Do shipping companies have to introduce a stand-alone ISO management system for cyber protection?

No, an independent cyber management system (such as ISO 27000) is not absolutely necessary. Implementation within the shipping company's Safety Management System (SMS) is sufficient. However, depending on their type and size, shipping companies can decide to introduce a separate certification such as ISO 27000. The latter meets the IMO requirements for cyber risk management (IMO Resolution MSC.428(98)) if the certified system is integrated into the shipping company's safety management system.