If a vessel calls at any port covered by the International Ship and Port Facility Security (ISPS) Code, it must carry a designated Ship Security Officer (SSO) on board. The SSO is the officer the master and the company rely on to keep the ship safe from unlawful acts, from petty stowaways to armed boarding and terrorism. The role was created after the 2002 amendments to SOLAS Chapter XI-2, hammered out by the IMO in the wake of 9/11, and has been the cornerstone of maritime security ever since.
This guide explains exactly what a Ship Security Officer does, the STCW training pathway, where to take an approved course, certification validity, and how the role compares with the Company Security Officer (CSO) and Port Facility Security Officer (PFSO). You'll also find a self-check on whether you qualify, a pros and cons breakdown, and answers to the questions candidates ask most before booking a course. By the end, you'll know whether the SSO certificate belongs on your record, and what passing the assessment actually demands.
The SSO sits at a peculiar pressure point in modern shipping. They're the named individual a port state control inspector asks for at the gangway. They're the person the master leans on when a security drill exposes a weakness. And they're the officer who has to know, by heart, what changes at Security Level 2 versus Security Level 3, with the gangway watch waiting for a decision.
The Ship Security Officer is the person on board designated by the shipping company and accountable to the master for the security of the ship. The role is defined in Regulation XI-2/1 of SOLAS and detailed inside the ISPS Code Part A, Section 12. Every vessel of 500 gross tonnage or more engaged on international voyages, plus mobile offshore drilling units and high-speed passenger craft, must have one.
An SSO is not a security guard. It's a senior shipboard appointment, normally given to a deck officer (chief mate or master) who already holds an STCW management-level certificate. The SSO writes nothing on the spot when an incident happens; they execute a plan that was approved months earlier by the flag state. That plan is the Ship Security Plan (SSP), and implementing it is the SSO's full-time concern.
Why does the role sit separately from the master's overall command authority? Because the IMO wanted accountability for security to be focused, named, and trained, not diluted across general shipboard duties. The master still has ultimate authority for the safety and security of the ship under SOLAS, but the SSO carries the specialist competence and the documented training. If something goes wrong, port state control wants to know who held the SSO designation, what training they completed, and when the SSP was last reviewed. That single trail of accountability is what the ISPS Code was built around.
A Ship Security Officer (SSO) is the on-board officer designated by the company and accountable to the master, responsible for the implementation and maintenance of the Ship Security Plan and for liaison with the Company Security Officer (CSO) and Port Facility Security Officers (PFSOs). The role is mandated by SOLAS Chapter XI-2 and the ISPS Code.
The day-to-day duties cluster around four functions: implement, monitor, train, and report. The ISPS Code lists fourteen specific responsibilities, but in practice they fall under a manageable framework that any working SSO recognises immediately.
Implementation means making sure the Ship Security Plan is actually followed, not just filed. That covers gangway watches, restricted area sign-off, baggage screening protocols, and Security Level 1, 2, and 3 procedures. Monitoring is continuous: the SSO walks the ship, checks lockers, verifies seals, and reviews CCTV. Training and drills happen monthly (drills) and at least once every 18 months (exercises with the CSO, PFSO, or contracting government). Reporting flows up to the master and out to the CSO, and any security incident must be logged and notified ashore without delay.
A working week for an SSO at sea isn't dramatic. Most of it is paperwork, walk-arounds, and brief security tool-box talks at the start of cargo operations. The discipline is in the repetition. Restricted area signs get torn down, locks get jammed, and seals get cut by mistake; the SSO replaces them and logs why. When the ship enters a higher-risk area, the workload climbs sharply: extra lookouts, rigging citadel doors, briefing the bridge team on Ship Security Alert System protocols, and confirming the engine room knows the planned course of action if a boarding occurs.
Carry out the Ship Security Plan as approved by the flag administration, including all three security levels and any temporary measures during port calls.
Regular inspections of the ship, restricted areas, cargo spaces, and stores to confirm security measures are working and to spot tampering early.
Provide security awareness and familiarisation training to all crew, conduct monthly drills, and brief new joiners during their handover.
Notify the master and CSO of any security threat, incident, or breach without delay, and log it in the ship's security record for audit.
Coordinate with the CSO ashore, PFSO at each port, and any contracting government officials or naval forces boarding the ship.
Ensure the Ship Security Alert System (SSAS), CCTV, AIS, access control gear, and security equipment are tested, serviced, and ready.
You cannot self-certify as an SSO. The mandatory training is laid down in STCW Regulation VI/5 and detailed under Section A-VI/5 of the STCW Code, with guidance in Section B-VI/5. The course is short (most providers run it over three working days), but the content is dense and covers maritime security policy, threat identification, security equipment, and ISPS Code documentation.
