SMS Cyber Security Quick Check
COMPLETED
Response ID : VCCCs0zE
Start time : Mar 03, 2022 11:52:32
Completion time : Mar 03, 2022 12:28:34
Time taken : 36 mins
Collector : Cyber Security Awareness - Crew (template)
Score : 20.02/29 (69.03%)
Page 1 : Introduction
The below checklist is based on the ISM Code and the MSC/FAL.1/Circ.3 and it aims to
create awareness on the cyber security topics; Shipmanagers need to address these
issues within the Safety Management System (SMS) until the first DOC audit 2021. The
checklist covers the most relevant topics of the ISM Code in regard to cyber security.
Therefore, it is helpful to have good knowledge of the ISM Code before starting to
answer the questions.
Q1. What is the main role of your organization that you belong to? (Please, tick off
the one that fits the best)
Owner
Q3. Does your Company handle cyber security in relation to the ISM objective of
providing for safe practices in ship operation and a safe working environment?
[ISM 1.2.2.1] (Score: 1/1)
Yes, e.g. through measures in the SMS
Q4. Does your Company ensure compliance with regulations on cyber security?
[ISM 1.2.3.1] (Score: 1/1)
Yes
Q5. Is your Company handling cyber security in relation to the objective of
assessing all identified risks to ships, personnel and the environment and
establishing appropriate safeguards? [ISM 1.2.2.2] (Score: 1/1)
Yes
Q6. Which type of systems are included in the risk management covering cyber
risks? [MSC-FAL.1/Circ.3] (Score: 1/1)
IT systems (e.g. communication, crew and passenger welfare systems)
OT (Operational Technology, e.g. control systems responsible for power
management, navigation, automation)
Q7. Which type of threats and failures have been accounted for in the risk
management covering cyber risks? [MSC-FAL.1/Circ.3 & ISM 10.3] (Score: 0.33/1)
Unintentional threats (e.g. human mistake, software bug)
Q8. Does your SMS provide for specific measures aimed at promoting the
confidentiality, integrity and availability of equipment and technical systems where
threats and failures may result in hazardous situations? [ISM 10.3 & Best practice] (Score: 0/1)
None of the above
Q9. Are these measures ensuring regular testing of stand-by arrangements and
equipment or technical systems that are not in continuous use? [ISM 10.3] (Score: 1/1)
Yes
Q10. Which measures have been implemented to safeguard ships from current
and emerging threats (e.g. malware) and vulnerabilities (e.g. lack of patching)
related to digitization, integration and automation of processes and systems in
shipping? [ISM 1.2, MSC-FAL.1/Circ.3 & Best practice] (Score: 1/1)
Q11. Has a Defence-In-Depth Concept for enhancing the cyber risk resilience
been implemented? [MSC-FAL.1/Circ.3] (Score: 0/1)
No
Q12. What is the basis for updating the cyber risk assessment? [ISM 12] (Score: 0.5/1)
In case of new threat intelligence
In case of identified deficiency or incident
As a result of internal management systems process (internal audit,
management review or Master’s review)
Q13. Is your Company handling cyber security in relation to the objective to
continuously improve safety management skills of personnel ashore and aboard
ships? [ISM 1.2.2.3] (Score: 1/1)
Yes
Q14. Does this include preparing for emergencies related both to safety and
environmental protection? [ISM 1.2.2.3] (Score: 1/1)
Yes
Q15. Which type of measures have been implemented? [Best practice] (Score: 0.29/1)
Training or familiarization
Lessons learned analysis and communication
Q16. Is your Company taking into account applicable codes, guidelines and
standards recommended by IMO, Administrations, classification societies and
maritime industry organizations regarding cyber security? [ISM 1.2.3.2] (Score: 1/1)
Yes, e.g. integrated in the overall systematic for compliance with IMO and flag
state demands
Q17. Does your Company have policies in place in the SMS to manage cyber
security issues? [ISM 2.1] (Score: 1/1)
Q18. Does your Company ensure that the cyber security policy is implemented
and maintained at all levels of the organization both ship based as well as shore
based? [ISM 2.2] (Score: 0.5/1)
Yes, through auditing
No
Q19. Has your Company defined and documented the responsibility, authority and
interrelation of all personnel who manage, perform and verify work relating to
cyber security? [ISM 3.2] (Score: 0/1)
No
Q20. Does your Company ensure that adequate resources and shore-based
support are provided to enable the designated person(s) to carry out their
functions, including handling of cyber security? [ISM 3.3] (Score: 1/1)
Q21. Has your Company ensured that there is a link between the company and
those on board regarding cyber security matters? [ISM 4] (Score: 1/1)
Yes, e.g. through clearly defined reporting lines and monitoring activities by the
DPA
Q22. How has your Company defined and documented the Master’s responsibility
with regards to cyber security? [ISM 5.1] (Score: 0.6/1)
Implementing cyber security measures in the Safety Management System
Motivating the crew in the observation of the measures
Periodically reviewing the SMS and reporting its deficiencies to the shore based
management
Q23. Has your Company, in the SMS, established that the Master has the
overriding authority and the responsibility to make decisions with respect to safety
and pollution prevention, including on cyber security, and to request the
Company's assistance as may be necessary? [ISM 5.2] (Score: 1/1)
Q24. Which measures are in place to continuously improve safety management
skills of personnel ashore and aboard ships, including preparing for emergencies,
due to breaches of cyber security? [ISM 6] (Score: 0.4/1)
Q25. Has cyber security been included in procedures, plans and instructions and
checklists as appropriate, for key shipboard operations concerning the safety of
the personnel, ship and protection of the environment? [ISM 7] (Score: 1/1)
Yes, the need has been identified with the help of the cyber risk assessment
Q26. Have various tasks, regarding cyber security in shipboard operations, been
defined and assigned to qualified personnel? [ISM 7] (Score: 1/1)
Yes, the SMS clearly states who have been assigned to execute these tasks
Q27. How is your Company ensuring that cyber security events which may lead to
emergency shipboard situations are identified and procedures to respond to them
established? [ISM 8] (Score: 0.33/1)
Other measures supporting 24/7 effective response
Q28. How is it ensured that non-conformities, accidents and hazardous situations,
also related to cyber security, are reported to the Company? [ISM 9.1] (Score: 0.67/1)
Cyber incident reporting procedure
Defined responsibilities and tasks related to who is reporting cyber incident
Q29. How does your Company ensure that non-conformities, accidents and
hazardous situations, also related to cyber security, are investigated and analysed
to improve safety and pollution prevention? [ISM 9.1] (Score: 0/1)
None of the above
Q30. Which procedures and activities are implemented to ensure identification and
execution of corrective action, including measures intended to prevent recurrence
of cyber related incidents and non-conformities? [ISM 9.2, 10.2, 12] (Score: 0.4/1)
Master’s review and master’s reviews with cyber security on the agenda
Management review
Q31. Has your Company established, and maintains, procedures to control all
documents and data which are relevant to the SMS, including on cyber
security? [ISM 11] (Score: 1/1)