ISPS in Practice: Restricted-Area Visitor Logs and Security Levels on Cruise Ships
The International Ship and Port Facility Security (ISPS) Code asks a ship to do two things: have a security plan, and be able to prove it is following it. The plan is the easy part. The proof - the records that show who entered which restricted space, under what authority, at which security level - is where a lot of vessels are still relying on a clipboard by a door. When the Company Security Officer (CSO) or a Port Facility Security Officer comes looking, that clipboard is not a strong position.
Here is how ISPS works in practice, and what good records look like.
Restricted areas and who may enter them
A ship has spaces not everyone should enter: the bridge, the engine control room, certain stores, security and crew-only areas. ISPS expects you to control and record access. A restricted-area visitor log does this across the access levels a security plan actually uses:
- crew only,
- escorted visitors,
- permit required, and
- SSO-only (Ship Security Officer).
The point is not just to record entries; it is to enforce the rules - an escorted visitor who has no escort, or a permit-required entry with no permit, should be caught at the door, not discovered later. And the resulting log should be something the SSO can produce on demand, not reconstruct from memory.
Security levels, and what changes when they rise
ISPS defines three security levels. Level 1 is normal operations; levels 2 and 3 are heightened states declared in response to a specific threat. The obligation is twofold: manage the change, and record it - who raised the level, when, and why.
Security-level management handles both. Every change is logged automatically for the audit trail the PFSO and flag state expect, and raising the level can tighten restricted-area access and prompt the required actions, rather than relying on someone to remember the procedure under pressure.
The records that hold it together
ISPS is a documentation regime as much as an operational one. Alongside the visitor log and security-level audit, a credible security posture usually includes a CCTV camera registry - so you know what is watched and what is down - and door-access control tied to the same guest and crew credentials that drive the gangway and folio. One credential, many doors, fully revocable, every access recorded.
Why integration matters here too
Ship security is not a standalone system; it touches the gangway, the crew roster and the guest credential. When restricted-area access, door control and badge printing all use the same card a guest or crew member already carries, security stops being a parallel process and becomes part of how the ship already works. That is what makes the records consistent - and consistency is exactly what an auditor is checking for.
What to ask
- Is restricted-area access enforced (escort, permit, sealed-bag), or only logged?
- Are security-level changes recorded automatically, with who and why?
- Can the SSO produce the visitor log on demand?
- Do door access, gangway and badges share one credential, or several?
The bottom line
The ISPS Code rewards operators who can prove their plan is live, not just written. Digital restricted-area visitor logs and security-level management replace the clipboard with an enforced, auditable record - so when the question comes, the answer is a clean export rather than an awkward silence.
See Restricted Area Visitor Log in action
This article touches on Restricted Area Visitor Log, part of HF Property Management. Book a walkthrough tailored to your operation.