Professional Documents
Culture Documents
Ae Scns Ncema 7001 2015 English
Ae Scns Ncema 7001 2015 English
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
ﺷ�ﻞ 3ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
-1ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
BUSINESS CONTINUITY
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ���ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ .و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ
MANAGEMENT
BUSINESS STANDARD
CONTINUITY
�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ:
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر
MANAGEMENT
) ( GUIDELINES
STANDARD
• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن.
ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ. •
) ( GUIDELINES
اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء ،واﳌﻴﺎﻩ ،وﻏ��هﺎ(. •
ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت ،ا��ﻮادم ،وﻏ��هﺎ(. •
ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت. •
اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو��. •
اﻟ��ﺰ�اﳌﺎ��. •
ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ. •
أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ. •
AE/SCNS/NCEMA 7001:2015
1
39 AE/SCNS/NCEMA 7001:2015
1
ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ:
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
ﺷ�ﻞ 3ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
-1ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ���ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ .و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ:
ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن. •
ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ. •
اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء ،واﳌﻴﺎﻩ ،وﻏ��هﺎ(. •
ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت ،ا��ﻮادم ،وﻏ��هﺎ(. •
ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت. •
اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو��. •
اﻟ��ﺰ�اﳌﺎ��. •
ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ. •
أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ. •
39
ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ:
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
ﺷ�ﻞ 3ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
-1ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ���ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ .و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ:
ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن. •
ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ. •
اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء ،واﳌﻴﺎﻩ ،وﻏ��هﺎ(. •
ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت ،ا��ﻮادم ،وﻏ��هﺎ(. •
ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت. •
اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو��. •
اﻟ��ﺰ�اﳌﺎ��. •
His Highness Sheikh ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ. •
أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ. •
Khalifa Bin Zayed Al Nahyan
ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن ،واﻟﻌﺎﻣﻠ�ن ،واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ
President of the United Arab Emirates
اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ���
Chairman of the Supreme Council for National Security
اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت ،واﻷﻧﻈﻤﺔ ،واﳌﻌﻠﻮﻣﺎت ،واﻟﻌﺎﻣﻠ�ن ،واﻷﺻﻮل ،واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ ،واﳌﻮارد
اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ.
39 3
ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ:
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
ﺷ�ﻞ 3ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
-1ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ���ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ .و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ:
ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن. •
ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ. •
اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء ،واﳌﻴﺎﻩ ،وﻏ��هﺎ(. •
ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت ،ا��ﻮادم ،وﻏ��هﺎ(. •
ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت. •
اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو��. •
اﻟ��ﺰ�اﳌﺎ��. •
His Highness Sheikh ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ. •
أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ. •
Mohammed Bin Rashid Al Maktoum
ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن ،واﻟﻌﺎﻣﻠ�ن ،واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ
Vice President and Prime Minister of the UAE and Ruler of Dubai
اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ���
Vice Chairman of the Supreme Council for National Security
اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت ،واﻷﻧﻈﻤﺔ ،واﳌﻌﻠﻮﻣﺎت ،واﻟﻌﺎﻣﻠ�ن ،واﻷﺻﻮل ،واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ ،واﳌﻮارد
اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ.
39 5
ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ:
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
ﺷ�ﻞ 3ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
-1ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ���ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ .و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ:
ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن. •
ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ. •
اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء ،واﳌﻴﺎﻩ ،وﻏ��هﺎ(. •
ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت ،ا��ﻮادم ،وﻏ��هﺎ(. •
ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت. •
اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو��. •
اﻟ��ﺰ�اﳌﺎ��. •
His Highness Sheikh ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ. •
أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ. •
Mohammed Bin Zayed Al Nahyan
ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن ،واﻟﻌﺎﻣﻠ�ن ،واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ
Crown Prince of Abu Dhabi
�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ��� اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ
Deputy Supreme Commander of the UAE Armed Forces
ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ ،واﳌﻮارد
Memberواﻟﺸﺮ�ﺎء واﻷﺻﻮل
of ،the واﻟﻌﺎﻣﻠ�ن،
Higher واﳌﻌﻠﻮﻣﺎت،
National واﻷﻧﻈﻤﺔ،
Security اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت،
Council
اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ.
39 7
ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ:
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
ﺷ�ﻞ 3ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
-1ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ���ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ .و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ:
ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن. •
ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ. •
اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء ،واﳌﻴﺎﻩ ،وﻏ��هﺎ(. •
ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت ،ا��ﻮادم ،وﻏ��هﺎ(. •
ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت. •
اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو��. •
اﻟ��ﺰ�اﳌﺎ��. •
His Highness Sheikh
ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ. •
���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦHazza Bin.
