Maritime cybersecurity & IMO 2021 compliance
IMO Resolution MSC.428(98) made cyber risk management a mandatory part of the ISM Code in 2021. IACS UR E26 and E27 raised the bar again for new-builds from July 2024. We help shipowners, ship managers and class candidates close the gap with practical, audited remediation — not paperwork.
Service scope
Every engagement delivers the following items as a minimum. The exact scope is confirmed in writing before we start.
- IMO MSC.428(98) gap analysis and policy drafting
- IACS UR E26 (cyber-resilient ship) assessment for new builds
- IACS UR E27 (cyber-resilient onboard systems) review
- Network segmentation between IT and OT (engine, navigation, cargo)
- Firewall rule design and review (Fortinet, Cisco, Peplink)
- Endpoint protection deployment (anti-malware, EDR)
- Patch management strategy and rollout
- Internal penetration testing and vulnerability scans
- Audit-ready reports for class society and flag state
Brands and equipment we work with
How we work
- 01
Gap analysis
Onboard assessment mapping current network topology, OT integration points, patch state, endpoint coverage and policy gaps against IMO MSC.428(98) and IACS UR E26/E27.
- 02
Remediation plan
Prioritised, time-boxed remediation plan with rough effort and impact for each item. Class-society-friendly format for owner approval.
- 03
Implementation
Onboard work: network re-segmentation, firewall hardening, endpoint deployment, patch rollout, password and privilege review.
- 04
Verification & documentation
Internal pentest, vulnerability re-scan, evidence package, and audit-ready report your class society and flag inspectorate will accept.
Frequently asked questions
What does IMO 2021 require?
IMO Resolution MSC.428(98) requires cyber risk management to be addressed in the ship's Safety Management System (SMS) under the ISM Code, with effect from the first annual DOC verification after 1 January 2021. In practice: documented policies, identified risks, controls, audit evidence.
What about IACS UR E26 and E27?
IACS UR E26 (cyber-resilient ships) and UR E27 (cyber-resilient onboard systems) apply to new-build vessels contracted from July 2024. They define cybersecurity requirements at the ship and component level, enforced by class societies during construction.
Can you do this remotely or do you have to come onboard?
Initial gap analysis can often be done remotely from configuration exports and a few photos. Real remediation almost always requires onboard time — particularly for OT/IT segmentation and physical-layer changes.
Will your work satisfy our class society?
We produce documentation specifically aligned to the formats class societies (DNV, ABS, Lloyd's Register, RINA, ClassNK, Bureau Veritas) expect — risk registers, control matrices, evidence packages — so the surveyor can sign off without back-and-forth.
How much does a typical compliance project cost?
Highly variable by fleet size and current state. A single-vessel gap analysis is typically 3–5 engineer-days. Fleet-wide remediation can be a multi-month engagement. We give fixed-price quotes after a short scoping call.
Ready for a fixed-price quote?
Share the vessel, the port and the scope — we respond within one business day with a quote and dispatch plan.
Contact operations