Ship Security

The ISPS Code provides a comprehensive mandatory security regime for international shipping

International Ship and Port Facility Security (ISPS) Code

The International Ship and Port Facility Security (ISPS) Code came into force on 1 July 2004 under Chapter XI-2 of the Safety of Life at Sea Convention (SOLAS).

The Code establishes a standard framework for shipping companies, port authorities and government authorities to evaluate and manage security risks to port facilities and ships used in international trade. The Code is divided into two sections: Part A sets out the Code’s mandatory provisions. Part B provides recommended guidelines for implementing Part A provisions.


The ISPS Code is mandatory for the following ship types:

  • cargo ships, including high-speed craft of 500 GT and above;
  • passenger ships, including high-speed passenger craft;
  • mobile offshore drilling units.

Regulation (EC) No 725/2004 on Enhancing Ship and Port Facility Security extends the Code’s scope to the following ship types:

  • domestic ‘Class A’ passenger ships which travel more than 20 miles from a place of refuge;
  • domestic ships identified through an EU member state’s risk assessment.



The ISPS Code sets the following objectives:

  • establish an international framework to detect security threats and take preventive measures against security incidents affecting ships or port facilities used in international trade;
  • establish the respective roles and responsibilities of the Contracting Governments, Government agencies, local administrations and the shipping and port industries, at the national and international level for ensuring maritime security;
  • ensure the early and efficient collection and exchange of security-related information;
  • provide a methodology for security assessments so as to have in place plans and procedures to react to changing security levels; and
  • ensure confidence that adequate and proportionate maritime security measures are in place.



The Code imposes a series of legally binding obligations on vessel owners and operators. Every ship to which the Code applies must have the following:

  • Ship Security Plan which has been approved and implemented;
  • Company Security Officer (CSO);
  • Ship Security Officer (SSO);
  • IMO Number marked on the vessel;
  • Installed Automatic Identification System (AIS);
  • Continuous Synopsis Record (CSR);
  • Installed Security Alert System.


Ship Security Assessment (SSA)

The SSA is essential for developing and updating a Ship Security Plan. An on-scene security survey identifies and evaluates:

  • existing security measures, procedures and operations;
  • key ship board operations requiring protection;
  • possible threats to key ship board operations and the likelihood of their occurrence, so as to establish and prioritize security measures; and
  • weaknesses in infrastructure, policies and procedures.

The Company may use their Company Security Officer, other trained personnel or security consultants to conduct the on-scene Ship Security Assessment provided they have appropriate skills to evaluate the security of a ship.

Personnel conducting SSAs shall be independent of the activities being assessed unless this is impracticable due to the size and the nature of the Company or of the ship. Specifically, the person conducting the SSA should not be any of the officers or crewmembers permanently assigned or serving onboard the ship.


Ship Security Plan (SSP)

Every Company must ensure each of its vessels carries on board an approved Ship Security Plan (SSP) that complies with SOLAS Chapter XI-2 and the ISPS Code. The SSP ensures the application of measures on board the ship designed to protect persons on board, cargo, cargo transport units, ship’s stores and the ship against the risk of a security incident.

The SSP must contain a clear statement to the effect that the Master has the overriding authority and responsibility to make decisions with respect to the safety and security of the ship.

It should also address:

  • measures designed to prevent weapons, dangerous substances and devices intended for use against persons, ships or ports and the carriage of which is not authorized from being taken on board the ship;
  • identification of restricted areas and measures for preventing unauthorized access;
  • measures to prevent unauthorized access to the ship;
  • procedures for responding to security threats or breaches of security, including provisions for maintaining critical operations of the ship or ship/port interface;
  • procedures for responding to any security instructions Contracting Governments may give at security level 3;
  • procedures for evacuation in case of security threats or breaches of security;
  • duties of shipboard personnel assigned security responsibilities and of other shipboard personnel on security aspects;
  • procedures for auditing the security activities;
  • procedures for training, drills and exercises associated with the plan;
  • procedures for interfacing with port facility security activities;
  • procedures for the periodic review of the plan and for updating;
  • procedures for reporting security incidents;
  • identification of the ship security officer;
  • identification of the company security officer including 24-hour contact details;
  • procedures to ensure the inspection, testing, calibration, and maintenance of any security equipment provided on board;
  • frequency for testing or calibration of any security equipment provided on board;
  • identification of the locations where the ship security alert system activation points are provided;
  • procedures, instructions and guidance on the use of the ship security alert system, including testing, activation, deactivation and resetting, and on limiting false alerts; and
  • Declaration of Security (DOS) establishing responsibilities between a ship and a port facility or another ship.


Company Security Officer (CSO)

The Company is required to designate a Company Security Officer (CSO) for each of its vessels. The CSO is a member of the shore-side management and monitors security for the vessel(s) for which he is responsible within the organization.

The main duties and responsibilities of the CSO include:

  • ensure a Ship Security Assessment is carried out;
  • ensure a Declaration of Security (DOS) is completed;
  • ensure the SSP is developed, approved, implemented and modified, as necessary;
  • arrange internal audits and reviews of security activities;
  • ensure deficiencies and non-conformities identified during internal audits, periodic reviews and security inspections are promptly addressed and dealt with;
  • ensure adequate training for personnel responsible for the security of the ship; and
  • act as a liaison with the port facility security officer, the ship security officer and relevant administrative bodies.

The Company is responsible for ensuring the CSO receives appropriate training.

