Revisions: | ||
Date: | Author: | Description: |
| First Version Published |
Definitions
In this Agreement (including the background recitals), unless expressly stated otherwise:
"Agreement" | means the agreement between IASME and the CB under which the CB provides services in relation to the Scheme; |
"Approval", "Approve", "Approved" | means ’s or IASME’s express prior written approval or consent that may, at ’s or IASME’s sole and absolute discretion, be withheld or delayed; |
"Assessor" | an individual who will assess the compliance of an Organisation's Maritime Cyber systems with the Scheme Technical Standard; |
"Assessor Criteria" | shall have the meaning given in PR1.3 Schedule 2 (Certification Services Requirements); |
"Auditor General" | has the meaning given in the National Audit Act 1983; |
"Branding Guidelines" | means the branding guidelines applicable (as the case may be) to use of: (a) the Scheme Logo (as set out in Part A of Schedule 7); (b) CB Badges and Assessor Badges (as set out in Part B of Schedule 7); (c) the Scheme Certification Mark (as set out in Part C of Schedule 7); (d) the Maritime Cyber Baseline Audited Certification Mark (as set out in Part D of Schedule 7); and (e) the IASME Consortium Logo (as set out in Part E of Schedule 7), in each case as may be updated by or IASME from time to time; |
"Certificate" | the certificate (in the form specified by IASME/) issued by a Scheme Supplier to an Organisation whose Product has successfully been assessed against the Scheme Technical Standard; |
"Certification Mark" | means the Scheme Certification Mark and the Maritime Cyber Baseline Audited Certification Mark; |
"Certification Process" | means the process by which an Organisation is assessed against the Scheme Technical Standard and, if successful, is awarded a Certificate; |
"Certification Services" | means the certification services provided by a Certifying Body (CB) in connection with the Scheme which must as a minimum include the Certification Services Requirements set out in Schedule 2; |
"Certifying Body" | means a Scheme Supplier which has been appointed by IASME to provide Certification Services; |
"Certifying Body Criteria" | means the criteria set out in Schedule 9. |
"Change" | means any amendment or variation of this Agreement (including to the Scheme Services or Scheme) effected in accordance with the Change Control Procedure; |
"Change Control Procedure" | means the procedure referred to in Clause 27 (Change Control Procedure); |
"Change of Control" | means, on or after the Effective Date: (a) any person acquiring Control of the CB; or (b) any person having Control of the CB ceasing to have such Control |
"Claim" | means any claim, demand, action, cost, expense (including legal cost and disbursement), loss, damage and liability of whatsoever nature; |
"Confidential Information" | means all information relating to either Party or its operations or business, disclosed in confidence by or on behalf of one Party, or generated from such information by the receiving Party (whether before or after the Effective Date), either in writing, orally, or in any other form, directly or indirectly from or pursuant to discussions with the other Party or which is obtained through observations made by the receiving Party, including commercial, policy, technical, scientific, operational, personnel, personal, property and other information, and including ideas, concepts, schemes, information, knowledge, techniques, generic business methodologies (and anything else in the nature of know-how relating to the Scheme Services, Scheme or otherwise to this Agreement), and all analyses, compilations, studies and other documents, whether prepared by or on behalf of either Party that contain or otherwise reflect or are derived from such information (and any copy of such information), whether or not marked or designated as "confidential", which ought reasonably to be considered as confidential, except any information that: (a) at the time of disclosure, is already public knowledge, or subsequently becomes public knowledge, other than by way of any breach of this Agreement; (b) prior to disclosure, was not subject to any confidentiality obligation of any sort; (c) is properly disclosed under any legal requirement to a designated regulatory or other body; or (d) prior to disclosure, was already known (by some other means) by the recipient; |
"Control" | the possession by a person, directly or indirectly, of the power to direct or cause the direction of the management and policies of the other person (whether through the ownership of voting shares, by contract or otherwise) and “Controls” and “Controlled” shall be interpreted accordingly; |
