IMO’s Updated Cyber Guidelines: 10 Practical Changes Shipping Companies Can’t Ignore in 2026

Most shipping companies now “tick the box” on cyber in their SMS, but the IMO’s updated Guidelines on Maritime Cyber Risk Management quietly raised the bar. The new version makes it much clearer that cyber is not a side policy – it has to live inside the same risk processes that already govern navigation, engineering and safety.
Over 2025–2026, that shift will show up everywhere: in DOC audits, Port State questions, insurers’ questionnaires, and even how charterers and financiers look at operational resilience. The good news is that the updated guidance is practical if you translate it into 10 concrete changes.
⏱️ 2-minute summary: 10 practical cyber changes for 2025–2026
Quick reference for DOC audits, internal reviews and briefings.
Use this table as a one-page view when you explain to auditors, boards and customers how your company is turning the updated IMO cyber guidance into practical work across ships and shore.
| # | Focus area | What changes in practice | 90-day move |
|---|---|---|---|
| 1️⃣ | CBS inside the SMS | Computer based systems for navigation, propulsion, cargo and power sit in the same risk register and change control as other safety critical systems. | Build a CBS inventory for one vessel type and link it to existing SMS hazards and procedures. |
| 2️⃣ | Identify–Protect–Detect–Respond–Recover | Cyber work is organised as a simple loop that people can follow, instead of scattered controls with no visible structure. | Map existing procedures and controls to the five steps and highlight obvious gaps to fix first. |
| 3️⃣ | Vendors and remote access | Service laptops, USB media and remote links follow defined rules and approvals instead of ad hoc connections to critical systems. | List main vendors and agree a short rule set for how and when they connect to ship and shore systems. |
| 4️⃣ | Incident and near miss reporting | Cyber events are logged and investigated through the same channels as safety and operational incidents, not only in IT ticket tools. | Add two or three cyber categories to existing incident forms and run one cyber related case through your normal review process. |
| 5️⃣ | Realistic cyber drills | Drills test how bridge, engine and office teams react when systems misbehave, not only how they answer theory questions. | Write one short drill script each for bridge, engine and office and run at least one during an existing drill. |
| 6️⃣ | Clear roles on ship and ashore | Named roles own CBS inventories, approvals, incidents and follow up, instead of “everyone and no one” being responsible for cyber. | Extend the existing safety role chart with a few explicit cyber duties for DPA, masters, chief engineers and fleet managers. |
| 7️⃣ | Projects, newbuilds and purchasing | New ships and retrofits include cyber questions in specs, design reviews and handover documents, not only in later policy updates. | Add a small set of cyber questions to RFQs and one cyber checkpoint in the next newbuild or retrofit review. |
| 8️⃣ | Backups and recovery | Backups for key systems are known, tested and include at least one copy that is not permanently connected to live networks. | Document and test restore steps for one shipboard system and one shore system that matter for operations. |
| 9️⃣ | Role based training | Short sessions use real bridge, engine and office tools as examples, with clear routes to raise concerns quickly. | Define one short topic for three key groups and run ten to twenty minute sessions using screenshots from your own systems. |
| 🔟 | Simple metrics and reviews | A small set of indicators and actions is reviewed along with safety and environmental performance, so cyber becomes part of normal management. | Choose three to five basic indicators and bring them into the next management review with one or two concrete improvements agreed. |
1. Map your Computer-Based Systems (CBS) inside the SMS
Put CBS into the same risk machinery that already governs safety and operations.
The updated IMO cyber guidance expects companies to know which systems on board and ashore are computer-based, how critical they are, and where those risks are controlled in the Safety Management System. This is the anchor for everything else you do on cyber.

- Cyber risk is framed through the lens of computer-based systems instead of generic IT wording.
- Systems that support navigation, propulsion, cargo handling and power are pulled firmly into scope.
- Risk management is expected to use the same structure you already use for other hazards in the SMS.

- An asset list of computer-based systems grouped by function: bridge, engine, cargo, power, communications and admin.
- Each system marked as safety critical, business critical or supporting, with simple criteria for each label.
- Clear references in the risk register to failure modes and controls for these systems, not only to manual processes.

- That a current list of systems exists for real vessels, not only in a generic policy slide.
- That changes to critical systems follow a formal approval and testing path, including cyber aspects.
- That drills, contingency plans and manuals reflect what happens if a key computer-based system is lost.

- 1️⃣ For one representative ship type, list the main systems under navigation, propulsion, cargo, power and communications, then confirm that list with the chief engineer and master.
- 2️⃣ Assign a criticality level to each system and note how crews would operate if it fails or is unavailable.
- 3️⃣ Update SMS documents so that cyber-related changes to these systems use the same change management and risk evaluation already used for other safety-critical equipment.
2. Turn cyber into an Identify–Protect–Detect–Respond–Recover cycle
Move away from static PDFs to a simple, repeatable loop that people can actually follow.
The updated IMO guidance leans heavily on a simple idea that mirrors common cyber frameworks: identify what matters, protect it, detect issues early, respond in a controlled way, and recover. For a shipping company, that loop needs to be visible in the SMS and used in everyday decisions, not hidden in a one-off policy document.

- Cyber risks are identified using the same style of hazard thinking you already apply to navigation and machinery.
- Controls are organised so it is clear which ones protect systems, which detect issues and which support response and recovery.
- Reviews and audits check that all five steps are covered, not just policies and firewalls under the “protect” heading.

- A short section that shows how existing procedures map to identify, protect, detect, respond and recover steps.
- Risk assessment templates that ask which part of the loop is being strengthened for a given change or project.
- Internal reviews that look for gaps in the loop, such as strong protection but weak detection or recovery planning.

- Identify: when a new system, vendor or connection is added, someone notes what it does, where it sits and what could go wrong.
- Protect: basic controls such as access rights, passwords, network separation and physical security are documented and checked.
- Detect: logs, alerts and simple checks are in place so unusual activity or failures are noticed quickly instead of days later.
- Respond: there is a clear playbook for who calls whom, what gets isolated and how decisions are recorded during an incident.
- Recover: there are tested backup, restore and work-around steps so ships can keep operating safely while systems are brought back.

- 1️⃣ Take one recent cyber or near-miss incident and map what actually happened against identify, protect, detect, respond and recover, then note the gaps.
- 2️⃣ For a single vessel type, list three to five controls under each step and check with the DPA and IT/OT team that they are realistic and current.
- 3️⃣ Add a one-page “cyber loop” overview to the SMS, and use it as the basis for the next internal audit or management review discussion on cyber.
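As an added example (not from the page or the IMO guidance), the Python below takes a constructed CBS inventory with criticality labels, as described in change 1, and a constructed list of controls tagged with the loop step they serve, then reports, most critical systems first, which steps have no control at all. System ids, criticality labels and control names are assumptions; the five step names are the ones the text uses.

```python
"""Loop-coverage check for a computer-based systems (CBS) inventory.

Added example, not from the IMO guidance or the original page. The inventory,
controls and criticality labels are constructed sample data; the step names
follow the Identify-Protect-Detect-Respond-Recover loop described in the text.
"""

LOOP_STEPS = ("identify", "protect", "detect", "respond", "recover")
CRITICALITY = {"safety_critical": 3, "business_critical": 2, "supporting": 1}

# Constructed CBS inventory for one vessel type, grouped by function.
INVENTORY = [
    {"id": "ecdis-1", "function": "bridge", "criticality": "safety_critical"},
    {"id": "ecr-control-ws", "function": "engine", "criticality": "safety_critical"},
    {"id": "cargo-loading-pc", "function": "cargo", "criticality": "business_critical"},
    {"id": "crew-welfare-wifi", "function": "admin", "criticality": "supporting"},
]

# Constructed controls, each mapped to one loop step and the systems it covers.
CONTROLS = [
    {"name": "CBS register review", "step": "identify",
     "systems": ["ecdis-1", "ecr-control-ws", "cargo-loading-pc"]},
    {"name": "Bridge network segregation", "step": "protect", "systems": ["ecdis-1"]},
    {"name": "ECR workstation USB lockdown", "step": "protect", "systems": ["ecr-control-ws"]},
    {"name": "Cyber incident playbook", "step": "respond", "systems": ["ecdis-1", "ecr-control-ws"]},
    {"name": "ECR local control fallback", "step": "recover", "systems": ["ecr-control-ws"]},
    {"name": "Cargo PC image restore", "step": "recover", "systems": ["cargo-loading-pc"]},
]


def coverage(inventory, controls):
    """Return {system_id: {step: [control names]}}, with empty lists for uncovered steps."""
    cov = {s["id"]: {step: [] for step in LOOP_STEPS} for s in inventory}
    for c in controls:
        if c["step"] not in LOOP_STEPS:
            raise ValueError(f"unknown loop step {c['step']!r} in control {c['name']!r}")
        for sid in c["systems"]:
            if sid in cov:  # controls naming systems outside the inventory are ignored
                cov[sid][c["step"]].append(c["name"])
    return cov


def gaps(inventory, controls, min_criticality="business_critical"):
    """(system, step) pairs with no control, most critical systems first.

    Supporting systems are left out by default so the report shows what to fix first.
    """
    threshold = CRITICALITY[min_criticality]
    cov = coverage(inventory, controls)
    ranked = sorted(inventory, key=lambda s: -CRITICALITY[s["criticality"]])
    return [(s["id"], step)
            for s in ranked if CRITICALITY[s["criticality"]] >= threshold
            for step in LOOP_STEPS if not cov[s["id"]][step]]


def weakest_step(inventory, controls):
    """The loop step covered on the fewest systems, e.g. strong protection but no detection."""
    cov = coverage(inventory, controls)
    counts = {step: sum(1 for sid in cov if cov[sid][step]) for step in LOOP_STEPS}
    return min(LOOP_STEPS, key=counts.get)


if __name__ == "__main__":
    for sid, step in gaps(INVENTORY, CONTROLS):
        print(f"GAP  {sid:18s} {step}")
    print("weakest step in the sample:", weakest_step(INVENTORY, CONTROLS))
```

In the sample data every system has an "identify" and a "protect" entry but nothing under "detect", which is exactly the kind of lopsided loop the review should surface.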
3. Put vendors and remote access inside your cyber controls
Service laptops and remote links should follow the same rules as your own crew and systems.
Many cyber incidents at sea start with a service engineer's laptop, a remote support tunnel or a USB stick. The updated guidance expects companies to treat vendors and remote access as part of the safety picture, not as one-time exceptions that sit outside normal rules.

- External parties often connect directly to critical systems with more rights than ship staff.
- Vendor equipment may bypass your normal antivirus, patching and network separation rules.
- Remote support is sometimes left enabled or reused without a clear record of who did what.

- Clear rules for how vendor laptops, USB media and tools are checked before they connect on board.
- Written steps for authorising and supervising remote access sessions, including who signs off and who watches.
- Requirements that critical changes performed by vendors are logged and reported into the same change process as your own work.

- Access scope: which systems they can reach, when, and for what purpose, with a record of each session.
- Minimum safeguards: expected patch level, malware protection and configuration on their laptops or tools.
- Media handling: how USB drives, update packages and diagnostic tools are scanned or staged before use.
- Incident duties: what happens if something goes wrong during a session and how the vendor must support investigation and recovery.

- 1️⃣ List the main vendors who connect to ship or shore systems and note how they currently access them, including remote tools and on board visits.
- 2️⃣ Draft a simple one page vendor and remote access rule set and test it with one or two key suppliers to confirm it is workable for both sides.
- 3️⃣ Update SMS procedures so that any vendor work on critical systems is requested, approved, supervised and recorded in the same way as internal changes.
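An added example, not the page's or any vendor's code: a Python audit of constructed vendor remote-access session records against the rule set sketched above (approved scope, sign-off by an authorised role, supervision, a recorded purpose, a closed record and a change-control reference when changes were made). Vendor names, role names, the approver list and the duration limit are assumptions.

```python
"""Audit of vendor remote-access session records against a simple rule set.

Added example, not from the page or the IMO guidance. The rule set, field names
and session records are constructed to illustrate the checks the text lists.
"""
from datetime import datetime, timedelta

# Assumed rule set: roles allowed to sign off vendor access to critical systems,
# the systems each vendor may be granted, and a maximum single-session length.
APPROVER_ROLES = {"DPA", "technical superintendent", "master"}
APPROVED_SCOPE = {
    "NavSoft Ltd": {"ecdis-1", "ecdis-2"},
    "PropCo Service": {"ecr-control-ws"},
}
MAX_SESSION = timedelta(hours=4)


def audit_session(rec):
    """Return the list of rule violations for one session record (empty = compliant)."""
    findings = []
    allowed = APPROVED_SCOPE.get(rec.get("vendor"))
    if allowed is None:
        findings.append("vendor not on approved list")
        allowed = set()
    extra = set(rec.get("systems", [])) - allowed
    if extra:
        findings.append("outside approved scope: " + ", ".join(sorted(extra)))
    if rec.get("approver_role") not in APPROVER_ROLES:
        findings.append("no sign-off by an authorised role")
    if not rec.get("supervisor"):
        findings.append("session not supervised")
    if not rec.get("purpose"):
        findings.append("no recorded purpose")
    if not rec.get("end"):
        findings.append("session never closed in the record")
    elif datetime.fromisoformat(rec["end"]) - datetime.fromisoformat(rec["start"]) > MAX_SESSION:
        findings.append("session exceeded maximum duration")
    if rec.get("made_changes") and not rec.get("change_ref"):
        findings.append("changes made without a change-control reference")
    return findings


def audit_all(records):
    """Map session id -> findings, listing only sessions that broke at least one rule."""
    return {r["id"]: f for r in records if (f := audit_session(r))}


# Constructed session log: one clean session, one ad hoc session, one overlong session.
SESSIONS = [
    {"id": "S-101", "vendor": "NavSoft Ltd", "systems": ["ecdis-1"],
     "approver_role": "DPA", "supervisor": "2/O", "purpose": "chart update",
     "start": "2026-02-03T09:00", "end": "2026-02-03T10:30",
     "made_changes": True, "change_ref": "CC-0412"},
    {"id": "S-102", "vendor": "NavSoft Ltd", "systems": ["ecdis-1", "ecr-control-ws"],
     "approver_role": "IT helpdesk", "supervisor": "", "purpose": "",
     "start": "2026-02-04T08:00", "end": None, "made_changes": True, "change_ref": ""},
    {"id": "S-103", "vendor": "PropCo Service", "systems": ["ecr-control-ws"],
     "approver_role": "technical superintendent", "supervisor": "C/E",
     "purpose": "governor tuning", "start": "2026-02-05T13:00",
     "end": "2026-02-05T19:00", "made_changes": False, "change_ref": ""},
]

if __name__ == "__main__":
    for sid, findings in audit_all(SESSIONS).items():
        print(sid, "->", "; ".join(findings))
```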
4. Bring cyber incidents and near misses into your safety reporting
Treat cyber events like any other safety signal, not only as IT trouble tickets.
The updated IMO cyber guidance expects companies to learn from cyber incidents and near misses in the same way they learn from navigational, machinery and cargo events. That means simple reporting routes, investigation routines and follow up actions that feed back into the Safety Management System.

- Events where systems were unavailable or unreliable because of suspected cyber issues.
- Cases where malware, phishing attempts or unauthorised access were detected and stopped in time.
- Situations where crews had to switch to manual or backup modes because a computer based system did not behave as expected.

- Cyber-related events included in the same incident and near-miss channels that crews already use for safety and operations.
- Simple categories for cyber events so reporting is quick and does not require technical language.
- Follow up steps that mirror normal safety practice, for example root cause review, corrective actions and checks of effectiveness.

- Focus on what helped or hindered detection and response rather than who clicked or made a mistake.
- Look at procedures, training, vendor involvement and system design in the same way as any other safety investigation.
- Feed agreed actions back into drills, checklists, vendor requirements and change control, then close the loop at management review level.

- 1️⃣ Add one or two cyber specific categories to your existing incident and near miss forms, for example suspected malware, unauthorised access, unexpected system behaviour.
- 2️⃣ Take one recent cyber related event and run it through your normal safety review process, then document the lessons in the same format as other incidents.
- 3️⃣ Brief masters and key shore staff that cyber events should follow the same reporting route as other operational events so minor issues are captured before a major one occurs.
5. Turn cyber drills into realistic bridge, engine and office scenarios
Move beyond password lectures and test what people do when key systems misbehave.
The updated cyber expectations from regulators and clients are not satisfied by a yearly slide deck. They look for crews and shore staff who have rehearsed what to do when a chart system, cargo terminal application or planning tool behaves in an unexpected way. Cyber drills should feel as practical as fire or steering gear drills, only with different triggers.

- Recognition of unusual system behaviour on the bridge, in the engine control room or in shore applications.
- Hand over to backup or manual procedures when computer based systems are not trusted.
- Communication paths between ship and shore when an incident is suspected and needs coordinated response.

- Scenario-based drills that describe a starting situation, a trigger and the expected outcome for ship and shore.
- Short injects that can be run during normal drills, for example a navigation system glitch or unexpected data on a cargo screen.
- Simple scorecards that note what worked well, what was confusing and which procedures need to be updated or clarified.

- Bridge: during a watch, the primary ECDIS shows inconsistent data compared with paper or a second unit. The drill tests cross checks, escalation and use of alternate navigation methods.
- Engine: a control workstation behaves erratically when adjusting set points. The drill tests how the team isolates the issue, uses local control and informs shore.
- Office or terminal: a key planning or cargo system becomes unavailable during operations. The drill tests manual fallbacks, communication with customers and prioritisation of work while the system is investigated.

- 1️⃣ Select one bridge, one engine and one shore scenario that fit your fleet and write a short, one page drill script for each.
- 2️⃣ Run at least one of these scenarios during an existing drill or training session and capture feedback from crew and shore staff.
- 3️⃣ Update procedures and checklists where the drill showed confusion, missing contact information or unrealistic expectations.
6. Give cyber responsibilities clear owners on board and ashore
Everyone touches cyber, but a few roles must carry defined duties that auditors can see.
The updated cyber expectations assume that companies know who is responsible for cyber decisions at sea and on shore. Generic statements that everyone is responsible for cyber are not enough. Regulators, class and clients want to see which functions own risk assessment, day to day controls, incident handling and follow up.

- Who keeps the list of computer based systems up to date for ships and shore locations.
- Who decides on control measures for new systems and signs off related risk assessments.
- Who coordinates cyber incidents and communicates with customers, class and authorities.
- Who drives follow up actions and checks if agreed improvements are actually in place.

- A short role and responsibility section that links cyber duties to existing positions such as DPA, fleet managers and technical superintendents.
- Clear description of what masters and chief engineers are expected to do on board when cyber issues affect navigation, machinery or cargo.
- References to who approves vendor access, who can authorise system changes and who receives incident reports.

- Use the same simple language you use for safety roles. Avoid complex security terms that mean little outside IT teams.
- Describe what people observe, who they inform and what decisions they own, rather than listing long policy texts.
- Link cyber roles to familiar processes such as change control, drill planning and incident review to keep things intuitive.

- 1️⃣ Take your existing safety role chart and add one or two clear cyber duties for key functions such as DPA, masters, chief engineers and fleet managers.
- 2️⃣ Agree with IT and OT leads who approves major changes, who runs incident coordination and who owns updates to the computer based systems inventory.
- 3️⃣ Add a one page summary of cyber roles to the SMS and use it in the next round of drills or tabletop exercises so people can test how it works in practice.
7. Build cyber checks into newbuilds, retrofits and purchasing
Cyber should be a design and procurement question, not only a policy question after delivery.
The updated cyber expectations assume that new ships and major upgrades arrive with basic security questions already answered. That connects directly to class requirements for cyber capable equipment and to what charterers and financiers ask when they assess future risk. Procurement and projects are now part of the cyber story, not outside it.

- How each system connects to other equipment, networks and remote support paths on board and ashore.
- Which security measures are included as standard, such as user accounts, logging, update mechanisms and hardening guides.
- How the vendor will support security updates, incident investigation and end of life replacement over the life of the system.

- Project checklists that include cyber alongside class, stability, emissions and automation topics.
- Design reviews where IT, OT and safety staff have a chance to question network layouts and remote access methods.
- Handover documents that include updated computer based system inventories and basic security settings, not only functional tests.

- Ask if the equipment has been used on ships with class cyber-related notations and whether any issues were recorded.
- Request a short description of how access control, logging and updates work in practice for the system you are buying.
- Check that support contracts mention security updates and incident assistance, not only hardware replacement and normal faults.

- 1️⃣ Take one ongoing or recent newbuild or retrofit project and check whether cyber topics were recorded in any design or review minutes.
- 2️⃣ Create a short set of cyber questions that procurement can add to RFQs for systems that connect to ship or shore networks.
- 3️⃣ For the next project, add a single checkpoint where IT, OT and safety staff review network and remote access plans before final approval.
8. Make backups and recovery simple, tested and documented
Recovery is often the weak link, even when protection looks strong on paper.
Many companies invest heavily in firewalls and training but only discover backup problems during a real incident. The updated cyber expectations put more weight on the ability to recover systems and data within an acceptable time and to keep ships operating safely while that happens. Backups are useful only if people know what exists, where it lives and how to restore it under pressure.

- Configuration data and images for critical computer based systems on the bridge, in the engine control room and for cargo operations.
- Shore based planning and fleet systems that ships depend on for schedules, documentation and certificates.
- Key documents such as SMS procedures, checklists and contact lists in a form that ships can access if office networks are unavailable.

- Clear information on who holds backups, how often they are taken and how many versions are kept.
- At least one copy that is not permanently connected to the live network, for example offline media or a tightly controlled vault.
- Documented steps to restore a system or move to a backup instance, including who authorises and who supports the work.

- Schedule small restore tests for selected systems instead of waiting for a full crisis to find out if backups work.
- Involve ship staff where relevant so they see how long a restore takes and what operational workarounds are needed.
- Record any problems during restore tests and feed them into change control and vendor discussions so weaknesses are fixed.

- 1️⃣ Choose one shipboard system and one shore system that are important for operations and document where their backups are stored and who is responsible.
- 2️⃣ Run a controlled restore test for at least one of these systems and measure how long it takes to return to a safe and usable state.
- 3️⃣ Update SMS guidance so that backup locations, responsible roles and basic restore steps are easy to find for crews and shore staff.
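Added example, not from the page: a Python readiness check over a constructed backup register that applies the points above (a named owner, a backup cadence that is actually met, at least one copy not connected to the live network, a recent restore test and a measured restore time within the operational target). The register entries, the 180-day restore-test policy and the field names are assumptions.

```python
"""Backup and recovery readiness check for critical computer-based systems.

Added example, not from the page or the IMO guidance. Field names, targets and
the register entries below are constructed to illustrate the checks in the text.
"""
from datetime import date, timedelta

TODAY = date(2026, 3, 1)  # fixed review date so the example is reproducible offline
RESTORE_TEST_MAX_AGE = timedelta(days=180)  # assumed policy: test restores twice a year

# Constructed register: one shipboard system, one shore system and one weak entry.
REGISTER = [
    {"system": "ecdis-1", "owner": "2/O", "cadence_days": 7,
     "copies": [{"where": "bridge NAS", "offline": False, "taken": "2026-02-27"},
                {"where": "sealed USB in safe", "offline": True, "taken": "2026-02-20"}],
     "last_restore_test": "2026-01-15", "measured_restore_min": 45, "target_restore_min": 60},
    {"system": "fleet-planning", "owner": "IT manager", "cadence_days": 1,
     "copies": [{"where": "cloud snapshot", "offline": False, "taken": "2026-02-28"},
                {"where": "vault tape", "offline": True, "taken": "2026-02-28"}],
     "last_restore_test": "2025-06-01", "measured_restore_min": 240, "target_restore_min": 120},
    {"system": "cargo-loading-pc", "owner": "", "cadence_days": 30,
     "copies": [{"where": "vendor laptop", "offline": False, "taken": "2025-11-02"}],
     "last_restore_test": None, "measured_restore_min": None, "target_restore_min": 180},
]


def _d(s):
    return date.fromisoformat(s) if s else None


def check_entry(e, today=TODAY):
    """Return the list of readiness problems for one register entry (empty = ready)."""
    problems = []
    if not e.get("owner"):
        problems.append("no named owner")
    copies = e.get("copies", [])
    if not copies:
        problems.append("no backup copies")
    if not any(c["offline"] for c in copies):
        problems.append("no copy isolated from the live network")
    latest = max((_d(c["taken"]) for c in copies), default=None)
    if latest and today - latest > timedelta(days=e["cadence_days"]):
        problems.append(f"latest copy older than cadence ({(today - latest).days} days)")
    test = _d(e.get("last_restore_test"))
    if test is None:
        problems.append("restore never tested")
    elif today - test > RESTORE_TEST_MAX_AGE:
        problems.append("restore test out of date")
    measured, target = e.get("measured_restore_min"), e["target_restore_min"]
    if measured is not None and measured > target:
        problems.append(f"restore takes {measured} min, target {target} min")
    return problems


def readiness_report(register, today=TODAY):
    """system -> problems; systems with an empty list are ready for the next review."""
    return {e["system"]: check_entry(e, today) for e in register}


if __name__ == "__main__":
    for system, problems in readiness_report(REGISTER).items():
        print(f"{system:18s}", "READY" if not problems else "; ".join(problems))
```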
9. Make cyber training short, role based and tied to real systems
Replace generic e-learning with focused modules that match what people actually touch.
The updated cyber expectations are built on the idea that people at sea and on shore understand their part of the picture. Long, generic courses are rarely remembered. Short, role based sessions that show the actual screens, systems and situations people see in their work are far more effective and easier to audit.

- Bridge and engine teams see examples based on navigation, propulsion and power control systems, not office email screenshots only.
- Shore staff see realistic situations around planning tools, cargo and documentation systems that can be misused or disrupted.
- Everyone understands how to raise a concern quickly and what the first simple steps are if something looks wrong.

- A simple training matrix that shows which roles receive which short modules and how often.
- Sessions that fit into existing drill days, safety meetings and office town halls to avoid separate long courses.
- Records that show dates, participants and topics in a form that is easy to present to auditors, clients and insurers.

- Use short, focused sessions that last ten to twenty minutes and cover one clear theme instead of trying to cover everything at once.
- Show screenshots and examples from your own systems so people recognise what they see on the vessel or in the office.
- Connect training topics to real incidents and near misses from your fleet or from public cases and explain what would have helped.

- 1️⃣ Pick three groups, for example bridge officers, engine staff and shore planners, and define one short cyber topic that matters most to each group.
- 2️⃣ Create a single page or slide per topic that uses your own systems and a simple scenario and then run these sessions during existing meetings or drills.
- 3️⃣ Start a basic training log that lists dates, roles and topics so you can show a clear record of targeted, repeated cyber awareness work.
10. Use simple metrics and reviews to show cyber is improving
Turn cyber from one time projects into a normal part of management review and planning.
Regulators and clients increasingly ask how you know that cyber risk is being managed, not only whether you have a policy. The updated expectations fit well with a small set of indicators that are reviewed along with safety, environmental and operational performance. The goal is not a complex dashboard, but a handful of numbers and observations that tell you whether things are getting better or worse.

- Number of reported cyber related incidents and near misses and whether they are increasing because people are more willing to report.
- Completion rates for key training, drills and vendor access checks that matter most for your risk profile.
- Progress on closing agreed actions from reviews, incidents and external findings, for example class and customer audits.

- Add a short cyber section to regular safety or management review meetings instead of creating a separate cycle.
- Use the same format you already use for safety and environmental topics so leaders can compare and prioritise.
- Record decisions, priorities and resource needs in the same way as other risk and performance topics.

- Show that cyber is part of your normal risk management, not a separate side project, by pointing to SMS sections, drills and reviews.
- Use a small set of trends such as reports, training completion and action closure to show direction of travel, even if you are still building maturity.
- Be honest about remaining gaps and show which improvements have been planned, funded and assigned to named owners.

- 1️⃣ Select three to five simple indicators that reflect the work you are already starting to do on cyber, such as drills, training or vendor access controls.
- 2️⃣ Add a short cyber section to the next management review or safety meeting and present these indicators along with any recent incidents or lessons.
- 3️⃣ Decide on one or two concrete improvements to target for the next period and record them with clear owners and due dates in your normal follow up system.
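Added example, not from the page: Python that computes the three indicators named above (reported cyber events per quarter, training completion per role group, and closure of agreed actions with the overdue ones listed) from constructed records, so the cyber section of the management review works from a few numbers with named owners rather than from impressions. The record layouts, role names and dates are assumptions.

```python
"""Management-review indicators for cyber, computed from simple records.

Added example, not from the page or the IMO guidance. The record layouts and
sample data are constructed; the indicators follow the three the text names.
"""
from collections import Counter
from datetime import date

TODAY = date(2026, 3, 31)  # fixed review date so the example runs offline

EVENTS = [  # constructed cyber incident / near-miss reports: (date, category)
    ("2025-10-12", "unexpected system behaviour"), ("2025-11-03", "suspected malware"),
    ("2026-01-20", "unauthorised access"), ("2026-02-02", "unexpected system behaviour"),
    ("2026-02-17", "unexpected system behaviour"), ("2026-03-09", "suspected malware"),
]
TRAINING = [  # constructed: (role group, person, completed this period)
    ("bridge", "2/O A", True), ("bridge", "3/O B", True), ("bridge", "C/O C", False),
    ("engine", "C/E D", True), ("engine", "2/E E", False),
    ("shore planners", "P. F", True), ("shore planners", "P. G", True),
]
ACTIONS = [  # constructed: (ref, owner, due date, closed)
    ("A-1", "DPA", "2026-01-31", True), ("A-2", "fleet manager", "2026-02-28", False),
    ("A-3", "IT manager", "2026-04-30", False), ("A-4", "DPA", "2026-03-15", True),
]


def quarter(s):
    """'2026-02-17' -> '2026Q1'."""
    d = date.fromisoformat(s)
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def reports_by_quarter(events):
    """Ordered {quarter: count}; a rising count often means more willingness to report."""
    return dict(sorted(Counter(quarter(d) for d, _ in events).items()))


def training_completion(training):
    """{role group: completion percentage}, rounded to a whole percent."""
    done, total = Counter(), Counter()
    for group, _, completed in training:
        total[group] += 1
        done[group] += int(completed)
    return {g: round(100 * done[g] / total[g]) for g in total}


def action_closure(actions, today=TODAY):
    """Return (closure rate in percent, refs of open actions past their due date)."""
    closed = sum(1 for *_, c in actions if c)
    overdue = [ref for ref, _, due, c in actions
               if not c and date.fromisoformat(due) < today]
    return round(100 * closed / len(actions)), overdue


def review_summary(events=EVENTS, training=TRAINING, actions=ACTIONS, today=TODAY):
    """The handful of figures to bring to the management review."""
    rate, overdue = action_closure(actions, today)
    return {"reports": reports_by_quarter(events),
            "training": training_completion(training),
            "action_closure_pct": rate, "overdue_actions": overdue}


if __name__ == "__main__":
    for k, v in review_summary().items():
        print(f"{k}: {v}")
```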
Taken together, the updated IMO guidance is really an invitation to treat cyber like any other part of safe, efficient ship operation. The companies that will cope best with the next few years are not the ones with the longest policies, but the ones that quietly map their computer based systems, rehearse realistic drills, bring vendors and projects inside the safety picture and track a handful of simple indicators over time. If you can show that cyber risks are identified, controlled, tested and reviewed through the same SMS machinery that already runs your fleet, you will be in a much stronger position with auditors, customers and insurers, and you will give crews and shore teams a clearer, calmer way to deal with the next wave of digital problems at sea.