IMO MSC-FAL.1/Circ.3  ·  All ISM vessels since Jan 2021

Your vessel already has a cyber security obligation.

You don’t need to be building a new ship to need maritime OT security. Every vessel operating under the ISM Code has been legally required to address cyber risk since January 2021 — most fleets haven’t fully acted on it yet.

2021: Year IMO cyber risk management became mandatory for all ISM ships
64: TAGSIA playbooks that apply to your vessel right now
5: NIST phases covering the full security lifecycle at sea

IMO MSC-FAL.1/Circ.3 — in force since 1 January 2021

The IMO formally requires all companies with vessels under the ISM Code to incorporate cyber risk management into their Safety Management System (SMS) by the first annual DOC verification after 1 January 2021. This is not voluntary guidance — it is a Port State Control (PSC) enforceable requirement under SOLAS. If your SMS does not address cyber risk, your vessel is non-compliant today.

Regulatory framework

Three frameworks that apply to every vessel

IACS UR E26 gets the headlines, but it only applies to vessels with keel laid on or after 1 January 2024. The following three frameworks apply to your existing fleet right now — regardless of age, flag, or class society.

Mandatory

IMO MSC-FAL.1/Circ.3

Requires cyber risk management integrated into every ISM-compliant vessel’s SMS. Applies to all SOLAS vessels. PSC enforceable since January 2021.

All ISM vessels

Industry Standard

BIMCO Cyber Security Guidelines v4

The de facto industry standard for fleet cyber security. Referenced by P&I clubs, vetting systems, and charterers. Aligns directly with TAGSIA’s NIST-phase approach.

All vessel types

Vetting / Commercial

TMSA 3 / SIRE 2 / CDI

Tanker and bulk carrier operators face cyber security questions in TMSA 3 KPI 13, SIRE 2 inspections, and CDI assessments. Poor scores affect chartering.

Tanker & bulk

Common misconceptions

Why existing fleet owners delay — and why they shouldn’t

❌ The myth: “We don’t need E26 — our ship is old.”
✓ The reality: E26 is for newbuilds only. But IMO MSC-FAL.1/Circ.3 has applied to your vessel since January 2021, regardless of build year.

❌ The myth: “Cyber security is an IT problem.”
✓ The reality: Maritime cyber incidents most commonly target OT systems — ECDIS, PMS, AMS. IT departments don’t understand NMEA 0183 or engine room PLCs.

❌ The myth: “We’ve never had an incident.”
✓ The reality: The Maersk NotPetya incident cost $300M. Most maritime cyber incidents go unreported. Absence of evidence is not evidence of absence.

❌ The myth: “Our vendor handles our security.”
✓ The reality: OEM service access is one of the highest-risk vectors in maritime OT. Supply chain security is your responsibility under E27 §4.5 and BIMCO.

❌ The myth: “Compliance is too expensive to implement.”
✓ The reality: A single ransomware incident on a vessel costs far more than a structured security programme. Most TAGSIA playbooks require process changes, not hardware purchases.

Your implementation path

Where to start — a practical sequence for existing vessels

You don’t need a Class survey to start. The five NIST phases map directly onto the IMO and BIMCO requirements. Work through them in order and you will satisfy your SMS obligation and be ready for PSC inspection.

1. Identify — know what you have
Build a complete inventory of every Computer Based System (CBS) on board. Map the interdependencies between bridge, engine room, and cargo systems. Establish which systems are critical to vessel safety. This is the foundation of your IMO SMS cyber annex.

2. Protect — harden what matters
Implement the technical controls that reduce your attack surface: network segmentation, USB controls, password policies, remote access management, and physical hardening of OT cabinets. All playbooks in this phase apply to existing vessels.

3. Detect — know when something is wrong
Set up monitoring so the ETO knows when a rogue device appears, when traffic deviates from the baseline, or when a critical system goes offline. Detection is the difference between a contained incident and a full compromise.

