SMS Cyber Security Quick Check

Show All

COMPLETED

Response ID : VCCCs0zE
Start time : Mar 03, 2022 11:52:32
Completion time : Mar 03, 2022 12:28:34
Time taken : 36 mins
Collector : Cyber Security Awareness - Crew (template)
Score : 20.02/29 (69.03%)

Page 1 : Introduction

The below checklist is based on the ISM Code and the MSC/FAL.1/Circ.3 and it aims to
create awareness on the cyber security topics; Shipmanagers need to address these
issues within the Safety Management System (SMS) until the first DOC audit 2021. The
checklist covers the most relevant topics of the ISM Code in regard to cyber security.
Therefore, it is helpful to have good knowledge of the ISM Code before starting to
answer the questions.

Page 2 : Please introduce yourself

Q1. What is the main role of your organization that you belong to? (Please, tick off
the one that fits the best)
Owner

Q2. What is your role in your organization?

Operations responsible
 SMS Cyber Security Quick Check

Q3. Does your Company handle cyber security in relation to the ISM objective of 1/1
providing for safe practices in ship operation and a safe working environment?
[ISM 1.2.2.1]
Yes, e.g. through measures in the SMS

Q4. Does your Company ensure compliance with regulations on cyber security? 1/1
[ISM 1.2.3.1]
Yes

Q5. Is your Company handling cyber security in relation to the objective of 1/1
assessing all identified risks to ships, personnel and the environment and
establish appropriate safeguards? [ISM 1.2.2.2]
Yes

Q6. Which type of systems are included in the risk management covering cyber 1/1
risks? [MSC-FAL.1/Circ.3]
IT systems (e.g. communication, crew and passenger welfare systems)
OT (Operational Technology, e.g. control systems responsible for power
management, navigation, automation)

Q7. Which type of threats and failures have been accounted for in the risk 0.33/1
management covering cyber risks? [MSC-FAL.1/Circ.3 & ISM 10.3]
Unintentional threats (e.g. human mistake, software bug)

Q8. Does your SMS provide for specific measures aimed at promoting the 0/1
confidentiality, integrity and availability of equipment and technical systems where
threats and failures may result in hazardous situations? [ISM 10.3 & Best practice]
None of the above

Q9. Are these measures ensuring regular testing of stand-by arrangements and 1/1
equipment or technical systems that are not in continuous use? [ISM 10.3]
Yes

Q10. Which measures have been implemented to safeguard ships from current 1/1
and emerging threats (e.g. malware) and vulnerabilities (e.g. lack of patching)
related to digitization, integration and automation of processes and systems in
shipping? [ISM 1.2, MSC-FAL.1/Circ.3 & Best practice]
 SMS Cyber Security Quick Check

Human safeguards, e.g. training of crew and office staff

Organisational safeguards, e.g. cyber security related policy and procedures
Technical safeguards (e.g. firewalls, anti-malware software, IDS)

Q11. Has a Defence-In-Depth Concept for enhancing the cyber risk resilience 0/1
been implemented? [MSC-FAL.1/Circ.3]

No

Q12. What is the basis for updating the cyber risk assessment? [ISM 12] 0.5/1
In case of new threat intelligence
In case of identified deficiency or incident
As a result of internal management systems process (internal audit,
management review or Master’s review)

Q13. Is your Company handling cyber security in relation to the objective 1/1
continuously improve safety management skills of personnel ashore and aboard
ships? [ISM 1.2.2.3]

Yes

Q14. Does this include preparing for emergencies related both to safety and 1/1
environmental protection? [ISM 1.2.2.3]

Yes

Q15. Which type of measures have been implemented? [Best practice] 0.29/1
Training or familiarization
Lessons learned analysis and communication

Q16. Is your Company taking into account applicable codes, guidelines and 1/1
standards recommended by IMO, Administrations, classification societies and
maritime industry organizations regarding cyber security? [ISM 1.2.3.2]

Yes, e.g. integrated in the overall systematic for compliance with IMO and flag
state demands

Q17. Does your Company have policies in place in the SMS to manage cyber 1/1
security issues? [ISM 2.1]
 SMS Cyber Security Quick Check

Q18. Does your Company ensure that the cyber security policy is implemented 0.5/1
and maintained at all levels of the organization both ship based as well as shore
based? [ISM 2.2]
Yes, through auditing
No

Q19. Has your Company defined and documented the responsibility, authority and 0/1
interrelation of all personnel who manage, perform and verify work relating to
cyber security? [ISM 3.2]

No

Q20. Does your Company ensure that adequate resources and shore-based 1/1
support are provided to enable the designated person(s) to carry out their
functions, including handling of cyber security? [ISM 3.3]

Yes, e.g. definition of roles and responsibilities, related budget items

Q21. Has your Company ensured that there is a link between the company and 1/1
those on board regarding cyber security matters? [ISM 4]

Yes, e.g. through clearly defined reporting lines and monitoring activities by the
DPA

Q22. How has your Company defined and documented the Master’s responsibility 0.6/1
with regards to cyber security? [ISM 5.1]
Implementing cyber security measures in the Safety Management System
Motivating the crew in the observation of the measures
Periodically reviewing the SMS and reporting its deficiencies to the shore based
management

Q23. Has your Company, in the SMS, established that the Master has the 1/1
overriding authority and the responsibility to make decisions with respect to safety
and pollution prevention, including on cyber security, and to request the
Company's assistance as may be necessary? [ISM 5.2]

Yes, though a clear statement

Q24. Which measures are in place to continuously improve safety management 0.4/1
skills of personnel ashore and aboard ships, including preparing for emergencies,
due to breaches of cyber security? [ISM 6]
 SMS Cyber Security Quick Check

Procedures for identifying training needs, execution of training and distribution of

relevant information
Cyber drills

Q25. Has cyber security been included in procedures, plans and instructions and 1/1
checklists as appropriate, for key shipboard operations concerning the safety of
the personnel, ship and protection of the environment? [ISM 7]

Yes, the need has been identified with the help of the cyber risk assessment

Q26. Have various tasks, regarding cyber security in shipboard operations, been 1/1
defined and assigned to qualified personnel? [ISM 7]

Yes, the SMS clearly states who have been assigned to execute these tasks

Q27. How is your Company ensuring that cyber security events which may lead to 0.33/1
emergency shipboard situations are identified and procedures to respond to them
established? [ISM 8]
Other measures supporting 24/7 effective response

Q28. How is it ensured that non-conformities, accidents and hazardous situations, 0.67/1
also related to cyber security, are reported to the Company? [ISM 9.1]
Cyber incident reporting procedure
Defined responsibilities and tasks related to who is reporting cyber incident

Q29. How does your Company ensure that non-conformities, accidents and 0/1
hazardous situations, also related to cyber security, are investigated and analysed
to improve safety and pollution prevention? [ISM 9.1]
None of the above

Q30. Which procedures and activities are implemented to ensure identification and 0.4/1
execution of corrective action, including measures intended to prevent recurrence
of cyber related incidents and non-conformities? [ISM 9.2, 10.2, 12]
Master’s review and master’s reviews with cyber security on the agenda
Management review

Q31. Has your Company established, and maintains, procedures to control all 1/1
documents and data which are relevant to the SMS, including on cyber
security? [ISM 11]
 SMS Cyber Security Quick Check

Page 4 : Last step before the result

You have answered all our questions.

To now get the result and scores, please submit your answers via the button below.
If you want to check your answers again before submitting them, please first click
“Previous”.

If you have any questions or requests for support please contact us at

www.dnvgl.com/contact-cyber-security-team (https://www.dnvgl.com/contact-cyber-
security-team)