[CRSI] SCARP Under IACS UR E26: What Shipowners Must Prepare Before Delivery — and Why It's Not Just the Yard's Job
SCARP Under IACS UR E26: What Shipowners Must Prepare Before Delivery — and Why It's Not Just the Yard's Job
SCARP Is a UR E26 Required Deliverable — and the Shipowner Is the One Responsible for It
Whenever IACS UR E26 comes up on site, there's a reaction I hear all the time: "Isn't that just something the yard prepares during newbuilding to satisfy Class?" That's not entirely wrong — but it's only half the story. This post reframes UR E26 from a shipowner responsibility perspective, and explains why SCARP is the document that actually answers the owner's question.
"Who is responsible for this ship — and this fleet — for the next 20 years, and how?"
1. What Question Does IACS UR E26 Really Ask?
UR E26 is actually very straightforward. It asks only one thing:
"Does this ship have cyber resilience?"
That's why UR E26 requires the following six Deliverables:
| No | UR E26 Deliverable | Nature |
|---|---|---|
| 01 | Ship Asset Inventory | Technical document |
| 02 | Zones & Conduit Diagram | Network architecture |
| 03 | CSDD | Design description |
| 04 | Risk Assessment for Exclusion | Technical risk assessment |
| 05 | Compensating Countermeasures | Technical / operational mitigation |
| 06 | Cyber Resilience Test Procedure | Test & verification |
At this point, the character of UR E26 is obvious: it applies to one ship, documents are mainly produced by the yard and system vendors, and Class approval targets the ship and its systems. In short — UR E26 is a strictly ship-level requirement.
2. But the Owner's Question Is Different
From an owner's point of view, the real question is this:
"Not just this ship — how do I safely operate the entire fleet?"
UR E26 gives the technical foundation — but the document that actually answers the owner's fleet-level question is SCARP. And critically: SCARP is itself a UR E26 required deliverable that the shipowner must prepare before delivery.
3. SCARP Is a UR E26 Deliverable — and It's the Owner's
This is where confusion happens most often. SCARP (Ship Cybersecurity Asset & Risk Plan) is indeed a UR E26 required deliverable — but unlike the technical documents prepared by the yard and suppliers, SCARP is the deliverable that the shipowner must prepare before ship delivery.
While yards and suppliers produce technical documents (Asset Inventory, CSDD, Zones & Conduit Diagram, etc.), SCARP is the owner's obligation: a ship-wide cyber risk management plan that demonstrates how the owner will maintain cyber resilience throughout the vessel's operational lifecycle.
4. How UR E26 Technical Documents Support SCARP
SCARP doesn't stand alone — it must be built on the technical evidence produced by yards and suppliers under UR E26. The owner integrates these deliverables into SCARP to demonstrate ship-wide cyber risk management.
Yard & Supplier UR E26 Documents → technical evidence the owner integrates into SCARP (Owner's UR E26 Deliverable)
5. SCARP Must Be Ready Before Delivery — But It Governs the Entire Lifecycle
SCARP is required to be submitted and approved before ship delivery as part of UR E26 compliance. But its purpose extends far beyond newbuilding. Its true identity is a fleet-wide cyber operating model that remains active throughout the vessel's life.
That's why SCARP must provide fleet-wide standards, such as:
- Minimising cyber security gaps between ships
- Fleet standardisation
- Annual audit readiness
- Cyber monitoring criteria
- Incident response scenarios
- Management of Change (MOC) rules
6. SCARP Quality Depends on Integration, Not Paperwork
When SCARP fails in real projects, the reason is almost always the same:
There is no integrator.
SCARP must combine dozens of E27 vendor documents, network architecture, and operational procedures. Without integration, three conditions are unavoidable:
Without a clear owner-defined risk appetite and operating philosophy, SCARP becomes nothing more than a document bundle.
Without a CRSI: zones don't align, risk criteria conflict, and the same findings repeat at every audit.
Individual quality matters less than whether documents can fit together.
7. SCARP Is Ultimately About Cost
This isn't theory — it's operational reality.
- Lower incident response costs
- Reduced annual audit effort
- Faster and clearer MOC handling
- Lower maintenance and patching costs
- Document inconsistency
- Poor risk assessment
- Zone & conduit confusion
- Delayed Class approval
- Escalating operational costs
- The same findings every year
High-quality SCARP = cost reduction
Low-quality SCARP = cost explosion
Final Thoughts
If you only see UR E26 as paperwork, you're seeing half the picture. Seen through SCARP, UR E26 finally becomes what it should be: the technical foundation for owner-level responsibility.
Key Takeaways
Ship-level, newbuilding phase — documents produced by yard and suppliers for Class approval
Owner-prepared UR E26 deliverable: required before ship delivery, governs fleet-level cyber risk throughout operational lifecycle
Yard & supplier UR E26 technical documents are inputs to SCARP — evidence the owner integrates, not substitutes for it
Without Owner Policy + CRSI + integrable E27 docs, SCARP collapses into a document bundle with no operational value
Maritime professional focused on the intersection of vessel operations, classification society regulations, and OT/IT cybersecurity. Writing for engineers, consultants, and operators navigating Maritime 4.0 together.
🌐 More Articles ↗
Comments
Post a Comment