"Controller" | has (as the case may be and as the context allows) the meaning given in Data Protection Law, as applicable to and (if applicable) IASME and to their individual circumstances; |
"Data Loss Event" | any event that results, or may result, in unauthorised access to Personal Data held by the CB under this Agreement, and/or actual or potential loss and/or destruction of Personal Data in breach of this Agreement, including any Personal Data Breach; |
"Data Protection Law" | means (as the case may be and the context allows): (a) the UK GDPR and any applicable national implementing Laws as amended from time to time; (b) the DPA 2018 to the extent that it relates to processing of Personal Data and privacy; and/or (c) all applicable law about the processing of Personal Data and privacy; |
"Data Subject" | has the meaning given in the DPA 2018; |
"Default" | means any breach of the obligations of the relevant party (including abandonment of this Agreement in breach of its terms, repudiatory breach or breach of a fundamental term) or any other default, act, omission, negligence or statement: (a) in the case of IASME, of its employees, servants, agents; or (b) in the case of the Supplier of its Sub-contractors or any Staff, in connection with or in relation to the subject-matter of this Agreement and in respect of which such Party is liable to the other; |
"Default Event" | shall have the meaning given in Clause 16.2 (Termination); |
"Digital by Default" | means the use of secure online services to deliver a personalized user experience including process automation, information collection, storage and analytics; |
"DPA 2018" | the Data Protection Act 2018; |
"Dispute" | any dispute, difference or question of interpretation arising out of or in connection with this Agreement, including any dispute, difference or question of interpretation relating to the Certification Services, failure to agree in accordance with the Change Control Procedure or any matter where this Agreement directs the parties to resolve an issue by reference to the Dispute Resolution Procedure; |
"Dispute Resolution Procedure" | means the procedure, set out at Clause 25 (Dispute Resolution Procedure), by which the Parties shall seek to settle any Dispute; |
"Effective Date" | means the date of this Agreement; |
"EIRs" | the Environmental Information Regulations 2004, together with any guidance and/or codes of practice issued by the Information Commissioner or any Central Government Body in relation to such Regulations; |
"Expiry Date" | means the last day of the Initial Term or any Extension Period, when this Agreement shall cease to have effect; |
"Force Majeure Event" | means an event beyond the reasonable control of a Party, including acts of God, civil commotion, war, fire, flood, pandemic or political interference; |
"UK GDPR" | the General Data Protection Regulation (Regulation (EU) 2016/679) as retained and applied in England and Wales from time to time; |
"Good Industry Practice" | means the use of standards, practices, methods and procedures conforming to Law, and the exercise of that degree of skill, care, diligence, prudence and foresight that would reasonably and ordinarily be expected from a skilled and experienced person engaged in England and Wales in the provision of services of the same type as the Certification Services in the same or similar circumstance; |
"IASME Logo" | means the logo identified in Part E of Schedule 7; |
"ICT" | means any electronic equipment used for processing, storing or transmitting information, including hardware, software, and electronic communications networks and equipment; |
"Maritime Cyber Baseline Audited" | means the second level of certification under the Scheme. It involves a number of tests being carried out on an Organisation by a Scheme Supplier who will award certification on satisfactory completion of these tests; |
"Maritime Cyber Baseline Audited Certification Mark" | means the certification mark set out in Part D Schedule 7 (Trade Marks and Certification Marks); |
"Maritime Cyber Baseline Audited Test Specification" | means the test specification to be used for testing an Organisation's systems against the Scheme Technical Standard; |
"Individual Recipients" | shall have the meaning set out in Clause 35.1.3 (Limited access); |
