The code sets out a framework for evaluating risk to ensure that the most suitable, appropriate and effective safety and security measures are in place. Shipping firms that do not comply can be refused entry into ports and, equally, ships will not call at non-compliant ports. Its effect has been substantial as ports and shipping firms alike attempted to become ISPS-compliant by the 1 July implementation date.

The main measures adopted by the code include: the fitting of an automatic information system (AIS) to all vessels except passenger ships and tankers; the marking of identification numbers on the ship's hull; the granting of authority to the master of a ship to override the owner company or charterer in matters of security; and the issuance of a continuous synopsis record to provide a full onboard history of the ship.

Ports must put in place a framework to assess security risk and be able to react to certain security levels as outlined by the International Maritime Organisation (IMO) below:

Security level 1:normal, the level at which the ship or port facility normally operates; the level for which minimum appropriate protective security measures shall be maintained at all times;

Security level 2:heightened, the level applying for as long as there is a heightened risk of a security incident; the level for which appropriate additional protective security measures shall be maintained for a period of time as a result of heightened risk of a security incident;

Security level 3:exceptional, the level applying for the period of time when there is the probable or imminent risk of a security incident; the level for which further specific protective security measures shall be maintained for a limited period of time when a security incident is probable or imminent, although it may not be possible to identify the specific target.

One of the most contentious issues is that under the new code, signatory governments can take control of a ship if it considers it to be a threat regardless of its nationality. Similarly, vessels that call at ports not complying with the code can be refused entry into other ports even if the ship is ISPS-compliant.

The toughest task for most ships and ports has been implementing the code within the time allowed. Jebel Ali port and Port Rashid in the UAE, for example, only received their port facility security plan (PFSP) approval on 28 June, just three days before ISPS came into force. There has been criticism that ISPS is neither wide ranging nor specific enough to prevent acts of terrorism or piracy. Critics point to the fact that the code does not apply to ships of less than 500 dwt and that the code was rushed through without proper consultation.