Ae Scns Ncema 7001 2015 English

‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‪:‬‬
‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬
‫ﻗﺒﻮل�ا��ﺎﻃﺮ‬ ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
‫ا��ﺎﻃﺮ‬
‫ﺷ�ﻞ ‪ 3‬ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
‫‪ -1‬ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
‫‪BUSINESS CONTINUITY‬‬
‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ��ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬
‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‪ .‬و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬
‫‪MANAGEMENT‬‬
‫‪BUSINESS‬‬ ‫‪STANDARD‬‬
‫‪CONTINUITY‬‬
‫�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ‪:‬‬
‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر‬
‫‪MANAGEMENT‬‬
‫) ‪( GUIDELINES‬‬
‫‪STANDARD‬‬
‫• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن‪.‬‬
‫ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‪.‬‬ ‫•‬
‫) ‪( GUIDELINES‬‬
‫اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‪ ،‬واﳌﻴﺎﻩ‪ ،‬وﻏ��هﺎ(‪.‬‬ ‫•‬
‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت‪ ،‬ا��ﻮادم‪ ،‬وﻏ��هﺎ(‪.‬‬ ‫•‬
‫ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‪.‬‬ ‫•‬
‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى�ا��واﻟﺪو��‪.‬‬ ‫•‬
‫اﻟ��ﺰ�اﳌﺎ��‪.‬‬ ‫•‬
‫ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‪.‬‬ ‫•‬
‫أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‪.‬‬ ‫•‬
‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن‪ ،‬واﻟﻌﺎﻣﻠ�ن‪ ،‬واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬

‫اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ��‬
‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‪ ،‬واﻷﻧﻈﻤﺔ‪ ،‬واﳌﻌﻠﻮﻣﺎت‪ ،‬واﻟﻌﺎﻣﻠ�ن‪ ،‬واﻷﺻﻮل‪ ،‬واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‪ ،‬واﳌﻮارد‬
‫اﻷﺧﺮى�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‪.‬‬
‫‪AE/SCNS/NCEMA 7001:2015‬‬
‫‪1‬‬
‫‪39‬‬ ‫‪AE/SCNS/NCEMA 7001:2015‬‬
‫‪1‬‬
‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ‪:‬‬
‫ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن‪.‬‬ ‫•‬
‫اﻟ��ﺰ�اﳌﺎ��‪.‬‬ ‫•‬

‫‪All intellectual property‬‬
‫‪All intellectual‬‬
‫‪rights and copyrights‬‬
‫‪property rights‬‬
‫‪are reserved.‬‬
‫‪and copyrights are reserved.‬‬
‫‪The Supreme Council for National Security‬‬
‫‪National Emergency Crisis and Disasters Management Authority‬‬
‫)‪Approved by National Media Council, Abu Dhabi, UAE ( 2015/30184‬‬
‫‪39‬‬
‫اﻟ��ﺰ�اﳌﺎ��‪.‬‬ ‫•‬
‫‪His Highness Sheikh‬‬ ‫ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‪.‬‬ ‫•‬
‫‪Khalifa Bin Zayed Al Nahyan‬‬
‫‪President of the United Arab Emirates‬‬
‫‪Chairman of the Supreme Council for National Security‬‬
‫‪39‬‬ ‫‪3‬‬
‫اﻟ��ﺰ�اﳌﺎ��‪.‬‬ ‫•‬
‫‪Mohammed Bin Rashid Al Maktoum‬‬
‫‪Vice President and Prime Minister of the UAE and Ruler of Dubai‬‬
‫‪Vice Chairman of the Supreme Council for National Security‬‬
‫‪39‬‬ ‫‪5‬‬
‫اﻟ��ﺰ�اﳌﺎ��‪.‬‬ ‫•‬
‫‪Mohammed Bin Zayed Al Nahyan‬‬
‫‪Crown Prince of Abu Dhabi‬‬
‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ��‬ ‫اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ‬
‫‪Deputy Supreme Commander of the UAE Armed Forces‬‬
‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‪ ،‬واﳌﻮارد‬
‫‪Member‬‬‫واﻟﺸﺮ�ﺎء‬ ‫واﻷﺻﻮل‬
‫‪of ،the‬‬ ‫واﻟﻌﺎﻣﻠ�ن‪،‬‬
‫‪Higher‬‬ ‫واﳌﻌﻠﻮﻣﺎت‪،‬‬
‫‪National‬‬ ‫واﻷﻧﻈﻤﺔ‪،‬‬
‫‪Security‬‬ ‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‪،‬‬
‫‪Council‬‬
‫‪39‬‬ ‫‪7‬‬
‫اﻟ��ﺰ�اﳌﺎ��‪.‬‬ ‫•‬
‫‪His Highness Sheikh‬‬
‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‪Hazza Bin.‬‬
‫‪Zayed Al Nahyan‬‬ ‫أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء‬ ‫•‬
‫واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬ ‫واﻟﻌﺎﻣﻠ�ن‪،‬‬
‫‪National‬‬ ‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‪،‬‬
‫‪Security‬‬ ‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى‬
‫‪Advisor‬‬
‫‪39‬‬ ‫‪9‬‬
‫‪United Arab Emirates‬‬
‫)‪Management Authority (NCEMA‬‬
‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‪ .‬و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬
‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى�ا��واﻟﺪو��‪Guidelines .‬‬ ‫•‬
‫اﻟ��ﺰ�اﳌﺎ��‪AE/SCNS/NCEMA 7001:2015 .‬‬ ‫•‬

‫‪39‬‬ ‫‪11‬‬
Use Key Use Key
:‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
NCEMA Provides a Business Continuity Management Standard to build an

NCEMA Provides capability
organization’s a Business Continuity
to continue Management
functioning Standard
and delivering to build an
its prioritized
organization’s capability
activities when to continue
its operations functioning
are disrupted die toand deliveringorits
emergencies prioritized
crises. The
standard
activities consists
‫�ا��ﺎﻃﺮ‬
when ‫ﻗﺒﻮل‬ of three major
its operations parts provided
are disrupted in separate
‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬
die to publications
emergencies or crises.
‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬andThe
are available on ‫ا��ﺎﻃﺮ‬
standard ofNCEMA
consistsand are
three website.
available
major online. www.ncema.ae
parts provided in separate publications and are
available on NCEMA website.
Which the Business Continuity Management Standard – Specifications
Specifications
(AE/SCNS/NCEMA
Which 7000:2015).
the Business Continuity
‫ ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬3 ‫ﺷ�ﻞ‬
Management Standard – Specifications
program.
(AE/SCNS/NCEMA 7000:2015). ‫ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬-1
Guidelines Guidelines
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ ��‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬
(AE/SCNS/NCEMA
Guidelines
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ 7001:2015)
.‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ ‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
The purpose of this document, which interprets “how” the elements
(AE/SCNS/NCEMA 7001:2015) :‫ﺮ�اﻟﺘﺎﻟﻴﺔ‬The
‫�ﺣﺪوث�ا��ﺎﻃ‬ ‫�ﻣﺼﺎدر‬
mentioned in the “Specifications” work. sections in ‫“ر‬Guidelines”
‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎ‬
reflect
Thetheir
purpose of this document,
bearing the which
same interprets
numbering
counterparts in the “Specifications”, bearing the.‫�اﻟﻌﺎﻣﻠ�ن‬ “how”
system. the
For elements
example, mentioned
‫• ﻋﺪم�ﺗﻮﻓ‬paragraph 8.2 in
same‫ﺮ‬numbering
in system. “Standard”
the “Specifications”
For example, corresponds
work.
clause 4 inThe to paragraph
sections
“Specifications” A8.2- in “Guidelines”,
in corresponds
“Guidelines” reflectetc.
to clause their
.‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬
‫ا��ﺴﺎﺋﺮ‬ • A4-
counterparts in theetc.
in “Guidelines”, “Specifications”, bearing the same numbering system. For
Toolkit .(‫ وﻏ��هﺎ‬،‫ واﳌﻴﺎﻩ‬،‫• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‬
example,
Toolkitclause 4 in “Specifications” corresponds to clause A-4 in “Guidelines”,
etc.Includes BCM.(‫وﻏ��هﺎ‬ ،‫ ا��ﻮادم‬،‫• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت‬
Includes
framework BCMtemplates
framework templates
.‫• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬
.��‫• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى�ا��واﻟﺪو‬
Toolkit
This
This document standard
does doesn’t contradict
not contradict with any otherwith document
any other document
• by issued by
issued
.��‫اﻟ��ﺰ�اﳌﺎ‬
Includes BCM framework templates
the National Emergency Crisis and Disasters Management Authority
(NCEMA). In case of contradiction, please refer .‫�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬
to the ‫ﻋﺪم�ﺗﻮﻓﺮ‬ •
documents
concerned and follow them..‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬
This document is “Guidelines” and is only
‫أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء‬ •
to managedoes
This document business
not continuity.
contradict with any other document issued by the
National
‫�اﺳﺘﻤﺮار�ﺔ‬Emergency Crisis and
‫واﻷﻃﺮ‬Disasters
‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ‬ Management
،‫ واﻟﻌﺎﻣﻠ�ن‬،‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‬‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى‬
Authority (NCEMA). In case
of ��‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬
contradiction, please refer to the documents concerned and follow them. This
‫اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ‬
document is “Guidelines”
‫ واﳌﻮارد‬،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬ and،is
‫واﻟﺸﺮ�ﺎء‬ only ،‫واﻟﻌﺎﻣﻠ�ن‬
‫واﻷﺻﻮل‬ to manage business
،‫واﳌﻌﻠﻮﻣﺎت‬ ،‫واﻷﻧﻈﻤﺔ‬continuity.
،‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‬
.‫اﻷﺧﺮى�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬
1
39
12 01 1
01
The development
he development and issuance of and
theissuance of the
first version of first version of
this standard therough-
took Business Continuity
The development and issuance of the first version of the Business Continuity
Management Standard and Guidelines roughly eighteen months. The
Management
project ofwas
espectable number Standard
initiated
bodies, and Guidelines
in early
companies, roughly2009.
September
global experience eighteen months. The
A respectable
houses together projectofwas
number
initiated in specialists
early ‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬
with numerous bodies,
global
‫�ا��ﺎﻃﺮ‬ ‫ﻗﺒﻮل‬September
companies, 2009.
tookinternational
part A respectable
in producing experience number
houses
this‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬
Standard, of bodies,
under together companies,
with
‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
international
numerous experience
international houses together
specialists took with numerous
part in producinginternational specialists
the Standard,
under
took partthe leadershipthe
in producing andStandard,
supervision under of thethe National
leadership Emergency Crisis and
and supervision of the
Disasters
National Management
Emergency Authority
Crisis and Disasters (NCEMA)
Management that isAuthority
operating(NCEMA)under the that is
umbrella of the Supreme Council for National Security.
operating under the umbrella of the Supreme Council for National Security.
he second version of the standard was developed by a professional team
Due to the development in the Business Continuity Management field, the-1
Due to the development
second version of the in the BusinessContinuity
Business Continuity Management
Management field, the second
Standard –
trategic partners.
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ � �‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬‫ﺮ‬ ‫�اﺳﺘﻤ‬
‫ﺮ‬ ‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃ‬
version of the (AE/SCNS/NCEMA
Specifications Business Continuity Management
7000:2015) Standard
was officially – Specifications
released in 2015,
along with.‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬
(AE/SCNS/NCEMA the development
7000:2015) of was theofficially
second versionreleased of in
these
2015, Guidelines
along withby a the
professionalof team
development from version
the second NCEMAof:‫�اﻟﺘﺎﻟﻴﺔ‬
and
these ‫ﺮ‬participation
Guidelines
‫�ﺣﺪوث�ا��ﺎﻃ‬ from
‫�ﻣﺼﺎدر‬by experts and
a professional team
‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر‬
professional bodies and strategic partners.
from NCEMA and participation from experts and professional bodies
‫ﻋﺪم�ﺗﻮﻓﺮ‬and• strategic
.‫�اﻟﻌﺎﻣﻠ�ن‬
partners. .‫• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬
Bodies participating in the specialized .(‫وﻏ��هﺎ‬review
،‫ واﳌﻴﺎﻩ‬،‫)اﻟﻜهﺮ�ﺎء‬
of the‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ‬
Guidelines: ‫• اﳌﺮ‬
Bodies participating in،‫ا��ﻮادم‬
.(‫وﻏ��هﺎ‬ the specialized
،‫)ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت‬review of the Guidelines:
‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت‬ •
Abu Dhabi Investment Authority
Commander ofAbu theDhabi
UAE Armed Federal Transport Authority - ‫• ﻋﺪم�ﺗﻮﻓﺮ‬
.‫�اﳌﻌﻠﻮﻣﺎت‬
EmiratesInvestment
Nuclear EnergyAuthority
Corporation (ENEC)
Forces
Emirates
FinanceNuclear Energy–Corporation
Department Government (ENEC)
of Sharjah
.��‫�ا��واﻟﺪو‬ ‫• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى‬
Abu Dhabi Polymers Company (Borouge)
Armed ForcesFinance Department – Government Ministry of ofEnergy
Sharjah .��‫• اﻟ��ﺰ�اﳌﺎ‬
Abu Dhabi National
Abu Dhabi Polymers Company Bank (Borouge)
Ministry of Economy .‫• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬
DNV-GL
Council – AbuAbu Dhabi DhabiAbuNational
Dhabi Bank
Ventures Middle East .‫• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬
AccountabilityDNV-GL
Authority (ADAA)
Ventures Authority
Middle East‫ واﻷﻃﺮ‬،‫واﻟﻌﺎﻣﻠ�ن‬
‫ار�ﺔ‬
‫ﺮ‬ ‫�اﺳﺘﻤ‬
Ministry of Interior‫ﺮ‬ ‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃ‬ ،‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن‬
��‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ ‫اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ‬
Authority
Security State
‫واﳌﻮارد‬Department Chamber
،‫ واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬،‫واﻷﺻﻮل‬ of،‫واﳌﻌﻠﻮﻣﺎت‬
،‫واﻟﻌﺎﻣﻠ�ن‬ Commerce and ،‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‬
،‫واﻷﻧﻈﻤﺔ‬
Industry .‫اﻷﺧﺮى�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬
Federal Authority for Nuclear
Supreme Petroleum Council Federal Customs Authority
2
39 13 2
Table of Contents
Use Key 01
A- 1. General
Preface 12
02
Introduction
1.1. Purpose ‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬ 05
12
Definitions 08
1.2. Risponsibilities ‫ا��ﺎﻃﺮ‬ 12
A-1. General 12
1.1.1.3.Purpose
Controls set by Legislaties 13
12
1.2.1.4.Responsibilities
Plans and Procedures 13
12
A- 2. Controls
1.3. set by Legislative
Applicability Bodies ‫ ﻣﺴﺎر‬3 ‫ﺷ�ﻞ‬
‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬ 13
13
1.4. Plans and Procedures 13
A- 3. Responsibility Level 14 -1
A-2. Applicability 13
A- 4. Scope
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬
A-3. Responsibility Level � �‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬ ‫ﺮ‬ ‫�اﺳﺘﻤ‬ ‫ﺮ‬ 14
‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃ‬
14
A-4. 4.1.Scope.‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬
Scope of the Guideline ‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
14
14
4.1.4.2.Scope of the Guideline
Organization’s Scope of Business :‫�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ‬
Continuity ‫�ﻣﺼﺎدر‬ 14
Capability 15
4.2. Organization’s Scope of Business Continuity Capability 15
A- 5. Business Continuity Program establishment .‫ • ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن‬16
A-5. Business Continuity Program establishment 16
.‫• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬
5.1.5.1.Understanding
Understanding thethe organization
organization 17
17
.(‫ وﻏ��هﺎ‬،‫ واﳌﻴﺎﻩ‬،‫• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‬
5.2.5.2.TopTop
Management
Management Commitment
Commitment 18
18
A-6. Business .(‫وﻏ��هﺎ‬ ،‫ا��ﻮادم‬
Continuity ،‫�اﻟﺒﻴﺎﻧﺎت‬‫ﺰ‬
Capability ‫)ﻣﺮﻛ‬ ‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت‬ • 22
A- 6. Business Continuity Capability 22
A-7. BCM Documentation and Records .‫ • ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬22
A- 7. BCM Documentation and Records 22
7.1. Required Documents .��‫ • اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى�ا��واﻟﺪو‬22
7.2.7.1.Controlling
RequiredBCM Documents
documentation and record .��‫ • اﻟ��ﺰ�اﳌﺎ‬22 23
A-8. 7.2.
Business ContinuityBCMManagements
documentationProgram Operations 25
Controlling and record .‫ • ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬23
8.1. Business Impact Analysis 27
A- 8. Business Continuity Managements .‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬ Program Operations
‫أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء‬ • 25
8.2. Risk Assessment 30
8.3.8.1.Business
Business Impact Analysis
Continuity (BC) Strategies 27
39
‫ واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬،‫ واﻟﻌﺎﻣﻠ�ن‬،‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن‬
8.4.8.2.Incident
Risk Assessment
Response Plan 30
48
��‫اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬
8.5. Business Continuity Plan (BCP) 50
39
‫ واﳌﻮارد‬8.3. Business
،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬ Continuity (BC)
‫ واﻟﺸﺮ�ﺎء‬،‫واﻷﺻﻮل‬ Strategies
،‫واﻟﻌﺎﻣﻠ�ن‬ ،‫ واﳌﻌﻠﻮﻣﺎت‬،‫ واﻷﻧﻈﻤﺔ‬،‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‬
8.6. Media Response plan 52
8.4. Incident Response Plan .‫�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬48
‫اﻷﺧﺮى‬
8.7. Awareness and training 54
3
39
14
Table of Contents
8.8. Test and Exercise 56

A- 1.
A-9. General
Business Continuity Program Review 12
60
9.1.1.1.Annual Review ‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬
Purpose 60
12
9.2. ‫�ا��ﺎﻃﺮ‬‫ﻗﺒﻮل‬of Suppliers and Service providers
Review ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
62
1.2. Risponsibilities ‫ا��ﺎﻃﺮ‬ 12
9.3. Compliance and Internal Audit Review 63
A-10.1.3.TopControls set by Legislaties
Management Review 13
66
10.1.
1.4.Management review of BCM Program
Plans and Procedures 67
13
A- 2. Documentation
10.2. Applicability of the management
‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬ review
‫ﻣﺴﺎر‬ 3 ‫ﺷ�ﻞ‬ 67
13
10.3. Points of input during management review 67
A- 3. Responsibility Level 14 -1
10.4. Management Review outcome 67
A- 4. Scope
A-11. BCM Program Continual Improvement � �‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬‫ﺮ‬ ‫�اﺳﺘﻤ‬ ‫ﺮ‬ 14
68
11.1. .‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬
4.1.Non-Conformities
Scope of the Guideline ‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
14
68
4.2.Corrective
11.2. ActionsScope of Business
Organization’s :‫�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ‬
Continuity ‫�ﻣﺼﺎدر‬ 69
Capability 15
Right of Use 71
A- 5. Business Continuity Program establishment .‫ • ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن‬16
Contact NCEMA 71
5.1. Understanding the organization 17
5.2. Top Management Commitment 18
.(‫ وﻏ��هﺎ‬،‫ ا��ﻮادم‬،‫• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت‬
A- 6. Business Continuity Capability 22
A- 7. BCM Documentation and Records 22
7.1. Required Documents .��‫ • اﻟ��ﺰ�اﳌﺎ‬22
7.2. Controlling BCM documentation and record
.‫ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ • 23
A- 8. Business Continuity Managements Program
.‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬ Operations
‫أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء‬ • 25
8.1. Business Impact Analysis 27
8.2. Risk Assessment 30
‫ واﳌﻮارد‬8.3. Business Continuity
،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬ (BC)،‫واﻟﻌﺎﻣﻠ�ن‬
‫ واﻟﺸﺮ�ﺎء‬،‫واﻷﺻﻮل‬ Strategies 39
،‫ واﳌﻌﻠﻮﻣﺎت‬،‫ واﻷﻧﻈﻤﺔ‬،‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‬
8.4. Incident Response Plan .‫�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬48
‫اﻷﺧﺮى‬
4
39
14
Introduction
The following Business Continuity Management documents and references