"Insolvency Event" | means the occurrence of any of the following events (or any event analogous to any of the following in a jurisdiction other than England and Wales) in relation to the relevant entity: (a) the entity passing a resolution for its winding up or a court of competent jurisdiction making an order for the entity to be wound up or dissolved or the entity being otherwise dissolved or a petition being presented for the winding up of the entity save for a frivolous or vexatious petition which is discharged within 10 days; (b) the appointment of an administrator of, or the making of an administration order in relation to, the entity or the appointment of a receiver or administrative receiver of, or an encumbrancer taking possession of or selling, the whole or part of the entity's undertaking, assets, rights or revenue or any steps being taken by any person for or with a view to the appointment of an administrator in relation to the entity; (c) the entity entering into an arrangement, compromise or composition in satisfaction of its debts with its creditors or any class of them or takes steps with a view to the same or to obtain a moratorium or makes an application to a court of competent jurisdiction for protection from its creditors; (d) the entity being unable to pay its debts or being capable of being deemed unable to pay its debts within the meaning of section 123 of the Insolvency Act 1986 without the need to prove any matter to the court's satisfaction; or (e) the entity proposing or entering into any arrangement, compromise or composition in satisfaction of its debts with its creditors; (f) however, a resolution by the relevant entity or a court order that such entity be wound up for the purpose of a bona fide reconstruction or amalgamation shall not amount to an Insolvency Event; (g) where the CB is an individual, any order for bankruptcy against the CB. |
"IPR" | means any right, title or interest in: (a) patents, trademarks, service marks, certification marks, unregistered trade marks, trade names, goodwill, registered designs, design rights, copyrights and other forms of intellectual or industrial property (in each case, in any part of the world), whether or not registered or registrable for their full period of registration with all extensions, renewals and revivals, and including all applications for registration or otherwise; (b) inventions, formulae, confidential information (including know-how and secret processes); (c) computer software; and (d) any similar or equivalent rights and assets that may now or in the future subsist anywhere in the world; |
"Law" | means any Act of Parliament or subordinate legislation within the meaning of section 21(1) of the Interpretation Act 1978 and any enforceable, applied or retained European Union legislation; |
"Malicious Software" | means any software program or code intended to destroy, interfere with, corrupt, or cause undesired effects on or to program files, data or other information, executable code or application software macros, whether or not its operation is immediate or delayed, and whether introduced wilfully, negligently or without knowledge of its existence; |
"Management Information" | means the information to be provided by IASME in the Scheme Management Report; |
"Month" | means a calendar month; |
"Organisation" | means a recipient of Certification Services; |
"Parties" | means IASME and the CB; |
"Permitted Activities" | means the Permitted Activities set out in Schedule 7 (Trade Marks and Certification Marks); |
"Personal Data" | has the meaning given in Data Protection Law; |
"Personal Data Breach" | has the meaning given in Data Protection Law; |
"Processor" | has the meaning given in the Data Protection Law; |
"Prohibited Act" | means any of the acts referred to in Clauses 43.1.1 to 43.1.3 inclusive; |
"Product" | means a Maritime device; |
"Protective Measures" | appropriate technical and organisational measures which may include: pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the measures adopted by it; |
"Quality Plan" | has the meaning given in Clause 24.1 (Quality Plans); |
"Quarter" | means a period of three consecutive Months beginning on 1 January, 1 April, 1 July or 1 October; |
"Rectification" | means as set out at Clause 16.5 (Rectification); |
"Rectification Notice" | shall have the meaning set out in Clause 19.5 (Rectification); |
"Regulatory Bodies" | means a public organisation or government agency that is set up to exercise a regulatory function; |
"Request for Information" | has the meaning given in section 8 of the FOIA or a request made under Regulation 5 of the EIRs; |
"Scheme Party" | means IASME, any Scheme Supplier (CB) or any Organisation; |
"Security" | means all aspects of physical, logical, documentary, personnel and other security; |
"Scheme" | the certification scheme developed by with the Scheme Technical Standard. Under this scheme, organisations can apply for certification, which recognizes the achievement of standards of Maritime cyber hygiene and provides an assurance mechanism for companies of all sizes to demonstrate that their Maritime systems include the most important basic cyber security controls have been implemented in the Products; |
