What Is the ISPS Code and Why Does Port Compliance Matter in 2026?

What Is the ISPS Code and Why Does Port Compliance Matter

Introduction: The Foundation of Modern Port Security

The International Ship and Port Facility Security Code — universally known as the ISPS Code — is the cornerstone of international maritime security regulation. Adopted by the International Maritime Organization (IMO) in December 2002 in the immediate aftermath of the 9/11 attacks, and entering into force in July 2004, the ISPS Code established the first globally standardised framework for the security of ships and port facilities involved in international trade.

Two decades on, ISPS compliance remains as relevant and as demanding as ever. The threat environment that underpins the Code has, if anything, intensified: state-sponsored hybrid threats to maritime infrastructure, cyber-attacks on port operational systems, the persistent threat of terrorism, and the smuggling of weapons and people through major ports continue to challenge security officers and port operators worldwide.

For the United Kingdom — one of the most active maritime trade nations in the world, with over 120 designated ISPS-compliant port facilities — compliance with the ISPS Code is enforced by the Department for Transport (DfT) and carries serious legal consequences for non-compliance. This guide provides UK port operators, terminal managers, and security officers with a clear, practical understanding of the ISPS Code, its requirements, and why compliance matters in 2026.

 

1. What Is the ISPS Code?

The ISPS Code is a comprehensive set of security measures for ships and port facilities. It is implemented through Chapter XI-2 of the International Convention for the Safety of Life at Sea (SOLAS), making compliance mandatory for all SOLAS Contracting Governments — including the UK. The Code applies to:

 

  • Cargo ships of 500 gross tonnes or more on international voyages
  • Passenger ships, including high-speed passenger craft
  • Mobile offshore drilling units
  • Port facilities serving ships on international voyages

 

The Code is divided into two parts. Part A sets out the mandatory requirements that must be implemented by Contracting Governments, shipping companies, and port facilities. Part B provides guidance on how to meet those requirements. While Part B is technically advisory, in practice compliance with its guidance is expected by the DfT and forms the basis for port state control inspections.

UK Implementation: The ISPS Code is implemented in UK law through the Merchant Shipping and Fishing Vessels (Port Facility Security) Regulations 2004, as retained and amended following Brexit. The Secretary of State for Transport approves Port Facility Security Plans and authorises Recognised Security Organisations to conduct security assessments on the government’s behalf.

 

2. The Three Core Requirements: PFSA, PFSP, and the PFSO

Port Facility Security Assessment (PFSA)

The PFSA is the risk analysis of all aspects of the port facility’s operation to identify which parts are most susceptible to a security attack. It must address the full range of possible security incidents — from terrorist attack and sabotage to unauthorised access and smuggling — and produce a risk-ranked assessment of vulnerabilities that informs the PFSP. The PFSA must be conducted by the contracting government, a designated authority, or an approved RSO, and must be approved by the DfT.

 

Port Facility Security Plan (PFSP)

The PFSP is the operational document that sets out the security measures the facility will implement at each of the three ISPS security levels. It must be developed on the basis of the PFSA and address: access control, restricted areas, cargo handling procedures, vessel interface management, security communications, incident reporting, and the conduct of security drills and exercises. The PFSP must be approved by the DfT before it can be implemented, and must be protected as sensitive security information.

 

Port Facility Security Officer (PFSO)

Every designated port facility must appoint a qualified PFSO who is responsible for the development, implementation, review, and maintenance of the PFSP. The PFSO is the primary point of contact for liaison with Ship Security Officers (SSOs) and Company Security Officers (CSOs), and is responsible for ensuring that security drills and exercises are conducted as required by the Code.

In the UK, PFSOs must complete accredited training to hold the qualification. Neptune P2P Group’s 3-day PFSO training course, delivered in Manchester, provides the full competency framework required for UK ISPS compliance.