Underhavethe been used:and directions of the wise leadership and the UAE federal
guidance
government which continuously strives to maintain and enhance the stability of
International
‫�ا��ﺎﻃﺮ‬‫ﻗﺒﻮل‬ Standard ISO 22313:2012 – Societal Security
‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ – Business
the country,Continuity
with theManagement
ongoing follow
‫ا��ﺎﻃﺮ‬ up of
Systems – Guidance
the Supreme Council for National
Security, the National Emergency
International Standard ISO Crisis and Disasters
31000:2009 Management– Authority
- Risk Management
(NCEMA) draftedPrinciplesthe and
firstGuidelines
version of Business Continuity Management Standard
and Guidelines British Standard BS 1:2006-25999 Business Continuity Management –
in 2012.
Specifications ‫ ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬3 ‫ﺷ�ﻞ‬
This GuidelinesBCI Good document
Practicehas been developed
Guidelines 2013 from Business to adaptContinuity
international best
Institute
practices in business continuity management. This UAE Business ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬ -1
Continuity
The information
Management Standardwas tailored to �match
Specifications
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ the naturealong
and Guidelines of the
�‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬ UAE
with
‫�اﺳﺘﻤﺮ‬ government
templates
‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ‬ are
unique business. It provides theareinternational
in the.‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬
sense that they provided together best practices used by internal and
comprehensively.
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ ‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
external parties to help organizations continue performing their prioritized
Theseactivities, comply have
BCM Guidelines with their
been organizational
developed and ‫ر‬contractual
:‫�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ‬
to assist ‫�ﻣﺼﺎد‬ commitments
organizations systemically
and to protect the interests of beneficiary
build their business continuity capability before, during .‫�اﻟﻌﺎﻣﻠ�ن‬ organizations after
and after an emergency,
an emergency,
‫ﻋﺪم�ﺗﻮﻓﺮ‬ •
crisis or disaster that hinders the organization from properly performing is
disaster or crisis. All these initiatives are aimed at ensuring ongoing
.‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬ ‫ا��ﺴﺎﺋﺮ‬performance
• sized
activities and services. The Guidelines can be applied to different
of prioritized activates
organizations, in both
in both publicpublic
and and
private
.(‫وﻏ��هﺎ‬ ،‫واﳌﻴﺎﻩ‬private
،‫)اﻟﻜهﺮ�ﺎء‬sectors,
sectors. for the
‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ‬ ‫ اﳌﺮ‬purpose
• of
enhancing the UAE’s national stability.
Government organizations and its private sector partners .‫ﺮ�اﳌﻌﻠﻮﻣﺎت‬should
‫ ﻋﺪم�ﺗﻮﻓ‬effectively
•
handle emergencies and crises in a well-coordinated manner in order• to fully
.��‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى�ا��واﻟﺪو‬
recover from such situations. Service delivery should be maintained at minimum
.��‫• اﻟ��ﺰ�اﳌﺎ‬
required level and should not be disrupted when an emergency occurs until
.‫• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬
recovery is complete.
.‫• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬
‫ واﳌﻮارد‬،‫ واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬،‫ واﻷﺻﻮل‬،‫ واﻟﻌﺎﻣﻠ�ن‬،‫ واﳌﻌﻠﻮﻣﺎت‬،‫ واﻷﻧﻈﻤﺔ‬،‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‬
5
39 05 17
5
Introduction
The following Business Continuity Management documents and references

have beenBusiness
The following used: Continuity Management documents and references have
been used: ‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬
International
‫�ا��ﺎﻃﺮ‬ ‫ﻗﺒﻮل‬ Standard ISO 22313:2012 – Societal Security
‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ – Business
Continuity Management‫ا��ﺎﻃﺮ‬ Systems ––Guidance
International Standard ISO 22313:2012 Societal Security – Business
Continuity Management Systems – Guidance- Risk Management –
International Standard ISO 31000:2009
Principles and Guidelines
International StandardBSISO
British Standard 31000:2009 Business
1:2006-25999 - Risk Management
Continuity –Management
Principles and –
Guidelines
Specifications ‫ ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬3 ‫ﺷ�ﻞ‬
BritishBCIStandard BS 25999-1:2006
Good Practice GuidelinesBusiness2013 from Continuity
BusinessManagement –
Continuity Institute
Specifications ‫ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬-1
The
BCI information
Good Practice was tailored to
Guidelines
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ �match
2013 fromthe natureContinuity
Business of the
�‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬ UAE
‫�اﺳﺘﻤﺮ‬ government
Institute
‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ‬
business. It provides the international best practices used by internal and
‫ و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬.‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬
The information
external partieswas tailored
to help to match the nature
organizations continue of the UAE government
performing their prioritized
activities,
business. comply
It provides thewith their organizational
international :‫�اﻟﺘﺎﻟﻴﺔ‬practices
best andused
‫�ﺣﺪوث�ا��ﺎﻃﺮ‬ ‫ر‬contractual
‫�ﻣﺼﺎد‬ commitments
by internal and external
and to protect the interests of beneficiary
parties to help organizations continue performing their prioritized organizations after an emergency,
activities,
.‫ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن‬ •
crisis or disaster that hinders the organization from properly performing is
comply with their organizational and contractual commitments and
.‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬ to protect
‫ا��ﺴﺎﺋﺮ‬ • sized the
activities and services. The Guidelines can be applied to different
interests of beneficiary
organizations, organizations
in both public and after
private
.(‫وﻏ��هﺎ‬ an emergency,
،‫واﳌﻴﺎﻩ‬sectors. crisis or disaster
،‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‬ ‫ • اﳌﺮ‬that
hinders the organization from properly performing is activities and services. The
Guidelines can be applied to different sized organizations, in both public and
private sectors.
.��‫اﻟ��ﺰ�اﳌﺎ‬ •
.‫ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ •
.‫أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬ •
6
39 05 17 6
‫اﻟ��ﺰ�اﳌﺎ��‪.‬‬ ‫•‬

‫‪7‬‬
‫‪39‬‬
Definitions :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
Term Definition
A process, service, procedure, product, task, or combination of them that
Activity
are managed by organization.
‫ ﻗﺒﻮل�ا��ﺎﻃﺮ‬An organized, autonomous and ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ documented form of ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
activity of an
Audit organization conducted by an independent body in order to comply to
the BCM Standard
Development of understanding of primary Business Continuity
Management risks and issues. Awareness enables the workforce to
Awareness identify threats and responding
‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬ ‫ﻣﺴﺎر‬p3romptly
‫ ﺷ�ﻞ‬and appropriately. Awareness is
created among employees in the organization and it is less formalized as
compare to training. ‫ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬-1
The ability of the organization to continue its prioritized activities at
Business Continuity (BC) ��‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬
predetermined level after the occurrence of disruptive incident.
‫ و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬.‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬
A comprehensive management process, ‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
which highlights possible threats
and impact of such threats
:‫ﺮ�اﻟﺘﺎﻟﻴﺔ‬o‫�ﺣﺪوث�ا��ﺎﻃ‬
n business ‫ر‬o‫�ﻣﺼﺎد‬
perations of the organization.
Business Continuity
The identification of threats assists to develop organizational resilience,
Management (BCM) .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن‬
toward these threats, and an effective and suitable response that will
protect the stakeholders’ .‫ﻣﻨﮫ‬ ‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء‬
interest, ‫ا��ﺴﺎﺋﺮ‬
brand name and reputation. •
Business Continuity It is a component .(‫وﻏ��هﺎ‬
of overall organizational
،‫واﳌﻴﺎﻩ‬ management
،‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‬ ‫اﳌﺮ‬system,
• which
Management Program establishes, implements, operates, reviews, monitors, maintains and
(BCM Program) improves business continuity capability.
Set of procedures in a documented form, .‫�اﳌﻌﻠﻮﻣﺎت‬ which d‫ﺮ‬irect
‫ﻋﺪم�ﺗﻮﻓ‬ •
the organization to
Business Continuity Plan react, recover, restore and restart
.��‫�ا��واﻟﺪو‬ the predetermined level o•f operations
‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى‬
after the interruption.
.��‫• اﻟ��ﺰ�اﳌﺎ‬
It is the major document that identifies the governance and scope of
Business Continuity .‫�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ ‫ﻋﺪم�ﺗﻮﻓﺮ‬ •
business continuity plan along with BCM objectives and highlights the
Policy
cause of its implementation.
.‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬ ‫• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء‬
Business Continuity The method of an organization to plan in order to recover and continue
Strategy after a d‫ﺮ‬isruptive
‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬ event.
‫ واﻷﻃ‬،‫واﻟﻌﺎﻣﻠ�ن‬ ،‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن‬
Business Impact It is the process for analyzing business activities and the impacts of
Analysis (BIA) disruptive incidents that may happen over time.
Capacity to apply skills, resources and knowledge to accomplish desired
Competence .‫اﻷﺧﺮى�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬
goals.
Continual Improvement Consistent activities to increase the performance level.
Compliance Extent to which requirements are fulfilled
8
39
8
Term Definition :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
Conformity Extent to which mandatory requirements are fulfilled.
Corrective Action Steps or measures that remove discrepancies.

‫ل‬
Capability ‫ﻗﺒﻮ �ا��ﺎﻃﺮ‬ Ability of capacity to perform a ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
specific activity effectively.
An incident which disturbs routine operation, process or function of the
Disruption
business. These events could be anticipated or unanticipated.
Activity in which the business continuity plans is rehearsed in a part or in
Exercise whole to ensure that the plans
‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬ ‫ﻣﺴﺎر‬contain
3 ‫ ﺷ�ﻞ‬the appropriate information and
produce the desired results when put into effect.
External and internal External or internal variables that can have impact over the business
‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬ -1
issues continuity capability of the organization.
Fit-‐For-‐Purpose Fulfilling the requirements of the organization.
‫ و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬.‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ ‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
Individual, group, or a:‫�اﻟﺘﺎﻟﻴﺔ‬
n organization
‫�ﺣﺪوث�ا��ﺎﻃﺮ‬ which
‫�ﻣﺼﺎدر‬ can affect or be affected or
Interested Party consider to be influenced by an activity or decision.
.‫• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن‬
Set of procedure for immediate response after an ‫ﺮ‬a‫ا��ﺴﺎﺋ‬
.‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬ ccident, a• nd it is
Incident Response Plan
focused upon the safety of personal
A compliance review against BCM standard requirements. Therefore take
Internal Audit .(‫وﻏ��هﺎ‬corrective
،‫ ا��ﻮادم‬،‫�اﻟﺒﻴﺎﻧﺎت‬ ‫)ﻣﺮﻛﺰ‬
actions and ‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت‬
suitable decisions accordingly. •
Minimum Business .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬
Minimal level for product or service, which considered as appropriate for
Continuity Objective
ccomplish o‫ى‬
the organization to a.��‫�ا��واﻟﺪو‬ ‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮ‬
rganizational •
goals after disruption
(MBCO)
Set of procedures that will enable organization t.��‫�اﳌﺎ‬ ‫ • اﻟ��ﺰ‬with
o communicate
media and interested parties throughout roles and
.‫�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ responsibilities
‫ﻋﺪم�ﺗﻮﻓﺮ‬ • and
Media Response Plan
use of available media channels to communicate and deliver the
necessary information and instruction effectively during a disruption.
Time it would take for adverse impacts, which might arise as a result of
Maximum Acceptable
not providing a product/service or performing an activity, to become
Outage (MAO)
��‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬
unacceptable. ‫اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ‬
Non Conformities Mandatory requirements in the BCM standard not fulfilled.

The targets or goals that an organization wants to achieve throughout the
BCM Objectives
BCM Program.

9
39
9
Term Definition :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
Activities that are critical and must be given priority when recovering
Prioritized Activities
from a disruptive incident in order to reduce the impacts
It is a set of interdependent actions that convert inputs into finished
Process
products ‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬
Resources ‫ا��ﺎﻃﺮ‬ include information, skills, people, technology, assets and
Resources premises, which are obtain and used by an organization to achieve its
organizational goals and objective.
Recovery Retrieval or recapturing of normal or prior state.
A strategy t‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬ ‫ﻣﺴﺎر‬
hat is used by an 3 ‫ ﺷ�ﻞ‬to make sure it’s regaining or
organization
Recovery Strategies
continuing after an incident.
‫ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬-1
The extent to which an organization can afford and bear the risks and
Risk Appetite
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ ��‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬
neutralize these risks to eliminate the threats. ‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮ‬
Recovery Time Time span after the occurrence of an ‫ﺮ‬incident
‫ و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬.‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ in which an activity or
‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤ‬
Objective (RTO) product should be restarted or resources and assets should be regained.
:‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ‬
Risk Assessment The process in which risks is identified, analyzed and evaluated.
Risk The impacts of uncertainties on organizational goals.
.‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬ ‫ا��ﺴﺎﺋﺮ‬ •
An official declaration,
.(‫وﻏ��هﺎ‬w،‫واﳌﻴﺎﻩ‬
hich c،‫)اﻟﻜهﺮ�ﺎء‬
ommunicates that emergency
‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ‬ ‫• اﳌﺮ‬situation is
Stand Down
.(‫وﻏ��هﺎ‬controlled
،‫ ا��ﻮادم‬،‫�اﻟﺒﻴﺎﻧﺎت‬ and no further invocation of plans is required.
‫• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ‬
Group of individuals sitting at the top of the organization and plays the
Top Management .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬
role to guide and control the organization.
This is an activity or a.��‫�ا��واﻟﺪو‬ ‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى‬
ction that is undertaken to gauge the capabilities
• or
Test effectiveness of a strategy or plan against a predetermined criteria or
.��‫• اﻟ��ﺰ�اﳌﺎ‬
benchmark.
This activity is more formalized as compared .‫�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ ‫ ﻋﺪم�ﺗﻮﻓﺮ‬It • purports to
to awareness.
Training build skills and k.‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬
nowledge to increase the performance of staff
‫أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء‬ • regarding
a specific function.
‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬
SMART Objectives ‫واﻷﻃﺮ‬
Specific, ،‫ واﻟﻌﺎﻣﻠ�ن‬،‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‬
Measurable, ‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى‬
Achievable, Relevant and Times objectives.

10
39
10
‫‪Business Continuity Management Action Model‬‬
‫‪Understanding the‬‬
‫‪Organization‬‬
‫‪Top Management‬‬
‫‪Commitment‬‬
‫‪BCM Program Establishment‬‬
‫‪Business Impact‬‬
‫‪Analysis‬‬ ‫‪ -1‬ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
‫‪Incident Response‬‬
‫‪Plan‬ﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ��ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬
‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤ‬
‫‪Development‬‬
‫‪Continual Improvement‬‬
‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‪ .‬و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ ‫‪Business Continuity‬‬

‫‪Plans‬‬
‫‪Risk Assessment‬‬
‫‪Plan‬‬
‫‪Media Response‬‬
‫‪Business Continuity‬‬ ‫�اﻟﻌﺎﻣﻠ�ن‪.‬‬
‫ﻋﺪم�ﺗﻮﻓﺮ‬
‫‪Plan‬‬ ‫•‬
‫‪Strategy‬‬
‫‪Awareness‬‬ ‫اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‪and ،‬‬
‫واﳌﻴﺎﻩ‪ ،‬وﻏ��هﺎ(‪.‬‬ ‫•‬
‫‪Training‬‬
‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت‪ ،‬ا��ﻮادم‪ ،‬وﻏ��هﺎ(‪.‬‬
‫‪Tests and Exercises‬‬
‫•‬
‫‪BCM Program Operations‬‬
‫اﻟ��ﺰ�اﳌﺎ��‪.‬‬ ‫•‬
‫‪Annual Review and‬‬
‫‪Internal Audit‬‬ ‫ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‪.‬‬ ‫•‬
‫‪Management‬واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬ ‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى ‪Review‬‬

‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‪ ،‬واﻟﻌﺎﻣﻠ�ن‪،‬‬
‫‪BCM Program Review‬‬
‫‪Figure 1: BCM Action Model‬‬
‫‪11‬‬
‫‪39‬‬ ‫‪13‬‬ ‫‪25‬‬
A-1. General :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
1.1. Purpose
This document is aimed at providing a common set of guidelines that can

serve the purpose in ‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬ referencing to the development, implementation,
establishing and maintaining ‫ ا��ﺎﻃﺮ‬a BCM (Business Continuity Management)
Program by all the public and private sectors across the nation. As a body of
knowledge, this document main emphasis is laid on providing help for
following:
a. Enlist prioritized activities based on‫ﻣﺴﺎر‬
‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬ the3 understanding
‫ﺷ�ﻞ‬ of the strategy,
objectives and culture of the organization;
b. Analyze and evaluate the impact on prioritized activities in case of a
disruption; ��‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ .‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬
c. Analyze the risks involved and their impacts‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
on business disruption;
d. Develop the Business Continuity :‫(�اﻟﺘﺎﻟﻴﺔ‬BC) Capability
‫�ﺣﺪوث�ا��ﺎﻃﺮ‬ of‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر‬
‫�ﻣﺼﺎدر‬ the organization with
the intention of responding and recovering from the ‫ﺮ‬disruptions;
.‫�اﻟﻌﺎﻣﻠ�ن‬ ‫• ﻋﺪم�ﺗﻮﻓ‬
e. Develop an integrated and coordinated set of plans for‫ا��ﺴﺎﺋﺮ‬
.‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬ increasing•
organization resilience;
f. Validate the BCM Program by conducting exercises, maintaining and
continually reviewing for improvement.
1.2. Responsibilities .��‫• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى�ا��واﻟﺪو‬
Refer to AE/SCNS/NCEMA 7000:2015 specifications Figure .��‫�اﳌﺎ‬2.
‫• اﻟ��ﺰ‬
NCEMA is committed and dedicated in establishing the‫ﻋﺪم�ﺗﻮﻓﺮ‬
.‫�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ guidelines
• for the
BCM Program.
12
39
12
1.3. Controls set by Legislative Bodies :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
Legislative and licensing bodies may establish further specifications in

addition to those defined in this BCM standard to ensure community
safety,
‫�ا��ﺎﻃﺮ‬security,
‫ﻗﺒﻮل‬ and continuity of functions and services
‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ required to
promote national security. Where additional specifications are established,
the organization should comply with such specifications. However, in case
of discrepancy between the specifications contained in this BCM standard
and the additional ones, such organization should have recourse to the
issuing authority of this standard for settlement.
1.4. Plans and Procedures
��‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬
Based .‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬
on the nature, size and complexity of‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
activities, an organization
should develop their BCM Program. :‫ﺮ�اﻟﺘﺎﻟﻴﺔ‬Top Management
‫�ﺣﺪوث�ا��ﺎﻃ‬ in an organization
should approve the details and level of the plans to.‫�اﻟﻌﺎﻣﻠ�ن‬ be maintained,
‫ • ﻋﺪم�ﺗﻮﻓﺮ‬whether
to have individual business continuity plan, disaster recovery
.‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬ plans,
‫ا��ﺴﺎﺋﺮ‬ • crisis &
incident management plans .(‫وﻏ��هﺎ‬ and emergency
،‫ واﳌﻴﺎﻩ‬،‫)اﻟﻜهﺮ�ﺎء‬response plans.
‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ‬‫ اﳌﺮ‬For• ease of
planning, implementation and maintenance organizations may combine
two or more of these plans.
.��‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى�ا��واﻟﺪو‬ •
A-2. Applicability
.��‫• اﻟ��ﺰ�اﳌﺎ‬
The requirements and specifications set forth in this BCM standard
.‫�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ ‫ ﻋﺪم�ﺗﻮﻓﺮ‬are• general
and are applicable to all types of organizations irrespective of the sector they
belong to. Every organization should assume the responsibility of defining and
documenting
‫ار�ﺔ‬ its “fit for purpose”
‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮ‬ BC،‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‬
‫ واﻷﻃﺮ‬،‫واﻟﻌﺎﻣﻠ�ن‬ Capability, which ensures performance of
‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى‬
prioritized activities and services during disruptive incidents. Pursuant to this
BCM standard, organizations should identify their prioritized activities as well
as the business units, departments and sections where such activities are
performed. In addition, organizations should identify their associates such as
third-party suppliers, service providers and partners which provision goods
and services needed to perform these activities.
13
39
13
A-3. Responsibility Level :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
The Top Management remains the decisive body and the driving force that
endorses the success of the implementation of a BCM Program within the
organization. Top Management should provide their leadership, commitment
and all the resources required
‫ا��ﺎﻃﺮ‬to implement and validate the BCM Program.
Moreover, the commitment and support of Top Management is required not
only during the initiation of the BCM Program but also during the entire
implementation of the BCM Program.
Top Management can evident their commitment by:
 Understanding their role in the BCM Program and communicating
the importance of BC in the organization
 Ensuring the availability of resources required to implement the BCM
Program :‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ‬
 Conducting periodic management reviews. .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن‬
Top Management can define appropriate competencies
.(‫ وﻏ��هﺎ‬،‫ واﳌﻴﺎﻩ‬،‫)اﻟﻜهﺮ�ﺎء‬ and responsibilities
‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ‬‫• اﳌﺮ‬
to other levels in order to implement the BCM Program. This standard,
along with these guidelines, offers the minimum requirements needed for a
BCM Program.
A-4. Scope .��‫اﻟ��ﺰ�اﳌﺎ‬ •
4.1. Scope of the Guideline .‫ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ •
These guidelines are applicable .‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬

to all the‫أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء‬
types and sizes of organization •
that wish to develop, implement, operate, maintain, review and continue
its prioritized activities following an emergency, crisis or a disruptive
incident.
4.1.1. This guideline should not be used to assess an organization’s ability
to meet its own business continuity needs, nor any customer, legal or
regulatory needs. Organizations wishing to do so should use the “Business
14
39
14
Continuity Management Standard – Specifications AE/SCNS/NCEMA
7000:2015” to demonstrate conformance to others.
4.2. Organization’s Scope of Business Continuity Capability

