ISM cyber security is coming soon - check your preparedness

The IMO has identified cyber security as a risk to be addressed in safety management systems, and the handling of risks is to be verified in audits from 1 January 2021 onwards. This statutory news summarises experiences so far, provides advice on handling and offers a Quick Check.

Cyber security | DNV GL - Maritime

Relevant for ship owners and managers as well as yards, design offices and suppliers.

The handling of cyber risk through safety management systems continues to vary. Some Document of Compliance (DoC) holders seem to have a good start, while others have not even started. Investing in time and resources is important to implement an effective system.

DNV GL has developed an SMS Cyber Security Quick Check supporting maritime cyber risk handling through the ISM Code. We recommend all ship owners and DoC holders to perform this check, as it gives an overview of topics that have been addressed in 2020, including:

  • Commitment from the top and throughout the organization
  • Safety and environmental protection policy addressing cyber security
  • Comprehensive cyber risk management to identify threats, assess potential consequences of compromised IT and OT systems, and establish appropriate safeguards
  • Measures to cover normal operation and emergency situations
  • Roles, tasks and responsibilities for company staff and onboard crew
  • Continuous improvement of safety management skills of personnel onshore and on board ships, including preparing for emergencies also in light of cyber security
  • Cyber safety and cyber security maintenance of systems and data
  • Identification of vulnerabilities and weaknesses as well as continuous execution of improvements

DNV GL has collected valuable information from some of our ISM auditors, and a summary of their feedback is provided below.

Cyber challenges reported by DNV GL auditors:

  • Often difficult to address complicated problems in an easy way so that people can manage them without high technical knowledge of cyber safety and security
  • Insufficient control of subcontracted IT services
  • Focusing on both IT and OT is a challenge
  • Weaknesses in access control, separating networks and effective firewalls
  • Insufficient knowledge and training of crew, internal auditors, and superintendents on cyber security
  • Cyber security risks and safeguards are not always easy to understand, and follow-up is a challenge for many

Main advice from our auditors and cyber security experts:

  • Enhance risk and vulnerability assessments, test systems and network integrity with experts and concentrate improvement efforts first and foremost on crew and other staff involved in handling cyber security.
  • Build on existing SMS, roles, responsibilities, tasks, etc.
  • mprove the organizational understanding that success is dependent on support from all involved.
  • nvolve, train and motivate crew, superintendents and auditors and gain commitment from top management.
  • Establish appropriate safeguards for cyber security risks and do not try to prohibit everything.
  • Apply work permits tailored for software and hardware changes in order to manage risks in changes to systems.
  • Train both normal safe operational behaviour as well as drill emergency response, also to cyber security events.
  • Keep it simple and remember the IMO advice that the risk management approach to cyber risks should be resilient and evolve as a natural extension of existing safety and security management practices!

The DNV GL SMS Cyber Security Quick Check is a simple way to facilitate the handling of cyber security and support DoC holders with SMS measures on cyber security that fit their needs.


To be prepared for 2021 audits, consider IMO MSC-FAL.1/Circ.3 and note:

No two organizations are the same, and SMS measures must fit the needs of DoC holders. Companies operating ships with limited cyber-related systems may find MSC-FAL.1/ Circ.3 sufficient, while those with complex cyber-related systems may require a greater level of care and seek additional resources through reputable partners. DNV GL has services and experts ready to help.



  • For customers: DATE – Direct Access to Technical Experts via My Services on Veracity 
  • Otherwise (including approved radio service suppliers): Use our office locator to find the nearest DNV GL office.
29 April 2022

IMO maritime safety committee (MSC 105)

The 105th session of the IMO’s Maritime Safety Committee (MSC) was held remotely from 20 to 29 April. A wide range of topics was on the agenda, including the safety of ships carrying industrial personnel, the safety of ships relating to the use of fuel oil, and the consideration of a regulatory framework for maritime autonomous surface ships. Requirements reflecting modern systems for maritime distress and safety communication were adopted and interim guidelines for the safety of ships using fuel cell power installations were approved. The development of interim guidelines for ships using ammonia as fuel were initiated.

  • Maritime
11 April 2022

IMO sub-committee on pollution prevention and response (PPR9)

The 9th session of the IMO’s Sub-Committee on Pollution Prevention and Response (PPR 9) was held remotely from 4 to 8 April 2022. A wide range of topics was on the agenda, including biofouling, ballast water management, black carbon, sewage treatment and marine plastic litter. PPR agreed on draft guidelines on risk and impact assessments of the discharge water from exhaust gas cleaning systems when considering local or regional regulations.

  • Maritime
24 March 2022

SEEMP Part III and the upcoming SEEMP Generator from DNV

Since 2019 ships of 5,000 GT and above have been reporting their fuel oil consumption data mandated by the IMO DCS. From 2023, cargo, cruise and RoPax ships must calculate CII with a required rating of C or better. This means some ships will have to improve their carbon intensity. A verified Ship Operational Carbon Intensity Plan, or SEEMP Part III, is to be kept on board from 1 January 2023 to document how you plan to achieve your CII targets. This statutory news provides an update on the SEEMP Part III and recommends next steps.

  • Maritime
07 March 2022

IMO Sub-Committee on Ship Systems and Equipment (SSE 8)

The 8th session of the IMO’s Sub-Committee on Ship Systems and Equipment (SSE 8) was held remotely from 28 February to 4 March. SSE 8 finalized draft new ventilation requirements for lifeboats and liferafts, and draft new guidelines for the design, construction, installation, testing, maintenance and operation of lifting appliances and anchor handling winches. Good progress was made on the new mandatory requirements to minimize the incidence and consequences of fires on ro-ro passenger ships, and on the work to improve the safety of commercial diving operations.

  • Maritime
14 February 2022

IMO Sub-Committee on Human Element, Training and Watchkeeping (HTW 8)

The 8th session of the IMO’s Sub-Committee on Human Element, Training and Watchkeeping (HTW 8) was held remotely from 7 to 11 February. Highlighting the human element as a key factor both for safety and environmental protection, HTW 8 agreed on a revised checklist for considering the human element in the review, development and implementation of new and existing IMO requirements. HTW 8 also agreed on amendments to the STCW Convention and Code to accommodate the use of seafarers’ electronic certificates and documents.

  • Maritime
View all