[BOOK] Introduction to the Book “ISO 23806 Ship Cyber Safety Certification”
Ship Cybersecurity Practical Guide — ISO 23806 & IACS UR E26/E27 in Practice
IT & OT Security in the Maritime and Shipbuilding Manufacturing Industry
| Item | Detail |
|---|---|
| Subtitle | Practical Guide for IT & OT Security in the Maritime and Shipbuilding Manufacturing Industry |
| Publisher | Information Security Books |
| Published | October 2023 |
| Authors | 19 Subject Matter Experts |
| Pages | ~500 pages |
| Reviewed by | Korea Cyber Surveillance Association · ICCA · ISTI · ISRS |
This book, issued in October 2023 by Information Security Books, was written by 19 experts and reviewed by leading cybersecurity associations. Spanning nearly 500 pages, it covers the IMO policy framework (MSC.428(98), MSC-FAL.1/Circ.3, ISM Code), the IAPH cybersecurity guidelines, IACS UR E26/E27, shipboard cybersecurity guidelines, and the NIST Cybersecurity Framework. This review walks through the book's content under three core topics, chosen so that the material can be applied systematically in day-to-day ship cybersecurity operations.
- Overview of ISO 23806
- Characteristics and Applicability of International Standards — Comparison with IACS UR E26/E27
- Additional Standards Required for Practical IACS UR E26/E27 Certification
(1) Overview of ISO 23806
1. Official Name and Nature of ISO 23806
The standard was prepared by ISO/TC 8 (Ships and marine technology); its official title is "Ships and marine technology — Cyber safety." The first edition was published in November 2022.
ISO states the purpose of the standard as follows:
- To provide requirements and recommendations for identifying and assessing cyber hazards and risks that affect the safety of the ship and the protection of the environment, and, within the company's ISM Code safety management system (SMS), to establish, implement, maintain, and continuously improve a cyber risk assessment system
- To go beyond a purely technical specification and integrate a cyber safety management system into the company's operational procedures
2. Content Structure Used to Explain ISO 23806
- 01 Scope
- 02 Normative references
- 03 Terms and definitions
- 04 Context of the organization
- 05 Management responsibility
- 06 Cyber risk exposure & assessment
- 07 Documented information
- 08 Implementation of protective measures
3. Scope of Cybersecurity Covered by ISO 23806
- OT systems installed on ships
- Cyber risks arising from OT–IT integration
- Interfaces among ship owners, operators, and shipyards
- Supply chain and third-party access
- Existing policies, procedures, and protective measures
4. International Standards and Regulatory Frameworks Related to ISO 23806
- IMO regulations (MSC.428, ISPS Code, etc.)
- ISMS family standards such as ISO/IEC 27001
- IACS UR E26/E27 — directly linked to maritime OT security requirements
- NIST Cybersecurity Framework 2.0 — explained in connection with ISO 23806's risk management approach
5. Key Functional Characteristics of ISO 23806
- ✓ Embeds cyber risk management within the SMS of ships and shipping companies (integrated risk management)
- ✓ Provides procedures for cyber risk identification, assessment, documentation, and implementation of protective measures
- ✓ Clarifies management responsibilities and organizational roles and responsibilities
- ✓ Requires continuous improvement of the risk assessment process
- ✓ Requires control of documented information (records and documentation control)
6. Scope of Application of ISO 23806
(2) Characteristics and Applicability of International Standards — Comparison with IACS UR E26/E27
This book classifies and describes key global standards related to ship cybersecurity, and summarizes how each relates to IACS UR E26/E27 and ISO 23806.