Importance and purpose‫ا��ﺎﻃﺮ‬ of setting out the scope
The determination of the scope of the BCM Program is of utmost
importance before its implementation and deployment. The main objective
of setting the scope of a BCM Program is mainly aimed at ensuring
transparency of what areas of the organization
‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬ ‫ ﻣﺴﺎر‬3 ‫ ﺷ�ﻞ‬are included and what areas
are excluded within the scope of BCM Program. A thorough study and
comprehensive understanding of the objectives, strategies and culture of
the organization must be ensured before setting the scope. The scope
comprehensively defines the activities, products ‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
and services, locations,
functions, and processes to which:‫�اﻟﺘﺎﻟﻴﺔ‬ the‫ﺮ‬BCM Program
‫�ﺣﺪوث�ا��ﺎﻃ‬ ‫�ﻣﺼﺎدر‬applies.
4.2.1. Organization should define.‫ﻣﻨﮫ‬the deliverables, outputs,
‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء‬‫ا��ﺴﺎﺋﺮ‬ •activities,
services and functions that fall within
.(‫وﻏ��هﺎ‬ ،‫واﳌﻴﺎﻩ‬the scope
،‫)اﻟﻜهﺮ�ﺎء‬ of its business
‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ‬
‫اﳌﺮ‬ continuity
•
capability..(‫ وﻏ��هﺎ‬،‫ ا��ﻮادم‬،‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت‬ •
Process of setting out the scope
While setting out the scope, intensive study, and comprehensive
understanding of the strategy, objectives and culture of.��‫�اﳌﺎ‬ the‫اﻟ��ﺰ‬ •
organizations is
very essential. Setting up the scope of the BCM Program
.‫�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ lies within
‫ﻋﺪم�ﺗﻮﻓﺮ‬ • the
jurisdiction of the Top Management in order
.‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬ to define specific and
‫أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء‬ • explicit
areas of the organization regarding their inclusion within the BCM Program.
Once
‫�اﺳﺘﻤﺮار�ﺔ‬ the scope has
‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ‬ been ،‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‬
‫ واﻷﻃﺮ‬،‫واﻟﻌﺎﻣﻠ�ن‬ determined, ‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى‬
the organization should
communicate it to interested‫اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ‬
��‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ parties.
Factors to consider when setting out the scope: .‫اﻷﺧﺮى�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬
 Scale: The nature, size, and the complexity of the organization
 Risk: The organizations risk appetite
15
39
15
 BCM Maturity: What level of BCM Program maturity:‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
does the
organization currently possess
 Geographical Location: Locations, facilities, and environment
 Governments directives, standards, regulatory or legal requirements
shall
‫�ا��ﺎﻃﺮ‬‫ﻗﺒﻮل‬be fulfilled. ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
4.2.2. The organization’s scope for business continuity should include all
activities required to maintain its prioritized activities.
The scope document should identify but not be limited to:
 Agreed-upon objectives and business priorities;
 The deliverables required during the project and delivery times of
primary and final products;
 Any assumptions whereby :‫�اﻟﺘﺎﻟﻴﺔ‬ ‫�ﺣﺪوث�ا��ﺎﻃﺮ‬
risk or ‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر‬
impact statements can be
provided; .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن‬
 Locations and / or activities to.‫ﻣﻨﮫ‬be‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء‬
included in or excluded;‫• ا��ﺴﺎﺋﺮ‬
 The organizational structure .(‫وﻏ��هﺎ‬of the،‫)اﻟﻜهﺮ�ﺎء‬
،‫واﳌﻴﺎﻩ‬ organization’s BCM ‫ﺮ‬Program
‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ‬ ‫• اﳌ‬
(roles and،‫ا��ﻮادم‬
.(‫وﻏ��هﺎ‬ responsibilities).
،‫• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت‬
A-5. Business Continuity Program establishment
Top Management is responsible for the establishment of.��‫�اﳌﺎ‬ the BCM• Program
‫اﻟ��ﺰ‬
and may appoint a BC Manager or Head of BC. The BC Manager or Head of BC
is responsible for implementation and maintaining the BCM Program.
Depending on the size of the organization, it may be a full or part-time duty.
To emphasize the importance of duties and responsibilities associated with the
BCM Program, the position should have specific BC elements incorporated into
the job description, including fulfillment of duties taken into consideration as
part of the annual job performance review.
16
39
16
5.1. Understanding the organization :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
The primary purpose of a BCM Program is to enable the organization to

promptly and effectively respond to business disruption and maintain
continuity of its prioritized activities, taking into account all interested
parties ‫ﻗﺒﻮل‬
‫�ا��ﺎﻃﺮ‬involved in performing prioritized ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬
activities. ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
5.1.1. Identify all processes, relations, partnership, and supply chains with
interested parties.
5.1.2. The overall risk which the organization
‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬ ‫ ﻣﺴﺎر‬3 ‫ﺷ�ﻞ‬is willing to undertake.
5.1.3. While implementing the BCM Program certain external and internal
issues may affect the desired outcomes of the BCM Program.
Internal
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ issues are factors that occur within an ‫ﺮ‬organization
.‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ such as:
 Organizations financial changes :‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ‬
 Changes in the Top Management .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن‬
 Employee morale .‫• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬
 Change in the culture of the organization
External issues are factors that take place outside the organization and are
harder to predict and control, such as: .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬
 Changes to the economy .��‫• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى�ا��واﻟﺪو‬
 Threats from competition .��‫• اﻟ��ﺰ�اﳌﺎ‬
 Political factors .‫• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬
 Government regulations .‫• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬
 The industry itself
5.1.4. Identify the needs and
��‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ expectations of the addressed interested
‫واﳌﻮارد‬parties and their
،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬ legal
‫واﻟﺸﺮ�ﺎء‬ and،‫واﻟﻌﺎﻣﻠ�ن‬
،‫واﻷﺻﻮل‬ regulatory
،‫واﳌﻌﻠﻮﻣﺎت‬requirements. All contractual
،‫ واﻷﻧﻈﻤﺔ‬،‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‬
obligations with suppliers, service providers or.‫�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬
others should be set‫اﻷﺧﺮى‬ along
with other legislative obligations, in accordance with the laws and
regulations and any regulatory obligations.
17
39
17
5.2. Top Management Commitment :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
Commitment from the Top Management is one of the main factors for a
successful implementation the BCM Program.
5.2.1. Top‫ﻗﺒﻮل‬
Managements commitments should ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬
be evidenced‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
through:
 Establishing a BC Policy and Objectives
 Ensuring the BCM Objectives are met
 Assigning roles and responsibilities
 allocating the resources for implementing
‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬ ‫ ﻣﺴﺎر‬3 ‫ ﺷ�ﻞ‬the BCM Program
 Actively participating in selection of the BC Strategy
 Actively engaged in exercising and testing
 Ensuring internal BCM Programs audits are conducted
 Conducting effective management reviews of the BCM Program
 Directing and supporting improvement:‫�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ‬
of‫ر‬BCM
‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر�ﻣﺼﺎد‬
Program.
5.2.2. Top Management should .‫ﻣﻨﮫ‬ ensure that the organization’s
‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء‬
‫• ا��ﺴﺎﺋﺮ‬ BCM
objectives are identified. The BCM .(‫وﻏ��هﺎ‬Objectives should:
،‫ واﳌﻴﺎﻩ‬،‫)اﻟﻜهﺮ�ﺎء‬ ‫• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ‬
 Be aligned with the
.(‫ وﻏ��هﺎ‬،‫ا��ﻮادم‬ organizational
،‫�اﻟﺒﻴﺎﻧﺎت‬ strategic objectives
‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ‬ •
 Determine Minimum Business Continuity Objective (MBCO)
 SMART and be set as a performance indicator in the BCM Program.
5.2.3. Business Continuity Policy shall be approved .��‫اﻟ��ﺰ�اﳌﺎ‬

by •the Top
Management. The policy shall include BCM objectives .‫ﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬and
‫ﻋﺪم�ﺗﻮﻓ‬risk •appetite,
and be published internally and to interested
.‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬ parties (If applicable).•
‫أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء‬
5.2.4.
‫�اﺳﺘﻤﺮار�ﺔ‬ Refer to AE/SCNS/NCEMA ،‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن‬
‫ واﻷﻃﺮ‬،‫واﻟﻌﺎﻣﻠ�ن‬7000:2015
‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ‬ Specifications Clause 5.2.4.
‫واﳌﻮارد‬5.2.5. The responsibility
،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬ ‫ واﻟﺸﺮ�ﺎء‬،‫ل‬of the،‫واﻟﻌﺎﻣﻠ�ن‬
‫واﻷﺻﻮ‬ Top Management is to ،‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‬
،‫ واﳌﻌﻠﻮﻣﺎت‬،‫واﻷﻧﻈﻤﺔ‬ assign qualified
experienced personnel to implement, maintain.‫�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬
and continually improve ‫اﻷﺧﺮى‬the
BCM Program. Assigned personnel should receive relevant trainings to
fulfill their responsibilities in maintaining and operating the organization’s
BCM Program.
18
39
18
5.2.6. Different members from each department of the organization maybe
identified to assist in the implementation of the BCM Program depending
on the size and complexity of the organization. Their BCM roles and
responsibilities may be collaborated with their daily jobs. The minimum
required ‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬
‫ل�ا��ﺎﻃﺮ‬roles
‫ ﻗﺒﻮ‬and responsibilities of the‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬
Business Continuity Management
team who would be accountable
‫ا��ﺎﻃﺮ‬ and responsible to establish, implement,
operate and maintain the BCM Program detailed as below:
BCM Manager
 Establish and demonstrate commitment to BCM Policy
 Responsible for all BCM Program activities ‫ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬-1
 Nominate the BCM team��‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ with appropriate seniority and authority
‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮ‬
‫ و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬that is accountable for BC Policy and implementation
 Facilitate approval of all BC plans, exercises and strategies
 Raise recommendations of BCM Team and BCM representatives
during management review meetings
Incident Response Manager .(‫ وﻏ��هﺎ‬،‫ واﳌﻴﺎﻩ‬،‫• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‬
 Participate in the،‫�اﻟﺒﻴﺎﻧﺎت‬
.(‫ وﻏ��هﺎ‬،‫ا��ﻮادم‬ development of the Incident Response Plan•
‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ‬
 Ensure that Incident Response Plan is regularly updated
.‫�اﳌﻌﻠﻮﻣﺎت‬ ‫• ﻋﺪم�ﺗﻮﻓﺮ‬
 Ensure safety procedures .��‫�ا��واﻟﺪو‬
for all resources including personnel
‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى‬ • during
a crisis
.��‫• اﻟ��ﺰ�اﳌﺎ‬
 Raise incident response awareness to staff across the organization
 Be the main point of contact between the incident response teams
 Progress updates on damage assessment
 Manage the incident response process
19
39
19
BCM Team :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
 Accountable to establish, implement, operate and maintain the BCM
Program.
 Overall responsibility for the maintenance of the BCM
documentation
‫�ا��ﺎﻃﺮ‬ ‫ﻗﺒﻮل‬ for any improvements in the BCM Program.
‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
 Ensure conduct of reviews on all aspects for the BCM Program.
 Assess preparedness of different departments for meeting the
recovery strategies and BCM objectives.
 Organize and coordinate the BCM
‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬ awareness
‫ﻣﺴﺎر‬ 3 ‫ﺷ�ﻞ‬ programs.
 Create the annual exercise program and seek approval from
appropriate authority and distribute it to all concerned‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬ stakeholders -1
of the BCM Program.
 To
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ ensure BCM exercises, internal audits‫ﺮ‬if‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤ‬
.‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ any and management
reviews are carried out periodically. :‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ‬
 Maintain relation with departments and liaise with‫ﺮ‬various
.‫�اﻟﻌﺎﻣﻠ�ن‬ ‫• ﻋﺪم�ﺗﻮﻓ‬
departments during crisis.
 Constantly update the Top Management on the status of resumption
and recovery.
 Liaise .(‫وﻏ��هﺎ‬ ،‫ ا��ﻮادم‬،‫�اﻟﺒﻴﺎﻧﺎت‬
for obtaining status‫)ﻣﺮﻛﺰ‬on‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت‬
damage assessment and recovery •
progress from the concerned teams. .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬
 Track incidents as applicable for their
.��‫�ا��واﻟﺪو‬ root cause analysis and
‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى‬ • to
update log relating to lessons learned .��‫• اﻟ��ﺰ�اﳌﺎ‬
 Facilitate the efforts of BCM departments.‫�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ representatives
‫ ﻋﺪم�ﺗﻮﻓﺮ‬/ •
Champions for the respective department
Internal
‫�اﺳﺘﻤﺮار�ﺔ‬ sectors / Departments
‫ واﻷﻃﺮ‬،‫واﻟﻌﺎﻣﻠ�ن‬representatives
‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ‬ / Champions
،‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن‬
 Responsible for maintaining
��‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ documents and update details
periodically‫واﻟﺸﺮ�ﺎء‬
‫ واﳌﻮارد‬،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬ pertaining
،‫واﻷﺻﻮل‬to،‫واﻟﻌﺎﻣﻠ�ن‬
their department
،‫ واﳌﻌﻠﻮﻣﺎت‬،‫واﻷﻧﻈﻤﺔ‬as and when required or
directed by BCM Manager, e.g., changes to the procedural
.‫�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬ flow
‫اﻷﺧﺮى‬
impacting business, personnel roles and responsibilities etc.
 Responsible for keeping the head of BCM updated on the status of
BCM Program pertaining to their department.
20
39
20
 Responsible for all follow up of activities related to BCM Program,
reports like (Business Impact Analysis , Risk Assessment , Recovery
Strategies, Exercise results) and maintain them as per respective
department.
 Responsible
‫�ا��ﺎﻃﺮ‬ ‫ﻗﺒﻮل‬ for ensuring that vendors maintain BCM
‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ requirements
for their outsourced activities.
 Liaise with all concerned within their department to conduct BCM
exercise as per the schedule and maintains records of such exercise.
 Responsible for ‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
updating the ‫ﻣﺴﺎر‬ BCM3 ‫ﺷ�ﻞ‬ head and other dependent
departments of changes made within their department.
 Responsible for tracking the incidents pertaining to their ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
department-1
for their root cause analysis
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ and updating data ‫�اﺳﺘﻤﺮ‬base
��‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬ relating to
‫ و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬lessons learned.
 Responsible for implementation of Preventive
:‫�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ‬ Action and Corrective
Action plans and updates BCM Manager / BCM team.
‫• ﻋﺪم�ﺗﻮﻓﺮ‬
Relevant interested parties
 Role of interested parties will based on the organization prioritized
activities.
 Relevant interested parties. Roles and responsibilities .‫ ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬should
• be
communicated within the .��‫�ا��واﻟﺪو‬
organization (if applicable).
‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى‬ •
.��‫• اﻟ��ﺰ�اﳌﺎ‬
5.2.7. Developing and implementing a governance framework is on the
important success factors for BCM Program, there is no “one size fits all”
governance framework. According to the size, nature, of an organization
should establish its governance framework. Components of a governance
framework are but not limited to:
 Reporting structure for effective implementation
 Defined roles and responsibilities
 Clear project management methodology
 BCM Program implementation plan
21
39
21
‫‪A-6. Business Continuity Capability‬‬ ‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‪:‬‬
‫‪Each United Arab Emirates organization should assume the responsibility of‬‬
‫‪defining and documenting its “fit-for-purpose” business continuity capability‬‬
‫‪that ensures performance‬‬ ‫‪of prioritized activities and services during‬‬
‫‪emergencies, crisis and disasters.‬‬
‫‪A-7. BCM Documentation and Records‬‬

‫‪7.1. Required Documents‬‬
‫‪7.1.1. The organization shall establish, implement and maintain records of‬‬
‫‪BCM Program capability implementation procedures.‬‬ ‫‪ -1‬ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
‫‪The purpose of BCM documentation‬‬
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ ‫‪and records as illustrated‬‬
‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ��‬ ‫‪in figure 2.‬‬
‫‪To make sure efficient‬‬ ‫ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن‪.‬‬ ‫•‬
‫‪management of the‬‬
‫ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‪BCM system .‬‬ ‫•‬
‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‪ ،‬واﳌﻴﺎﻩ‪ ،‬وﻏ��هﺎ(‪.‬‬
‫اﳌﺮ‬
‫‪To verify that the‬‬ ‫•‬
‫‪To make sure‬‬ ‫‪a swift‬‬
‫وﻏ��هﺎ(‪.‬‬ ‫‪BCM Program has‬‬
‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت‪ ،‬ا��ﻮادم‪،‬‬ ‫•‬
‫‪and an effective‬‬ ‫‪been efficiently‬‬
‫‪reaction to any‬‬ ‫‪implemented‬‬ ‫‪(for‬‬
‫‪occurring event‬‬ ‫‪instance during audit‬‬
‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى�ا��واﻟﺪو��‪.‬‬
‫‪sessions).‬‬ ‫•‬
‫اﻟ��ﺰ�اﳌﺎ��‪.‬‬ ‫•‬
‫‪Purpose of‬‬ ‫ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‪.‬‬ ‫•‬
‫‪BCM‬‬
‫‪documentation‬‬
‫‪and records‬‬
‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‪ ،‬واﳌﻮارد‬ ‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‪ ،‬واﻷﻧﻈﻤﺔ‪ ،‬واﳌﻌﻠﻮﻣﺎت‪ ،‬واﻟﻌﺎﻣﻠ�ن‪ ،‬واﻷﺻﻮل‪ ،‬واﻟﺸﺮ�ﺎء‬
‫‪Figure 2 Purpose of BCM documentation and record‬‬
‫‪22‬‬
‫‪39‬‬
‫‪22‬‬
7.1.2 Organization should maintain a documentary record:‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬ of BCM Program
implementation. Organization’s BCM Programs documents should at least
contain, and not be exhaustive to, the following:
a. Context of Organization
b. Objectives
‫�ا��ﺎﻃﺮ‬ ‫ﻗﺒﻮل‬ and Policy of BCM ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
c. Roles and Responsibilities
d. External and internal issues and interested parties
e. Competency of personnel
f. Business Impact Analysis (BIA)
g. Business Impact Analysis Methodology
h. Business Impact Analysis Report ‫ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬-1
i. Risk Assessment (RA)
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬��‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬
j. Risk
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ Assessment Methodology
k. Risk Assessment Report
l. Business Continuity Strategies
m. Incident Response plan (IRP)
n. Business Continuity Plan (BCP) .‫• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬
o. Media Response Plan (MRP) .(‫ وﻏ��هﺎ‬،‫ واﳌﻴﺎﻩ‬،‫• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‬
p. Awareness and Training
.(‫ وﻏ��هﺎ‬،‫ا��ﻮادم‬ records
،‫)ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت‬ ‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت‬ •
q. Test and Exercises record .‫ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬ •
r. Internal Audit record
s. Management Review record
.��‫اﻟ��ﺰ�اﳌﺎ‬ •
t. Corrections and corrective actions
u. Regulatory requirements .‫ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ •
7.2. Controlling BCM documentation and record
7.2.1 The following key points
��‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ can be considered when developing and
‫واﳌﻮارد‬managing the BCM
،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬ documentation
‫واﻟﺸﺮ�ﺎء‬ and،‫واﳌﻌﻠﻮﻣﺎت‬
،‫ واﻷﺻﻮل‬،‫واﻟﻌﺎﻣﻠ�ن‬ records: ،‫ واﻷﻧﻈﻤﺔ‬،‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‬
a. BCM documentation should be prepared in an understandable way
and should focus on providing and maintaining the effectiveness of
its preparedness and response to business continuity.
23
39
23
b. The intensity of the BCM Program may vary from organization to
organization normally on the basis of the organization’s size and
structure, work, nature, the extent of the services provided and the
employees’ skills in handling emergencies, occurring crisis and the
management
‫�ا��ﺎﻃﺮ‬ ‫ﻗﺒﻮل‬ of ‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬
Business Continuity. ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
c. BCM documentations should be effective enough to provide
comprehensive support in generating operational and
auditing/reviewing the details.
d. Frequent reviews should be conducted. If any amendment, addition
on or cancellation is made to the documents, they should be
reapproved by the Top Management. ‫ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬-1
e. BCM documents should be
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ easy to retrieve. Copies
��‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬ of‫ﺮ‬the
‫�اﺳﺘﻤﺮ‬ BC Plans
‫ و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬and all other important documents should
.‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ be available on the
primary and alternative locations (if any), as well as in all
organizations branches.
f. If documentation or information from external .‫�اﻟﻌﺎﻣﻠ�ن‬
sources • such
is used,
sources should be mentioned..‫• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬
g. A documentation control and،‫واﳌﻴﺎﻩ‬
.(‫وﻏ��هﺎ‬ distribution system should
،‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‬ ‫اﳌﺮ‬be created
•
to ensure that all،‫�اﻟﺒﻴﺎﻧﺎت‬
.(‫ وﻏ��هﺎ‬،‫ا��ﻮادم‬ copies retained
‫)ﻣﺮﻛﺰ‬ in all locations are properly•
‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت‬
updated. .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬
h. Interpreting the relevant documents/information into more than one
dialect by considering the organizations’ structure, nature and
.��‫• اﻟ��ﺰ�اﳌﺎ‬
language of its workforce, particularly those people who are chiefly
engaged in execution of the business continuity .‫�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ ‫ﻋﺪم�ﺗﻮﻓﺮ‬
plans and/or•
entrusted with particular responsibilities.
i. Ensuring the consistent compliance of the documents with the
NCEMA Standard ‫واﻷﻃﺮ‬ ،‫ واﻟﻌﺎﻣﻠ�ن‬،‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‬
specifications ‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى‬
(AE/SCNS/NCEMA 7000:2015).
24
39
24
‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‪A-8. Business Continuity Managements Program Operations :‬‬
‫‪Developing a BCM Program‬‬

