CSDD & Exclusion Assessment

UR E26 5.1.1 & 6: The Cyber System Definition Document (CSDD) is the mandatory technical file submitted for Class approval. Section 6 provides the framework for a Risk-Based Exclusion, allowing systems to be removed from the scope of UR E26 if they do not impact the safety of life or the environment.

1. Assembling the CSDD

The CSDD is the “Master Blueprint” of your ship’s cyber resilience. It is not a single document, but a compilation of the data collected in the previous pillars. Your CSDD must include:

  • Network Topologies: Logical and physical diagrams showing all CBS and their connections.
  • Asset Inventory: The full HW/SW list including Category II and III classifications.
  • Data Flow & Protocols: Description of interdependencies and protocols used for communication.

2. Section 6: Risk-Based Exclusions

In accordance with IACS UR E26, not all onboard systems are required to meet the full set of cybersecurity controls. Systems (typically Category I, such as crew welfare or entertainment) may be proposed for exclusion based on a documented risk assessment, provided they are adequately segregated from safety-critical and essential systems.

Exclusion Assessment Criteria:

A system may be considered for exclusion if it meets ALL of the following conditions:

  • No physical, logical, or indirect network connection to Category II or Category III systems.
  • Compromise cannot result in loss/degradation of propulsion, steering, or power generation.
  • Compromise cannot cause or contribute to an environmental discharge (e.g., MARPOL).
  • Does not provide data required for SOLAS, MARPOL, Class rules, or Flag-state regulations.
  • Is logically segregated, does not share credentials, and has controlled maintenance access.

Where all criteria are met, a Formal Exclusion Assessment shall be documented and submitted to the attending surveyor for review and acceptance as part of the UR E26 compliance process.
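The sketch below is an added example, not part of UR E26 or of this playbook. It screens a CSDD asset inventory against the five criteria above and treats "indirect" connection as reachability over the topology links. The asset names, links and finding keys are constructed for illustration, and every link is assumed to be a usable connection path.

```python
from collections import deque

# Constructed sample data: asset names, links and findings are illustrative only.
ASSETS = {
    "crew-wifi":      {"cat": 1, "findings": set()},
    "office-pc":      {"cat": 1, "findings": {"shared_credentials"}},
    "iptv":           {"cat": 1, "findings": set()},
    "vsat-router":    {"cat": 1, "findings": set()},
    "ecdis":          {"cat": 2, "findings": {"provides_regulatory_data"}},
    "propulsion-plc": {"cat": 3, "findings": {"affects_propulsion_steering_power"}},
}
# Physical or logical connections as drawn in the CSDD topology (constructed).
LINKS = [("crew-wifi", "office-pc"), ("iptv", "vsat-router"),
         ("vsat-router", "ecdis"), ("ecdis", "propulsion-plc")]

# Assessor findings (hypothetical keys) mapped to the criterion they violate.
FINDING_TO_CRITERION = {
    "affects_propulsion_steering_power": 2, "affects_environmental_discharge": 3,
    "provides_regulatory_data": 4, "not_logically_segregated": 5,
    "shared_credentials": 5, "uncontrolled_maintenance_access": 5,
}

def reachable(start, links):
    """Assets reachable from start over any chain of links (direct or indirect)."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def assess_exclusion(name, assets=ASSETS, links=LINKS):
    """Map each failed criterion (1-5, in the list's order) to its evidence."""
    failed = {}
    paths = sorted(n for n in reachable(name, links) if assets[n]["cat"] >= 2)
    if paths:
        failed[1] = paths  # criterion 1: any path to a Category II/III system
    for finding in sorted(assets[name]["findings"]):
        failed.setdefault(FINDING_TO_CRITERION[finding], []).append(finding)
    return failed

if __name__ == "__main__":
    for name in ASSETS:
        print(name, assess_exclusion(name) or "meets all five criteria")
```

In this sample, `iptv` fails criterion 1 only because of the indirect path through `vsat-router`, which is the case a flat inventory review tends to miss.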