| Category | ISO 23806 | Relationship with IACS UR E26/E27 |
|---|---|---|
| Purpose | Provides a cyber safety certification framework covering ship design, construction, and operation | Accepts and expands the technical and operational control requirements defined by IACS (UR E26/E27) within an international standard framework |
| Scope | Includes shipyards, equipment suppliers, ship owners, and classification societies | IACS provides classification-society-centered technical standards; ISO 23806 integrates and formalizes them |
| Characteristics | A meta-standard connecting IMO MSC-FAL.1/Circ.3, IEC 62443, ISO/IEC 27001, and UR E26/E27 | Implements Cyber Safety Requirements of UR E26/E27 as certification procedures within the ISO framework |
IMO = "policy framework" · UR E26/E27 = "technical requirements" · ISO 23806 = "certification mechanism"
| Category | Overview of IMO Documents | Rel. with IACS UR E26/E27 | Rel. with ISO 23806 |
|---|---|---|---|
| MSC.428(98) | Specifies cyber risk management obligations within ship SMS | Basis for UR E26/E27 | ISO 23806 operationalizes MSC.428 requirements into certification processes |
| MSC-FAL.1/Circ.3 Rev.3 | Cyber risk management guidelines for ship operations, ship owners, and shipyards | Reference document for operational procedure design of UR E26/E27 | Included as operational certification items |
| ISM Code | Reflects cyber safety requirements within SMS | UR E26/E27 provides technical and operational response mechanisms for ISM | ISO 23806 presents an ISM-based certification process model |
IEC 62443 = technical reference for UR E26/E27 · ISO 23806 integrates IEC 62443 as an applicable evaluation criterion
| IEC Standard | Role | Relationship with UR E26/E27 | Position within ISO 23806 |
|---|---|---|---|
| IEC 62443-1 to -3 series | Layered security requirements for ICS/OT (zones, conduits, security levels, etc.) | Core basis for UR E26 §4.2 Security Zones & Boundaries | Used for evaluating security levels (SL) of technical control elements in the ISO 23806 Annex |
| 62443-4-1/4-2 | Product and system security development requirements | Technical basis for UR E27 equipment certification (Type Approval) | Mapped to product certification evaluation framework |
ISO 23806 connects the management framework of ISO 27001 with the technical requirements of UR E26/E27 into a single certification system
| ISO Standard | Role | Relationship with UR E26/E27 | Position within ISO 23806 |
|---|---|---|---|
| ISO/IEC 27001 | ISMS requirements | Basis for UR E26 "Cyber Risk Management" and operational policies | Directly referenced in the ISO 23806 "Management responsibility" clause |
| ISO/IEC 27005 | Risk assessment methodology | Basis for UR E26 "Threat & Risk Assessment" procedures | ISO 23806 adopts the 27005 risk methodology in evaluation and certification procedures |
BIMCO and TMSA provide cybersecurity guidelines at the operational process level for ship operators
| Category | Content | Relationship with UR E26/E27 | Position within ISO 23806 |
|---|---|---|---|
| BIMCO "Guidelines on Cyber Security Onboard Ships" | Focus on ship operations and crew response | Reference for strengthening operational procedures of UR E26 | Reflected in ISO 23806 Annex C (Operational Controls) |
| OCIMF TMSA 3 Element 13 | Operational security management elements for shipping companies | Not directly linked to UR E26 but connected as operational management evaluation criteria | Combined with ship owner evaluation criteria |
(3) Additional Standards Required for Practical IACS UR E26/E27 Certification
ISO 23806 is one of the most comprehensive international standards addressing ship cyber safety, but it does not cover every standard that matters in practice. The gaps the book identifies fall into four groups: classification-society-specific rules, communication standards, regional regulations, and the latest OT threat frameworks.
- Classification-society rules
  - DNV Cyber Secure Rules (Basic / Advanced / Essential)
  - ABS CyberSafety™
  - LR Cybersecure
- Communication standards
  - Connection standards for navigation equipment, essential for the security assessment of actual equipment such as ECDIS and AIS
- Regional regulations
  - Strong mandatory regulations for European shipping companies, ports, and ship equipment supply chains, with increasing influence on shipbuilding and maritime projects
  - Regulations affecting vessels entering and departing North American ports and international shipping operations
- OT threat frameworks
  - MITRE ATT&CK for ICS
  - NCCoE SP 1800 series
Maritime cybersecurity researcher and book reviewer specializing in ship OT/IT security, international compliance (IACS UR E26/E27, IMO, IEC 62443), and cyber risk management frameworks. Contributing to the Maritime 4.0 Crew's mission of sharing practical, standards-based knowledge for safer ships.