‫‪The BCM Program is an on-going process that must be managed effectively‬‬
‫‪and efficiently. Proactive planning‬‬
‫‪ is required to develop a BCM Program, so as‬ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬
‫ا��ﺎﻃﺮ ‪to respond to unexpected‬‬
‫‪and unanticipated incidents. BCM Program helps‬‬
‫‪organizations to identify, classify, understand and prioritize the business‬‬
‫‪continuity risks, and develop plans so that the risks can be mitigated and‬‬
‫‪disruptive events can be responded in a befitting manner.‬‬
‫‪Figure 3: highlights all the key components to consider when developing a‬‬
‫‪BCM Program‬‬
‫‪Business‬‬
‫‪Test and‬‬
‫‪Impact‬‬
‫اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‪ ،‬واﳌﻴﺎﻩ‪ ،‬وﻏ��هﺎ(‪Exercises .‬‬ ‫•‬
‫‪Analysis‬‬
‫‪Awareness‬‬ ‫‪Risk‬‬
‫‪and Training‬‬ ‫‪Assessment‬‬
‫اﻟ��ﺰ�اﳌﺎ��‪.‬‬ ‫•‬
‫‪Incident‬‬
‫أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‪Response Plan.‬‬ ‫•‬
‫‪Continuity Plan‬‬ ‫‪Continuity‬‬
‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى‪Strategy‬‬
‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‪ ،‬واﻟﻌﺎﻣﻠ�ن‪ ،‬واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬
‫‪Media‬‬
‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ��‬
‫اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ‪Response Plan‬‬
‫‪Figure 3 Components of BCM Program operations‬‬
‫‪25‬‬
‫‪39‬‬
‫‪25‬‬
Additional groups may be created to facilitate the development of the BCM
Program. These comprise of:
 BCM Steering Committee – A Top Management group consisting of
executives, officers or section heads, whose responsibility is to
provide ‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬
‫�ا��ﺎﻃﺮ‬‫ ﻗﺒﻮل‬advice, guidance and management
‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬supervision.
 Incident Management Team – A team involved in incident response,
whose responsibility is to resolve coordination issues and provide
assistance in the management of the incident.
All staff who has been assigned to positions and duties‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬ or roles -1and
responsibilities in the BCM Program
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ should be equipped
��‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬‫�اﺳﺘﻤﺮ‬with awareness,
education,
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ and training so that they can accomplish
.‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ their responsibilities in
maintaining and operating the BCM Program of the organization.
Confirmation of the effectiveness of the BC Capability of the organization
can be provided through audited reports and post exercise reports
Outcomes of a BCM Program:
Outcomes.(‫وﻏ��هﺎ‬
of an،‫ا��ﻮادم‬ ،‫�اﻟﺒﻴﺎﻧﺎت‬
effective BCM ‫)ﻣﺮﻛﺰ‬ ‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت‬
Program may include the following:•
 Staffs are trained to respond effectively to .‫�اﳌﻌﻠﻮﻣﺎت‬ a disruption
 Enables incident management capability
.��‫�ا��واﻟﺪو‬ of the organization•
 Regulations from government authorities and emergencies .��‫• اﻟ��ﺰ�اﳌﺎ‬are
properly developed, understood and documented .‫• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬
 Compliance of the organization with its legal and regulatory is
maintained
 Interested parties’
‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬ requirements
‫ واﻷﻃﺮ‬،‫واﻟﻌﺎﻣﻠ�ن‬ are‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى‬
،‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‬ well understood
 The organization understands
��‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ its prioritized activities.
 Protection‫واﻟﺸﺮ�ﺎء‬
‫ واﳌﻮارد‬،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬ of the،‫ل‬organization’s reputation
‫ واﻷﺻﻮ‬،‫ واﻟﻌﺎﻣﻠ�ن‬،‫واﳌﻌﻠﻮﻣﺎت‬ ،‫ واﻷﻧﻈﻤﺔ‬،‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‬
 Adequate communication and support to.‫�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬
staff in the event of ‫ى‬a‫اﻷﺧﺮ‬
disruption.
26
39
26
8.1. Business Impact Analysis :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
Introduction
The Business Impact Analysis (BIA) is the process for analyzing business
activities and the impacts of disruptive incidents that may happen over
time. It provides information
‫ ا��ﺎﻃﺮ‬from which relevant business continuity
strategies for continuity are determined.
The purpose of BIA is to identify and prioritize the activities which

contribute to the identified process ‫ر‬or
‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬ ‫ﻣﺴﺎ‬processes
3 ‫ﺷ�ﻞ‬ that deliver the most
urgent products and services, and to determine the resources required for
the continuity and recovery of these activities
Goals of .‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬
BIA ‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
 To determine the prioritized activities
:‫�اﻟﺘﺎﻟﻴﺔ‬ and‫�ﻣﺼﺎدر‬
‫�ﺣﺪوث�ا��ﺎﻃﺮ‬ their time frames for
resuming .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن‬
 To assess and analyze the requirements of prioritized
.‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬ activities
‫ا��ﺴﺎﺋﺮ‬ • for
their recovery and continuity .(‫ وﻏ��هﺎ‬،‫ واﳌﻴﺎﻩ‬،‫• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‬
 To assess and analyze the impacts of not performing the prioritized
activity
 To evaluate the time span after the occurrence of an incident in
which an activity or product should ‫ى‬be
.��‫�ا��واﻟﺪو‬ ‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮ‬
restored or resources• and
assets should be regained. .��‫• اﻟ��ﺰ�اﳌﺎ‬
 To evaluate the maximum interruption /downtime the organization
can tolerate. .‫• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬
Techniques
‫�اﺳﺘﻤﺮار�ﺔ‬ to collect‫ﺮ‬BIA
‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ‬ ‫ واﻷﻃ‬،‫ واﻟﻌﺎﻣﻠ�ن‬،‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن‬
Depending on the nature, ‫ﺮ‬size,
��‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ and the complexity of the organization,
‫اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃ‬
‫واﳌﻮارد‬collecting BIA data
،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬ techniques
‫واﻟﺸﺮ�ﺎء‬ may vary
،‫ واﻷﺻﻮل‬،‫واﻟﻌﺎﻣﻠ�ن‬ from one
،‫واﳌﻌﻠﻮﻣﺎت‬ organization
،‫واﻷﻧﻈﻤﺔ‬ to another.
27
39
27
One-on-one interviews :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
This approach enables an organization to have an active interaction with
the staff, to investigate, and to formulate questioning to obtain the
required information.
Management / supervisor workshops
Data collection workshops can prove to be an effective and efficient mode
of collecting required data. Determine the suitable/appropriate level of
participating persons. Identify workshop completion criteria to ensure that
the facilitator and participants have clear idea about what is expected out
of them, what are the required outcomes, and how the workshop will come
to a conclusion.
��‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬
Questionnaire
The most common method utilized for data collection is the questionnaire.
BIA questionnaires must be designed with utmost care to ensure that the
right questions are asked and they .‫ﻣﻨﮫ‬ are‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء‬
easily understood ‫ﺮ‬in‫ا��ﺴﺎﺋ‬ its real• context.
After collecting the information through
.(‫ وﻏ��هﺎ‬،‫واﳌﻴﺎﻩ‬ questionnaires,
،‫)اﻟﻜهﺮ�ﺎء‬ ‫اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ‬face• to face
interviews.(‫وﻏ��هﺎ‬
must،‫ا��ﻮادم‬
be conducted to ‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت‬
،‫)ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت‬ clarify doubts arising from any answer. •
.‫ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬ •
BIA Information analysis .��‫• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى�ا��واﻟﺪو‬
In order to identify critical information and processes, .��‫�اﳌﺎ‬ as well
‫ اﻟ��ﺰ‬as •potential
disaster impacts, the information gathered during BIA must be evaluated
and analyzed thoroughly. The information gathered from BIA should
include:
Validation procedure
‫ﺮ�اﺳﺘﻤﺮار�ﺔ‬‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃ‬ should
‫ واﻷﻃﺮ‬،‫واﻟﻌﺎﻣﻠ�ن‬ be carried
،‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‬ out in order to ensure the
information gathered from the BIA
 Detailed and
‫ واﳌﻮارد‬،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬ comprehensive
‫واﻟﺸﺮ�ﺎء‬ ،‫ واﻷﺻﻮل‬،‫واﻟﻌﺎﻣﻠ�ن‬understanding
،‫ واﳌﻌﻠﻮﻣﺎت‬،‫واﻷﻧﻈﻤﺔ‬of ،‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‬
organization’s
prioritized activities and services
 Identification of activities that provide support to such prioritized
activities provided.
28
39
28
 Assessing the potential impacts of a disruption on these activities.
When assessing impacts, the following should be address:
 Adverse effects on staff or public well-being;
 Consequences of breaching legal or regulatory requirements;
 Impact
‫�ا��ﺎﻃﺮ‬ ‫ ﻗﺒﻮل‬on the reputation ; ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
 Financial Impact; ‫ا��ﺎﻃﺮ‬
 Operational Impact
 Estimating how long it would take for the impacts to become
unacceptable ‫ ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬3 ‫ﺷ�ﻞ‬
 Identifying dependencies between activities; and identifying each
activity’s dependency on supporting resources, including ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
suppliers -1
and other relevant interested
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ parties.
��‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬ ‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮ‬
The prioritized timeframe for resuming an
 .‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ activity may be referred
to as Recovery Time Objective :‫(ﺮ�اﻟﺘﺎﻟﻴﺔ‬RTO). The‫�ﻣﺼﺎدر‬
‫�ﺣﺪوث�ا��ﺎﻃ‬ RTO‫ر‬may take into account
‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎ‬
dependencies of interrelated activities and the time
.‫�اﻟﻌﺎﻣﻠ�ن‬ within which
the impacts of not resuming the activity would become acceptable.
Outcomes of BIA
BIA findings are properly documented in a formal report; a typical BIA
.(‫ وﻏ��هﺎ‬following:
report includes ،‫ ا��ﻮادم‬،‫• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت‬
 Project Overview .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬
 Executive summary .��‫• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى�ا��واﻟﺪو‬
 Scope .��‫• اﻟ��ﺰ�اﳌﺎ‬
 Data collection and analysis methodology.‫• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬
 Summary of BIA findings
 Detailed BIA findings (by departments)
 Charts and graphs
‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬ ‫واﻷﻃﺮ‬to illustrate
،‫واﻟﻌﺎﻣﻠ�ن‬ potential
،‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‬ impacts (e.g., financial,
information, operational,
��‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ reputational, regulatory )
 Recommendations
‫ واﳌﻮارد‬،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬ ‫ واﻟﺸﺮ�ﺎء‬،‫ واﻷﺻﻮل‬،‫ واﻟﻌﺎﻣﻠ�ن‬،‫ واﳌﻌﻠﻮﻣﺎت‬،‫ واﻷﻧﻈﻤﺔ‬،‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‬
 Future Steps .‫اﻷﺧﺮى�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬
 Appendices may include:
 BIA Impact Criteria
 BIA Attendees
29
39
29
Report presentation to Top Management :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
After the BIA outcomes have been documented and consolidated, the
formal BIA report must be presented to the Top Management as per the
approved mechanisms of the organization.
8.2. Risk Assessment ‫ا��ﺎﻃﺮ‬
While BIA assists in identifying some of the BC risks, a detailed and a

comprehensive assessment about threat and vulnerability is still required
for the identification of‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
a wide range‫ﻣﺴﺎر‬ of 3risks
‫ ﺷ�ﻞ‬and the likelihood of their
occurrence. Risk Assessment is the process in which risks is identified,
analyzed and evaluated.
Purpose .‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬
of Risk Assessment ‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
 Risk Assessment provides :‫�اﻟﺘﺎﻟﻴﺔ‬ a mechanism
‫�ﺣﺪوث�ا��ﺎﻃﺮ‬ for the‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر‬
‫�ﻣﺼﺎدر‬ identification of the
risks that represent opportunities as well as.‫�اﻟﻌﺎﻣﻠ�ن‬ the risks that represent
potential pitfalls. .‫• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬
 It enables the organizations to have a clear idea of variables to
which they may be exposed, whether internal or external,
retrospective or forward-looking
Risk Assessment Process: .��‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى�ا��واﻟﺪو‬ •
.��‫اﻟ��ﺰ�اﳌﺎ‬ •
Risk Risk
Risk Analysis Risk Evaluation
Identification Acceptance
Figure 4 Risk Assessment Process .‫اﻷﺧﺮى�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬
30
39
30
1. Risk Identification :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
The business continuity risk identification is based on the results of the
business impact analysis. This analysis specifies the business services carried
out by BCM Team or Section, and specifies their importance in terms of
prioritized ‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬
‫�ا��ﺎﻃﺮ‬activates.
‫ﻗﺒﻮل‬ For these services, the following
‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬sources of risk shall be
considered: ‫ا��ﺎﻃﺮ‬
• Unavailability of staff;
• Destructive loss of all or part of a building;

• Major physical utilities (power, water, etc.);
• Loss of ICT functions (data center, servers, etc.);
• Unavailability
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ of information;
• National / international crisis or disaster;
• Financial shortcomings;
.‫ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬ •
• Unavailability of transportation;
.(‫ وﻏ��هﺎ‬،‫ واﳌﻴﺎﻩ‬،‫اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‬ •
• Any issues.(‫وﻏ��هﺎ‬
or problems with business
،‫ ا��ﻮادم‬،‫�اﻟﺒﻴﺎﻧﺎت‬ partners and/or suppliers.
Interviews with relevant functional managers, employees .‫�اﳌﻌﻠﻮﻣﺎت‬

and‫ﻋﺪم�ﺗﻮﻓﺮ‬ •
stakeholders
shall be used to identify the business continuity
.��‫�ا��واﻟﺪو‬ ‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى‬
risks and the questionnaire• in
could be used. The identified risks shall address disruption to the
.��‫�اﳌﺎ‬ organization
‫اﻟ��ﺰ‬ •
prioritized activities related to processes, systems, information, people,
.‫ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ • assets,
outsource partners, and other resources that support
.‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬ these business •
processes.
31
39
31
2. Risk Analysis :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
Risk Analysis Scales
All risks that have been identified need to be analyzed to assess their severity to
ensure that the most important risks are treated first. All risks that have been
identified‫�ا��ﺎﻃﺮ‬
are a‫ل‬compound
‫ﻗﺒﻮ‬ of ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
Impact – how big is the impact of the risk occurring to organization’s business and
to the objectives?
Likelihood/Probability – how likely are the identified risks to occur?

The generic and the discipline-specific risk analyses that needs to take place are
using the same scales, to ensure that the different risks can be compared and the
results are consistent. Table 1 below illustrates an example to the scales used for
this‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ .‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬
risk analysis are: ‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
Impact Scale:
Impact Scale
.‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬‫• ا��ﺴﺎﺋﺮ‬
Very High High .(‫وﻏ��هﺎ‬Medium Low ‫ اﳌﺮ‬Very
،‫ واﳌﻴﺎﻩ‬،‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‬ • Low
5 .(‫ وﻏ��هﺎ‬،‫ ا��ﻮادم‬4،‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت‬
3 2 • 1
The impact of The impact of The impact of The impact
.‫�اﳌﻌﻠﻮﻣﺎت‬ ‫ﻋﺪم�ﺗﻮﻓﺮ‬The •impact
this risk is this risk is this risk is ‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى‬
.��‫�ا��واﻟﺪو‬ of this risk of this
• risk
very high, its high, there medium, its occurring is occurring is
.��‫• اﻟ��ﺰ�اﳌﺎ‬
occurrence are major effect has low, there is very low,
would be disturbance some minor effect there is no
extremely or .‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬
negative ‫أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء‬
on the •
or negligible
negative for disruptions effect, but organization impact on
organization, coming from the overall the
up to a total this risk damage is organization
disaster limited
.‫�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬
Table 1 Example of Impact
‫اﻷﺧﺮى‬
Scale
32
39
32
The following table (2) shows an example of samples of impacts related to the
various parts to support the identification of the right impact level:
Impact Level Possible Impacts