"Scheme Assurance Specification" | means the process set out in Schedule 13 for ensuring consistency when Scheme Suppliers are assessing Organisations against the Scheme Technical Standard; |
"Scheme Data" | means any data, diagrams, drawings, images, information, text, or sounds, back-up data, or other materials or items that are embodied in any medium (including all electronic, magnetic, optical, or tangible medium) which IASME and/or a CB is required to generate, process, store or transmit pursuant to this Agreement or in relation to the Scheme; |
"Scheme Certification Mark" | means the Scheme Certification Mark as set out in Part C of Schedule 7 (Trade Marks and Certification Marks) |
"Scheme Documentation" | means each or any of the following: (a) Scheme Questionnaire; (b) Scheme Assurance Specification; Scheme Technical Standard; Maritime Cyber Baseline Audited Test Specification; Scheme Test Specification; Scheme Certificate; and/or any documents recording or relating to management and delivery of the Scheme (including any guidance produced by IASME), (as may be varied by IASME); |
"Scheme Questionnaire" | means the questionnaire to be used to assess Organisations against the Scheme Technical Standard; |
"Scheme Levels" | means the two levels of the Scheme: Level 1 – Maritime Cyber Baseline; and Level 2 – Maritime Cyber Baseline Audited; and such other levels as IASME or shall specify. |
"Scheme IPR" | means: (a) IPR in the Scheme Documentation; (b) IPR in any management information provided by the CB to IASME and in any reports, materials and data relating to assessments made either by IASME or by the Supplier (including certificates issued); (c) the Scheme Logo and Badges and any IPR associated with the creation, development, and maintenance of the Scheme Logo; and (d) the Scheme Certification Mark and Maritime Cyber Baseline Audited Certification Mark and any IPR associated with the creation, development and maintenance of the Scheme Certification Mark and Maritime Cyber Baseline Audited Certification Mark, |
"Scheme Logo" | means the logo set out in Part A (Scheme Logo) of Schedule 7 (Trade Marks and Certification Marks); |
"Scheme Platform" | means the platform provided by Crossword Cyber Security or such other platform that IASME may specify for use in relation to the provision of the Certification Services; |
"Scheme Supplier" | means an organisation which is appointed by IASME to provide Certification Services in relation to the assurance of organisations against the Scheme Technical Standard; |
"Scheme Technical Standard" | means ETSI EN 303 645 and associated ETSI documentation |
"Scheme Test Specification" | Scheme Test Specification in Schedule 16 |
"Security Requirements" | means the security requirements set out in this Agreement, including those set out in Clause 13 (Security), Schedule 4 (Security Requirements) and any requirements specifically identified as such in Schedule 2 (Certification Services); |
"Service Commencement Date" | 8th February 2021 |
"Service Standards" | means the service standards set out in Schedule 2; |
"Site" | means any building, location or other site used for providing or supporting the provision of the Certification Services, whether in live use or as a back-up site, and whether or not used exclusively in connection with the Certification Services, excluding any Premises; |
"Staff" | means any principal, employee, agent, supplier, or Sub-contractor of the CB, (and its principals, employees, agents, suppliers, and sub-contractors), employed or otherwise engaged directly in the provision of the Certification Services including without limitation (and where the context requires or permits) any Assessor engaged by the CB; |
"Sub-contractor" | any third party with whom the CB enters into a sub-contract in connection with the performance of all or any part of the Certification Services or the CB's other obligations under this Agreement; |
"Supplier Agreement" | This agreement between IASME and an entity appointed to provide Certification Services, |
"Technical Controls" | means the controls within the Scheme Technical Standard; |
"Termination Date" | means midnight on the date specified for that purpose in a termination notice given under this Agreement; |
"Third Party IPR Claim" | has the meaning given in Clause 11.1 (Claims); |
"VAT" | means value added tax as provided for in the Value Added Tax Act 1994 and any supplemental Law; |
"Working Day" | means a day (excluding Saturdays, Sundays and bank holidays in England and Wales) on which banks are open for normal business in London. |