Master Project Summary
Vessel Cyber Resilience Dashboard
Framework: IACS UR E26 & E27 (Rev.1 Nov 2023) | All vessel types
1. IACS UR E26 / E27 Audit Readiness Framework
This scorecard serves as the Vessel Benchmark for IACS compliance. It provides a standardized method for the ETO and Technical Managers to track implementation progress across the five functional phases. A 5/5 score is the required target for Class notation, confirming that both vessel-level requirements (E26) and equipment documentation (E27) are verified and complete.
Maturity Framework Criteria
The following criteria define the progression toward full IACS UR E26 / E27 Audit Readiness.
| Score | Level | Required Evidence & Milestones |
|---|---|---|
| 1 / 5 | Initial | No formal cyber resilience measures. Systems are unmapped and unprotected. High risk of vessel detention during PSC inspection. |
| 2 / 5 | Managed | Cyber security requirements are documented in the Safety Management System (SMS). Responsibilities are assigned to the ETO and Chief Engineer. |
| 3 / 5 | Defined | Technical controls (segmentation, access control, malware protection, backups) are implemented on all Category II and III systems. The E26 §4.2 requirements are physically in place and active. |
| 4 / 5 | Verified | The CBS security capability test procedure has been executed and documented. Logs prove that detection and response capabilities are functioning as intended. Annual local control test records are complete. |
| 5 / 5 | Optimized | Audit Ready. All E27 vendor type approval certificates and technical documentation are filed in the SMS. Vessel meets IACS UR E26 & E27 Rev.1 (Nov 2023) requirements for Class notation. |
2. Regulatory Evidence Mapping
Verification of UR E26 vessel-level requirements depends on the UR E27 Computer Based System (CBS) documentation stored in the vessel’s SMS. The table below maps each E26 phase requirement to its corresponding E27 documentation obligation.
| E26 Phase | Vessel Requirement (E26) | SMS Documentation (E27 Alignment) |
|---|---|---|
| Identify | §4.1.1: Vessel asset inventory & CBS categorisation | Topology & inventory list (E27 §3.1.2) |
| Protect | §4.2.1: Security zones & segmentation architecture | Security capabilities description (E27 §3.1.3) |
| Detect | §4.3.1: Network operation monitoring & CBS diagnostics | Capabilities test procedure (E27 §3.1.4) |
| Respond | §4.4.1: Incident response plan & safe state procedures | Response support documentation (E27 §3.1.8) |
| Recover | §4.5.3: Integrity verification & system reconstitution | Recovery & reconstitution plans (E27 §3.1.8, §3.1.9) |
3. SMS Integration (ISM Code Alignment Examples)
To ensure operational compliance with the IMO Cyber Mandate (in force January 2021 under MSC.428(98)), the framework is integrated into the vessel’s Safety Management System (SMS). Below are standard examples of how E26 requirements align with existing ISM chapters:
Example: Chapter 7 (Operations)
Integration of cyber SITREP procedures for bridge teams and pre-departure verification of Category III critical system integrity (Ref: E26 §4.1).
Example: Chapter 10 (Maintenance)
Inclusion of offline backup verification and firmware integrity checks within the Planned Maintenance System (Ref: E26 §4.2 & §4.5).
Note: The specific chapter placement varies depending on the structure of the Company’s SMS and Safety Management Manual (SMM).
Surveyor’s Note (Class Cyber Notation)
Class surveyors verify the physical and logical segregation between Category I systems (passenger/crew networks, hotel systems) and Category III essential systems (propulsion, steering, power management). Ensure that E26 §4.2.1 zone architecture is testable at survey and that E27 §3.1.3 security capability descriptions are available for each CBS in scope. For vessels with complex network environments, surveyors may request a live demonstration of zone isolation capability.