 extensive long term business interruption, possibly
‫ﻗﺒﻮل�ا��ﺎﻃﺮ‬ indefinitely ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
Very High 5  failure of organization to meet its objectives
 extensive effect on stakeholders for several months
 huge financial loss greater than AED 5M
 major business disruption
‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬ ‫ ﻣﺴﺎر‬longer
3 ‫ ﺷ�ﻞ‬than identified RTOs
for significant business operations
High 4  major project disruption
 major effect on stakeholders for at least a month
 major financial loss between AED ‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
500,000 – AED 4,9M
 business disruption :‫�اﻟﺘﺎﻟﻴﺔ‬
‫�ﺣﺪوث�ا��ﺎﻃﺮ‬
partly longer‫�ﻣﺼﺎدر‬
than‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر‬
the identified
RTO (but quick resumption) .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن‬
 considerable project.‫ﻣﻨﮫ‬ disruption
‫• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء‬
Medium 3
 noticeable damage .(‫ وﻏ��هﺎ‬to stakeholders
،‫واﳌﻴﺎﻩ‬ for several‫اﳌﺮ‬weeks
،‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‬ •
considerable
 ،‫ا��ﻮادم‬
.(‫وﻏ��هﺎ‬ ،‫ﺰ�اﻟﺒﻴﺎﻧﺎت‬financial loss between AED 250,000 –•AED
‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛ‬
499,999
 minor disruption to business operations
 minor project disruption .��‫• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى�ا��واﻟﺪو‬
Low 2  minor damage to stakeholders for a limited .��‫ﺰ�اﳌﺎ‬time
��‫ اﻟ‬period
•
 minor financial loss less in the range AED‫ﺮ‬10,000
.‫�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ ‫• – ﻋﺪم�ﺗﻮﻓ‬AED
249,999 .‫• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬
 no or negligible disruption to business operations
 no or ‫ﺮ‬negligible
‫ واﻷﻃ‬،‫واﻟﻌﺎﻣﻠ�ن‬project
،‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‬ ‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى‬
disruption
Very Low 1
 no or negligible damage to stakeholders
‫ واﳌﻮارد‬،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬
 very low،‫ل‬financial
‫واﻟﺸﺮ�ﺎء‬ ‫ واﻷﺻﻮ‬،‫واﻟﻌﺎﻣﻠ�ن‬
loss ،‫واﳌﻌﻠﻮﻣﺎت‬
less than،‫واﻷﻧﻈﻤﺔ‬
AED 9,999 ،‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‬
Table 2 Example of Impact ‫ى‬
.‫�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬ ‫اﻷﺧﺮ‬
Analysis
Moreover, further categories to risks may be added that suits the needs of the
organization, Table (3) shows examples of risk categorization and related risks:
33
39
33
‫‪Risk Category‬‬ ‫‪Relative Risks‬‬
‫‪Process Delay‬‬
‫‪Absence of key staff‬‬
‫‪Operations‬‬ ‫‪Procedural Flaws‬‬
‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬ ‫‪Process Non‬‬ ‫‪Compliance‬‬
‫ا��ﺎﻃﺮ‬ ‫‪Supply Chain disruption‬‬
‫‪Mass absenteeism‬‬
‫‪Disgruntled Employee‬‬
‫‪PEOPLE‬‬
‫‪Thefts, Frauds‬‬
‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬ ‫‪and‬‬
‫ﻣﺴﺎر‬ ‫‪Employee Infidelity‬‬
‫ﺷ�ﻞ ‪3‬‬
‫‪Sabotage by employee‬‬
‫‪Building Collapse‬‬
‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ��ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬
‫)‪Flood (burst pipes‬‬
‫‪Premises‬‬
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ ‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‪.‬‬
‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‪Bomb Explosion‬‬
‫‪/ Threat‬‬
‫‪Power‬ﺮ�اﻟﺘﺎﻟﻴﺔ‪:‬‬
‫�ﺣﺪوث�ا��ﺎﻃ‬‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر‬
‫‪Outage‬‬
‫‪Confidentiality of Data‬‬
‫‪Data‬ﻣﻨﮫ‪.‬‬
‫‪corruption‬‬
‫ا��ﺴﺎﺋﺮ‬ ‫•‬
‫‪Information‬‬
‫‪Data‬وﻏ��هﺎ(‪.‬‬
‫‪security‬واﳌﻴﺎﻩ‪،‬‬
‫‪)breaches‬اﻟﻜهﺮ�ﺎء‪،‬‬
‫اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ‬ ‫•‬
‫‪Security of Data‬‬
‫ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‪.‬‬
‫‪Confidentiality of Electronic Data‬‬
‫•‬
‫ى ‪Security of‬‬
‫�ا��واﻟﺪو��‪.‬‬ ‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮ‬
‫‪Electronic‬‬ ‫‪Data‬‬ ‫•‬
‫‪Network Link failure / Outage‬‬
‫اﻟ��ﺰ�اﳌﺎ��‪.‬‬ ‫•‬
‫‪Cyber Attack‬‬
‫‪Technology‬‬ ‫ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‪.‬‬ ‫•‬
‫‪Configuration changes‬‬
‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‪.‬‬ ‫أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء‬
‫‪Obsolete‬‬ ‫•‬
‫‪Cabling failure, destructions‬‬
‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‪ ،‬واﻟﻌﺎﻣﻠ�ن‪ ،‬واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى‬
‫‪Software‬‬ ‫‪bugs‬‬
‫‪Earthquake‬‬
‫‪Epidemics‬‬
‫‪Environmental‬‬ ‫اﻷﺧﺮى�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‪.‬‬
‫‪Unsustainable Weather‬‬
‫‪Flood‬‬
‫‪34‬‬
‫‪39‬‬
‫‪34‬‬
Terrorism
Man-Made Political Protests
Worker Strikes
Table 3 Examples of Risk Categorization
Likelihood Scale:
‫�ا��ﺎﻃﺮ‬‫ﻗﺒﻮل‬ ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
The second part of the risk analysis is the determination of the risk likelihood. For
the risk assessment methodology, we might use a quantitative approach, as the
information available in many cases is not sufficient to allow an analysis using a
qualitative scale. The likelihood ‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
of a risk is ‫ر‬distinguished
‫ ﻣﺴﺎ‬3 ‫ﺷ�ﻞ‬ using the table below,
and the following considerations can help to identify an appropriate‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬ likelihood-1for
a risk in question:
 If objective information, such as records of past events, are available they
should be used
 Without objective information, :‫�اﻟﺘﺎﻟﻴﺔ‬interviews with
‫�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ‬ stakeholders and
employees can be used to get a first impression .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن‬
 Information from other UAE governments or other organizations can also
help to assess the likelihood
Another important part
.(‫وﻏ��هﺎ‬ of ،‫�اﻟﺒﻴﺎﻧﺎت‬
،‫ا��ﻮادم‬ the likelihood estimation is the consideration
‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ‬ • of
existing controls to manage the risk – if controls .‫�اﳌﻌﻠﻮﻣﺎت‬ of any‫ﻋﺪم�ﺗﻮﻓﺮ‬
kind have • been
implemented, they will help to protect against the risk and will make its
occurrence less likely. Controls can vary depending on the discipline-specific risks
.��‫• اﻟ��ﺰ�اﳌﺎ‬
considered, but it is important to take them into account.
In the same way, controls not in place can actually increase the likelihood of the
identified risks. Any control that is incompletely implemented or not properly
documented will make the ‫ﺮ‬organization
‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬ vulnerable,
‫ واﻷﻃ‬،‫ واﻟﻌﺎﻣﻠ�ن‬،‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‬ and therefore increase the
risk��‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬
likelihood. ‫اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ‬
35
39
35
Based on all of the above considerations, table (4) below is an:‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
example of the
likelihood of each risk might be estimated using this scale:
Likelihood Scale
Very ‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬
‫ﻗﺒﻮل�ا��ﺎﻃﺮ‬Unlikely Possible Likely
‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ Almost Certain
Unlikely ‫ا��ﺎﻃﺮ‬
1 2 3 4 5
Less than 1 Less than 1 Once or twice Between 3 At least 5 per
in 5 years per year per year and 5 per year year
Extremely Unlikely, but The event
‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬ There is a
‫ ﻣﺴﺎر‬3 ‫ﺷ�ﻞ‬ Very likely! The
unlikely there's a might occur strong event is
events, not slight at some time, possibility the expected to
expected to possibility it e.g. as there
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ event will occur
��‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬ in most
happen may occur at is a history of occur, e.g. as circumstances,
some time casual there is a‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
e.g. as there is a
occurrence:‫�اﻟﺘﺎﻟﻴﺔ‬
at ‫ﺮ‬history
‫�ﺣﺪوث�ا��ﺎﻃ‬of ‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر‬
history of
the frequent regular
organization occurrence at occurrence at
or similar .‫ﻣﻨﮫ‬the ‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء‬
the‫ﺮ‬organization
‫• ا��ﺴﺎﺋ‬
organizations organization
.(‫ وﻏ��هﺎ‬،‫واﳌﻴﺎﻩ‬ or similar
،‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‬ ‫• اﳌﺮ‬
or similar organizations
.(‫ وﻏ��هﺎ‬،‫ ا��ﻮادم‬،‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت‬ •
organizations
Table.‫�اﳌﻌﻠﻮﻣﺎت‬
4 Example‫ﻋﺪم�ﺗﻮﻓﺮ‬ •
of Likelihood Scale
.��‫�ا��واﻟﺪو‬‫• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى‬
Further detailed likelihood scales can be used to emphasize on the probabilities
and quantified prediction of risk occurrence. .��‫• اﻟ��ﺰ�اﳌﺎ‬
36
39
36
‫‪3. Risk Evaluation:‬‬ ‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‪:‬‬
‫‪The results of the risk analysis (also defined as Risk Value) shall be compared with‬‬
‫‪predefined risk criteria to determine whether a risk is acceptable or needs risk‬‬
‫‪treatment. Basis of the comparison is the risk calculation and the level of‬‬
‫‪acceptable‬‬ ‫ﻗﺒﻮل‪risk.‬‬ ‫‪ methodology uses the following table to‬ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬
‫‪This risk assessment‬‬
‫�ا��ﺎﻃﺮ‬ ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
‫‪assess the overall risk criticality:‬‬
‫‪Risk Matrix‬‬
‫‪Very High‬‬
‫‪High‬‬
‫‪Impact‬‬
‫‪Medium‬‬ ‫‪ -1‬ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
‫‪Low‬‬
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ��‬
‫‪Very Low‬‬
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ ‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‪.‬‬
‫‪Very‬‬ ‫‪Almost‬‬
‫�اﻟﺘﺎﻟﻴﺔ‪Unlikely :‬‬‫‪Possible‬‬ ‫‪Likely‬‬
‫�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ‬ ‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر‬
‫‪Unlikely‬‬ ‫‪Certain‬‬
‫‪Likelihood‬‬ ‫�اﻟﻌﺎﻣﻠ�ن‪.‬‬
‫ﺮ‬ ‫ﻋﺪم�ﺗﻮﻓ‬ ‫•‬
‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‪.‬‬
‫ا��ﺴﺎﺋﺮ‪Table 5‬‬ ‫‪• Matrix‬‬
‫‪Example Risk‬‬
‫‪Risk Value:‬‬ ‫اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‪ ،‬واﳌﻴﺎﻩ‪ ،‬وﻏ��هﺎ(‪.‬‬ ‫•‬

‫• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت‪ ،‬ا��ﻮادم‪ ،‬وﻏ��هﺎ(‪.‬‬
‫‪Quantifying risk value once impact and likelihood has been calculated as shown in‬‬
‫• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‪.‬‬
‫‪table (6) will help interpret identified risks based on the risk interpretation table‬‬
‫‪(7).‬‬ ‫• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى�ا��واﻟﺪو��‪.‬‬
‫• اﻟ��ﺰ�اﳌﺎ��‪.‬‬
‫‪Risk Value‬‬
‫• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‪.‬‬
‫‪Very Low‬‬ ‫‪Low‬‬ ‫‪Medium‬‬ ‫‪High‬‬ ‫‪Very High‬‬
‫• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‪.‬‬
‫‪1-2‬‬ ‫‪3-4‬‬ ‫‪5-8‬‬ ‫‪9-15‬‬ ‫‪16-25‬‬
‫‪Table 6 Example Risk Value‬‬
‫‪37‬‬
‫‪39‬‬
‫‪37‬‬
Interpretation of the Risk Levels: :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
Risk Value
Very Low Low Medium High Very High
1 2 3
‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬ 4 5
No action No action Risk of this level Risks of that
‫ا��ﺎﻃﺮ‬ These risks
required required can or cannot be level need to have a very
treated, they be treated to high or
need to be manage the catastrophic
considered on a situation impact on the
case by case organization
basis ‫ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬-1
Table 7 Example of Interpretation of Risk Levels
4. Risk
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ Acceptance Criteria
In accordance with risk ratings defined above in table (7), only very low
and low risks can be readily accepted, and risks of a medium level
.‫�اﻟﻌﺎﻣﻠ�ن‬ need to
be investigated on a case-by-case basis –.‫ﻣﻨﮫ‬
the‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء‬
decisions taken need ‫ا��ﺴﺎﺋﺮ‬to be
•
explained. Risks of high and very high level
.(‫وﻏ��هﺎ‬ should
،‫واﳌﻴﺎﻩ‬ ،‫)اﻟﻜهﺮ�ﺎء‬always be considered
‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ‬
‫• اﳌﺮ‬
for risk treatment, but،‫ا��ﻮادم‬
.(‫وﻏ��هﺎ‬ can be accepted
،‫�اﻟﺒﻴﺎﻧﺎت‬ if one or more of the following
criteria apply: .‫ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬ •
 The cost of risk treatment outweighs the impact of the risk
.��‫• اﻟ��ﺰ�اﳌﺎ‬
occurring;
 The actions for risk treatment are not practical within the organization
business, work environment or culture;
 There are no legal implications when this risk is accepted;
 There
‫واﳌﻮارد‬ are only tolerable
،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬ ‫ واﻟﺸﺮ�ﺎء‬،‫ل‬impacts on organization’s
‫ واﻷﺻﻮ‬،‫واﻟﻌﺎﻣﻠ�ن‬ business
،‫ واﳌﻌﻠﻮﻣﺎت‬،‫واﻷﻧﻈﻤﺔ‬ objectives.
Record Findings
Document the findings and prepare the proposed solutions in a report
submitted to Top Management.
38
39
38
Review and Monitor :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
Changes are continuously happening in the organization therefore all BCM
related documents should be reviewed at periodic intervals so that they
remain up to date.
Risk Assessment outcomes ‫ا��ﺎﻃﺮ‬
Risk Assessment outcomes should include the following:
 Risks that could result in the disruption or suspension of the
organizations prioritized activities, classified by level of impact.
 Single points of failure (SPoF) associated with such as physical risks
or resources. ‫ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬-1
 Actions required to reduce
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ the risk of disruption‫ﺮ‬or
��‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬ ‫�اﺳﺘﻤ‬suspension of
the organization’s prioritized activities. ‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
8.3. Business Continuity (BC) Strategies .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن‬
After the BIA has been completed,.‫ﻣﻨﮫ‬ the‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء‬
next step is to form ‫ا��ﺴﺎﺋﺮ‬ •
BC Strategies.
The organization should identify .(‫وﻏ��هﺎ‬recovery solutions
،‫ واﳌﻴﺎﻩ‬،‫)اﻟﻜهﺮ�ﺎء‬ for key ‫ﺮ‬dependencies
‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ‬ ‫• اﳌ‬
and potential.(‫وﻏ��هﺎ‬interim business
،‫ ا��ﻮادم‬،‫�اﻟﺒﻴﺎﻧﺎت‬ processes. These will be based• on the
findings from BIA and the RA process and should be appropriate
.‫�اﳌﻌﻠﻮﻣﺎت‬ ‫ • ﻋﺪم�ﺗﻮﻓﺮ‬for the
organization. The organization should also evaluate the BCM competency
of suppliers and the least possible requirement for the continuation of the
.��‫• اﻟ��ﺰ�اﳌﺎ‬
prioritized activities.
Identify the appropriate measures for the control .‫�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬
of ‫ﺮ‬the
‫ﻋﺪم�ﺗﻮﻓ‬
risks.• Identify
treatments that can ensure.‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬
the achievement of the business continuity
‫أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء‬ •
objectives and are according to the Risk Appetite of the organization.
��‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬
Once a risk has been identified, ‫اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ‬
a treatment strategy should be developed
‫واﳌﻮارد‬and
،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬
recorded in the risk،‫ل‬register.
‫واﻟﺸﺮ�ﺎء‬ ‫ واﻷﺻﻮ‬،‫واﻟﻌﺎﻣﻠ�ن‬ ،‫واﳌﻌﻠﻮﻣﺎت‬should
Risk register ،‫واﻷﻧﻈﻤﺔ‬include:
 Risk-related tasks; .‫اﻷﺧﺮى�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬
 Responsibilities entrusted to specific individuals or positions, to
ensure tasks performance;
 The date when such task should be completed;
39
39
39
 Resources required to complete the task; and :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
 Name of the person who approves task completion
8.3.1. Determination and choice of BC strategy should be done on the basis

of ‫�ا��ﺎﻃﺮ‬
outputs‫ﻗﺒﻮل‬from the analysis of BIA and ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬
RA. The organization must define
‫ا��ﺎﻃﺮ‬for:
appropriate strategy options
 the protection of prioritized activities;
 reducing, and managing the impacts;
 recovery and resuming of prioritized
‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬ activities.
‫ ﻣﺴﺎر‬3 ‫ﺷ�ﻞ‬
In many cases, a number of treatments can be applied to ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬ a risk and -1the
overall strategy may require a combination
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ of treatments
��‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬ to‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ‬
‫�اﺳﺘﻤﺮ‬ reduce the risk
to an acceptable
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ level. The following Business Continuity
.‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ strategy should be
taken into account: :‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ‬
 Back-up Sites (Split/ Dual site operations)
This strategy involves performance of prioritized activities at two or more
geographically dispersed sites.(‫وﻏ��هﺎ‬ ،‫ واﳌﻴﺎﻩ‬،‫)اﻟﻜهﺮ�ﺎء‬
so operations ‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ‬
continue from other ‫ اﳌﺮ‬site
• when
one site fails. These
.(‫وﻏ��هﺎ‬ arrangements
،‫ا��ﻮادم‬ are two ways i.e. any site fails, the
،‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت‬ • other
continues to deliver. Both sites are in full operation technically
.‫�اﳌﻌﻠﻮﻣﺎت‬ ‫ ﻋﺪم�ﺗﻮﻓﺮ‬during
• BAU
(business as usual) times. This is.��‫�ا��واﻟﺪو‬
suitable, especially for financial or• security
organizations, where the recovery time objective “RTO” is measured in
.��‫• اﻟ��ﺰ�اﳌﺎ‬
minutes or hours rather than days.
 Alternative Sites .‫• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬

A strategy similar to the back-up sites strategy involves the use of another
facility to perform the organizations prioritized activities at a site
geographically dispersed from the primary site. Using this strategy, the first
site can be operational and in use while the other is inactive but available
for use. An actively ready site is commonly known as a ‘hot’ site and an
inactive site which is ready for use is commonly known as a ‘warm site’.
Where arrangements to build or renovate a site in times of emergency,
40
39
40
crisis or disaster rather than at a previous time are conducted, such site
would be known as ‘cold’ site. Implementing this strategy involves moving
personnel to the predefined alternative site after an emergency, crisis or
disaster strikes. The alternative site may be a facility provided by a third-
party, or‫ل‬a‫ﻗﺒﻮ‬common site which is related to
‫�ا��ﺎﻃﺮ‬ the local or federal
‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ government.
A ‘hot site’ strategy is ‫ا��ﺎﻃﺮ‬good where RTOs are very short (in minutes); a
‘warm site’ strategy is good for relatively longer RTOs (in days); while a
’cold site’ strategy works well when RTOs are very long (in weeks and
months). Staff can be moved to the alternative site quickly enough, to
continue performance of prioritized activities within RTO. The success of
this strategy depends on whether staffs are able and willing ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬ to work at-1the
alternative site for a prolonged period
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ of time when necessary.
��‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬
 Outsourcing
Another strategy that can be employed to reduce risk is to outsource or
contract performance of prioritized activities to a third-party depending on
the nature of the organization. .‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬
To that end, memorandum ‫• ا��ﺴﺎﺋﺮ‬ of
understanding (MOU), Service Level
.(‫وﻏ��هﺎ‬ ،‫واﳌﻴﺎﻩ‬Agreements (SLA) or
،‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‬ ‫ اﳌﺮ‬other
• legal
formats should be concluded
.(‫ وﻏ��هﺎ‬،‫ا��ﻮادم‬ with outsourcers. This option • may be
،‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت‬
preferable in manufacturing, where the added cost incurred
.‫�اﳌﻌﻠﻮﻣﺎت‬ ‫ ﻋﺪم�ﺗﻮﻓﺮ‬to •establish
back-up or alternative sites might be higher
.��‫�ا��واﻟﺪو‬ than the benefits •resulting
from the project. At times, the only outsourcing option might be to enter
.��‫• اﻟ��ﺰ�اﳌﺎ‬
into contract with another organization that is engaged in the same type of
business, which could be a competitor. In this.‫�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ case, the ‫ﻋﺪم�ﺗﻮﻓﺮ‬ • of risk
benefits
treatment need to be weighed .‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬
against the‫أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء‬
risk of creating dependency • on a
competitor. Such arrangements are also known as ‘mutual aid
‫�اﺳﺘﻤﺮار�ﺔ‬‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ‬ ‫ واﻷﻃﺮ‬،‫واﻟﻌﺎﻣﻠ�ن‬ ،‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‬ ‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى‬
arrangements’. As regards short- RTO products and services, outsource
��‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ ‫ﺮ‬ ‫اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃ‬
contracts should be concluded in advance. However, when it comes to
‫واﳌﻮارد‬products
and services ،‫واﻷﺻﻮل‬
‫ واﻟﺸﺮ�ﺎء‬with ،‫واﻟﻌﺎﻣﻠ�ن‬
longer ،‫واﳌﻌﻠﻮﻣﺎت‬
RTOs, ،‫واﻷﻧﻈﻤﺔ‬
it may be ،‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‬
possible to wait until
.‫�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬
after the event to conclude the contract. There is, however, a risk in waiting ‫اﻷﺧﺮى‬
until after an event has occurred to establish a contract – for, by that time
the outsource partner may be fully committed and unable to meet the
organization’s needs. Outsourcing or contracting the performance of
41
39
41
prioritized activities to third parties does transfer the risk, but does not
discharge the organization from its legal liability to provide the products
and services to its stakeholders.
 Post-Event
‫ﻗﺒﻮل�ا��ﺎﻃﺮ‬Procurement ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
An additional strategy that can be used for products and services that have
their RTO measured in days or weeks is to purchase such products and
services from vendors and suppliers that can provide the same on short
notice whether for the public or private sectors. This strategy poses the
same risk as waiting until after an event to establish outsourcing
agreements, the vendors and suppliers may have used their available stocks
to meet the needs of other clients.
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ To prevent such a case
��‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬ ‫�اﺳﺘﻤﺮ‬from arising, the
organization
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ may consider warehousing a temporary
.‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ supply of essential
materials for continuity of its prioritized activities. Post-Event Procurement
strategy is not suitable for products or services that require special
equipment or facilities, or skills that are not readily available, or that
require more time to master such as .‫ﻣﻨﮫ‬medical
services or ‫ﺮ‬customer
‫ • ا��ﺴﺎﺋ‬services
at various departments. .(‫ وﻏ��هﺎ‬،‫ واﳌﻴﺎﻩ‬،‫• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‬
 Insurance .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬
Insurance can be purchased to .��‫�ا��واﻟﺪو‬
provide financial compensation for
‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى‬ • loss of
assets, cost of recovery and protection of legal responsibilities. However,
.��‫• اﻟ��ﺰ�اﳌﺎ‬
insurance is unlikely to cover all costs resulting from a disruption, including
the loss of customers, shareholder value, reputation, life or trademark
image. Contingent Business.‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬ ‫أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء‬
Interruption insurance can, in some• cases, is
purchased to cover direct costs related to loss of revenue as a result of
disruption of prioritized activities. However, this type of insurance only
covers business losses which are tied to another insurable loss (e.g. damage
‫واﳌﻮارد‬to،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬
a building, work ،‫واﻷﺻﻮل‬
‫واﻟﺸﺮ�ﺎء‬area, or ،‫واﻟﻌﺎﻣﻠ�ن‬
tools and،‫واﳌﻌﻠﻮﻣﺎت‬ ،‫ واﻷﻧﻈﻤﺔ‬،‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‬
equipment used in such areas,
.‫�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬ ‫اﻷﺧﺮى‬
including IT and non- IT systems). Another type of insurance that is
beginning to appear on the market involves coverage of a wider range of
interruptions and disruptions including failure in the supply chain. Other
42
39
42
types of insurance that may be necessary to protect against risk include
Kidnap and Ransom or Errors and Omissions (professional liability).
 Manual Workaround
Most business ‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬
‫�ا��ﺎﻃﺮ‬‫ ﻗﺒﻮل‬environments today are automated ‫ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬and dependent on the
systems, tools, and equipment ‫ا��ﺎﻃﺮ‬ that either automate or support its
prioritized activities. In some cases, risk treatment can be as simple as using
a manual process, alternative technology and tools, or paper-based
documentation following a disruption. Such paper based work carried out
during recovery needs to be reflected back on to systems when the systems
are available. Hence, the systems should be designed with ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬ a capability-1 of
accepting such transactions. ��‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬
 Cross-training
A very common risk occurs when there is only one person who can perform
a prioritized activity, such as signing cheques, contracts and work
authorizations, maintaining a particular .‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬
system or piece ‫ﺮ‬of ‫ا��ﺴﺎﺋ‬ •
equipment, or
leading development of a new product
.(‫وﻏ��هﺎ‬ ،‫ واﳌﻴﺎﻩ‬or service.
،‫)اﻟﻜهﺮ�ﺎء‬ This risk can
‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ‬ ‫ اﳌﺮ‬be• treated
by cross-training others
.(‫ وﻏ��هﺎ‬،‫ا��ﻮادم‬ to eliminate
،‫�اﻟﺒﻴﺎﻧﺎت‬ the single point of failure and
‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ‬ • ensure
continuity of operations. .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬
Some staff can be trained on professional‫ى‬jobs to perform such important
.��‫• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮ �ا��واﻟﺪو‬
jobs identified in the BIA.
.��‫• اﻟ��ﺰ�اﳌﺎ‬
 Resilient IT Architecture .‫• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬

IT systems in particular have.‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬
many single points ‫أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء‬
of failure. Risk due• to single
points of failure can be mitigated by analyzing the system to locate them in
‫�اﺳﺘﻤﺮار�ﺔ‬ ‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى‬
the‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ‬
‫ واﻷﻃﺮ‬،‫واﻟﻌﺎﻣﻠ�ن‬
organization’s hardware, ،‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‬
software or networks. Once a single point of
��‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬‫ﺮ‬ ‫اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃ‬
failure and the system vulnerabilities that create it are identified, options
‫واﳌﻮارد‬can
be developed‫واﻟﺸﺮ�ﺎء‬ ،‫واﻷﺻﻮل‬the
to reduce ،‫واﻟﻌﺎﻣﻠ�ن‬
risk ،‫واﳌﻌﻠﻮﻣﺎت‬ ،‫واﻷﻧﻈﻤﺔ‬failover
by providing ،‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‬
or rerouting IT
resiliency solutions include high availability architectures such as‫اﻷﺧﺮى‬
.‫�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬ cloud
computing, neural networks, failover software solutions and disk arrays.
There are special standards for BCM technical solutions in IT field.
43
39
43
 Occupational Health and Safety and Environment (OHSE) :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
The risk of damage to the organization by injury, loss of life, or destruction
of property can be reduced by the use of HSE procedures. Such procedures
help reduce the risk of fire, flood, hazards, contamination, and the spread
of ‫�ا��ﺎﻃﺮ‬
infectious ‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬
‫ ﻗﺒﻮل‬disease in the workplace. ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
 Third party Review
Much of the risk arising from the use of third parties and suppliers can be
addressed by due diligence in the procurement and contract process. This
includes:
 Code of conduct / business ethics ‫ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬-1
 Corporate social responsibility
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ Attention to environment
 .‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ ‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
 Health and safety :‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ‬
 Import and export
 International standards, including Business Continuity
 Quality management
 Regulatory and contractual compliance
 Risk.(‫وﻏ��هﺎ‬ ،‫ ا��ﻮادم‬،‫• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت‬
management
 Security level. .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬
The remainder can be addressed by a review of the third-party .��‫ اﻟ��ﺰ�اﳌﺎ‬/• supplier
BC capability programs. A good approach is to.‫�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ ensure that many• of these
risks are assessed and treated in the procurement and contract process,
then measured and reassessed through the organization.
8.3.2. All the resources required
��‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ to determine the selected BC strategies
‫واﳌﻮارد‬should be documented
،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬ ‫ واﻟﺸﺮ�ﺎء‬،‫ل‬and
‫واﻷﺻﻮ‬approved by the ،‫واﻷﻧﻈﻤﺔ‬
،‫ واﻟﻌﺎﻣﻠ�ن‬،‫واﳌﻌﻠﻮﻣﺎت‬ Top Management. Following
are the examples of resources that can be included however should ‫ى‬not be
.‫اﻷﺧﺮ �اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬
limited to:
 People (competence)
 Buildings and facilities
44
39
44
 Information and communication infrastructure :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
 Budget allocation
 Suppliers and service providers
 Resources
 Technology
 People
People are the most critical resources of an organization. It is important for
an organization to identify suitable measures
‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬ ‫ ﻣﺴﺎر‬3 ‫ﺷ�ﻞ‬for maintaining and widening
the availability of fundamental skills and knowledge in case a disruptive
incident occurs that results in the loss of availability of staff. ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬ Techniques-1for
the protection or development of
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ employee skills may consist
��‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬ of:
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ Cross-skill training of staff
 .‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ ‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
 Specialists that can temporary :‫ﺮ�اﻟﺘﺎﻟﻴﺔ‬work
‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃ‬
 Skilled staff at one or more locations in order to reduce
‫ﻋﺪم�ﺗﻮﻓﺮ‬the •impact
of an incident
 Building and Facilities
Size, nature .(‫وﻏ��هﺎ‬and
،‫ا��ﻮادم‬
the،‫�اﻟﺒﻴﺎﻧﺎت‬‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ‬
geographical area of an organization •must be
considered when identifying and considering alternate .‫ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬location.
• Some
factors that must be considered while determining
.��‫�ا��واﻟﺪو‬ alternate location
‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى‬ • are:
 Location Area: If an organization is located in a risky .��‫ﺰ�اﳌﺎ‬area
��‫ اﻟ‬which
• is
susceptible to disruptive incidents, then alternate .‫ﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬location
‫ ﻋﺪم�ﺗﻮﻓ‬must• be
at a large distance from the primary location
 Accessibility: The alternate location must be easily accessible for
staff to travel. ‫ﺮ‬All
‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬ ‫واﻷﻃ‬staff must
،‫واﻟﻌﺎﻣﻠ�ن‬ be well-versed
،‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‬ with the alternate
location map.
 Resources:‫واﻟﺸﺮ�ﺎء‬
‫ واﳌﻮارد‬،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬ The organization
،‫ واﻷﺻﻮل‬،‫واﻟﻌﺎﻣﻠ�ن‬must make،‫واﻷﻧﻈﻤﺔ‬
،‫واﳌﻌﻠﻮﻣﺎت‬ it very،‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‬
clear whether the
resources in the alternate location are shared or possessed only
.‫�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬ by
‫اﻷﺧﺮى‬
the organization. In case the resources are shared, a plan must be
documented and signed to ensure that all resources will be available
when required.
45
39
45
Alternate location can be made available by other organizations or third
parties suppliers.
 Communication and Media

Information ‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬
‫ ﻗﺒﻮل�ا��ﺎﻃﺮ‬essential for the operation ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬
of organization should be secure
‫ ا��ﺎﻃﺮ‬with the time. The organization should draft
and recoverable in accordance
in advance the message templates, scripts, and statements it may need to
communicate with stakeholder groups, employees family’s regarding the
disruptive incident. The organization should designate key and substitute
official spokespersons especially those are trained to interact with media
and communicating with internal and external stakeholders. ‫ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬-1
 Budget.‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ Allocation ‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
The organization shall define possibilities to ensure the finance is available
during and after a disruptive incident. This may consist of making sure
there is budget available for:
 Transportation .‫• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬
 Any emergency purchases .(‫وﻏ��هﺎ‬
for،‫واﳌﻴﺎﻩ‬ ،‫)اﻟﻜهﺮ�ﺎء‬providing
example ‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ‬
food‫ﺮ‬and
‫• اﳌ‬
accommodation
 Heavy purchases such as buying or renting .‫�اﳌﻌﻠﻮﻣﺎت‬ specialist‫• ﻋﺪم�ﺗﻮﻓﺮ‬
equipment/machinery or .��‫�ا��واﻟﺪو‬
buildings ‫• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى‬
.��‫• اﻟ��ﺰ�اﳌﺎ‬
 Suppliers and service providers
It is the responsibility of the organization to identify products, services or
activities provided by the third .‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬
party in the‫أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء‬
BIA process. Therefore,•an
organization should make sure that its suppliers and service providers have
effective continuity arrangements in place (e.g. Service Level Agreements).
In order to gain that surety, organization can view the supplier’s:
 Business Continuity Policy
 Business Continuity Plans
 When and where the plans last updated
 Exercise and maintenance programs.
46
39
46
 Resources :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
During the BIA, the organization should identify the resources that support
the prioritized activities and maintain an inventory of them. Determine the
resources that are essential to implement the business continuity
strategies. ‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬
‫ﻗﺒﻮل�ا��ﺎﻃﺮ‬Not all resources can be stored,‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬
such as specialized equipment’s
/resources or heavy machinery‫ ا��ﺎﻃﺮ‬maybe too expensive to store or may get
damaged if not used for long. If a prioritized activity is heavily dependent
upon specialist equipment/ resource or heavy machinery, the organization
should identify the suppliers that provide those equipment’s/ resources.
Following points can be considered to maintain the supply of such
resources: ‫ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬-1
 Considering more than one
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ supplier
Signing Service Level Agreements with suppliers
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ according to the
RTO of the prioritized activity
 Encouraging suppliers to have business continuity.
Similarly alternate solutions for such resources .‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬

should also be‫ا��ﺴﺎﺋﺮ‬ •
considered. The
organization can consider storing.(‫وﻏ��هﺎ‬ ،‫ واﳌﻴﺎﻩ‬،‫)اﻟﻜهﺮ�ﺎء‬
the resources ‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ‬
at alternate ‫( اﳌﺮ‬if•
location
available), warehouse or shipping
.(‫ وﻏ��هﺎ‬،‫ا��ﻮادم‬ sites.
،‫)ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت‬ ‫• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت‬
 Information and Communication.��‫�ا��واﻟﺪو‬ Technology ‫• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى‬
Information and communication technology options will be subject to the
.��‫• اﻟ��ﺰ�اﳌﺎ‬
size and complexity of the technology employed and its interdependencies
with the prioritized activities. Some organizations hold great amount of
dependency on technology and .‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬
their activities‫أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء‬
cannot be executed•without
technology systems and they must be restored before activities can be
restarted. Where it is possible and practical, the organization may be
required to implement manual operations.
8.3.3. Risk treatment encompasses identification of the range of options for
handling risk, evaluating those options, formulating risk treatment plans
and executing them.
47
39
47
The options existing for the management of risks consist of::‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
 Accepting the risk: if, after controls are introduced, the remaining
risk is considered tolerable to the organization “according to its risk
appetite”, the risk can be accepted.
 Reducing
‫�ا��ﺎﻃﺮ‬‫ﻗﺒﻮل‬ the possibility of the risk‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬
taking place: by means of
preventive maintenance, audit & compliance programs, supervision,
contract conditions, policies & procedures, testing, investment &
portfolio management, staff training, technical controls and quality
assurance programs etc.
‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
‫ ﻣﺴﺎر‬3 ‫ﺷ�ﻞ‬
 Transferring the risk: this encompasses another party bearing or
sharing some part of the risk using contracts, insurance, ‫ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬-1
outsourcing, joint ventures
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ or partnerships etc. ‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮ‬
Avoiding the risk: take a decision not to ‫ﺮ‬carry
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ on the activity which
can generate the risk, where this
:‫�اﻟﺘﺎﻟﻴﺔ‬ is feasible.
‫�ﺣﺪوث�ا��ﺎﻃﺮ‬ ‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر‬
8.3.4. The organization should make sure that the business continuity of
suppliers is assessed. Techniques of assessing suppliers as follows:
 Include
.(‫وﻏ��هﺎ‬the descriptions
،‫ا��ﻮادم‬ ،‫)ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت‬of‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت‬
requirements in tenders and contracts •
 Perform periodic evaluation audits of the suppliers business•
.‫ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬
continuity plan .��‫• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى�ا��واﻟﺪو‬
 document service level agreements or memorandum of •
understanding in legal formats
8.4. Incident Response Plan
The‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ‬
‫�اﺳﺘﻤﺮار�ﺔ‬ organization should ‫واﻷﻃﺮ‬introduce procedures
،‫ واﻟﻌﺎﻣﻠ�ن‬،‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‬ and a management structure
that will enable preparation ‫ﺮ‬for
��‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ and respond effectively to disruptive
‫واﳌﻮارد‬incidents.
،‫ واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬،‫ واﻷﺻﻮل‬،‫ واﻟﻌﺎﻣﻠ�ن‬،‫ واﳌﻌﻠﻮﻣﺎت‬،‫ واﻷﻧﻈﻤﺔ‬،‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‬
48
39
48
Goals of an Incident Response Plan :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
 Safety of personnel.
 Identification of the impact thresholds that rationalize the
introduction of formal response;
 Introduce an appropriate
‫ ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬response to a disruptive incident;
 Ensure the availability‫ا��ﺎﻃﺮ‬of the resources to support the processes and
procedures required to manage a disruptive incident and to curtail
the impacts; and
 Communicate the processes and procedures to the interested
parties, including responding authorities
 Evaluation of the nature and degree of a disruptive incident or the
potential impact; ‫ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬-1
 Introduce appropriate measures for the welfare to affected
individuals;
Key steps on designing Incident Response Plan ‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر‬
:‫�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ‬
The key steps in designing the incident response plan are:
 Conducting a comprehensive.‫ﻣﻨﮫ‬ study and understand‫ا��ﺴﺎﺋﺮ‬
‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء‬ the nature
• and
the existing incident management of the‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ‬
.(‫ وﻏ��هﺎ‬،‫ واﳌﻴﺎﻩ‬،‫)اﻟﻜهﺮ�ﺎء‬ organization ‫• اﳌﺮ‬
 Creating a team and assigning roles and responsibilities
 Developing an Incident Response Plan
 Attaining Top Managements approval .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬
 Documenting the approved Incident‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى‬
.��‫�ا��واﻟﺪو‬ Response Plan. •
.��‫اﻟ��ﺰ�اﳌﺎ‬ •
Content .‫• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬
The Incident Response Plan should include the following:
 The criteria of response plan activation;
 The person who has authority to activate the plan;
 The Incident Management Team;
 Developing evacuation plan.
 Establishing ‫واﻟﺸﺮ�ﺎء‬ ،‫ واﻷﺻﻮل‬،‫واﻟﻌﺎﻣﻠ�ن‬
alternative sites for:،‫ واﳌﻌﻠﻮﻣﺎت‬،‫ واﻷﻧﻈﻤﺔ‬،‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‬
1. The restoration of IT or critical infrastructure elements
2. Temporary use of any element in performing prioritized activities
49
39
49
 Record of the internal and external stakeholders that may need to
be contacted in the first few hours of an emergency, crisis and
disaster;
 The means of communication with stakeholders, local authorities,
and media and what is required to be communicated to them;
 Pre-scripted message
‫ا��ﺎﻃﺮ‬templates for communications;
 Personnel responsible for coordinating with first responders; and
 Process and criterion used to assess damage and impact.
8.5. Business Continuity Plan (BCP)

The effectiveness of an organization’s Business Continuity capability is
dependent on its ability to plan for activity at each stage of the disruption.
The organization should effectively respond to the incident to ensure the
health and .‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬
safety of its personnel, those responding ‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
to the incident and
those impacted by it. :‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ‬
The key steps in developing a BC plan include
 Appoint an owner/ sponsor for .‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬
the BC plan ‫• ا��ﺴﺎﺋﺮ‬
 Make a decision about .(‫وﻏ��هﺎ‬ the structure, format
،‫ واﳌﻴﺎﻩ‬،‫)اﻟﻜهﺮ�ﺎء‬ components
‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ‬ ‫ اﳌﺮ‬and
•
contents
 Precisely define the objectives and scope
 Assign the roles and responsibilities of the .‫�اﳌﻌﻠﻮﻣﺎت‬ response ‫ﻋﺪم�ﺗﻮﻓﺮ‬
team •
 Collect the information necessary .��‫�ا��واﻟﺪو‬to‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى‬
populate the plan •
 Prepare a draft of the plan including all the necessary details•
 Circulate the draft plan to all concerned for discussion, input and
review
 Collect the feedback from .‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬
discussion ‫• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء‬
 Incorporate the necessary amendments in the plan and check its
quality
‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬ ‫ واﻷﻃﺮ‬،‫ واﻟﻌﺎﻣﻠ�ن‬،‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن‬
 Reach a decision and ‫ﺮ‬authenticate
��‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ the plan. For example, by
rehearsing‫واﻟﺸﺮ�ﺎء‬
‫ واﳌﻮارد‬،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬ it in an exercise
،‫واﻷﺻﻮل‬ ،‫ واﻟﻌﺎﻣﻠ�ن‬،‫ واﳌﻌﻠﻮﻣﺎت‬،‫ واﻷﻧﻈﻤﺔ‬،‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‬
 Come to an agreement on a program of .‫�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬
ongoing exercising and ‫اﻷﺧﺮى‬
maintenance of the plan to make sure that it remains up-to-date
and the response teams are up to date as well.
50
39
50
The stakeholders in an organization Business Continuity capability should
include people with special needs. These special needs should be taken into
account when planning.
8.5.1. The organization‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬

should develop documented procedures that will
maintain the continuity‫ا��ﺎﻃﺮ‬ of its prioritized activities at predefined levels
during a disruptive incident. The organization should make sure that
identified risks are addressed for the continuation of the prioritized
activities.
8.5.2. Each plan should: ‫ ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬3 ‫ﺷ�ﻞ‬
 Have a defined purpose and scope.
 Be communicated to all personnel that needs to be aware of it,
and to personnel with specific roles and responsibilities for review
and update. ‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
 Be consistent with the BCM :‫�اﻟﺘﺎﻟﻴﺔ‬strategy
‫�ﺣﺪوث�ا��ﺎﻃﺮ‬ ‫�ﻣﺼﺎدر‬
and ‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر‬
incident response plan,
capabilities and requirements of interested parties.
 Be accessible to and understood .‫• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬
8.5.3. All Plans should contain.(‫ وﻏ��هﺎ‬،‫ واﳌﻴﺎﻩ‬،‫• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‬

