In the days following the terror attacks of September 11 2001, a concerned US government assembled a team of intelligence and maritime industry experts to identify what might be the most likely terrorist target in the maritime world. Will al-Qaeda potentially strike at petroleum or LNG tankers, seaports, ferries, or offshore oil platforms? After a robust debate, a consensus was reached that cruise ships are likely to provide the most attractive target to terrorists.

While admittedly this was a hastily arrived at conclusion, there appeared to be ample logic behind the choice: cruise ships carry over five million US citizens each year; they often sail to remote ports that specialise in cargo rather than passenger operations; and the countries they frequently visit are part of what is referred to euphemistically as the ‘developing world’, where security is often a luxury rather than a priority.

“Cruise ships are not only less attractive to terrorists than originally thought, they are also better protected than any other ships in the world.”

History has shown that terrorists are frighteningly aware of the vulnerability of cruise ships. Previous hijackings include Santa Maria in 1961 and the Achille Lauro in 1985.

Subsequent re-evaluation by law enforcement and intelligence services has recently prompted a different conclusion: cruise ships are not only less attractive to terrorists than originally thought, they are also better protected than any other ships in the world, barring warships.

Part of the reason for this is the remarkable partnership that exists between the cruise lines and the US Coast Guard. Between them, they have developed a strong partnership, which has resulted in both US and international security protocols and measures that help to ensure the safety of millions of passengers looking for a safe and stress-free holiday.


With the bitter experience of the al-Qaeda bombing of the USS Cole (which occurred while the ship was refuelling in the port of Aden in Yemen), and the 9/11 attacks on New York and Washington, the US Coast Guard convinced the IMO, an arm of the United Nations, to create an international standard for ship and port security.

The Coast Guard, along with many cruise and cargo ship operators, were understandably anxious about the state of maritime security around the world. In some ports, security took a back seat to selling t-shirts. Fencing, lighting, access controls and security guards were a rarity. Vendors, homeless people and criminals of various kinds entered ports without challenge, raising a number of serious concerns about the safety of crew and passengers.

Now with al-Qaeda presenting an imminent threat, the concern has evolved from that of pilfered ship’s stores and pickpockets to the real threat of a ‘spectacular attack’ on ships of all kind. After months of discussion, the IMO’s member states agreed to create a comprehensive code that would address not only the security shortcomings of ports but of international shipping in its entirety.


With the help of the US Coast Guard and other nations, the IMO began to develop a set of codes, requirements and procedures to address the security of ships and ports engaged in international commerce. These stringent requirements are now known to the maritime community as the International Ship and Port Facility Security (ISPS) Code. While the effects of these regulations have had a major impact on the sea carrier industry, many of the Code’s provisions were already quite familiar to the cruise industry.

Cruise ship operators had already been operating under various iterations of the ISPS Code found in previous resolutions. For example, following the Achille Lauro hijacking, the IMO decided to adopt a resolution on measures to prevent unlawful acts from threatening the safety of ships and the security of their passengers and crews (Assembly Resolution A584[14]).

Subsequently, guidelines were established by the IMO’s Maritime Safety Committee (MSC) in one of its circulars ‘Measures to Prevent Unlawful Acts against Passengers and Crew On-board Ships’ (MSC Circular 443). Requirements such as the development of a security plan, the implementation of appropriate security measures, the performance of risk-based security surveys or assessments, and training to enhance security awareness were adopted and put into place. In many cases, they were virtually identical to the ISPS Code requirements adopted 20 years later. In 2005, the rest of the maritime industry is, in many respects, catching up with what the cruise industry has been doing for two decades.


While the cruise industry has undoubtedly been at the forefront of maritime security for many years, the ISPS Code does offer enhancements that will not only bolster the security measures imposed on cruise ships, but also significantly increase security at the ports they visit.

From the family heading to the Caribbean on their favourite cruise ship to the importer bringing goods to market from foreign lands, the elements of the ISPS Code will help to reduce the risk of terrorism and crime and greatly enhance the development of a uniform security culture with the following mandatory measures:

