Cyber security to be covered in SMS from 1 January 2021 – are you prepared?

The IMO has identified cyber security as a risk to be addressed in safety management systems and the handling of the risks are to be verified in audits from 1 January 2021 onwards. This statutory news summarises IMO’s main recommendations.

Technical and Regulatory News

Relevant for ship owners and managers as well as yards and manufactures.

The IMO decision to be handled:

As the maritime community is becoming increasingly connected and vessel operators are growing dependent on digital solutions for optimization of operations. Cyber security is key to ensuring safe operation of vessels; and safeguarding people, cargo and the environment.

The IMO has adopted a Resolution MSC 428(98) , “AFFIRMING that an approved safety management system should take into account cyber risk management in accordance with the objectives and f a Resolution MSC 428(98)unctional requirements of the ISM Code.” Companies must, no later than the first annual verification of their Document of Compliance (DOC) after 1 January 2021, demonstrate that cyber security is an integral part of the safety management system.

In support of the Resolution, the IMO has issued a guideline on maritime cyber security management. We recommend that all DOC holders carefully consider the guidance given. When doing so we draw your attention to the IMO’s guidance, stating that:

  • Ships with limited cyber-related systems may find a simple application of these Guidelines to be sufficient; however, ships with complex cyber-related systems may require a greater level of care and should seek additional resources through reputable industry and Government partners.
  • These Guidelines recommend a risk management approach to cyber risks that is resilient and evolves as a natural extension of existing safety and security management practices.

DOC holders must assess their safety management systems’ effectiveness for handling cyber security and develop appropriate measures.. DNV GL will as Recognized Organization (RO) stick to requirements from the ISM Code and from the flag states.

Through the DNV GL Fit for Purpose delivery model for management systems services, we will speak to our customers, assess their needs and apply an audit focus, as appropriate, on cyber security.

Advice from DNV GL’s cyber security experts:

DNV GL’s Class and Maritime Advisory units have special cyber security expertise and provide services to make customers’ systems more robust to outside threats. These services, delivered separately from our work as RO, will support handling your needs effectively. It must be noted that the DOC holder will remain responsible for having measures needed to ensure ongoing compliance and meeting objectives in the ISM Code and that decisions on compliance will remain with the formal statutory audits (DOC and SMC). Noting that DOC holders must develop measures fitting their needs, DNV GL recommends considering the following Plan-Do-Check-Act cycle:


  • Identify cyber security objectives o Make an inventory of systems and software
  • Execute cyber risk assessment and identify improvement needs with prioritization


  • Integrate cyber security policies and procedures into the SMS
  • Define and update roles and responsibilities for cyber security
  • Execute cyber security training (general awareness and role based)
  • Roll out network segregation and hardening of systems


  • Evaluate effectiveness of reaching objectives o Analyse cyber incident and event reports, data monitoring, etc.
  • Execute internal audits and have management and master’s reviews with cyber security on the agenda


  • Execute corrective and preventive actions to the whole fleet o Ensure ongoing compliance and strive for continuous improvement

More information on DNV GL’s services to build and verify cyber security resilience is provided in the references below, including a link to DNV GL cyber security class notations which address the cyber security of a vessel’s main functions and the owner’s operational needs, in reference to the upcoming IMO resolution MSC.428(98).


Cyber security will be a mandatory focus area in the 2021 annual DOC audits. DNV GL suggests companies use the opportunity to consider cyber security for its digital solutions, making sure cyber security will be implemented and ready for management systems audits in 2021.


For full text of IMO documents see:

Further information from DNV GL:

Several flag states also have cyber security information on their web sites.


  • For customers: DATE – Direct Access to Technical Experts via My Services on Veracity 
  • Otherwise: use our office locator to find the nearest DNV GL office.
29 April 2022

IMO maritime safety committee (MSC 105)

The 105th session of the IMO’s Maritime Safety Committee (MSC) was held remotely from 20 to 29 April. A wide range of topics was on the agenda, including the safety of ships carrying industrial personnel, the safety of ships relating to the use of fuel oil, and the consideration of a regulatory framework for maritime autonomous surface ships. Requirements reflecting modern systems for maritime distress and safety communication were adopted and interim guidelines for the safety of ships using fuel cell power installations were approved. The development of interim guidelines for ships using ammonia as fuel were initiated.

  • Maritime
11 April 2022

IMO sub-committee on pollution prevention and response (PPR9)

The 9th session of the IMO’s Sub-Committee on Pollution Prevention and Response (PPR 9) was held remotely from 4 to 8 April 2022. A wide range of topics was on the agenda, including biofouling, ballast water management, black carbon, sewage treatment and marine plastic litter. PPR agreed on draft guidelines on risk and impact assessments of the discharge water from exhaust gas cleaning systems when considering local or regional regulations.

  • Maritime
24 March 2022

SEEMP Part III and the upcoming SEEMP Generator from DNV

Since 2019 ships of 5,000 GT and above have been reporting their fuel oil consumption data mandated by the IMO DCS. From 2023, cargo, cruise and RoPax ships must calculate CII with a required rating of C or better. This means some ships will have to improve their carbon intensity. A verified Ship Operational Carbon Intensity Plan, or SEEMP Part III, is to be kept on board from 1 January 2023 to document how you plan to achieve your CII targets. This statutory news provides an update on the SEEMP Part III and recommends next steps.

  • Maritime
07 March 2022

IMO Sub-Committee on Ship Systems and Equipment (SSE 8)

The 8th session of the IMO’s Sub-Committee on Ship Systems and Equipment (SSE 8) was held remotely from 28 February to 4 March. SSE 8 finalized draft new ventilation requirements for lifeboats and liferafts, and draft new guidelines for the design, construction, installation, testing, maintenance and operation of lifting appliances and anchor handling winches. Good progress was made on the new mandatory requirements to minimize the incidence and consequences of fires on ro-ro passenger ships, and on the work to improve the safety of commercial diving operations.

  • Maritime
14 February 2022

IMO Sub-Committee on Human Element, Training and Watchkeeping (HTW 8)

The 8th session of the IMO’s Sub-Committee on Human Element, Training and Watchkeeping (HTW 8) was held remotely from 7 to 11 February. Highlighting the human element as a key factor both for safety and environmental protection, HTW 8 agreed on a revised checklist for considering the human element in the review, development and implementation of new and existing IMO requirements. HTW 8 also agreed on amendments to the STCW Convention and Code to accommodate the use of seafarers’ electronic certificates and documents.

  • Maritime
View all