Within the.(‫وﻏ��هﺎ‬
business continuity
،‫ا��ﻮادم‬ plans,
،‫)ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت‬ the following must be clearly •
‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت‬
identifiable: .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬
 Purpose: This part precisely and clearly
.��‫�ا��واﻟﺪو‬ defines what the•plan sets
out to do .��‫• اﻟ��ﺰ�اﳌﺎ‬
 Scope: Precisely defines the scope of the plan
 Assumptions: This part defines the assumptions on which the
plan is based
 Invocations Instructions: Defines the guidelines and criteria
regarding who has the final authority to invoke these procedures
and under what circumstances these can be invoked – it may
follow defined escalation stages.
 Standing down Procedure: Clearly defines the procedure for
standing teams down once the incident is over; and assess
damage post incident.
51
39
51
 Team Structure: This part summarizes who will :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
perform the role
of leader and supporting functions. It defines the roles,
responsibilities and authorities of people and teams who have to
execute the business continuity plan
 ‫ﻗﺒﻮل‬ ‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬
Resources: This part provides‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬
the details about‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
the resources
essential for business
‫ ا��ﺎﻃﺮ‬continuity
 Incident management: Management of the immediate
consequences of a disruptive incident paying attention to the
welfare issues of affected individuals (including team members),
options for reacting to the disruption and prevention or further
loss or unavailability of prioritized activities; ‫ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬-1
 Communications: provides
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ the details about‫ﺮ‬addressing
��‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬ how and
‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤ‬
under what conditions the organization
‫ و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬.‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ will communicate key
interested parties and emergency contacts to the employees as
well as their relatives,; also the details of the media response of
the organization following an incident, including its
communication strategy,.‫ﻣﻨﮫ‬ ‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء‬
preferred interface ‫ﺮ‬with‫ ا��ﺴﺎﺋ‬the• media,
guidelines or templates .(‫وﻏ��هﺎ‬for drafting
،‫واﳌﻴﺎﻩ‬ ،‫)اﻟﻜهﺮ�ﺎء‬media statements
‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ‬ ‫ اﳌﺮ‬as• well as
identification of appropriate
.(‫ وﻏ��هﺎ‬،‫ ا��ﻮادم‬،‫�اﻟﺒﻴﺎﻧﺎت‬ spokespeople.
 Contact Details: Contact details of members .‫�اﳌﻌﻠﻮﻣﺎت‬of team and
‫ﻋﺪم�ﺗﻮﻓﺮ‬ • others
with their roles and responsibilities
 Action List: identify the actions and tasks that are required to be
.��‫• اﻟ��ﺰ�اﳌﺎ‬
accomplished, particularly regarding how the organization will
continue or recover its prioritized activities within scheduled
timeframes; .‫• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬
‫�اﺳﺘﻤﺮار�ﺔ‬
8.6. Media Response plan‫ واﻷﻃﺮ‬،‫ واﻟﻌﺎﻣﻠ�ن‬،‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن‬
‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ‬
‫واﳌﻮارد‬It،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬
is important to‫واﻟﺸﺮ�ﺎء‬
have ،appropriate
‫ واﻷﺻﻮل‬،‫واﻟﻌﺎﻣﻠ�ن‬procedures to manage
،‫ واﳌﻌﻠﻮﻣﺎت‬،‫واﻷﻧﻈﻤﺔ‬ communication
with external parties. .‫اﻷﺧﺮى�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬
52
39
52
External means of communications include: :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
 News or press releases
 Media
 Social media channels
 ‫ل‬Financial
‫�ا��ﺎﻃﺮ‬ ‫ﻗﺒﻮ‬ reports ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
 Newsletters ‫ا��ﺎﻃﺮ‬
 Websites
 Phone calls, emails and text messages (manually delivered and/or
via automated ‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
emergency notification‫ ﻣﺴﺎر‬3 ‫ ﺷ�ﻞ‬systems)
The procedure to manage communication should encompass:
 Details regarding how and under what circumstances ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
the -1
organization will establish
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ communication with
��‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬ employees
‫�اﺳﺘﻤﺮ‬ as well
as their relatives regarding emergency‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
‫ و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬.‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ contacts, media and other
interested parties’; :‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ‬
 Details regarding the media response of an organization
‫ ﻋﺪم�ﺗﻮﻓﺮ‬after
.‫�اﻟﻌﺎﻣﻠ�ن‬ • an
incident.
The organization’s Media Response Plan should provide instructions and
.(‫ وﻏ��هﺎ‬،‫ا��ﻮادم‬
guidance required to ،‫�اﻟﺒﻴﺎﻧﺎت‬
Top Management, Executives, and Staff and • Public
Relations personnel on how to communicate approved messages
.‫ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬ • with
internal and external stakeholders before,
.��‫�ا��واﻟﺪو‬ during and after a disruptive
‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى‬ •
event. .��‫• اﻟ��ﺰ�اﳌﺎ‬
This plan should include a predefined structure of the process of gathering
and publishing information on the emergencies, crises and disasters to
internal and external stakeholders.
Also, the plan should identify key partners and persons who will be
responsible for communicating with each partner group, before, during,
and after an event. Pre-scripted message formats should be included as
part of the Media Response Plan. Various methods can be used for
delivering messages to key partner groups.
53
39
53
These include: :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
 Automated notification systems;
 Emergency call-in numbers (‘hotlines’ by virtue of recorded
messages providing current status and updated information on
‫ل�ا��ﺎﻃﺮ‬the
‫ ﻗﺒﻮ‬event); ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
 Call centers; ‫ا��ﺎﻃﺮ‬
 Publication via email or voicemail;
 Status or update postings to the organization’s internal website;
and ‫ ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬3 ‫ﺷ�ﻞ‬
 Short Messages Service (SMS).
The organization’s communication capabilities should be tested ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
as part of-1
the regular testing and exercising��‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ of the BCM Program. ‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮ‬
8.7. Awareness and training :‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ‬
Awareness and training ensure the organizations personnel and staffs
.‫ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن‬ • are
aware of the importance of business.‫ﻣﻨﮫ‬ continuity, understand
‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء‬ their roles,
‫ا��ﺴﺎﺋﺮ‬ • gain
knowledge and ability to execute its ،‫واﳌﻴﺎﻩ‬
.(‫وﻏ��هﺎ‬ plans. The organization
،‫)اﻟﻜهﺮ�ﺎء‬ ‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ‬should
‫ • اﳌﺮ‬develop
and implement an awareness and training program that supports the BCM
objectives of an organization. Training can be provided through internal or
external sessions and working with professionals assisting in BCM Program
development and implementation. .��‫�ا��واﻟﺪو‬ ‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى‬
The awareness and training• strategy
varies from one organization to another, depending on.��‫�اﳌﺎ‬ each
‫اﻟ��ﺰ‬organizations
•
strategy and policy. .‫ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ •
8.7.1. Staff Awareness
The‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ‬
‫�اﺳﺘﻤﺮار�ﺔ‬ organization’s level ‫واﻷﻃﺮ‬of،‫واﻟﻌﺎﻣﻠ�ن‬
awareness differs
،‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‬ between employees according
to their roles and responsibilities.
The Staff Awareness program should:
 Include BCM policy and objectives
 Establish a methodology for evaluating its effectiveness;
 Spread BC capability and awareness;
 Ensure continual improvement of BCM Program; and
54
39
54
 Ensure personnel are aware of their roles and responsibilities in BCM
Program.
Items that should be available to boost awareness among specific teams in

the organization’s BCM‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬Program include:
 A measurable and assessable system should be developed to ensure
the effectiveness of the awareness program. This can be achieved by
obtaining periodic data or holding interviews with staff to determine
the extent of their understanding and awareness with respect to the
BCM Program. ‫ ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬3 ‫ﺷ�ﻞ‬
 Awareness can be spread within the organization various awareness
courses as well as placing purposeful posts in staff gathering areas to
remind them of the importance ��‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬
of being prepared ‫�اﺳﺘﻤﺮ‬
for‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ‬
emergency.
‫ و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬This should be an integral part of the organization’s
.‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ work
environment culture.
 Continuous improvement of the program should be conducted by
attending specialized scientific conferences and .‫�اﻟﻌﺎﻣﻠ�ن‬‫ ﻋﺪم�ﺗﻮﻓﺮ‬whether
seminars •
tailored to the organization’s .‫ﻣﻨﮫ‬ emergency staff or Top
‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء‬ Management
‫ا��ﺴﺎﺋﺮ‬ • to
support their understanding of the importance of these programs.
 Staff playing roles in the BCM Program should be encouraged
.(‫وﻏ��هﺎ‬financial
through ،‫ ا��ﻮادم‬،‫�اﻟﺒﻴﺎﻧﺎت‬
and moral‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ‬
incentives as these roles and •
responsibilities are usually an addition to their original
.‫�اﳌﻌﻠﻮﻣﺎت‬ ‫ﻋﺪم�ﺗﻮﻓﺮ‬roles •and
responsibilities. The efforts should be properly appreciated,
especially after holding annual exercises or real incidents.
.��‫• اﻟ��ﺰ�اﳌﺎ‬
8.7.2. BCM awareness should also be spread.‫�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ among ‫ﺮ‬interested
‫ • ﻋﺪم�ﺗﻮﻓ‬parties.
Interested parties should have knowledge of their roles and responsibilities
in case of disruptive incidents, in order to accomplish BCM requirements
within
‫�اﺳﺘﻤﺮار�ﺔ‬ defined time frames.
‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ‬ ‫ واﻷﻃﺮ‬،‫ واﻟﻌﺎﻣﻠ�ن‬،‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن‬
8.7.3. Training
All personnel should receive proper training in order to perform their BC
roles. They should also receive instructions on the key components of the
organizations BCM Program, in addition to the Incident response and
business continuity plans that directly affect them.
55
39
55
Response and recovery teams should receive education and training on
their responsibilities and duties, including how to interact with first
responders. Teams should provide initial / refresher training at regular
intervals and a suitable mechanism should be put in place to ensure new
members are trained when they join the team.
Core topics that can be included in the training program are:
 Overview of Business Continuity Management
 Program Development and Management
 Business Impact Analysis (BIA)
 Risk management
 Strategy Development ‫ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬-1
 Incident Preparedness and��‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ Response ‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮ‬
 Development and implementation of Business Continuity plans
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ .‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬
 Development of Awareness and Training Program
 Exercising, Updating and Maintaining BC plans
Other subject areas may include: .‫• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬
 Damage assessment .(‫ وﻏ��هﺎ‬،‫ واﳌﻴﺎﻩ‬،‫• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‬
 Restoration of facilities
.(‫ وﻏ��هﺎ‬،‫ا��ﻮادم‬ ،‫ﺰ�اﻟﺒﻴﺎﻧﺎت‬and equipment
‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛ‬ •
 Public Relations and Crisis Communications .‫ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬ •
 Business Continuity Management Audit
 Developing IT Recovery and Continuity Strategies
.��‫• اﻟ��ﺰ�اﳌﺎ‬
 Emergency and Crisis Management
 Team Leadership
 Testing the tools and equipment required
.‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬ to implement BCM•
‫�اﺳﺘﻤﺮار�ﺔ‬
8.8. Test and Exercise ‫ واﻷﻃﺮ‬،‫ واﻟﻌﺎﻣﻠ�ن‬،‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن‬
‫واﳌﻮارد‬Tests and exercises
،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬ are
‫واﻟﺸﺮ�ﺎء‬ activities
،‫واﻷﺻﻮل‬ designed
،‫واﻟﻌﺎﻣﻠ�ن‬ ،‫ واﳌﻌﻠﻮﻣﺎت‬to assess
،‫واﻷﻧﻈﻤﺔ‬ the ability of the
organizations personnel to respond, manage, communicate‫اﻷﺧﺮى‬
.‫�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬ with
stakeholders, continue to perform assigned duties and recover from
various scenarios of business disruption.
56
39
56
The organization should design test scenarios that focus primarily on training
on highest risk business activities, as identified in its Risk Assessment and
Business Impact Analysis. Also, the organization should conduct exercises
and record the results of such exercises to ensure BC plans, processes and
teams are‫ل‬effectively ‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬the recovery objectives of the organization.
achieving
‫�ا��ﺎﻃﺮ‬ ‫ﻗﺒﻮ‬ ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
A Test and Exercise Plan should be documented before each test,
highlighting the following:
 Objectives;
 Success criteria;
 Timetable and schedule of activities;
 Resources used; ‫ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬-1
 Roles and responsibilities ��‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬
 Risks;
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ .‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬
 Assumptions; :‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ‬
 Exclusions.
A test and exercise report should be completed immediately after each
exercise. This report should contain (but not limited to):
 Introduction .(‫ وﻏ��هﺎ‬،‫ واﳌﻴﺎﻩ‬،‫• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‬
 Background
 Results summary .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬
 Summary of exclusions and.��‫�ا��واﻟﺪو‬ issues ‫• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى‬
 Corrective and Preventive Action Plan .��‫• اﻟ��ﺰ�اﳌﺎ‬
 Independent observer report .‫• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬
8.8.1. Tests
Tests
‫�اﺳﺘﻤﺮار�ﺔ‬ should be conducted
‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ‬ for،‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‬
‫ واﻷﻃﺮ‬،‫واﻟﻌﺎﻣﻠ�ن‬ assessing the readiness, usability and
appropriateness of the tools,
��‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ technology, facilities, and infrastructure
‫واﳌﻮارد‬required for the ‫واﻟﺸﺮ�ﺎء‬
،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬ implementation of the
،‫ واﻷﺻﻮل‬،‫واﻟﻌﺎﻣﻠ�ن‬ BC plans
،‫واﳌﻌﻠﻮﻣﺎت‬ of the
،‫واﻷﻧﻈﻤﺔ‬ organization. Post-
Test reports should be developed, revised and remedial measures ‫ى‬taken,
.‫�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬ ‫اﻷﺧﺮ‬
when required.
57
39
57
A process that can be used to develop an effective test involves the
following steps:
 Cooperate with Top Management to identify the organization’s
capability areas that would benefit from the increased awareness that
a test
‫�ا��ﺎﻃﺮ‬ ‫ﻗﺒﻮل‬would provide. ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
 Identify the BC plan elements, resources and procedures that will be
tested, e.g. resource allocation, emergency contact and
communication, or relocation to an alternative worksite.
 Identify suitable tests for each element,
‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬ ‫ ﻣﺴﺎر‬3 ‫ﺷ�ﻞ‬resource or procedure.
 Identify the personnel or groups involved in the test.
 If tests have been conducted in the past, review the supporting ‫ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬-1
documentation to avoid using
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ the same scenario or
��‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬ personnel
‫�اﺳﺘﻤﺮ‬ and to
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬identify the activities that require further ‫ﺮ‬exercising
.‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ / testing.
 Create a timetable to ensure that,
:‫�اﻟﺘﺎﻟﻴﺔ‬ over time,
‫�ﺣﺪوث�ا��ﺎﻃﺮ‬ the
‫�ﻣﺼﺎدر‬ scenarios are
capitalized on, which would have the greatest.‫�اﻟﻌﺎﻣﻠ�ن‬ impact on continuity
‫ﻋﺪم�ﺗﻮﻓﺮ‬ • of
the organizations prioritized activities.
 The frequency of tests dependent upon the nature, size and
complexity of the organization.
8.8.2. Exercises .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬
Exercising makes sure that the teams and ‫ى‬personnel
.��‫�ا��واﻟﺪو‬ are effectively
‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮ‬ • trained
for the usage and operation of the tools, equipment and .��‫ﺰ�اﳌﺎ‬other
��‫ اﻟ‬resources
•
required to accomplish their duties.
BCM capability cannot be considered dependable until it has been
exercised. A planned Exercise Program is essential to make sure that all
aspects of the plans and personnel have been implemented over a period
of time, evading disruption to the entire business.
Exercises should be developed and conducted to:
 Apparent weaknesses and strengthen the plans, operating
procedures, and the planning assumptions;
58
39
58
 Ensure the organization’s BC Strategies are accurate and BC plans will
enable the organization to meet the recovery objectives defined in
the BIA;
 Ensure cohesion and integration of plans in terms of interoperability;
Test
‫�ا��ﺎﻃﺮ‬ and validate recently changed procedures;
‫ﻗﺒﻮل‬ ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
 Familiarize BC and Incident Management Teams with their processes
and procedures;
 Ensure personnel and teams implementing the plans and procedures
have the requisite skills, authority‫ﻣﺴﺎر‬
‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬ and3 ‫ﺷ�ﻞ‬
experience to implement such
plans.
 Enhance coordination among response agencies and support ‫ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬-1
organizations;
 Validate
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ the training process and procedures
.‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ for evacuation,
response, incident management, communication,
:‫�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ‬ and regaining of
business continuity; and
 Increase the organization’s awareness and understanding of the
threats which can impact and disrupt its prioritized activities.
 Validate that all the contacts and information necessary to attain
.(‫وﻏ��هﺎ‬resources
recovery ،‫ ا��ﻮادم‬،‫�اﻟﺒﻴﺎﻧﺎت‬
required by the plan, have been accounted • for.
The organization’s BC Exercise Program should‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى‬
.��‫�ا��واﻟﺪو‬ ensure that all personnel • and
elements of BC plans are exercised over a period of time in.��‫�اﳌﺎ‬ such a way• as to
avoid disruption to normal operations.
A list of exercises types are given in table (8):
59
39
59
Type of Exercise Objectives of the exercise :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
Table Top check the structure and elements of the plan
Walkthrough thoroughly discuss the theory of the plan to check
that it is usable
‫ﻗﺒﻮل�ا��ﺎﻃﺮ‬
Simulation use the plan to undertake ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬
theoretical response to
an incident
Limited rehearsal Confirm that a recovery procedure or the
recovery of a piece of
technology works
Live test Confirm that full recovery of a complete activities
of the organization ‫ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬-1
Table
‫�اﺳﺘﻤﺮ‬8‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ‬
‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ��ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ Types of exercises
A-9. Business Continuity Program Review :‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ‬
The objective of BC Program review is the evaluation and the‫ﻋﺪم�ﺗﻮﻓﺮ‬
.‫�اﻟﻌﺎﻣﻠ�ن‬ identification
• of
the improvements of BC capability. .‫• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬
Review can be classified into three types:
.(‫وﻏ��هﺎ‬ ،‫ واﳌﻴﺎﻩ‬،‫• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‬
 Annual Review
 Review of Suppliers and Service providers
 Compliance and internal Audit Review
Review and updates are obligatory when a change takes place.��‫�اﳌﺎ‬ in‫ﺰ‬the
��‫• اﻟ‬
organization whether in terms of services /works or when a change
‫ﻋﺪم�ﺗﻮﻓﺮ‬takes
.‫�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ • place
within the Top Management. .‫• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬
9.1. Annual
‫�اﺳﺘﻤﺮار�ﺔ‬ Review: ‫ واﻷﻃﺮ‬،‫ واﻟﻌﺎﻣﻠ�ن‬،‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن‬
Frequently, at least annually, the organization must carry out a review of
its:
 Policy and objectives

 BCM Program documentation
60
39
60
 Exercise reports :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
 Audit Reports
 Changes to the business and risks that can result in business disruption
 Review risk appetite
Review
 ‫�ا��ﺎﻃﺮ‬‫ﻗﺒﻮل‬business continuity strategy ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
 Approving response, incident response, business
 continuity plan(s) tailored to achieve the organization’s
 BCM objectives
This review is intended to make sure that all BC capability documents are
effective and in line with the strategic objectives of the organization.
9.1.1. It
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ is essential to establish a formal process
.‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ for maintaining the BCM
Program. The process of conducting :‫�اﻟﺘﺎﻟﻴﺔ‬annual review
‫�ﺣﺪوث�ا��ﺎﻃﺮ‬ ‫�ﻣﺼﺎدر‬must be assigned to an
individual or team, and must comprise of: .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن‬
 Review what has changed since the last update;
 Analyze the impact of any changes;
 Identify any changes to other areas;
 Update the plans as and when required;
 Provide training, awareness and/or communications .‫ﺮ�اﳌﻌﻠﻮﻣﺎت‬as
required;
 If plans have been modified,.��‫�ا��واﻟﺪو‬ ensure to‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى‬
distribute the new versions • as
soon as possible; .��‫• اﻟ��ﺰ�اﳌﺎ‬
 Identify the date for undertaking the next planned maintenance,
.‫�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ ‫ • ﻋﺪم�ﺗﻮﻓﺮ‬and
schedule the maintenance. .‫• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬
9.1.2.
‫�اﺳﺘﻤﺮار�ﺔ‬ Post any incident
‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ‬ or crisis,
‫ واﻷﻃﺮ‬،‫واﻟﻌﺎﻣﻠ�ن‬ there‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى‬
،‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‬ should be a log maintained,
reviewed and analyzed to establish
��‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ the level of impact, and to identify the
‫واﳌﻮارد‬cause as well as‫واﻟﺸﺮ�ﺎء‬
،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬ any corrective and،‫واﳌﻌﻠﻮﻣﺎت‬
،‫ واﻷﺻﻮل‬،‫واﻟﻌﺎﻣﻠ�ن‬ preventative
،‫ واﻷﻧﻈﻤﺔ‬actions required. The
results of this analysis should be recorded, summarized, and made available
as part of the BC Capability Evaluation Report and should include:
 Nature and reason of emergency, crisis or disaster
61
39
61
 Assessment of management reaction in meeting the organization’s BC
objectives
 Assessment of organization’s effectiveness in meeting BCM recovery
objectives
Identification
‫�ا��ﺎﻃﺮ‬‫ﻗﺒﻮل‬ of required changes to ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬
improve its BC capability
9.1.3. Annual BCM Evaluation Report

