Part of the IDENTIFY Playbook ← Return to Hub

Risk Assessment & System Criticality Guide

A standardized framework for IACS UR E26 Section 3.3 Compliance.

1. Understanding System Criticality

Under UR E26, every Computer Based System (CBS) onboard must be categorized based on its impact on the safety of the vessel, personnel, and the environment.

Category I

Systems where failure does not lead to dangerous situations. (e.g., Entertainment, Crew Wi-Fi).

Category II

Systems where failure could eventually cause a risk to safety or environment. (e.g., Bilge systems, Fire detection).

Category III

Systems where failure can immediately lead to dangerous situations. (e.g., Propulsion, Steering, Navigation).

2. The Exclusion Logic

Not every computer onboard is “In-Scope” for a cyber audit. However, to exclude a system, you must prove Isolation. An auditor will look for the following three technical “Locks”:

No Network Link: Is the system air-gapped from the Administrative and Control networks?
No Wireless: Does the device have Bluetooth, Wi-Fi, or Cellular 4G/5G disabled?
No Functional Impact: If the system is hit by ransomware, does the ship keep moving?

Download the Audit Artifacts

The following forms are pre-mapped to UR E26 §3.3 requirements and ready for Class Society verification.

Exclusion Assessment Form Get Full Bundle Access

Unlock Full Compliance & Intelligence

Upgrade to the TAGSIA Pro Bundle to get all 40+ fillable documents, editable SOPs, and unlimited access to our real-time Threat Intel feed, CVE Library, and Vendor Advisories.

Upgrade to Pro Bundle

Includes Unlimited Intel Search

Instant access to IACS E26/E27 Templates

PREVIOUS:
Audit Evidence Templates

Next Section

Identify Phase: Summary & Audit Readiness

Identify Phase: Summary & Audit Readiness 🔍 Phase Objective The Identify Phase is about Visibility. You cannot protec...

Identify Phase: Summary & Audit Readiness →