Zayed Al Nahyan أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء •
واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ واﻟﻌﺎﻣﻠ�ن،
National �ﻣﻊ�اﳌﻮﻇﻔ�ن،
Security ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى
Advisor
اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ���
اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت ،واﻷﻧﻈﻤﺔ ،واﳌﻌﻠﻮﻣﺎت ،واﻟﻌﺎﻣﻠ�ن ،واﻷﺻﻮل ،واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ ،واﳌﻮارد
اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ.
39 9
ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ:
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
ﺷ�ﻞ 3ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
United Arab Emirates
-1ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ���ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
)Management Authority (NCEMA
ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ .و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ:
ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن. •
ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ. •
اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء ،واﳌﻴﺎﻩ ،وﻏ��هﺎ(. •
ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت ،ا��ﻮادم ،وﻏ��هﺎ(. •
ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت. •
اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو��Guidelines . •
اﻟ��ﺰ�اﳌﺎ��AE/SCNS/NCEMA 7001:2015 . •
ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ. •
أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ. •
39 11
Use Key Use Key
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
1
39
12 01 1
01
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
The development
he development and issuance of and
theissuance of the
first version of first version of
this standard therough-
took Business Continuity
The development and issuance of the first version of the Business Continuity
Management Standard and Guidelines roughly eighteen months. The
Management
project ofwas
espectable number Standard
initiated
bodies, and Guidelines
in early
companies, roughly2009.
September
global experience eighteen months. The
A respectable
houses together projectofwas
number
initiated in specialists
early ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
with numerous bodies,
global
�ا��ﺎﻃﺮ ﻗﺒﻮلSeptember
companies, 2009.
tookinternational
part A respectable
in producing experience number
houses
thisﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ
Standard, of bodies,
under together companies,
with
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
international
numerous experience
international houses together
ا��ﺎﻃﺮ
specialists took with numerous
part in producinginternational specialists
the Standard,
under
took partthe leadershipthe
in producing andStandard,
supervision under of thethe National
leadership Emergency Crisis and
and supervision of the
Disasters
National Management
Emergency Authority
Crisis and Disasters (NCEMA)
Management that isAuthority
operating(NCEMA)under the that is
umbrella of the Supreme Council for National Security.
operating under the umbrella of the Supreme Council for National Security.
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
he second version of the standard was developed by a professional team
Due to the development in the Business Continuity Management field, the-1
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
Due to the development
second version of the in the BusinessContinuity
Business Continuity Management
Management field, the second
Standard –
trategic partners.
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل � �ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛﺮ �اﺳﺘﻤ
ﺮ �ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃ
version of the (AE/SCNS/NCEMA
Specifications Business Continuity Management
7000:2015) Standard
was officially – Specifications
released in 2015,
along with.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ
(AE/SCNS/NCEMA the development
7000:2015) of was theofficially
second versionreleased of in
these
2015, Guidelines
along withby a the
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
professionalof team
development from version
the second NCEMAof:�اﻟﺘﺎﻟﻴﺔ
and
these ﺮparticipation
Guidelines
�ﺣﺪوث�ا��ﺎﻃ from
�ﻣﺼﺎدرby experts and
a professional team
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر
professional bodies and strategic partners.
