A Port Facility Security Officer walks down to the berth, asks to see the vessel's International Ship Security Certificate, and wants to know who the Ship Security Officer is. For a charter yacht over 500 GT on an international voyage, this is not an unusual question — it is a routine part of operating in a regulated port. For a crew that has never been asked before, it can be the first sign that ISPS compliance was treated as paperwork rather than an operational system.
The International Ship and Port Facility Security Code (ISPS Code) is one of the less-discussed compliance frameworks in the superyacht world, overshadowed by ISM, MLC, and MARPOL. But for the vessels it applies to, it is mandatory under SOLAS Chapter XI-2, and gaps in it carry the same kind of consequences as gaps in any other statutory certificate.
When ISPS Actually Applies
The ISPS Code, adopted by the IMO after 2001 and implemented through SOLAS Chapter XI-2, applies to passenger ships, cargo ships of 500 gross tonnage and above, and mobile offshore drilling units engaged on international voyages, along with the port facilities that serve them.
For yachts, the practical rule is straightforward: a commercial (charter-registered) yacht of 500 GT or above operating internationally falls squarely within scope. A private yacht, or a commercial yacht under 500 GT, generally sits outside the mandatory ISPS framework.
That said, "outside mandatory scope" is not the same as "no security expectations." Port facilities that are themselves ISPS-designated will still expect any vessel calling — regardless of size or registration — to follow basic access control and reporting procedures while alongside. Captains of smaller or private yachts who treat a secured marina or commercial port as a purely private berth are the ones most likely to have an awkward conversation with a Port Facility Security Officer.
If your yacht sits near the 500 GT threshold, or moves between private and commercial (charter) registration during the season, confirm your ISPS status with your flag state or management company before you assume you are — or are not — in scope. Tonnage measurement and registration status both affect the answer.
The Two Security Officers: CSO and SSO
ISPS compliance is built around two designated roles, one ashore and one on board, working together.
The Company Security Officer (CSO) sits with the yacht's management company, not on the vessel itself. The CSO is responsible for ensuring a Ship Security Assessment is carried out, that a Ship Security Plan is developed and submitted for flag state approval, and for acting as the ongoing liaison between the company, the vessel, and port facility security officers ashore. One CSO can cover multiple vessels within a management company's fleet.
The Ship Security Officer (SSO) is on board and reports directly to the Master on security matters. The SSO implements and maintains the Ship Security Plan day to day: supervising access control at the gangway, ensuring restricted areas are respected, coordinating security equipment checks, running crew security drills, and liaising directly with the Port Facility Security Officer whenever the vessel calls at a port.
In practice on many yachts, the SSO role is combined with another senior deck position — often the Chief Officer or First Mate — rather than being a dedicated full-time post. What matters is that the person holding it has completed the required ISPS/SSO training and genuinely owns the day-to-day security procedures, not just the certificate on file.
The Ship Security Plan: The Document That Does the Work
The Ship Security Plan (SSP) is the vessel's operational security manual, developed from a formal Ship Security Assessment that identifies the vessel's vulnerabilities, critical operations, and appropriate countermeasures.
A typical SSP covers:
- Access control — who can board, how identity is verified, how visitors and contractors are logged and escorted
- Restricted areas on board and how they are monitored and enforced
- Procedures for handling ship's stores, provisions, and unaccompanied baggage
- Security equipment: what is installed, how it is tested, and how failures are reported
- Communication procedures with the Company Security Officer and with Port Facility Security Officers
- Drills and exercises, including frequency and record-keeping
- Specific actions required at each of the three security levels
The SSP must be approved by the flag state administration, or by a Recognised Security Organisation acting on the flag state's behalf, before the vessel can be issued an International Ship Security Certificate. Once approved, the SSP is treated as confidential — it is not a document to leave lying in the crew mess or hand over casually during a PSC-style inspection. Only relevant authorities and designated officers should have access to its full content.
An SSP that was written once at delivery and never revisited is a common gap. The plan should reflect the vessel's actual current operation — itinerary patterns, guest capacity, tender and water toy operations, and any changes to access points or security equipment. Flag states and Recognised Security Organisations expect the SSP to be a living document, verified at survey.
