Maritime Cyber Security and ISM guidance FIT for Purpose

The ISM Code, supported by the IMO Resolution MSC.428(98), requires ship owners and managers to assess cyber risk and implement relevant measures across all functions of their safety management system, which will be verified by DNVGL at the first Document of Compliance ISM office audit after 1 January 2021.


Important
CYBER SECURITY will be a focus area during the ISM office DOC audit in 2020, where the company auditor verifies the status of implementation. Observations and suggestions for improvement will be issued to support your further preparation and implementation.

Checklist
The Cyber Security Protocol has been developed to support the auditing process. It focuses on measures and procedures for managing cyber security risks as per the ISM Code, and is based on IMO Resolution MSC.428(98), which mandates that cyber risk be managed through the ISM Code and the corresponding Safety Management Systems.

Implementation process
(1) Recommended steps to ensure compliance with the IMO's cyber security requirements:

Application of PDCA process:

 

(2) Make an inventory of systems and software:

IT: Information Technology

  • IT networks
  • E-mail
  • Administration, accounts, crew lists, …
  • Planned Maintenance
  • Management system
  • Spare part management and procurement
  • Electronic manuals & certificates
  • Permits to work
  • Charter party, notice of readiness, bill of lading

OT: Operational Technology

  • Propulsion, Thrusters & Steering
  • Watertight integrity & Fire Detection
  • Ballasting
  • Power generation & Auxiliary systems
  • Navigation & Communication (ECDIS, …)
  • Industrial systems if applicable (DP, Drilling, …)
  • Cargo systems

(3) Prepare a gap analysis based on the ISM Code requirements:

  • Objectives for cyber security management
  • Define a cyber security policy
  • Critical Equipment: Risk Assessment & Systems to be covered
  • Responsibilities and Authority
  • Resources and Personnel
  • Training and Awareness
  • Shipboard Operations
  • Emergency Response, including drills
  • Reports and Analysis of Non-Conformities, Incidents and Hazardous Occurrences
  • Cyber security maintenance on IT/OT systems and equipment
  • Documentation
  • Company Verification, Internal audits, Review and Evaluation

More information can be found on the DNVGL website.