4. Respond — contain the damage
When an incident occurs, the first 15 minutes determine the outcome. These playbooks give the ETO a structured response sequence, network isolation procedures, and the reporting obligations to shore and flag state under IMO MSC-FAL.1.

5. Recover — restore and improve
Restore systems from verified backups, conduct a post-incident review, and update the SMS cyber annex. This closes the loop and satisfies the ISM Code requirement to learn from incidents and prevent recurrence.

Framework alignment

How TAGSIA maps to your compliance requirements

Every TAGSIA playbook displays the regulatory frameworks it satisfies. For existing vessels, look for the IMO, BIMCO, and ISM Code badges on each page — these are your primary obligations.

IMO MSC-FAL.1/Circ.3
All SOLAS / ISM vessels
Requires cyber risk management integrated into your SMS. TAGSIA playbooks across all 5 NIST phases satisfy the functional requirements of this circular.
64 of 67 TAGSIA pages apply

BIMCO Guidelines v4
Industry best practice
The industry’s primary voluntary standard. Referenced by P&I clubs when assessing incident liability. TAGSIA’s NIST-phase structure mirrors the BIMCO lifecycle approach directly.
Aligned across all phases

ISM Code §9 / §10
Emergency & MoC procedures
ISM §9 requires procedures for emergencies — the Respond and Recover playbooks satisfy this. ISM §10 requires MoC — the Roles & MoC playbook covers this directly.
Respond + Recover phases

TMSA 3 / SIRE 2
Tanker & bulk vetting
TMSA 3 KPI 13 and SIRE 2 cyber questions map directly to the Identify, Protect, and Detect phases. Poor vetting scores affect chartering opportunities and insurance premiums.
Identify + Protect phases

Common questions

Frequently asked questions

Yes. The circular requires that cyber risk management is reflected in the vessel’s SMS by the first annual Document of Compliance (DOC) verification after 1 January 2021. Port State Control officers can — and increasingly do — ask to see evidence of a cyber risk management programme during inspections. A deficiency can result in detention. Paris MOU and Tokyo MOU have both flagged cyber SMS gaps as grounds for inspection findings.

IACS UR E26 is a detailed, prescriptive technical standard that applies to newbuilds with keel laid on or after 1 January 2024. It requires formal Class approval including a Cyber System Definition Document (CSDD), risk-based segmentation design, and a full audit trail. IMO MSC-FAL.1/Circ.3 is broader and less prescriptive — it requires that you address cyber risk in your SMS, but it does not dictate the exact technical architecture. Think of E26 as the highest bar, and IMO as the baseline floor that every ship must meet.

For an existing vessel starting from scratch: (1) Asset Inventory & Mapping — you cannot protect what you cannot see; (2) System Criticality Mapping — identify which systems matter most; (3) Network Segmentation (retrofits) — the single highest-impact technical control; (4) OT Password Policy & RBAC — often the easiest quick win; (5) Incident Severity Matrix — so the crew knows how to respond if something goes wrong. These five playbooks together cover the core of your IMO SMS obligation.

Not necessarily. A Class cyber survey (e.g. DNV Cyber Secure, LR CyberSafe, BV CS1/CS2) is voluntary for existing vessels — it’s a notation you can choose to obtain. What is mandatory is satisfying the IMO MSC-FAL.1 requirement through your ISM SMS. A Class notation provides external verification that you have done so to a defined standard, which is increasingly valuable for insurance and chartering purposes — but it is not required to be compliant with the IMO circular.

Start with the Cyber Risk Assessment tool to establish a baseline risk score for your fleet. Then use the Asset Inventory playbook as a template that can be applied across all vessels. The Roles & Change Management playbook will help you define the DPA and ETO responsibilities fleet-wide. For fleet-scale implementation support, the TAGSIA Fleet Enterprise bundle provides master templates designed for multi-vessel deployment. Contact us for enterprise pricing.

Ready to secure your existing fleet?

Start with the free playbooks. Every page is tagged with the frameworks it satisfies — so you always know exactly what obligation you are addressing.
