Build a Safety Management System (SMS) that addresses cyber risk per IMO Resolution MSC.428(98), and prepare your new-build vessels and existing ship systems for IACS Unified Requirements E26 and E27. Codesecure runs gap analysis, SMS integration, class-society audit support and ongoing surveillance.
IMO Resolution MSC.428(98) requires shipowners and operators to address cyber risks in their Safety Management Systems (SMS) under the ISM Code from the first annual verification of the Document of Compliance after 1 January 2021. It is principle-based and references the IMO Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3 Rev.2).
IACS Unified Requirements E26 (Cyber resilience of ships) applies to new-build vessels contracted from 1 July 2024, and UR E27 (Cyber resilience of on-board systems and equipment) applies to ship systems and equipment suppliers. Together they make cyber resilience a class-society-enforceable requirement. Codesecure runs the full programme: SMS integration, control implementation, class audit support and ongoing surveillance.
IMO MSC.428(98) is enforced through the ISM Code. Port State Control increasingly reviews cyber elements in the SMS during inspections, and non-conformance can lead to detentions. IACS UR E26 / E27 is enforced at class-society level: new-build vessels contracted after 1 July 2024 cannot be issued class without E26 compliance, and equipment suppliers must demonstrate UR E27 conformity in their products.
Beyond regulation, charterers, P&I clubs and cyber insurance underwriters now ask for evidence of cyber risk management in vessel SMS, especially for tanker, LNG, container and high-value asset trades. TMSA 3 explicitly references cyber security under Element 13. Demonstrating a structured programme aligned to IMO and IACS unlocks charter opportunities and reduces insurance premiums.
Codesecure's IMO & IACS programme covers SMS integration, E26 / E27 readiness and class audit support:
45-minute call with our maritime compliance lead. Bring your fleet, current SMS state and class society, leave with a phased remediation roadmap. Instant response, no delay.
Book Free Strategy CallEvery IMO & IACS engagement follows a 5-phase methodology aligned with IMO and IACS guidance:
Scoping call, NDA, fleet survey, current SMS review, gap assessment against IMO MSC.428(98), UR E26 and UR E27 as applicable.
Per-vessel cyber risk assessment, IT and OT asset inventory, criticality classification, threat modelling.
Cyber procedures integrated into SMS, roles and responsibilities defined, controls implemented across vessels.
Tabletop exercises with master, ETO and DPA. Internal walkthrough of cyber procedures. Evidence consolidation.
Class-society cyber audit accompaniment by named consultant. Annual SMS surveillance and DoC verification support.
Every IMO & IACS engagement ships with the same operational handoff:
Most IMO / IACS programmes reach audit-ready status within 3-6 months. Instant response, no delay, kickoff scheduled same or next business day after scoping.
Scoping, fleet survey, gap analysis, cyber risk assessment, asset inventory.
Cyber procedures integrated into SMS, roles defined, controls implemented across fleet.
Drills, internal walkthrough, class-society audit, SMS surveillance handoff.
// Frameworks & Standards We Cover
30-minute call with our maritime compliance lead. Discuss your fleet, SMS state and class-society relationship with no sales pressure.
Schedule Free CallYes, it applies to all vessels covered by the ISM Code. The cyber risk must be addressed in the Safety Management System from the first annual verification of the Document of Compliance after 1 January 2021. Smaller vessels not under ISM Code are not directly in scope, but charterers and insurers increasingly expect similar controls regardless.
IACS UR E26 (cyber resilience of ships) applies to new-build vessels contracted from 1 July 2024 onwards. Existing vessels are not retroactively in scope but typically need IMO MSC.428(98) compliance instead. Some classification societies are encouraging early adoption of E26 elements for existing vessels.
UR E26 governs cyber resilience at the vessel level, mandating overall design, integration and operational requirements. UR E27 governs cyber resilience at the individual ship system and equipment level, mandating that suppliers (ECDIS, RADAR, engine controls, cargo systems) build cyber-resilient products. Together they form a layered cyber-resilience approach for new builds.
Instant response, no delay. We respond within an hour during business hours, send a fixed-fee scoped proposal in 24-48 hours under NDA, and start gap analysis same or next business day after sign-off.
Yes, increasingly. Paris MoU, Tokyo MoU and US Coast Guard inspection regimes now include cyber elements in their SMS review during PSC inspections. Detentions related to cyber-deficient SMS have already been reported. Failing a PSC inspection has real cost: delay, charterer penalty, reputational damage.
Yes. TMSA 3 Element 13 (Maritime Security) explicitly covers cyber security. Tanker operators serving major charterers (Shell, BP, Chevron, ExxonMobil, etc.) are subject to TMSA self-assessment and vetting. A well-structured IMO MSC.428(98) + UR E26 programme largely satisfies TMSA 3 Element 13 cyber expectations.
Partially. IMO and IACS cyber controls overlap with NIST 800-82 (OT security), IEC 62443 (industrial automation security) and BIMCO Cyber Guidelines. Many of our maritime clients run a combined IMO + IACS + NIST 800-82 programme for the strongest possible posture.
Codesecure runs your maritime cyber compliance programme: gap analysis, SMS integration, control implementation and class-society audit support. Free 30-minute strategy call, instant response, no obligation.
Get a Free Strategy Call See All Maritime Services
