Cyber security to be covered in SMS from 1 January 2021 – are you prepared?

The IMO has identified cyber security as a risk to be addressed in safety management systems and the handling of the risks are to be verified in audits from 1 January 2021 onwards. This statutory news summarises IMO’s main recommendations.

Technical and Regulatory News

Relevant for ship owners and managers as well as yards and manufactures.

The IMO decision to be handled:

As the maritime community is becoming increasingly connected and vessel operators are growing dependent on digital solutions for optimization of operations. Cyber security is key to ensuring safe operation of vessels; and safeguarding people, cargo and the environment.

The IMO has adopted a Resolution MSC 428(98) , “AFFIRMING that an approved safety management system should take into account cyber risk management in accordance with the objectives and f a Resolution MSC 428(98)unctional requirements of the ISM Code.” Companies must, no later than the first annual verification of their Document of Compliance (DOC) after 1 January 2021, demonstrate that cyber security is an integral part of the safety management system.

In support of the Resolution, the IMO has issued a guideline on maritime cyber security management. We recommend that all DOC holders carefully consider the guidance given. When doing so we draw your attention to the IMO’s guidance, stating that:

  • Ships with limited cyber-related systems may find a simple application of these Guidelines to be sufficient; however, ships with complex cyber-related systems may require a greater level of care and should seek additional resources through reputable industry and Government partners.
  • These Guidelines recommend a risk management approach to cyber risks that is resilient and evolves as a natural extension of existing safety and security management practices.

DOC holders must assess their safety management systems’ effectiveness for handling cyber security and develop appropriate measures.. DNV GL will as Recognized Organization (RO) stick to requirements from the ISM Code and from the flag states.

Through the DNV GL Fit for Purpose delivery model for management systems services, we will speak to our customers, assess their needs and apply an audit focus, as appropriate, on cyber security.

Advice from DNV GL’s cyber security experts:

DNV GL’s Class and Maritime Advisory units have special cyber security expertise and provide services to make customers’ systems more robust to outside threats. These services, delivered separately from our work as RO, will support handling your needs effectively. It must be noted that the DOC holder will remain responsible for having measures needed to ensure ongoing compliance and meeting objectives in the ISM Code and that decisions on compliance will remain with the formal statutory audits (DOC and SMC). Noting that DOC holders must develop measures fitting their needs, DNV GL recommends considering the following Plan-Do-Check-Act cycle:


  • Identify cyber security objectives o Make an inventory of systems and software
  • Execute cyber risk assessment and identify improvement needs with prioritization


  • Integrate cyber security policies and procedures into the SMS
  • Define and update roles and responsibilities for cyber security
  • Execute cyber security training (general awareness and role based)
  • Roll out network segregation and hardening of systems


  • Evaluate effectiveness of reaching objectives o Analyse cyber incident and event reports, data monitoring, etc.
  • Execute internal audits and have management and master’s reviews with cyber security on the agenda


  • Execute corrective and preventive actions to the whole fleet o Ensure ongoing compliance and strive for continuous improvement

More information on DNV GL’s services to build and verify cyber security resilience is provided in the references below, including a link to DNV GL cyber security class notations which address the cyber security of a vessel’s main functions and the owner’s operational needs, in reference to the upcoming IMO resolution MSC.428(98).


Cyber security will be a mandatory focus area in the 2021 annual DOC audits. DNV GL suggests companies use the opportunity to consider cyber security for its digital solutions, making sure cyber security will be implemented and ready for management systems audits in 2021.


For full text of IMO documents see:

Further information from DNV GL:

Several flag states also have cyber security information on their web sites.


  • For customers: DATE – Direct Access to Technical Experts via My Services on Veracity 
  • Otherwise: use our office locator to find the nearest DNV GL office.
27 February 2024

IMO Sub-Committee on pollution prevention and response (PPR 11)

The 11th session of the IMO’s Sub-Committee on Pollution Prevention and Response (PPR11) was held in London from 19 to 23 February 2024. A wide range of topics was on the agenda, including engine certification, black carbon, sewage treatment and marine plaster litter. PPR agreed on amendments to the NOx Technical Code allowing for multiple engine operational profiles (MEOP), and also to improving the recertification of existing engines on board ships.

  • Maritime
12 February 2024

IMO Sub-Committee on human element, training and watchkeeping (HTW 10)

The 10th session of the IMO’s Sub-Committee on Human Element, Training and Watchkeeping (HTW 10) was held from 5 to 9 February 2024. A comprehensive revision of the STCW Convention and Code was initiated to address experiences, emerging challenges and technological advancements. Training provisions for seafarers on ships using alternative fuels, including battery-powered ships, will be considered separately.

  • Maritime
29 January 2024

IMO Sub-Committee on ship design and construction (SDC 10)

The 10th session of the IMO’s Sub-Committee on Ship Design and Construction (SDC 10) was held from 22 to 26 January 2024. To ensure the safety of crew, draft amendments were agreed to the Load Line Protocol relating to the setting of guard rails on exposed deck structures. Draft goal-based requirements for electrical and machinery installations were agreed in general, while work to define goal-based requirements also for non-traditional steering and propulsion systems made good progress. SDC 10 also moved forward the revision of the explanatory notes to the Safe Return to Port requirements for passenger ships.

  • Maritime
10 November 2023

How to reduce the risk of propeller shaft bearing damage

In January 2022, DNV published a technical news drawing attention to the latest trend related to propeller shaft aft bearing damage on vessels, typically 10 years or older. This trend continues, and many of the reported damages are encountered on installations using environmentally acceptable lubricants (EALs) and/or involving a history of operation with a contaminated lubricant. This news focuses on how to reduce the risk of shaft aft bearing damage.

  • Maritime
View all