All intellectual property rights and copyrights are reserved
The Supreme Council for National Security
National Emergency Crisis and Disasters Management Authority
Approved by National Media Council, Abu Dhabi, UAE (2015/30184)
His Highness Sheikh
Khalifa Bin Zayed Al Nahyan
President of the United Arab Emirates
Chairman of the Supreme Council for National Security
His Highness Sheikh
Mohammed Bin Rashid Al Maktoum
Vice President and Prime Minister of the UAE and Ruler of Dubai
Vice Chairman of the Supreme Council for National Security
His Highness Sheikh
Mohammed Bin Zayed Al Nahyan
Crown Prince of Abu Dhabi
Deputy Supreme Commander of the UAE Armed Forces
Member of the Higher National Security Council
Business Continuity Management Standard
Specifications
AE/SCNS/NCEMA 7000:2015
United Arab Emirates
The Supreme Council for National Security
National Emergency Crisis and Disasters
Management Authority (NCEMA)
NCEMA provides a Business Continuity Management Standard to build an
organization’s capability to continue functioning and delivering its prioritized
activities when its operations are disrupted due to emergencies or crises.
The standard consists of three major parts, provided in separate publications
and available on the NCEMA website.
Specifications
Includes the specifications, and sets out all key parts and elements of the
program.
Guidelines
Interprets clearly “how” the elements mentioned in “Specifications” work.
The sections in “Guidelines” reflect their counterparts in the “Standard”,
bearing the same numbering system. For example, paragraph 8.2 in
“Standard” corresponds to paragraph A-8.2 in “Guidelines”, etc.
Toolkit
Includes BCM framework templates.
Use Key
This standard does not contradict any other document issued by
the National Emergency Crisis and Disaster Management Authority
(NCEMA). In case of any contradiction, please refer to the documents
concerned and follow them. This document, the “Specifications”, is only
to manage business continuity.
Preface
The development and issuance of the first version of this standard took
roughly eighteen months. The project was initiated in early September 2009.
A respectable number of bodies, companies, global experience houses
together with numerous global specialists took part in producing this
Standard, under the leadership and supervision of the National Emergency
Crisis and Disaster Management Authority (NCEMA) that is operating under
the umbrella of the Supreme Council for National Security.
Due to the development in the Business Continuity Management field, the
second version of the standard was developed by a professional team from
NCEMA, with participation from experts, professional bodies and strategic
partners.
Bodies participating in the specialized review of the Standard:
Business Continuity Institute (BCI)
DNV-GL
Lloyds Register
Bodies participating in technical review:
Office of the Supreme Deputy Commander of the UAE Armed Forces
Office of the Chief of Staff of the Armed Forces
General Secretariat of the Executive Council – Abu Dhabi
Abu Dhabi Accountability Authority
Abu Dhabi Information Center
Ministry of Interior
Ministry of Foreign Affairs
Security State Department
Federal Electricity & Water Authority
Federal Authority for Nuclear Regulation
Supreme Petroleum Council
National Media Council
Ministry of Health
Federal Transport Authority - Land & Marine
Ministry of Labor
Ministry of Energy
Ministry of Economy
General Civil Aviation Authority
Securities and Commodities Authority
Telecommunications Regulatory Authority
Chamber of Commerce and Industry
Central Bank of the U.A.E.