Course delivery may be face-to-face, blended, or fully online depending on the flag state. The US Coast Guard, MCA (UK), Transport Canada, AMSA (Australia), and most major flag administrations maintain lists of approved providers. On successful completion you receive a Certificate of Proficiency (CoP) that names you as a qualified SSO; this is the document the port state control inspector will ask to see.
One detail that surprises first-time candidates: the SSO course does not teach you self-defence, weapons handling, or use of force. It's a procedural and managerial qualification, not a tactical one. If your company plans to embark armed guards (Privately Contracted Armed Security Personnel) for a transit through high-risk waters, that's a separate arrangement with its own briefings and rules of engagement. The SSO coordinates that arrangement on board, but the SSO certificate itself doesn't authorise carrying or using weapons.
Morning covers SOLAS Chapter XI-2, the ISPS Code Parts A and B, and the responsibilities of contracting governments, companies, ships, and port facilities. Afternoon introduces the three security levels, the Declaration of Security, and the Ship Security Alert System concept. Candidates receive the course workbook and the model Ship Security Plan used throughout the rest of the training.
Morning is a deep dive into the Ship Security Plan: its mandatory contents, how it's approved by the flag administration, and how it's amended. Afternoon focuses on the Ship Security Assessment methodology: identifying assets, threats, vulnerabilities, and consequences, plus the documentation that supports each measure. Most providers run a tabletop scenario at the end of the day.
Morning covers security equipment (CCTV, access control, SSAS, AIS, ECDIS security), security drills and exercises, and the keeping of records. Afternoon is reserved for the written examination and any oral or scenario-based assessment the provider includes. Successful candidates receive their Certificate of Proficiency the same day or by post within two weeks.
Maritime security policy and the ISPS Code, security responsibilities, ship security assessment, the Ship Security Plan, threat identification and recognition, ship security actions at the three security levels, emergency preparedness, security drills and exercises, and administration of security including reporting and record-keeping.
Most administrations require seagoing service on a vessel covered by the ISPS Code. The MCA wants either 12 months sea service or completion of the Proficiency in Designated Security Duties (PDSD) course first. Many providers also require candidates to hold an STCW management-level certificate, which in practice means chief mates and masters apply most often.
Continuous assessment plus a written examination at the end of the course. Pass mark is usually 70%. Most providers also include a tabletop exercise or scenario-based oral assessment where you must demonstrate decision-making at Security Level 2 or 3.
Course length: typically 18 to 21 contact hours over three days, although some flag states accept compressed two-day delivery. Tuition: $450 to $950 USD depending on provider and country. Online options through IAMI or Videotel sometimes run $300 to $500.
The short answer: experienced deck officers. The longer answer depends on which flag your ship flies. Universal entry requirements include a valid medical certificate, basic safety training (STCW VI/1), and either seagoing service on an ISPS-covered vessel or prior completion of the Proficiency in Designated Security Duties course (STCW VI/6).
Most companies appoint their chief mate as SSO because the role overlaps naturally with cargo, watchkeeping, and crew management duties. On smaller vessels or short-sea trades, the master may hold the SSO appointment directly. Whoever gets the role needs to be on board most of the time the vessel is at sea; you cannot be an SSO from shore.
Engineering officers occasionally hold the SSO appointment on offshore units or specialised vessels where the deck department is small, but the deck side of the house remains the natural home for the role across container ships, tankers, bulk carriers, and passenger vessels.
Approved means approved by your flag state, not by a generic accreditation body. In the United States, that means an organisation appearing on the US Coast Guard National Maritime Center's list of approved course providers. In the UK, the MCA publishes its own list through the Maritime and Coastguard Agency. The IMO maintains a Global Integrated Shipping Information System (GISIS) which lists approved STCW courses worldwide, although the authoritative source is always the national administration.
Well-known providers include MITAGS and PMI in the United States, Warsash Maritime Academy and South Tyneside College in the UK, Marlins and Videotel for online delivery, and the World Maritime University for postgraduate maritime security qualifications. Online options exist but check first that your flag state recognises distance learning for SSO certification; some still require classroom hours.
A practical tip: if your company operates a fleet under multiple flags, get your CoP issued by whichever administration has the broadest reciprocity. Panama, Marshall Islands, and Liberia certificates are recognised almost everywhere, which makes life easier when you change vessels. Always carry a hard copy and a clearly scanned digital copy; port state control sometimes asks for paper, and a battery-flat phone is no excuse when the inspector is standing in front of you.
The ISPS Code creates three security officers and they're often confused. The Company Security Officer (CSO) sits in the shipping company head office and is responsible for the security of all vessels in the fleet. One CSO can cover many ships. The Ship Security Officer (SSO) is on board and accountable for one vessel. The Port Facility Security Officer (PFSO) is shoreside, employed by or contracted to the terminal, and responsible for the security of the port facility itself.
