NOTING the ISM objective: to provide safe practices in ship operation and in working environments, an assessment of all identified risks to ships, personnel and the environment, the establishment of appropriate safeguards, and the continuous improvement of safety management skills of personnel ashore and aboard;
The IMO has decided that:
- An approved safety management system should take into account cyber risk management in accordance with objectives and functional requirements of the ISM Code
- Deadline for cyber risks being appropriately addressed in safety management systems set to no later than the first annual verification of the company's Document of Compliance after 1 January 2021
With a continuous aim to optimize operations on board and ashore, the maritime industry will seek to utilize the potential provided by new technologies, and we recommend DoC holders manage this through their SMS. In addition to new opportunities, there will be new risks which must be understood and handled. In doing so, we suggest noting the IMO’s recommendations:
- “A risk management approach to cyber risks [should be] resilient and evolve as a natural extension of existing safety and security management practices.”
- “In considering potential sources of threats and vulnerabilities and associated risk mitigation strategies, a number of potential control options should also be taken into consideration, including amongst others, management, operational or procedural, and technical controls.”
- “Cyber risk management [is] the process of identifying, analysing, assessing, and communicating a cyber-related risk and accepting, avoiding, transferring, or mitigating it to an acceptable level, considering costs and benefits of actions taken to stakeholders.”
- “Effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels of an organization and ensure a holistic and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.”
- “The goal of maritime cyber risk management is to support safe and secure shipping, which is operationally resilient to cyber risks.”
DNV’s Maritime Management System services are based on partnerships with DoC holders, while the audit’s focus is based on needs and performance. Where traditional audits focus on conformity with detailed requirements, we assess the effectiveness of SMS and whether they support achieving the desired results.
With the IMO decision on cyber security, we have included a cyber security focus area for audits supported by our cyber security audit protocol. We agree that no two companies are alike and that each DoC holder must consider their own cyber risks and, in the SMS, implement needed measures. We recommend considering cyber security in accordance with the objectives and requirements of the ISM Code, and for DoC holders to note that compliance will be assessed through ISM audits.