General Information Authority
Federal Customs Authority
Table of Contents
Use Key
Preface
Foreword by H.H. The National Security Advisor
Introduction
Definitions
1. General:
1.1. Purpose of the Standard
1.2. Responsibilities
1.3. Controls set by Legislative Bodies
1.4. Plans and Procedures
2. Applicability
3. Responsibility Level
4. Scope
4.1. Scope of the Standard
4.2. Organization’s Scope of Business Continuity Capability
5. Business Continuity Management Program establishment
5.1. Understanding the organization
5.2. Top Management Commitment
6. Business Continuity Capability
7. BCM Program Documentation and Records
7.1. Required Documents
7.2. Controlling BCM Documentation and Records
8. Business Continuity Management Program Operations
8.1. Business Impact Analysis
8.2. Risk Assessment
8.3. Business Continuity Strategy
8.4. Incident Response plan
8.5. Business Continuity Plan
8.6. Media Response Plan
8.7. Awareness and Training
8.8. Tests and Exercises
9. Business Continuity Program Review
9.1. Annual BCM Review
9.2. Review of Suppliers and Service Providers
9.3. Compliance and Internal Audit
10. Management Review
10.1. Management Review of BCM Program
10.2. Documentation of the management review
10.3. Points of inputs during management review
10.4. Management Review outcome
11. BCM Program Continual Improvement
11.1. Non Conformities
11.2. Corrections
Right of use
Contact NCEMA
Foreword by H.H. The National Security Advisor
As our wise leadership endeavors to ensure the welfare and stability of our
great nation at all times, we spare no effort to empower all UAE entities, in all
vital sectors, to perform their services and duties towards the society. This
should not be restricted to normal conditions but should extend to include
the capability to deal with sudden incidents by developing well-rounded and
pre-coordinated plans. In doing so, such entities would be able to continue
performing their role and duties towards the community, when a disaster
occurs.
This document is produced to serve as a guidance standard to help all entities
in the field of business continuity management. Our experts and specialists
revised the global best practices in business continuity and we deemed it
necessary to produce this standard to be used as a reference to help all public
and private entities reach the required level of performance and achieve the
flexibility and capability of addressing sudden incidents as well as continuity
of business during emergencies and crises.
Today, business continuity management is being unquestionably recognized
as an increasingly important element in the emergency and crisis
management process. Building this capability requires support and
encouragement by top management to ensure additional resources are put
into use, which would help the organization continue performing its critical
and essential functions during an emergency until full recovery.
In this context, we call upon everyone to cooperate and comply with this
standard, so as to ensure that the minimum technical, training, and
administrative requirements are satisfied, providing reassurance and stability
for the community at all times.
May God’s blessings alight upon our endeavors to protect our country and
people under the umbrella of our wise leadership.
Hazza Bin Zayed Al Nahyan
Introduction
Under the guidance and direction of the wise leadership and the UAE federal
government which continuously strives to maintain and enhance the stability
of the country, with the ongoing follow up of the Supreme Council for
National Security, the National Emergency Crisis and Disaster Management
Authority (NCEMA) drafted the first version of the Business Continuity
Management Standard in 2012. This version is an enhancement to align this
standard with the international best practices and guidelines. This UAE BCM
Standard is unique in the sense that it provides guidelines and sample
templates. This Standard is one of the most comprehensive documents in its
domain.
This BCM Standard, Guidelines and Toolkit have been developed to help
entities systematically build their business continuity capability before, during
and after an emergency, disaster or crisis. All these initiatives are aimed at
ensuring ongoing performance of prioritized functions and services in both
the public and private sectors, for the purpose of enhancing the UAE’s
national stability.
Government entities and their private-sector partners should effectively handle
emergencies and crises in a well-coordinated manner in order to fully recover
from such a situation. Service delivery should be maintained at the minimum
required level and should not be disrupted when an emergency occurs until
recovery is completed.
Business Continuity Management (BCM) refers to building the organization’s
capability to continue performing essential functions and services (at a
minimum) in and after an emergency, crisis or disaster that could have
resulted in a business disruption.
The first BCM standard was drafted in 2006 in the UK after having endured
large-scale crises and disasters. Researchers thus found themselves
compelled to find mechanisms and methods to develop BCM standards.
Should the entities comply with such standards, they will continue delivering
critical/essential functions and services, recover from the disruption, and
return to normal operations. The United Arab Emirates is a leading nation in this
field since there is no BCM standard in Arabic in any country in the region.
The business continuity management objectives of the UAE government or
local governments of each emirate and the entities under their jurisdiction in
both public and private sectors are as follows:
• Maintain continuity of prioritized activities in both public and
private sectors.
• Secure supply chain required for business continuity.
• Set up effective business continuity plan for delivering prioritized
activities, when an emergency occurs, in a planned and
controlled manner.
• Develop proactive business continuity at all federal and local
entities in the UAE, and the entities under their jurisdiction in
both public and private sectors.
