The ISM Code Crucial for Cyber Resilience


The ISM Code is now more important than ever, to ensure that vessels report any identified cyber risk, and become cyber resilient, reports Safety4Sea.

About ISM Code 

  • The ISM Code entered into force on 1 July 1998.
  • Code has been revised multiple times, following the changes and the evolution of the shipping industry.

What is the requirement?

In the new era of digitalization, the ISM Code, supported by the IMO Resolution MSC.428(98), requires ship owners and managers to assess cyber risk and implement relevant measures across all functions of their safety management system, until the first Document of Compliance after 1 January 2021.

Vessels vulnerable to cyber-attacks

Vessels of today consist of complex systems that make them more vulnerable to cyber-attacks, from their IT and OT, to bridge systems, as well as communications systems.

So it is of great importance that all shipping companies include cyber risk into their SMS, so they know how to deal and approach a cyber incident.

First inspection by the ISM auditors 

Thus, adding cyber risk into the SMS, typically, needs several months of preparations, depending on how complex are the technological systems on the vessel concerned. 

However, all cases must be completed ahead of the first inspection by the ISM auditors after January 1st, 2021.

Incorporating cyber risk into the company’s SMS 

What should the SMS include?

  • Instructions and procedures to ensure the safe operation of the ship and 
  • protection of the environment in compliance with relevant international and flag state requirements. 

Instructions and procedures 

These instructions and procedures should consider risks arising from the use of IT and OT on board, taking into account applicable codes, guidelines and recommended standards.

The industry, now, aspires to deal with the risks from IT and OT systems in an almost identical way to minimizing physical risks such as fire.

Assessing the potential physical damage from a cyber incident  

When included in the company’s SMS, a cyber incident should be assessed on:

  1. how it could manipulate the operation of sensors and actuators to impact the physical environment
  2. what redundant controls and manual overriding possibilities exist in the OT system to prevent an incident
  3. how a physical incident could emerge.
  4. how to evaluate potential effects to the physical process performed by the OT system.

Steps a shipping company should follow

Company should plan its objectives

More specifically, a shipping company should firstly “plan” its objectives. This means that the company has to know:

  • its goals and what it wants to protect, 
  • make an inventory of systems and 
  • software and execute its cyber risk assessment. 

What the company should “do”?

Then, Georg Smefjell, Management Systems, DNV GL, proposes that the company should “do”. 

  • The company ought to set its cyber security policy & procedures, define roles and responsibilities, 
  • implement cyber security training and 
  • report any cyber incident. 


The third step is to “check”. Each company is advised to evaluate the effectiveness of its plan, analyse the cyber incident and event report, and conduct internal audits of cyber security.


The last step is to “act”. After planning, acting and checking, each company has to take a step back, understand the procedure, execute corrective & preventive actions and continue improving. 

Maintain the management system systematics

Another issue arising is that you have to maintain the management system systematics, to ensure that you will continue being protected and that the personnel is aware of the possible dangers and knows how to deal with them. 

How can this be achieved?

#1 Identification

A shipping company can define key personnel for specific roles and responsibilities on cyber risk management and be able to identify systems the systems, assets, data and capabilities that, when disrupted, pose risks to ship operations.

#2 Protection

Implement risk control processes and measures, and contingency planning to protect against a cyber-event and ensure continuity of shipping operations.

#3 Detection

Develop and implement activities necessary to detect a cyber-event in a timely manner.

#4 Response

Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber-event.

#5 Recovery

Identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber-event.

Cyber awareness is the key

Cyber security the human factor

It is supported that the weakest link when it comes to cyber security is still the human factor. Onboard personnel have a key role in operating the IT and OT systems onboard, as well as protecting them.

Training to identify and report cyber incidents

It is therefore important that seafarers are given proper training to help them identify and report cyber incidents. Training and awareness should be tailored to the appropriate seniority of onboard personnel including the master, officers and crew.

Raise awareness of cyber risk threats

Overall, the key is the need to raise awareness of cyber risk threats, understand the challenges, prevent any incident and know how to deal with any problem that may arise.

Did you subscribe to our daily newsletter?

It’s Free! Click here to Subscribe!

Source: Safety4Sea


This site uses Akismet to reduce spam. Learn how your comment data is processed.