Is the ISPS Code sufficient and relevant for modern security threats?


John Southam
Loss Prevention Executive
The North of England P&I Club
Dr . Phillip Belcher
Marine Director
YES – The Code is worded so it can cover the changing landscape of security threats. Whether ship operators and crew can enforce the requirements through attending short courses and using limited equipment is another matter. The Code was introduced following the events of 9/11, and focused primarily on terrorist-related activities. However, the basic premise revolves around all security threats to ships and port facilities regardless of type. The Code does not lay out exact threats. Instead, it asks the operators to conduct a risk assessment for the vessel within the landscape it is operating. The Code requires a Ship Security Assessment (SSA) is carried out and key stages include the Threat Assessment and Scenario Setting (a “what if” process). These are ongoing processes that must be revisited regularly.  The issue therefore is, are vessel operators able to train their crew and equip their vessels to allow them to identify and deal with ever-changing security threats? For example, as piracy methods become more hi-tech, are current vessel hardening methods appropriate. Or as drug smuggling drugs becomes more prolific, is a simple crew search adequate? Yes. The ISPS Code provides the baseline. It is still very relevant as it is the framework upon which everything else hangs, particularly how the structure allows for the linkage to industry guidance. The position of the Company Security Officer is vital for the management of security risk. In this current environment of limpet mines, ship hijacking and piracy, having a single point of contact who has the authority to act is key. As has been recently proven in Hormuz, the Code levels are very important for focusing minds and ensuring the right response is implemented. Similarly the control procedures work well for ship access. Everything can be reviewed, but it’s good for now.


Capt. Panagiotis Nikiteas
HSQE Manager / DPA / CSO, Maran Dry Management Inc
James Wilkes
Managing Director
No! No shipping, No shopping! The world’s economy floats on water. International maritime security is about safeguarding the people, the seas and the goods. The contemporary risks shipping faces are influenced by factors beyond its control. Direct security risks such as terrorism, organized crime, weapons trafficking, piracy, theft, illegal fishing, corruption, illicit trade, stowaways and indirect risks deriving from environmental polluters, human migration, activism, climate change, water crisis, cyber attacks, sanctions and data fraud, all comprise today’s framework. Although the generic ISPS Code objective to detect security threats and take preventive measures remains valid, the Functional requirement and its implementation appear not capturing today’s risks. This is supported by the failure to protect seafarers against modern piracy and “terrorists” drones’ attacks. No, the ISPS Code is patently not sufficient and relevant for the security threats faced by international shipping. However, it wasn’t designed to be. It was a knee-jerk reaction to 9/11 and the perceived activities of Al Qaeda, driven by a lack of “maritime domain awareness” amongst the world’s security and intelligence agencies. The Code took no account of the security issues actually faced by shipping on a day to day basis, and so still has nothing to say on issues such as piracy (including crew abduction and hijack for cargo theft), environmental activism, stowaways etc. It would be a substantial exercise to review and revise the ISPS Code, as much because there hasn’t been a single review since it came into force in 2004 (15 years ago!). However, absent a review, it will remain a “paper tiger”: a massively expensive, bureaucratic exercise in ‘issue signaling’, rather than being a practically meaningful piece of regulation that improves security in the industry.
Phil Diacon
Managing Director
Dryad Global
Dimitris Maniatis
Chief Commercial Officer
Diaplous Maritime Services
NO, the ISPS Code has gone a long way towards satisfying a demand for standardised security measures onboard vessels and in port, and minimises the risks of a vessel being attacked and or the crew being harmed if applied properly, yet there are significant gaps within the ISPS Code.  While the Code is suitable for many traditional maritime security risks it does not provide comprehensive guidance on how to respond to state-based and asymmetric security risks. Operators must recognise its significant limitations and continue to enhance their security understanding by engaging with maritime intelligence specialists who can provide detailed actionable advice based on deep understandings of geopolitical impacts on commercial activity. NO, current ISPS is not sufficient. The ISPS code was introduced right after 9-11 with the aim to deal with the new threat environment forged by terrorism, but this was only an amendment to the SOLAS convention, not a unique and free-standing set of guidance’s or rules.

It is also worth noting that the ISPS code refers to minimum security arrangements.

The attacks on the 4 tankers off Fujairah on the 12th of May and those of the 13th of June in the Gulf of Oman, showed that even if the threat was identified prior to the event and the ISPS code of the vessels involved was set to 3, this alone would have had very limited benefits.

The Chinese flag administration on the 2nd of July 2019 ordered all Chinese flagged vessels transiting the Malacca straits to do so on ISPS level 3 due to intelligence that an Indonesian terrorist group was targeting Chinese ships.

However, the Indonesian authorities apprehended subject group’s leaders before that could proceed to any attacks.

All above scenarios do not include ships in port but ships underway, however, if we look closely at the ISPS code it mainly focuses on ships interface with ports and not ships in the middle of the world’s oceans where the author (s) of the code, at the time of writing, understood the threat to be minimal.

The ISPS code needs a reform and to include actual risk mitigation measures.

Setting an alert level and suggesting minimum security arrangements, while at the same time putting the bulk of the responsibility on the SSP based on each vessels SSA is not the way to go.

Each CSO does the best he/she can based on the training and experience he/she has, but this is not enough, there should be guidance or even enforcement of the security requirements for each region, from a higher authority (IMO), always based on the risk environment current for the trade area of each vessel.