security measures are in place.
It requires ship and port facility staff to:
• gather and assess information
• maintain communication protocols
• restrict access; prevent the introduction of unauthorized weapons, etc.
• provide the means to raise alarms put in place vessel and port security plans; and
ensure training and drills are conducted.
Maritime security is often portrayed as a complicated subject, so it is important
that the industry takes a practical, rather than a bureaucratic, approach.

8
The International Ship and Port Facility Security (ISPS) Code
Principles

ISPS terminology

Ship Security Plan (SSP)

A plan to ensure the application of measures on board the
ship, designed to protect persons on board, cargo, cargo
transport units, ship's stores or the ship from the risks of a
security incident.

Port Facility Security Plan (PFSP)

A plan to ensure the application of measures designed to
protect the port facility and ships, persons, cargo, cargo
transport units and ship's stores within the port facility
from the risks of a security incident.

Ship Security Officer (SSO)

The person on board the ship, accountable to the Master,
designated by the company as responsible for the security
of the ship, including implementation and maintenance of
the ship security plan, and for liaison with the company
security officer and port facility security officers.

Company Security Officer (CSO)

The person designated by the company for ensuring that a ship security assessment is
carried out; that a ship security plan is developed, submitted for approval, and
thereafter implemented and maintained, and for liaison with port facility security
officers and the ship security officer

Port Facility Security Officer (PFSO)

The person designated as responsible for the
development, implementation, revision and
maintenance of the port facility security plan,
and for liaison with the ship security officers and
company security officers.

Ship/port interface
The interactions that occur when a ship is directly and immediately affected by
actions involving the movement of persons, goods or the provisions of port
services to or from the ship.

9
Port Facility
The location, as determined by the Contracting Government or by the Designated
Authority, where the ship/port interface takes place. This includes areas such as
anchorages, waiting berths and approaches from seaward, as appropriate.

Designated Authority
The organization or the administration identified within the Contracting Government, as
responsible for ensuring the implementation of the provisions of SOLAS as amended
and pertaining to port facility security and ship/port interface, from the point of view of
the port facility.

Recognized Security Organization (RSO)

An organization with appropriate expertise in
security matters and with appropriate knowledge of
ship and port operations authorized to carry out an
assessment, verification, an approval or a
certification activity, required by SOLAS as
amended or by Part A of the ISPS Code.

Declaration of Security (DOS)

An agreement reached between a ship and either a
port facility or another ship with which it interfaces,
specifying the security measures each will
implement

Ship Security Assessment (SSA)

An essential and integral part of the process of developing and updating the ship
security plan including, at least, identification of existing security measures; procedures
and operations; identification and evaluation of key shipboard operations that it is
important to protect; identification of possible threats and weaknesses in the
infrastructure; policies and procedures.

On-scene Security Survey (OSSS)

An integral part of the ship security assessment
to examine and evaluate existing shipboard
protective measures, procedures and
operations.

Security Level 1
Minimum appropriate protective security
measures shall be maintained at all times.

10
Security Level 2
Appropriate additional protective security measures shall be maintained for a period
of time as a result of a heightened risk of a security incident

Security Level 3
Further specific protective security measures shall be maintained for a limited period of
time when a security incident is probable or imminent.

11
Objectives of the ISPS Code

The ISPS Code is a part of SOLAS (International Convention for the Safety of Life at
Sea) produced by the IMO (International Maritime Organization). IMO is an UN
organization which deals with maritime matters throughout the world.
The objective of the ISPS Code is to establish an international framework through
which ships above 500 GT and Port Facilities can co-operate to detect security threats
in the maritime transport sector.
Following a number of attacks on ships and the events of 11th September 2001, the
IMO unanimously agreed to the development of new measures relating to the security
of ships and of port facilities.
Generally, the objectives of the ISPS Code are to establish an international framework
involving co-operation between contracting Governments, Government agencies, local
administrations and the shipping and port industries to:
• detect/asses security threats
• take preventive measures against security incidents affecting ships or port facilities
used in international trade;
• establish the respective roles and responsibilities of Contracting Governments,
Governments agencies, local administrations and the shipping and port industries, at
the national and international level, for ensuring maritime security;
• ensure the early and efficient collection and exchange of security-related
information;
• provide a methodology for security assessments so as to have in place plans and
procedures to react to changing security levels;
• ensure confidence that adequate and proportional maritime security measures are
in place.

Functional requirements of the Code

In order to achieve its objectives, this Code embodies a number of functional
requirements. These include, but are not limited to:
• gathering and assessing information with respect to security threats and exchanging
such information with appropriate Contracting Governments;
• requiring the maintenance of communication for ships and ports facilities;
• preventing unauthorized access to ships, port facilities and their restrictive areas;
• preventing the introduction of unauthorized weapons, incendiary devices to ships or
port facilities;
• providing means for raising the alarm in reaction to security threats or security
incidents;
• requiring ship and port facility security plans based upon security assessment;
requiring training drills and exercises to ensure familiarity with security plans and
procedures.

12
So, what does the ISPS Code mean for us?
• It is not wholly a specification
It does not tell us proscriptively what we must do - it tells us what we must
achieve., with some proscriptive parts
• It is a model- it does not require identical systems
It will vary from company to company and ship to ship, depending on the types and
sizes of ships, cargo types, and the crews
• A uniform level of care
To be achieved by the company, to protect the crew, the ship and, ultimately, the
port and surrounding areas from damage or loss through acts of theft, violence and
terrorism.

Administrations and Recognized Security Organizations

Administrations are responsible for the review and approval of the Ship Security Plan,
issuing the Continuous Synopsis Record (CSR). Administrations also set the security
levels for all ships entitled to fly their flag, and ensure those ships are provided with
security level information. In addition, Administrations provide a point of contact
through which ships operating in their territorial waters can request can request advice
or assistance, and to which ships can report security concerns.
However, Administrations may delegate any of the above tasks to a Recognised
Security Organization (RSO) with the exception of setting the security level. This task
cannot be delegated.
A Recognized Security Organization is an organization with "appropriate expertise in
security matters and with appropriate knowledge of ship and port operations
authorized to carry out an assessment, or a verification, on an approval or a
certification activity, required SOlAS Chapter XI or by part A of the ISPS Code".

ISPS Certificates
Once a ship security plan has been written and approved by the administration or RSO,
the plan may be implemented. The security measures included in the SSP should be in
place when the initial verification for compliance with the requirements of the Code is
carried out.
After the initial verification, and if all security measures and equipment are found
satisfactory, an International Ship Security Certificate (ISSG) is issued. This is then
renewed every 5 years, the renewal audit for which may be carried out up to three
months prior to the expiry date of the old certificate. In addition, an interim verification
audit must be carried out half way through the five year cycle, between years 2 and
three.
An interim ISSC may be issued for ships before they enter service or changing flag or
owner. Once the security assessment has been completed and the security plan has
been written and approved, an interim ISSC is issued until such time that the new
management system is operational and capable of undergoing initial verification (max
6 months)

13
 Ship Security Certificate

Initial Intermediate Renewal

Verification Verification (up to -3mths)
(minimum of one)

0 1 2 3 4 5
YEAR

Security

What is security? For many, having security means some or all of guards, cameras,
lights, barbed wire, locks, alarms, and may be guns and weapons.
However, no amount of equipment will provide security if the operators of that
equipment are not both well trained, and committed to their job. Similarly, security
staff, either on patrol of guarding an entry point need to be clear of what they are
doing, and why.
Similarly, the maintenance of essential equipment is vital. If deck lighting is an intrinsic
part of the security plan for your ship, then defective security lighting will compromise
that security. The security plan must always allow for defects as we are all aware that
equipment does break down or malfunction from time to time. The plan should allow
for redundancy of equipment to allow for defects.
This is why it is not sufficient to merely verify that the ship has security equipment.
This is why the ISPS Code is a management system rather than a set of proscriptive
rules concerning security equipment. The authors of the Code recognize that how
security is managed; how people are trained and motivated, how plans are executed,
how drills and exercises are run, is as important to the security of a ship as the quality
of the equipment.

14
Risk Management

What Is Risk?
There is no universally accepted definition of risk. Risk used to be about good and bad
outcomes of single events. However, in modern language, "risk" is now synonymous
with "danger".
It is not often referred to as such, but the development and implementation of a
documented management system is, essentially, an exercise in risk management. The
written procedures and work instructions are the means by which the controls are
applied to the risks associated with the company's processes and operations.

Risk Management
Risk management is defined in ISO8402 as: "The process whereby decisions are made
to accept a known or assessed risk and/or the implementation of actions to reduce the
consequences or probability of occurrence".
The process of risk management consists of four main activities:
• Hazard identification
• Risk assessment
• Risk control
• Performance monitoring

Hazard Identification
A hazard may be defined as "A substance, situation or practice that has the potential to
cause damage or personal injury".
When carrying out hazard identification, all hazards must be identified in a systematic
way, and should be carried out by, or with the assistance of, people with detailed
knowledge and experience of the activities. Where possible, it should be based on
observation in realistic conditions.

