Skip content

How to approach the IMO cyber requirements

Cybersecurity is reaching the top of the agenda for many maritime organisations as IMO’s requirements for integrating cyber risk into onboard safety management systems come into force on the 1st of January 2021. The sector is already familiar with the concept of risk and with the creation of a risk management plan. What is required now is to include the cyber risk in the management plan.

But is this cyber risk real in the sector? We believe that “Yes” is the definitive answer and the IMO requirements will play a role in raising awareness of the online threats faced.

In this blog post, Nettitude provides a short summary of what shipowners and ship managers need to do to satisfy the new requirements and at the same time improve their cybersecurity posture.

How prepared is the Maritime and Offshore industry?

The Cybersecurity Survey published by Safety at Sea and BIMCO Maritime in May 2020 reports that 77% of the responders see cyber-attacks as a high or medium risk to their organisations, 63% said they received cybersecurity training, but only 42% of respondents said that their organisation protects vessels from operational technology cyber threats.

Nettitude's Product Development Manager, Elisa Cassi comments:

"Some work is still certainly to be done, but the IMO requirements and guidelines coming into force will certainly help in this sense."

What should the maritime organisations do to satisfy the IMO requirements?

The IMO Resolution and Guidelines provide specific recommendations on how to identify and manage maritime cyber risks and are expected to be implemented within the International Safety Management (ISM) Code procedures and the Safety Management System (SMS) for the vessel. This means that in compliance with the requirements of the ISM Code, every company should develop, implement and maintain a SMS. The SMS embraces the objectives of the Code to ensure safety at sea, prevention of human injury or loss of life, and avoidance of damage to the environment, in particular, to the marine environment and to property.

It is important to highlight that the IMO resolution is not just about completing a risk register or defining a management plan – organisations should over time execute on that plan and address the risks. Satisfying the IMO requirements should be just a “starting point” of a longer journey.

What action should be taken? 

Nettitude recommend doing the following:

    1. Prepare and ensure cyber risks are identified and understood within the operations
    2. Document a risk treatment and management plan for these risks
    3. Prepare and demonstrate this at the next ISM DOC Audit (post Jan 2021)
    4. Consider implications for the shipboard ISM and ISPS audits
    5. Put in place effective cyber capabilities based on the threats faced
    6. Build a relevant, pragmatic and suitable cyber strategy for the future

For additional details on the IMO requirements, please, see our previous blogs posts:

    • https://blog.nettitude.com/the-new-imo-maritime-cyber-security-guidelines-nettitude
    • https://blog.nettitude.com/implementing-the-imo-cybersecurity-requirements-for-ships

How can Nettitude help?

Ship owners and ship operators would like assurance that what they are doing will meet the intent of the IMO’s resolution and be accepted when the time of audit comes. As the guidance allows for many ways for organisations to meet this resolution, it can be hard to know what will be accepted at an audit.

In the diagram below, a view of how Nettitude and Lloyd’s Register can support our clients in terms of IMO regulations is presented and visibly the IMO related services are the “Starting point” of the journey.

IMO 2021 Cyber Readiness Assessment -

Designed as a starting point for organisations wanting an independent review of their current status, and future plans. This service is normally delivered by LR/Nettitude as a simple review of the current status of things in terms of client’s cyber strategy, capabilities and readiness to meet the IMO guidance. Guidance and consultancy are given to improve, maturity and address any gaps found. This service can be delivered on site or remotely and the review is largely conducted with head office staff on shore, although some interviews with vessel crews may be required.

This service provides a fast and efficient way to understand the current readiness for the audits post Jan 2021.

IMO Cyber Risk Register Creation -

Designed for organisations requiring a cyber risk register and risk treatment plans to be reviewed/created/matured. Our ‘IMO Cyber Risk Management’ Service supports clients in achieving the requirements set out by the IMO in resolution (MSC.428(98)) to ensure that cyber risks are identified and understood. As part of this service Nettitude help our clients understand cyber risks and implement a risk management framework. This includes educating key stakeholders, creating a risk methodology and approach for cyber risks, completing a risk assessment against critical assets, developing risk treatment plans to address any unacceptable risks identified and providing guidance to the right controls and risk mitigations required.

The service is designed to enable organisations starting out on their journey to meeting IMO cyber requirements and those seeking to address cyber risks pragmatically within their organisations.

For further details on how Nettitude and Lloyd’s Register can help you on the IMO Journey, please don’t hesitate to get in touch.