An ISPS audit does not test your Port Facility Security Plan on paper. It tests whether the plan is actually being followed, and whether you can prove it. A document that describes restricted areas, access procedures and drill schedules is only the starting point. What an auditor or verifier wants to see is a facility where the written plan and the daily operation are the same thing, supported by records that confirm it.
This guide walks through what an ISPS audit and verification actually involves, who conducts it, how to prepare in the weeks and days beforehand, what documentation to have ready, how to handle the day itself, and how to close out findings so they do not reappear. It is written for Port Facility Security Officers (PFSOs) and port facility security managers, and it uses the International Ship and Port Facility Security (ISPS) Code as the common framework, with national implementation mentioned only as examples.
What an ISPS audit and verification actually is
The ISPS Code, adopted under chapter XI-2 of the SOLAS Convention, sets out security requirements for ships and port facilities. Part A of the Code is mandatory. Part B is guidance that many administrations apply as if it were mandatory through national legislation. For a port facility, the core obligations sit in Part A: the Port Facility Security Assessment (PFSA) under section A/15, the Port Facility Security Plan (PFSP) under section A/16, the PFSO under section A/17, and drills and exercises under section A/18.
It is useful to separate two related but distinct activities.
- Internal audit of the plan. The PFSP itself must be kept under review. Section A/16.3.13 requires procedures for auditing the security activities described in the plan. This is an internal exercise: the facility checks itself against its own plan and against the Code, and corrects what it finds.
- External oversight by the Contracting Government or Designated Authority. Each Contracting Government to SOLAS designates a body responsible for port facility security, often called the Designated Authority. This body, or a recognised security organisation acting on its behalf, approves the PFSP and verifies continued compliance. When people speak of "an ISPS audit", they usually mean this external verification, but a strong internal audit programme is what makes the external one straightforward.
The terminology varies between jurisdictions. Some administrations speak of audits, others of inspections, verifications or compliance visits. In the European Union, port facility inspections are carried out by national authorities and the framework is reinforced by Regulation (EC) No 725/2004 and Commission inspections. In the United States, the Coast Guard conducts facility inspections under the Maritime Transportation Security Act, which implements the ISPS Code domestically. In the United Kingdom, the relevant department oversees port facility compliance and conducts inspections. The labels differ, but the underlying question is the same everywhere: does the facility operate the way its approved plan says it does, and can it prove that over time?
For the broader picture of how these obligations fit together, see our ISPS Code compliance guide for Port Facility Security Officers.
Before the audit: building a defensible baseline
Audit readiness is not a task you start when a visit is announced. It is the by-product of running the facility properly all year. Still, there are specific checks worth running deliberately, well ahead of any scheduled verification.
Confirm the assessment and plan are current and approved
Start with the foundation. Confirm that the PFSA (A/15) reflects the facility as it exists today, not as it existed at the last major review. Layout changes, new tenants, new cargo types, new equipment and changes to adjacent infrastructure can all alter the threat picture. If the assessment is out of date, the plan built on it is questionable by definition.
Then confirm the PFSP (A/16) is the current approved version, that the approval is valid, and that the copy in use at the facility matches the copy held by the Designated Authority. Check the revision history. Every amendment of significance should be recorded, dated and, where required by your administration, submitted for re-approval. An auditor who finds an unapproved change in operational use will treat it as a finding.
Check drill and exercise records for the period
Drills and exercises are among the most scrutinised areas of an ISPS audit, because they are concrete, dated and easy to verify. Section A/18 requires that security drills and exercises be conducted.
- Drills test individual elements of the plan and should be conducted at regular intervals. Part B/18.5 recommends that drills be carried out at least every three months.
- Exercises are larger, test the plan as a whole and may involve multiple parties. Part B/18.6 recommends at least one exercise per calendar year, with no more than 18 months between exercises.
Pull the records for the full audit period and check them against this cadence. For each entry, confirm the date, the scenario, who took part, what was tested and what was learned. A drill log that lists dates but no outcomes is weak evidence. A log that records a problem identified during a drill and the corrective action that followed is strong evidence, because it shows the security system improving itself.
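Checking a drill and exercise log against the B/18.5 and B/18.6 cadence is mechanical enough to script, which also makes the check repeatable at every internal audit. The Python below is an added example, not code from the original article or from any product it mentions; the log format, the reading of "three months" and "18 months" as calendar months, and the assumption that the audit period starts from a known compliant state (for instance the previous verification) are all assumptions of this example. It reports gaps in the form an auditor would record them and adds a "next due" view of the same data.

```python
from datetime import date, timedelta

DRILL_INTERVAL_MONTHS = 3       # B/18.5: drills at least every three months
EXERCISE_INTERVAL_MONTHS = 18   # B/18.6: no more than 18 months between exercises

# Constructed sample log, not real facility data: (kind, date) pairs.
SAMPLE_LOG = [
    ("drill", date(2023, 1, 12)),
    ("drill", date(2023, 4, 3)),
    ("exercise", date(2023, 5, 20)),
    ("drill", date(2023, 9, 15)),   # more than three months after the April drill
    ("drill", date(2023, 12, 1)),
    ("drill", date(2024, 2, 20)),
    ("drill", date(2024, 5, 10)),
    ("drill", date(2024, 8, 5)),
    ("drill", date(2024, 11, 1)),   # no exercise at all in 2024
]


def add_months(d, n):
    """Date n calendar months after d, clamped to the last day of the target month."""
    month_index = d.month - 1 + n
    year, month = d.year + month_index // 12, month_index % 12 + 1
    next_month_start = date(year + month // 12, month % 12 + 1, 1)
    last_day = (next_month_start - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def check_cadence(log, period_start, period_end):
    """Findings for the audit period, worded the way an auditor would record them.
    Assumption: the period starts from a compliant state (e.g. the previous verification)."""
    drills = sorted(d for kind, d in log if kind == "drill")
    exercises = sorted(d for kind, d in log if kind == "exercise")
    findings = []

    def walk_gaps(dates, interval, label):
        previous = period_start
        for d in dates + [period_end]:   # the open interval up to period_end counts too
            due = add_months(previous, interval)
            if d > due:
                findings.append(f"{label} gap: none between {previous} and {d} (due by {due})")
            previous = d

    walk_gaps(drills, DRILL_INTERVAL_MONTHS, "drill")
    walk_gaps(exercises, EXERCISE_INTERVAL_MONTHS, "exercise")

    # B/18.6 also asks for at least one exercise per calendar year; only years that
    # have fully elapsed within the period can be findings yet.
    for year in range(period_start.year, period_end.year + 1):
        if date(year, 12, 31) <= period_end and not any(e.year == year for e in exercises):
            findings.append(f"no exercise in calendar year {year}")
    return findings


def next_due(log, today):
    """The at-a-glance view: when the next drill and exercise fall due as of `today`."""
    drills = [d for kind, d in log if kind == "drill" and d <= today]
    exercises = [d for kind, d in log if kind == "exercise" and d <= today]
    drill_due = add_months(max(drills), DRILL_INTERVAL_MONTHS) if drills else today
    if exercises:
        exercise_due = add_months(max(exercises), EXERCISE_INTERVAL_MONTHS)
        if max(exercises).year < today.year:      # nothing yet this calendar year
            exercise_due = min(exercise_due, date(today.year, 12, 31))
    else:
        exercise_due = today
    return {"drill": drill_due, "exercise": exercise_due}


if __name__ == "__main__":
    for finding in check_cadence(SAMPLE_LOG, date(2023, 1, 1), date(2024, 12, 31)):
        print("FINDING:", finding)
    print("next due:", next_due(SAMPLE_LOG, date(2024, 6, 1)))
```

Run against the constructed log for the period 2023-01-01 to 2024-12-31, the check raises three findings: the drill gap between April and September 2023, the exercise gap that opens 18 months after the May 2023 exercise, and the missing 2024 exercise. The `next_due` view is what lets a PFSO see the cadence before a gap becomes a finding rather than after.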
Verify training records for all security personnel
The PFSO (A/17) and security personnel must have the knowledge and training needed to perform their duties. For the audit, this means a complete, current record for every person with a security role: the PFSO, deputies, security guards and personnel with specific security duties.
Check that training is documented, that it covers the topics relevant to each role, and that refresher training is current. Pay attention to turnover. New starters and contractors are a frequent gap, because they may be operating at the facility before their training records catch up. For more on how the PFSO role and its competence requirements are defined, see the PFSO role and responsibilities at a port facility.
Make sure access-control and visitor logs are complete and retrievable
Access control is where the plan meets the gate. Confirm that records exist for the movement of people and vehicles into and out of the facility and its restricted areas, and that those records can be retrieved quickly for any date in the audit period.
The test an auditor often applies is simple: they pick a date, sometimes months back, and ask to see the access and visitor records for that day. If retrieving them takes an hour of searching through paper folders, that is itself a weakness, even if the records are eventually found. Completeness and retrievability are both being assessed.
Documentation the auditor will expect
The auditor will ask for evidence, not assurances. The phrase to keep in mind is that an undocumented action, from a security and compliance standpoint, did not happen. Assemble the following before any visit so that nothing has to be located under pressure.
- The Port Facility Security Assessment and the approved Port Facility Security Plan, both with a clear revision history.
- Drill and exercise reports for the full audit period, including scenarios, participants, outcomes and follow-up actions.
- Access and visitor records for any date in the period, covering people and vehicles.
- Records of security-level changes: when the Maritime Security level changed, on whose instruction, what additional measures were activated and when normal operations resumed.
- Maintenance, testing and calibration logs for security equipment: cameras, lighting, intrusion detection, access-control hardware, communications and alarm systems.
- Training and qualification records for the PFSO and all security personnel.
- Records of security incidents and breaches, however minor, and the response to each.
- Correspondence with the Designated Authority and records of any previous audit findings and their closure.
The single most useful preparation step is to make this set retrievable on demand. An auditor forms an impression early. A facility that produces a requested record in seconds signals a controlled operation. A facility that cannot signals the opposite, regardless of what the record eventually shows.
A pre-audit timeline
Treating preparation as a sequence rather than a single push makes it manageable. The timeline below is a practical structure; adjust the spans to the size of your facility and the notice you receive.
Several weeks before
- Confirm the PFSA and PFSP are current, approved and consistent with the facility as it operates today.
- Run a full internal audit against the plan under A/16.3.13. Treat it as a rehearsal of the external visit.
- Review drill and exercise records for the period and, if there is a gap in the cadence, schedule what is needed before the visit rather than after.
- Check training records and close any gaps, including for recent starters and contractors.
- Review the closure status of findings from the previous audit. Open items from a past audit are among the worst things for a current one to uncover.
Days before
- Assemble the full documentation set in one place, physical or digital, organised so any item can be produced quickly.
- Walk the facility yourself, with the plan in hand, exactly as an auditor would.
- Brief security personnel: they should know an audit is taking place, understand that they may be asked questions, and answer honestly and from their own knowledge.
- Confirm that security equipment is functioning and that recent maintenance and testing logs are in order.
- Verify that signage for restricted areas is correct, visible and matches the plan.
Day of the audit
- Make the PFSO or a fully briefed deputy available throughout.
- Provide records promptly when requested. Do not improvise or speculate; if something is not immediately available, say so and retrieve it.
- Accompany the auditor on the facility walk and take your own notes.
- At the close-out, make sure you understand each finding precisely: what was observed, which provision it relates to, and what is expected.
During the audit: the walk and the conversation
An ISPS audit has two parts that matter most: the document review and the facility walk. The walk is where written intent is compared with physical reality.
Walk the facility as the auditor would. Check that restricted-area signage, access points, fencing, lighting and monitoring match what the plan describes. Watch how access control is actually performed at the gate, not how it is supposed to be performed. Look at how visitors are received, how identity is checked, how vehicles are handled and how restricted areas are controlled in practice.
Gaps between the written plan and the operation on the ground are the most common category of finding. A plan that names a restricted area the signage does not mark, a camera position the plan shows but the site no longer has, an access procedure staff have quietly simplified: these are the discrepancies a walk exposes. The lesson is not to write a vaguer plan. It is to keep the plan and the operation aligned continuously, so the walk finds nothing the facility did not already know. For the access-control element specifically, see restricted areas and access control under the ISPS Code.
The conversation matters too. Auditors talk to security personnel, not only to the PFSO. A guard who can explain, in their own words, what they do when the security level rises is strong evidence that the plan is understood and lived. Personnel who can describe their duties only by reading from a laminated card are a sign the plan exists more on paper than in practice. The remedy is genuine, regular training and realistic drills, not pre-audit coaching on what to say.
After the audit: handling and closing findings
The audit does not end at the close-out meeting. How a facility handles its findings is part of how it will be judged at the next visit.
Treat every finding as a small project with a clear lifecycle.
- Record it precisely. Capture what was observed, the provision it relates to, the date and the auditor's wording. Vague records lead to vague corrective actions.
- Determine the root cause. Ask why the gap existed. A missing drill might be a scheduling failure, a staffing shortage or an unclear ownership of the drill programme. The corrective action should address the cause, not only the symptom.
- Assign an owner and a deadline. Every finding needs one named person accountable and a realistic date. A finding owned by everyone is owned by no one.
- Implement the corrective action and record the evidence. The proof of closure is documentary: the completed drill report, the updated plan page, the new training record, the repaired equipment log.
- Verify and close. Confirm the action resolved the finding, then formally close it with the closure date and the evidence attached.
- Check for recurrence. At the next internal audit, confirm closed findings have stayed closed. A finding that reappears suggests the corrective action treated the symptom only.
A clear, well-maintained findings register is itself valuable evidence. It shows an auditor that the facility identifies problems, owns them and resolves them, which is exactly the behaviour the ISPS framework is designed to produce.
Common findings and how to avoid them
Certain findings appear again and again across port facilities. Knowing them in advance lets you check for them before an auditor does.
| Common finding | How to avoid it |
|---|---|
| Drill or exercise cadence not met for the period | Track the schedule against B/18.5 (drills every three months) and B/18.6 (an exercise each calendar year, max 18 months apart); plan the year in advance. |
| Plan does not match the facility on the ground | Update the PFSP whenever layout, equipment or procedures change; run internal walks regularly. |
| Training records incomplete, especially for new staff and contractors | Make security training a gate for facility access; record it before the person starts duties. |
| Access or visitor records hard to retrieve for past dates | Keep records complete and indexed; test retrieval by picking a random past date yourself. |
| Security-level changes not properly documented | Record every level change with time, authority, measures activated and stand-down. |
| Equipment maintenance and testing logs out of date | Schedule maintenance and testing; log every check so the record is continuous. |
| Findings from the previous audit still open | Run a findings register with owners and deadlines; review it before every audit. |
| Unapproved amendments to the plan in operational use | Route every significant change through the approval process before it goes live. |
None of these are difficult to fix. They persist because preparation is left until a visit is announced, by which point the records for the period are already written. The way to avoid them is continuous, not seasonal.
An ISPS audit rarely fails a facility because the plan is poor. It fails a facility because the plan and the operation drifted apart and no one was tracking the gap.
How digital records change audit preparation
For many years, ISPS records lived in binders: drill logs in one folder, visitor sheets in another, maintenance records in a third, often in different offices. That model still passes audits, but it makes preparation slow, makes retrieval a scramble, and makes it easy for a gap to go unnoticed until an auditor finds it.
Digital record-keeping changes the preparation problem in several specific ways.
- Retrievability. Access logs, visitor records, drill reports and maintenance histories for any date can be produced in seconds rather than reconstructed from paper. This directly addresses one of the most common audit weaknesses.
- Continuity. When records are captured at the moment the activity happens, there are no end-of-period reconstruction exercises and no gaps that appear only when someone goes looking.
- Visibility of cadence. A system that tracks drill and exercise intervals against B/18.5 and B/18.6 shows the PFSO at a glance whether the facility is on schedule, long before a gap becomes a finding.
- Findings management. A digital register keeps every finding, owner, deadline and closure evidence in one place, so nothing from a previous audit is quietly forgotten.
- Audit trail integrity. Time-stamped digital records that cannot be edited after the fact are stronger evidence than handwritten logs, because they answer the auditor's underlying question of whether the record was made when it claims to have been.
Digitising records does not change what the ISPS Code requires. It changes how reliably and how visibly a facility can demonstrate that it meets those requirements. The MARSEC level context for many of these records is covered in MARSEC levels explained: security levels at a port facility.
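The "audit trail integrity" point above is that a record must be able to show it was made when it claims to have been and not altered since. One widely used way to make after-the-fact editing detectable is to hash each record together with the hash of the record before it, so that changing, removing or reordering any entry breaks every hash that follows. The Python below is an added example illustrating that technique; it is not code from the original article or from Stowlog, and the record types, field names and sample entries are constructed for the example. The one caveat the chain itself does not cover is noted in the comments: silently dropping the most recent records is not detectable unless the latest hash is also recorded somewhere outside the log, such as in a signed daily hand-over.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # placeholder anchor for the first record's "prev" link


def _digest(body):
    """SHA-256 over the canonical JSON form of a record body (everything except its own hash)."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_record(chain, record_type, details, recorded_at):
    """Append one record. Its hash covers the timestamp, the content and the previous
    record's hash, so altering any earlier record invalidates every hash after it."""
    body = {
        "seq": len(chain),
        "type": record_type,
        "recorded_at": recorded_at.isoformat(),
        "details": details,
        "prev": chain[-1]["hash"] if chain else GENESIS,
    }
    entry = dict(body, hash=_digest(body))
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Return (True, None) if every hash, link, sequence number and timestamp order
    checks out, else (False, seq) for the first record that fails.
    Caveat: truncation of the tail is not detected here; anchor the latest hash externally."""
    expected_prev = GENESIS
    last_time = None
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        try:
            stamp = datetime.fromisoformat(body["recorded_at"])
        except (KeyError, ValueError):
            return False, i
        if (body.get("seq") != i
                or body.get("prev") != expected_prev
                or _digest(body) != entry.get("hash")
                or (last_time is not None and stamp < last_time)):
            return False, i
        expected_prev = entry["hash"]
        last_time = stamp
    return True, None


def tampered_copy(chain, seq, field, value):
    """Deep copy of the chain with one detail field rewritten after the fact (to test the check)."""
    copied = json.loads(json.dumps(chain))
    copied[seq]["details"][field] = value
    return copied


def build_sample_chain():
    """Constructed sample records, not real facility data."""
    chain = []
    utc = lambda *parts: datetime(*parts, tzinfo=timezone.utc)
    append_record(chain, "visitor",
                  {"name": "J. Example", "gate": "North", "escort": "on-site"},
                  utc(2024, 3, 4, 8, 12))
    append_record(chain, "drill",
                  {"scenario": "unauthorised entry to restricted area",
                   "outcome": "response in 4 min; signage gap noted, action raised"},
                  utc(2024, 3, 4, 14, 0))
    append_record(chain, "security_level_change",
                  {"from": 1, "to": 2, "authority": "Designated Authority (placeholder)"},
                  utc(2024, 3, 5, 6, 30))
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    print("edited drill outcome:", verify_chain(tampered_copy(chain, 1, "outcome", "no issues")))
    print("record removed:", verify_chain(chain[:1] + chain[2:]))
```

The edited drill outcome and the removed record both fail verification at sequence number 1, which is exactly the answer an auditor's underlying question needs: not merely that a record exists, but that it is the record that was written at the time.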
How Stowlog supports ISPS audit readiness
Stowlog is built for HSSE, security and compliance at port facilities, and audit readiness is one of the problems it is designed to solve. Rather than treating an audit as a periodic scramble, Stowlog helps a facility maintain the kind of continuous, retrievable evidence that makes an audit straightforward.
In practice, that means a single place to record and retrieve access-control and visitor activity, schedule and document drills and exercises against the cadences in the Code, log security-level changes with full context, keep equipment maintenance and testing histories current, and manage audit findings through to verified closure with owners and deadlines attached. Because records are captured as activity happens and time-stamped, the documentation an auditor asks for is already assembled, indexed and consistent.
The result is not a different standard of compliance. It is the same standard, demonstrated with less effort and less risk of a gap going unnoticed. For PFSOs, the value is straightforward: more time spent on security itself, and far less spent reconstructing evidence the week before a verification.
To see how Stowlog handles ISPS records and audit preparation for a facility like yours, you can explore more in our ISPS and maritime compliance resources.
Frequently asked questions
What is the difference between an internal ISPS audit and an external verification?
An internal audit is the facility checking its own security activities against its approved plan and the Code, as required by section A/16.3.13 of the ISPS Code. An external verification is conducted by the Designated Authority or a recognised security organisation acting on its behalf, and it confirms continued compliance. A strong internal audit programme is what makes the external visit straightforward.
Who conducts an ISPS audit at a port facility?
External oversight is the responsibility of the Contracting Government, usually through a Designated Authority or a recognised security organisation acting on its behalf. The body and its name vary by country: the Coast Guard in the United States, national authorities in European Union member states, and the relevant government department in the United Kingdom. The PFSO is responsible for internal audits and for preparing the facility for the external visit.
How often must drills and exercises be conducted under the ISPS Code?
Part B/18.5 recommends that security drills be conducted at least every three months. Part B/18.6 recommends at least one exercise per calendar year, with no more than 18 months between exercises. Auditors check these cadences closely because the records are concrete and dated.
What documents will an ISPS auditor ask to see?
Expect requests for the Port Facility Security Assessment and approved Security Plan with revision history, drill and exercise reports, access and visitor records for any date, records of security-level changes, equipment maintenance and testing logs, and training records for all security personnel. The auditor wants documented evidence, not verbal assurance. Having everything assembled and retrievable in advance is the single most useful preparation step.
What is the most common finding in an ISPS audit?
The most common category of finding is a gap between the written plan and the operation on the ground, such as restricted-area signage that does not match the plan or access procedures that staff have informally changed. These gaps are exposed during the facility walk. The way to avoid them is to keep the plan and the operation aligned continuously rather than only before a visit.
How should a port facility handle audit findings after the visit?
Record each finding precisely, determine its root cause, assign one named owner and a realistic deadline, implement the corrective action, and close it with documentary evidence. At the next internal audit, confirm that closed findings have stayed closed. A clear findings register is itself strong evidence of a well-run security system.
How far in advance should a facility prepare for an ISPS audit?
Genuine readiness is built all year, because audits assess records for a whole period that cannot be created retroactively. As a practical timeline, run a full internal audit several weeks before, assemble the documentation set and walk the facility in the days before, and have the PFSO available and records ready on the day itself. Open findings from a previous audit should be closed well before any new visit.
Does digital record-keeping help with ISPS audit preparation?
Yes. Digital records make access logs, drill reports and maintenance histories retrievable for any date in seconds, capture activity continuously so there are no end-of-period gaps, and track drill and exercise cadences so a gap is visible before it becomes a finding. Digitising records does not change what the Code requires; it changes how reliably and visibly a facility can prove it meets those requirements.
Does a good Port Facility Security Plan guarantee a clean audit?
No. An audit rarely fails a facility because the plan is poorly written; it fails because the plan and the daily operation have drifted apart. A clean audit depends on the plan being current and approved, the operation matching it on the ground, and the records proving that consistency over the full period.