from NCEMA and participation from experts and professional bodies
ﻋﺪم�ﺗﻮﻓﺮand• strategic
.�اﻟﻌﺎﻣﻠ�ن
partners. .• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
Bodies participating in the specialized .(وﻏ��هﺎreview
، واﳌﻴﺎﻩ،)اﻟﻜهﺮ�ﺎء
of theاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ
Guidelines: • اﳌﺮ
Bodies participating in،ا��ﻮادم
.(وﻏ��هﺎ the specialized
،)ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎتreview of the Guidelines:
ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت •
Abu Dhabi Investment Authority
Commander ofAbu theDhabi
UAE Armed Federal Transport Authority - • ﻋﺪم�ﺗﻮﻓﺮ
.�اﳌﻌﻠﻮﻣﺎت
EmiratesInvestment
Nuclear EnergyAuthority
Corporation (ENEC)
Forces
Emirates
FinanceNuclear Energy–Corporation
Department Government (ENEC)
of Sharjah
.���ا�����واﻟﺪو • اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى
Abu Dhabi Polymers Company (Borouge)
Armed ForcesFinance Department – Government Ministry of ofEnergy
Sharjah .��• اﻟ��ﺰ�اﳌﺎ
Abu Dhabi National
Abu Dhabi Polymers Company Bank (Borouge)
Ministry of Economy .• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
DNV-GL
Council – AbuAbu Dhabi DhabiAbuNational
Dhabi Bank
Ventures Middle East .• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
AccountabilityDNV-GL
Authority (ADAA)
Ventures Authority
Middle East واﻷﻃﺮ،واﻟﻌﺎﻣﻠ�ن
ار�ﺔ
ﺮ �اﺳﺘﻤ
Ministry of Interiorﺮ اف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃ ،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
����ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ
Authority
Security State
واﳌﻮاردDepartment Chamber
، واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ،واﻷﺻﻮل of،واﳌﻌﻠﻮﻣﺎت
،واﻟﻌﺎﻣﻠ�ن Commerce and ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
،واﻷﻧﻈﻤﺔ
Industry .اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
Federal Authority for Nuclear
2
39 13 2
Table of Contents
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
Use Key 01
A- 1. General
Preface 12
02
Introduction
1.1. Purpose ﻗﻴﺎس�ﺗﻘﻴﻴﻢ 05
12
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
Definitions 08
1.2. Risponsibilities ا��ﺎﻃﺮ 12
A-1. General 12
1.1.1.3.Purpose
Controls set by Legislaties 13
12
1.2.1.4.Responsibilities
Plans and Procedures 13
12
A- 2. Controls
1.3. set by Legislative
Applicability Bodies ﻣﺴﺎر3 ﺷ�ﻞ
�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ 13
13
1.4. Plans and Procedures 13
A- 3. Responsibility Level 14 -1
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
A-2. Applicability 13
A- 4. Scope
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
A-3. Responsibility Level � �ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ ﺮ �اﺳﺘﻤ ﺮ 14
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃ
14
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ
A-4. 4.1.Scope.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
Scope of the Guideline اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
14
14
4.1.4.2.Scope of the Guideline
Organization’s Scope of Business :�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
Continuity �ﻣﺼﺎدر 14
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر
Capability 15
4.2. Organization’s Scope of Business Continuity Capability 15
A- 5. Business Continuity Program establishment . • ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن16
A-5. Business Continuity Program establishment 16
.• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
5.1.5.1.Understanding
Understanding thethe organization
organization 17
17
.( وﻏ��هﺎ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
5.2.5.2.TopTop
Management
Management Commitment
Commitment 18
18
A-6. Business .(وﻏ��هﺎ ،ا��ﻮادم
Continuity ،�اﻟﺒﻴﺎﻧﺎتﺰ
Capability )ﻣﺮﻛ ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت • 22
A- 6. Business Continuity Capability 22
A-7. BCM Documentation and Records . • ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت22
A- 7. BCM Documentation and Records 22
7.1. Required Documents .�� • اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو22
7.2.7.1.Controlling
RequiredBCM Documents
documentation and record .�� • اﻟ��ﺰ�اﳌﺎ22 23
A-8. 7.2.
Business ContinuityBCMManagements
documentationProgram Operations 25
Controlling and record . • ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ23
8.1. Business Impact Analysis 27
A- 8. Business Continuity Managements .���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ Program Operations
أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء • 25
8.2. Risk Assessment 30
8.3.8.1.Business
Business Impact Analysis
Continuity (BC) Strategies 27
39
واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
8.4.8.2.Incident
Risk Assessment
Response Plan 30
48
���اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
8.5. Business Continuity Plan (BCP) 50
39
واﳌﻮارد8.3. Business
،ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ Continuity (BC)
واﻟﺸﺮ�ﺎء،واﻷﺻﻮل Strategies
،واﻟﻌﺎﻣﻠ�ن ، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
8.6. Media Response plan 52
8.4. Incident Response Plan .�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ48
اﻷﺧﺮى
8.7. Awareness and training 54
8.5. Business Continuity Plan (BCP) 50
8.6. Media Response plan 52
3
39
14
Table of Contents
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
4
39
14
Introduction
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
���اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
واﳌﻮارد، واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ، واﻷﺻﻮل، واﻟﻌﺎﻣﻠ�ن، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
.اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
5
39 05 17
5
Introduction
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
���اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
واﳌﻮارد، واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ، واﻷﺻﻮل، واﻟﻌﺎﻣﻠ�ن، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
.اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
6
39 05 17 6
ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ:
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
ﺷ�ﻞ 3ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
-1ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ���ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ .و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ:
ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن. •
ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ. •
اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء ،واﳌﻴﺎﻩ ،وﻏ��هﺎ(. •
ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت ،ا��ﻮادم ،وﻏ��هﺎ(. •
ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت. •
اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو��. •
اﻟ��ﺰ�اﳌﺎ��. •
ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ. •
أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ. •
7
39
Definitions :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
Term Definition
A
process,
service,
procedure,
product,
task,
or
combination
of
them
that
Activity
are
managed
by
organization.