The following BCM references and documents have been used:
• International Standard 22301:2012(E) Societal Security - Business
Continuity Management Systems – Requirements.
• British Standard 25999-1: 2007 Business Continuity Management
– Part 1: Specifications.
• US Standard NFPA 1600:2010, Disaster/Emergency Management
and Business Continuity Programs.
• Australian/New Zealand Standard, AS/NZS 5050:2010, Managing
Disruption-Related Risk.
• ISO 31000: 2009, Risk Management – Principles and Guidelines.
• Singapore Standard SS540:2008 (BCM): Business Continuity
Management.
Then, the information was tailored to match the nature of UAE government
business. It provides the basic requirements and specifications used by
internal and external parties to help entities continue performing their
prioritized activities and services, comply with their organizational and
contractual commitments and to protect the interests of beneficiary
organizations after an emergency, crisis or disaster that hinders the
organization from properly performing its functions or services. BCM
requirements set out in this standard can be applied to different-sized
organizations, in both public and private sectors.
The term “shall” as used in this standard expresses mandatory
requirements.
The term “should” as used in this standard expresses guidance, which
is not mandatory.
Definitions
Term: Definition
Activity: A process, service, procedure, product, task, or combination of them that
are managed by the organization.
Audit: An organized, autonomous and documented form of activity of an
organization conducted by an independent body in order to comply with the
BCM Standard.
Awareness: Development of understanding of primary Business Continuity
Management risks and issues. Awareness enables the workforce to identify threats
and respond promptly and appropriately. Awareness is created among
employees in the organization and it is less formalized as compared to training.
Business Continuity (BC): The ability of the organization to continue its prioritized
activities at predetermined levels after the occurrence of a disruptive incident.
Business Continuity Management (BCM): A comprehensive management process,
which highlights possible threats and the impact of such threats on business
operations of the organization. The identification of threats assists to develop
organizational resilience toward these threats, and an effective and suitable
response that will protect the stakeholders’ interest, brand name and reputation.
Business Continuity Management Program (BCM Program): It is a component of the
overall organizational management system, which establishes, implements,
operates, reviews, monitors, maintains and improves business continuity capability.
Business Continuity Plan: Set of procedures in a documented form, which direct the
organization to react, recover, restore and restart the predetermined level of
operations after the interruption.
Business Continuity Policy: It is the major document that identifies the governance
and scope of the business continuity plan along with BCM objectives and highlights
the cause of its implementation.
Business Continuity Strategy: The method of an organization to plan in order to
recover and continue after a disruptive event.
Business Impact Analysis (BIA): It is the process for analyzing business activities
and the impacts of disruptive incidents that may happen over time.
Competence: Capacity to apply skills, resources and knowledge to accomplish
desired goals.
Maximum Acceptable Outage (MAO): Time it would take for adverse impacts, which
might arise as a result of not providing a product/service or performing an
activity, to become unacceptable.
Nonconformities: Mandatory requirements in the BCM standard not fulfilled.
BCM Objectives: The targets or goals that an organization wants to achieve
throughout the BCM program.
Prioritized Activities: Activities that are critical and must be given priority when
recovering from a disruptive incident in order to reduce the impacts.
Process: It is a set of interdependent actions that convert inputs into finished
products.
Resources: Resources include information, skills, people, technology, assets and
premises, which are obtained and used by an organization to achieve its
organizational goals and objectives.
Recovery: Retrieval or recapturing of normal or prior state.
Recovery Strategies: A strategy that is used by an organization to ensure its
regaining or continuing after an incident.
Risk Appetite: The extent to which an organization can afford and bear the risks
and neutralize these risks to eliminate the threats.
Recovery Time Objective (RTO): Time span after the occurrence of an incident in
which an activity or product should be restarted or resources and assets should
be regained.
Risk Assessment: The process in which risks are identified, analyzed and evaluated.
Risk: The impacts of uncertainties on organizational goals.
SMART Objectives: Specific, Measurable, Achievable, Relevant and Timed objectives.
Stand Down: An official declaration, which communicates that the emergency
situation is controlled and no further invocation of plans is required.
