ISPS Code Compliance: Ship Security Plan (SSP) Writing + DoS & Security Levels Procedures


Introduction: Why SSP Compliance Is Not “Just a Document”

If you work in maritime operations, you already know this: the sea is predictable compared to people. Weather follows patterns. Machinery has failure modes. But security threats? They can change fast, without warning, and they often exploit the smallest gaps—an unsecured access point, a miscommunication about security levels, or a restricted space that isn’t properly controlled.

That’s why the ISPS Code requires applicable vessels to maintain a Ship Security Plan (SSP)—a structured, ship-specific plan that defines how to prevent, detect, deter, and respond to security threats across multiple risk levels. The SSP isn’t meant to sit in a binder and collect dust. It’s intended to guide real actions: controlling access, protecting critical areas, responding to intrusions, coordinating with port facilities, and escalating measures when security levels rise.

In this blog post, you’ll learn—step by step—what an SSP must include under the ISPS framework, how security levels work, when you need a Declaration of Security (DoS), what threats the plan must address, and what the Company Security Officer (CSO), Ship Security Officer (SSO), and Port Facility Security Officer (PFSO) are responsible for. The goal is simple: make ISPS security requirements clear and practical so you can implement them confidently and stay audit-ready.


What Is the ISPS Code, and Why Does It Require an SSP?

The International Ship and Port Facility Security (ISPS) Code is the global maritime security framework that sets mandatory security requirements for ships and port facilities. A core requirement of the ISPS Code is the development and maintenance of a Ship Security Plan (SSP)—a document that details procedures for preventing and responding to security threats.

The SSP is designed to be:

  • Ship-specific (because every ship has different layouts, operations, and vulnerabilities)
  • Scalable (because the required measures change depending on the security level)
  • Operational (it must describe what people do—not just what the policy says)
  • Coordinated (it must align with port facility security expectations and authorities)

In other words: the SSP is the security “playbook” that connects shipboard operations, crew responsibilities, and port security coordination.


Applicability: Which Ships Must Have a Ship Security Plan?

Under the ISPS-related requirements, the SSP applies to:

  • Ships of 500 gross tonnage or more engaged in international voyages
  • High-speed craft
  • Mobile offshore drilling units (MODUs)

If your vessel falls under these categories, an SSP is not optional—it’s a mandatory requirement. And not just any SSP: it must be appropriate, ship-specific, and aligned with the applicable security levels and the ship’s operations.


The Core Building Block: Restricted Areas

A major SSP requirement is defining and controlling restricted areas—spaces onboard that are essential for the ship’s operation, control, and safety.

What counts as a restricted area?

Restricted areas typically include:

  • Bridge
  • Cargo control room
  • Engine control room
  • Engine room
  • Spaces with access to potable water tanks, pumps, or manifolds

These spaces matter because if an attacker (or unauthorized person) gains access, they could disrupt navigation, disable systems, damage machinery, contaminate potable water, or compromise safety.

How restricted areas change by vessel and security level

The nature and number of restricted areas are not identical for every ship. They depend on:

  • ship type and layout
  • operational profile (cargo, passenger, offshore support, etc.)
  • threat environment
  • current security level set by the relevant authority (port State)

A strong SSP doesn’t just list restricted areas. It defines:

  • how access is controlled
  • who is authorized
  • how access is monitored
  • what happens if access control is breached

Understanding the Three Security Levels (1, 2, and 3)

A core ISPS concept is scalable security levels. These levels communicate threat extent and guide required measures.

Security Level 1 — Normal Risk

This is the “baseline” level. The SSP must ensure minimum appropriate security measures are maintained at all times.

Typical expectations include:

  • controlled access points
  • identification checks as required
  • routine security patrols/rounds
  • monitoring restricted areas
  • functioning and tested security equipment

Security Level 2 — Increased Risk

When the risk increases, additional security measures must be implemented. This might happen due to intelligence, regional threats, or specific port conditions.

Examples of Level 2 intensification may include:

  • increasing frequency of security rounds
  • limiting access further
  • more thorough screening of persons and stores
  • heightened monitoring and reporting
  • stronger coordination with port facility security

Security Level 3 — Incident Imminent

This is the highest level, used when an incident is probable or imminent. At this level, the SSP requires specific and heightened measures.

Level 3 can include:

  • maximum restriction of access points
  • heightened emergency readiness
  • strict control of movement onboard
  • rapid communication to shore authorities
  • coordination with port response teams
  • preparing ship systems to prevent hostile control

Quick reference table

Security Level | Description       | Required Measures
Level 1        | Normal risk       | Minimum appropriate measures always
Level 2        | Increased risk    | Additional measures due to heightened threat
Level 3        | Incident imminent | Specific, intensified measures for imminent risk

Security Level Communication: The Ship Cannot Be “Below the Port”

Before entering a port, the Ship Security Officer (SSO) must communicate with the port to determine the applicable security level.

A critical rule is:

A ship’s security level can never be lower than the port facility’s security level.

That means:

  • If a port is Level 2, the ship must be Level 2 (or higher if required).
  • If a port is Level 3, the ship must implement Level 3 measures.