Risk Assessment
Risk is about uncertainty. Risk Assessment provides an estimation of risk, although it is
not a precise measure. The term "risk assessment" covers a whole range of activities
from the most detailed statistical analysis of the risks involved in the smallest details of
an activity, carried out by specialists (a full safety case), to a much less formal
qualitative assessment, by those familiar with the operation, of what could go wrong,
and what should be done to prevent it.
Risk is a function of:
• likelihood (probability or frequency)
The chance that the danger will result in damage or personal injury
• consequence (nature and severity)
The nature seriousness and extent of the damage or injury

15
 Likelihood Æ
Highly
Unlikely Likely
Consequence Unlikely
È

Extremely
Moderate Substantial Intolerable
Harmful

Harmful Tolerable Moderate Substantial

Slightly
Trivial Tolerable moderate
Harmful

The term "Risk assessments" covers a whole range of activities from the most detailed
statistical analysis of the risks involved in the smallest details of an activity, carried out
by specialists (a full safety case), to a much less formal qualitative assessment, by
those familiar with the operation, of what could go wrong, and what should be done to
prevent it.
Some larger companies employ specialist contractors to carry out detailed risk analyses
over many months; others rely on their own staff's professional knowledge, experience
and judgment.
The level of detail should be commensurate with the level of risk. A detailed
assessment from first principles and a cost/benefit analysis are not needed for every
activity or operation. In many cases, it will be sufficient to rely on a generic risk
assessment, or to comply with the appropriate industry guidance or code of practice.
Whatever the method employed, the principles are the same.
However, judgments made concerning the assessment, tolerability and control of risk
may be challenged later, and it will pay to document the assessment process
irrespective of its detail and degree of formality.

Risk Control
Once all risks have been identified and assessed, we can then begin the process of
controlling those risks - by implementing procedures or equipment that reduce either
the likelihood or consequence of the hazard, or both.

Performance Monitoring
Finally, an important part of risk management is performance monitoring; whether the
controls put in place are being used correctly, and, if they are, whether the risk has
been reduced sufficiently.

16
Bringing the Whole Process Together
Let us examine a simple example of a hazard, such as crossing a busy street:

Dangerous Activity Crossing a busy street

Hazard Speeding traffic

Likelihood High

Consequence Death or injury

Risk Factor High

Risk Control Use pedestrian crossing

Resultant Risk low

Any action taken - and money spent - must be commensurate with the risk (the
likelihood and possible consequence) and the degree to which the risk will be reduced
by the action.
For example, the installation of over-side lighting may deter attacks from the water
side when alongside. Patrols in a high speed craft would be more of a deterrent, but at
a much greater cost.
It is unrealistic to believe that security can be achieved at any cost. There comes a
point where all risk is eliminated only because the costs are so high that no commercial
benefit is to be gained from engaging in the activity.

17
The Ship Security Plan as an Element of the
Management System

Many people might consider the Ship Security Plan as the security management system.
However, it should be regarded as merely an element of a management system, in the
same way safety procedures are just an element of a safety management system.
The ship security plan tells us how this company and this ship will ensure the
requirements of both the ISPS Code and their flag administration will be met.
Most Ship Security Plans will follow a standard format, as below:

The Content of a Typical Ship Security Plan

1. Documentation
• Company Security Policy & Responsibilities
Security policy statement
This must state the company's objectives and how the objectives will be achieved

Master's authority statement

Must State what the Ships Master responsibilities & what he can authorise

Responsibility for crew hire

This information is available from the company office in electronic form, through the
ship management system from personnel Management Dept

Responsibility for Ships Employment

This information is available from the company office in electronic form through the ship
management system. Also see Continuous Synopsis Record (CSR)

Company Security Officers Responsibility

As per ISPS code Part A sec 11

18
Ship Security Officers Responsibilitv
As per ISPS code Part A sec 12

Authority to enter into a DOS

This will state who from the ship is allowed to enter into a DOS

• Company security organisations diagram

• Ship current employment
This section should contain information on the ship's current employment, charter
details, trade patterns, and common cargoes

• Contact list/details
This information may be held in electronic form on the ship's management system. The
contact details required include the name, company, and contact details of the Company
Security Officer, Ship Security Officer, and the company's security manager.

• Records
The following requirements are as per the ISPS Code. However, many flag
administrations have more stringent requirements concerning the retention of records,
and should be consulted when updating this section of the SSP.

Previous DOS
Records of the previous 10 port/ship or ship/ship interactions must be kept on board,
including ODS where appropriate.

Security Drills and Exercises

All security drills and exercises carried out by the ship and crew must be documented,
reviewed and retained. This may be in Electronic form or as an entry into the ship's log.
A copy should be sent to the CSO. Drills should be conducted every 3 months or where
more than 25% of the ship's personnel has changed since the previous drill. Exercises
should be conducted once each calendar year with no more than18 months between
Exercises.

Security Training
All Security Training carried out by the crew in the form of courses, on-the-job training,
awareness lectures or presentations and any accredited qualifications held by the crew
must be documented and retained in electronic form or hard copy. A copy should be
sent to the CSO.

19
Audits (internal & External)
Audits carried out on board must be documented, reviewed and retained in electronic
form or hard copy. A copy should be sent to the CSO.

Previous Assessments & Proposed Amendments

All previous Assessments and proposed amendments to the ship security plan resulting
from ongoing assessments, drills, exercises and audits (or a security incident) must be
documented, reviewed and retained in electronic form or hard copy .
A copy should be sent to the CSO.

Approved Amendments
Once amendments have been approved by the administration or their RSO, they are to
be inserted in to the relevant section of the security plan and a copy must be retained
within the records.

Security Reports (Incidents and Reports)

All security status reports made by the ships crew while carrying out normal watch /
handover duties, or in the event of a security incident, must be documented, reviewed
and retained. This includes instructions to change the ship's security level and the ship's
acknowledgement of that instruction.

Maintenance of Security Equipment

Ihe inspection, testing, calibration and maintenance of all security equipment must be
recorded. This should include date last tested/calibrated and date for next
tesUcalibration. Details of faults and details of repairs should also be documented.

2. Declaration of security

3. Ships general arrangement

A copy of the ship's general arrangement should be marked up showing the location of
security equipment, and restricted areas and access points (see over):

20
4. Ship access
Access information should also be marked on the GA and documented in the relevant
section of the plan, each door or entry point having an 10 number. Access could be
divided into two separate categories; boarding access and internal access:

Boarding
Mooring lines; anchor chains; pilot ladders/jacob's ladders; gangways; ramps; cranes;
hoists; intake hoses; discharge hoses

Internal
Doors; ramps; emergency hatches; escape hatches; cargo hatches; cargo doors; cargo
ports; ports / scuttles

5. Restricted areas
A definition of Restricted Areas is to be found in the United States Coast Guard
Navigation and Vessel Inspection Circular (NAVIC) 10-02: "Spaces that are essential to
the operation, control, or safety of the vessel".
Restricted areas are locations on a ship that only authorized personnel should have
access to. They are areas in which significant damage could be done to the ship or to
anything in the proximity of the ship. In order to assist in the monitoring of restricted
areas and to ensure that only authorized persons have access, it is recommended that
the GA plan should show all restricted areas using colour-coding. This will allow security
personnel to locate and identify restricted areas easily and simply.

6. Emergency evacuation routes

Emergency evacuation routes may well have to be different at different security levels,
to take account of any sealed access points. Where possible this information should be
shown on the GA plan.

7. Security hardware
The locations & coverage of security and surveillance hardware should be marked on the
ships General Arrangement plan. This information should include cameras, alarm
activation points (not the Ship Security Alert System activation points), alarm sounders,
sensors, security lighting, key pad entry points, and electronic card entry (swipe card)
points.

21
8. Threat evaluation & risk assessment
It is generally accepted that risk-based decision-making is one of the best tools to
complete a security assessment and to determine appropriate security measures for a
vessel. Risk-based decision-making is a systematic and analytical process to consider the
likelihood that a security breach will endanger an asset, individual, or function and to
identify actions to reduce the vulnerability and mitigate the consequences of any
security breach.
The Ship Security Assessment (SSA) is a process that identifies weaknesses in physical
structures, personnel protection systems, processes, of other areas that may lead to a
security breach, and may suggest options to eliminate or mitigate those weaknesses.
For example a SSA might reveal weaknesses in an organization’s security system or
unprotected access points, such as the pilot ladder not being raised, or side ports not
being secured or monitored after loading stores.
To mitigate a threat a ship could implement procedures to ensure that such access
points are secured and verified by some means. Another security enhancement might be
to place locking mechanisms and/or wire mesh on doors and windows that provide
access to restricted areas to prevent unauthorized personnel from entering such spaces.
Such assessments can identify vulnerabilities in vessel operations, personnel security,
and physical and technical security

9. On-scene security survey

The On-Scene Security Survey is an integral and essential part of the Ship Security
Assessment. The On-Scene Security Survey should examine and evaluate existing
shipboard protective measures, procedures and operations. The information is required
to produce a Ship Security Assessment SSA.

10. Communications
This section should include information on all forms of communication used for security
related matters, from the display of general and emergency procedures in prominent
locations, to identification, location and service records and procedures for the use of
the ship's internal communication system, hand held VHF’s, Inmarsat-C, emergency
alarms, telephones, telephone directory, emergency numbers etc.

11. Embarkation of persons & baggage

This section should include procedures for the embarkation of crew, contractors
(including ships agents and port officials), passengers, and visitors at each security level.

22
12. Handling of cargo & ship's stores
This section contains procedures for the supervising and handling of cargo and ship's
stores at each security level. The handling of cargo and stores will be greatly effected by
the security level at which the ship and port are operating. All existing safety procedures
and responsibilities must still be followed.

13. Monitoring ship security

Monitoring of the ships deck areas and areas surrounding the ship should be conducted
while the ship is on passage through or in a high-risk security area, at anchor, and in
port.
The level of monitoring will depend on security level on the ship, the security level set
by the Contracting government of the port the ship is due to visit. The level of
monitoring will also be at the CSO and SSO's discretion, if they have received
information regarding a threat or security risk to the ship.