Top Management: Group of individuals sitting at the top of the organization who
play the role of guiding and controlling the organization.
Test: This is an activity or action that is undertaken to gauge the capabilities or
effectiveness of a strategy or plan against a predetermined criteria or benchmark.
Training: This activity is more formalized as compared to awareness. It purports to
build skills and knowledge to increase the performance of staff regarding a
specific function.
Figure 1: BCM Action Model (Business Continuity Management Action Model).
Phases shown: BCM Program Establishment, BCM Program Operations, BCM Program Review.
Elements shown: Understanding the Organization; Top Management Commitment;
Business Impact Analysis; Risk Assessment; Business Continuity Strategy;
Plans Development; Incident Response Plan; Business Continuity Plan;
Media Response Plan; Awareness and Training; Tests and Exercises;
Annual Review and Internal Audit; Management Review; Continual Improvement.
1. General:
1.1. Purpose of the Standard
This standard identifies the components, mechanisms and activities
used to establish, implement, and continually improve business
continuity management for entities in both public and private sectors.
1.2. Responsibilities
The United Arab Emirates consists of multiple sectors and authority levels,
on both Federal and Local Levels, Government and Private Sectors. In
order to achieve an effective BCM implementation, the hierarchy below is
recommended:
Figure 2: BCM Implementation Responsibilities (BCM Standard Implementation, AE/SCNS/NCEMA 7000:2015).
Local Level: Crown Prince Court; General Secretariat of Executive Council;
Local Emergency Management Team; Assigned by Authority.
Federal Level: UAE Cabinet; Ministerial Council for Services; Assigned by Authority.
Entities shown: Local Entity, Federal Entity, Private Sector.
1.3. Controls set by Legislative Bodies
Legislative and licensing bodies may establish further specifications in
addition to those defined in this standard to ensure community safety
and security and continuity of functions and activities required to
promote national security. Where additional specifications are
established, the organization shall comply with such specifications.
However, in case of discrepancy between the specifications contained
in this standard and the additional ones, such organization shall have
recourse to the issuing authority of this standard for settlement.
1.4. Plans and Procedures
Based on the nature, size and complexity of operations, top
management in any organization shall approve the details and level of
the plans to be maintained, whether to have individual business
continuity plan, crisis & incident management plans and emergency
response plans. For ease of planning, implementation and maintenance,
organizations may combine two or more of these plans.
2. Applicability
The requirements and specifications set forth in this standard are general and
applicable to all UAE entities, and related bodies such as companies and
service providers to perform the functions of principal government
institutions and community services. All organizations must endeavor to
continue providing the basic minimum products and services to continue
prioritized activities of the organization.
3. Responsibility Level
The organization’s Top Management is responsible for the preparation and
implementation of the BCM program. Top management might delegate
responsibilities in this process to other levels of the organization. This
standard, along with the related guidelines, offers requirements needed for
implementing the BCM program. The top management shall, over a period of
time, ensure that the requirements and provisions of this Standard are
managed by personnel with knowledge and experience in the business continuity
management function.
All members of the organization shall comply with the requirements of this
standard and shall report any non-conformities, using the appropriate
channels.
4. Scope
4.1. Scope of the Standard
This Standard is applicable to all types and sizes of organizations
that wish to continue their prioritized activities when facing a disruption
in operations.
4.1.1. The organization shall establish, implement, sustain,
maintain, and continually improve business continuity
management capability in accordance with the
requirements of this standard.
4.2. Organization’s Scope of Business Continuity Capability
4.2.1. The organization shall define the deliverables, outputs,
activities, services and functions that fall within the scope
of its business continuity capability.
4.2.2. The organization’s scope for business continuity shall
include all activities required to maintain its prioritized
activities. The prioritized activities are the basic minimum
products and services of the organization to continue
critical operations.
The organization shall identify all applicable legislative, regulatory,
international, local and contractual requirements; and interests of
stakeholders and primary partners (collectively also known as the interested
parties). The organization shall also identify any internal issues, which might
influence its business continuity capabilities.
