ISPS Code

ISPS applies to ships on international voyages, including passenger ships and cargo ships of 500 GT or more, plus mobile offshore drilling units, as well as the port facilities serving them. For yachts, the practical takeaway is clear, commercial yachts of 500 GT and above engaged on international voyages are typically within scope. Private yachts are generally outside the Code, although some flags or port facilities may require equivalent measures for berthing or events.

Industry and flag-facing guidance echoes this threshold for commercial yachts at or above 500 GT, with passenger-carrying thresholds triggering passenger ship rules. Always check your flag state rules and the destination port’s instructions before a crossing or season start.

How ISPS works, in plain language

ISPS organizes security around three core building blocks.

Security levels

Authorities set a level, and you respond with predefined measures. Level 1 is the baseline, Level 2 requires additional protections for a period of heightened risk, and Level 3 calls for specific, temporary measures when an incident is probable, imminent, or occurring. You will also see MARSEC terminology in the United States, which mirrors these three tiers.

Defined roles and plans

Each applicable ship designates a Company Security Officer (CSO) shoreside and a Ship Security Officer (SSO) on board. Ports appoint a Port Facility Security Officer (PFSO). Together, they conduct a Ship Security Assessment (SSA) and maintain the Ship Security Plan (SSP), the practical playbook for access control, restricted areas, monitoring, stores handling, visitor management, drills, and records. Your compliance is evidenced by the International Ship Security Certificate (ISSC), normally valid for five years with periodic verifications.

Ship–port coordination tools

When needed, a Declaration of Security (DoS) aligns responsibilities at the interface, for example during a heightened level, when the yacht or port has vulnerabilities, or during special operations. The DoS format and trigger conditions draw from Part B and local law.

A final, often overlooked component is the Ship Security Alert System (SSAS), a silent distress function that sends a covert alert with your identity and position to predesignated recipients. Regulations for SSAS placement and operation live under SOLAS XI-2 and related resolutions.

What this looks like on a yacht

For a 55 m commercial yacht at Level 1, a practical set-up typically includes controlled gangway access with a visitor log and ID checks, defined restricted areas such as the bridge and ECR, monitoring of boarding points and tender docks, screened deliveries, and crew familiarization with the SSP. At Level 2, you may add more patrols, escalate screening, shorten visitor windows, or post additional security at the passerelle. At Level 3, actions are tightly directed by your flag or port authority and may include suspension of interface until specific conditions are met.

For private yachts, many marinas use ISPS-like practices, especially during high-profile events. Even if the Code does not formally apply, adopting proportionate measures protects people, privacy, and assets, and it can speed up berth approvals when operating alongside ISPS facilities.

Common mix-up, ISPS vs ISM vs MLC

Yacht teams often confuse compliance regimes. A quick disambiguation helps decisions and budgeting.

• ISPS focuses on security, access control, threat response, and coordination with ports. It is tied to SOLAS XI-2 and produces the ISSC.

• ISM is your safety management system, covering procedures for safe operation, drills, and continuous improvement, and results in a DOC/SMC.

• MLC sets minimum working and living conditions for seafarers.

All three can be audited on similar cycles by your flag or a recognized organization, which is why many yachts plan assessments together during shipyard maintenance or class surveys.

A yacht-focused readiness checklist

• Confirm applicability by tonnage and trading pattern. If you are converting to, or from, commercial use, reassess scope and timing.

• Engage your RSO or class to conduct the SSA and approve the SSP, then schedule initial and intermediate verifications to secure the ISSC.

• Drill and record. Keep a clean log of access control, patrols, stores screening, and security equipment tests. Your audit will check evidence, not intent.

• Coordinate early with ports. Ask whether a DoS will be required, what MARSEC or security level is in force, and whether additional screening is expected during events.

• Integrate tech and comms. Ensure the SSAS is tested and crew know activation procedures. Align CCTV, lighting, and tender operations with the SSP.

• Consider digital exposure. While ISPS is physical-security centric, modern threat surfaces include satcom, navigation networks, and guest Wi-Fi. Pair your plan with good practice from cybersecurity on yachts to avoid creating an easy back door.

• Mind definitions that trigger scope such as gross tonnage and how your flag interprets charter, passenger count, and voyage definitions. This affects whether you need full ISPS compliance or a tailored regime.

For whom, why, and under what conditions

• Owners and managers of commercial yachts at or above 500 GT need ISPS to trade internationally without delays, detentions, or berth refusals.

• Captains and SSOs need it because the SSP, drills, and records are your defense during inspections and incidents.

• Private yachts benefit when operating in or near ISPS ports, during high-visibility events, or where authorities request heightened control measures.

When the threat picture shifts, ISPS gives you a predictable way to scale protection without improvisation, and it provides the vocabulary and templates that port facilities expect.

Security on a yacht blends discretion, hospitality, and resilience. The ISPS Code provides the framework to do that systematically, with shared expectations from the dock gate to your gangway. Whether you are a first-time owner planning Mediterranean seasons, a captain taking a vessel commercial, or a shore team coordinating refit and audits, ask how ISPS fits your current and next operation, then right-size your plan. The goal is not to make the yacht feel like a fortress, it is to keep the experience open and enjoyable while quietly managing risk.

ISPS Code FAQ

What are the ISPS security levels and how do they affect a yacht?

The three ISPS security levels set the intensity of protective measures. Level 1 is your steady state with standard access control and monitoring. Level 2 adds extra checks for a defined period when risk increases, such as tighter visitor control or more patrols. Level 3 introduces specific, short-term actions directed by authorities when a threat is probable or occurring.

