Candidates routinely conflate the roles of the key duty-holders — Company Security Officer (CSO), Ship Security Officer (SSO), and Port Facility Security Officer (PFSO) — and cannot clearly state what the ISPS Code requires a vessel to do at each security level. Those two gaps almost always attract follow-up questions and can derail an otherwise solid answer.
What the ISPS Code is and why it exists
The ISPS Code (International Ship and Port Facility Security Code) is a mandatory IMO framework under SOLAS Chapter XI-2, introduced after the 11 September 2001 attacks. It establishes a standardised, risk-based approach to security for ships and port facilities, creating a framework for detecting and deterring security threats in international shipping.
It applies to ships on international voyages (including passenger ships, cargo ships of 500 GT and above, mobile offshore drilling units) and to the port facilities that serve them. Yachts in commercial operation that fall within scope must comply.
The three security levels
- Level 1 – Normal: Minimum appropriate protective measures maintained at all times.
- Level 2 – Heightened: Additional protective measures due to an elevated risk.
- Level 3 – Exceptional: Further specific measures for a probable or imminent incident. Set by contracting governments; the ship does not set Level 3 unilaterally.
Key duty-holders — know the distinctions
- CSO (Company Security Officer): Ashore. Responsible for the Ship Security Assessment, ensuring the Ship Security Plan (SSP) is developed, approved, implemented and maintained, and for liaison with PFSOs and the SSO.
- SSO (Ship Security Officer): Onboard. Responsible for implementing the SSP, conducting regular inspections, ensuring crew are trained, reporting security incidents to the CSO and the master.
- PFSO (Port Facility Security Officer): Responsible for the port facility's security plan and for coordinating with the SSO when a vessel is in port or approaching.
Ship Security Plan (SSP)
The SSP is confidential. It must be approved by the flag state (or an approved Recognised Security Organisation on the flag state's behalf) and must detail the measures for each security level. Crew must know their duties under it; the full document need not be disclosed to port state control inspectors — inspectors can verify it exists and is approved, but cannot demand to read confidential operational details.
International Ship Security Certificate (ISSC)
Issued by the flag state following verification of compliance. Required for vessels in scope. Port state control can check its validity. A vessel without a valid ISSC can be detained or denied entry.
Declarations of Security (DoS)
A DoS is a written agreement between an SSO and a PFSO (or ship-to-ship) setting out the respective security responsibilities for a specific interface. Either party may request one; certain circumstances may make it mandatory.