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮAn
organized,
autonomous
and
ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ documented
form
of
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
activity
of
an
Audit organization
conducted
by
an
independent
body
in
order
to
comply
to
ا��ﺎﻃﺮ
the
BCM
Standard
Development
of
understanding
of
primary
Business
Continuity
Management
risks
and
issues.
Awareness
enables
the
workforce
to
Awareness identify
threats
and
responding
�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ ﻣﺴﺎرp3romptly
ﺷ�ﻞand
appropriately.
Awareness
is
created
among
employees
in
the
organization
and
it
is
less
formalized
as
compare
to
training.
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
The
ability
of
the
organization
to
continue
its
prioritized
activities
at
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
Business Continuity (BC) ���ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ
predetermined
level
after
the
occurrence
of
disruptive
incident.
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
A
comprehensive
management
process,
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
which
highlights
possible
threats
and
impact
of
such
threats
:ﺮ�اﻟﺘﺎﻟﻴﺔo�ﺣﺪوث�ا��ﺎﻃ
n
business
رo�ﻣﺼﺎد
perations
of
the
organization.
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر
Business Continuity
The
identification
of
threats
assists
to
develop
organizational
resilience,
Management (BCM) .• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
toward
these
threats,
and
an
effective
and
suitable
response
that
will
protect
the
stakeholders’
.ﻣﻨﮫ �اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء
interest,
ا��ﺴﺎﺋﺮ
brand
name
and
reputation.
•
Business Continuity It
is
a
component
.(وﻏ��هﺎ
of
overall
organizational
،واﳌﻴﺎﻩ management
،اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء اﳌﺮsystem,
• which
Management Program establishes,
implements,
operates,
reviews,
monitors,
maintains
and
.( وﻏ��هﺎ، ا��ﻮادم،• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت
(BCM Program) improves
business
continuity
capability.
Set
of
procedures
in
a
documented
form,
.�اﳌﻌﻠﻮﻣﺎت which
dﺮirect
ﻋﺪم�ﺗﻮﻓ •
the
organization
to
Business Continuity Plan react,
recover,
restore
and
restart
.���ا�����واﻟﺪو the
predetermined
level
o•f
operations
اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى
after
the
interruption.
.��• اﻟ��ﺰ�اﳌﺎ
It
is
the
major
document
that
identifies
the
governance
and
scope
of
Business Continuity .�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ ﻋﺪم�ﺗﻮﻓﺮ •
business
continuity
plan
along
with
BCM
objectives
and
highlights
the
Policy
cause
of
its
implementation.
.���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء
Business Continuity The
method
of
an
organization
to
plan
in
order
to
recover
and
continue
Strategy after
a
dﺮisruptive
اف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ event.
واﻷﻃ،واﻟﻌﺎﻣﻠ�ن ،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
Business Impact It
is
the
process
for
analyzing
business
activities
and
the
impacts
of
���اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
Analysis (BIA) disruptive
incidents
that
may
happen
over
time.
واﳌﻮارد، واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ، واﻷﺻﻮل، واﻟﻌﺎﻣﻠ�ن، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
Capacity
to
apply
skills,
resources
and
knowledge
to
accomplish
desired
Competence .اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
goals.
Continual Improvement Consistent
activities
to
increase
the
performance
level.
8
39
8
Term Definition :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
9
39
9
Term Definition :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
Activities
that
are
critical
and
must
be
given
priority
when
recovering
Prioritized Activities
from
a
disruptive
incident
in
order
to
reduce
the
impacts
It
is
a
set
of
interdependent
actions
that
convert
inputs
into
finished
Process
products
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
Resources
ا��ﺎﻃﺮ include
information,
skills,
people,
technology,
assets
and
Resources premises,
which
are
obtain
and
used
by
an
organization
to
achieve
its
organizational
goals
and
objective.
Recovery Retrieval
or
recapturing
of
normal
or
prior
state.
A
strategy
t�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ ﻣﺴﺎر
hat
is
used
by
an
3 ﺷ�ﻞto
make
sure
it’s
regaining
or
organization
Recovery Strategies
continuing
after
an
incident.
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
The
extent
to
which
an
organization
can
afford
and
bear
the
risks
and
Risk Appetite
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل ��ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ
neutralize
these
risks
to
eliminate
the
threats.