14. Contingency plans

Contingency plans are not normal operating procedures for how to carry out a task or
role at a particular security level. They are instructions on what to do if the SSP has not
been successful in preventing a security breach. The topics of the contingency plans will
depend on the findings of the risk assessment, but, as a minimum, they should address:
Actions on bomb threat
Establishing a search plan
Actions on searching the ship
Action on a breach of security
Actions on finding a suspicious device or package
Action on weapons/explosives discovered onboard
Action on a suspect boat approaching the ship
Action on hijacking or hostile boarding

15. Ship Security Procedures

Form a part of the Ship Security Plan
The Ship Security Plan should contain all security related procedures for ease of
reference.

23
Maintenance and Amendments to the Ship Security Plan
The Administration shall determine which changes to an approved ship security plan or to any
security equipment specified in an approved plan shall not be implemented unless the relevant
amendments to the plan are approved by the Administration. Any such changes shall be at least
as effective as those measures prescribed in chapter XI-2 and this part of the Code. The nature
of the changes to the ship security plan or the security equipment that have been specifically
approved by the Administration, pursuant to section 9.5, shall be documented in a manner that
clearly indicates such approval. This approval shall be available on board and shall be presented
together with the International Ship Security Certificate [(or the Interim International Ship
Security Certificate)]. If these changes are temporary, once the original approved measures or
equipment are reinstated, this documentation no longer needs to be retained by the ship.
The plan may be kept in an electronic format. In such a case, it shall be protected by procedures
aimed at preventing its unauthorized deletion, destruction or amendment.

Confidentiality
The plan shall be protected from unauthorized access or disclosure.
Ship security plans are not subject to inspection by officers duly authorized by a Contracting
Government to carry out control and compliance measures in accordance with regulation XI-2/9,
save in circumstances specified in section 9.8.1.
If the officers duly authorized by a Contracting Government have clear grounds to believe that
the ship is not in compliance with the requirements of chapter XI-2 or part A of this Code, and
the only means to verify or rectify the non-compliance is to review the relevant requirements of
the ship security plan, limited access to the specific sections of the plan relating to the non-
compliance is exceptionally allowed, but only with the consent of the Contracting Government of,
or the master of, the ship concerned. Nevertheless, the provisions in the plan relating to section
9.4 subsections .2, .4, .5, .7, .15, .17 and .18 of this part of the Code are considered as
confidential information, and cannot be subject to inspection unless otherwise agreed by the
Contracting Governments concerned.

24
Ship Security Assessment (SSA)

The ship security assessment is an essential and integral part of the process of developing
and updating the ship security plan.
An Assessment is a risk based decision-making tool. It is a systematic and analytical
process, which considers the likelihood and identifies actions to reduce and mitigate. Most
of you will have some experience already with carrying out Risk Assessments on your own
or Company vessels.
The Ship Security Assessment considers the likelihood of a security breach and then
identifies actions to reduce vulnerability and mitigate the consequences of that breach.
The Ship Security Plan is based on the results of the Security Assessment. A Ship Security
Assessment can be produced in two ways.
1. Individual
• A Ship Security Assessment which will include the On-Scene Security Survey,
made for each ship.
2. Generic
• A Company may produce an assessment which covers the entire fleet. However,
an On-Scene Security Survey must be done for each ship individually since each
survey will be ship specific.

Conducting a Ship Security Assessment

Step 1
Obtain and record the following information required to conduct an assessment.
1. Ship and Company Documentation as detailed within Section 1(this should contain the
relevant information that will identify any contributing factors to be included in the Threat
Evaluation and Risk Assessment phase of the assessment).
2. Record and document the following information in detail:
Information Complete
Authorized access points as detailed within Section 4
Restricted areas as detailed within Section 5
Escape and Evacuation routes as detailed within Section 6
Existing Security Equipment/Systems as detailed within Section 7

25
3. A copy of the ships General Arrangement Plan annotated with the following information:
Information Complete
Authorized access points as detailed within Section 4
Restricted areas as detailed within Section 5
Escape and Evacuation routes as detailed within Section 6
Existing Security Equipment/Systems as detailed within Section 7
Once the above information has been compiled, this then becomes the relevant sections
within the ship security assessment.
This information is also copied into the relevant sections of the ships security plan.
Step 2
Conduct and document a detailed Threat Evaluation and Risk Assessment for the ship as
detailed within Section 8. This must include the Contributing Factors identified earlier in
Step 1.
Examine all the information gathered and assess for any weaknesses. Weaknesses should
be noted and addressed during the on-scene security survey.
Once these tasks have been completed, a copy is retained as the relevant sections within
the ship security assessment.
Step3
Conduct the On-Scene Security Survey, during which, all previous details and information
gathered about the ship must be confirmed and any weaknesses identified, as detailed
within Section 9.
Once this task has been completed a copy is retained as the relevant sections within the
ship security assessment.
Step 4
Once the On-Scene Security Survey has been completed, any amendments or additions
required to the information, procedures and measures documented in the previous steps
must be incorporated at this point.
Amendments and additions are to be documented and a copy retained within the On-
Scene Security Survey section of the ship security assessment.
A copy of all additions and amendments are also copied into the relevant sections of the
ship security plan.
Step 5
The ship security assessment is presented to the company for review and acceptance.
Once accepted and documented, the ship security plan can be finalised with any
amendments from the review.
Step 6
The ship security plan, accompanied by the assessment, is put forward for approval by the
Administration, or Recognised Security Organisation (RSO).

26
Producing a Ship Security Assessment

Contributing factors, trade

General Information about pattern, route, ports, flag,
ship cargo and company

Existing security measures,

equipment

Threat evaluation and risk

assessments

Assess weakness

On-scene security survey

Identify any weakness

Required amendments

Ship Security Assessment

to company for approval

Ship security Plan

27
The Company Security Officer shall ensure that the Ship Security Assessment (SSA) is
carried out by persons with appropriate skills to evaluate the security of the vessel. A
recognized security organization may carry out the ship security assessment of a specific
ship.
The SSA shall include an On-Scene Survey and at least the following elements:
• identification of existing security measures, procedures and operations
• identification and evaluation of key shipboard operations that should be
protected
• identification of possible threats to the key ship board operations and the
likelihood of their occurrence in order to establish and prioritize security
measures
• identification of weaknesses including human factors in the infrastructure,
policies and procedures
• shall be documented, reviewed accepted and retained by the Company
• must accompany the Ship Security Plan when put forward for approval
When the SSA is completed a report shall be prepared detailing:
• how the assessment was carried out
• description of any vulnerabilities found during the assessment
• description of counter measures that could be used to address each vulnerability
If the Company has not actually carried out the SSA then it must be documented that the
SSA has been reviewed and accepted and retained by the Company Security Officer
(CSO).
Each ship shall carry on board a ship security plan approved by the Administration. The
plan shall make provisions for the three security levels as defined in this part of the Code.
Subject to the provisions of section 9.2.1, a recognized security organization may prepare
the ship security plan for a specific ship.
The Administration may entrust the review and approval of ship security plans, or of
amendments to a previously approved plan, to recognized security organizations.
In such cases the recognized security organization, undertaking the review and approval
of a ship security plan, or its amendments, for a specific ship shall not have been involved
in either the preparation of the ship security assessment or of the ship security plan, or of
the amendments, under review.
The submission of a ship security plan or of amendments to a previously approved plan,
for approval shall be accompanied by the security assessment on the basis of which the
plans, or the amendments, have been developed.

28
The ISPS Code as a Management System

One definition of a system is a set of resources that have been brought together in an
organized and co-ordinate way to perform a particular function or to achieve a
specified outcome.
This includes the ship and its equipment, people, office staff, paperwork, methods of
communication, and so on.
Many people confuse the system with the system documentation. This leads to a very
narrow view of what is required, and concentration on the contents of the procedures
and instructions. The result is that the maintenance and improvement of the system
are seen as bureaucratic exercises, and the responsibility only of those who administer
it.

Management System Documentation

Too often, the system established to comply with the requirements of the ISPS Code is
seen as something to be implemented and administered in addition to the conduct of
the company's normal operations. It is regarded as a set of additional bureaucratic
tasks that have an existence and a purpose separate from that of the "normal”
activities of the company and its ships. In fact, the management system is nothing
more than a means of organizing and controlling what the company already does. It
must be a fundamental and natural part of the way in which the company operates.
A well designed and controlled documented system, effectively implemented, is
essential in clarifying and communicating the company's requirements, establishing
and maintaining lines of communication, establishing and clarifying responsibilities and
authorities, and in developing a safety culture.
The documentation describes these resources, how they are organized, how they
operate, and how they interact. It will also describe the outputs and the records that
are generated.

The Elements of a (Security) Management System

The proliferation of management standards has led some people to believe that
"quality management", "security management" and "safety management" are new
concepts that have suddenly become fashionable in recent years. In fact, the principles
upon which codes and standards such as the ISM Code and ISO 9000 are based are as
old as commerce itself, and have been fundamental to the operation of successful
companies since people first started bringing together and organizing resources to
make a product or provide a service.
In simple terms, any management system, whether it is ISPS, ISM, or ISO, should
conform to the following three life-cycle "phases":
1. The policy (objectives and commitment)
2. The identification, allocation & organization of resources
3. The systematic planning and control of operations & emergency
responses
4. The measurement, analysis & continual improvement of the system's
performance
29
All that these codes and standards do is formalize those principles, and provide a
model for implementing them.

