The circular dated 6 November 2017 (ENGG. Circular No 6 of 2017) has
two parts A and B with A dealing with the background for the circular and B
with requirements for shipping companies to comply with IMO requirements. The following is the full text of the
A) Back ground: 1) Modern developments in information and
communication technology have led shipboard machineries and equipments fitted
with complex control systems and such control systems are increasingly being
networked with the information technology wherein the technology uses data as
information for operation, monitor and control the physical processes
2) The exchange of information
and data via networked systems using internet is susceptible to cyber-attack.
The consequences of a cyber-attack are wide-ranging, that is, from business
disruption, damage to ship, pollution, safety of crew to ship collision.
Therefore, it is important that these information and data exchange systems be
protected from risks that may occur via un-authorized access or malicious attacks
to ships' systems and networks and from personnel having access to the systems
onboard, for example by introducing malware via removable media.
3) To address the issues
related to cyber-security IMO at the 98th session of the Maritime Safety
Committee held on June 16, 2017, approved Resolution MSC.428 (98) on Maritime
Cyber Risk Management in Safety Management Systems. The resolution affirms that
approved safety management systems should take cyber risk management into
account in accordance with the objectives and requirements of the International
Safety Management Code. Further the member states are encouraged to ensure
cyber risks are appropriately addressed in safety management systems no later
than the first annual verification of the company's Document of Compliance
after I January 2021.
4l The IMO guidelines define
cyber risk management as being "the process of identifying, analyzing,
assessing and communicating a cyber-related risk and accepting, avoiding,
transferring, or mitigating [that risk] to an acceptable level [after]
considering the costs and benefits of
actions taken to stakeholders." Further, Cyber risk management should be
considered a part of operational risks and should evolve "as a natural
extension of existing safety and security management practices.
B) Requirements: 1) To ensure that all shipping companies holding DOC
issued under ISM Code comply with the IMO requirement within the prescribed
time limit, the Directorate hereby specifies the following procedure:
i) All new DOC applicants requesting for initial DOC audit on/after I
a) Cyber-risk management
procedures to be included in the SMS risk mitigation manuals. These procedures
to be reviewed by Recognized Organization prior conduct of initial DOC audit by
the Administration auditor.
b) Review and verification of
satisfactory implementation of the said cyber-security risk mitigation during
the initial audit by the Administration Surveyor. The initial audit report
narrative and Document review record narrative to clearly state the same'
c) A suitable memo (stating the satisfactory compliance to the said
IMO requirement) be raised in the survey status of each vessel owned/managed by
the said company by the RO conducting the initial audit after satisfactory
verification of the implementation of the cyber risk mitigation measure on
board each such vessel during the initial audit. The audit report narrative to
include verification of the compliance with such requirement on board'
D All other existing DOC holders wishing to demonstrate compliance
prior to l January 2018:
a) lt is advised that Indian DOC holders may not wait till the l st annual/renewal
DOC audit after 1 January 202I
b) A Company wishing to
demonstrate compliance with the said IMO – requirement earlier may carry out a
cyber-risk assessment and include the mitigation procedures in their SMS after
due review by Ro.
c) Request DG$ auditor to verify compliance during the next due
annual/renewal DOC audit. Administration auditor to follow procedures detailed
in Paragraph B)l(i)(b) above with respect to verification and reporting during
this annual/renewal DOC audit. A copy of such report to be forwarded by the
Company to the concerned RO/s which conducted previous SMS audits on the
Company managed vessels. d) Ro/Administration auditor carrying out the. next
due intermediate/renewal SMS audit (after demonstrating the verification of
compliance in the last Doc audit)on the company managed vessel/s to follow
procedures detailed in Paragraph B)l(i) (c)above with respect to compliance ,report
narrative and raising of a suitable Memo in the survey status of the said
iii) On/After l January 20211
a) No request for DOC annual/renewal audit shall be accepted unless
risk mitigation procedures reviewed by RO are included in the SMS manuals.
b) No request for vessel/s SMC
intermediate/renewal audit shall be entertained unless the report narrative of
previous DOC audit states compliance with the said IMO requirement with respect
to cyber security risk management.
This is issued with the approval of the competent authority.