The scheme aims to put vessel owners and operators on the path to compliance in accordance with the IMO Maritime Cyber Risk Management guidelines.
IASME is famous for helping organisations meet compliance requirements and the Maritime Cyber Baseline is no exception – the scheme is affordable and accessible for all sizes of operators.
Certification for vessels under 500 GRT costs £750 +VAT and is conducted through self-assessment.
Certification for vessels of 500 GRT and above costs £1950 +VAT and is audited by an assessor to verify that all the required security controls have been put into place.
A 1-day training course designed for anyone interested in the cyber security of vessels at sea.
About The Maritime Cyber Baseline Certification Scheme
The Maritime Cyber Baseline Certification Scheme has been designed to assist vessel operators and owners to improve their cyber security, prepare for attacks and to ensure that cyber security plans meet the IMO Maritime Cyber Risk Guidelines:
- Provides reassurance for your business, your crew, passengers, customers and other operators that your vessel has the correct security controls and processes in place.
- Aligns with the IMO Maritime Cyber Risk Management guidelines and makes evident your true commitment to best security practices.
- Indicates that you have a baseline level of cyber assurance.
- Provides the ability to demonstrate your compliance by displaying a Maritime Cyber Baseline certificate on your vessel and on any business communications.
The IASME Maritime Cyber Baseline certification scheme allows vessels of all sizes to achieve a basic level of cyber security in line with the IMO Maritime Cyber Risk Management guidelines. The scheme is operated by trained Certification Bodies who are maritime security experts and can provide guidance and support to vessel owners and operators to improve the security of their vessels through implementing good cyber security controls.
Certification is available to vessels of all sizes. Smaller vessels under 500 gwt complete the assessment solely using the online portal. Larger vessels of 500 gwt and over are audited by an assessor, either in person or via a remote video link, to verify that all the required security controls have been put into place. Certification is renewed annually, with the in-person assessment taking place every three years. This provides a balance between the cost of the assessment and the level of assurance provided, ensuring that the scheme remains affordable and accessible to all vessel owners and operators.
A route to compliance and improved cyber security
The maritime industry accounts for the movement of 90% of world trade, making it a very attractive target for cyber criminals.
In 2017 the IMO (the International Maritime Organisation) issued ‘Guidelines on Maritime Cyber Risk Management’, providing high-level recommendations to safeguard shipping from current and emerging cyber threats and vulnerabilities, including functional elements that support effective cyber risk management.
The guidelines came into force on 1 January 2021 and maritime organisations, including vessel owners and operators, must now be able to demonstrate that they can execute an effective cyber security plan and address the risks in a way that improves the security of their operations.
Developed by Infosec Partners in conjunction with IASME, the UK's leading information assurance organisation, and supported by RINA (Royal Institution of Naval Architects), the Maritime Cyber Baseline Certification scheme provides an affordable and practical way for vessel owners and operators to achieve compliance in accordance with the IMO Maritime Cyber Risk Management guidelines, namely:
- The International Maritime Organisation (IMO) Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3) and
- IMO resolution MSC.428 (98).
The rise of maritime OT brings additional cyber challenges
Maritime cyber security risk refers to a measure of the extent to which a technology asset could be threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised.
New technology, automation and digitisation mean that vessels are more connected than ever, bringing a higher risk of cyber attacks. In fact, over the past 3 years, cyber-attacks on the maritime industry’s operational technology (OT) systems have increased by 900%, and with an increase in smart technology within the sector, this trend will only continue.
Therefore, securing OT and the complex networks and connected environments is critical for cyber resilience. However, a 2020 Safety at Sea and BIMCO Maritime Cyber Security survey reported that despite the majority of respondents viewing cyber-attacks as a high/medium risk, few appeared to be prepared for attacks.
The Maritime Cyber Baseline Certification Scheme is designed to assist vessel operators and owners to continually improve their cyber security to counter emerging threats and remain cyber resilient. It provides a process of identifying, analysing and assessing cyber-related risks and mitigating them to an acceptable level.
Suitable for vessels of all sizes
The scheme is accessible to owners and operators of vessels of all sizes across the globe, including:
- Cargo vessels
- Passenger vessels
- Specialised craft
Simple steps to achieving and maintaining certification
To achieve certification for a vessel, applicants follow a practical pathway:
- Stage 1: Answer a series of easy-to-understand questions and complete the verified self-assessment using the IASME online platform.