 

3. The Three ISPS Security Levels

The ISPS Code introduces three security levels that communicate the current threat environment and determine the security measures that must be in place:

 

  • MARSEC Level 1 (Normal): The minimum appropriate security measures are maintained at all times. Day-to-day operations and standard security procedures apply.
  • MARSEC Level 2 (Heightened): Additional protective security measures are maintained for a period of time as a result of a heightened risk of a security incident. Specific measures set out in the PFSP are activated.
  • MARSEC Level 3 (Exceptional): Further specific protective measures are maintained for a limited period of time when a security incident is probable or imminent. This level may restrict or suspend port operations.

In the UK, security levels are set nationally by the DfT in consultation with the Joint Terrorism Analysis Centre (JTAC) and other intelligence agencies. Port facilities must be prepared to operate at all three levels at short notice.

 

4. What Non-Compliance Looks Like — and What It Costs

ISPS non-compliance is not a theoretical risk in the UK. The DfT’s Maritime Security inspectors conduct regular audits of designated port facilities, and port state control officers routinely check the ISPS compliance status of vessels calling at UK ports. The consequences of non-compliance are significant:

  • Vessel detention: Ships calling at non-compliant port facilities can be detained by port state control, with direct costs to operators from delay and the reputational damage of a public detention record.
  • Loss of designation: A port facility that fails to maintain compliance with its PFSP and PFSA can have its ISPS designation suspended or revoked, effectively preventing it from handling international shipping.
  • Criminal liability: Under the Merchant Shipping and Fishing Vessels (Port Facility Security) Regulations 2004, breaches of ISPS obligations can result in prosecution and fines.
  • Reputational and commercial damage: Non-compliance signals to shipping lines, insurers, and cargo owners that a facility operates below international security standards, with direct commercial consequences.
DfT Enforcement Focus 2026: The DfT’s 2026 port security inspection programme has an increased emphasis on cyber security within ISPS compliance frameworks, reflecting the growing threat to port operational technology systems. PFSOs should ensure their PFSPs address cyber threats to port systems including vessel traffic management, cargo tracking, and access control infrastructure.

 

5. ISPS Compliance in Practice: The PFSO’s Annual Checklist

Maintaining ISPS compliance is an ongoing operational commitment, not a periodic exercise. PFSOs should maintain the following as standing operational requirements:

  • Current, DfT-approved PFSA and PFSP
  • Regular security drills at each MARSEC level (at least annually for Level 2 and 3 scenarios)
  • Quarterly security committee meetings with records maintained
  • Up-to-date security personnel training records for all designated security staff
  • Declaration of Security (DoS) procedures ready for activation at any vessel interface
  • ISPS certificates and compliance documentation available for inspection
  • Contact details for DfT, port police, and emergency services current and accessible
  • Cyber security review of port operational technology systems completed

 

6. PFSO Training: Building Compliance from the Inside

The effectiveness of an ISPS compliance framework ultimately depends on the competence and commitment of the PFSO. Neptune P2P Group’s PFSO training course is specifically designed for the UK market, equipping security officers with the knowledge and practical skills to conduct PFSAs, develop and maintain PFSPs, manage the full range of ISPS compliance obligations, and respond effectively to security incidents.

 

Conclusion: Compliance Is Not Optional — But It Doesn’t Have to Be Complicated

The ISPS Code has been the bedrock of international port security for over two decades. In 2026, with the UK operating in an elevated threat environment that includes terrorism, state-sponsored hybrid attacks, and sophisticated cyber threats, ISPS compliance is more important than ever. For UK port operators and terminal managers, meeting ISPS obligations is a legal requirement, a commercial necessity, and a fundamental expression of the duty of care owed to vessel crews, dock workers, and the communities that rely on safe and secure port operations.

Neptune P2P Group’s ports and terminal security in UK supports facilities with PFSO training, PFSA advisory services, security planning, and ongoing compliance support. If your PFSA is due for review, if your PFSO needs to qualify or refresh their training, or if you need support preparing for a DfT inspection, contact our UK team.

 

About Neptune P2P Group

Neptune P2P Group is a global security risk solutions company founded in 2009 and owned by former British and French Special Forces personnel. With over 8,500 completed security tasks across the AMEA region and a 100% success record for anti-piracy operations, Neptune P2P Group delivers maritime security services, ports and terminal security, protective security, maritime security training, and travel risk management to shipping companies, port operators, corporations, and governments worldwide.