
ISPS Code Compliance: A Practical Guide for Port Facility Security Officers

A working guide to keeping a port facility compliant with the ISPS Code, from security assessments and the facility security plan to drills, records and the digital tools that keep evidence audit-ready.


The International Ship and Port Facility Security (ISPS) Code is the global baseline for security at every port facility that serves ships on international voyages. For a Port Facility Security Officer (PFSO), it is not a certificate earned once. It is a continuous operational discipline, and the gap between passing an audit and failing one is almost always the evidence.

This guide covers what the ISPS Code requires, how each requirement works in practice, where facilities most often fall short, and how digital record-keeping turns an audit from a fire drill into a routine export.

Where the ISPS Code comes from

The ISPS Code was developed by the International Maritime Organization (IMO) following the attacks of 11 September 2001, adopted in December 2002 by a Conference of Contracting Governments to the SOLAS Convention, and entered into force on 1 July 2004.

It does not stand alone. The Code sits inside a deliberate legal structure, and a PFSO needs to understand the whole stack:

  • SOLAS chapter XI-2, "Special measures to enhance maritime security", is the chapter of the International Convention for the Safety of Life at Sea that makes the ISPS Code mandatory. Regulation XI-2/10 sets the requirements that apply specifically to port facilities.
  • ISPS Code Part A: the mandatory requirements for contracting governments, port facilities and ships.
  • ISPS Code Part B: recommendatory guidance on how to meet Part A.

That last distinction matters more than it looks. The ISPS Code applies worldwide, but every maritime nation implements it through its own legislation, and several go further, making parts of Part B mandatory. The European Union does this through Regulation (EC) No 725/2004; the United States through the Maritime Transportation Security Act and the Coast Guard regulations in 33 CFR Part 105; other administrations through their own instruments. A provision that is "guidance" in one country can be hard law in another, so the first thing a PFSO must establish is exactly which national regime governs their facility, on top of the global baseline the Code sets.

The IMO maintains the authoritative overview of SOLAS XI-2 and the ISPS Code, and publishes Frequently Asked Questions on Maritime Security for interpretation questions.

Which port facilities the Code applies to

The ISPS Code applies to port facilities serving the following ships engaged on international voyages: passenger ships, cargo ships of 500 gross tonnage and above, and mobile offshore drilling units.

The scope is not always obvious. Each Contracting Government decides, on the basis of a port facility security assessment, the extent to which the Code applies to a given facility, including facilities that only occasionally serve ships on international voyages. A terminal that handles a single qualifying call a year can still be brought within scope.

Within each Contracting Government, a Designated Authority (ISPS A/2.1.6) is named as responsible for port facility security and the ship/port interface. The Designated Authority approves the security plan, sets and communicates security levels, and oversees compliance. The PFSO's primary regulatory relationship is with that authority.

A facility within scope cannot conduct the ship/port interface without an approved Port Facility Security Plan. That plan is, in practice, the licence to operate.

The Port Facility Security Assessment (PFSA)

The Port Facility Security Assessment is the risk analysis everything else is built on. It is the responsibility of the Contracting Government, which may authorise a Recognized Security Organization to carry it out, and it must be documented, reviewed and approved.

Under ISPS A/15.5, a PFSA must address at least four things:

  1. Identification and evaluation of the assets and infrastructure it is important to protect: berths, terminals, cargo, storage, utilities, control systems, and the people on site.
  2. Identification of possible threats to those assets, and the likelihood of their occurrence, in order to establish and prioritise security measures.
  3. Identification, selection and prioritisation of countermeasures, and a realistic view of how effective each is at reducing vulnerability.
  4. Identification of weaknesses (physical, structural, procedural and human) that a threat could exploit.

A credible PFSA includes an on-scene survey of the facility, not just a desk review. And it is not a one-off: it must be revisited when the facility changes materially (new infrastructure, new cargo types, a new operating pattern) or after a security incident. An out-of-date PFSA is one of the most common root causes behind a weak security plan.