5. Business Continuity Management Program establishment
Business Continuity Management Program shall be developed in accordance
with the requirements in this Standard; this shall include commitment of top
management in its implementation and on-going maintenance, testing and
exercising, reviewing, developing and continual improvement.
5.1. Understanding the organization
The organization shall understand its context in relation with:
5.1.1. Identify all processes, relationship, partnerships and supply
chains with interested parties.
5.1.2. The overall risk which the organization is willing to
undertake.
5.1.3. External and internal issues that may affect the outcome of
implementing business continuity management program.
5.1.4. Identify the needs and expectations of the addressed
interested parties and their legal and regulatory
requirements.
5.2. Top Management Commitment
5.2.1. Top management shall demonstrate commitment with
respect to the BCM Program.
5.2.2. Top Management shall ensure that the organization’s BCM
objectives are identified. The BCM Objectives shall:
a. Be aligned with the organizational strategic
objectives.
b. Determine Minimum Business Continuity
Objective (MBCO).
c. Be SMART and be set as a performance indicator in
the BCM program.
5.2.3. Business continuity policy shall be approved by the top
management. The policy shall include BCM objectives and
risk appetite, and be published internally and to interested
parties (if applicable).
5.2.4. The top management shall identify and provide the
resources required to implement and maintain its BCM
program and ensure the allocation of resources required to
achieve continuity of its prioritized activities.
5.2.5. The top management shall provide competent personnel
required to implement and maintain the organization’s BCM
program.
5.2.6. Top management shall assign roles and responsibilities for
the following:
• Business Continuity Manager.
• Incident Response Manager.
• Business Continuity Team.
• Internal sectors/departments representatives
(or depending on the organization’s structure).
• Relevant interested parties (if applicable).
Roles and responsibilities shall be communicated within the
organization.
5.2.7. Top Management shall approve the governance framework
of how the BCM program will be managed, and the reporting
structure for the purpose of its effective implementation,
maintenance and continual improvement. The governance
framework shall be in line with the organizational structure.
6. Business Continuity Capability
Each UAE organization shall assume the responsibility of defining and
documenting its “fit-for-purpose” business continuity capability that ensures
performance of prioritized activities and services during emergencies, crises
and disasters.
7. BCM Program Documentation and Records
7.1. Required Documents
7.1.1. The organization shall establish, implement and maintain
record of BCM program capability implementation
procedures.
7.1.2. Organization’s BCM documents shall contain at least the
following (the list is not exhaustive):
a. Understanding the organization.
b. Objectives and Policy of BCM.
c. Roles and Responsibilities.
d. External and internal issues and interested parties.
e. Competency of personnel.
f. Business Impact Analysis.
1. Business Impact Analysis Methodology.
2. Business Impact Analysis Report.
g. Risk Assessment.
1. Risk Assessment Methodology.
2. Risk Assessment Report.
h. Business Continuity Strategy.
i. Incident Response plan.
j. Business Continuity Plan.
k. Media Response Plan.
l. Awareness and Training record.
m. Test and Exercises record.
n. Internal Audit record.
o. Management Review record.
p. Corrective actions.
q. Regulatory requirements.
7.2. Controlling BCM Documentation and Records
7.2.1. Controls shall be developed to ensure BCM documents:
a. Are easily understandable, identifiable and accessible
especially in times of emergency, crisis or disaster.
b. Provide the identification needed to store, protect
and easily retrieve them.
c. Are approved for compliance with the standard prior
to issue.
d. Are reviewed, updated, and re-approved if need be, in
addition to documenting all updates.
e. Up to date copies are available where needed; for
instance, alternative sites and other points of use.
f. Identify documents received from external sources.
g. Subject to controlled and monitored distribution and
change control.
8. Business Continuity Management Program Operations
8.1. Business Impact Analysis
The organization shall establish, implement and maintain a
methodology for identifying the business impact of disruptions of
prioritized activities. BIA lays the foundation for the organization’s BCM
program by quantifying and qualifying the impact of disruption over
time on the delivery of products and services.