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮ
Recovery Time Time
span
after
the
occurrence
of
an
ﺮincident
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ in
which
an
activity
or
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤ
Objective (RTO) product
should
be
restarted
or
resources
and
assets
should
be
regained.
:ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
Risk Assessment The
process
in
which
risks
is
identified,
analyzed
and
evaluated.
.ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن •
Risk The
impacts
of
uncertainties
on
organizational
goals.
.�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ ا��ﺴﺎﺋﺮ •
An
official
declaration,
.(وﻏ��هﺎw،واﳌﻴﺎﻩ
hich
c،)اﻟﻜهﺮ�ﺎء
ommunicates
that
emergency
اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ • اﳌﺮsituation
is
Stand Down
.(وﻏ��هﺎcontrolled
، ا��ﻮادم،�اﻟﺒﻴﺎﻧﺎت and
no
further
invocation
of
plans
is
required.
• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ
Group
of
individuals
sitting
at
the
top
of
the
organization
and
plays
the
Top Management .• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت
role
to
guide
and
control
the
organization.
This
is
an
activity
or
a.���ا�����واﻟﺪو اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى
ction
that
is
undertaken
to
gauge
the
capabilities
• or
Test effectiveness
of
a
strategy
or
plan
against
a
predetermined
criteria
or
.��• اﻟ��ﺰ�اﳌﺎ
benchmark.
This
activity
is
more
formalized
as
compared
.�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ ﻋﺪم�ﺗﻮﻓﺮIt
• purports
to
to
awareness.
Training build
skills
and
k.���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
nowledge
to
increase
the
performance
of
staff
أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء • regarding
a
specific
function.
اف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ
SMART Objectives واﻷﻃﺮ
Specific,
، واﻟﻌﺎﻣﻠ�ن،�ﻣﻊ�اﳌﻮﻇﻔ�ن
Measurable,
ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى
Achievable,
Relevant
and
Times
objectives.
���اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
واﳌﻮارد، واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ، واﻷﺻﻮل، واﻟﻌﺎﻣﻠ�ن، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
.اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
10
39
10
ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ:
Business Continuity Management Action Model
Understanding the
Organization
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
Top Management
Commitment
BCM Program Establishment
ﺷ�ﻞ 3ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
Business Impact
Analysis -1ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
Incident Response
Planﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ���ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤ
Development
Continual Improvement
Plans
Risk Assessment
Plan
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ:
Media Response
Business Continuity �اﻟﻌﺎﻣﻠ�ن.
ﻋﺪم�ﺗﻮﻓﺮ
Plan •
Strategy
ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ. •
Awareness اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎءand ،
واﳌﻴﺎﻩ ،وﻏ��هﺎ(. •
Training
ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت ،ا��ﻮادم ،وﻏ��هﺎ(.
Tests and Exercises
•
ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت. •
BCM Program Operations
اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو��. •
اﻟ��ﺰ�اﳌﺎ��. •
Annual Review and
Internal Audit ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ. •
أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ. •
11
39 13 25
A-1. General :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
1.1. Purpose
واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
���اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
واﳌﻮارد، واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ، واﻷﺻﻮل، واﻟﻌﺎﻣﻠ�ن، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
.اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
12
39
12
1.3. Controls set by Legislative Bodies :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
13
39
13
A-3. Responsibility Level :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
The Top Management remains the decisive body and the driving force that
endorses the success of the implementation of a BCM Program within the
organization. Top Management should provide their leadership, commitment
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
and all the resources required
ا��ﺎﻃﺮto implement and validate the BCM Program.
Moreover, the commitment and support of Top Management is required not
only during the initiation of the BCM Program but also during the entire
implementation of the BCM Program.
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
Top Management can evident their commitment by:
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
Understanding their role in the BCM Program and communicating
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ���ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
the importance of BC in the organization
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ.اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
Ensuring the availability of resources required to implement the BCM
Program :ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
Conducting periodic management reviews. .• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
.• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
Top Management can define appropriate competencies
.( وﻏ��هﺎ، واﳌﻴﺎﻩ،)اﻟﻜهﺮ�ﺎء and responsibilities
اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ• اﳌﺮ
to other levels in order to implement the BCM Program. This standard,
.( وﻏ��هﺎ، ا��ﻮادم،• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت
along with these guidelines, offers the minimum requirements needed for a
.• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت
BCM Program.
.��• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو
A-4. Scope .��اﻟ��ﺰ�اﳌﺎ •
4.1. Scope of the Guideline .ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ •
14
39
14
Continuity Management Standard – Specifications AE/SCNS/NCEMA
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
7000:2015” to demonstrate conformance to others.
15
39
15
BCM Maturity: What level of BCM Program maturity:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
does the
organization currently possess
Geographical Location: Locations, facilities, and environment
Governments directives, standards, regulatory or legal requirements
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
shall
�ا��ﺎﻃﺮﻗﺒﻮلbe fulfilled. ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
4.2.2. The organization’s scope for business continuity should include all
activities required to maintain its prioritized activities.
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
The scope document should identify but not be limited to:
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
Agreed-upon objectives and business priorities;
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ���ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
The deliverables required during the project and delivery times of
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ.اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
primary and final products;
Any assumptions whereby :�اﻟﺘﺎﻟﻴﺔ �ﺣﺪوث�ا��ﺎﻃﺮ
risk or ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر
impact statements can be
provided; .• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
Locations and / or activities to.ﻣﻨﮫbe�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء
included in or excluded;• ا��ﺴﺎﺋﺮ
The organizational structure .(وﻏ��هﺎof the،)اﻟﻜهﺮ�ﺎء
،واﳌﻴﺎﻩ organization’s BCM ﺮProgram
اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ • اﳌ
(roles and،ا��ﻮادم
.(وﻏ��هﺎ responsibilities).
،• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت
.• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت
A-5. Business Continuity Program establishment
.��• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو
Top Management is responsible for the establishment of.���اﳌﺎ the BCM• Program
اﻟ��ﺰ
and may appoint a BC Manager or Head of BC. The BC Manager or Head of BC
.• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
is responsible for implementation and maintaining the BCM Program.
.• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
Depending on the size of the organization, it may be a full or part-time duty.
واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
To emphasize the importance of duties and responsibilities associated with the
���اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
BCM Program, the position should have specific BC elements incorporated into
واﳌﻮارد، واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ، واﻷﺻﻮل، واﻟﻌﺎﻣﻠ�ن، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
the job description, including fulfillment of duties taken into consideration as
.اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
part of the annual job performance review.
16
39
16
5.1. Understanding the organization :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
5.1.1. Identify all processes, relations, partnership, and supply chains with
interested parties.
5.1.2. The overall risk which the organization
�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ ﻣﺴﺎر3 ﺷ�ﻞis willing to undertake.
5.1.3. While implementing the BCM Program certain external and internal
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
issues may affect the desired outcomes of the BCM Program.
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ���ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
Internal
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ issues are factors that occur within an ﺮorganization
.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ such as:
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤ
Organizations financial changes :ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
Changes in the Top Management .• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
Employee morale .• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
Change in the culture of the organization
.( وﻏ��هﺎ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
.( وﻏ��هﺎ، ا��ﻮادم،• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت
External issues are factors that take place outside the organization and are
harder to predict and control, such as: .• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت
Changes to the economy .��• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو
Threats from competition .��• اﻟ��ﺰ�اﳌﺎ
Political factors .• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
Government regulations .• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
The industry itself
واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
5.1.4. Identify the needs and
����ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ expectations of the addressed interested
اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ
واﳌﻮاردparties and their
،ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ legal
واﻟﺸﺮ�ﺎء and،واﻟﻌﺎﻣﻠ�ن
،واﻷﺻﻮل regulatory
،واﳌﻌﻠﻮﻣﺎتrequirements. All contractual
، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
obligations with suppliers, service providers or.�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
others should be setاﻷﺧﺮى along
with other legislative obligations, in accordance with the laws and
regulations and any regulatory obligations.
17
39
17
5.2. Top Management Commitment :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
Commitment from the Top Management is one of the main factors for a
successful implementation the BCM Program.
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
�ا��ﺎﻃﺮ
5.2.1. Topﻗﺒﻮل
Managements commitments should ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ
be evidencedﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
through:
ا��ﺎﻃﺮ
Establishing a BC Policy and Objectives
Ensuring the BCM Objectives are met
Assigning roles and responsibilities
allocating the resources for implementing
�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ ﻣﺴﺎر3 ﺷ�ﻞthe BCM Program
Actively participating in selection of the BC Strategy
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
Actively engaged in exercising and testing
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ���ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
Ensuring internal BCM Programs audits are conducted
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ.اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
Conducting effective management reviews of the BCM Program
Directing and supporting improvement:�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
ofرBCM
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎد
Program.
.• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
5.2.2. Top Management should .ﻣﻨﮫ ensure that the organization’s
�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء
• ا��ﺴﺎﺋﺮ BCM
objectives are identified. The BCM .(وﻏ��هﺎObjectives should:
، واﳌﻴﺎﻩ،)اﻟﻜهﺮ�ﺎء • اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ
Be aligned with the
.( وﻏ��هﺎ،ا��ﻮادم organizational
،�اﻟﺒﻴﺎﻧﺎت strategic objectives
ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ •
Determine Minimum Business Continuity Objective (MBCO)
.• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت
SMART and be set as a performance indicator in the BCM Program.
.��• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو
5.2.4.
�اﺳﺘﻤﺮار�ﺔ Refer to AE/SCNS/NCEMA ،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
واﻷﻃﺮ،واﻟﻌﺎﻣﻠ�ن7000:2015
اف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ Specifications Clause 5.2.4.
���اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
واﳌﻮارد5.2.5. The responsibility
،ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ واﻟﺸﺮ�ﺎء،لof the،واﻟﻌﺎﻣﻠ�ن
واﻷﺻﻮ Top Management is to ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
، واﳌﻌﻠﻮﻣﺎت،واﻷﻧﻈﻤﺔ assign qualified
experienced personnel to implement, maintain.�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
and continually improve اﻷﺧﺮىthe
BCM Program. Assigned personnel should receive relevant trainings to
fulfill their responsibilities in maintaining and operating the organization’s
BCM Program.
18
39
18
5.2.6. Different members from each department of the organization maybe
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
identified to assist in the implementation of the BCM Program depending
on the size and complexity of the organization. Their BCM roles and
responsibilities may be collaborated with their daily jobs. The minimum
required ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ل�ا��ﺎﻃﺮroles
ﻗﺒﻮand responsibilities of theﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ
Business Continuity Management
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
team who would be accountable
ا��ﺎﻃﺮ and responsible to establish, implement,
operate and maintain the BCM Program detailed as below:
BCM Manager
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
Establish and demonstrate commitment to BCM Policy
Responsible for all BCM Program activities ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
Nominate the BCM team��ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل with appropriate seniority and authority
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮ
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩthat is accountable for BC Policy and implementation
.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
Facilitate approval of all BC plans, exercises and strategies
:ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
Raise recommendations of BCM Team and BCM representatives
.• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
during management review meetings
.• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
Incident Response Manager .( وﻏ��هﺎ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
Participate in the،�اﻟﺒﻴﺎﻧﺎت
.( وﻏ��هﺎ،ا��ﻮادم development of the Incident Response Plan•
ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ
Ensure that Incident Response Plan is regularly updated
.�اﳌﻌﻠﻮﻣﺎت • ﻋﺪم�ﺗﻮﻓﺮ
Ensure safety procedures .���ا�����واﻟﺪو
for all resources including personnel
اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى • during
a crisis
.��• اﻟ��ﺰ�اﳌﺎ
Raise incident response awareness to staff across the organization
.• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
Be the main point of contact between the incident response teams
.• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
Progress updates on damage assessment
Manage the incident response process
واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
���اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
واﳌﻮارد، واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ، واﻷﺻﻮل، واﻟﻌﺎﻣﻠ�ن، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
.اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
19
39
19
BCM Team :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
Accountable to establish, implement, operate and maintain the BCM
Program.
Overall responsibility for the maintenance of the BCM
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
documentation
�ا��ﺎﻃﺮ ﻗﺒﻮل for any improvements in the BCM Program.
ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
Ensure conduct of reviews on all aspects for the BCM Program.
Assess preparedness of different departments for meeting the
recovery strategies and BCM objectives.
Organize and coordinate the BCM
�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ awareness
ﻣﺴﺎر 3 ﺷ�ﻞ programs.
Create the annual exercise program and seek approval from
appropriate authority and distribute it to all concernedﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ stakeholders -1
of the BCM Program.
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل ���ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ
To
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ ensure BCM exercises, internal auditsﺮifاﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤ
.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ any and management
reviews are carried out periodically. :ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
Maintain relation with departments and liaise withﺮvarious
.�اﻟﻌﺎﻣﻠ�ن • ﻋﺪم�ﺗﻮﻓ
departments during crisis.
.• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
Constantly update the Top Management on the status of resumption
.( وﻏ��هﺎ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
and recovery.
