For any operator running ships through commercial ports, the International Ship and Port Facility Security (ISPS) Code is the rulebook that decides whether a vessel is allowed to trade at all. Get it right and port calls are routine. Get it wrong and you face detention, delay, lost charter time and, in the worst case, exposure to a security incident the framework was meant to prevent. The Code has been the backbone of maritime security for two decades, yet the threat it was built to counter has changed faster than the Code itself. This article sets out what ISPS is, why it still matters, where it strains against modern risk, and what that means for the way you plan a voyage.
What the ISPS Code actually is
The ISPS Code is an international security regime adopted by the International Maritime Organization (IMO) in 2002 and brought into force in July 2004. It was a direct response to the attacks of 11 September 2001, which forced governments to treat ships and ports as potential targets and vectors rather than purely as commercial assets. The Code sits inside Chapter XI-2 of the International Convention for the Safety of Life at Sea (SOLAS), which makes it mandatory for the great majority of vessels engaged in international trade.
In practice the Code does three things. It requires ships to carry an approved Ship Security Plan and a designated Ship Security Officer. It requires port facilities to carry an approved Port Facility Security Plan and a Port Facility Security Officer. And it ties both together through a shared, three-tier system of security levels that everyone, ship and shore, must apply consistently. A vessel that complies is issued an International Ship Security Certificate (ISSC); without a valid certificate, a ship can be refused entry or detained by Port State Control.
How the security levels work
The heart of the Code is its graduated response. Rather than a single fixed posture, ISPS asks ships and ports to scale their measures to the assessed threat. The three levels run as follows.
| Level | Meaning | Typical posture |
|---|---|---|
| Security Level 1 | Normal operations: the baseline that applies at all times | Standard access control, identity checks, routine searches and watchkeeping |
| Security Level 2 | Heightened threat: a credible risk of a security incident | Additional searches, tighter access control, increased patrols and restricted areas |
| Security Level 3 | Exceptional threat: an incident is probable or imminent | Maximum measures, often set by national authorities, including possible suspension of operations |
The level is set by the flag state for a ship and by the relevant national authority for a port facility. When a port raises its level, visiting ships must match it or exceed it. That interface, the moment a vessel and a terminal reconcile their security postures, is where most practical friction occurs and where good intelligence pays for itself.
Why ISPS still matters to operators
Two decades on, the Code remains the single most important piece of security compliance a commercial vessel carries. The consequences of non-compliance are immediate and commercial: detention by Port State Control, refusal of entry, and the cost of a ship sitting idle while a deficiency is closed out. ISPS records also feed into vetting. Charterers, insurers and terminal operators look at a vessel's security history, and a poor one narrows the trading options open to that ship.
Beyond compliance, the Code provides a common language. When a master, an agent, a terminal and a flag administration all reference the same three levels and the same plan requirements, coordination across a fragmented industry becomes possible. That shared vocabulary is a genuine achievement and one reason the framework has endured.
Where the framework strains against modern risk
The limitation of ISPS is not poor design. It is that maritime security guidance has historically evolved in response to incidents, while the threat landscape now moves faster than the regulatory cycle. The Code was written for a world of physical intrusion, stowaways, theft and terrorism at the quayside. It speaks far less clearly to the risks that now dominate operator planning.
- Drone and uncrewed-system threats: aerial and surface drones used for surveillance or attack, as seen in the Red Sea, sit outside the Code's original frame of reference.
- Cyber compromise: attacks on navigation, cargo and port-management systems can disable a vessel or terminal without anyone setting foot aboard.
- GNSS interference: jamming and spoofing of satellite positioning degrade situational awareness in exactly the chokepoints where security matters most.
- State and proxy actors: targeting linked to flag, ownership or cargo blurs the line between a security incident and a geopolitical one.
ISPS sets a floor. It does not, on its own, tell a master whether a specific port at a specific time carries an elevated risk of drone activity, port-side protest, or politically motivated targeting. That assessment has to come from somewhere else.
What it means for voyage planning
For an operator, the practical takeaway is that ISPS compliance is necessary but not sufficient. A valid certificate keeps a ship trading; it does not keep the crew ahead of a fast-moving threat. The gap is filled by current, port-specific intelligence: knowing the real security posture of a terminal before arrival, understanding why a national authority may be about to raise a level, and reading the local pattern of incidents that a static plan cannot capture. The operators who manage security well treat the Code as the baseline and layer live risk assessment on top of it.
Where Verihelm helps
This is precisely the gap Verihelm is built to close. Verihelm turns raw maritime security signals into analyst-verified intelligence, so the picture you act on is checked by people, not just scraped by machines. For ISPS-relevant decisions that means port-by-port risk assessment that goes beyond the certificate on file: the current threat posture at a facility, the drivers that could push a security level higher, and the recent incident history that shapes how cautiously a call should be handled. Operators use that view to brief masters, satisfy charterers and insurers, and decide with confidence whether a port call proceeds, proceeds with caution, or should be reconsidered. Explore how this comes together in our port risk assessment capability, where the static requirements of the ISPS Code meet the live intelligence that modern voyage planning demands.