Quick reference: Chapter XI-2 key facts
| Item | Detail |
|---|---|
| Adopted | Diplomatic Conference, London, 9-13 December 2002 |
| ISPS Code resolution | MSC.94(73) (Part A mandatory, Part B guidance) |
| Entry into force | 1 July 2004 |
| Number of regulations | 13 (Reg 1 to Reg 13) |
| Ships in scope (cargo) | 500 GT and above on international voyages |
| Ships in scope (passenger) | All passenger ships on international voyages (any GT) |
| Ships in scope (MODU) | All MODUs on international voyages when not on station |
| Security Levels | Level 1 (normal), Level 2 (heightened), Level 3 (exceptional) |
| Ship certificate | International Ship Security Certificate (ISSC) |
| ISSC validity | 5 years; intermediate verification at 30-36 months |
| Key ship roles | SSO (on board), CSO (ashore), master (accountable officer) |
| Key port role | PFSO (Port Facility Security Officer) |
| Covert alarm | Ship Security Alert System (SSAS), minimum 2 activation points |
| Cyber-security | MSC.428(98) via ISM (effective 1 January 2021); MSC.97 ISPS amendments 2024 |
| US parallel regime | MTSA 2002, 33 CFR 101-106, MARSEC 1/2/3 |
| EU parallel regime | Regulation (EC) 725/2004; Directive 2005/65/EC |
Background: 9/11, USS Cole 2000, Achille Lauro 1985
The historical predicate for SOLAS Chapter XI-2 is a sequence of attacks against ships and the recognition that the international maritime regime had no operational compliance machinery to prevent them. Before 2001 the International Convention for the Safety of Life at Sea addressed fire, lifesaving, navigation and construction but contained no chapter on hostile acts against ships as platforms or as targets. The International Maritime Organization had addressed piracy and armed robbery through circulars and the 1988 Convention for the Suppression of Unlawful Acts Against the Safety of Maritime Navigation (SUA) had criminalised the seizure of ships, but no instrument required carriage of security plans, designation of security officers, or certification of security compliance. Port authorities maintained ad hoc access controls without an international standard.
The Achille Lauro hijacking of October 1985, in which the Palestine Liberation Front seized the Italian cruise ship in the eastern Mediterranean and murdered wheelchair-using American passenger Leon Klinghoffer, exposed the gap and triggered the SUA negotiations and IMO Circular MSC/Circ.443 on measures to prevent unlawful acts against passengers and crews. The USS Cole suicide-boat attack on 12 October 2000 in Aden harbour killed seventeen United States Navy sailors and damaged a destroyer, and although the target was a warship rather than a commercial vessel, it demonstrated the vulnerability of ships at anchor or alongside to small-craft assault. The MV Limburg attack of 6 October 2002, weeks before the Diplomatic Conference, used a small explosive-laden dhow against a French very large crude carrier off Yemen, killing one crew member and spilling approximately 90,000 barrels of oil from a commercial ship at anchor. The convergence of these incidents with the terrorist attacks of 11 September 2001 in New York, Arlington and Pennsylvania reframed the entire maritime risk calculus.
The United States, conscious that approximately 7,000 foreign-flagged vessels call at American ports each year, pressed the IMO for an accelerated regulatory response. The IMO Maritime Safety Committee convened an intersessional working group in February 2002 that produced a draft Code and a set of SOLAS amendments within nine months, a pace without precedent in the history of maritime legislation.
SOLAS 2002 Conference: insertion of XI-1, XI-2, and ISPS
The Diplomatic Conference on Maritime Security held in London from 9 to 13 December 2002 adopted SOLAS amendments creating Chapter XI-2: Special Measures to Enhance Maritime Security and the text of the ISPS Code itself as Conference Resolution 2. The Maritime Safety Committee subsequently formalized the ISPS Code as Resolution MSC.94(73), the authoritative IMO identifier for the Code. The conference simultaneously split the original Chapter XI into Chapter XI-1 on safety measures (carrying forward the enhanced survey programme, port state control on operational requirements, and the new Continuous Synopsis Record) and Chapter XI-2 on security measures. The conference also revised SOLAS Chapter V to mandate the Automatic Identification System (AIS) on a phased schedule.
The drafting work pivoted on a structural decision: the operational detail of the security regime would live in a self-standing Code with mandatory Part A and recommendatory Part B, while the SOLAS chapter itself would remain compact and frame the obligations at the level of contracting governments, companies, ships and port facilities. This separation mirrored the architecture of the ISM Code under SOLAS Chapter IX and made it possible to update the operational detail without reopening the SOLAS Convention itself through the heavier procedure of treaty amendment with the consequent risk of objection by contracting governments.
The package was adopted by consensus, with no contracting government recording an objection. Implementation guidance was issued through MSC circulars in early 2003, and Resolution MSC.159(78) on interim guidance on control measures and Resolution MSC.160(78) on the role of the IMO in maritime security were adopted by the Maritime Safety Committee at its seventy-eighth session in May 2004, weeks before entry into force.
1 July 2004 entry into force
Chapter XI-2 entered into force globally on 1 July 2004 under the SOLAS tacit-acceptance procedure. The eighteen-month implementation window between the December 2002 adoption and the July 2004 entry into force was the shortest in the history of substantive SOLAS amendments and required parallel rapid action by approximately 160 contracting governments, by classification societies and dedicated security firms acting as Recognized Security Organizations (RSOs), by approximately 60,000 SOLAS-class ships and by approximately 10,000 port facilities worldwide.
The United States acted ahead of the international timetable through the Maritime Transportation Security Act of 2002 (MTSA, signed 25 November 2002) and the implementing United States Coast Guard regulations under 33 CFR Parts 101-106, which mirrored Chapter XI-2 obligations and added the MARSEC level terminology that has since become the United States working synonym for the IMO Security Level. The MARSEC levels (MARSEC 1, MARSEC 2, MARSEC 3) map one-to-one to the IMO Security Levels under the USCG regulations at 33 CFR 101.300, though the United States Coast Guard reserves operational discretion in their setting and the MARSEC level applies to all vessels in United States waters regardless of flag. The European Union transposed Chapter XI-2 and the ISPS Code through Regulation (EC) 725/2004 of 31 March 2004 and through Directive 2005/65/EC of 26 October 2005 on enhancing port security. The Australian transposition came through the Maritime Transport and Offshore Facilities Security Act 2003 with the offshore facilities extension reflecting the North-West Shelf petroleum sector.
The first ISSCs were issued from early 2004 with effective dates of 1 July 2004; the issuance ramp peaked in May and June 2004 as flag administrations and RSOs raced to certify the global fleet ahead of entry into force. Port state control under the Paris MOU, the Tokyo MOU and the United States Coast Guard domestic vessel inspection programme began verifying ISSC validity and security plan implementation from 1 July 2004 onward, with non-compliant ships subject to detention.
Reg 1: definitions
Regulation 1 sets the definitional vocabulary for the entire chapter. The principal terms are: Bulk carrier, Chemical tanker, Gas carrier, High-speed craft, Mobile offshore drilling unit, Oil tanker and Passenger ship (referencing the Chapter I and Chapter II-1 definitions for ship-type categories); International voyage (a voyage from a country to which the Convention applies to a port outside that country); Cargo ship (a ship which is not a passenger ship); Company, Ship Security Officer, Company Security Officer, Port Facility Security Officer and Port Facility (carried into the chapter from Part A of the ISPS Code); Ship-port interface (the interactions when a ship is directly and immediately affected by activities involving the movement of persons or goods or the provision of port services to or from the ship); Ship-to-ship activity (any activity not related to a port facility involving the transfer of goods or persons from one ship to another); Designated authority (the organization or organizations identified within the contracting government as responsible for ensuring implementation of the chapter); and Security Level 1, Security Level 2 and Security Level 3.
The definitional section also imports by reference the ISPS Code (Resolution MSC.94(73)), ensuring that any definitional refinement at Code level flows automatically into the chapter without requiring re-opening of the chapter text. This was a deliberate drafting choice that preserves regulatory agility while keeping the chapter compact.
Reg 2: application scope (500 GT cargo, passenger, HSC, MODU)
Regulation 2 sets the scope of application. The chapter applies to: passenger ships, including high-speed passenger craft, on international voyages; cargo ships, including high-speed cargo craft, of 500 gross tonnes and upwards on international voyages; and mobile offshore drilling units on international voyages, when not on location. The chapter does not apply to ships of war, naval auxiliaries, or other ships owned or operated by a contracting government and used only on government non-commercial service.
The 500 gross-tonnes threshold for cargo ships, the same threshold used for the ISM Code Document of Compliance and Safety Management Certificate, anchors the scope at the level where commercial international trade is concentrated. Below 500 GT, cargo ships fall under flag-state coastal regimes and outside Chapter XI-2 obligations, although individual coastal states (notably the United States and the European Union) have extended security obligations to smaller vessels through domestic instruments.
Mobile offshore drilling units (MODUs) are within scope when transiting between locations on an international voyage but fall outside scope when on station, where they are regulated under the MODU Code and applicable coastal-state offshore safety regimes. Fixed offshore platforms are entirely outside the scope of Chapter XI-2 and are regulated through the SUA Convention and the Protocol Concerning Fixed Platforms.
Key security roles: SSO, CSO, PFSO
The chapter and Part A of the ISPS Code (MSC.94(73)) together create three security-officer roles that form the operational backbone of the regime. The table below summarises them alongside the Recognized Security Organization (RSO), which performs functions delegated by the administration.
| Role | Appointment | Scope | Key obligation |
|---|---|---|---|
| Ship Security Officer (SSO) | By company; accountable to master | Individual ship | Implement and maintain the SSP; liaise with CSO and PFSO |
| Company Security Officer (CSO) | By company | All company ships | Ensure SSA, SSP development and approval; liaison with PFSOs |
| Port Facility Security Officer (PFSO) | By port operator under contracting government | Individual port facility | Develop, implement and maintain the PFSP |
| Recognized Security Organization (RSO) | Authorized by flag/port-state administration | Flag-delegated functions | SSP/PFSP approval, ISSC issuance, security verification |
The Ship Security Officer (SSO) undergoes specific training under the STCW Convention Section A-VI/5 (Ship Security Officer training) and holds a certificate of proficiency. The STCW A-VI/5 certificate is a hard requirement: port state control under Reg 9 verifies the SSO’s qualification, and an officer designated as SSO without the certificate is a direct Reg 9 deficiency leading to corrective action or detention.
The Company Security Officer (CSO) may be designated for multiple ships in the company fleet and is typically a shore-based safety-and-security professional within the company office. A single CSO covering a large fleet is common, with the Designated Person Ashore (DPA) under the ISM Code frequently doubling as CSO in practice. The combination is an efficiency measure rather than a regulatory requirement; the separation of the DPA (safety) and CSO (security) domains is doctrinal.
The Port Facility Security Officer (PFSO) is appointed by the port facility operator under supervision of the contracting government Designated Authority. Training requirements for PFSOs are set by national port-security regulations rather than directly by the ISPS Code, though Part B Section 18 of the Code provides detailed competence guidance that many administrations adopt into domestic law.
Three Security Levels: the graduated threat framework
The chapter and Code operate on three Security Levels corresponding to graduated threat conditions:
| Level | Descriptor | Trigger | Default state |
|---|---|---|---|
| Level 1 (normal) | Routine security measures maintained at all times | Baseline; no identified specific threat | Yes: ships and port facilities normally operate at Level 1 |
| Level 2 (heightened) | Additional protective measures for the period the level is in force | Heightened risk of a security incident | No: set by flag/port-state administration when threat intelligence warrants |
| Level 3 (exceptional) | Specific protective measures for the limited period the level is in force | Security incident is probable or imminent; specific target may not be identifiable | No: set for a limited period; triggers Declaration of Security and SSP-specified Level 3 measures |
The Security Level is set by the flag administration for ships flying its flag and by the port-state administration for port facilities and ships in its ports. The default rule for ship-port interaction is that the higher of the two applicable levels applies to the ship-port interface, and a Declaration of Security is triggered when the two levels differ or when an elevated level is in force.
Level 3 is reserved for the period of time when a security incident is probable or imminent. In practice, most administrations have operated at Level 1 since 2004 for the bulk of their fleet and ports, with Level 2 activations used during heightened-threat periods (the 2019-2020 Strait of Hormuz tensions, the 2022-onward Black Sea corridor situation, the late 2023-onward Red Sea / Bab-el-Mandeb Houthi-attack crisis). Level 3 activations have been rare and geographically targeted.
Reg 3: contracting government obligations
Regulation 3 sets the obligations of contracting governments. Each contracting government is required to set the Security Level applying to ships flying its flag and to ports within its jurisdiction, to provide the security level information to ships on its register and to ships in its ports, and to review the security level periodically. Contracting governments must communicate the point of contact for security-related queries to the IMO and to other contracting governments.
The security-level setting authority is exercised at flag-state level for ships and at port-state level for port facilities, which can produce situations where a ship operating at one Security Level enters a port operating at a different Security Level. Contracting governments retain the authority to delegate security-certification functions to Recognized Security Organizations under defined conditions, paralleling the Recognised Organization framework under SOLAS Chapter XI-1 for safety functions. The delegation of security-level setting itself is not permitted; it remains a sovereign function.
Reg 4: company and ship Part A ISPS implementation
Regulation 4 is the operative obligation provision. Companies and ships shall comply with the relevant requirements of this chapter and of Part A of the ISPS Code, taking into account the guidance in Part B. The drafting elevates Part A to mandatory status (treaty-binding through this reference) while retaining Part B as recommendatory guidance, although Part B is in practice followed by RSOs and flag administrations as the de facto standard for plan content. Several administrations (notably the United Kingdom, Australia and Singapore) have made parts of Part B mandatory under domestic law for ships on their registers.
The Reg 4 obligation extends to: implementing the Ship Security Plan approved under Part A; designating a Company Security Officer and a Ship Security Officer; ensuring training and drills under the SSP; ensuring the SSP and SSA are kept on board and are accessible to authorised officers; and reporting security incidents to the flag administration.
A ship is in compliance with Reg 4 only if all four conditions are simultaneously satisfied: (i) the ship holds a valid International Ship Security Certificate issued by the flag administration or by an authorised RSO; (ii) the ship has on board the approved Ship Security Plan; (iii) the Continuous Synopsis Record under SOLAS Chapter XI-1 Regulation 5 is current and on board; and (iv) the ship is operating at the Security Level set by the flag or port state, with appropriate measures implemented at that level.
Reg 5: company-specific responsibility
Regulation 5 addresses the responsibility of the Company specifically, defined for SOLAS purposes as the owner of the ship or any other organization or person (such as the manager or bareboat charterer) that has assumed the responsibility for operation of the ship from the owner and that has agreed to take over all the duties and responsibilities imposed by the ISM Code.
Companies are required to ensure that the master has available on board, at all times, information through which officers duly authorised by a contracting government can establish: who is responsible for appointing the members of the crew or other persons currently employed or engaged on board; who is responsible for deciding the employment of the ship; and the parties to any charter parties in force.
This regulation closes a gap exposed by the Achille Lauro and other historical incidents where the chain of operational responsibility was opaque to investigators after the fact. By making this information accessible to authorised officers in real time, Reg 5 enables port-state and flag-state authorities to identify accountable parties immediately upon a security event.
Reg 6: Ship Security Alert System (SSAS)
Regulation 6 mandates the carriage of a Ship Security Alert System (SSAS), a covert means of transmitting a security alarm from the ship to the flag administration and to designated alarm receivers. The SSAS is not an onboard alarm sounder. Its defining characteristic is covert transmission: the alarm goes silently from the ship to a remote receiver, with no audible or visible signal aboard the ship to show that the alarm has been sent. This is intentional, to prevent hostile parties on board from detecting the alarm and taking countermeasures. The SOLAS XI-2/6 Ship Security Alert System calculator at ShipCalculators.com provides a compliance-threshold check for SSAS carriage requirements by ship type and year of construction.
The Reg 6 carriage timetable was:
| Ship category | SSAS fitting deadline |
|---|---|
| Ships constructed on or after 1 July 2004 | At construction |
| Passenger ships, including high-speed passenger craft, constructed before 1 July 2004 | Not later than the first survey of the radio installation after 1 July 2004 |
| Oil tankers, chemical tankers, gas carriers, bulk carriers and high-speed cargo craft of 500 GT and above constructed before 1 July 2004 | Not later than the first survey of the radio installation after 1 July 2004 |
| Other cargo ships of 500 GT and above and MODUs | Not later than the first survey of the radio installation after 1 July 2006 |
The SSAS shall, when activated: initiate and transmit a ship-to-shore security alert to a competent authority designated by the administration, identifying the ship, its location, and indicating that the security of the ship is under threat or has been compromised; not send the security alert to any other ship (the SSAS is a ship-to-shore-only alarm, never a ship-to-ship signal, to prevent inadvertent escalation or hostile-party interception); not raise any alarm onboard the ship (the covert nature is essential to prevent hostile parties from detecting that an alarm has been transmitted); and continue the security alert until deactivated or reset, with the alert persisting through reception confirmation by the receiving authority.
There must be at least two activation points, with at least one located on the navigation bridge, and they must be protected against inadvertent activation through a guard cover, a press-and-hold sequence, or a combination. The SSAS power supply must be independent of the main electrical supply so that the alarm can be activated even during power loss to the principal electrical bus. The default communication channel is Inmarsat C through the maritime mobile satellite service. Modern dedicated SSAS satellite terminals also operate over Iridium and VSAT channels with end-to-end covert routing through the flag administration and designated alarm receivers. AIS-MMSI is not considered a covert SSAS channel because the AIS signal is broadcast and can be received by other ships.
Reg 7: threats to ships in transit
Regulation 7 addresses threats to ships in transit. Contracting governments are required to set the Security Level and ensure the provision of security level information to ships operating in their territorial sea or to ships having communicated an intention to enter their territorial sea. Contracting governments shall provide a point of contact through which such ships can request advice or assistance and to which incidents can be reported. Where a risk of attack has been identified, the contracting government shall advise the ships concerned and their administration of the current Security Level and any security measures in place to provide protection against the attack.
This regulation is the legal basis for the threat-warning notices issued by flag and coastal administrations during the Gulf of Aden and Western Indian Ocean piracy crisis from 2008 onward, the Strait of Hormuz tensions of 2019-2020, the Black Sea corridor advisories from 2022 onward, and the Red Sea / Bab-el-Mandeb Houthi-attack crisis from late 2023 onward. The notices are typically issued through NAVAREA broadcasts under the SOLAS Chapter V navigational warning regime and through MSC circulars at the IMO level.
Reg 8: master’s discretion (non-overridable)
Regulation 8 preserves the master’s professional discretion for decisions that, in the master’s professional judgement, are necessary to maintain the safety and security of the ship. This includes denial of access to persons (except those identified as duly authorised by a contracting government) or their effects, and refusal to load cargo including containers or other closed cargo transport units. The Company, the charterer or any other person shall not prevent or restrict the master from making or executing any decision which, in the professional judgement of the master, is necessary to maintain the safety and security of the ship. The SOLAS XI-2/8 master’s authority security calculator provides a structured reference for the conditions under which master’s authority cannot be overridden.
The non-overridable nature of master’s discretion is critical. It mirrors the parallel master’s-discretion clause in SOLAS Chapter V Regulation 34-1 for navigational safety and creates a uniform doctrinal floor: the master cannot be ordered by the company, charterer or any commercial counterparty to take or refrain from action that the master in professional judgement considers necessary for safety or security. This shields the master legally and operationally from commercial pressure that would otherwise compromise the safety-and-security calculus.
Reg 9: port state control and compliance measures
Regulation 9 is the port state control provision for security. Authorised officers from contracting governments may inspect a ship to which Chapter XI-2 applies in any port of another contracting government, to verify that the ship has on board a valid International Ship Security Certificate or Interim International Ship Security Certificate. If clear grounds exist that the ship is not in compliance with the chapter or with Part A of the ISPS Code, control measures may be imposed.
Control measures available under Reg 9 include: inspection of the ship; delaying the ship; detention of the ship; restriction of operations including movement within the port; or expulsion of the ship from port. These measures are without prejudice to the additional or different measures under Regulation 19 of Chapter I (control measures for safety) and the Regulation 4 measures under Chapter XI-1 (port state control on operational requirements).
The Reg 9 control regime is operated in practice through the regional Memoranda of Understanding on port state control (Paris MOU, Tokyo MOU, Viña del Mar Agreement, Caribbean MOU, Indian Ocean MOU, Mediterranean MOU, Black Sea MOU, Riyadh MOU, Abuja MOU and West and Central Africa MOU), and through the United States Coast Guard, Australian Maritime Safety Authority, Transport Canada and other unilateral national PSC programmes. The targeted-inspection regimes incorporate ISSC validity and security-related deficiency history into their risk-scoring algorithms.
Reg 10: port facility requirements
Regulation 10 extends the chapter to port facilities. Each contracting government shall ensure that port facility security assessments are carried out and reviewed for each port facility serving ships engaged on international voyages. A port facility security plan (PFSP) shall be developed and maintained on the basis of the assessment for each port facility. The PFSP shall be approved by the contracting government in whose territory the port facility is located.
The contracting government may delegate the conduct of port facility security assessments and the approval of port facility security plans to a Recognized Security Organization, but the responsibility for adequacy remains with the contracting government. Each port facility within scope shall designate a Port Facility Security Officer (PFSO), who is responsible for development, implementation, review and maintenance of the port facility security plan. The PFSO is the principal point of contact for the Ship Security Officer, the Company Security Officer and the Designated Authority of the contracting government.
The European Union supplemented the Chapter XI-2 / ISPS Code port-facility regime with Directive 2005/65/EC of 26 October 2005, which extended the security perimeter to the whole port beyond the immediate ship-port interface, recognising that port-area access control is necessary to protect the ship-port interface and that landside threats can propagate to the waterside.
Reg 11: alternative security agreements
Regulation 11 authorises bilateral or multilateral alternative security agreements between contracting governments for short international voyages on fixed routes between port facilities located in their territories. The alternative arrangements must provide a level of security at least equivalent to that prescribed by the chapter and Part A of the ISPS Code, must not compromise the security of other ships or port facilities not covered by the agreement, must not result in commercial discrimination, and must be communicated to the IMO with details of the routes and ships covered.
Alternative security agreements have been concluded for: Baltic short-sea routes (multilateral arrangement among the Baltic Sea contracting governments for ferries on fixed schedules); the Gibraltar Strait Spain-Morocco ferry routes; the Adriatic intra-Schengen ferry routes; the English Channel UK-France-Belgium-Netherlands routes; and various Asian fixed-route ferry corridors. The arrangements typically rely on coordinated port-side measures, harmonised passenger and vehicle screening, and reciprocal access for security personnel.
Reg 12: equivalent security arrangements
Regulation 12 authorises equivalent security arrangements for individual ships or port facilities as a substitute for the prescribed Chapter XI-2 / Part A measures, where the administration is satisfied that the equivalent arrangements are at least as effective as the prescribed measures. The administration shall communicate to the IMO particulars of any equivalent security arrangements authorised under Reg 12.
The equivalence framework is most commonly used for: special-purpose ships with non-standard security architecture (research vessels, cable layers, specialised offshore service vessels); MODUs and FPSOs during conversion or extended station-keeping where standard ship security measures are operationally impracticable; and port facilities with unusual configurations (multi-buoy mooring systems, single-point moorings, offshore terminals) where the standard port-facility security plan model does not map cleanly. The IMO maintains a register of equivalences notified under Reg 12 within the GISIS Maritime Security module.
Reg 13: GISIS Maritime Security communications
Regulation 13 requires contracting governments to communicate to the IMO, and to make available to companies and ships, by 1 July 2004 and thereafter as updates occur, specified categories of security information: the names and contact details of the national authority or authorities responsible for ship and port facility security; the locations within their territory covered by approved port facility security plans; the names and contact details of those authorised to receive and act upon ship-to-shore security alerts referred to in Reg 6; the names and contact details of those authorised to receive and act upon any communications from contracting governments exercising control and compliance measures under Reg 9; and the names and contact details of those authorised to provide advice or assistance to ships.
The information is communicated through the Global Integrated Shipping Information System (GISIS) Maritime Security module, the IMO’s online database that consolidates national contact details and approved port facility lists for use by ships, companies, RSOs and other contracting governments. The GISIS Maritime Security module is partially public and partially restricted to designated national authorities, with sensitive operational details (alarm-receiver contact points, incident-reporting channels) protected from open disclosure.
ISPS Code Part A + Part B structure (MSC.94(73))
The ISPS Code adopted as Resolution MSC.94(73) is divided into Part A: Mandatory Requirements and Part B: Guidance. Part A specifies the ship security plan content, the ship security assessment methodology, the role of the Ship Security Officer, the role of the Company Security Officer, the role of the Port Facility Security Officer, the port facility security plan content, the port facility security assessment methodology, the training, drills and exercises requirements, the verification and certification regime, and the records and reporting obligations. Part B provides extensive non-binding guidance on how to comply with Part A, including model security plan structures, threat-assessment methodologies, drill scenarios and inspection checklists.
Part A is mandatory through the SOLAS Chapter XI-2 Regulation 4 reference; Part B is recommendatory but is followed in practice by RSOs and flag administrations as the de facto compliance standard. The ISPS Code was adopted as a standalone instrument at the 2002 Diplomatic Conference and then incorporated into the SOLAS framework through the Chapter XI-2 reference, preserving the ability to amend the Code through a simpler MSC resolution process rather than through a formal SOLAS Convention amendment under Article VIII.
Ship Security Plan (SSP) approval workflow
The Ship Security Plan (SSP) is the operational security document for each ship, addressing access control, restricted areas, cargo handling security, ship’s stores security, monitoring of restricted areas, training, drills, exercises, and the response to security threats including the response to ship security alerts. The SSP is confidential: it is not subject to inspection by port state control officers except as provided under Reg 9, and the contents are accessible only to the master, the SSO, the CSO, the company senior management with security responsibility, the flag administration, and the RSO that approved it.
The SSP approval workflow runs as follows: the Company Security Officer ensures that a Ship Security Assessment (SSA) is carried out for each ship; the SSA findings are translated into a draft SSP; the draft SSP is submitted to the flag administration or to a Recognized Security Organization authorised by the flag administration; the administration or RSO reviews the SSP for compliance with Part A and (typically) Part B of the ISPS Code; on approval, the SSP becomes the operative document and the International Ship Security Certificate can be issued. The SSP must be reviewed periodically and amended whenever significant changes occur in the ship, its operations, or the threat environment.
Ship Security Assessment (SSA) as SSP precondition
The Ship Security Assessment (SSA) is the analytical foundation for the Ship Security Plan and is required by Part A of the ISPS Code MSC.94(73) as a precondition to SSP development. The SSA addresses: the identification of existing security measures, procedures and operations; the identification and evaluation of key shipboard operations that it is important to protect; the identification of possible threats to those operations and the likelihood of their occurrence in order to establish and prioritize security measures; and the identification of weaknesses, including human factors, infrastructure, policies and procedures.
The SSA is typically conducted by a security professional with expertise in threat assessment, working with the Company Security Officer, the master and the Ship Security Officer. The SSA output is a written assessment report retained by the company that informs the SSP. The SSA is reviewed periodically, typically on the same cycle as the SSP, and is updated whenever the threat environment, the ship configuration, or the trade pattern materially changes. Post-2024, the SSA must also address cyber-security threats under the MSC.97 amendments.
International Ship Security Certificate (ISSC)
The International Ship Security Certificate (ISSC) is the security counterpart to the Safety Management Certificate under the ISM Code and the various statutory certificates under SOLAS Chapter II-1 and the load-line and tonnage conventions. The ISSC certifies that the ship has on board an approved Ship Security Plan, that the SSP has been verified by the flag administration or by an RSO acting on its behalf, and that the ship is in compliance with Chapter XI-2 and Part A of the ISPS Code MSC.94(73).
The certificate is issued in the form prescribed in the Appendix to Part A of the ISPS Code. It is held on board at all times in original form and is presented to authorised officers exercising port state control under Reg 9. The certificate is supplemented by the Continuous Synopsis Record (which records all ISSC issuance and re-issuance events) and by the master’s records of security drills and exercises under the SSP.
An Interim International Ship Security Certificate may be issued for a period not exceeding six months in defined circumstances: a ship without a certificate at delivery or before entry into service; transfer of a ship from one contracting government to another; or transfer of a ship to a company assuming responsibility for its operation for the first time. The interim certificate is a transitional instrument that buys time for the standard verification cycle to commence and cannot be renewed.
ISSC 5-year cycle and intermediate verification
The ISSC has a maximum validity of five years from the date of issue. An intermediate verification is required between the second and third anniversary of the certificate, conducted between 30 and 36 months from the date of issue, to confirm continued compliance. A renewal verification is required prior to expiry and not more than three months before the certificate expiration date, with a new certificate issued for a further five years.
The 30-36 month window gives the verification body flexibility to schedule the audit at a convenient port call without forcing an exact two-and-a-half-year date, while ensuring the certificate cannot remain unverified for the full five-year cycle. Additional verifications may be required after a security incident, after a substantial modification to the ship affecting security arrangements, or where a flag-state or port-state authority has imposed a verification requirement following a control measure under Reg 9. Failure to maintain the verification cycle invalidates the ISSC and triggers Reg 9 control measures including potential detention.
The ISSC verification cycle parallels the Safety Management Certificate (SMC) cycle under the ISM Code (also five years with intermediate verification), and many flag administrations and RSOs run the ISSC and SMC verifications jointly to reduce ship-time and inspection-cost duplication. The combined ISM-ISPS audit is the dominant industry practice as of 2026.
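The five-year term, the 30-36 month intermediate window, the three-month renewal window and the six-month interim limit described above can be checked mechanically across a fleet. The tracker below is an added example, not part of the original page or of any IMO, flag-state or RSO tool; the ship names, dates, finding codes and the 90-day reminder lead (`warn_days`) are assumptions made for illustration.

```python
"""ISSC verification-cycle tracker (added example; constructed sample data)."""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

FULL_TERM_MONTHS = 60           # maximum validity: five years from date of issue
INTERIM_TERM_MONTHS = 6         # interim certificate: not exceeding six months
INTERMEDIATE_WINDOW = (30, 36)  # intermediate verification, months from date of issue
RENEWAL_LEAD_MONTHS = 3         # renewal verification: not more than 3 months before expiry


def add_months(d: date, months: int) -> date:
    """Shift by whole months; clamp to month end (31 Aug + 30 months -> 28/29 Feb)."""
    year, month0 = divmod(d.year * 12 + d.month - 1 + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


@dataclass(frozen=True)
class Issc:
    issued: date
    expires: date
    interim: bool = False
    intermediate_endorsed: Optional[date] = None  # date of the endorsement, if any


def intermediate_window(cert: Issc) -> Tuple[date, date]:
    """First and last day on which the intermediate verification may be held."""
    lo, hi = INTERMEDIATE_WINDOW
    return add_months(cert.issued, lo), add_months(cert.issued, hi)


def check_issc(cert: Issc, today: date, warn_days: int = 90) -> List[str]:
    """Return finding codes for one certificate; an empty list means nothing is due.

    warn_days is an assumed internal reminder lead time, not an ISPS Code requirement.
    """
    findings: List[str] = []
    term = INTERIM_TERM_MONTHS if cert.interim else FULL_TERM_MONTHS
    if cert.expires > add_months(cert.issued, term):
        findings.append("VALIDITY_EXCEEDS_LIMIT")
    if today > cert.expires:
        findings.append("EXPIRED")
    if cert.interim:
        # Interim certificates cannot be renewed and carry no intermediate verification.
        return findings

    opens, closes = intermediate_window(cert)
    endorsed = cert.intermediate_endorsed
    if endorsed is not None:
        if not opens <= endorsed <= closes:
            findings.append("INTERMEDIATE_ENDORSED_OUTSIDE_WINDOW")
    elif today > closes:
        # Per the text above, a missed intermediate verification invalidates the ISSC.
        findings.append("INTERMEDIATE_MISSED")
    elif today >= opens:
        findings.append("INTERMEDIATE_WINDOW_OPEN")
    elif today >= opens - timedelta(days=warn_days):
        findings.append("INTERMEDIATE_APPROACHING")

    if add_months(cert.expires, -RENEWAL_LEAD_MONTHS) <= today <= cert.expires:
        findings.append("RENEWAL_WINDOW_OPEN")
    return findings


# Constructed sample fleet: ship names and dates are placeholders.
FLEET: Dict[str, Issc] = {
    "EXAMPLE ALPHA": Issc(date(2021, 8, 31), date(2026, 8, 30)),
    "EXAMPLE BRAVO": Issc(date(2022, 3, 15), date(2027, 3, 14),
                          intermediate_endorsed=date(2024, 10, 2)),
    "EXAMPLE CHARLIE": Issc(date(2025, 1, 10), date(2025, 7, 9), interim=True),
}


def fleet_report(today: date) -> Dict[str, List[str]]:
    """Run the check for every ship in the sample fleet."""
    return {name: check_issc(cert, today) for name, cert in FLEET.items()}


if __name__ == "__main__":
    for name, findings in fleet_report(date(2024, 9, 1)).items():
        print(f"{name}: {', '.join(findings) or 'OK'}")
```

The month-end clamp matters for certificates issued on the 29th to 31st: a certificate issued on 31 August 2021 has an intermediate window that opens on 29 February 2024, not in March.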
Continuous Synopsis Record (CSR) since 2004
The Continuous Synopsis Record (CSR) is the on-board document required by SOLAS Chapter XI-1 Regulation 5 (not Chapter XI-2 itself, but adopted in the same 2002 package and operationally interlocked with the security regime). The CSR records the ship’s complete history from the date of entry into force (1 July 2004) and includes: the flag state, the date on which the ship was registered, the ship identification (IMO) number, the name of the ship, the port of registration, the name of the registered owner, the name and registered address of the bareboat charterer (if applicable), the name of the company as defined for ISM purposes, the name of the classification society, the name of the administration that issued the Document of Compliance under the ISM Code, the name of the body that performed the audit on the basis of which the Document of Compliance was issued, the name of the administration that issued the Safety Management Certificate, the name of the body that performed the audit on the basis of which the SMC was issued, the name of the administration that issued the International Ship Security Certificate, and the name of the body that performed the verification on the basis of which the ISSC was issued.
The CSR is updated whenever any of the recorded particulars change. The previous CSRs are retained on board for a period of at least 15 years to provide the full history of the ship. The 15-year retention period matches the typical commercial life span of a ship’s principal characteristics (flag, name, owner) and provides a coherent audit trail that survives most ownership changes. The CSR is examined by port state control under Chapter XI-1 Regulation 4 and is one of the standard documents inspected during the security-related PSC examination under Chapter XI-2 Reg 9.
Recognized Security Organization (RSO) framework
The Recognized Security Organization (RSO) is the security counterpart of the Recognised Organization (RO) under SOLAS Chapter XI-1. An RSO is an organisation with the appropriate expertise in security matters and knowledge of ship and port operations, authorised by a contracting government to carry out specified ISPS Code functions on its behalf. These functions may include: approval of Ship Security Plans, verification of ship security on behalf of the administration, issuance of ISSCs on behalf of the administration, conduct of port facility security assessments, and approval of port facility security plans.
A contracting government cannot delegate the setting of Security Levels to an RSO; this remains a sovereign function reserved to the administration. The delegation rules and oversight requirements are set out in Resolution MSC.196(80) of 2005 and in subsequent MSC circulars. The IACS member classification societies operate as the largest RSO group, with Lloyd’s Register, DNV, ABS, Bureau Veritas, ClassNK, RINA, Korean Register, CCS and Russian Maritime Register authorised by multiple flag administrations, and Indian Register of Shipping (IRS) holding RSO authorisation from the Government of India and several other administrations. Dedicated security firms also operate as RSOs for niche segments.
The classification societies provide the SSA, SSP approval, ISSC issuance and renewal verification services as part of their integrated statutory-services portfolios, frequently bundled with ISM Code DOC and SMC services, with SOLAS Chapter II-1 construction certificates, with the load-line certificate, with the IOPP and IAPP certificates and with the IBWMC.
Declaration of Security (DoS) for Level 2/3 interactions
The Declaration of Security (DoS) is a written agreement between a ship and either a port facility or another ship, recording the security measures each party will implement during a specific ship-port or ship-to-ship interface activity. The DoS is required when: the ship is operating at a higher Security Level than the port facility or another ship with which it is interfacing; there is a security agreement between contracting governments covering certain international voyages; there has been a security threat or security incident involving the ship or the port facility; the ship is at a port not required to have an approved port facility security plan; or the ship is conducting ship-to-ship activities with another ship not required to have an approved ship security plan.
The DoS form is set out in Appendix 1 to Part B of the ISPS Code MSC.94(73). The DoS is completed and signed by the master or the Ship Security Officer for the ship and by the Port Facility Security Officer for the port facility (or by the SSO for the other ship in a ship-to-ship interaction). The completed DoS is retained by the ship for at least the duration of the visits covered by the DoS or the next ten consecutive ports of call, whichever period is longer, in line with the Part A retention requirement. The 10-port retention window provides an auditable record for port state control inspectors examining the previous call history.
2014 MSC.92 and MSC.93: piracy and armed robbery measures
The MSC.92 session of June 2013 and subsequent MSC.93 in May 2014 adopted additional measures to address the Gulf of Aden and Western Indian Ocean piracy crisis that had peaked in 2010-2012 with hundreds of attacks per year and tens of crew members held hostage. The measures consolidated the operational guidance into MSC.1/Circ.1339 (Best Management Practices for Protection against Somalia-Based Piracy, BMP4, later updated to BMP5 in 2018) and into MSC.1/Circ.1405 and MSC.1/Circ.1406 (guidelines on the use of Privately Contracted Armed Security Personnel, PCASP, on board ships in the High Risk Area).
The PCASP framework was novel for the IMO regime: it acknowledged that flag-state authorities could permit the carriage of armed private security teams on commercial vessels in defined high-risk transit corridors, subject to flag-state authorisation, port-state acceptance, weapons-handling protocols, and rules-of-engagement aligned with international law. The framework remains in force and has been adapted for the Gulf of Guinea piracy environment from 2018 onward and for the Red Sea / Bab-el-Mandeb Houthi-attack environment from late 2023 onward.
Resolution MSC.428(98): cyber risk management in SMS (effective 1 January 2021)
Resolution MSC.428(98) of June 2017 confirmed that an approved Safety Management System should take into account cyber-risk management in accordance with the objectives and functional requirements of the ISM Code. The resolution specifies that the requirement applies from the first annual verification of the company’s Document of Compliance after 1 January 2021, meaning that all DOC-holding companies were brought into the cyber-risk regime through the 2021-2022 verification cycle.
The resolution anchors cyber security initially in the ISM Code safety management regime rather than in the ISPS security regime, which was a deliberate structural choice: the ISM DOC covers the whole company and all its ships, making it a faster implementation vehicle than the ship-by-ship ISSC cycle. The IACS Unified Requirements E26 (cyber resilience of ships) and E27 (cyber resilience of on-board systems and equipment), mandatory for newbuildings with contract dates from 1 January 2024, build on the MSC.428(98) baseline and extend it into specific technical requirements for OT system segmentation, network architecture and software lifecycle management.
The IACS URs E26 and E27 require that cyber-resilience functions be treated as software that affects vessel safety, triggering documentation, change-management and type-approval processes at the classification society level. Systems in scope include bridge navigation (ECDIS, GPS/GNSS, radar, AIS), propulsion and machinery control, cargo monitoring and loading computers, ballast water treatment systems, and crew communications. The URs require network segmentation between operational technology (OT) networks and IT / crew welfare networks, with firewall rules and anomaly detection at the boundary. For existing ships not subject to the 1 January 2024 newbuild cut-off, MSC.428(98) compliance is assessed through the ISM SMS internal audit and the DOC annual verification, without the same technical prescription as the IACS URs.
MSC.428(98) is the operational predecessor to the 2024 cyber-security amendments under the security regime, with the safety regime (ISM) and the security regime (ISPS) progressively converging on a unified cyber-risk management framework.
2024 MSC.97 cyber-security amendments to the ISPS regime
The MSC.107 session of June 2023 and MSC.108 in December 2023 progressed the dossier of cyber-security amendments to Chapter XI-2 and the ISPS Code, with formal adoption targeted through the MSC amendment cycle. These amendments build on Resolution MSC.428(98) and extend cyber-security treatment specifically into the security regime, recognising that the convergence of operational technology (OT) and information technology (IT) systems on modern ships makes cyber attacks a credible vector for security compromise.
The documented incidents that drove the regulatory response include: the 2017 Maersk NotPetya incident (ransomware propagated via the global Maersk network, disrupting vessel operations across the fleet); the 2020 CMA CGM ransomware attack (Ragnar Locker ransomware affecting shore-based and vessel systems); the 2020 MSC ransomware attack (affecting shore-based booking and operational systems); and the 2023 DNV ShipManager ransomware attack (affecting ship management software used by approximately 70 vessels). Each incident involved commercially significant disruption without requiring any physical boarding of the ship.
The cyber-security amendments require the SSA to address cyber-security threats and the SSP to address cyber-security mitigations alongside physical-security mitigations. The flag administration or RSO approving the SSP must verify that cyber-security has been adequately addressed in the assessment and the plan. Implementation is staged through the next ISSC verification cycle for each ship in scope, meaning the cyber-security elements will be progressively integrated through the 2024-2029 period.
PSC inspection: ISSC, SSO docs, DoS, and security drills
A typical port state control inspection under Reg 9 examines the security regime through a structured documentation review and limited operational sampling. The standard inspection items are:
- ISSC validity check: date of issue, date of expiry, intermediate verification endorsement, RSO or administration issuing the certificate, IMO number consistency with the rest of the ship’s documentation.
- SSO documentation: Ship Security Officer certificate of proficiency under STCW A-VI/5, drill records under the SSP, training records for the ship’s crew on security duties.
- CSO contact: Company Security Officer name, contact details, 24/7 reachability through the contact channel notified in the GISIS module.
- Declaration of Security (where applicable): copies retained on board for the previous ten ports of call, with dates, port facilities, security levels and signatures.
- CSR: under Chapter XI-1 Reg 5, examined for consistency with the ISSC issuing-authority record and with the rest of the ship’s flag and ownership history.
- Security drill records: periodic drills required under Part A of the Code, with dates, scenarios, participants, debrief records and corrective actions.
- Sampling of security measures in operation: access control at the gangway, restricted-area signage, monitoring of the ship’s environs, and (where the inspection is at Security Level 2 or 3) the elevated measures specified in the SSP.
Where the inspection identifies a deficiency, the ship is given an opportunity to rectify before sailing or, where the deficiency is serious, may be detained under Reg 9 until the deficiency is rectified. Persistent deficiencies feed into the regional MOU risk-scoring algorithms and elevate the inspection probability for the ship and the company on subsequent port calls.
Compliance errors observed in PSC inspections
Common compliance failures observed during port state control inspections across the Paris MOU, Tokyo MOU, USCG and other PSC regimes include the following:
ISSC expiry not tracked: a recurring deficiency with smaller operators with thin shore-office capacity. The ISSC five-year cycle requires active diary management; the intermediate verification window of 30-36 months is missed when the company relies on the RSO to initiate contact rather than tracking internally. Failure to maintain the intermediate verification invalidates the ISSC and brings the ship to a halt at its next PSC port call.
SSO not certified: master designating a deck officer without the STCW A-VI/5 certificate, or designating an officer whose certificate has expired. The STCW Convention training requirements for SSOs are not relaxed because the ship is operating at Security Level 1. PSC inspectors check the STCW certificate against the ISSC as a routine step.
CSR not updated after a flag, name or ownership change. The CSR is a live document that must be amended when any of the recorded particulars change; a CSR that reflects former ownership while the ISSC reflects current ownership creates an inconsistency that triggers an explanation obligation under Reg 9.
DoS not signed at Level 2/3 or at asymmetric-level interactions. Companies whose ships call at ports where the port has raised to Level 2 without notifying the ship in advance are particularly exposed; the SSO must proactively inquire about the port security level on arrival.
Drill records absent or generic: drills not actually conducted, or recorded in template form without scenario-specific detail. Part A of the Code requires that records show the scenario, date, participants, outcome and corrective actions. Generic records signal that the SSP is not being actively implemented.
SSP not amended after a substantial modification to the ship affecting security arrangements, for example after fitting new cargo-area access controls or after a change in trade pattern. The SSP is a living document tied to the specific ship configuration and trade; it cannot be a one-time document filed at ISSC issuance.
Cyber-security elements absent from the SSA and SSP following the 2024 amendments: ships whose SSPs pre-date the 2024 cyber-security amendments and have not been updated through the renewal verification cycle are at risk of a finding where the RSO or PSC inspector identifies a material gap between the SSP contents and the current ISPS requirements. The 2024 amendments are not retrospective to completed ISSCs, so the exposure window is narrow at any given time, but companies that have not flagged the cyber-security update requirement in their SSP review cycle will encounter it as a deficiency at first renewal after the amendment effective date.
Relationship to ISM Code (safety vs. security domains)
The ISM Code under SOLAS Chapter IX and Chapter XI-2 / the ISPS Code share a parallel architecture but cover distinct domains. The ISM Code addresses safety management: prevention of marine casualties, environmental protection, and safe operations of ships and equipment. Chapter XI-2 / ISPS addresses security management: prevention of unlawful acts against ships and port facilities. The certificate frameworks run in parallel: the ISM Code uses the Document of Compliance (DOC) for the company and the Safety Management Certificate (SMC) for the ship; the ISPS regime uses no company-level certificate but uses the International Ship Security Certificate (ISSC) for the ship.
The dual-domain integration in practice is extensive: most flag administrations and RSOs run combined ISM-ISPS audits on a single visit; the on-board documentation uses a unified safety-and-security management system handling both domains; the master serves as the on-board accountable officer for both regimes (with the SSO subordinate to the master for security and the on-board ISM officer subordinate to the master for safety); and the company shore office typically merges the Designated Person Ashore (DPA) under ISM with the Company Security Officer (CSO) under ISPS. The separation is doctrinal (treaty law) rather than operational (industry practice).
Relationship to MARPOL and BWM (distinct regimes)
The MARPOL Convention addresses pollution prevention and the Ballast Water Management Convention addresses invasive aquatic species control, both as environmental-protection regimes distinct from the security regime under SOLAS Chapter XI-2 / ISPS. The certificates are separate: MARPOL uses the IOPP, IAPP and other annex-specific certificates; BWM uses the International Ballast Water Management Certificate (IBWMC); ISPS uses the ISSC.
Operational interfaces exist: the Ship Security Plan addresses access to ballast pump rooms, oil-record-book locations and pollution-prevention equipment as restricted areas where security-related access control matters; the port facility security plan addresses the security of bunker barges, oil-spill response equipment and ballast water reception facilities in the port. The integrated audit for a modern ship is consequently a four-stream exercise (safety / security / environment / labour standards under MLC 2006), reflected in the consolidated audit programmes operated by the major flag administrations and RSOs.
PSC regimes applying Chapter XI-2 worldwide
The regional Memoranda of Understanding on port state control collectively inspect tens of thousands of ships per year, with Chapter XI-2 / ISPS compliance forming a standard check item in each regime’s inspection form:
- Paris MOU: 27 European and North Atlantic port-state members; highest total inspections by volume. ISSC validity is a documentary check item on every inspection.
- Tokyo MOU: 21 Asia-Pacific port-state members covering the world’s busiest maritime trade corridors. Concentrated ISPS deficiency data from the South-East and East Asian port calls.
- United States Coast Guard (33 CFR Parts 101-106): applies the MTSA/ISPS-equivalent regime unilaterally to all vessels in United States waters; MARSEC levels set by the USCG.
- Indian Ocean MOU, Mediterranean MOU, Black Sea MOU, Caribbean MOU, Riyadh MOU, Abuja MOU, West and Central Africa MOU: each covers regionally relevant port-call volumes, with ISPS deficiencies feeding into the IMO GISIS database and the regional detention registers.
The USCG, AMSA (Australian Maritime Safety Authority) and Transport Canada operate independent unilateral programmes in addition to participating in the MOU regimes, and their data feeds into the international CIC (Concentrated Inspection Campaign) exercises coordinated through the IMO when a particular compliance area is targeted.
RSO services from IACS classification societies
The IACS member classification societies are the dominant providers of Recognized Security Organization services worldwide:
- DNV (Norway): RSO authorisation from Norway, Liberia, Singapore, Greece, Malta and other major flag administrations.
- Lloyd’s Register (LR) (UK): RSO for the United Kingdom, Liberia, Marshall Islands, Singapore, Greece, Cyprus and others.
- American Bureau of Shipping (ABS) (USA): RSO for USCG delegations, Liberia, Marshall Islands, Bahamas and others.
- Bureau Veritas (BV) (France): RSO for France, Malta, Liberia, Cyprus, Greece and others.
- ClassNK (NK) (Japan): RSO for Japan, Panama, Singapore, Liberia, Marshall Islands and others.
- RINA (Italy): RSO for Italy, Malta, Marshall Islands, Liberia and others.
- Korean Register (KR) (South Korea): RSO for South Korea, Panama, Liberia, Marshall Islands and others.
- CCS (China): RSO for China and the Hong Kong Special Administrative Region.
- Russian Maritime Register (RS) (Russia): RSO for Russia and several Commonwealth of Independent States flags.
- Indian Register of Shipping (IRS) (India): RSO for India and emerging African flag administrations.
Independent dedicated security firms (Securewest, MAST, NEAS and others) also operate as RSOs for niche segments, particularly offshore drilling units, specialised research vessels, and high-risk-route consultancy. The classification-society dominance of the RSO market reflects the existing relationship between the class society and the ship on other statutory certificates; bundling the ISSC renewal with the SMC renewal reduces port time and survey cost.
MASS and autonomous-vessel security considerations (under development)
The IMO Maritime Safety Committee has been developing the regulatory framework for Maritime Autonomous Surface Ships (MASS) since 2017, with the MASS Code under development for adoption in the late 2020s. The security-regime implications are under active discussion at the IMO as of 2026 but no adopted amendments to Chapter XI-2 address MASS specifically.
The principal adaptations under discussion include: the role of the master and the Ship Security Officer for ships without on-board crew, with security accountability shifting to the Remote Operations Centre (ROC) operator; the physical access control model for ships without on-board personnel, relying on perimeter sensors and remote monitoring; the SSAS activation for ships without on-board personnel via automated trip-points and ROC-initiated alarms; and the Declaration of Security workflow for ship-port and ship-to-ship interfaces involving uncrewed ships. The MASS Code, when adopted, is expected to address these adaptations through dedicated security regulations rather than through stretching the existing Chapter XI-2 / ISPS Code text. Until that adoption, the existing Chapter XI-2 regulations apply to all ships within scope on a best-fit basis.
Worked example: Level 2 interaction and DoS requirement
A 30,000 GT bulk carrier registered in Liberia is on a voyage from Newcastle (Australia) to Qingdao (China) with a transhipment stop in Singapore. The Liberian Maritime Authority has set Security Level 1 for ships on its register; the Australian Maritime Safety Authority has set Security Level 1 for the Newcastle port; the Singapore Maritime and Port Authority has set Security Level 2 in response to a regional threat advisory; the China MSA has set Security Level 1 for Qingdao.
Applying the chapter: the ship operates at Level 1 in transit and Level 1 at Newcastle (ship-port interface at Level 1, no DoS triggered). At Singapore, the ship escalates to Level 2 in line with the port. A Declaration of Security is signed between the SSO and the Singapore PFSO recording the security measures each party will implement at Level 2. The DoS is retained on board for at least 10 consecutive ports of call after Singapore. At Qingdao the ship operates at Level 1, and the ISSC, SSP, CSR and security drill records are made available to port state control on request.
If AMSA boards at Newcastle, the inspector verifies ISSC validity, examines the CSR for ownership-and-flag consistency, samples security drill records, and confirms the SSO’s STCW A-VI/5 certificate. If no deficiencies are found, the ship sails on schedule. An expired SSO certificate at that inspection results in a Reg 9 deficiency and delay until rectified. In that case the ship is flagged in the Paris and Tokyo MOU databases, elevating its inspection probability at the next five to ten port calls.
Limitations
The SOLAS Chapter XI-2 / ISPS Code regime carries inherent structural constraints that practitioners and administrators need to keep in mind:
The regime is port-call-centric. Chapter XI-2 focuses on security at the ship-port interface. It provides limited coverage of ships on the high seas outside a port state’s territorial waters, where the SUA Convention and flag-state jurisdiction apply but enforcement reach is limited. Ships can be at Security Level 1 in deep ocean while facing threat conditions that justify Level 2 or Level 3 operationally.
RSO quality varies. The RSO framework depends on the flag administration’s oversight of its authorised RSOs. Flag states with thin oversight capacity may authorise RSOs without adequate quality-assurance programmes, leading to SSPs that are formally approved but substantively inadequate. The IMO and the regional MOUs have no direct oversight mechanism over RSO quality; the main feedback channel is port state control deficiency data flowing back to flag administrations.
The 500 GT threshold leaves gaps. Small cargo vessels below 500 GT fall outside Chapter XI-2 unless brought in by domestic law. The United States MTSA and the EU Regulation 725/2004 extend coverage below 500 GT, but the international maritime trade below the threshold (particularly in coastal and short-sea shipping in parts of Africa, South Asia and South-East Asia) operates without a uniform international security standard.
Cyber security was retrofitted, not designed in. The 2002 framework pre-dates the OT/IT convergence of modern ships. MSC.428(98) and the 2024 MSC.97 amendments address the gap, but implementation is spread across ISSC verification cycles running through 2029, creating a transitional period where different ships are at different cyber-maturity levels and PSC inspectors have limited standardized tools to assess cyber compliance.
Part B guidance remains non-binding. Despite being the de facto standard for SSP content, Part B of the ISPS Code MSC.94(73) has no mandatory force of its own. Administrations that have not domestically mandated Part B can approve SSPs that deviate from Part B guidance without technical violation, potentially creating inconsistency across flag registries.
The regime does not cover stowaways or migrants as security threats. ISPS access control measures intersect with stowaway and irregular migration management, but the legal framework for stowaways under SOLAS Chapter XI-1/10 and the FAL Convention is distinct from the security regime, and the conflation of the two can lead to operational confusion about which obligations apply and to whom.
See also
- ISPS Code
- ISM Code
- SOLAS Chapter XI-1: Special Measures to Enhance Maritime Safety
- SOLAS Chapter II-2: Fire Protection, Detection and Extinction
- SOLAS Chapter V: Safety of Navigation
- STCW Convention
- MLC 2006
- MARPOL Convention
- Ballast Water Management Convention
- Polar Code
- Hong Kong Convention
- COLREGs Convention
- SUA Convention 1988
- Paris MOU
- Tokyo MOU
- IMO 2020 Sulphur Cap
References
References include the IMO Maritime Security and ISPS Code overview pages, the consolidated text of SOLAS Chapter XI-2: Special Measures to Enhance Maritime Security as amended through 2024, the International Ship and Port Facility Security Code Parts A and B adopted as Resolution MSC.94(73) and subsequently amended, the December 2002 SOLAS Conference Final Act and Resolutions, Resolution MSC.196(80) of 2005 on procedures for boarding, Resolution MSC.428(98) of June 2017 on Maritime Cyber Risk Management in Safety Management Systems with effect from the first annual verification of the company’s Document of Compliance after 1 January 2021, the IMO Ship Security Alert System reference materials, the IMO Continuous Synopsis Record reference materials, the IMO GISIS Maritime Security module public interface, the IACS Recognized Organization and Recognized Security Organization framework documents, the IMO maritime cyber risk management hot topic page, the IMO Maritime Autonomous Surface Ships regulatory development materials through the MASS Code drafting cycle, the United States Maritime Transportation Security Act of 2002 implementing 33 CFR Parts 101-106, the European Union Regulation (EC) 725/2004 of 31 March 2004 and Directive 2005/65/EC of 26 October 2005 on enhancing port security, and the regional Memoranda of Understanding on Port State Control through the Paris MOU, Tokyo MOU, Indian Ocean MOU, Mediterranean MOU, Caribbean MOU, Black Sea MOU, Riyadh MOU, Vina del Mar Agreement, Abuja MOU, and West and Central Africa MOU. Full citation links appear in the frontmatter.