The organization shall identify and document the impact of business
disruption by:
a. Identifying its prioritized functions, activities and
services.
b. Identifying impact categories that are fit to the nature of
the organization.
c. Identifying disruption impacts on the organization
based on predefined impact categories.
d. Identifying Recovery Time Objective (RTO) of each
activity disruption.
e. Identifying Maximum Acceptable Outage (MAO).
f. Identifying actions required to support prioritized
functions, activities and services.
g. Identifying activities deemed paramount to the
continuity of prioritized activities.
h. Prioritizing activities and services according to their
recoverability priority, as per the BIA.
i. Identifying internal and external bodies, which an
organization relies on for continual performance of
main/essential activities and services, including support
by suppliers and service providers.
j. Verifying the capability of vendors, suppliers and service
providers to support and maintain minimum service
levels for prioritized activities during disruptive
incidents.
k. Identifying the indispensable resources for each activity,
function or service to ensure business continuity.
8.2. Risk Assessment
The organization shall establish, implement and maintain a
methodology for risk assessment to identify, analyze and evaluate the
risks which may disrupt continuity of activities. The risk assessment
parameters shall be preapproved by the top management. The risk
assessment process should be carried out in a structured manner as per
pre-defined procedure. The same shall be reviewed at regular intervals,
and whenever any significant change occurs in business-as-usual conditions.
The organization shall:
a. Identify and approve risk parameters.
b. Identify the risks that can disrupt the performance of
prioritized activities.
c. Analyze the risks against predefined evaluation criteria.
d. Evaluate the impact of the addressed risk.
e. Take into account interdependencies related to the
performance of prioritized activities.
8.3. Business Continuity Strategy
The organization shall develop BCM strategies as approved by the top
management, to be able to continue performing its prioritized activities
and services following a business disruption, due to such risks which
could not be removed or mitigated to acceptable levels. The selected
strategy should also consider establishing stability, resumption and
recovery of prioritized activities. The organization should also analyze
the BCM capability of suppliers to service the minimum requirement to
continue prioritized activities.
8.3.1. The organization shall implement strategies to achieve
defined RTOs for the prioritized activities.
8.3.2. The organization shall allocate resources required to
achieve RTOs as below:
• People (competence).
• Buildings and facilities.
• Information and communication infrastructure.
• Budget allocation.
• Suppliers and service providers.
8.3.3. The organization shall treat risks taking into consideration
organizational risk appetite.
8.3.4. The organization shall protect its supply chain dependency
by having in place appropriate agreements covering the aspect
of “service levels” during business as usual and crisis or
emergencies.
8.4. Incident Response plan
The organization shall establish, implement and maintain an incident
response plan and its procedures to respond to occurring events that
may cause a disruption for the organization’s activities. Incident response
plan shall ensure life safety of personnel as a priority, along with the
assets of the organization to restrict and reduce loss or damage.
Incident response plan shall include:
a. Incident response structure.
b. Assigned roles and responsibilities.
c. Incident detecting and warning procedures.
d. Activation criteria.
e. Escalation process.
f. Recovery procedures.
g. Communication to the interested parties.
The organization shall put in place a response structure that will
monitor incidents on a regular basis, enable early detection of any
incident causing disruption, its impact, criterion for invoking business
continuity response along with clarity on roles and responsibilities of
personnel. The initiation of business continuity procedures should
trigger action as per the plan.
8.5. Business Continuity Plan
The organization shall develop a Business Continuity plan in support of its
strategies, as follows:
8.5.1. Shall establish, implement and maintain plans detailing its
business disruption to maintain continuity of its prioritized
activities at the predetermined performance levels following
a business disruption. The organization shall ensure that
risks identified are addressed to continue the prioritized
activities.
8.5.2. Each plan shall:
• Have a defined purpose and scope.
• Be communicated to all personnel that need to be
aware of it, and to personnel with specific roles and
responsibilities for review and update.
• Be consistent with the BCM strategy and incident
response plan, capabilities and requirements of
interested parties.
• Be accessible to and understood by interested parties
upon implementation.
