Internal Auditing of Cyber Risk Management in the Cruise Industry

Participants will learn how to effectively audit a safety management system in terms of cyber risk management

Objectives

The objectives of this training are to:

  • Review international maritime cyber security requirements
  • Understand IT (information technology) and OT (operational technology) risks relevant for the cruise industry
  • Become familiar with key cyber security standards
  • Become better equipped to audit a cyber risk management system for vessel operations as a ship manager
  • Utilize the audit to contribute beyond regulatory compliance to continually improve the system over time


Entrance requirements

Qualified or experienced ISO internal auditors with knowledge of ISM requirements

Who should attend:
Internal Auditors who will be conducting cyber risk management audits as per ISM Code.

Duration: 1 day

Since 2021, DOC audits have included cyber risk management. In April 2025, the IMO approved the third version of MSC-FAL.1.Circ.3 (Guidelines on Maritime Cyber Risk Management), which includes cyber security auditing. This course was developed by DNV Cyber to support the internal audit team called upon to undertake this additional requirement.
Please note: This training is not suitable for attendees without previous ISO auditor experience.

Participants will learn how to effectively audit a safety management system in terms of cyber risk management. The scope of the audit is aligned with the ISM Code and takes other best practices into consideration (see focus points). The course includes practical instructions and exercises to audit the company with respect to:

  • roles and responsibilities, through interviews with the DPA, administrators or cyber security officers, and users
  • relevant documentation, such as the cyber risk assessment, software change management, cyber incident response plan or cyber awareness training
  • relevant security processes, such as asset inventory management, network segregation, remote access control, portable devices (USB) and system change control

This training has been customized for the cruise segment, drawing on relevant use case studies. The course ends with a final exam to verify and solidify the new learnings.

The course focuses on:

  • Cyber and information security regulations and relevant standards and best practices (ISM code, IACS UR-E26, ISO 27001, NIST cyber security framework, TMSA 3)
  • Cyber risk management defence-in-depth principles: Govern, Identify, Protect, Detect, Respond and Recover
  • Typical cyber and information security audit findings
  • Continuous improvement and maturity finalization
  • Benefiting from DNV’s experience with other customer projects in the cruise segment