Human factor, training, processes are essential and should be integrated in the cyber risk management onboard and in a cybersecurity assessment

For IMO : “Effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels of an organization and ensure a holistic* and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.” (source IMO Guidelines / MSC-FAL.1/Circ.3, 5 July 2017, § 3.3)

“Cyber risk management should ensure an appropriate level of awareness of cyber risks at all levels of an organization. The level of awareness and preparedness should be appropriate to roles and responsibilities”. (source IMO Guidelines / MSC-FAL.1/Circ.3, 5 July 2017, § 3.7)

Personnel conducting internal audits of the security activities shall be independent of the activities being audited unless this is
impracticable due to the size and the nature of the Company or of the ship. (Source ISPS Code, Part A / 9. Ship Security Plan)

*holistic cybersecurity: not just limited to IT security, but covering the whole scope of cybersecurity. 3 pillars of cybersecurity are: Human + Organization + Technology