ISM Code

International Safety Management (ISM) Code

Status: In force — the safety management backbone of shipping: SMS, DOC and SMC certification, and since 2021, cyber risk management.

What Is It?

The ISM Code establishes the international standard for the safe management and operation of ships and for pollution prevention, made mandatory through SOLAS Chapter IX. Its central instrument is the Safety Management System (SMS): a documented framework of policies, procedures, and responsibilities through which the company ensures safe practices in ship operation, a safe working environment, assessed risks with appropriate safeguards, and continuous improvement of safety management skills ashore and aboard.

Compliance is evidenced by two certificates: the Document of Compliance (DOC), issued to the company after audit of its shore-side management system, and the Safety Management Certificate (SMC), issued to each ship after verification that the company and its shipboard management operate in accordance with the approved SMS. Both run on five-year cycles with annual (DOC) and intermediate (SMC) verification audits. The code requires a Designated Person Ashore (DPA) with direct access to the highest level of management, explicit documentation of the master's overriding authority, and structured processes for reports of non-conformities, accidents, and hazardous occurrences.

Since 1 January 2021, IMO Resolution MSC.428(98) requires cyber risks to be appropriately addressed in the SMS — making cyber risk management an auditable ISM element. In practice the ISM Code is the connective tissue of maritime compliance: MARPOL procedures, SOLAS drills, MLC working arrangements, and security measures all live inside the SMS, and an ISM audit finding can put the entire trading certificate chain at risk.

Who It Affects

The ISM Code applies to companies operating passenger ships and cargo ships of 500 GT and above on international voyages, including mobile offshore drilling units. The "company" — the entity that has assumed responsibility for operation from the shipowner, typically the technical manager — holds the DOC and carries the compliance obligation. Masters, DPAs, superintendents, and shipboard officers all have defined roles within the SMS, and charterers and insurers routinely audit ISM performance as a proxy for operational quality.

Key Dates

ISM Code mandatory for passenger ships, tankers, bulk carriers, and HSC of 500 GT and above (phase one)

ISM Code extended to all other cargo ships and MODUs of 500 GT and above (phase two)

Amendments strengthen requirements on company responsibility and SMS documentation

Cyber risk management must be addressed in the SMS per IMO Resolution MSC.428(98)

Requirements

  • Establish and maintain a documented Safety Management System covering all ISM Code elements
  • Hold a valid Document of Compliance (company) and Safety Management Certificate (each ship), with annual and intermediate verification audits
  • Appoint a Designated Person Ashore (DPA) with direct access to top management and responsibility for monitoring the SMS
  • Document the master's responsibility and overriding authority for safety and pollution prevention decisions
  • Operate structured reporting and analysis of non-conformities, accidents, and hazardous occurrences with corrective action tracking
  • Maintain shipboard operational procedures, emergency preparedness plans, and drill programs under the SMS
  • Conduct internal audits and periodic management reviews of the SMS, ashore and aboard
  • Address cyber risks within the SMS as required by MSC.428(98)

Penalties & Non-Compliance

An invalid or suspended SMC or DOC effectively removes a vessel's ability to trade: port state control treats major ISM non-conformities as detainable deficiencies, and flag states can withdraw certification where audits reveal systemic failure. Beyond regulatory sanctions, ISM documentation is central evidence in casualty litigation — an SMS that was not followed can establish owner privity, jeopardizing limitation of liability and P&I cover. Detentions coded to ISM also raise a company's risk profile across every regional MoU targeting system, increasing inspection frequency fleet-wide.

How CyberSmart Helps

These modules directly support your ISM Code compliance workflow.

Run your SMS as a living system

See how CyberSmart connects compliance rules, audits, inspections, and training into one auditable safety management workflow.