Who does the ISPS Code apply to in yachting?

Commercial yachts of 500 gross tonnage or more on international voyages are typically in scope, along with the port facilities that serve them. Private yachts are generally outside the Code, but a port or event organizer can still require ISPS-like measures to grant access.

What is a Declaration of Security (DoS) and when is it required?

A Declaration of Security is a short agreement between the yacht and a port facility that clarifies who handles which security tasks at the interface. It is commonly required at Security Level 2 or 3, when either side has a vulnerability, or when the port, flag, or company requests it. Keep signed DoS records as part of your security documentation.

Do private yachts need to comply with ISPS?

Not usually. Private yachts are generally exempt, but marinas, event ports, or certain regions may ask for equivalent controls, for example ID checks at the gangway, restricted bridge access, and vetted deliveries. Adopting a scaled, common-sense plan helps smooth berth approvals in sensitive ports.

How do we obtain an International Ship Security Certificate (ISSC)?

Work with your flag or a Recognized Security Organization to complete a Ship Security Assessment, develop and approve the Ship Security Plan, then pass the initial verification. The ISSC is typically valid for five years with at least one intermediate verification during the cycle. Keep logs of drills, access control, stores checks, and equipment tests to support audits.

What happens if a yacht that should comply is not ISPS-compliant?

You risk berth refusal, delays, fines, or detention until deficiencies are corrected. Inspections will focus on your plan, records, and ability to implement measures at the declared security level. Proactive documentation and crew familiarity with the plan are your best defenses.

Is Part B of the ISPS Code mandatory?

Part A is mandatory, Part B is guidance. However, some flags and ports adopt portions of Part B as binding practice, which is why specific formats or procedures can be requested. Always check your flag state rules before seasonal operations.

Who can serve as the Ship Security Officer (SSO) on a yacht?

The SSO is a designated crew member, often the captain or a senior officer, trained and appointed by the company. They maintain the plan on board, lead drills, coordinate with the shore-side Company Security Officer, and act as the main contact for the Port Facility Security Officer.

Do we need an SSAS on a yacht and how is it used?

If your yacht is subject to ISPS under SOLAS XI-2, a Ship Security Alert System (SSAS) is required. It silently alerts predesignated contacts with vessel identity and position when activated. Include SSAS tests in your routine checks and make sure all watchkeepers know the activation steps and false-alarm procedures.

How often should ISPS drills be conducted on a yacht?

Follow your flag and company policy, but many operators run security drills roughly once per quarter and an exercise annually. Vary scenarios, for example unauthorized access, suspicious package, or tender screening, and record participants, timings, and outcomes. Use drill findings to update procedures and training.

What documents need to be ready during an ISPS inspection?

Expect to show the valid ISSC, the approved sections of the Ship Security Plan as permitted, recent drill and training records, access-control logs, stores screening records, DoS forms when used, and evidence of equipment tests. Keep a clear index so you can retrieve documents quickly at the gangway or bridge.

How does ISPS relate to ISM and MLC on yachts?

ISPS is about security and the ship–port interface, ISM is about safety management and operating procedures, and MLC focuses on crew living and working conditions. Treat them as complementary systems that share audits and record-keeping. Planning verifications together during a yard period reduces disruption to operations.

We are converting from private to commercial. When should we start ISPS work?

Begin during the refit or pre-season maintenance so the assessment, plan approval, and initial audit align with class and flag visits. Build in time for crew training and a trial drill before the first commercial voyage. If your itinerary includes controlled events or high-profile ports, coordinate DoS expectations early.

What if my yacht is under 500 GT but visiting an ISPS port?

The port may still require heightened controls to grant access. Bring a concise, yacht-scaled security checklist, for example visitor ID at the passerelle, restricted bridge access, and screened deliveries. Having a point of contact and simple logs often satisfies practical port concerns.

Does the ISPS Code cover cyber risks on yachts?

ISPS is primarily physical security, but the threat surface now includes satcom, navigation networks, and guest Wi-Fi. Many operators integrate digital protections and crew awareness into the security plan by drawing on good practice from cybersecurity on yachts. Align your physical and cyber controls so one does not undermine the other.

How do ISPS requirements change between Europe and the United States?

The framework is harmonized, but you will hear MARSEC Levels in U.S. ports that map to ISPS Levels 1 to 3. U.S. facilities may ask for specific documents or screening practices under local law. Check port advisories in advance and be prepared to complete a DoS on arrival if requested.

Can we share the Ship Security Plan with contractors or guests?

Treat the SSP as confidential. Share only the portions necessary for people to perform their duties, for example visitor procedures at the gangway or stores screening steps for suppliers. Keep the full plan restricted to the SSO, CSO, flag, class, and authorities as required.

What triggers a DoS at Level 1?

Even at Level 1, a DoS can be requested if either the yacht or the port facility identifies a vulnerability, for example a broken gate camera or unusual public access during an event. It is a preventive tool that clarifies temporary responsibilities, not a sign that something has gone wrong.

How can a small yacht crew make ISPS practical day to day?

Streamline access control at a single gangway, keep a simple visitor log, mark restricted areas clearly, and fold checks into existing rounds. Use laminated checklists for stores and bunkering, and brief all crew on how to escalate concerns. Small, consistent habits beat occasional heavy measures.

What common mistakes cause delays at ISPS facilities?

Arriving without current records of drills and equipment tests, unclear visitor procedures, or not knowing the prevailing security level can all slow a berth confirmation. Another frequent issue is relying on the marina for screening that the port expects the yacht to handle. A quick pre-arrival email to the PFSO usually clears up who does what.