8.5.3. All plans shall contain:
a. Key obligations and reference information.
b. Defined roles and responsibilities of personnel and
teams during and following an incident.
c. Identification of people who have the authority to
invoke each plan under any given circumstances.
d. Criteria for invoking the plan and the method whereby
the plan is invoked.
e. Details of primary and alternative locations as applicable.
f. Contact and other details including service level
agreement for the key suppliers, vendors and service
providers.
g. Impact of disruption on prioritized activities over
pre-determined timeframes.
h. List of procedures and actions that need to be performed.
i. List of the resources required for recovery.
j. Prioritized objectives in terms of prioritized activities to
be recovered, recovery timescale and recovery levels
needed for each main activity.
k. Recovery procedures to be followed to return to normal
post emergency, and after minimum business continuity
objectives have been met.
l. "Stand down procedure" once incident is over and
organization personnel need to return to their normal
duties.
Organization shall have a communication plan governing:
• Identified lines of communications.
• Details of who is authorized to communicate.
• What to communicate.
• With whom to communicate.
• How and when to communicate.
Communication procedures shall cover all interested parties,
including:
• Internal.
• External.
• Relevant interested parties.
8.6. Media Response Plan
The organization shall establish, implement and maintain a Media
Response Plan that has clear-cut communication procedures to enable
personnel and mass media to communicate to get better acquainted
with the incidents that impacted the organization’s business continuity.
The organization shall have the capability of:
• Assigning a spokesperson.
• Receiving, acknowledging and responding to any queries
related to the organization.
• Integrating its communication procedures/systems with
national/regional/global communication systems.
• Issuing early warnings (to the extent possible) to its
interested parties.
The organization’s communication capabilities shall be tested as part
of the regular testing and exercising of the BCM program. The organization
should ensure that details of the person authorized to address media are
known to all employees.
On an ongoing basis the organization shall maintain:
• Media Contact list, including its update frequency.
• Media Templates.
• Legal procedures prior to media statement.
8.7. Awareness and Training
The organization shall establish, implement and maintain a training and
awareness program that effectively supports the BCM objectives by
developing required competence.
8.7.1. Staff Awareness
The organization shall ensure BCM integration into its
day-to-day activities, through an ongoing awareness plan
which shall be documented.
The Staff Awareness Program shall:
a. Include BCM policy and objectives;
b. Establish a methodology for evaluating its
effectiveness;
c. Spread BC capability and awareness;
d. Ensure continual improvement of BCM program; and
e. Ensure personnel are aware of their roles and
responsibilities in BCM program.
8.7.2. Spread BCM awareness among interested parties.
Interested parties shall be aware of their roles and
responsibilities during disruptive incidents, to achieve BCM
requirement within agreed timelines maintaining the
approved agreements.
8.7.3. Training
The organization shall develop a training program to ensure
that the training provided for personnel and teams matches
their roles and responsibilities in the BCM program.
8.8. Tests and Exercises
The organization shall conduct tests and exercises at regular intervals to
ensure the plans remain fit-for-purpose and effective, and shall
establish, implement and maintain a ‘Test and Exercise Plan’.
8.8.1. Tests
Tests shall be conducted to assess readiness, usability and
adequacy of the tools, technology, facilities, and
infrastructure required to implement the organization’s
BCM plans. Post-Test reports shall be developed, reviewed
and corrective action taken, when necessary.
8.8.2. Exercises
Exercises shall be conducted to ensure BCM effectiveness
and meet its objectives. The exercises shall:
a. Define the aims and objectives of each exercise.
b. Develop an exercise plan detailing scope, scenarios.
c. Not impact business operations adversely.
d. Assess if the objectives of the exercise have been
achieved.
e. Document the results of the exercise including
opportunities for continual improvement.
f. Prepare post-exercise report.
9. Business Continuity Program Review
9.1. Annual BCM Review
In order to continually improve its BCM capability, the organization shall
annually review its:
a. Policy and objectives.
b. BCMS framework and documentation.
c. Exercise reports.
d. Audit Reports.
e. Changes to the business and risks that can result in
business disruption.
f. Review risk appetite.
g. Review business continuity strategy.
h. Approving response, incident response, business
continuity plan(s) tailored to achieve the organization’s
BCM objectives.