Communication flows constantly between the three. The CSO writes the Ship Security Plan and submits it to the flag state; the SSO implements it on board; the PFSO ensures the shore side of the ship/port interface is secure. When a ship arrives, the SSO and PFSO complete a Declaration of Security (DoS) for higher security levels or where the port facility's security level differs from the ship's. All three roles require formal training, but only the SSO has to maintain the Certificate of Proficiency under STCW.
In an emergency the chain matters. The SSO notifies the master, who decides whether to activate the Ship Security Alert System. The CSO is informed immediately and becomes the link between the ship and the flag administration, naval forces, and insurers. The PFSO at the destination port adjusts shoreside arrangements. None of this works if any of the three has poor situational awareness or if records are sloppy, which is why the SSO logs every drill, every walk-around, and every minor security incident in the ship's security record. Auditors and inspectors read those logs first.
SSO Certificates of Proficiency issued under STCW are valid for five years. Before the certificate expires you must complete a refresher course, usually a one-day update that covers any amendments to the ISPS Code, new IMO security circulars, and current threat picture briefings. Without revalidation your CoP lapses and you can no longer be designated as SSO on any vessel, regardless of how recent your last drill was.
Sea service on an ISPS-covered vessel during the previous five years counts toward continued professional competence, so most administrations accept a combination of documented service plus a short refresher rather than the full 21-hour course. Check with your flag state's revalidation pathway at least 12 months before your certificate expires to avoid being shore-bound.
Keep a clean record of the drills you've led and any tabletop exercises you've participated in; most revalidation forms ask for evidence of continued professional development, not just sea time. A simple log of monthly drill topics, lessons learned, and any real security incidents you handled gives the assessor everything they need. Companies that retain SSOs long-term often pay for the refresher and the travel; those that rotate officers frequently leave it to the individual, which is worth knowing before you commit to a contract.
The ISPS Code was drafted in the immediate aftermath of 9/11 and the initial focus was terrorism, but the role has expanded to cover the full spectrum of unlawful acts at sea. The contemporary threat landscape an SSO must plan for includes piracy and armed robbery (still active in the Gulf of Guinea, Singapore Strait, and parts of the Indian Ocean), plus stowaways, smuggling (drugs, weapons, wildlife), unauthorised boarding, sabotage, cyber attacks on ship systems, and active shooter scenarios on passenger ships.
Each threat is countered through a layered approach: deterrence (lighting, signage, visible security), detection (CCTV, AIS monitoring, gangway watches), delay (locked doors, citadel rooms, razor wire), and response (Ship Security Alert System activation, communication with naval forces, evasive manoeuvring). The SSO is the person who decides which layers go up at which security level and who briefs the crew on their role in each.
Cyber security has been formally integrated into the SSO's remit since the IMO Maritime Safety Committee issued resolution MSC.428(98) in 2017, and most flag states now expect the Ship Security Plan to include cyber risk management measures.
Crew familiarisation is the part most SSOs underestimate. A perfectly written SSP fails if the messman at the gangway doesn't know to question an unfamiliar visitor, or if the engine cadet hasn't been told where the muster point is during a security incident.
Short, repeated tool-box briefings (five minutes at the start of cargo operations, ten minutes at the weekly safety meeting) embed the procedures far more reliably than a binder kept in the SSO's office. Drills should rotate scenarios: stowaway discovered in the void space one month, suspicious package on the bridge wing the next, cyber-attack on the cargo control system the month after.
The SSO is also the company's first eyes on emerging threats. Drone overflights, GPS spoofing in the eastern Mediterranean, and small-boat swarming in the Gulf of Oman are all relatively recent additions to the threat picture. None of them existed when the ISPS Code was written. A good SSO reads MSCHOA and UKMTO bulletins, subscribes to flag state security advisories, and feeds new threat indicators back to the CSO so the SSP can be amended ahead of the next port state inspection rather than after.
One last thing: the SSO role rewards methodical people more than dramatic ones. The best SSOs you'll meet at sea are quietly thorough. They check the same access points every day, log every minor irregularity, run drills that aren't theatrical but expose real procedural weaknesses, and brief the master in plain language. Port state control inspectors notice this within ten minutes of stepping aboard. If you enjoy that kind of disciplined, repeatable work and want a globally portable maritime qualification, the SSO certificate is a sensible addition to a deck officer's record.
Plan the course around your next leave rotation; three contact days is a manageable add-on if you book early, and most providers run multiple cohorts a month in major maritime hubs. Get the medical signed off in advance, dig out your sea-time documentation, and confirm the provider you've chosen is on your flag state's current approved list (these lists are updated quarterly). Do that, sit the assessment, and you'll walk away with a Certificate of Proficiency that recognises you as the officer the master and the company can hand the ship's security to with confidence.