E26 Deliverable Quality — The Low, Medium, and High Tiers
E26 Deliverable Quality: The Low, Medium, and High Tiers
The same E26 documents — so why do some projects build resilience while others leave behind only paperwork?
- LinkedIn : https://www.linkedin.com/in/abysstoinfinity/
Over the past few years, IACS UR E26 has become an essential requirement for newbuilding vessel projects. As a result, a great many E26 deliverables are being produced.
What's interesting is that most projects submit a similar list of documents. But when you actually open the deliverables, the difference in quality is far greater than expected. Some documents become powerful assets in the operational phase. Others are never opened again after class approval.
Why does this difference arise? The answer is surprisingly simple.
Higher-tier organizations produce documents.
The highest-tier organizations produce resilience.
The Real Purpose of E26
Many people think of E26 as a cybersecurity regulation. But the core of E26 is not the security function. The core is cyber resilience. That is:
A good deliverable, therefore, must not be a document that describes security equipment, but a document that explains how the vessel will survive.
The Low Tier
"As long as it passes class approval, that's enough."
This is the most commonly seen tier. The documents exist. All the requirements are checked off. But after reading the documents, you find yourself thinking: So how does the system actually work?
Take an Asset Inventory, for example.
| Asset Name | IP Address |
|---|---|
| ECDIS | 192.168.1.10 |
| Radar | 192.168.1.20 |
| IAS Server | 192.168.1.30 |
That's it. From this document alone, you cannot tell:
The document exists, but there is no information.
Characteristics
The problem
It can pass the review. But when an incident occurs, it provides no help at all. In other words, it is nothing more than an approval document.
The Medium Tier
"It can describe the current state."
This is the tier most organizations aim for. The documents and the actual system are largely consistent. The Asset Inventory includes not just a simple equipment list but also the following information:
The Network Diagram, too, reflects the actual configuration. The Risk Assessment also has at least a minimum of logic.
Characteristics
The problem
But there is a limit here too. Many documents explain "what exists" but cannot explain "what happens."
The High Tier
"It can describe resilience."
High-tier deliverables do not simply describe assets. They describe functions. And they even describe failure scenarios. Take an Asset Inventory, for example.
| Asset | Function | Essential Function | Recovery Priority |
|---|---|---|---|
| ECDIS-A | Navigation | Yes | High |
| ECDIS-B | Navigation Backup | Yes | High |
| Printer | Administration | No | Low |
At this point, it becomes not a simple equipment-management document but an operational decision-making document.
The Top Tier
"It supports operation, incident response, and recovery."
This is, in fact, the tier closest to the intent of E26. Deliverables at this tier do not simply describe the current state. They are used when an incident occurs. For example, they can immediately answer the following questions:
And the following information is already defined:
Documents at this tier are not review-response documents but are closer to an operation tool.
The Real Difference Shows in the Data Flow Diagram
This is one of the documents where the quality gap is largest in practice.
Why Class-Approval Documents and Operational Documents Differ
There is one of the most common misconceptions in practice.
Half right, half wrong. A class-approval document is written to prove conformity at a specific point in time. An operational document is used for actual decision-making when an incident occurs. The very purpose is different.
Take an Asset Inventory, for example. For a class-approval document, the following may be sufficient:
Manufacturer
IP address
Installation location
Recovery priority
Maintenance owner
Supplier contact chain
Backup location
Alternative operating procedures
In other words, class checks "what exists." The operating organization checks "what to do if a problem arises."
The same goes for the Network Diagram. A review-response diagram shows the connection structure. An operational diagram shows the impact. A high-tier organization can answer the following questions:
This is what a document from the operational perspective looks like.
The Most Dangerous Check-Box Culture in E26 Projects
The biggest cause of E26 project failure is not a lack of technology. It is check-box culture. Many projects proceed like this:
☑ Complete Risk Assessment
☑ Draft Network Diagram
☑ Draft Data Flow Diagram
☑ Draft Backup Policy
☑ Draft Remote Access Procedure
☑ Collect Vendor Requirements
☑ Obtain class approval
But the important questions are missing.
Looking at real incident cases, problems caused by the absence of documents are far outnumbered by problems caused by documents that existed but could not be used.
Every check-box was filled. But resilience does not exist.
What a Truly High-Quality Deliverable Is
A high-quality deliverable is not long in page count. Rather, it is a document that can answer the following questions:
From the E26 perspective in particular, a good deliverable must be able to explain the following four things:
The Deliverables That Will Be Required Going Forward
Recently, the USCG introduced a performance-based inspection regime. Regulators are increasingly beginning to look not at "do the documents exist?" but at "does it actually work?" Cybersecurity is moving in the same direction.
The questions of the future will be different.
Conclusion
The quality of E26 deliverables is not determined by the volume of documents. It is determined by whether they can explain resilience.
And maritime cybersecurity going forward will increasingly demand top-tier deliverables. Because what regulators and owners want to know is not "do the documents exist?" but "can this vessel survive even under a real attack or failure?"
The purpose of E26 is not certification. It is resilience.
And a good deliverable becomes the most powerful evidence of that resilience.
A maritime cybersecurity and compliance specialist across the ship design & build lifecycle, focused on cybersecurity architecture, governance, and regulatory conformity for the shipbuilding and offshore sectors.
🌐 More Articles ↗⚓ Join the ShipPaulJobs Community
Join →
Comments
Post a Comment