The Port Facility Security Plan (PFSP)

The Port Facility Security Plan is the operational plan built on the PFSA and approved by the Contracting Government or its Designated Authority (ISPS A/16).

It is far more than a policy document. ISPS A/16.3 requires the PFSP to address at least fifteen specified elements, among them:

  • Measures to prevent weapons and dangerous devices from being brought into the facility or onto a ship
  • Measures to prevent unauthorised access to the facility, to ships moored at it, and to restricted areas
  • Procedures for responding to security threats and breaches, while maintaining critical operations
  • Procedures for responding to security instructions at security level 3
  • Evacuation procedures for a security threat or breach
  • The duties of personnel with security responsibilities
  • Procedures for interfacing with ship security activities
  • Procedures for the periodic review and updating of the plan
  • Procedures for reporting security incidents
  • Identification of the PFSO, including 24-hour contact details
  • Measures to protect the security information held in the plan itself
  • Measures for the security of cargo and cargo-handling equipment
  • Procedures for auditing the plan
  • Procedures for responding to a ship security alert system activation
  • Procedures for facilitating shore leave, crew changes and visitor access to ships

The plan is a sensitive document: ISPS A/16.8 requires it to be protected from unauthorised access and disclosure, and significant amendments must go back to the Designated Authority for approval.

Compliance is rarely lost on the plan itself. It is lost on the evidence: the records that prove the plan was actually followed.

The Port Facility Security Officer (PFSO)

Every port facility must designate a Port Facility Security Officer (ISPS A/17). One PFSO may be designated for more than one facility, provided they can effectively discharge the duties for each.

ISPS A/17.2 sets out the PFSO's duties. They include, but are not limited to:

  • Conducting an initial comprehensive security survey of the facility, informed by the PFSA
  • Ensuring the development, maintenance and implementation of the PFSP
  • Undertaking regular security inspections of the facility
  • Recommending and incorporating modifications to the plan
  • Enhancing security awareness and vigilance among facility personnel
  • Ensuring adequate security training for personnel
  • Reporting security occurrences to the relevant authorities, and keeping records of them
  • Coordinating implementation of the plan with Company and Ship Security Officers
  • Coordinating with security services as appropriate
  • Ensuring that security equipment is properly operated, tested, calibrated and maintained
  • Assisting Ship Security Officers in confirming the identity of those seeking to board

Two things are easy to miss. First, the role demands real knowledge (of security administration, relevant legislation, threat recognition, security surveys and the operation of security equipment), not just a job title. Second, the role demands authority. A PFSO who cannot change measures when the security level rises, control access, or compel a corrective action when an inspection finds a gap cannot actually perform the function. Responsibility without authority is the quiet reason many security plans underperform.

The three security levels

The ISPS Code defines three security levels, and the PFSP must specify the measures that apply at each.

Security level | Meaning | Facility posture
Level 1 | Normal | The minimum appropriate protective measures, maintained at all times
Level 2 | Heightened | Additional protective measures, for as long as there is a heightened risk of a security incident
Level 3 | Exceptional | Further specific protective measures, for when a security incident is probable or imminent

The security level is set by the Contracting Government, not by the facility. It can apply to a whole country, a port, a single facility or a specific ship. The facility must be able to receive and act on a level change at any hour, which means a communication chain that works at 3 a.m. on a public holiday, not only during office hours.

The practical risk is the transition. When the level is raised, the facility must apply the new measures without delay, and must be able to show afterwards exactly when measures changed and who acted. At level 3, measures are normally coordinated with the authorities, and the facility is expected to comply with the security instructions it is given. Our guide to MARSEC levels covers the measures at each level in detail.

Access control and restricted areas

Audit findings cluster around access control because it is the most operational, highest-volume part of the plan. ISPS A/16.3.2 requires the PFSP to prevent unauthorised access to the facility, to ships moored at it, and to its restricted areas: the parts of the facility, identified in the plan, where access must be limited for security reasons. The required standard rises with the security level.

