Maritime Cyber Risk Management Under the ISM Code

In 2017 the IMO adopted Resolution MSC.428(98), affirming that maritime cyber risks should be appropriately addressed within a ship's Safety Management System under the ISM Code. Administrations were encouraged to ensure this was done from the first annual verification of the company's Document of Compliance after 1 January 2021.

What is expected

The IMO's Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3) describe functional elements that work together: identify, protect, detect, respond and recover. The point is not a single document but a living part of the SMS that manages risk to both information technology (IT) and operational technology (OT) systems on board.

Practical steps

In practice this means knowing your systems (an asset inventory), controlling access, separating critical OT from general IT where possible, raising crew awareness, and having response and recovery plans that have actually been tested.

Where it shows up

Auditors verifying the SMS, and Port State Control officers, may ask how cyber risk is addressed. Being able to show that it is built into procedures, rather than bolted on, is what satisfies the requirement.

Put This Into Practice

Talk to a senior reviewer about your fleet, your next inspection or your newbuilding program.