Key Takeaways
- IMO Resolution MSC.428(98) requires cyber risk to be addressed in each shipping company's Safety Management System (SMS) under the ISM Code, no later than the first annual verification of the company's Document of Compliance after 1 January 2021.
- MSC-FAL.1/Circ.3 (Rev.2, 2022) is the operational guidance. It structures cyber risk management around five functional elements (Identify, Protect, Detect, Respond, Recover) taken from the NIST Cybersecurity Framework.
- Compliance is not optional. Flag states now check cyber evidence at SMS audits, and Port State Control is starting to ask similar questions during inspections.
- Documentation is the dominant gap. Most shipowners have done the work in pieces but cannot show the auditor a single coherent set of records.
- The roadmap: asset inventory, risk assessment, SMS integration, crew training, contingency plans, vendor management, periodic review. Expect 3 to 6 months for a mid-size fleet to get audit-ready.
What Is IMO 2021 and Why It Matters
IMO 2021 is shorthand for the cyber security requirements introduced by the International Maritime Organization through Resolution MSC.428(98), adopted in June 2017. The resolution affirms that cyber risk must be addressed in the Safety Management System no later than the first annual verification of the company's Document of Compliance after 1 January 2021, which is why the regime is dated to that year. It applies to every shipping company subject to the ISM Code (broadly, cargo ships and mobile offshore drilling units of 500 gross tonnage and above, and all passenger ships).
Before IMO 2021, cyber risk on vessels was largely an unregulated, vendor-specific concern. Bridge systems, engine monitoring, cargo control and crew networks were each treated as separate technology problems. After 1 January 2021, all of these are part of the safety regime. A cyber failure that affects a vessel's safety, navigation or pollution prevention now sits within the same regulatory framework as a propulsion failure or a fire-safety lapse.
Flag state administrations (DGS in India, MPA in Singapore, MCA in the UK, USCG in the US, the Norwegian, Greek, Liberian, Maltese and Marshall Islands registries) now expect to see cyber evidence at the company SMS audit and the vessel SMC audit. Several have published their own cyber inspection checklists derived from the IMO guidance.
MSC-FAL.1/Circ.3: The Operational Guidance
Resolution MSC.428(98) sets the high-level requirement. The operational guidance for shipping companies is MSC-FAL.1/Circ.3 (Guidelines on Maritime Cyber Risk Management), first issued in 2017 and most recently revised as Rev.2 in 2022. This circular is the document auditors will reference when reviewing your SMS cyber content.
The guidance frames maritime cyber risk management around five functional elements borrowed directly from the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond and Recover. Each element has expectations the shipping company should be able to demonstrate.
- Identify: vessel and shore asset inventory, threat assessment, vulnerability assessment, vendor identification, criticality assessment of each system
- Protect: technical controls (segmentation, hardening, patching), administrative controls (access management, training), physical controls (USB media, removable devices)
- Detect: monitoring of vessel and shore systems for anomalies, integrity checks on bridge systems, log review, alerting
- Respond: documented incident response plan, vessel-shore communication protocols during a cyber incident, recovery decision authority
- Recover: backup of safety-critical systems, restoration testing, post-incident review and SMS updates, lessons learned
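Of the five elements, Detect is the one most directly expressible as working code. The script below is an added example for this article, not part of the IMO circular or of any ECDIS vendor's software: it baselines the files in a bridge system's chart and configuration directory, seals the baseline with an HMAC so that an attacker who can alter the charts cannot also quietly rewrite the baseline, and reports added, removed and modified files on the next check. The directory layout, file names and the HMAC key are constructed for illustration; in practice the key and the sealed baseline would be held shore-side, not on the bridge PC being checked.

```python
"""File-integrity baseline and check for a bridge system's chart/config folder.

Added example for the Detect element of MSC-FAL.1/Circ.3. Paths, file names
and BASELINE_KEY are assumptions made for this illustration.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Assumed key. Kept off the monitored system in real deployments so that
# tampering with the baseline file itself is detectable.
BASELINE_KEY = b"example-key-replace-me"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every regular file under root; return {relative_posix_path: sha256}."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = sha256_file(p)
    return files


def seal_baseline(files: dict, key: bytes = BASELINE_KEY) -> str:
    """Serialise the baseline and append an HMAC over the canonical JSON body."""
    body = json.dumps(files, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"files": files, "hmac": tag}, sort_keys=True)


def load_baseline(sealed: str, key: bytes = BASELINE_KEY) -> dict:
    """Verify the HMAC before trusting the baseline; raise if it was altered."""
    doc = json.loads(sealed)
    body = json.dumps(doc["files"], sort_keys=True)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline HMAC mismatch: baseline file was altered")
    return doc["files"]


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current directory state with the baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in current.keys() & baseline.keys() if current[p] != baseline[p]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline a chart folder, then alter one chart cell
    and drop an unexpected executable, as a USB-borne update might do."""
    with tempfile.TemporaryDirectory() as d:
        charts = Path(d) / "charts"
        (charts / "ENC").mkdir(parents=True)
        cell = charts / "ENC" / "XX50001A.000"          # constructed cell name
        cell.write_bytes(b"constructed chart cell v1")
        (charts / "config.ini").write_text("[ecdis]\nsafety_contour=10\n")
        sealed = seal_baseline(build_baseline(charts))

        # Simulated tampering after the baseline was taken.
        cell.write_bytes(b"constructed chart cell v1 ALTERED")
        (charts / "update.exe").write_bytes(b"MZ constructed")

        return check_integrity(charts, load_baseline(sealed))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script reports `ENC/XX50001A.000` as modified and `update.exe` as added, which is exactly the kind of log entry the incident log in the documentation list below needs to capture. The sealed baseline is what makes this an auditable control rather than a convenience script: without the HMAC, anyone who can write to the chart folder can regenerate the baseline and the check proves nothing.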
Need Maritime Cyber Assessment?
Codesecure runs IMO 2021 and BIMCO-aligned cyber risk assessments and OT pentests for shipowners, managers, ports and terminals. ISO/IEC 27001:2022 certified, named consultants with OSCP and ICS credentials, fixed-price proposals and free retest within 90 days.
See Maritime Services →
Integrating Cyber Into the Safety Management System
The novel part of IMO 2021 is that cyber risk is to be integrated into the SMS, not maintained as a separate parallel document set. This integration is where most shipowners stumble. A standalone cyber security policy is not enough. The SMS itself must reference cyber, treat cyber failures as safety hazards, and incorporate cyber-related contingencies into existing emergency procedures.
Practical integration looks like this: the existing SMS section on shipboard safety inspection adds a cyber walkthrough checklist; the existing emergency response procedures add cyber-incident-specific actions (isolate ECDIS, switch to paper charts, loss-of-communications drill); the existing master review adds a quarterly cyber posture summary; the existing internal audit programme adds cyber-control verification. The cyber work does not live in a separate binder. It lives inside the SMS the master and chief officer already use every day.
The ISM Code Connection: Why This Is a Safety Issue
The ISM Code (International Safety Management Code) is the legal vehicle. It is the framework that requires companies to operate a Safety Management System and to hold a Document of Compliance (DOC) at the company level plus a Safety Management Certificate (SMC) for each vessel. Without a valid DOC and SMC, the vessel cannot trade.
IMO 2021 inserts cyber risk into the ISM Code by including it as an element the SMS must address. A serious cyber finding at an SMS audit can lead to non-conformity notes, corrective action requirements, and in extreme cases suspension of the DOC. The cyber risk regime is enforced through the ISM Code's existing teeth, not through a new parallel inspection regime. This is the design choice that gives IMO 2021 its weight.
What Shipowners Must Document
Document control is the single most under-served area in maritime cyber programmes. Most shipowners have done some risk assessment, deployed some controls, and run some training, but cannot produce a coherent evidence pack on demand. Auditors do not give partial credit for activity without records.
At a minimum the following must be documented, reviewed annually, and accessible at the company office and on board each vessel:
- Asset inventory for each vessel (bridge systems, engine systems, cargo systems, comms systems, crew networks) with vendor, version, network location and criticality rating
- Cyber risk assessment per vessel class or per vessel, identifying threats, vulnerabilities, likelihood and impact ratings, plus residual risk after controls
- Cyber procedures inside the SMS, written in the same style and structure as the rest of the SMS, referenced from the relevant operational sections
- Training records for ship and shore staff, including completion dates, content covered, refresher schedule
- Vendor and third-party register with cyber clauses in service agreements (chart updates, satcom, planned maintenance, remote diagnostics)
- Incident log of any cyber events, near-misses, drills, with after-action notes
- Management of change records for any new system, software upgrade, or vendor change that could affect cyber posture
- Master review and internal audit outputs covering the cyber elements, at the same cadence as the rest of the SMS
Flag State Audit or Customer Questionnaire?
Whether you need cyber evidence for a flag state, P&I club query, charterer security questionnaire or BIMCO gap closure, our maritime cyber lead is available for a 30-minute free scoping call.
Talk to a Maritime Lead →
What Flag State and Class Auditors Look For
We have supported clients through audits with most major flag states and classification societies (DNV, Lloyd's Register, ABS, BV, ClassNK, RINA, IRS). The pattern is consistent. The auditor will sample three to five vessels, ask the master and chief officer to describe the cyber procedures in their own words, ask to see the evidence of training in the last 12 months, ask to walk through a recent incident or drill, and ask the chief engineer about USB media handling and network connections to the cargo or engine systems.
The findings cluster around the same gaps: master cannot articulate cyber procedures from memory (indicates training was paper-only), no incident or drill log entries in 12 months (indicates programme is dormant), USB media procedure unclear or inconsistent across departments, no vendor cyber assurance for chart and ECDIS updates, asset inventory missing or out of date. Each of these is straightforward to close in 30 to 90 days, but they need to be closed before the audit, not after.
Practical Compliance Roadmap (3 to 6 Months)
For a typical mid-size fleet (5 to 30 vessels) starting from a low base of cyber documentation, the path to audit-ready compliance takes 3 to 6 months.
Phase 1 (Weeks 1-3): Gap Assessment
Map the current state against MSC-FAL.1/Circ.3 elements. Visit a representative vessel, interview the master, chief officer and chief engineer, inventory the bridge and engine networks, list the vendors with remote access, and review the existing SMS for cyber references. The output is a gap register with severity ratings and indicative remediation effort.
Phase 2 (Weeks 4-12): Remediation
Update the SMS with cyber procedures embedded in existing sections, build asset inventories per vessel class, deploy basic protective controls (segmentation, USB controls, account hygiene), run risk assessments per vessel, roll out crew training, and put incident response procedures in place with desktop scenarios.
Phase 3 (Weeks 13-20): Internal Audit and Drill
Run a full internal audit against the updated SMS, sample one vessel for a deep walkthrough, run a cyber tabletop with the company crisis team and at least one vessel master, fix any findings, and finalise the evidence pack for the flag state audit. Codesecure typically supports this phase as a managed delivery, with named consultants on the bridge and at the company office.
Frequently Asked Questions
Does IMO 2021 apply to my vessel?
If the vessel is subject to the ISM Code, which covers cargo ships and mobile offshore drilling units of 500 gross tonnage and above plus all passenger ships, then yes. Fishing vessels and pleasure craft are generally outside scope, though port state and local regulations may still apply. Your flag state authority is the final word on scope.
Is IMO 2021 only about the vessel, or does it cover the shore office too?
Both. The Document of Compliance is held by the company, not by individual vessels. Cyber risk management must extend across the entire fleet management chain, including shore IT systems, vendor portals, planned maintenance systems, fleet operations centres and crew management platforms. Many cyber incidents originate shore-side and reach the vessel through shore systems.
What happens if I have a cyber non-conformity at an SMS audit?
Like any SMS non-conformity, you receive a corrective action requirement with a deadline. Failure to close it within the deadline can escalate to a major non-conformity, which in extreme cases can lead to suspension of the Document of Compliance and the vessel's Safety Management Certificate. In practice flag states are working constructively with shipowners through 2025 and 2026, but the regime has teeth.
Do I need to do a cyber penetration test on every vessel?
No. IMO 2021 does not mandate penetration testing; the guidance asks for risk-based controls and continuous improvement. Many shipowners do a representative vessel class pentest as part of the risk assessment, then apply lessons across sister vessels. Codesecure delivers vessel pentest engagements that satisfy this risk-assessment requirement for the class.
How does IMO 2021 relate to BIMCO Guidelines and IACS UR E26/E27?
BIMCO Guidelines on Cyber Security Onboard Ships are the most widely adopted industry interpretation of MSC-FAL.1/Circ.3. IACS Unified Requirements E26 (cyber resilience of ships) and E27 (cyber resilience of on-board systems and equipment) are class-society requirements for newbuilds contracted for construction on or after 1 July 2024. They overlap with IMO 2021 but are technical (newbuild design and equipment) rather than operational (SMS).
Can Codesecure help us pass our flag state cyber audit?
Yes. Codesecure has supported shipowners through cyber audits with most major flag states and class societies. We can run the gap assessment, help update the SMS, deliver crew training, run a vessel cyber walkthrough, and stand alongside the DPA during the audit itself. ISO/IEC 27001:2022 certified delivery with named consultants.
Get IMO 2021 Audit Ready, Without the Theatre
Codesecure has supported shipowners and managers across India, Singapore, UAE and the Middle East through IMO 2021 SMS integration and flag state cyber audits. ISO/IEC 27001:2022 certified delivery, named consultants with maritime OT experience, fixed-price proposals.

