The IMO Cyber Risk Requirement Explained
In June 2017, the IMO Maritime Safety Committee adopted Resolution MSC.428(98), which required cyber risk management to be addressed in Safety Management Systems no later than the first annual verification of a company's Document of Compliance after 1 January 2021. This was not a suggestion - it was a binding requirement that applies to every vessel subject to the ISM Code.
The practical guidance for implementation comes from MSC-FAL.1/Circ.3, titled "Guidelines on Maritime Cyber Risk Management." This circular provides a framework for identifying, assessing, and managing cyber risks, structured around five functional elements borrowed from the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.
What catches many operators off guard is that this is not a standalone cybersecurity regulation. It is an amendment to the existing ISM Code framework. That means cyber risk must be woven into your existing Safety Management System documentation - not bolted on as a separate manual that sits on a shelf. Flag state auditors assess cyber risk management as part of the standard ISM audit, not as a separate inspection.
What MSC-FAL.1/Circ.3 Actually Says
The circular is deliberately non-prescriptive. It provides high-level guidance rather than specific technical requirements, recognising that cyber risk varies significantly across vessel types, trading patterns, and operational profiles. However, this flexibility is also what makes compliance confusing for many operators - there is no simple checklist to follow.
The five functional elements define the scope of what your SMS must address:
- Identify - Define personnel roles and responsibilities for cyber risk management. Identify the systems, assets, data, and capabilities whose disruption could pose risks to vessel operations and safety.
- Protect - Implement risk control processes and measures, including contingency planning. This covers access controls, training, data security, and maintenance of safety-critical systems.
- Detect - Develop and implement activities necessary to detect a cyber event in a timely manner. This includes monitoring of onboard systems and establishing processes for identifying anomalies.
- Respond - Develop and implement activities to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber event.
- Recover - Identify measures to back up and restore cyber systems necessary for shipping operations impacted by a cyber event.
What Changes Need to Be Made to Your SMS
Updating your Safety Management System for cyber risk is not about creating an entirely new document. It is about making targeted amendments across several existing SMS sections. Here are the specific areas that need attention.
Risk assessment procedures
Your existing SMS risk assessment procedures must be expanded to include cyber risks alongside traditional safety risks. This means adding cyber threat scenarios to your risk register, defining likelihood and impact criteria for cyber events, and establishing a process for regularly reviewing cyber risks. The risk assessment should cover both IT systems (email, business applications, crew WiFi) and OT systems (ECDIS, engine management, ballast control, GMDSS).
Many operators make the mistake of conducting a one-time cyber risk assessment and filing it away. The ISM Code requires continuous improvement - your cyber risk assessment must be a living document that is reviewed after system changes, crew rotations, incidents, or changes in the threat landscape.
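The risk register and review cycle described above, as an added example that is not code from the page or from NCoDE Command. The 1-5 likelihood and impact scales, the level bands, the review triggers, the system names and the sample entries are all constructed assumptions chosen to illustrate the approach.

```python
"""Minimal cyber risk register for an SMS (added example, constructed data).

Scoring scale, level bands and review triggers are assumptions for the
example, not values taken from MSC-FAL.1/Circ.3 or any product.
"""
from dataclasses import dataclass, field
from datetime import date

# Assumed scale: likelihood and impact each scored 1..5, score = product.
LEVELS = {"low": (1, 8), "medium": (9, 14), "high": (15, 25)}

# Events that, per the "living document" requirement, trigger a review.
REVIEW_TRIGGERS = {"system_change", "crew_rotation", "incident", "threat_change"}


@dataclass
class Risk:
    ref: str
    system: str
    domain: str            # "IT" or "OT"
    scenario: str
    likelihood: int        # 1..5
    impact: int            # 1..5
    last_reviewed: date
    mitigations: list = field(default_factory=list)

    def score(self) -> int:
        return self.likelihood * self.impact

    def level(self) -> str:
        s = self.score()
        for name, (lo, hi) in LEVELS.items():
            if lo <= s <= hi:
                return name
        raise ValueError(f"score {s} outside 1..25")


def uncovered_systems(register, inventory):
    """Assets in the inventory with no risk entry at all: an Identify gap."""
    covered = {r.system for r in register}
    return sorted(s for s in inventory if s not in covered)


def risks_due_for_review(register, today, trigger=None, affected_system=None,
                         max_age_days=365):
    """Which entries must be re-reviewed.

    On a trigger event every entry is due, or only those for the affected
    system when one is named; otherwise entries older than the periodic
    review interval are due.
    """
    if trigger is not None:
        if trigger not in REVIEW_TRIGGERS:
            raise ValueError(f"unknown trigger {trigger!r}")
        if affected_system is None:
            return list(register)
        return [r for r in register if r.system == affected_system]
    return [r for r in register if (today - r.last_reviewed).days > max_age_days]


# Constructed sample register covering both IT and OT systems.
REGISTER = [
    Risk("CR-01", "ECDIS", "OT", "malware introduced via chart-update USB", 3, 5,
         date(2023, 6, 1), ["USB policy", "AV scan station"]),
    Risk("CR-02", "Crew Wi-Fi", "IT", "phishing credential theft", 4, 2,
         date(2024, 3, 1), ["awareness training"]),
    Risk("CR-03", "Engine management", "OT", "unauthorised remote access", 2, 5,
         date(2024, 1, 15), ["segmented network", "vendor access procedure"]),
]
INVENTORY = ["ECDIS", "Crew Wi-Fi", "Engine management", "Ballast control", "GMDSS"]


if __name__ == "__main__":
    for r in REGISTER:
        print(r.ref, r.system, r.score(), r.level())
    print("uncovered:", uncovered_systems(REGISTER, INVENTORY))
    print("due:", [r.ref for r in risks_due_for_review(REGISTER, date(2024, 6, 1))])
```

The two checks at the bottom are the ones an auditor's document review would probe: every safety-relevant asset has an entry, and each entry has been revisited within the interval or after a triggering event.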
Incident procedures
Your SMS incident reporting and investigation procedures must include cyber events. This means defining what constitutes a reportable cyber incident, establishing reporting chains (including shore-side notification), documenting initial response actions, and creating investigation procedures for cyber events that parallel your existing safety investigation processes.
The SMS should clearly define thresholds for different response levels. A suspicious email detected by a crew member requires a different response than ransomware encrypting bridge systems. Your procedures should cover containment steps, communication protocols (including when to isolate affected systems from the network), and escalation criteria for involving shore-based support or flag state notification.
Training requirements
The ISM Code already requires training appropriate to assigned duties. Incorporating cyber risk means adding cybersecurity awareness to your training matrix. All crew members should receive basic awareness training covering phishing recognition, password management, USB device policies, and incident reporting procedures. Personnel with specific cyber responsibilities - such as the master, chief engineer, ETO, or designated cyber security officer - require additional role-specific training.
Training records must be maintained as part of the SMS and available for flag state audit. This includes documenting the content of training delivered, the date, the trainer, and the personnel who completed it.
Backup and recovery procedures
Your SMS must document backup procedures for safety-critical systems and data. This includes defining which systems require backup, how frequently backups are performed, where backup media is stored (and whether it is isolated from the main network), and how restoration is verified. Recovery procedures should include step-by-step instructions for restoring critical navigation and communication systems from backup after a cyber event.
These procedures should be tested periodically. A backup that has never been tested is not a backup - it is a hope. Include backup restoration testing in your drill schedule.
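The restoration verification and backup-age check described above, as an added example that is not code from the page or from NCoDE Command. The manifest format, the file names, the backup interval and the simulated corrupted restore are constructed for the example.

```python
"""Verify a restored backup set against a hash manifest and check backup age
(added example, constructed data and manifest format)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: str, manifest_path: str, taken_at: datetime) -> dict:
    """Record a hash for every file in the backup set at the time it is taken."""
    files = {}
    for root, _, names in os.walk(backup_dir):
        for n in names:
            p = os.path.join(root, n)
            files[os.path.relpath(p, backup_dir)] = sha256_file(p)
    manifest = {"taken_at": taken_at.isoformat(), "files": files}
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)
    return manifest


def verify_restore(restored_dir: str, manifest: dict) -> list:
    """Compare a restored tree with the manifest; an empty list means the restore is verified."""
    findings = []
    for rel, expected in manifest["files"].items():
        p = os.path.join(restored_dir, rel)
        if not os.path.exists(p):
            findings.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            findings.append(f"hash mismatch: {rel}")
    return findings


def backup_is_current(manifest: dict, now: datetime, max_age: timedelta) -> bool:
    """True if the backup is no older than the interval documented in the SMS."""
    taken = datetime.fromisoformat(manifest["taken_at"])
    return now - taken <= max_age


def demo() -> tuple:
    """Constructed scenario: two files backed up, restore comes back with one
    corrupted and one missing. Returns (findings, current?, stale?)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "backup")
        os.makedirs(src)
        with open(os.path.join(src, "ecdis_routes.bin"), "wb") as f:
            f.write(b"constructed route data")
        with open(os.path.join(src, "gmdss_config.xml"), "wb") as f:
            f.write(b"<config/>")
        taken = datetime(2024, 1, 1, tzinfo=timezone.utc)
        manifest = write_manifest(src, os.path.join(tmp, "manifest.json"), taken)

        # Simulated restore: the route file is truncated, the GMDSS config never arrives.
        dst = os.path.join(tmp, "restored")
        os.makedirs(dst)
        with open(os.path.join(dst, "ecdis_routes.bin"), "wb") as f:
            f.write(b"constructed route dat")

        findings = verify_restore(dst, manifest)
        # Assumed SMS interval: weekly backups.
        current = backup_is_current(manifest, taken + timedelta(days=3), timedelta(days=7))
        stale = backup_is_current(manifest, taken + timedelta(days=30), timedelta(days=7))
    return sorted(findings), current, stale


if __name__ == "__main__":
    print(demo())
```

Running the restore check as part of a drill, and keeping its output with the drill record, gives the auditor the "restoration is verified" evidence the procedure calls for rather than a statement that backups exist. The manifest itself should be stored with the isolated backup media so that it cannot be altered along with the files it describes.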
Roles and responsibilities
The SMS must clearly define who is responsible for cyber risk management at both the vessel and company level. This includes designating a person or role with responsibility for day-to-day cyber security onboard (often the ETO or a designated Cyber Security Officer), defining the DPA's role in cyber risk oversight, and establishing company-level responsibilities for providing support, resources, and policy guidance.
How Flag State Auditors Check for Cyber Provisions
Flag state auditors are now trained to assess cyber risk management as part of ISM audits. The depth of scrutiny varies between administrations, but the general approach follows a consistent pattern.
Auditors will look for documented evidence that cyber risk has been formally assessed, that the assessment is reflected in the SMS documentation, and that the company is actively managing the identified risks. This typically involves:
- Document review - The auditor will examine your SMS for references to cyber risk in the risk assessment, incident procedures, training matrix, and backup procedures. A complete absence of cyber references will result in a non-conformity.
- Record inspection - Training records, drill records, risk assessment reviews, and incident logs will be examined for evidence that cyber risk management is being actively implemented, not just documented.
- Crew interviews - Auditors may ask crew members about their awareness of cyber risks, what they would do if they encountered a suspicious email or USB device, and who they would report a cyber incident to. If crew members cannot answer basic questions about cyber procedures, it suggests the SMS provisions are not being effectively implemented.
- System observation - Some auditors will ask to see password policies in practice, network segmentation between crew and operational systems, or backup procedures being demonstrated. This is becoming more common as auditor training improves.
A major non-conformity related to cyber risk management can affect your Document of Compliance. This is not a theoretical risk - flag states including the Marshall Islands, Liberia, and Panama have all issued guidance to their auditors on assessing cyber provisions, and non-conformities have been raised against operators who have not updated their SMS.
The Documentation Challenge
The biggest practical challenge with ISM Code cyber compliance is not understanding what needs to be done - it is maintaining the documentation. SMS documents need to be updated, version-controlled, and distributed to vessels. Training records need to be tracked across crew rotations. Risk assessments need to be reviewed and updated. Drill records need to be maintained. Incident reports need to be filed and followed up.
For a single vessel, this is manageable with discipline. For a fleet of vessels with rotating crews, multiple flag states, and different system configurations, it becomes a significant administrative burden. This is where most operators struggle - not with the initial update, but with the ongoing maintenance of cyber provisions across their fleet.
How NCoDE Command Supports ISM Code Cyber Compliance
NCoDE Command is designed to address exactly this documentation and maintenance challenge. Rather than managing cyber compliance through standalone Word documents and Excel spreadsheets, the platform provides integrated modules that align with ISM Code requirements.
Document Vault
The Document Vault provides version-controlled storage for all SMS documentation. When cyber provisions are updated, the system tracks the change, records who made it and when, and maintains the complete revision history. Documents can be distributed to vessels with acknowledgement tracking, ensuring that every vessel has the current version and that crew have confirmed receipt.
Change Management
The Change Management module provides a structured workflow for SMS amendments. When you update a procedure to incorporate cyber risk provisions, the change goes through a defined review and approval process. This creates the documented evidence of management review that flag state auditors look for - proof that cyber provisions were deliberately incorporated into the SMS through your company's established change management process, not simply inserted without oversight.
Compliance tracking
NCoDE Command's compliance tracking maps your SMS provisions against the requirements of MSC-FAL.1/Circ.3, USCG 33 CFR 101, and EU NIS2. Each requirement is linked to the specific SMS sections, procedures, and records that demonstrate compliance. When an auditor asks how your SMS addresses a particular aspect of cyber risk management, the system can show exactly which documents, training records, and drill logs provide the evidence.
Training and drill records
The Training Matrix tracks cybersecurity training completion for every crew member, with expiry dates and renewal alerts. Drill records document cyber exercise execution, findings, and corrective actions. These records are maintained in a central system that persists across crew rotations, solving the problem of training records being lost or incomplete when crews change.
Risk Register integration
The Risk Register module maintains your cyber risk assessment as a living document within the same platform that manages the rest of your SMS. Risk scores are updated as mitigations are implemented, and the register links directly to the SMS procedures and controls that address each identified risk. This integration means your risk assessment and your SMS documentation are always in sync - a common audit finding is resolved by design.