Key Takeaways
- IMO Resolution MSC.428(98), effective 1 January 2021, requires every ISM-regulated company to address cyber risk inside its Safety Management System.
- MSC-FAL.1/Circ.3 is the operational guidance, structured as Identify, Protect, Detect, Respond and Recover, mapped to the NIST Cybersecurity Framework.
- Cyber is enforced through the ISM Code. A serious cyber gap becomes a safety non-conformity at the SMS audit, with the Document of Compliance at stake.
- Documentation is the dominant failure. Most companies have done the work in pieces but cannot present a coherent evidence pack on demand.
- A realistic implementation runs 3 to 6 months: gap assessment, SMS integration, controls, training, contingency plans, internal audit and drill.
The Requirement: MSC.428(98) in Plain Terms
IMO Resolution MSC.428(98), adopted in 2017 and effective from 1 January 2021, is short and consequential. It affirms that an approved Safety Management System (SMS) under the ISM Code should take cyber risk management into account, and it encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company's Document of Compliance after 1 January 2021.
The reach is broad. The ISM Code applies to most commercial vessels of 500 gross tonnage and above engaged on international voyages, plus passenger ships and certain other categories. Every company holding a Document of Compliance for such vessels is therefore expected to have integrated cyber risk into its SMS. This applies regardless of flag or region: a company operating under any IMO member administration is in scope.
Crucially, the resolution does not create a separate cyber inspection regime. It folds cyber into the existing ISM machinery. That design choice is what gives it weight, because the ISM Code already carries real enforcement: without a valid Document of Compliance and Safety Management Certificate, a vessel cannot trade.
The Guidance: MSC-FAL.1/Circ.3 and the Five Functions
The high-level requirement lives in MSC.428(98). The operational detail lives in MSC-FAL.1/Circ.3, the IMO Guidelines on Maritime Cyber Risk Management, most recently revised in 2022 as MSC-FAL.1/Circ.3/Rev.2. This is the document auditors reference when they review what your SMS actually says about cyber.
The guidance frames maritime cyber risk management around five functional elements taken directly from the NIST Cybersecurity Framework. They give a company a checklist of capabilities it should be able to demonstrate, not a prescriptive product list.
- Identify: inventory vessel and shore assets, assess threats and vulnerabilities, identify vendors with system access, rate the criticality of each system
- Protect: technical controls (segmentation, hardening, patching), administrative controls (access management, training), and physical controls (USB and removable media)
- Detect: monitor vessel and shore systems for anomalies, run integrity checks on bridge systems, review logs, and alert on suspicious activity
- Respond: maintain a documented incident response plan, define vessel-to-shore communication during an incident, and assign recovery decision authority
- Recover: back up safety-critical systems, test restoration, run post-incident review feeding back into the SMS, and capture lessons learned
Need a Maritime Cyber Assessment?
Codesecure runs IMO 2021 and BIMCO-aligned cyber risk assessments and OT pentests for shipowners, managers, ports and terminals. ISO/IEC 27001:2022 certified, named consultants with OSCP, CEH, CISSP and ICS credentials, fixed-price proposals and free retest within 90 days.
Integrating Cyber Into the Safety Management System
The defining feature of IMO cyber compliance is that cyber risk must be integrated into the SMS, not maintained as a separate parallel binder. A standalone cyber security policy that the SMS never references is the most common implementation mistake, and auditors recognise it immediately. The SMS itself must treat cyber failures as safety hazards and fold cyber contingencies into existing emergency procedures.
Effective integration is concrete and unglamorous. The existing shipboard safety-inspection section gains a cyber walkthrough checklist. The existing emergency-response procedures gain cyber-specific actions (isolate ECDIS and revert to paper charts, switch to hand steering, run a loss-of-communications drill). The existing master's review gains a periodic cyber-posture summary. The existing internal-audit programme gains cyber-control verification. The cyber work does not live apart from the SMS; it lives inside the documents the master and chief officer already use.
The reason this matters is enforcement. Because cyber is woven into the ISM Code, a cyber failure that affects safety, with no documented contingency in the SMS, is a safety non-conformity, not a separate cyber finding. Integration is what makes the company able to point to a procedure when the auditor, or a real incident, asks for one.
A Practical Implementation Roadmap
For a typical fleet starting from a low base of cyber documentation, a realistic path to audit-ready compliance runs three to six months. The work divides into three phases.
Phase 1 (Weeks 1 to 3): Gap Assessment
Map the current state against the five MSC-FAL.1/Circ.3 functions. Visit a representative vessel, interview the master, chief officer and chief engineer, inventory the bridge and engine networks, list the vendors with remote or physical system access, and review the existing SMS for any cyber references. The output is a prioritised gap register with severity ratings and indicative remediation effort. This phase routinely reveals more vendor access paths and more undocumented network connections than the company expected, which is exactly why it comes first.
Phase 2 (Weeks 4 to 12): SMS Integration, Controls and Training
Embed cyber procedures into the existing SMS sections rather than writing a separate manual. Build per-vessel-class asset inventories. Deploy the achievable protective controls: network segmentation between bridge OT, engine OT, vessel IT and crew networks; USB and removable-media controls; account hygiene and removal on crew change; control of vendor remote access. Run per-vessel risk assessments. Roll out crew cyber familiarisation and role-specific training, and put incident response procedures in place with tabletop scenarios.
Phase 3 (Weeks 13 to 20): Internal Audit and Drill
Run a full internal audit against the updated SMS, sample at least one vessel for a deep walkthrough, and run a cyber tabletop involving the company crisis team and at least one vessel master. Fix the findings, capture the drill evidence, and assemble the coherent evidence pack the flag state or class auditor will ask to see. Codesecure typically delivers this phase as a managed engagement, with named consultants on the vessel and at the company office.
The Evidence Pack Auditors Actually Want
Document control is the single most under-served area of maritime cyber programmes, and it is where audits are won or lost. Auditors do not give partial credit for activity without records. The company must be able to produce, on demand, a coherent set of documents that are reviewed at least annually and accessible both at the office and on board.
At minimum the evidence pack contains the following, each written in the SMS's own style and reviewed at the SMS cadence:
- Asset inventory per vessel: bridge, engine, cargo, communications and crew systems, each with vendor, version, network location and criticality
- Cyber risk assessment per vessel class: threats, vulnerabilities, likelihood, impact and residual risk after controls
- Cyber procedures inside the SMS, referenced from the operational sections
- Training records with dates, content and refresher schedule
- Vendor and third-party register with cyber clauses in service agreements and assurance evidence
- Incident, near-miss and drill log with after-action notes
- Management-of-change records for new systems and upgrades
- Master's-review and internal-audit outputs covering the cyber elements at the SMS cadence
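The Phase 1 gap register and the per-vessel asset inventory above are easier to keep current when the inventory is machine-checkable. The following is an added example, not code from the page or from Codesecure: it encodes a constructed four-asset inventory with the evidence-pack fields (vendor, version, network location, criticality) plus a few control flags, runs checks mapped to the MSC-FAL.1/Circ.3 functions, and emits a gap register ordered by severity. The field names, the 1 to 4 criticality scale, the criticality-times-exposure severity score and the 12-month backup-test threshold are illustrative assumptions, not IMO or class requirements.

```python
"""Gap register from a per-vessel asset inventory (added example, illustrative)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Asset:
    """One row of the per-vessel inventory. Flags are assumptions for this example."""
    name: str
    zone: str                        # bridge_ot | engine_ot | vessel_it | crew
    vendor: str
    version: str
    criticality: int                 # 1 low .. 4 safety-critical (assumed scale)
    segmented: bool                  # on its own firewalled segment
    vendor_remote_access: bool       # vendor can reach it remotely
    remote_access_controlled: bool   # documented approval + logging in place
    backup_tested: Optional[date]    # last successful restoration test, or None
    moc_record: bool                 # management-of-change record exists


@dataclass
class Gap:
    asset: str
    function: str    # Identify / Protect / Detect / Respond / Recover
    finding: str
    severity: int    # criticality x exposure (1..4 each), so 1..16


# Constructed sample inventory; not real vessel data.
SAMPLE_ASSETS: List[Asset] = [
    Asset("ECDIS", "bridge_ot", "ExampleNav", "4.2", 4, False, True, False,
          date(2024, 1, 10), True),
    Asset("VSAT router", "vessel_it", "ExampleSat", "7.1", 3, True, True, True,
          None, False),
    Asset("Crew Wi-Fi AP", "crew", "ExampleNet", "2.0", 1, True, False, False,
          None, True),
    Asset("Engine alarm/monitoring", "engine_ot", "ExampleEng", "3.5", 4, True,
          False, False, date(2025, 3, 1), True),
]
TODAY = date(2025, 6, 1)   # fixed date so the output is reproducible


def assess(assets: List[Asset], today: date) -> List[Gap]:
    """Apply the checks to each asset and return gaps, highest severity first."""
    gaps: List[Gap] = []
    for a in assets:
        def add(function: str, finding: str, exposure: int) -> None:
            gaps.append(Gap(a.name, function, finding, a.criticality * exposure))

        # Protect: OT systems must not share a segment with IT or crew networks.
        if a.zone in ("bridge_ot", "engine_ot") and not a.segmented:
            add("Protect", "OT system shares a network segment with IT/crew", 4)
        # Protect: vendor remote access needs documented control.
        if a.vendor_remote_access and not a.remote_access_controlled:
            add("Protect", "Vendor remote access without documented control", 4)
        # Recover: safety-critical systems need a tested, recent restoration.
        if a.criticality >= 3:
            if a.backup_tested is None:
                add("Recover", "No tested backup for safety-critical system", 3)
            elif (today - a.backup_tested).days > 365:
                add("Recover", "Backup restoration test older than 12 months", 2)
        # Identify: without MoC records the inventory cannot be trusted.
        if not a.moc_record:
            add("Identify", "No management-of-change record; inventory may be stale", 1)
    # Stable sort keeps inventory order among equal severities.
    gaps.sort(key=lambda g: g.severity, reverse=True)
    return gaps


def gaps_by_function(gaps: List[Gap]) -> Dict[str, int]:
    """Count open gaps per MSC-FAL.1/Circ.3 function to show where the programme is weakest."""
    counts: Dict[str, int] = {}
    for g in gaps:
        counts[g.function] = counts.get(g.function, 0) + 1
    return counts


if __name__ == "__main__":
    register = assess(SAMPLE_ASSETS, TODAY)
    for g in register:
        print(f"[{g.severity:>2}] {g.function:<8} {g.asset}: {g.finding}")
    print(gaps_by_function(register))
```

Running it against the sample inventory puts the unsegmented, vendor-reachable ECDIS at the top of the register and shows Protect and Recover as the functions with the most open findings, which is the shape of the prioritised gap register Phase 1 is meant to produce. Extending the checks to cover training-record age or vendor-clause presence is a matter of adding fields and rules, not of changing the structure.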
Flag State Audit or Customer Questionnaire?
Whether you need cyber evidence for a flag state, P&I club query, charterer security questionnaire or BIMCO gap closure, our maritime cyber lead is available for a 30-minute free scoping call.
Common Audit Findings and How to Close Them
Across flag states and classification societies, cyber audit findings cluster around the same recurring gaps, and they are largely closable in 30 to 90 days if addressed before the audit rather than after. The most common is the master who cannot articulate the cyber procedures from memory, which signals that training was paper-only and never embedded in practice. The fix is role-specific, scenario-based training with a short refresher at each crew change.
Other frequent findings, with their fixes:
- No incident or drill log entries in the previous twelve months, indicating a dormant programme: closed by running and documenting at least one tabletop per vessel per year
- Unclear or inconsistent USB and removable-media handling across departments: closed by a single documented procedure applied bridge to engine room
- No cyber assurance for chart and ECDIS update vendors: closed by adding cyber clauses and requiring vendor attestation
- An asset inventory that is missing or out of date: closed by a one-time build and a management-of-change process to keep it current
The pattern is consistent: the technical controls are rarely the binding constraint. The binding constraint is integration and evidence. Companies that internalise that cyber compliance is mostly a documentation and crew-competence discipline, supported by a few high-value technical controls, pass their audits. Codesecure supports owners and managers through the full cycle, from gap assessment to standing alongside the Designated Person Ashore during the audit itself.
Frequently Asked Questions
Does IMO cyber compliance apply to my vessel?
If the vessel is subject to the ISM Code, which broadly covers commercial vessels of 500 gross tonnage and above on international voyages plus passenger ships and certain other categories, then yes. The obligation sits with the company holding the Document of Compliance and applies regardless of flag or region. Your flag administration is the final authority on scope for borderline cases.
What is the difference between MSC.428(98) and MSC-FAL.1/Circ.3?
MSC.428(98) is the IMO resolution that sets the high-level requirement to address cyber risk in the Safety Management System. MSC-FAL.1/Circ.3 is the operational guidance that explains how, structured around the five functions Identify, Protect, Detect, Respond and Recover. Auditors reference the circular when reviewing what your SMS actually says about cyber.
Does cyber compliance require new documents or changes to the existing SMS?
Changes to the existing SMS. The requirement is integration, not a separate cyber manual. The strongest implementations embed cyber procedures into the existing SMS sections (safety inspection, emergency response, master's review, internal audit) so the master has a single reference. Standalone cyber binders that the SMS never references are the most common audit failure.
How long does IMO cyber compliance implementation take?
For a fleet starting from a low base, three to six months is realistic: roughly three weeks of gap assessment, eight to nine weeks of SMS integration, controls and training, and up to eight weeks of internal audit and drill to assemble the evidence pack. Companies with mature safety management and some existing controls move faster.
What happens if we have a cyber non-conformity at an SMS audit?
It is treated like any SMS non-conformity: a corrective action requirement with a deadline. Failure to close it can escalate to a major non-conformity, which in extreme cases can lead to suspension of the Document of Compliance and the affected Safety Management Certificate. In practice administrations work constructively with owners, but the regime has real enforcement teeth through the ISM Code.
Can Codesecure help us reach IMO cyber compliance and pass our audit?
Yes. Codesecure runs the gap assessment, helps integrate cyber into the SMS, delivers crew training, conducts a vessel cyber walkthrough, and can stand alongside the Designated Person Ashore during the audit. ISO/IEC 27001:2022 certified delivery with named consultants holding OSCP, CEH and CISSP credentials and IEC 62443 experience, with fixed-price proposals.
Turn the IMO Cyber Requirement Into Audit-Ready Evidence
Codesecure has supported shipowners and managers through IMO cyber risk management and flag state audits across India, Singapore, UAE, Malaysia and the wider region. ISO/IEC 27001:2022 certified delivery, named consultants with maritime OT experience, fixed-price proposals.

