The ISM Code at a glance
The International Safety Management Code (ISM) is the instrument through which the International Maritime Organization (IMO) shifted maritime safety from a logic of technical compliance of the ship to a logic of organised risk management. Adopted by resolution A.741(18) in 1993 and made mandatory by chapter IX of the SOLAS convention, it entered into force in two phases — 1998 for passenger ships, tankers and bulk carriers, 2002 for other ship types.
ISM was born of a series of maritime disasters, the most defining of which remains the capsizing of the Herald of Free Enterprise in 1987, where organisational failures ashore and on board — not a mere technical mishap — had cost 193 lives. The founding insight of the Code is that a safe ship depends not only on the quality of its hull or machinery, but on the chain of responsibility linking the bridge to the owner’s office, and on that chain’s ability to anticipate, report and correct failures before the accident.
The explicit objective of ISM is twofold: to ensure safety at sea, prevent injury and loss of life, and avoid harm to the environment. To achieve this, it requires every company to develop, implement and maintain a Safety Management System (SMS): a documented body of policies, procedures and responsibilities, genuinely applied and audited.
The ISPS Code at a glance
Where ISM deals with safety — protecting the ship and crew from accidents — the International Ship and Port Facility Security Code (ISPS) deals with security — protecting the ship from intentional, malicious acts. The two notions, conflated in everyday language, are legally distinct.
ISPS is the maritime community’s direct response to the attacks of 11 September 2001. Adopted in December 2002 by a conference of governments party to SOLAS and incorporated into chapter XI-2 of SOLAS, it entered into force on 1 July 2004. Like the STCW Code, it consists of a mandatory Part A (detailed requirements) and a recommended Part B (implementation guidance).
ISPS rests on a risk-analysis approach: assess the vulnerability of the ship and its interfaces (ports, contractors, transfers), define graduated measures across three security levels, and designate clearly identified responsible persons on board and ashore. For a superyacht, whose profile — high-visibility owner, wealthy guests, publicised port calls — is precisely a potential target, the logic of ISPS goes well beyond a mere administrative formality.
ISM, ISPS and yachting: the 500 GT threshold
In yachting, the application of both codes is governed by a threshold that has become emblematic: 500 GT. A commercial yacht (operated in charter) of 500 GT or more on international voyages falls into the cargo-ship category under SOLAS: it must apply ISM and ISPS in full, with DOC, SMC, complete SMS, security plan and ISSC. It is this threshold that explains the existence of an entire generation of yachts designed to stay just under 500 GT — in order to escape the heaviest regime.
Below 500 GT, ISM is not mandatory under SOLAS, but the flag ecosystem has filled the gap: the REG Yacht Code (Red Ensign Group Yacht Code, which merged the former Large Yacht Code LY3 and the Passenger Yacht Code) and each flag’s own rules require a scaled-down safety management system, often called a “Mini-ISM”, proportionate to the size of the vessel. The expected rigour increases with tonnage and the number of persons on board.
For private yachts, the principle is exemption: a yacht not operated commercially falls outside the mandatory scope of ISM and ISPS. But several major flags require or recommend an SMS for large private units, and a switch to charter — even occasional, through arrangements such as the Private Yacht Limited Charter — brings the ship into the mandatory regime. For the owner, anticipating that switch is a structuring matter in its own right.
SMS architecture: what the system must cover
The heart of ISM is the Safety Management System. The Code does not prescribe a single model: it sets functional objectives that each company translates into its own organisation. A compliant SMS covers at least:
- A safety and environmental protection policy — the company’s formal commitment, broken down into objectives.
- Instructions and procedures to ensure safe operation of ships and protection of the environment, in compliance with applicable regulations.
- Defined levels of authority and lines of communication between shore and ship personnel, and within the ship.
- Procedures for reporting accidents, near-misses and non-conformities with the Code.
- Procedures to prepare for and respond to emergency situations — drills, scenarios, crisis organisation.
- Procedures for internal audits and management review to assess and improve the effectiveness of the system.
The SMS is built around a continuous improvement cycle — plan, implement, verify, correct — which fundamentally distinguishes ISM from a mere regulatory checklist. The classic trap, on yachts as elsewhere, is the “shelf SMS”: an immaculate manual on paper, but disconnected from the real life of the ship. A system overloaded with unworkable procedures is as dangerous as a deficient one: the crew ends up working around it.
The players: company, DPA, master, CSO, SSO
ISM and ISPS rest on a clear distribution of roles, ashore and on board.
The company is the entity responsible for operating the ship — owner, manager or charterer who has assumed responsibility for operation. It holds the DOC and answers for the SMS. The identity of the ISM company must be unambiguous: this is a major point of legal structuring for a yacht.
The DPA (Designated Person Ashore) is the keystone of ISM. A direct link between ship and the company’s highest level of management, the DPA monitors the safety and pollution-prevention aspects of each ship and ensures the adequacy of resources and shore support. Direct access to the ultimate decision-maker is a requirement of the Code, not an option.
The master holds a singular place: ISM explicitly reaffirms the master’s overriding authority and responsibility to take, in matters of safety and pollution prevention, any decision deemed necessary — including departing from the SMS where safety so requires. The SMS must state this authority in black and white.
On the security side, ISPS designates two officers: the CSO (Company Security Officer), responsible ashore for the security assessment and plan, and the SSO (Ship Security Officer), the security officer on board in charge of day-to-day implementation of the plan. Ashore, port facilities have their own PFSO (Port Facility Security Officer).
DOC and SMC: the two ISM certificates
The ISM certification framework rests on an inseparable pair.
The Document of Compliance (DOC) is issued to the company. It attests that its shore organisation has an SMS compliant with ISM, for the ship types it operates (a DOC states the categories covered). It is valid for 5 years, subject to an annual verification. A certified copy of the DOC must be held on board each of the company’s ships.
The Safety Management Certificate (SMC) is issued to the ship. It attests that the ship actually operates its company’s approved SMS. It is valid for 5 years, subject to at least one intermediate verification between the second and third anniversary.
The dependency is strict: no valid SMC without a valid DOC covering the ship type concerned. If the company’s DOC falls, its whole fleet is in default. For start-up situations — new ship, new company, change of flag — interim certificates exist: an interim DOC valid for 12 months, an interim SMC valid for 6 months, to build the operating record needed for definitive certification.
ISPS: assessment, security plan and ISSC
ISPS certification follows a parallel logic, in three stages.
The Ship Security Assessment (SSA) identifies vulnerabilities: access points, sensitive areas, interfaces with shore and contractors, threat scenarios. It is carried out under the CSO’s responsibility.
The Ship Security Plan (SSP) translates that assessment into concrete measures, set out for each of the three security levels: access control, surveillance of restricted areas, management of stores and supplies, procedures in case of threat. The SSP is a confidential document, protected from any unauthorised consultation.
The International Ship Security Certificate (ISSC) is issued after verification that the plan is approved and effectively implemented. Valid for 5 years, it requires at least one intermediate verification between the second and third anniversary. An interim ISSC of 6 months, non-renewable, covers start-up phases.
To this framework SOLAS chapter XI adds two structuring elements: the Ship Security Alert System (SSAS), which allows a discreet alert to be triggered to the authorities in the event of a malicious act, and the Continuous Synopsis Record (CSR), which traces the ship’s history (flag, owner, ISM company) and must be kept up to date.
The three security levels
ISPS grades the response across three levels, set by the flag State or the government concerned — never by the ship alone:
- Level 1 — normal. The ship operates under normal conditions: minimum security measures maintained at all times (access control, rounds, verification of visitors’ identity).
- Level 2 — heightened. A heightened risk of a security incident is perceived: additional measures are maintained for the relevant period (intensified checks, restricted access, increased surveillance of the quay).
- Level 3 — exceptional. A security incident is probable or imminent: specific additional measures are implemented, generally for a short period and often in coordination with the authorities.
The security plan must precisely describe the measures applicable at each level and how to switch from one to another. On board, the SSO and crew must know these procedures and be able to execute them without delay. For a superyacht calling at a sensitive port or during a publicised event, a temporary move to level 2 is a realistic scenario that must be prepared.
ISM/ISPS audits: the verification cycle
Compliance with both codes is never settled once and for all: it is verified through regular audits, internal and external.
Internal audits are conducted by the company itself, at a frequency the SMS must set (in practice at least annual for each ship and for the office). They aim to detect and correct gaps before the external audit — the self-monitoring mechanism at the heart of ISM.
External audits are carried out by the flag State or, most often, by a recognised organisation (RO) — an authorised classification society. They set the rhythm of the certification cycle: initial audit (issuance of the DOC, SMC and ISSC), annual verification of the DOC, intermediate verification of the SMC and ISSC, then a renewal audit at 5 years. For a new ship or a new company, interim certification opens operations while the required record is built.
In yachting practice, these audits are often grouped and coordinated with the MLC audit (working conditions) and class inspections, to limit the ship’s downtime. Documentary preparation — registers up to date, drills logged, non-conformities closed out, crew training current — is the bulk of the work: an audit is not prepared the day before.
Non-conformities, observations and Port State Control
ISM/ISPS audits distinguish several levels of finding. An observation flags a situation that may deteriorate if not addressed. A non-conformity (NC) records an objective gap against the Code or the SMS. A major non-conformity (major NC) characterises a serious gap representing a grave threat to safety, security or the environment, calling for immediate corrective action: it can lead to suspension or withdrawal of the certificate concerned until it is cleared.
Beyond scheduled audits, Port State Control (PSC) verifies, during port calls, the validity of certificates (DOC on board, SMC, ISSC) and the reality of their application: a valid certificate but a manifestly unapplied SMS is itself a ground for deficiency. Classic ISM/ISPS non-conformities found on yachts: SMS not kept up to date, emergency drills not carried out, prior non-conformities not closed out, obsolete security plan, untested SSAS, crew unaware of their emergency duties.
Depending on severity, PSC issues a deficiency to be corrected within a deadline or, for a serious failing, may detain the ship until rectification. A detention appears in public databases (such as Equasis) and weighs lastingly on the reputation of the flag, the company and the owner. The control logic here is the same as for STCW and MLC: see our guides STCW for superyachts and MLC 2006 for superyachts.
Event reporting and continuous improvement
One of ISM’s major innovations is to require a culture of reporting. The SMS must provide procedures to report to the company accidents, near-misses and non-conformities with the Code, so they can be analysed and turned into corrective and preventive action. It is this flow of information that feeds the system’s continuous improvement.
For it to work, this mechanism rests on a cultural condition: the crew must be able to report a gap without fear of sanction. A system that punishes the messenger empties itself of substance — near-misses stop being reported, and the system loses precisely the weak signals that allow a serious accident to be avoided. On a yacht, where proximity to the owner and service pressure run high, building that trust is as much about management as about procedure.
The management review closes the cycle: periodically, the company assesses the effectiveness of its SMS in light of audits, reports and corrective actions, and decides on adjustments. The DPA’s role is central to this process: it is the DPA who consolidates the reports from the ship and carries safety concerns to the appropriate decision level.
The DPA: cornerstone of the framework
If a single role in the ISM architecture were to be singled out, it would be the DPA. Chapter 4 of the Code makes the DPA the guarantor that each ship is operated safely and that the link between ship and management actually works. Direct access to the highest level of management is what prevents safety concerns from being smothered by commercial or hierarchical considerations.
For a yacht, the practical question is: who holds this role, and with what competence? Entrusting the DPA to someone with no maritime experience — a family-office assistant, a generalist lawyer — empties the function of meaning: the DPA must understand what is at stake on a bridge, be able to read a near-miss report, judge the adequacy of a manning level or an emergency procedure. This is why outsourcing the DPA to an experienced maritime professional — typically a former captain — is a common and healthy practice in yachting.
An outsourced DPA brings three things a sole owner generally cannot assemble: maritime competence, availability (24/7 responsiveness in an emergency) and independence (a viewpoint not beholden to the owner’s comfort alone). It is one of the structuring services of ship management. For the “crew competence” dimension, this role pairs with STCW certification; for the “working conditions” dimension, with the MLC.
Convergence of ISM/ISPS/MLC/STCW and cyber risk
The underlying trend, on superyachts as on the merchant fleet, is the convergence of the four major regimes — ISM, ISPS, MLC and STCW — into an integrated ship management system. Registers are pooled (common STCW/MLC rest hours), audit cycles are coordinated, documentary matrices overlap. For a yacht, this integration reduces duplication but demands a coherent reworking of manuals and procedures, on pain of inconsistencies that leap out in an audit.
The most dynamic topic remains cyber risk. With resolution MSC.428(98) of 2017, the IMO established that an approved SMS must incorporate maritime cyber risk management, no later than the first annual DOC verification after 1 January 2021. In practice, the SMS must identify, assess and control the risks bearing on IT and operational systems: navigation (ECDIS, GPS), propulsion and machinery, communications, onboard networks, and — a yacht specificity — home automation, high-throughput satellite connectivity, AV systems and guest networks.
For a superyacht, hyper-connected by nature and carrying sensitive personal data (the owner’s and guests’), cyber risk sits at the crossroads of safety, security and privacy. It calls for measures both technical (network segmentation, backups, updates) and organisational (crew awareness, incident procedures), now auditable under ISM.
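To make the "network segmentation" measure concrete, here is an added example that is not part of the original guide and not Cursorio's own tooling: a short Python check of the kind an SMS cyber-risk procedure could run over the inter-zone firewall rules of a yacht's onboard network. The zone names follow the system groups listed above (navigation, propulsion, communications, AV, guest networks, satellite uplink); the trust ranking, the permitted-flow policy and the sample rule set are constructed assumptions, and findings are labelled with the vocabulary of the audit section of this guide (observation versus major).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Network zones, named after the system groups the guide lists for a yacht.
# The trust rank is a constructed assumption: 0 = most critical, 5 = least trusted.
ZONES: Dict[str, int] = {
    "navigation": 0,      # ECDIS, GPS
    "propulsion": 0,      # machinery and control network
    "communications": 1,  # GMDSS, satellite terminal management
    "crew": 2,            # crew workstations
    "av": 3,              # AV and home-automation systems
    "guest": 4,           # guest Wi-Fi
    "internet": 5,        # high-throughput satellite uplink / WAN
}

# Segmentation policy (constructed): the only zone-to-zone flows the SMS permits.
ALLOWED_FLOWS: Set[Tuple[str, str]] = {
    ("navigation", "communications"),
    ("communications", "internet"),
    ("crew", "communications"),
    ("crew", "internet"),
    ("av", "internet"),
    ("guest", "internet"),
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None means any port
    action: str              # "allow" or "deny"

@dataclass(frozen=True)
class Finding:
    severity: str  # "major" or "observation", mirroring ISM audit vocabulary
    rule: Rule
    reason: str

def audit_rules(rules: List[Rule],
                allowed: Set[Tuple[str, str]] = ALLOWED_FLOWS,
                zones: Dict[str, int] = ZONES) -> List[Finding]:
    """Compare each 'allow' rule with the segmentation policy.

    - A flow from a less-trusted zone into a more-critical one that the policy
      does not list is a major finding (e.g. guest Wi-Fi reaching ECDIS).
    - Any other unlisted flow, an any-port allow, or a zone missing from the
      inventory is an observation to be scoped or documented.
    """
    findings: List[Finding] = []
    for rule in rules:
        if rule.action != "allow":
            continue  # deny rules cannot open a path; only allows are audited
        if rule.src_zone not in zones or rule.dst_zone not in zones:
            findings.append(Finding("observation", rule,
                                    "zone not in asset inventory; inventory incomplete"))
            continue
        if (rule.src_zone, rule.dst_zone) in allowed:
            if rule.dst_port is None:
                findings.append(Finding("observation", rule,
                                        "permitted flow open to any port; scope to the services needed"))
            continue
        if zones[rule.dst_zone] < zones[rule.src_zone]:
            findings.append(Finding("major", rule,
                                    f"less-trusted zone '{rule.src_zone}' reaches "
                                    f"more-critical zone '{rule.dst_zone}'"))
        else:
            findings.append(Finding("observation", rule,
                                    "flow not listed in segmentation policy"))
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, for the audit report and management review."""
    counts = {"major": 0, "observation": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts

# Constructed sample rule set, standing in for an export of the onboard firewall.
SAMPLE_RULES: List[Rule] = [
    Rule("guest", "internet", 443, "allow"),          # fine: listed and scoped to one port
    Rule("guest", "navigation", None, "allow"),       # major: guest Wi-Fi to ECDIS
    Rule("av", "propulsion", 502, "allow"),           # major: AV network to machinery
    Rule("crew", "internet", None, "allow"),          # observation: any-port allow
    Rule("crew", "av", 8080, "allow"),                # observation: unlisted, not towards a more critical zone
    Rule("internet", "navigation", 22, "allow"),      # major: inbound from WAN to navigation
    Rule("guest", "crew", None, "deny"),              # ignored: deny rules are not audited
    Rule("contractor", "navigation", None, "allow"),  # observation: zone missing from inventory
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        r = finding.rule
        port = "any" if r.dst_port is None else r.dst_port
        print(f"[{finding.severity:11}] {r.src_zone} -> {r.dst_zone}:{port}  {finding.reason}")
    print(summarize(audit_rules(SAMPLE_RULES)))
```

The asymmetry is deliberate: a flow towards a less critical zone that the policy omits is only an observation (the policy should still be made explicit), whereas any unlisted path from guest, AV or WAN into navigation or propulsion is treated as major, because that is exactly the kind of gap a PSC inspector or RO auditor would expect the SMS to have identified, assessed and controlled. In a real deployment the rule list would be imported from the firewall export rather than typed in, and each finding would be entered in the SMS non-conformity register with an owner and a closure date so it is visible at the next management review.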
For Cursorio, these developments confirm the value of outsourced support: keeping an SMS alive, holding the DPA role, maintaining ISM/ISPS certificates up to date, and coordinating audits with the MLC and the crew’s STCW certification is continuous work, with demanding deadlines, that often exceeds the bandwidth of a captain at sea or a generalist family office. For the two complementary regimes, see our guides STCW for superyachts and MLC 2006 for superyachts.