Forthcoming changes to the ISM Code – Cyber Security

In June 2017 the IMO’s Marine Safety Committee issued Resolution MSC 428(98), which incorporates changes to the ISM Code.


WHO: The ISM Code is incorporated into SOLAS so the changes will affect all vessels to which Chapter IX of SOLAS applies. This includes all commercially operated vessels over 500gt. It may also include other vessels depending upon Flag State requirements, for example yachts operating mini-ISM systems. However, Flag States are still to issue detailed guidance on their interpretations of the resolution.


WHAT: Companies operating approved safety management systems are “required to take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code”. In practice, this means that the company has to risk-assess its IT systems – including systems used to operate the vessel – and issue procedures to manage all cyber security risks.


WHEN: All risk assessments, procedures and training need to be completed by the company no later than the first annual verification of the company’s Document of Compliance after 1st January 2021.


WHERE: This requirement applies to all vessels operated by the company and the company infrastructure ashore. Due to cyber threats from external sources, this will include interactions with company suppliers, customers, port operators, agents, regulators etc.


WHY: There have been a number of high-profile hacks of large shipping companies over the last few years. There has also been speculation in the global press regarding vulnerabilities to ships from cyber attack and the potential catastrophic consequences.


HOW: Companies are required to comply with industry best practice and assess potentially vulnerable systems. These include, but are not limited to:


    • Bridge Systems
    • Cargo handling and management systems
    • Propulsion and machinery management and power control systems
    • Access control systems
    • Passenger servicing and management systems
    • Passenger facing public networks
    • Administrative and crew welfare systems
    • Communication systems


Changes to a mixture of operational systems and IT hardware may be required to ensure that the company is compliant.


Flag State auditors will be concentrating on cyber security systems at the company DOC audit in 2021. It is also expected that Port State Control will ask for evidence of compliance with cyber security best practice during inspections after 1st January 2021.


Eazi Security is a world-leading supplier of marine cyber security systems. It is a premier partner with Cisco Systems, the world’s largest provider of networking hardware, telecommunications equipment and other high-technology services and products. Eazi Security has mariners on staff with unrivaled experience in designing, writing and auditing ISM and ISO systems.


Contact David Clayden now to understand more and register for a free network security healthcheck.