9.1.1. Organizations shall evaluate changes since previous review
and update after:
a. Consideration of all options.
b. Assess the impact of proposed changes.
c. Accept the changes and update Plans post approval by
Management.
9.1.2. Post any incident or crisis, there shall be a log maintained
reflecting a post-incident review and key lessons learned.
Details of log showing activation of emergency, crisis or
disaster management plan or business continuity plan, and
shall be approved by top management.
9.1.3. Annual BCM Evaluation Report
The organization shall produce an annual report on the
BCM program status.
9.2. Review of Suppliers and Service Providers
The organization should:
a. Ensure its suppliers and service providers are
sufficiently capable to meet the identified BIA
requirements and agreements.
b. Assess supplier capability through joint tests and
exercises with the organization, or through
organization review of the extent of supplier’s
compliance with this Standard.
c. Request a supplier or provider to submit their report
of BCP test wherein the focus would be the ability of
the supplier to fulfill business requirement of
continuing clients’ prioritized activities during emergency
or crisis.
9.3. Compliance and Internal Audit
The organization shall establish, implement and maintain an internal
audit program.
9.3.1. Annual Internal Audit
The organization shall conduct a complete annual internal
audit of its BCM. This audit shall cover all requirements of
this Standard.
9.3.2. Internal Audit Program
The Internal Audit Program should address all aspects of the
organization’s BCM capability building program.
9.3.3. Internal Audit procedures
The organization shall develop procedures to implement
its Internal Audit Program which:
a. Identifies the responsibilities, competencies and
requirements for planning and conducting audits,
reporting results and maintaining related records; and
b. Identifies audit criteria: scope, frequency and methods.
9.3.4. Internal Audit Report
The results of the organization’s Internal Audit shall be
documented in an Audit Report which shall:
a. Contain audit results and recommendations for
improvement.
b. Non-conformities.
c. Communicated with relevant personnel.
d. Be submitted to top management for approval.
10. Management Review
10.1. Management Review of BCM Program
Management shall periodically or when significant changes occur,
review the organization’s BC capability to ensure it remains
fit-for-purpose and continues to meet BCM objectives. The
Management Review shall be carried out annually.
10.2. Documentation of the management review
The results of the management review shall be clearly documented and
records shall be maintained.
10.3. Points of input during management review
The organization shall ensure that the following points are addressed in
the management review:
a. Results of BCM audits, post emergency, crisis or disaster
reviews, and exercise results.
b. Level of remaining and acceptable risks.
c. Inadequately managed risks, including those identified
in the organization’s previous risk assessment.
d. Internal or external changes likely to affect the
organization’s BCM capability.
e. Results of tests and exercises.
f. Accomplishments of awareness and training programs;
g. BCM status of key suppliers and service providers, if
applicable.
h. Follow-up procedures based on previous management
reviews.
i. Proposed recommendations for development of the
organization’s BC capability.
10.4. Management Review outcome
Management review shall include the following decisions and
recommendations to address:
a. Deficiencies in the organization’s BCM capability.
b. Enhance the effectiveness of organization’s BC
capability.
c. Change in the organization’s:
• Strategies and procedures to respond to internal
or external incidents likely to impact its BC
capability.
• Need for resources required for BCM.
11. BCM Program Continual Improvement
The organization shall ensure BCM objectives are met through periodic
review, including internal audit, and continual improvement of its plans,
performance and documentation.
11.1. Non-Conformities
The organization shall address its BC capability’s non-conformities with
this Standard, through corrective actions. Non-conformities shall be
aligned with the Business Continuity Policy and objectives.
11.2. Corrective Actions
The organization shall take required action to eliminate the causes of
non-conformity and prevent their recurrence. The procedures shall
explain and document corrective actions, defining points and causes of
non-conformity and recording all actions taken.
All training and consulting service providers shall seek NCEMA’s approval prior
to use of this standard.
For additional information and guidance, please contact NCEMA, Safety and
Prevention Department, Business Continuity Section at:
Tel : +971 2 4177000
E-mail : bcm@ncema.gov.ae
Website : www.ncema.ae
NCEMAUAE
Right of use
Contact NCEMA