This prevents a “weak link” scenario where a ship is operating at a lower readiness level than the port facility expects.


When You Need a Declaration of Security (DoS)

When the ship and port facility are operating at different security levels, a Declaration of Security (DoS) is required.

What is a DoS?

A DoS is an agreement between:

  • a ship and a port facility, or
  • a ship and another ship (in certain interfaces)

It specifies:

  • what security measures each party will implement
  • how responsibilities are divided
  • how inconsistencies in security levels are managed

Who checks and completes the DoS?

The DoS is checked/verified by:

  • the Ship Security Officer (SSO)
  • the Port Facility Security Officer (PFSO)

Practical note for frequent port calls

If a ship frequently calls at the same port, a DoS for every call is not required if prior agreements confirm that all security measures are met before arrival.

This is operationally important: it reduces repetitive paperwork while still maintaining compliance—provided the security measures are truly consistent and verified.


Key Shipboard Operations Vulnerable to Security Threats

A good SSP doesn’t just list threats. It identifies where the ship is most vulnerable and ensures measures are in place around those operations.

Key vulnerable operations include:

  • Cargo and stowage operations
  • Navigation
  • Machinery operation and steering control
  • Crew and passenger safety

These are “high-impact” areas. Disruptions here can lead to loss of control, safety incidents, commercial disruption, or direct harm to people onboard.


Threats the SSP Must Address (Practical Coverage)

The SSP must include responses to all potential threats. These cover a broad range, including:

  • Damage from explosive devices, arson, sabotage, or vandalism
  • Hijacking or seizure of the ship or persons onboard
  • Tampering with cargo, essential equipment, ship systems, or stores
  • Unauthorized access, including stowaways
  • Smuggling of weapons or equipment, including WMD
  • Using the ship to transport people/equipment intended to cause harm
  • Using the ship itself as a weapon or as a means to cause damage
  • Attacks at sea or from shore while at berth or anchor

Why broad threat coverage matters

In security planning, threats aren’t always neat. A hostile act might begin as “unauthorized access” and escalate into sabotage. Or stowaways might enter through cargo operations. The SSP’s value is that it defines decision-making and response actions before panic sets in.


What Procedures Must Be Included in the SSP?

The SSP should clearly outline several categories of procedures. Let’s break them down in a way that’s easy to apply onboard.

1) Repelling boarders / responding to intruders and stowaways

Your plan should define:

  • detection methods (watchkeeping, patrols, monitoring)
  • reporting chain (who is informed first)
  • containment actions (secure zones, lock down points)
  • safe response (avoid escalating risk to crew)
  • coordination with authorities and port facility response teams

2) Malfunctions of security equipment

Security equipment can fail—alarms, locks, monitoring tools, communications. A robust SSP specifies:

  • how failures are reported
  • how temporary controls are implemented
  • how repairs/replacements are arranged
  • how the ship remains secure while equipment is down

3) Screening underwater hulls / searching the ship for bomb threats

This can include:

  • ship search procedures and checklists
  • who leads the search and who participates
  • how findings are reported
  • what actions are taken if a suspicious object is found
  • how the ship coordinates with shore-side responders

4) Securing access points (core control)

The SSP should clearly define:

  • all access points (gangway, pilot ladder, doors, hatches, ramps)
  • watch responsibilities
  • visitor controls and ID checks
  • escort policies
  • restrictions under each security level

5) Emergency shutdown of the main engine (prevent hostile use)

If unauthorized control is a risk, the SSP should specify:

  • who is authorized to order shutdown
  • how shutdown is executed
  • how safety is maintained during shutdown
  • what communication steps occur immediately after

6) Securing non-critical operations to focus response

In elevated security situations, ships may need to pause non-essential work to focus on security readiness. The SSP should state:

  • what qualifies as “non-critical”
  • who can halt operations
  • how the crew is re-assigned to security roles

7) Alerting ship and shore-side authorities promptly

This should cover:

  • internal communication methods onboard
  • external contacts (company, port authority, coastal state, etc.)
  • escalation steps
  • reporting format and what information is required

8) Rendering assistance to nearby ships under unlawful acts

Your plan should include:

  • safe assistance criteria (do not create additional risk)
  • communication methods
  • coordination with authorities
  • any ship-specific limitations

9) Communication methods during breaches and emergencies

An SSP is incomplete if it doesn’t specify communication:

  • onboard channels (radio procedures, alarms, muster communications)
  • ship-to-shore protocols
  • methods to coordinate with port response teams

Roles and Responsibilities: CSO, SSO, and PFSO

Security plans work when people know who owns what. Three key roles are defined.

1) Company Security Officer (CSO) — Shore-based responsibility

The CSO typically works at the shipping company office and is responsible for:

  • developing, maintaining, and enforcing SSPs
  • advising on threats using security assessments and relevant data
  • ensuring initial security assessments and annual reassessments happen
  • ensuring SSPs satisfy ship-specific needs (and fleet adaptations)
  • enhancing awareness through training and vigilance programs
  • coordinating with SSOs and port facility representatives
  • implementing approved alternative/equivalent arrangements when applicable

In practice: the CSO is the program owner and ensures the SSP stays aligned with real threats and compliance expectations.