The Goals of a Security Management System

What a Security Management System Does and Does Not Provide.

A security management system provides:
1. Confidence that the company is complying with security
requirements.
2. Systematic planning and implementation of activities and operations.
3. Evidence of the application of controls with respect to security.
4. Corrective action to prevent the repetition of problems.
However, a security management system does not provide a guarantee that there will
never be an incident or technical defect.
To most of us, this may appear obvious, but there is an implication in the attitude of
many in the industry, and the press, that certification is some kind of guarantee that
there will be no more incidents or technical defects or security breaches. There
appears to be a belief that an incident or technical defects or security breach is, per se,
irrefutable evidence of the failure of the security plan.
This attitude reflects a fundamental lack of understanding of the purpose, scope and
limitations of all management systems - and the audit process - (a management
system audit is not a technical inspection).
By the inclusion of clauses concerning actions in the event of a security incident (Part
A; 9.4.4), the Code itself recognizes that, where there is risk, eventually something will
go wrong. When it does, it is the job of the management system to respond in a way
that minimizes the consequences.

Documenting a Management System

Why are so many people so fearful of paperwork? The most likely reasons are that the
paperwork is badly designed (and therefore cumbersome, time-consuming and difficult
to use), and that it often becomes an end in itself, or it is perceived as an unnecessary
part of the job, rather than a tool to facilitate the achievement of an objective.
It is important to remember that the issue of a certificate means that the plan, and
system as a whole, meets the requirements of the ISPS Code. It is not a guarantee
that it does so in the most efficient and least irksome way possible. Some very over-
blown and inefficient plans have received ISPS certificates!
The more concise a document, the more likely people are to read it, and the easier it
will be to understand. Flow charts and well-designed forms and checklists can do much
to reduce the number and size of the procedures.
The administration of the system will inevitably mean some additional tasks (the
conduct of internal audits and system reviews, for example).

30
The benefits of a formal, documented system are:
• It is a means of communication and clarification.
• It increases consistency in the conduct of operations and other
activities It is independent of the people engaged in the activities, and
permits continuity
• It facilitates the audit of the system
• It assists in the training of the personnel It is a record of good practice
• It assists in the management of change It is a requirement of the code

Designing the Documentation

The design and drafting of instructions, forms and checklists is not as easy as it may
first appear, and requires much thought and care. If done well, it will make life simpler,
easier and safer. The introduction of the management system should not lead to a
large and unacceptable bureaucratic burden. If it does, then the system has been
badly designed, and should be reviewed.

Documents and Records

Management system documentation controls the activities
The activities generate records:

Management System Documentation

Internal External

Ship Security Plan OBLIGATORY: BY REFERENCE:

Standing Orders ISPS Code, SOLAS, etc Technical Manuals
Flowcharts MSC Circ.1097 Standard Manuals
MSC Circ.1111
Checklist Industry Guidance
Flag State requirements
Forms etc

31
Document Control
Developing a document control process ensures:
• Availability of documents & amendments where needed
• Removal & storage or destruction of obsolete documents
• Proper review & approval of documents & amendments
• Accurate identification of documents & revision status
• Rules governing availability & use of uncontrolled documents
Many companies impose procedural requirements that are too strict or too demanding.
A documented procedure should contain sufficient information to allow a new
employee to comply with company specific requirements. Instructions for tasks with
which the employee will be familiar can be left out, so long as the minimum
qualifications for that role are specified, and those qualifications include the task in
question.
In other words;
What is necessary and useful, and what is unnecessary and impractical?

Record Keeping
Record keeping provides a database for the provision of management information, and
provides trails for audit and investigation purposes. It can be used as evidence of
compliance with requirements, and it is essential to continual improvement of the
system.
However, there are some important limitations to record keeping. It is vital to
distinguish between data and information. Information is generated from data, but
information should transmit the required facts and message in a clean and efficient
way. If the raw data is presented as information, then it is very difficult for your staff
to reach and digest the information they need for continual improvement.
It is important to resist the urge to maintain paper "comfort blankets". Decide what
records you need to maintain in order to help continuous improvement and to
demonstrate compliance with the Code - unnecessary information will make the
management system overly complex and harder work to maintain.

Using Documentation and Records as Evidence

Common sense suggests that, in the event of an inquiry following an accident, two of
the first questions to be asked must be:
i) How did your security management system attempt to prevent the incident
occurring in the first place?
and
ii) Given that the incident did occur, how did your security management system
respond in order to minimize the consequences?
It should be remembered that in the event of an incident, evidence will be available to
show that a company exercised due diligence - or vice versa. The delegation of certain
activities to suppliers and sub-contractors does not relieve the company of the
responsibilities imposed by the code.

32
Most importantly, the company must be aware of the dangers of including
requirements that are too strict or too demanding in its security management system.
All requirements of the system must be able to be implemented at all times.
In an investigation, if it is found that the management system in place has not been
followed, the management system may be inspected to see whether it was designed
well enough that it could be followed.
Anyone developing, maintaining or auditing management systems to the ISPS Code
would do well to bear this in mind as the possible ultimate test of their work.

The Impact of the Code

The ISPS regime is, in effect, one of self-regulation, subject to external monitoring.
The external auditor's job is to verify that a documented system exists, that it is in
place, that it is understood by those who operate it, and that, at the time of the audit,
sufficient objective evidence exists to demonstrate that it is being implemented
effectively. Certification implies nothing more than that.

Maintenance of the System

Having obtained certification following initial verification, most companies probably feel
that they now know exactly what to expect from a security management system audit.
However, if an auditor is doing their job properly, the emphasis during the audit of a
more mature system will be quite different from that of an initial or early verification
audit.
The purpose of an initial audit is to establish that a system exists that complies with
the requirements of the ISPS Code, that it is understood by those who must operate it,
and that it is being implemented. In most cases, the records are sufficient only to
demonstrate that such a system is in operation.
Furthermore, experience has shown that the first audits after certification do little more
than reassure us that there has been no relaxation in the implementation of the
system after the considerable effort involved in putting it into place, or as a result of
the sense of relief that naturally follows the successful completion of the certification
process.
It would be unfair to many of the companies who have achieved certification to say
that these first audits do no more than establish the minimum compliance necessary to
achieve certification. Nevertheless, in the long term, and if the Code is to have the
impact that we believe it could have, that is how they must come to be seen. The
focus of a future audit of a more mature system must be quite different from that of
an initial verification.
The system must be "alive", and must adapt to the changing requirements of the
company, changes to routes and cargoes, developments in technology and operational
practice, and changes in the regulatory environment in which it operates and identified
threats. The system is maintained by a process of continual improvement.
The auditor's emphasis will also change with time. What they will be looking for,
essentially, is continual improvement. What parts of the system, its operation and its
output will receive more attention in the future, and how will this lead to changes in
the system itself?

33
Continuous Improvement
"Continual improvement" does not mean simply getting better and better (though a
system incapable of improvement is hard to imagine). It also refers to the need to
adapt to changes in the organization, the regulatory environment, the technology,
working practices, threats, and so on.

Implementation
Shipboard operations
Drills and exercises
Recruitment & training, etc

Planning Feedback
Resources Internal audits
Responsibilities & authorities Management review
Risk assessment Accident reports
Corrective action, etc Non-conformities, etc

Analysis

Any management system must undergo a review and improvement cycle (above) on a
regular basis. It is this cycle that leads to continuous improvement of the system,
through implementation, feedback, analysis and planning. However, it should be
remembered that the flag administration may require certain changes to certain parts
of the SSP to be approved by them prior to implementation (ISPS Code Part A9.5) -
Please consult your flag administration for more information.

34
Rules & Regulations

Amendments to SOLAS
The Conference adopted a series of Amendments to the 1974 SOLAS Convention, aimed
at enhancing maritime security on board ships and at ship/port interface areas. Among
other things, these amendments create a new SOLAS chapter dealing specifically with
maritime security, which in turn contains the mandatory requirement for ships to comply
with the ISPS Code.
Modifications to Chapter V (Safety of Navigation) contain a new timetable for the
fitting of Automatic Information Systems (AIS). Ships, other than passenger ships and
tankers, of 300 gross tonnage and upwards but less than 50,000 gross tonnage, will be
required to fit AIS not later than the first safety equipment survey after 1 July 2004 or by
31 December 2004, whichever occurs earlier. Ships fitted with AIS shall maintain AIS in
operation at all times except where international agreements, rules or standards provide
for the protection of navigational information."
The existing SOLAS Chapter XI (Special measures to enhance maritime safety)
has been re-numbered as Chapter XI-1. Regulation XI-1/3 is modified to require ships'
identification numbers to be permanently marked in a visible place either on the ship's hull
or superstructure. Passenger ships should carry the marking on a horizontal surface visible
from the air. Ships should also be marked with their ID numbers internally.
And a new regulation XI-1/5 requires ships to be issued with a Continuous Synopsis
Record (CSR) which is intended to provide an on-board record of the history of the ship.
The CSR shall be issued by the Administration and shall contain information such as the
name of the ship and of the State whose flag the ship is entitled to fly, the date on which
the ship was registered with that State, the ship's identification number, the port at which
the ship is registered and the name of the registered owner(s) and their registered
address. Any changes shall be recorded in the CSR so as to provide updated and current
information together with the history of the changes.

New Chapter XI-2 (Special measures to enhance maritime security).

