IMO 2021 requires a holistic* approach to cybersecurity on boats, and highlights that cybersecurity is not just IT security.
Deadline: first annual verification of the company’s DOC after 1 January 2021
The human factor, training and processes are essential and should be integrated into cyber risk management onboard and into a cybersecurity assessment.
For IMO: “Effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels of an organization and ensure a holistic* and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.” (source IMO Guidelines / MSC-FAL.1/Circ.3, 5 July 2017, § 3.3)
“Cyber risk management should ensure an appropriate level of awareness of cyber risks at all levels of an organization. The level of awareness and preparedness should be appropriate to roles and responsibilities”. (source IMO Guidelines / MSC-FAL.1/Circ.3, 5 July 2017, § 3.7)
Personnel conducting internal audits of the security activities shall be independent of the activities being audited unless this is impracticable due to the size and the nature of the Company or of the ship. (Source ISPS Code, Part A / 9. Ship Security Plan)
*holistic cybersecurity: not limited to IT security, but covering the whole scope of cybersecurity. The 3 pillars of cybersecurity are: Human + Organization + Technology
Special focus: Cayman
To: Owners, Managers, Masters and Recognised Organisations of Cayman Islands Ships
IMO MSC.428(98), adopted on 16 June 2017, requires that an approved safety management system should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code.
Furthermore, this should be addressed in safety management systems no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.
Guidance note 072019
11 November 2019
Specific regulations by flag
Contact us for information and assistance regarding your flag. Specific regulations may apply for cybersecurity, from January 2021: email@example.com