The Company shall ensure that the CSO, the Master and the SSO are given the necessary support to fulfil their duties and responsibilities in accordance with Chapter XI-2, Part A and the relevant provisions of Part B of the ISPS Code.



Ship Security Officer (SSO)

The Company is required to designate a Ship Security Officer (SSO) for each of its vessels, accountable to the Master and responsible for security on the ship.

Responsibilities of the SSO are listed in ISPS Code, Part A, s 12.2 and include:

  • implement and maintain the SSP;
  • keep the SSP under review;
  • enhance on-board security awareness and vigilance;
  • ensure adequate training has been provided to shipboard personnel;
  • act as liaison with the vessel’s management and other on-shore authorities on security matters.

The Company should designate one of the senior officers onboard (such as Master, Chief Officer, Chief Engineer or 2nd Engineer) to perform the Ship Security Officer duties.

The Company is responsible for ensuring the SSO receives appropriate training. It is prudent for more than one officer on each ship to be trained to carry out the SSO’s duties.


Additional EU Requirements

By virtue of Regulation (EC) No 725/2004, the following paragraphs of Part B of the ISPS Code are mandatory for Luxembourg-flagged vessels:


  • Ship Security Plan revisions (1.1.2)
  • Port facility assessment (1.16)
  • Confidentiality of security plans and assessments (4.1)
  • Recognised Security Organisations (RSOs) (4.4)
  • Minimum competencies of RSOs (4.5)
  • Setting security level (4.8)
  • Contact points and information on port facility security plans (4.14-4.16)
  • Identification documents (4.18)
  • Application of State-recommended security measures to sail in its territorial waters (4.24)
  • Manning levels (4.28)
  • Communication of information when port entry is denied or ship is expelled from port (4.41)
  • Company obligation to provide ship operator information to Master (6.1)
  • Minimum ship security assessment standards (8.3-8.10)
  • Minimum ship security plan standards (9.2)
  • RSO independence (9.4)
  • Security drill and exercise frequency for ship crews, company and ship security officers (16.3 and 16.8)
  • Minimum port facility security assessment standards (15.3-15.4)
  • Minimum port facility security plan standards (16.3 and 16.8)
  • Security drill and exercise frequency in port facilities and for port facility security officers (18.5-18.6)


The periodic review of the port facility security assessments provided for in paragraph 1.16 of Part B of the ISPS Code shall be carried out at the latest five years after the assessments were carried out or last reviewed.

Incorporation into the Safety Management System

Although it is not a requirement, the Company should contemplate incorporating the relevant shipboard security requirements into the company’s Safety Management System (SMS).

The Safety Management System should:

  • define the security duties and responsibilities for the Company Security Officer, the Ship Security Officers and the crew;
  • discuss who will be responsible for organizing security drills and exercises;
  • contain procedures for immediately reporting any non-compliance with the ISPS Code, threats and breaches of security to the Administration;
  • define maintenance requirements for the security equipment;
  • provide for the logging of actions or measures taken to rectify deficiencies and non-conformities noted during Security Assessments and notification of the Luxembourg Maritime Administration and the RSO of any corrective actions taken;
  • provide the list of records to retain on board and retention period;
  • define the procedures for the harmonized internal ISM and ISPS Code audits;
  • state the company will provide the support necessary to the Company Security Officer, the Master and/or the Ship Security Officer to fulfill their duties and responsibilities in accordance with chapter XI-2 and the ISPS Code.



Luxembourg applies the standard IACS procedure for ISPS Code Certification with no additional national requirements.

Where a ship changes flag to Luxembourg, an interim International Ship Security Certificate (ISSC) is issued on the basis of an interim verification as required by section A 19.2.1 of the ISPS Code.

Luxembourg RSOs

Luxembourg has appointed Recognised Security Organisations (RSOs) to carry out the assessment, verification, approval and certification activities required by SOLAS Chapter XI-2 or by Part A of the ISPS Code, including Ship Security Plan approval, on-board compliance verification and issuance of International Ship Security Certificates (ISSC).

The following Classification Societies have been authorized to act as RSO on behalf of Luxembourg:

  • American Bureau of Shipping
  • Bureau Veritas Marine & Offshore SAS
  • DNV-GL
  • Korean Registry
  • Lloyd’s Register
  • NKK
  • RINA
  • Croatian Register of Shipping


Ship Security Alert System (SSAS)

Ship Security Alert Systems for Luxembourg-flagged vessels should be programmed to send alerts to the Company Security Officer (CSO).

Annual SSAS Test

CSOs are requested to transmit to the Luxembourg Maritime Administration, at least once a year, a report on the results of all SSAS test messages sent by their Luxembourg-flagged ships.

Circular CAM 02/2016 – SSAS – Alert Message forwarding



Where the Company determines that an SSAS alert relates to a real threat, the CSO must immediately forward the SSAS alert to:

POLICE GRAND DUCALE, Centre d’Intervention National (CIN)
+352 4997 2346


The CSO’s message must also detail the following information:

  • name and IMO number of the ship concerned;
  • ship’s latest position;
  • threat type sustained by the ship;
  • CSO contact details to initiate immediate contact.


False alerts

Where a false alert is transmitted to the Luxembourg authorities, the Luxembourg Maritime Administration should be notified immediately by telephone and an email sent to the CIN.

National Competent Authority for Security Matters

Commissariat aux affaires maritimes
19-21, Boulevard Royal
L-2449 Luxembourg
Tel. : + 352 2478 44 53
Fax : + 352 29 91 40
Email :