Every person and vehicle entering the facility is a record that either exists or does not. The PFSO needs to be able to answer, at any moment:

  1. Who is inside the facility right now?
  2. Were they identified, inducted and authorised before entry?
  3. Which restricted areas are they cleared for?
  4. Is there a complete, time-stamped trail of their movements?

When those answers live on paper logs or scattered spreadsheets, reconstructing them for an auditor, or for an incident investigation, is slow and error-prone.

The Declaration of Security

A Declaration of Security (DoS) is a written agreement between a ship and a port facility, or between two ships, recording the security measures each will apply during their interface, and which party is responsible for each (ISPS A/5).

A DoS is typically required when:

  • A ship is operating at a higher security level than the port facility it is using
  • There is an agreement on a Declaration of Security between Contracting Governments covering an international voyage or specific ships on it
  • There has been a security threat or a security incident involving the ship or the facility
  • The ship is at a port facility that is not required to have and implement an approved PFSP
  • The ship conducts ship-to-ship activity with a ship not required to have a security plan

The PFSO should know exactly when a DoS is needed for their facility, complete it correctly, and keep completed declarations on file for the period the Contracting Government requires. A missing Declaration of Security, where one was required, is a clear and easily evidenced finding.

Drills and exercises

Training, drills and exercises for port facility security are required under ISPS A/18. The Code draws a clear distinction between the two:

  • Drills test individual elements of the plan (a single procedure, a single response) and are run frequently.
  • Exercises are larger and less frequent. They test the plan as a whole, may run as a full-scale or live simulation, and may involve other stakeholders: government authorities, Company and Ship Security Officers, and other facilities.

ISPS Part B sets the cadence: drills should be conducted at least every three months (B/18.5), and exercises at least once each calendar year, with no more than 18 months between exercises (B/18.6). Some administrations make these intervals mandatory rather than recommendatory through national law, so a PFSO should confirm their exact status under the regime that governs the facility.

Each drill and exercise must be documented: date, scenario, participants, outcomes and lessons learned. A drill that happened but was not recorded is, for audit purposes, a drill that did not happen.

Security equipment and systems

ISPS A/17.2.12 makes the PFSO responsible for ensuring that security equipment is properly operated, tested, calibrated and maintained. In practice that covers access-control systems, surveillance and monitoring, lighting, communications and intrusion detection.

Equipment is only as good as its upkeep. Every test, calibration and maintenance action should generate a dated record, both because the Code expects it, and because a camera that turns out not to have been working on the day of an incident is a question the PFSO will have to answer.

Records: the evidence that survives an audit

An ISPS audit does not test the plan on paper. It tests whether the plan is being followed, and whether the facility can prove it. That proof is the body of records the facility generates as it operates. Auditors typically review:

  • The security assessment and the security plan, with revision history
  • Access-control and visitor records for any date requested
  • Contractor pre-qualification and induction records
  • Drill and exercise reports
  • Training records for personnel with security duties
  • Documentation of every security-level change: when, why, and who acted
  • Maintenance, testing and calibration logs for security equipment
  • Reports of security incidents, breaches and threats

Two qualities decide whether records hold up. They must be complete (captured consistently, every time, not only when someone remembers) and retrievable (produced in minutes, not found after an afternoon in a filing cabinet). A record that exists but cannot be located on request is, in an audit, no record at all.

How port facility compliance is verified

Port facilities are not certificated the way ships are. A ship carries an International Ship Security Certificate, issued after the verification process in ISPS A/19; a port facility has no equivalent mandatory certificate. Instead, port facility compliance rests on the approved PFSP and the ongoing oversight of the Designated Authority, supported by the facility's own audits of the plan (required by ISPS A/16.3.13).

A Contracting Government may also issue a Statement of Compliance of a Port Facility, an optional instrument described in ISPS Part B (B/16.62 to B/16.67), valid for a period the Contracting Government sets. Where it is used, it is a useful external confirmation; where it is not, the approved plan and the Designated Authority's oversight remain the basis of compliance.