- Stage 2: An IASME assessor reviews your systems and processes and collates evidence to verify the answers provided in stage 1. The applicant receives feedback from the assessor on how they can improve the security of their vessel depending on the answers provided to the various questions.
- Stage 3: Once your self-assessment has been verified, you will be officially awarded vessel certification for 3 years.
- Stage 4: In order to maintain certification, the vessel owner/operator must complete and pass an annual verified self-assessment on the first and second anniversary of the audit to demonstrate their continued compliance.
Developed and supported by Assurance, Maritime and Cyber Security Experts
The Maritime Cyber Baseline scheme is managed and operated by the IASME CONSORTIUM
IASME Consortium is a cyber security certification organisation that operates a network of over 250 Certification Bodies across the UK who improve and certify the cyber security of organisations. IASME has a particular focus on making cyber security guidance and certification affordable for smaller organisations and champions diversity through its neuro and gender diverse team.
IASME is the sole partner for the UK government to operate the national Cyber Essentials scheme. IASME’s own highly-regarded Governance, Counter Fraud and IoT device certification schemes have been developed to provide a unique combination of affordable security across a range of sectors.
The Maritime Cyber Baseline scheme is supported by the Royal Institution of Naval Architects
RINA (Royal Institution of Naval Architects) is an internationally renowned professional institution whose members are involved at all levels in the design, construction, maintenance and operation of marine vessels and structures.
As trusted experts in cyber security, Infosec Partners have a proven track record in helping maritime and shipping organisations become cyber secure. Our maritime cyber security experts are available to advise you on how your systems and processes can be adapted in order to safeguard against current and emerging threats, and meet the IMO compliance standards.
Frequently Asked Questions
Can I demonstrate compliance to IMO Maritime Cyber Resolution MSC.428(98) without getting the Maritime Cyber Baseline certification?
Yes, you can, although it is likely to be more expensive and take longer through the need for external consultants and additional services. In addition, many within the maritime industry report that they are putting significant effort into demonstrating compliance yet are not 100% confident that they are in fact compliant.
The Maritime Cyber Baseline enforces a standard level of control that can be evidenced across a large range of vessels. Without the Maritime Cyber Baseline it is difficult to know whether security controls and procedures are adequate and if compliance has been met.
Do insurance companies recognise the Maritime Cyber Baseline?
Insurance is a key driver for the introduction of the Maritime Cyber Baseline scheme. Brokers and underwriters typically attempt to gauge the effectiveness of a potential policyholder’s onboard cybersecurity controls through a series of questionnaires, often without a clear method of marking and grading responses. In some instances, they also demand that technical tests are performed to demonstrate levels of protection, and these are different across insurance products as there are no baseline tests. Through the Maritime Cyber Baseline scheme, insurance brokers can measure cyber protection against a common baseline without incurring costs at the pre-quotation stage. This should also allow the market to stabilise, ultimately resulting in reduced premiums.
Who is going to perform the audits, and how do I know they are qualified?
To mitigate against the risks of unqualified consultants and businesses providing cyber security advice to the maritime sector, there is a strict program to certify both an organisation and also a consultant to be approved to run the audits and produce certifications.
A company wishing to become a certification body for the Maritime Cyber Baseline must demonstrate they have a formal company-wide accreditation such as ISO 27001 or IASME Governance, whilst individual consultants must work for an approved certification body and also demonstrate experience and professional qualification in the following 3 areas:
- Cyber Security Professional
- Maritime Experience
- Operational Technology (OT)
Who are IASME, and how are they qualified to run the scheme?
In order for the Maritime Cyber Baseline to run effectively, there is a need for a single entity to administer and operate the scheme.
IASME is an organisation that has a history of operating large-scale certification schemes and is committed to helping businesses improve their cyber security, risk management and governance through an effective and accessible range of certifications.
IASME currently operates the most widely deployed optional cyber certification globally – Cyber Essentials – on behalf of the UK NCSC. In addition, IASME offers IASME Governance, which is an alternative and easier route to achieve business-wide cyber assurance than ISO 27001, plus a number of schemes across other sectors, including the Civil Aviation Authority Assure Scheme, Counter Fraud Fundamentals Scheme and the Internet of Things Security Assured scheme.