After the annual review has been completed,
‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬ ‫ ﻣﺴﺎر‬3 ‫ﺷ�ﻞ‬ organizations should produce
an annual report on the BCM Program status.
 Summarize the organization’s prevention, protection, response, ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
and-1
recovery capabilities based�on
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ its plans, documentation
�‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬ of its tests of
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬tools, equipment and infrastructure; and records
.‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ of the training and
exercise of its personnel; :‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ‬
 Describe the organization’s key deficiencies and weaknesses;
 Describe the tests and exercises completed last year, including dates
and results demonstrating proof of capability based on requirements
and objectives; .(‫ وﻏ��هﺎ‬،‫ واﳌﻴﺎﻩ‬،‫• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‬
 Make.(‫وﻏ��هﺎ‬ ،‫ ا��ﻮادم‬،‫)ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت‬
recommendations where ‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت‬
improvements / remedial action • is
required to obtain certification; .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬
 Include a plan of action with.��‫�ا��واﻟﺪو‬
ownership assigned and date when
‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى‬ • each
action should be completed; .��‫• اﻟ��ﺰ�اﳌﺎ‬
 Detail any cost or budget required to achieve certification.
 The BC Capability Evaluation Report is required as documentary
evidence for initial certification and annually during re-certification.
9.2. Review of Suppliers and Service
��‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ providers
‫واﳌﻮارد‬As،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬
part of the annual‫واﻟﺸﺮ�ﺎء‬ ،‫واﻷﺻﻮل‬the
review, organization
،‫واﻟﻌﺎﻣﻠ�ن‬ ،‫ واﳌﻌﻠﻮﻣﺎت‬is expected
،‫واﻷﻧﻈﻤﺔ‬ to prove it has an
established and appropriate level of interaction.‫�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬
with third parties and, ‫اﻷﺧﺮى‬
particularly key suppliers. The steps taken to accomplish this interaction
should include:
62
39
62
 Reviewing the supplier’s BC status and ensuring it is acceptable to the
organization. Integrating its Incident Management / Business
Continuity procedures with the supplier, to ensure there is a formal
process for timely notification by either party in the event of a
disruption; ‫ ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬acceptable levels of cost effective resilience
implementing
‫�ا��ﺎﻃﺮ‬ ‫ﻗﺒﻮل‬ ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
into the business operations to mitigate failure of the third-party.
 Where the organizations supplies products to customers and clients,
its Incident Management and Business Continuity plans should be
reviewed based on the business objectives of the customers and
clients, so as to ensure the organization can meet their expectations
and fulfill the terms of its contracts and agreements with them, in -1
accordance with the organization’s
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ BIA. This capability‫ﺮ�اﺳﺘﻤﺮ‬should
��‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬ also be
‫و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬checked through the previously mentioned
.‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ exercises.
9.3. Compliance and Internal Audit Review
The audit process must be carried out .‫ ﻣﻨﮫ‬frequently as defined
‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء‬ by the•audit
‫ا��ﺴﺎﺋﺮ‬
and governance policies of the organization. The objective of a BCM audit is
to scrutinize the existing BCM Program of the organization; authenticate it
against predefined standards and criteria and provide a structured audit
report. .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬
Audits should be conducted on a regular basis, as defined .��‫�اﳌﺎ‬in the •
organization’s audit and governance policies to.‫�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ ensure: ‫• ﻋﺪم�ﺗﻮﻓﺮ‬
 Compliance with the standard; .‫• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬
 Consistency with BCM objectives and policy;
Proper implementation,
‫�اﺳﺘﻤﺮار�ﺔ‬‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ‬ execution
‫ واﻷﻃﺮ‬،‫واﻟﻌﺎﻣﻠ�ن‬ and
،‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‬ sustainability; and
 Effective fulfillment of the
��‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ organization’s BCM capability objectives.
9.3.1. Annual Internal Audit .‫اﻷﺧﺮى�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬
The organization should conduct a complete annual internal audit of its
BCM Program. This audit should cover all requirements of the Standard. A
63
39
63
formal BC Audit process should ensure the organization has:‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
an effective
Business Continuity capability program.
The purpose of a BC audit is to:

Ensure ‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬
‫�ا��ﺎﻃﺮ‬‫ ﻗﺒﻮل‬compliance with the organization’s BC policies and
‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
procedures; ‫ا��ﺎﻃﺮ‬
 Review the organization’s BC solutions;
 Verify the organization’s BC plans;
 Verify that appropriate exercise and ‫ﻣﺴﺎر‬maintenance
‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬ 3 ‫ﺷ�ﻞ‬ activities are
available;
 Highlight deficiencies and compliance gaps; ‫ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬-1
 Ensure the remedy of such��‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ gaps. ‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮ‬
9.3.2. Internal Audit Program :‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ‬
The organization should develop an audit program that is based on its size,
nature, of the organization, scope of the BCM Program and other related
factors. The internal audit program may not address all the components of
the BCM Program all at once. The .(‫وﻏ��هﺎ‬audit
،‫واﳌﻴﺎﻩ‬can
،‫)اﻟﻜهﺮ�ﺎء‬ ‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ‬
divided into small‫ﺮ‬parts
‫ • اﳌ‬and can
be conducted at،‫ا��ﻮادم‬
.(‫وﻏ��هﺎ‬ periodic intervals
،‫�اﻟﺒﻴﺎﻧﺎت‬ however all organization activities
‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ‬ • that
come under the scope of the BCM Program should.‫�اﳌﻌﻠﻮﻣﺎت‬ be audited
‫ﻋﺪم�ﺗﻮﻓﺮ‬within
• the
organizations audit time frame. .��‫• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى�ا��واﻟﺪو‬
.��‫• اﻟ��ﺰ�اﳌﺎ‬
9.3.3. Internal Audit procedures
The organization should develop procedures to implement its Internal Audit
Program. .‫• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬
To define audit scope:
 Determine the locations, departments, and activities to be
audited.
 Define the audit approach:
 Identify the auditing activities that will be undertaken, e.g.
questionnaires, one on one interviews, document reviews and/or
solution review.
64
39
64
 Identify the audit activity timetable and due dates.:‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
 Identify the audit evaluation criteria (standards).
 Determine audit requirements by specialists and experts, as a third
party, to conduct audit process.
9.3.4. Internal Audit Report ‫ا��ﺎﻃﺮ‬
To prepare the Internal Audit Report:
 Provide a draft audit report for discussion with key stakeholders.
 Provide an agreed-upon audit‫ر‬report
‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬ incorporating
‫ ﻣﺴﺎ‬3 ‫ﺷ�ﻞ‬
recommendations as well as audit responses where differences of
opinion appear. ‫ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬-1
 Provide an agreed-upon��‫ار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ remedial action plan including timescales
to implement the recommendations set
‫ و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬.‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ out in the audit report.
 Identify a monitoring process, separate‫ر‬from
:‫�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ‬ the BC capability
‫ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ��اﻻﻋﺘﺒﺎر�ﻣﺼﺎد‬
maintenance program, to ensure appropriate follow-up
‫ ﻋﺪم�ﺗﻮﻓﺮ‬on• the
audit action plan.
The following should be reported to Top Management:
 An .(‫وﻏ��هﺎ‬ ،‫ ا��ﻮادم‬،‫�اﻟﺒﻴﺎﻧﺎت‬
independent ‫ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ‬
BC audit report should include but not be• limited
to: .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬
o Executive summary of the audit
.��‫�ا��واﻟﺪو‬ ‫• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى‬
o Summary of key findings .��‫• اﻟ��ﺰ�اﳌﺎ‬
o Summary of the key report recommendations
o Detailed current state and review results (Detailed
Observations)
o Risks
o Detailed recommendations
o List of staff interviewed
o Documents provided for interview
65
39
65
A-10. Top Management Review :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
Management review involves assessment of improvement opportunities, and

the need to apply changes to BC policy, as well as the performance goals,
plans, operations, procedures,
‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬teams and support teams, to ensure they
remain valid.
In addition to the regularly scheduled management review, certain events can

occur which may trigger a management review of the BC capability. These
events include: ‫ ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬3 ‫ﺷ�ﻞ‬
 Completion or revision of the organizations BC Policy, Risk Assessment,
or BIA;
 Major changes to the organization, its business objectives, business
processes, facilities and IT hardware and software ‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
infrastructure;
 Changes in assumptions in the:‫�اﻟﺘﺎﻟﻴﺔ‬ organizations
‫ر�ﺣﺪوث�ا��ﺎﻃﺮ‬Risk ‫�ﻣﺼﺎد‬Assessment and BIA;
 Changes in the organizations Risk Appetite; .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن‬
 Changes in the threats faced by the organization, including
.‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬ ‫ا��ﺴﺎﺋﺮ‬the •
environment, locations and.(‫وﻏ��هﺎ‬ markets
،‫واﳌﻴﺎﻩ‬it،‫)اﻟﻜهﺮ�ﺎء‬
operates in;
‫اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ‬ ‫• اﳌﺮ‬
 Changes in its suppliers and the supply chain;
 Major changes in the BC Standards or the continuity planning
regulations and guidelines within the organizations business sector or
industry .��‫• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى�ا��واﻟﺪو‬
 Revision of old requirements or addition of new regulatory .��‫اﻟ��ﺰ�اﳌﺎ‬and •
compliance requirements in the organizations sector or
.‫�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ industry;
‫ﻋﺪم�ﺗﻮﻓﺮ‬ • and
 Latest events of disruption directly impacting
.‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬ the organization or
‫أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء‬ • similar
organizations
 ‫ﺮ‬Where
‫�اﺳﺘﻤﺮار�ﺔ‬ the disruption
‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃ‬ ‫واﻷﻃﺮ‬directly
،‫ واﻟﻌﺎﻣﻠ�ن‬affects
،‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‬the‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى‬
organization itself, the
management review should
��‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ consider the reason of plan activation and
success, etc. ‫ واﻟﺸﺮ�ﺎء‬،‫ واﻷﺻﻮل‬،‫ واﻟﻌﺎﻣﻠ�ن‬،‫ واﳌﻌﻠﻮﻣﺎت‬،‫ واﻷﻧﻈﻤﺔ‬،‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‬
66
39
66
10.1. Management review of BCM Program :‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
Top management should review the organization BC Capability as per the

planned intervals in order to ensure its continuing, adequacy and
effectiveness. ‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬
‫�ا��ﺎﻃﺮ‬‫ﻗﺒﻮل‬ ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬
The management review must encompass the scope of the‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
BCM Program,
although it is not obligatory to review all the elements simultaneously and
the review process can last for a period of time. Review of the
implementation and results of the BCM Program by the Top Management
must be frequently planned and assessed.
‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬ ‫ ﻣﺴﺎر‬3 ‫ﺷ�ﻞ‬Although an on-going system
review is desirable, however formal review must be structured and
properly documented and planned on an appropriate basis.
10.2.Documentation of the management review ‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
The Management Review may be conducted as part of the BC Capability
Evaluation Review and the results recognized in the BC Capability
Evaluation Report. .‫• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬
10.3.Points of input.(‫وﻏ��هﺎ‬during management
،‫ ا��ﻮادم‬،‫�اﻟﺒﻴﺎﻧﺎت‬ review
The Management Review takes account of the: .‫ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬ •
 Strategic business objectives;
 Goals defined in its BC Policy; .��‫• اﻟ��ﺰ�اﳌﺎ‬
 Risks identified in its Risk Assessment; .‫• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬
 Recovery objectives set out in its BIA;
 Strategy defined based on the above;
 Output from internal
‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬ audit،‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‬
‫ واﻷﻃﺮ‬،‫واﻟﻌﺎﻣﻠ�ن‬ processes; and
 Results of plan testing‫اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ‬
��‫�ا��ﺪدة�إ��ﺣﺪوث�ﻋﻄﻞ��اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‬ and implementation.
10.4.Management Review outcome .‫اﻷﺧﺮى�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬
The output from a management review depends on whether it takes place

as part of the BC Capability Evaluation or is done separately. If the
67
39
67
management review was carried out as part of the organization’s annual
capability evaluation, the output should be contained in its BC Capability
Evaluation Report. If the management review was, however, conducted
separately, the output will be contained in a separate document identifying
the:
 Scope of the review;
 Reasons for the review;
 People involved in‫�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‬
the review; ‫ ﻣﺴﺎر‬3 ‫ﺷ�ﻞ‬
 Areas where issues exist, highlighting any raised risks;
 Recommendations for corrective and preventative actions; ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
and -1
 Brief review of tests and �exercises.
‫�ﻋ��اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل‬ �‫�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ��ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ‬
This BC Management Review Report :‫�اﻟﺘﺎﻟﻴﺔ‬should serve
‫�ﺣﺪوث�ا��ﺎﻃﺮ‬ as evidence
‫�ﻣﺼﺎدر‬ for the
organization’s BC Capability Certification. .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن‬
A-11. BCM Program Continual Improvement .‫• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬
On a regular basis, at least annually, the organization is required to perform
a review of its BCM Program including the BIA, Risk Assessment, BC
Strategy, and BC Plans. This review is designed to .‫�اﳌﻌﻠﻮﻣﺎت‬
ensure‫ﻋﺪم�ﺗﻮﻓﺮ‬ •
all BC capability
documents are valid and consistent with
.��‫�ا��واﻟﺪو‬ the organization’s • strategic
objectives. .��‫• اﻟ��ﺰ�اﳌﺎ‬
This review should be formally conducted by .‫�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ the Internal Auditor
‫ﻋﺪم�ﺗﻮﻓﺮ‬ • or BC
Manager. The review should result in a report to Top Management. Review
and update are necessary when a change occurs in the organization
whether
‫�اﺳﺘﻤﺮار�ﺔ‬ in terms of services
‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ‬ or works
‫ واﻷﻃﺮ‬،‫واﻟﻌﺎﻣﻠ�ن‬ or when
،‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‬ a change occurs within Top
Management.
11.1.Non-Conformities .‫اﻷﺧﺮى�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬
A comprehensive study should be conducted to identify nonconformities, to
develop a corrective action plan to address the problems, mitigate
68
39
68
consequences of nonconformity, and apply required changes to remove the
cause of nonconformity with the Standard.
The nature and timing of corrective action should be appropriate to the size
and nature of nonconformity and its potential consequences. Top
management ‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬
‫ ﻗﺒﻮل�ا��ﺎﻃﺮ‬should ensure corrective and preventive actions
‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ have been
implemented and that ‫ا��ﺎﻃﺮ‬
there is systematic follow-up to evaluate their
effectiveness.
11.2.Corrective Actions
Preventive and corrective actions should be compared to BCM objectives
and policy to ensure continual conformity.
The corrective action process should be initiated‫اﻟ��ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ‬
as part of the investigation
after each incident or exercise. It:‫�اﻟﺘﺎﻟﻴﺔ‬can ‫ﺮ‬also be initiated
‫�ﺣﺪوث�ا��ﺎﻃ‬ (plan improvement)
during the incident if such incident is going to extend over
.‫�اﻟﻌﺎﻣﻠ�ن‬ a long •period of
time. .‫• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬
The process should include:
 Development of a statement that describes the problem and
identifies its impact and reasons; .‫• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت‬
 Review of corrective action.��‫�ا��واﻟﺪو‬ from previous ‫اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ��اﳌﺴﺘﻮى‬
evaluations and •
identification of solutions provided; .��‫• اﻟ��ﺰ�اﳌﺎ‬
 Selection of a strategy, prioritization of action(s) to ‫ﺮ‬be
.‫�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬ taken according
to their importance based on specific‫أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء‬
.‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬ schedule; •
 Identification of the resources required to implement the strategy;
Provision of authority
‫�اﺳﺘﻤﺮار�ﺔ‬‫اف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ‬ and resources
‫ واﻷﻃﺮ‬،‫واﻟﻌﺎﻣﻠ�ن‬ ،‫�ﻣﻊ�اﳌﻮﻇﻔ�ن‬required to accomplish the
changes;
 Monitoring ‫واﻟﺸﺮ�ﺎء‬
‫ واﳌﻮارد‬،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬ progress of corrective
،‫واﻷﺻﻮل‬ action through
،‫ واﻟﻌﺎﻣﻠ�ن‬،‫واﳌﻌﻠﻮﻣﺎت‬ completion;
،‫ واﻷﻧﻈﻤﺔ‬،‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‬
 Verification that the problem is resolved through exercise or test
.‫�اﻟ��ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ‬ of
‫اﻷﺧﺮى‬
the solution once the corrective action is complete.
69
39
69
‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‪Non-conformances and corrective actions that address :‬‬
‫‪them should be‬‬
‫‪recognized and dealt from time to time. If non-conformity is identified,‬‬
‫‪comprehensive study should be conducted in order to understand the‬‬
‫‪cause of the non-conformity and a corrective action should be created‬‬
‫‪immediately.‬‬
‫اﻟ��ﺰ�اﳌﺎ��‪.‬‬ ‫•‬

‫‪70‬‬
‫‪39‬‬
‫‪70‬‬
Right of use
All training and consulting service providers shall seek NCEMA’s approval
All
All training
prior toand
training consulting
anduse if the service
consulting Business
service providers shall
shall seek
Continuity
providers NCEMA’s
NCEMA’s approval
Management
seek Standard
approval prior
prior– to
to
use Specifications
use if if the (AE/SCNS/NCEMA
the Business
Business Continuity 7000:2015).
Continuity Management
Management Standard
Standard –– Specifications
Specifications
(AE/SCNS/NCEMA
(AE/SCNS/NCEMA 7000:2015).
‫ ﻗﺒﻮل�ا��ﺎﻃﺮ‬7000:2015). ‫ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ‬ ‫ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ‬
.‫ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬ •
.(‫ وﻏ��هﺎ‬،‫ واﳌﻴﺎﻩ‬،‫اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‬ •
Contact NCEMA .��‫اﻟ��ﺰ�اﳌﺎ‬ •
For additional
ForFor additional
additional information
informationand
information and guidance,
and guidance,
guidance, please
please
please
.‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬ contact
contact NCEMA,
contactNCEMA,
NCEMA,Safety
‫أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء‬ Safety
• andand
Safety and
Prevention
Prevention Department, Business Continuity Section at:
Prevention Department,
Department, Business Business Continuity
Continuity Section
Section at: at:
Telephone
Telephone :: +971: 4177000
2 2 971+
Telephone +971
E-mail 2 4177000
4177000
‫ واﻷﻃﺮ‬،‫ واﻟﻌﺎﻣﻠ�ن‬،‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن‬
: bcm@ncema.gov.ae
E-mail
E-mail :: bcm@ncema.gov.ae
bcm@ncema.gov.ae
Website : www.ncema.ae
Website
Website :: www.ncema.ae
‫ واﳌﻮارد‬،‫ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ‬ www.ncema.ae
‫ واﻟﺸﺮ�ﺎء‬،‫ واﻷﺻﻮل‬،‫ واﻟﻌﺎﻣﻠ�ن‬،‫ واﳌﻌﻠﻮﻣﺎت‬،‫ واﻷﻧﻈﻤﺔ‬،‫اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت‬
71
85
39
71
71

Ae Scns Ncema 7001 2015 English

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ae Scns Ncema 7001 2015 English

Uploaded by

Copyright:

Available Formats

‫ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ‪:‬‬

‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن‪ ،‬واﻟﻌﺎﻣﻠ�ن‪ ،‬واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬

‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن‪ ،‬واﻟﻌﺎﻣﻠ�ن‪ ،‬واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬

‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن‪ ،‬واﻟﻌﺎﻣﻠ�ن‪ ،‬واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬

NCEMA Provides a Business Continuity Management Standard to build an

Supreme Petroleum Council Federal Customs Authority

8.8. Test and Exercise 56

The following Business Continuity Management documents and references

The following Business Continuity Management documents and references

‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن‪ ،‬واﻟﻌﺎﻣﻠ�ن‪ ،‬واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬

Compliance Extent to which requirements are fulfilled

Conformity Extent to which mandatory requirements are fulfilled.

Corrective Action Steps or measures that remove discrepancies.

‫ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ‪ .‬و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ‬ ‫‪Business Continuity‬‬

‫‪Management‬واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬ ‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى ‪Review‬‬

This document is aimed at providing a common set of guidelines that can

Legislative and licensing bodies may establish further specifications in

These guidelines are applicable .‫���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬

4.2. Organization’s Scope of Business Continuity Capability

The primary purpose of a BCM Program is to enable the organization to

5.2.3. Business Continuity Policy shall be approved .��‫اﻟ��ﺰ�اﳌﺎ‬

‫‪A-7. BCM Documentation and Records‬‬

‫‪Developing a BCM Program‬‬

‫‪Figure 3 Components of BCM Program operations‬‬

The purpose of BIA is to identify and prioritize the activities which

While BIA assists in identifying some of the BC risks, a detailed and a

• Destructive loss of all or part of a building;

Interviews with relevant functional managers, employees .‫�اﳌﻌﻠﻮﻣﺎت‬

Likelihood/Probability – how likely are the identified risks to occur?

Impact Level Possible Impacts

‫‪Risk Value:‬‬ ‫اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‪ ،‬واﳌﻴﺎﻩ‪ ،‬وﻏ��هﺎ(‪.‬‬ ‫•‬

8.3.1. Determination and choice of BC strategy should be done on the basis

 Alternative Sites .‫• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬

 Resilient IT Architecture .‫• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ‬

 Communication and Media

Similarly alternate solutions for such resources .‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬

8.5. Business Continuity Plan (BCP)

8.5.1. The organization‫ﻗﻴﺎس�ﺗﻘﻴﻴﻢ‬

8.5.3. All Plans should contain.(‫ وﻏ��هﺎ‬،‫ واﳌﻴﺎﻩ‬،‫• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء‬

Items that should be available to boost awareness among specific teams in

 Policy and objectives

 Nature and reason of emergency, crisis or disaster

9.1.3. Annual BCM Evaluation Report

The purpose of a BC audit is to:

Management review involves assessment of improvement opportunities, and

In addition to the regularly scheduled management review, certain events can

Top management should review the organization BC Capability as per the

The output from a management review depends on whether it takes place

‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن‪ ،‬واﻟﻌﺎﻣﻠ�ن‪ ،‬واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬

You might also like

‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن‪ ،‬واﻟﻌﺎﻣﻠ�ن‪ ،‬واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬

‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن‪ ،‬واﻟﻌﺎﻣﻠ�ن‪ ،‬واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬

‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن‪ ،‬واﻟﻌﺎﻣﻠ�ن‪ ،‬واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬

‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن‪ ،‬واﻟﻌﺎﻣﻠ�ن‪ ،‬واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬

‫‪Management‬واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬ ‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى ‪Review‬‬

These guidelines are applicable .‫��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬

 Alternative Sites .‫• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ��اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ‬

Similarly alternate solutions for such resources .‫�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ��ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ‬

‫ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ��ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن‪ ،‬واﻟﻌﺎﻣﻠ�ن‪ ،‬واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ��ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ‬