Security Levels 1, 2, and 3
ISPS defines three security levels, and knowing which one applies — and what changes at each — is the core operational knowledge every SSO and Master should carry.
Security Level 1 — normal. The baseline. Minimum appropriate protective security measures are maintained at all times: controlled access, ID verification, basic monitoring of restricted areas, and general security awareness among the crew.
Security Level 2 — heightened. Applied when there is an elevated risk of a security incident, for a defined period. Additional protective measures kick in — increased frequency and thoroughness of access checks, tighter restricted area enforcement, more frequent security patrols, and closer coordination with the Port Facility Security Officer.
Security Level 3 — exceptional. Applied when a security incident is probable or imminent. Further specific measures are implemented, usually for a limited and defined time, and typically involve direct instruction from the flag state or the relevant port/coastal authority.
The security level is set by the flag state administration, but in practice, a vessel operating in or approaching a port takes its cue from that port facility's declared security level — the ship must be able to meet or exceed it. A yacht arriving at a port operating at Security Level 2 while the vessel itself is only postured for Level 1 will be expected to raise its measures accordingly, and the SSP should already spell out exactly what that means operationally, rather than leaving it to be improvised at the gangway.
The ISSC and What Port Facility Security Officers Actually Check
The International Ship Security Certificate (ISSC) is the certificate that confirms a vessel has an approved Ship Security Plan and has been verified as compliant. It is issued after an initial verification and renewed on a schedule aligned with the vessel's other statutory certification cycle.
When a Port Facility Security Officer boards or requests documents, the checks typically focus on:
- A valid ISSC, matching the vessel's name, flag, and particulars
- Confirmation of who holds the SSO role, and evidence of their training
- Access control procedures actually being followed at the gangway — not just described on paper
- Records of security drills and exercises, at the required frequency
- Evidence that security equipment referenced in the SSP is present and functioning
A vessel that cannot produce a valid ISSC, or whose actual gangway practice clearly does not match what the SSP describes, is treated the same way a PSC officer treats any other statutory deficiency: it can lead to delay, additional inspection, or in serious cases, denial of port entry. Our Port State Control guide covers the broader inspection regime that ISPS deficiencies sit within.
Run security drills on the same disciplined schedule you run fire and abandon-ship drills, and log them the same way. An SSO who can immediately produce a dated drill record, rather than reconstructing one from memory, sends a clear signal to a Port Facility Security Officer that the SSP is a working document, not a filing cabinet exercise.
Crew Training: Not a Superyacht-Specific Add-On
Since the STCW Manila Amendments took effect, baseline security awareness training has been folded into mandatory training for all seafarers — it is part of Basic Safety Training, not an optional extra layered on top for yachts specifically. Crew with designated security duties, including the SSO, require additional, more specific training covering security equipment operation, threat recognition, and response procedures.
For crewing purposes, this means ISPS awareness should already be present in any properly STCW-certified crew member's training record. What varies by vessel is whether that awareness has been translated into vessel-specific procedures the crew actually practise — which is precisely what the SSP and regular drills are for.
Frequently Asked Questions
Security as an Operating Discipline, Not a Certificate
ISPS compliance, like ISM and MLC, rewards captains and management companies who treat it as a live operational system rather than a certificate to renew once a year. A CSO who keeps the Ship Security Plan current with the vessel's actual operation, an SSO who runs and logs drills on schedule, and a crew whose security awareness training is genuinely current together produce a vessel that clears a Port Facility Security Officer's questions without friction.
HelmOps supports exactly this kind of operational discipline — crew certification tracking with expiry alerts, drill and inspection logging, and document storage accessible at every port, so the record a security officer asks for is never more than a few taps away.
Start your 30-day free trial — no credit card required.
Sources: IMO, "SOLAS XI-2 and the ISPS Code" (imo.org); International Convention for the Safety of Life at Sea (SOLAS), Chapter XI-2; STCW Convention, 2010 Manila Amendments. ISPS applicability and enforcement details can vary by flag state and Recognised Security Organisation — confirm current requirements with your flag administration or security consultant.