A brand-new Chapter XI-2 (Special measures to enhance maritime security) is added after
the renumbered Chapter XI-1.
This chapter applies to passenger ships and cargo ships of 500 gross tonnage and
upwards, including high speed craft, mobile offshore drilling units and port facilities
serving such ships engaged on international voyages.
Regulation XI-2/3 of the new chapter enshrines the International Ship and Port Facilities
Security Code (ISPS Code). Part A of this Code will become mandatory and part B contains
guidance as to how best to comply with the mandatory requirements.
The regulation requires Administrations to set security levels and ensure the provision of
security level information to ships entitled to fly their flag. Prior to entering a port, or
whilst in a port, within the territory of a Contracting Government, a ship shall comply with
the requirements for the security level set by that Contracting Government, if that security
level is higher than the security level set by the Administration for that ship.

35
Regulation XI-2/4 confirms the role of the Master in exercising his professional judgment
over decisions necessary to maintain the security of the ship. It says he shall not be
constrained by the Company, the charterer or any other person in this respect.
Regulation XI-2/5 requires all ships to be provided with a ship security alert system,
according to a strict timetable that will see most vessels fitted by 2004 and the remainder
by 2006. When activated the ship security alert system shall initiate and transmit a ship-
to-shore security alert to a competent authority designated by the Administration,
identifying the ship, its location and indicating that the security of the ship is under threat
or it has been compromised. The system will not raise any alarm on-board the ship. The
ship security alert system shall be capable of being activated from the navigation bridge
and in at least one other location.
Regulation XI-2/6 covers requirements for port facilities, providing among other things for
Contracting Governments to ensure that port facility security assessments are carried out
and that port facility security plans are developed, implemented and reviewed in
accordance with the ISPS Code.
Other regulations in this chapter cover the provision of information to IMO, the control of
ships in port, (including measures such as the delay, detention, restriction of operations
including movement within the port, or expulsion of a ship from port), and the specific
responsibility of Companies.

Resolutions adopted by the conference

The conference adopted 11 resolutions, the main points of which are outlined below.

Conference resolution 1 (Adoption of amendments to the annex to the

international convention for the safety of life at sea, 1974, as amended),
determines that the amendments shall be deemed to have been accepted on 1 January
2004 (unless, prior to that date, more than one third of the Contracting Governments to
the Convention or Contracting Governments the combined merchant fleets of which
constitute not less than 50% of the gross tonnage of the world's merchant fleet, have
notified their objections to the amendments) and that the amendments would then enter
into force on 1 July 2004.

Conference resolution 2 (Adoption of the International Ship and Port Facility

Security (ISPS) Code) adopts the International Ship and Port Facility Security (ISPS)
Code, and invites Contracting Governments to the Convention to note that the ISPS Code
will take effect on 1 July 2004 upon entry into force of the new chapter XI-2 of the
Convention;

Conference resolution 3 (Further work by the international maritime

organization pertaining to the enhancement of maritime security) invites the
International Maritime Organization to develop, as a matter of urgency, training guidance
such as model courses for ship security officers, company security officers and port facility
security officers; performance standards for ship security alarms; performance standards
and guidelines for long-range ship identification and tracking systems; guidelines on

36
control of ships; and guidelines on "Recognized security organizations", and to adopt them
in time before the entry into force of the amendments to the Convention adopted by the
Conference.
Conference resolution 4 (Future amendments to Chapters XI-1 and XI-2 of the
1974 SOLAS Convention on special measures to enhance maritime safety and
security) recommends that future amendments to the provisions of chapters XI-1 and XI-
2 of the Convention should be adopted by either the Maritime Safety Committee of the
International Maritime Organization or by a Conference of Contracting Governments to the
Convention.

Conference resolution 5 (Promotion of technical co-operation and assistance)

strongly urges Contracting Governments to the Convention and Member States of the
Organization to provide, in co-operation with the Organization, assistance to those States
which have difficulty in meeting the requirements of the adopted amendments; and to use
the Integrated Technical Co-operation Program of the Organization as one of the main
instruments to obtain assistance in advancing effective implementation of, and compliance
with, the adopted amendments.
It also requests the Secretary-General of the Organization to make adequate provision,
within the Integrated Technical Co-operation Program, to strengthen further the
assistance that is already being provided and to ensure that the Organization is able to
address the future needs of developing countries for continued education and training and
the improvement of their maritime and port security infrastructure and measures; and
invites donors, international organizations and the shipping and port industry to contribute
financial, human and/or in-kind resources to the Integrated Technical Co-operation
Program of the Organization for its maritime and port security activities.
It also invites the Secretary General to give early consideration to establishing a Maritime
Security Trust Fund for the purpose of providing a dedicated source of financial support
for maritime security technical-co-operation activities and, in particular, for providing
support for national initiatives in developing countries to strengthen their maritime security
infrastructure and measures.

Conference resolution 6 (Early implementation of the special measures to

enhance maritime security) refers to the difficulties experienced during
implementation of the International Safety Management (ISM) Code and draws the
attention of Contracting Governments and the industry to the fact that chapter XI-2 of the
Convention does not provide for any extension of the implementation dates for the
introduction of the special measures concerned to enhance maritime security. It urges
Contracting Governments to take, as a matter of high priority, any action needed to
finalize as soon as possible any legislative or administrative arrangements, which are
required at the national level, to give effect to the requirements of the adopted
amendments to the Convention relating to the certification of ships entitled to fly their flag
or port facilities situated in their territory.
It also recommends that Contracting Governments and Administrations concerned
designate dates, in advance of the application date of 1 July 2004 by which requests for
certification should be submitted in order to allow for completion of the certification
process and for companies and port facilities to rectify any non-compliance. It also

37
recommends that Contracting Governments and the industry should take early appropriate
action to ensure that all necessary infrastructure is in place in time for the effective
implementation of the adopted measures to enhance maritime security on board ships and
ashore.

Conference resolution 7 (Establishment of appropriate measures to enhance

the security of ships, port facilities, mobile offshore drilling units on location
and fixed and floating platforms not covered by chapter XI-2 of the 1974
SOLAS Convention) invites Contracting Governments to establish, as they might
consider necessary, appropriate measures to enhance the security of ships and of port
facilities other than those covered by chapter XI-2 of the Convention; it also encourages
Contracting Governments to establish and disseminate, in an appropriate manner,
information to facilitate contact and liaison between company and ship security officers
and the authorities responsible for the security of port facilities not covered by Chapter XI-
2, prior to a ship entering, or anchoring off, such a port;

Conference resolution 8 (Enhancement of security in co-operation with the

International Labor Organization) invites the ILO to continue the development of a
Seafarers' Identity Document as a matter of urgency, which should cover, among other
things, a document for professional purposes; a verifiable security document; and a
certification information document, and invites IMO and the ILO to establish a joint
ILO/IMO Working Group to undertake more detailed work on comprehensive port security
requirements.

Conference resolution 9 (Enhancement of security in co-operation with the

World Customs Organization) invites the WCO to consider urgently measures to
enhance security throughout international closed CTU movements and requests the
Secretary-General of IMO to contribute expertise relating to maritime traffic to the
discussions at the WCO.

Conference resolution 10 (Early implementation of long-range ships'

identification and tracking) recalls that long-range identification and tracking of ships
at sea is a measure that fully contributes to the enhancement of the maritime and coastal
States security and notes that Inmarsat C polling is currently an appropriate system for
long-range identification and tracking of ships. It urges Governments to take, as a matter
of high priority, any action needed at national level to give effect to implementing and
beginning the long-range identification and tracking of ships and invites Contracting
Governments to encourage ships entitled to fly the flag of their State to take the
necessary measures so that they are prepared to respond automatically to Inmarsat C
polling, or to other available systems. It also requests Governments to consider all aspects
related to the introduction of long-range identification and tracking of ships, including its
potential for misuse as an aid to ship targeting and the need for confidentiality in respect
of the information so gathered.

38
Conference resolution 11 (Human element-related aspects and shore leave for
seafarers) urges Governments to take the human element, the need to afford special
protection to seafarers and the critical importance of shore leave into account when
implementing the provisions of chapter XI-2 of the Convention and the International Ship
and Port Facility (ISPS) Code. It also encourages Governments, Member States of IMO and
non-governmental organizations with consultative status at the Organization to report to
the Organization any instances where the human element has been adversely impacted by
the implementation of the provisions of chapter XI-2 of the Convention or the Code. It
also requests the IMO Secretary-General to bring to the attention of the Maritime Safety
Committee and the Facilitation Committee of the Organization, any human element related
problems, which have been communicated to the Organization as a result of the
implementation of chapter XI-2 of the Convention or the Code.

39
ISPS Code (International Ship and Port Facility Security Code)

SOLAS Chapter XI-2 (Special Measures to Enhance Maritime Security)

Regulation 1 Definition
Regulation 2 Application
Regulation 3 Obligations of Contracting Governments with respect to security
Regulation 4 Requirements for Companies and ships
Regulation 5 Specific responsibility of Companies
Regulation 6 Ship Security Alert System
Regulation 7 Threats to ships
Regulation 8 Master’s discretion for ship safety and security
Regulation 9 Control and compliance measures
.1 Control of ships in port
.2 Ships intending to enter a port of another Contracting Government
.3 Additional provisions
Regulation 10 Requirements for port facilities
Regulation 11 Alternative security agreements
Regulation 12 Equivalent arrangements
Regulation 13 Communication of information

Will be entered into force on 1 July 2004. All ship shall have International
Ship Security Certificate by 1 July 2004

Regulation 2 - Application
Ships engaged on international voyages:
• passenger ships, including high-speed passenger craft
• cargo ships, including high-speed craft of 500 gross tonnage and upwards; and
• mobile offshore drilling units
• port facilities serving such ships engaged on international voyages

40
Regulation 3 - Obligations of Contracting Governments with respect to
security
Administrations shall set security level
• to ships entitled to fly their flag
Contracting Governments shall set security level
• port facilities within their territory
• to ships prior to enter a port/whilst in port

Regulation 4 - Requirements for companies and ships

• Companies shall comply with the relevant requirements of this chapter and of Part A
• Ships shall comply with the relevant requirements of this chapter and of part A &
such compliance shall be verified and certified
• Ship shall comply with the requirements for the security level set by that Contracting
Government of the port, if such security level is higher than the security level set by
the Administration for that ship.