  • Company security officer: Each shipping company is now required to appoint a company security officer (CSO) who serves as the overall manager of fleet security. The CSO is obliged to assess the threat and vulnerability of each company ship, and to take the necessary steps to mitigate the risk of terrorism and crime. All company ships and their security personnel must report to the CSO, who in turn must report security incidents to the appropriate government office on behalf of the company. Although this is a new ISPS Code requirement, the appointment of a CSO has been a standard practice on many cruise lines for some years. Some, like Royal Caribbean and Carnival, have had the same high-calibre security management for almost a decade.
  • Ship security officer: Under the ISPS Code, all ships must appoint a ship security officer (SSO) to manage on-board security procedures. This includes the implementation and maintenance of their security plan; training crew members to meet strict ISPS Code requirements; record-keeping in accordance with company and Code requirements; and documenting their ship’s compliance with the Code. The SSO may also be responsible for performing declarations of security and liaising with the port facility security officers at their ship’s ports of call. Like the CSO, the SSO is usually someone with significant expertise characterised by many years of experience. On Princess Cruises ships, the SSO is often a retired master at arms from the British Navy – an individual steeped in the culture of ship security.
  • Crew training: For the first time, all crew members must receive specific training in security procedures; recognition and detection of dangerous substances and devices; assessing threats and vulnerabilities; and other security subjects. The intention is to create a crew force-multiplier for the security department, with everyone aware of potential threats and the risk mitigation measures undertaken to address those threats.
  • Drills and exercises: Security plans are important and the performance of drills and exercises is the most practical means by which to gauge their effectiveness. To the credit of the ISPS Code, both are mandatory, with security drills required at least once every three months and exercises, which are typically on a larger scale and involving ports and police units, required annually. Of particular note for cruise ships, drills must be conducted within one week if 25% of the crew has been rotated off the ship. In addition, if the ship has been laid up, a security drill must take place within one week of reactivation.
  • Ship security records: Like the International Safety Management Code that preceded it, the ISPS Code is heavily reliant on solid record-keeping by the company and ship security officers. Documentation and record-keeping are essential in both managing a complex security programme and facilitating compliance audits by outside agencies. Records must be maintained for a minimum of two years, and should document: security drills and exercises; security incidents; changes in security levels; calibration and testing of security equipment; security threats; declarations of security; and internal annual security audits.
  • The declaration of security: A declaration of security (DoS) is an agreement between a ship and a port facility which specifies the security measures each will implement to safeguard the other. Both must share information about perceived threats, incidents they may have suffered and the security level they happen to be operating under. This kind of security information sharing is vital and is something the cruise industry has been lobbying for since the 1980s.
  • Continuous synopsis record: Every ship must now maintain a continuous synopsis record (CSR). This rather cryptic-sounding requirement is really nothing more than a permanent record of the ships operations, along with its ownership. In a move towards transparency of operations, the CSR is motivated in part by a desire to eliminate questionable ownership and operational activities of some merchant ships. While not directly aimed at cruise ships, they are nevertheless affected. The CSR provides an on-board record of the history of the ship and must provide, at the very least: the name of the state whose flag the ship is entitled to fly; the date on which the ship was registered with that state; the ship’s IMO-provided identification number; the name of the ship and all previous names; the port at which the ship is registered; the name of the registered owner(s) and their registered address(es); the name of the registered charterer(s) and their registered address(es); the name of the shipping company; the name of all classification society(ies) with which the ship is classed; the name of the administration or of the government which has issued the ship’s documents of compliance; and the date on which the ship ceased to be registered with that state.


To ensure the ongoing protection of the ship, both the CSO and SSO must conduct annual audits of the ship’s security plan. As companies periodically make changes to their ships and itineraries, the ISPS Code requires that amendments reflecting such changes be made to their security plan in a timely manner. Along with strict adherence to the amendment process outlined in the ISPS Code, the CSO and SSO must also continuously challenge the effectiveness of their security plan by performing an annual audit.


Arguably, the most essential factor embedded in the security improvements of the ISPS Code is its inclusion of security requirements for all ports visited by cruise ships. Previous codes and resolutions created regulations to improve safety and security for vessels and left out the interface activities between vessels and the ports they called upon. The ISPS Code addressed this deficiency by setting forth definitive requirements and procedures to be carried out by the port’s stakeholders and the authorities that govern them.

Now, instead of the responsibility resting entirely with the owner or operator of the cruise ship, the ISPS Code places significant security responsibilities on port stakeholders and governments presiding over ports of call. Governments have the responsibility of ensuring that port facilities within their jurisdiction are in compliance with ISPS Code regulations, effectively melding the two previously disparate security programmes.

The owner or operator of a port (or port facility) is required to designate a port facility security officer (PFSO) to manage the security programme. The ISPS Code requires that an SSO of a ship wishing to call on a particular port liaise with the PFSO of that port as part of an ongoing security protocol. Once a consensus on the respective security responsibilities has been agreed on, a declaration of security can be announced.


The ISPS Code requires that all cruise ships subject to SOLAS (specifically, XI-2, Regulation 6) be equipped with a ship security alert system (SSAS). The purpose of the SSAS is simple; the SSAS provides the master or SSO with a security system capable of alerting authorities to hijackings, acts of piracy and terrorism at the simple push of a button.

Once activated, this system will initiate and transmit a ship-to-shore security alert to a competent authority. This SSAS will not send the alert to any other ships, nor will it raise any alarm on board the ship. However, it will continue sounding the alarm until it has been deactivated or reset.


“The ISPS Code places significant security responsibilities on port stakeholders and governments presiding over ports of call.”

The US Maritime Transportation Security Act of 2002 (MTSA) is the US corollary to the ISPS Code. Most cruise ships are not US-flagged and are therefore subject to the ISPS Code rather than the MTSA. This is because registering a ship in the USA requires that the ship be built in the USA and subsequently staffed with US employees. Paying US wages and complying with US employment regulations is far more expensive than using employees from developing countries, who perform the same work for a fraction of the pay.

Many foreign countries also subsidise their cruise shipbuilding industry, while the USA does not. As a result, almost all major cruise lines use ships built in Germany, France and Italy, and then register them in countries that impose less stringent requirements on their operations. Some cruise lines even maintain recruiting and training facilities in places like Indonesia and the Philippines for their ongoing crewing requirements.


Ships with a valid International Ship Security Certificate (ISSC) will be considered in compliance with the ISPS Code if the ship security plan (SSP) meets the requirements of the ISPS Code Part A and the relevant sections of Part B. The US Coast Guard will expect the ISSC to indicate this. Such ships will not be required to submit their SSP to the US Coast Guard for approval. Ships whose flag states are not in compliance with the ISPS Code will be required to submit their SSP for review and will be subject to boardings.


Due to the intelligently crafted alliance between the US Coast Guard and the cruise ship industry, along with the support of the UN-backed IMO legislation (ISPS Code) and its US corollary (MTSA), the cruise ship industry can boast a safe and formidable security environment for its millions of yearly passengers. The security measures adopted by all international cruise lines, along with the international security protocols required of their host states, are recognised worldwide as a significant deterrent to criminals and terrorists.

Furthermore, due to the existence of higher security standards associated with previous resolutions, the cruise ship industry has adopted these new security enhancements with relative ease. The cruise ship industry recognises and embraces these standards as part of a continued, decades-long effort to improve the protection of passengers and crew against acts of crime or terrorism.