2) Ship Security Officer (SSO) — Onboard implementation

The SSO is assigned by the company and is responsible for:

  • implementing and supervising the SSP onboard
  • conducting regular security inspections
  • proposing improvements based on onboard realities
  • promoting security awareness among crew
  • ensuring security training is adequate
  • ensuring security equipment is operated, tested, calibrated, and maintained
  • reviewing and completing the DoS checklist when required

In practice: the SSO turns the SSP into daily behavior—watchkeeping routines, access control, drills, and real-time responses.

3) Port Facility Security Officer (PFSO) — Port-side equivalent role

The PFSO is appointed at the port facility and is responsible for:

  • developing and maintaining the Port Facility Security Plan
  • coordinating with ship/company security officers and local authorities
  • acting as the key liaison at the ship–port interface

In practice: the PFSO is the ship’s security “counterpart” on shore, ensuring alignment and readiness at the port interface.


How to Make Your SSP Audit-Ready (Practical Tips)

Even if the SSP is well written, audits often focus on proof that it’s implemented.

Here are practical, ship-friendly ways to keep SSP readiness high:

Maintain clear documentation

  • keep records of security drills and training
  • document inspections and corrective actions
  • record equipment tests, calibration, and maintenance
  • keep DoS records where applicable

Run realistic drills

Drills should match likely scenarios:

  • unauthorized access at gangway
  • discovery of a stowaway
  • suspicious package/bomb threat response
  • security equipment failure + temporary control measures

Keep access control tight

This is where issues often show up:

  • ensure watch is consistent
  • maintain visitor logs
  • enforce escort rules
  • confirm restricted area controls match security level

Ensure crew awareness is continuous

Security awareness isn’t a one-time briefing. It’s:

  • regular refreshers
  • clear reporting culture (“if you see something, report it”)
  • visible leadership from the SSO

Common SSP Weaknesses (And How to Avoid Them)

If you want a plan that passes audits and actually works, avoid these common pitfalls:

“Copy-paste” SSPs

Plans must be ship-specific. A generic SSP often fails because:

  • restricted areas differ
  • access points differ
  • crew size and roles differ
  • operational patterns differ

Procedures that don’t match reality

If the SSP says “two guards at gangway” but you don’t have manpower, auditors (and real incidents) will expose the gap.

Missing escalation clarity

Under stress, vague language fails. Your SSP should define:

  • who decides actions at each security level
  • who communicates externally
  • what measures activate immediately

Poor equipment readiness

Security equipment must be:

  • tested
  • calibrated (where required)
  • maintained with records

Service Angle: What a Professional SSP Writing Service Typically Delivers

If you’re positioning this as a service (like a Fiverr gig), here’s what clients usually want—clearly stated:

✅ Ship-specific SSP writing or rewrite aligned with ISPS requirements
✅ Restricted areas identification and access control procedures
✅ Security levels (1–3) procedures clearly structured
✅ DoS guidance and checklist support for port interface requirements
✅ Threat-response procedures for intrusion, sabotage, stowaways, bomb threats, etc.
✅ Roles and responsibilities mapping (CSO, SSO, PFSO)
✅ Audit-readiness recommendations (records, drills, equipment checks)

This makes the offer concrete and easy for buyers to understand.


FAQs

What is an SSP in maritime security?

An SSP (Ship Security Plan) is a ship-specific document required under the ISPS framework that describes procedures to prevent and respond to security threats at different security levels.

What are the three security levels?

  • Level 1: normal risk, minimum measures maintained
  • Level 2: increased risk, additional measures implemented
  • Level 3: incident imminent, specific heightened measures applied

When is a Declaration of Security (DoS) required?

A DoS is required when ship and port facility security levels differ. It defines what security measures each party will implement.

Who is responsible for the SSP?

  • CSO: develops/maintains SSP program shore-side
  • SSO: implements and supervises SSP onboard
  • PFSO: manages port facility security plan and coordination

What areas are typically restricted onboard?

Common restricted areas include the bridge, cargo control room, engine control room, engine room, and spaces providing access to potable water tanks/pumps/manifolds.


Final Thoughts: A Strong SSP Protects People, Operations, and Compliance

An ISPS Code-compliant Ship Security Plan is not just a regulatory requirement—it’s a practical security system that protects your ship, crew, passengers, cargo, and operations. When done properly, the SSP makes security actions clear at every level: normal operations (Level 1), heightened risk (Level 2), and imminent incident readiness (Level 3). It also ensures smooth coordination with ports through the Declaration of Security, and it clarifies responsibilities across CSO, SSO, and PFSO roles.

If you want your SSP to be ship-specific, audit-ready, and operationally realistic—focus on restricted areas, access control, threat procedures, training, equipment readiness, and clear communication plans. That’s how you turn compliance into real security.


Meskat Ahmed Sadid 

I’m Meskat Ahmed Sadid, Web Developer at Ramlit Limited. I share clear, actionable articles on modern web development that inform, inspire, and drive results.