Regulation 5 - Specific responsibility of Companies

• Who is responsible for appointing crew members
• Who is responsible for deciding the employment of the ship
• Who is the party to Charter Party

Regulation 6 - Ship Security Alert System

• ships constructed on or after 1 July 2004;
• passenger ships (PHSC), constructed before 1 July 2004, not later than the first
survey of the radio installation after 1 July 2004;
• oil tankers, chemical tankers, gas carriers, bulk carriers and CHSC of 500 gross
tonnage and upwards constructed before [1 July 2004], not later than the first survey
of the radio installation after 1 July 2004;
• other cargo ships of 500 gross tonnage and upwards and MODU constructed before 1
July 2004, not later than the first survey of the radio installation after 1 July 2006
• initiate and transmit a ship-to-shore security alert to a competent authority
designated by the Administration,
o identifying the ship,
o its location
o security of the ship is under threat or it has been compromised;
• not send to any other ships;

41
• not raise on board the ship;
• continue until deactivated and/or reset;
• being activated from the navigation bridge and in at least one other location.
• Activating points shall be designed to prevent the inadvertent initiation
• may be complied with by using radio installation (Chapter IV)
• when received, Administration shall notify the nearby States

Regulation 7 - Threats to ships

Contracting Governments shall set security levels to ships;
• operating in their territorial sea
• having communicated an intention to enter their territorial sea

Regulation 8 - Master’s discretion for ship safety & security

Master shall not be constrained by;
• Company
• Charterer
from taking or executing any decision including
• denial of access to person or their effects
• reject to load cargo
o containers
o other CTU

Regulation 9 - Control and compliance measures

Section 9.1 - Control of ships in port
• Traditional PSC
Section 9.2 - Ships intending to enter a port of another Contracting Government
• New PSC concept
Section 9.3 - Additional provisions

42
Regulation 10 - Requirements for port facilities
Port facilities shall comply with the relevant requirements of this chapter and part A
Contracting Governments shall set security levels and ensure the provision of security
level information to port facilities and to ships prior to entering a port, or whilst in a port
Contracting Governments with port facility shall ensure that:
• port facility security assessments are;
o carried out
o reviewed
o approved
• port facility security plans are;
o developed
o reviewed
o approved
o implemented

Regulation 11 - Alternative security agreements

Contracting Government may conclude agreements with other Contracting Government;
• on alternative security arrangements
• covering short international voyages
• on fixed route

Regulation 12 - Equivalent security arrangements

Administration may allow implementing other security measures equivalent to ISPS Code
Contracting Government may allow implementing security measures equivalent to ISPS
Code

Regulation 13 - Communication of information

Contracting Government shall communicate to IMO not later than 1 July 2004;
• national authority responsible for the security of;
o ship
o port facility
• who shall receive/act upon the security alert
• authorized RSO
• list showing the approved PFSP

43
ISPS Code Part A

Section 1 General
1.1 Introduction
1.2 Objectives
1.3 Functional requirements
Section 2 Definitions
Section 3 Application
Section 4 Responsibilities of Contracting Governments
Section 5 Declaration of Security
Section 6 Obligations of the Company
Section 7 Ship Security
Section 8 Ship Security Assessment (SSA)
Section 9 Ship Security Plan (SSP)
Section 10 Records
Section 11 Company Security Officer (CSO)
Section 12 Ship Security Officer (SSO)
Section 13 Training, Drills and Exercises on Ship Security
Section 14 Port Facility Security
Section 15 Port Facility Security Assessment
Section 16 Port Facility Security Plan
Section 17 Port Facility Security Officer
Section 18 Training, Drills and Exercises on Port Facility Security
Section 19 Verification and Certification
19.1 Verifications
19.2 Issue or endorsement of certificate
19.3 Duration and validity of certificate
19.4 Interim certification

44
Section 3 - Application
Ships engaged on international voyages:
o passenger ships, including high-speed passenger craft
o cargo ships, including high-speed craft of 500 gross tonnage and upwards; and
o mobile offshore drilling units
port facilities serving such ships engaged on international voyages
Sections 5 to 13 and 19 apply to ships and Companies (3.4)
Sections 5 and 14 to 18 apply to port facilities (3.5)

Section 4 - Responsibilities of Contracting Governments

Contracting Governments shall
o set security levels
o provide guidance for protection from security incidents
Factors to be considered in setting security level
o threat information is credible
o treat information is corroborated
o threat information is specific/imminent
o potential consequences of security incidents

Section 5 - Declaration of Security (DoS)

determined by the Contracting Government (5.1)
Ship can request (5.2)
shall be completed by:
o the master or SSO (5.4.1)
o the PFSO (5.42.2)
could be shared between a port facility and a ship and shall state the responsibility for
each (5.5)
DoS shall be kept by ship & port facility (5.6 & 5.7)
Minimum period to be kept (5.6 & 5.7)

Section 6 - Obligations of the Company

clear statement emphasizing the master’s authority (6.1)
master’s overriding authority and responsibility to make decisions with respect to the
security of the ship (6.1)

45
request the assistance of the Company or of any Contracting Government (6.1)
the company security officer, the master and the ship security officer shall be given the
necessary support (6.2)

Section 7 - Ship Security

A ship is required to act upon the security levels set by Contracting Governments (7.1)
At security level 1, (7.2)
o .1 performance of all ship security duties;
o .2 controlling access to the ship;
o .3 controlling the embarkation of persons and their effects;
o .4 monitoring restricted areas
o .5 monitoring of deck areas and areas surrounding the ship;
o .6 supervising the handling of cargo and ship’s stores;
o .7 security communications is readily available.
At security level 2, (7.3)
o additional protective measures
At security level 3,
o further specific protective measures (7.4)

Section 8 - Ship Security Assessment (SSA)

process of developing and updating the SSP (8.1)
The CSO shall ensure that the SSA is carried out by persons with skills to evaluate the
security of a ship. (8.2)
on-scene security survey and: (8.4)
o .1 identification of existing security measures, procedures and operations;
o .2 identification and evaluation of key ship board operations;
o .3 identification of possible threats to the key ship board operations
o .4 identification of weaknesses, including human factors in the
infrastructure, policies and procedures.

46
Section 9 - Ship Security Plan (SSP)
Each ship shall carry on board a SSP approved by the Administration. (9.1)
provisions for the 3 security levels. (9.1)
Entrust review and approval of SSP to RSOs (9.2)
Submission of SSP for approval shall be accompanied by the security assessment (9.3)
Ship Security Plan (9.4)
o .1 prevent weapons, dangerous substances and devices
o .2 identification of the restricted areas
o .3 prevention of unauthorized access to the ship
o .4 responding to security threats or breaches of security
o .5 responding to any security instructions issued by Contracting
Governments at security level 3
o .6 evacuation in case of security threats or breaches of security;
o .7 duties of shipboard personnel assigned security responsibilities
o .8 auditing the security activities
o .9 training, drills and exercises associated with the SSP
o .10 interfacing with port facility security activities;
o .11 periodic review of the plan;
o .12 reporting security incidents;
o .13 identification of the SSO;
o .14 identification of the CSO (24 hour contact details);
o .15 inspection, testing, calibration, and maintenance of security equipment, if
any
o .16 frequency of testing or calibration, if any
o .17 identification of the locations where the ship security alert system
activation points are provided*;
o .18 procedures, instructions and guidance on the use of the ship security
alert system*
*Administration may allow to be kept elsewhere on board
Personnel conducting internal audits of the security activities shall be independent of the
activities being audited (9.4.1)
Which changes to an approved SSP (Administration shall determine) shall not be
implemented unless approved by the Administration. (9.5)
SSP may be kept in an electronic format (9.6)

47
SSP shall be protected from unauthorized access or disclosure (9.7)
SSP are not subject to inspection by PSCO (9.8)
clear ground --> limited access to the specific sections (9.8.1)
sections 9.4/2, 4, 5, 7, 15, 17, 18 are confidential (9.8.1)

Section 10 - Records
to be kept on board for at least the minimum period specified by the Administration:
(10.1)
o .1 training, drills and exercises;
o .2 security threats and incidents
o .3 breaches of security
o .4 changes in security level;
o .5 communications
o .6 internal audits and reviews of security activities
o .7 periodic review of the SSA
o .8 periodic review of SSP
o .9 implementation of amendments to the SSP
o .10 maintenance, calibration and testing of security equipment, if any;
shall be protected from unauthorized access/disclosure

Section 11 - Company Security Officer (CSO)

The Company shall designate a CSO. (11.1)
A person designated as the CSO may act as the CSO for one or more ships. (11.1)
A Company may designate several persons as CSOs provided it is clearly identified for
which ships each person is responsible. (11.1)
duties & responsibilities of CSO
o .1 advising the level of threats;
o .2 SSAs are carried out;
o .3 development, submission for approval, implementing and maintenance of
the SSP;
o .4 SSP is modified to correct deficiencies;
o .5 internal audits and reviews of security activities;
o .6 initial and subsequent verifications of the ship;
o .7 deficiencies/non-conformities are addressed and dealt with

48
 o .8 enhancing security awareness and vigilance;
o .9 adequate training;
o .10 effective communication and co-operation;
o .11 consistency between security and safety requirements;
o .12 the SSP for each ship reflects the ship-specific information accurately;
o .13 any alternative or equivalent arrangements approved for a particular ship
are implemented and maintained.