The practical takeaway for a PFSO: there is no certificate to hide behind. Compliance is demonstrated continuously, through evidence.

Common compliance failures

The same gaps turn into findings again and again:

  • Plan-to-practice drift: the written plan and what actually happens at the gate have quietly diverged.
  • Incomplete access records: entries logged inconsistently, partially, or not at all, so the facility cannot say with confidence who was on site on a given day.
  • Undated or missing drill and exercise reports: the activity happened, but the evidence does not exist.
  • An out-of-date PFSA: the assessment was never revisited after the facility changed, so the plan is solving last year's risk.
  • Unrecorded security-level changes: the level was raised and measures applied, but there is no trail of when, or by whom.
  • Untested security equipment: cameras, barriers or alarms with no maintenance or testing log behind them.
  • Evidence that cannot be retrieved quickly: the records exist somewhere, but not in minutes, and not in a form an auditor will accept.

Almost every item on that list is a records failure, not a plan failure. The facility knew what to do; it could not prove it did it.

Security beyond the ISPS perimeter

The ISPS Code focuses on the ship/port interface. Security of the wider port area is addressed by the ILO/IMO Code of Practice on Security in Ports, developed jointly by the International Labour Organization and the IMO. PFSOs working in larger ports should be familiar with both instruments.

How Stowlog supports ISPS compliance

Stowlog brings the operational side of ISPS compliance into a single platform. Safety inductions, contractor management, visit and access control and restricted-area oversight are captured digitally as work happens, so the evidence an auditor asks for is already structured, time-stamped and one export away.

That shifts the PFSO's effort away from assembling paperwork and back toward what the Code is actually for: keeping the facility secure.

Frequently asked questions

Who is responsible for ISPS compliance at a port facility?

The Port Facility Security Officer (PFSO) is the designated person accountable for developing, implementing, revising and maintaining the Port Facility Security Plan. The PFSO also carries out security inspections, ensures drills and training take place, and liaises with ship security officers and the contracting government.

When did the ISPS Code enter into force?

The ISPS Code was adopted by the International Maritime Organization in December 2002 and entered into force on 1 July 2004, as part of chapter XI-2 of the SOLAS Convention.

What is the difference between Part A and Part B of the ISPS Code?

Part A sets out the mandatory security requirements for governments, port facilities and ships. Part B provides guidance on how to meet Part A. Some contracting governments make parts of Part B mandatory through national legislation.

How often are ISPS security drills and exercises required?

Security drills should be carried out at regular intervals, and at least one security exercise must be conducted each calendar year, with no more than 18 months between exercises. Every drill and exercise should be documented with date, scenario, participants and outcomes.

What is a Declaration of Security?

A Declaration of Security is a written agreement between a ship and a port facility setting out the security measures each will apply during their interface. It is typically required when the two operate at different security levels, or when a contracting government requires one.

What records does an ISPS audit typically review?

Auditors commonly review the security assessment and plan, access-control and visitor records, contractor and induction records, drill and exercise reports, training records, security equipment testing logs, and documentation of any security-level changes.

What must a Port Facility Security Assessment cover?

Under ISPS A/15, a Port Facility Security Assessment must identify the assets and infrastructure it is important to protect, the threats to them and how likely they are, the countermeasures available and how effective they are, and the weaknesses (physical, structural, procedural and human) that a threat could exploit.

Does a port facility receive an ISPS certificate?

No. Unlike ships, which carry an International Ship Security Certificate, port facilities are not certificated. Compliance rests on an approved Port Facility Security Plan and the oversight of the Designated Authority. A Contracting Government may, optionally, issue a Statement of Compliance of a Port Facility.

Who sets the security level for a port facility?

The security level is set by the Contracting Government, not by the facility. The facility must be able to receive a level change at any hour and apply the corresponding measures from its security plan without delay.