Section 12 - Ship Security Officer (SSO)

A SSO shall be designated on each ship. (12.1)
duties and responsibilities of the SSO (12.2)
o .1 regular security inspections of the ship
o .2 maintaining and supervising the implementation of the SSP
o .3 co-ordinating the handling of cargo and ship’s stores
o .4 proposing modifications to the SSP
o .5 reporting to the CSO any deficiencies and non-conformities
o .6 enhancing security awareness and vigilance on board
o .7 adequate training to be provided to shipboard personnel
o .8 reporting all security incidents
o .9 co-ordinating implementation of the SSP with CSO & PFSO
o .10 security equipment is properly operated, tested, calibrated and
maintained

Section 13 - Training and Drills

CSO shall have knowledge and have received training. (13.1)
SSO shall have knowledge and have received training. (13.2)
Shipboard personnel having security duties/responsibilities (13.3)
o shall understand their responsibilities
o shall have sufficient knowledge and ability to perform their assigned duties
Drills shall be carried out at appropriate intervals (13.4)
CSO
o effective coordination & implementation of SSP
o by participating in exercises at appropriate intervals

49
Section 19 - Verification and Certification
19.1 Verifications
19.1.1.1 initial verification
o shall include a complete verification of its security system and any associated
security equipment and the approved SSP.
o security system and any associated security equipment fully complies with
the requirements
o satisfactory condition/fit for the service
19.1.1.2 renewal verification
o not exceeding five years
o security system and any associated security equipment fully complies with
the requirements
o satisfactory condition/fit for the service
19.1.1.3 intermediate verification
• at least one intermediate verification, if only one, shall take place between
the second and third anniversary date.
• include inspection of security system and any associated security equipment
19.1.1.4 additional verification
• any additional verifications as determined by the Administration.
The verifications of ships shall be carried out by officers of the Administration.The
Administration may entrust the verifications to a RSO (19.1.2)
security system and equipment after verification shall be maintained to conform with the
provisions (19.1.4)
After verification has been completed, no changes shall be made in security system and
equipment without the sanction of the Administration (19.1.4)
19.2 Issue or endorsement of certificate
• International Ship Security Certificate shall be issued after the initial or renewal
verification (19.2.1)
• Such certificate shall be issued or endorsed either by the Administration or by
the RSO (19.2.2)
19.3 Duration and validity of certificate
• International Ship Security Certificate shall not exceed 5 years (19.3.1)
• When the renewal verification is completed within 3 months before the expiry date of
the existing certificate, the new certificate shall be valid from the date not exceeding
5 years from the date of completion of the renewal verification to a date not
exceeding 5 years from the date of expiry of the existing certificate (19.3.2

50
• When the renewal verification is completed after the expiry date of the existing
certificate, the new certificate shall be valid from the date of completion of the
renewal verification to a date not exceeding 5 years from the date of expiry of the
existing certificate (19.3.2.1)
• When the renewal verification is completed more than 3 months before the expiry
date of the existing certificate, the new certificate shall be valid from the date of
completion of the renewal verification to a date not exceeding 5 years from the date
of completion of the renewal verification (19.3.2.2)
• at the Renewal verification, if a new certificate cannot be issued/placed on board,
existing certificate may be endorsed (19.3.4)
• and shall be accepted as valid for a further 5 months (19.3.4)
• certificate shall cease to be valid; (19.3.8)
o .1 Renewal/ Intermediate/ (Additional) verifications are not
completed within the period
o .2 certificate is not endorsed
o .3 company changes
o .4 flag changes
19.4 Interim certification
• after 1 July 2004, Interim ISSC may be issued for; (19.4.1)
o .1 a ship without a certificate, on delivery, prior to its entry/re-
entry into service
o .2 flag changes from party Government
o .3 flag changes from non-party Government
o .4 company changes
• Interim ISSC shall be valid for (19.4.4)
o 6 months
o or until full certificate is issued, whichever comes first
o may not be extended
o No subsequent, consecutive Interim ISSC shall be issued (19.4.5)
• to be verified; (19.4.2)
o .1 SSA completed
o .2 copy of SSP (submitted for approval) provided onboard, and
SSP is being implemented
o .3 Security Alert System is provided, if required
o .4 CSO
• .1 shall ensure
• .1 review the SSP

51
 • .2 SSP has been submitted for approval
• .3 SSP is being implemented on the ship
• .2 established necessary arrangements for completion of
initial Verification
• drills, exercises, internal audits
• .5 arrangement for Initial Verification
• .6 Master, SSO & relevant shipboard personnel are familiar with
• their duties specified in the Code
• relevant provisions of the SSP
• have been provided such information

5 years from
3 months Expiry date Expiry date
before

1
Valid 5 years from previous expiry date

1 Valid 5 years from Renewal Verification

1
Valid 5 years from previous expiry date

52
Responsibilities and Authority (General)

Contracting Governments

Contracting Governments have various responsibilities, including

• setting the applicable security level,
• approving the Ship Security Plan and relevant amendments to a previously approved
plan,
• verifying the compliance of ships with the provisions of SOLAS chapter XI-2 and part
A of the ISPS Code and issuing the International Ship Security Certificate,
• determining which port facilities located within their territory are required to
designate a Port Facility Security Officer,
• ensuring completion and approval of the Port Facility Security Assessment and the
Port Facility Security Plan and any subsequent amendments; and
• exercising control and compliance measures.
It is also responsible for communicating information to the International Maritime
Organization and to the shipping and port industries.
Contracting Governments can designate, or establish, Designated Authorities within
Government to undertake their security duties and allow Recognized Security
Organizations to carry out certain work with respect to port facilities, but the final
decision on the acceptance and approval of this work should be given by the Contracting
Government or the Designated Authority.

53
The Company and the Ship

Under the terms of the Code, shipping companies will be required to designate a
Company Security Officer for the Company and a Ship Security Officer for each of its
ships to assure the security plan is followed.
The Company Security Officer's responsibilities include
• ensuring that a Ship Security Assessment is properly carried out,
• that Ship Security Plans are prepared and submitted for approval by (or on behalf of)
the Administration and thereafter is placed on board each ship.
Owner shall conduct a security assessment audit for the company and for each
ship. Ship security assessment must be approved by the owner and the company
security officer.
Comprehensive approved security plans must be developed for company and each ship.
Ship must carry on board a ship security plan approved by the Administration and
contain elements as detailed in the Code. Owner shall ensure that the ship security plan
contains a clear statement emphasizing master’s authority. The Ship Security Plan
should indicate
• the operational and physical security measures the ship itself should take to ensure it
always operates at security level 1.
• the additional, or intensified, security measures the ship itself can take to move to
and operate at security level 2 when instructed to do so.
• the possible preparatory actions the ship could take to allow prompt response to
instructions that may be issued to the ship at security level 3.
Ships will have to carry an International Ship Security Certificate indicating that they
comply with the requirements of SOLAS chapter XI-2 and part A of the ISPS Code. When
a ship is at a port or is proceeding to a port of Contracting Government, the Contracting
Government has the right, under the provisions of regulation XI-2/9, to exercise various
control and compliance measures with respect to that ship. The ship is subject to port
State control inspections but such inspections will not normally extend to examination of
the Ship Security Plan itself except in specific circumstances.
The ship may, also, be subject to additional control measures if the Contracting
Government exercising the control and compliance measures has reason to believe that
the security of the ship has, or the port facilities it has served have, been compromised.

Access at Security Level 1

At security level 1, the SSP should establish the security measures to control access to
the ship, where the following may be applied:
1. checking the identity of all persons seeking to board the ship and confirming their
reasons for doing so by checking, for example, joining instructions, passenger
tickets, boarding passes, work orders etc;

54
2. In liaison with the port facility the ship should ensure that designated secure areas
are established in which inspections and searching of people, baggage (including
carry on items), personal effects, vehicles and their contents can take place;
3. in liaison with the port facility the ship should ensure that vehicles destined to be
loaded on board car carriers, ro-ro and other passenger ships are subjected to
search prior to loading, in accordance with the frequency required in the SSP;
4. segregating checked persons and their personal effects from unchecked persons and
their personal effects;
5. segregating embarking from disembarking passengers;
6. identification of access points that should be secured or attended to prevent
unauthorized access;
7. securing, by locking or other means, access to unattended spaces adjoining areas to
which passengers and visitors have access;
8. providing security briefings to all ship personnel on possible threats, the procedures
for reporting suspicious persons, objects or activities and the need for vigilance.
At security level 1, all those seeking to board a ship should be liable to search. The
frequency of such searches, including random searches, should be specified in the
approved SSP and should be specifically approved by the Administration.
Such searches may best be undertaken by the port facility in close co-operation with the
ship and in close proximity to it.
Unless there are clear security grounds for doing so, members of the ship’s personnel
should not be required to search their colleagues or their personal effects. Any such
search shall be undertaken in a manner which fully takes into account the human rights
of the individual and preserves their basic human dignity.

Access at Security Level 2

At security level 2, the SSP should establish the security measures to be applied to
protect against a heightened risk of a security incident to ensure higher vigilance and
tighter control, which may include:
1. assigning additional personnel to patrol deck areas during silent hours to deter
unauthorised access;
2. limiting the number of access points to the ship, identifying those to be closed and
the means of adequately securing them;
3. deterring waterside access to the ship, including, for example, in liaison with the port
facility, provision of boat patrols;
4. establishing a restricted area on the shore-side of the ship, in close co-operation
with the port facility;
5. increasing the frequency and detail of searches of people, personal effects, and
vehicles being embarked or loaded onto the ship;
6. escorting visitors on the ship;

55
7. providing additional specific security briefings to all ship personnel on any identified
threats, re-emphasizing the procedures for reporting suspicious persons, objects, or
activities and the stressing the need for increased vigilance;
8. carrying out a full or partial search of the ship.

Access at Security Level 3

At security level 3, the ship should comply with the instructions issued by those
responding to the security incident or threat thereof. The SSP should detail the security
measures which could be taken by the ship, in close co-operation with those responding
and the port facility, which may include:
1. limiting access to a single, controlled, access point;
2. granting access only to those responding to the security incident or threat thereof;
3. directions of persons on board;
4. suspension of embarkation or disembarkation;
5. suspension of cargo handling operations, deliveries etc;
6. evacuation of the ship;
7. movement of the ship;
8. preparing for a full or partial search of the ship.

Restricted Areas on the Ship

The SSP should identify the restricted areas to be established on the ship, specify their
extent, times of application, the security measures to be taken to control access to them
and those to be taken to control activities within them. The purpose of restricted areas
is to:
1. prevent unauthorised access;
2. protect passengers, ship's personnel, and personnel from port facilities or other
agencies authorised to be on board the ship;
3. protect sensitive security areas within the ship; and
4. protect cargo and ship's stores from tampering.
The SSP should ensure that there are clearly established policies and practices to control
access to all restricted areas them.
The SSP should provide that all restricted areas should be clearly marked indicating that
access to the area is restricted and that unauthorised presence within the area
constitutes a breach of security.
Restricted areas may include:
1. navigation bridge, machinery spaces of category A and other control stations as
defined in chapter II-2;

56
2. spaces containing security and surveillance equipment and systems and their
controls and lighting system controls;
3. ventilation and air-conditioning systems and other similar spaces;
4. spaces with access to potable water tanks, pumps, or manifolds;
5. spaces containing dangerous goods or hazardous substances;
6. spaces containing cargo pumps and their controls;
7. cargo spaces and spaces containing ship’s stores;
8. crew accommodation;
9. any other areas as determined by the CSO, through the SSA to which access must
be restricted to maintain the security of the ship.
Dependant of the security level, additional measures is foreseen for the restricted areas.

Handling of Cargo
The security measures relating to cargo handling should:
1. prevent tampering, and
2. prevent cargo that is not meant for carriage from being accepted and stored on
board the ship.
The security measures, some of which may have to be applied in liaison with the port
facility, should include inventory control procedures at access points to the ship. Once
on board the ship, cargo should be capable of being identified as having been approved
for loading onto the ship. In addition, security measures should be developed to ensure
that cargo, once on board, is not tampered with.

Dependant of the security level, additional measures are required.

Delivery of Ship’s Stores
The security measures relating to the delivery of ship’s stores should:
1. ensure checking of ship’s stores and package integrity;
2. prevent ship’s stores from being accepted without inspection;
3. prevent tampering;
4. prevent ship’s stores from being accepted unless ordered.
For ships regularly using the port facility it may be appropriate to establish procedures
involving the ship, its suppliers and the port facility covering notification and timing of
deliveries and their documentation. There should always be some way of confirming that
stores presented for delivery are accompanied by evidence that they have been ordered
by the ship.

57
Dependant the security level, additional measures are required.
Handling Unaccompanied Baggage
The SSP should establish the security measures to be applied to ensure that
unaccompanied baggage (i.e. any baggage, including personal effects, which is not with
the passenger or member of ship’s personnel at the point of inspection or search) is
identified and subjected to appropriate screening, including searching, before it is
accepted on board the ship. It is not envisaged that such baggage will be subjected to
screening by both the ship and the port facility, and in cases where both are suitably
equipped, the responsibility for screening should rest with the port facility. Close co-
operation with the port facility is essential and steps should be taken to ensure that
unaccompanied baggage is handled securely after screening.

Dependant the security level, additional measures are required.

Monitoring the Security of the Ship
The ship should have the capability to monitor the ship, the restricted areas on board
and areas surrounding the ship. Such monitoring capabilities may include use of:
1. lighting;
2. watch-keepers, security guards and deck watches including patrols;
3. automatic intrusion detection devices and surveillance equipment.
When used, automatic intrusion detection devices should activate an audible and/or
visual alarm at a location that is continuously attended or monitored.
The SSP should establish the procedures and equipment needed at each security level
and the means of ensuring that monitoring equipment will be able to perform
continually, including consideration of the possible effects of weather conditions or of
power disruptions.

Dependant the security level, additional measures are required.

Differing Security Levels
The SSP should establish details of the procedures and security measures the ship could
adopt if the ship is at a higher security level than that applying to a port facility.
Activities not covered by the Code:
The SSP should establish details of the procedures and security measures the ship
should apply when:
1. it is at a port of a State which is not a Contracting Government;
2. it is interfacing with a ship to which this Code does not apply;
3. it is interfacing with fixed or floating platforms or a mobile drilling unit on location;
4. it is interfacing with a port or port facility which is not required to comply with
chapter XI-2 and part A of this Code.

58
The Port Facility

Each Contracting Government has to ensure completion of a Port Facility Security

Assessment for each port facility within its territory that serves ships engaged on
international voyages. The Port Facility Security Assessment is fundamentally a risk
analysis of all aspects of a port facility's operation in order to determine which parts of it
are more susceptible, and/or more likely, to be the subject of attack.
Security risk is seen a function of the threat of an attack coupled with the vulnerability
of the target and the consequences of an attack. On completion of the analysis, it will be
possible to produce an overall assessment of the level of risk.
The Port Facility Security Assessment will help determine which port facilities are
required to
• appoint a Port Facility Security Officer; and
• prepare a Port Facility Security Plan.
Port Facility Security Officer shall require training in 20 specific area and 10 ancillary
areas as listed in Code. Facility must conduct appropriate training exercises. Port
personnel with security duties must also be trained.
Port Security Plan should indicate
• the operational and physical security measures the port facility should take to ensure
that it always operates at security level 1.
• the additional, or intensified, security measures the port facility can take to move to
and operate at security level 2 when instructed to do so.
• the possible preparatory actions the port facility could take to allow prompt response
to the instructions that may be issued at security level 3.
• detail security Organization
• detail links with relevant authorities
• details basic security levels 1, 2 and 3
• Provide regular review of PFSP
• detail reporting procedures to Government
• address 14 other items including, cargo, ship access, stores personnel IDs, crew,
terminal access etc.
Ships using port facilities may be subject to port State control inspections and additional
control measures. The relevant authorities may request the provision of information
regarding the ship, its cargo, passengers and ship's personnel prior to the ship's entry
into port. There may be circumstances in which entry into port could be denied.

59
Company Obligations

As exists in the ISM documentation, there will also be in the ISPS documentation a
Policy Statement. The purpose is to enhance awareness throughout the company and
onboard its vessels. A example is given below:

Security Policy Statement (sample)

It is …………………………… (Company’s name) policy to:

• provide a secure working environment;
• maintain a secure operating practice.;
• take into account applicable codes, guidelines and standards recommended by the
International Maritime Organization,

Administrations and Classification Societies or other Recognized Security Organizations.

Company objectives are to:
• provide for secure practices in ship operation and a secure working environment;
• establish safeguards against all identified risks;
• continuously improve the security awareness and security management skills of
personnel ashore and aboard our vessels;
• be prepared for emergencies, related both to security, safety and environmental
protection;

These objectives will be achieved by:

• regular inspections and maintenance of equipment and reviews of procedures to
ensure their compliance with experience gained, new technology, and alteration in
public demands;
• maintaining high standards of security consciousness, personal discipline and
individual accountability by adherence to a comprehensive and documented system
of training;
• actively promoting employee participation in measures aimed at improving security
and thus protecting the environment;
• keeping all personnel fully informed of any known or potential hazards that may
affect themselves, their colleagues, the ship or the environment by transmittal of
pertinent documentation;
• ensuring adherence at all times to the documented operating procedures by a system
of internal verification of procedures and activities;

60
• continuously reviewing all mandatory rules, regulations, industry codes and guidelines
that are relevant to specific ship types and trades;
All employees are expected to comply with Security Regulations and Procedures at all
times and to take the necessary precautions to protect themselves, their colleagues, the
ship, its cargo and the environment.
In addition, CSO, the Master and the SSO will be given the necessary support to fulfil their
duties and responsibilities in accordance with Chapter XI-2 of the 1974 SOLAS Convention
Signed:
name,
Managing Director of …..(Company’s name)
At (location)
Date:

Masters Authority:
ISPS Code 6.1 – The Company shall ensure that the Security Plan contains a clear
statement emphasizing the Master’s authority. The Company shall establish in the Ship
Security Plan that the Master has the overriding authority and responsibility to make
decisions with respect to safety and security of the ship and to request the assistance of
the Company or of any contracting Government as may be necessary.
It is quite usual for a statement of this nature to be located within the first page of the
SSP, making clear the Masters overriding authority.

Company and Ship Details including Continuous Synopsis Record (CSR)

Ship details including responsibilities for crew hire and ship employment can be entered in
a form, example on the next page. A record of which will be kept within the ship
management system.

61