Liaise .(وﻏ��هﺎ ، ا��ﻮادم،�اﻟﺒﻴﺎﻧﺎت
for obtaining status)ﻣﺮﻛﺰonﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت
damage assessment and recovery •
progress from the concerned teams. .• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت
Track incidents as applicable for their
.���ا�����واﻟﺪو root cause analysis and
اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى • to
update log relating to lessons learned .��• اﻟ��ﺰ�اﳌﺎ
Facilitate the efforts of BCM departments.�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ representatives
ﻋﺪم�ﺗﻮﻓﺮ/ •
Champions for the respective department
.• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
Internal
�اﺳﺘﻤﺮار�ﺔ sectors / Departments
واﻷﻃﺮ،واﻟﻌﺎﻣﻠ�نrepresentatives
اف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ / Champions
،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
Responsible for maintaining
����ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ documents and update details
اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ
periodicallyواﻟﺸﺮ�ﺎء
واﳌﻮارد،ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ pertaining
،واﻷﺻﻮلto،واﻟﻌﺎﻣﻠ�ن
their department
، واﳌﻌﻠﻮﻣﺎت،واﻷﻧﻈﻤﺔas and when required or
،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
directed by BCM Manager, e.g., changes to the procedural
.�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ flow
اﻷﺧﺮى
impacting business, personnel roles and responsibilities etc.
Responsible for keeping the head of BCM updated on the status of
BCM Program pertaining to their department.
20
39
20
Responsible for all follow up of activities related to BCM Program,
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
reports like (Business Impact Analysis , Risk Assessment , Recovery
Strategies, Exercise results) and maintain them as per respective
department.
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
Responsible
�ا��ﺎﻃﺮ ﻗﺒﻮل for ensuring that vendors maintain BCM
ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ requirements
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
for their outsourced activities.
Liaise with all concerned within their department to conduct BCM
exercise as per the schedule and maintains records of such exercise.
Responsible for �ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
updating the ﻣﺴﺎر BCM3 ﺷ�ﻞ head and other dependent
departments of changes made within their department.
Responsible for tracking the incidents pertaining to their ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
department-1
for their root cause analysis
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل and updating data �اﺳﺘﻤﺮbase
��ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ relating to
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩlessons learned.
.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
Responsible for implementation of Preventive
:�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ Action and Corrective
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر
Action plans and updates BCM Manager / BCM team.
.�اﻟﻌﺎﻣﻠ�ن
• ﻋﺪم�ﺗﻮﻓﺮ
.• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
Relevant interested parties
.( وﻏ��هﺎ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
Role of interested parties will based on the organization prioritized
.( وﻏ��هﺎ، ا��ﻮادم،• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت
activities.
Relevant interested parties. Roles and responsibilities . ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎتshould
• be
communicated within the .���ا�����واﻟﺪو
organization (if applicable).
اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى •
.��• اﻟ��ﺰ�اﳌﺎ
5.2.7. Developing and implementing a governance framework is on the
.• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
important success factors for BCM Program, there is no “one size fits all”
.• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
governance framework. According to the size, nature, of an organization
should establish its governance framework. Components of a governance
واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
framework are but not limited to:
���اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
Reporting structure for effective implementation
واﳌﻮارد، واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ، واﻷﺻﻮل، واﻟﻌﺎﻣﻠ�ن، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
Defined roles and responsibilities
.اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
Clear project management methodology
BCM Program implementation plan
21
39
21
A-6. Business Continuity Capability ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ:
Each United Arab Emirates organization should assume the responsibility of
defining and documenting its “fit-for-purpose” business continuity capability
that ensures performance of prioritized activities and services during
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
emergencies, crisis and disasters.
ا��ﺎﻃﺮ
22
39
22
7.1.2 Organization should maintain a documentary record:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ of BCM Program
implementation. Organization’s BCM Programs documents should at least
contain, and not be exhaustive to, the following:
a. Context of Organization
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
b. Objectives
�ا��ﺎﻃﺮ ﻗﺒﻮل and Policy of BCM ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
c. Roles and Responsibilities
d. External and internal issues and interested parties
e. Competency of personnel
f. Business Impact Analysis (BIA)
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
g. Business Impact Analysis Methodology
h. Business Impact Analysis Report ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
i. Risk Assessment (RA)
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل���ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ
j. Risk
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ Assessment Methodology
.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
k. Risk Assessment Report
:ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
l. Business Continuity Strategies
.• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
m. Incident Response plan (IRP)
n. Business Continuity Plan (BCP) .• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
o. Media Response Plan (MRP) .( وﻏ��هﺎ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
p. Awareness and Training
.( وﻏ��هﺎ،ا��ﻮادم records
،)ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت •
q. Test and Exercises record .ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت •
r. Internal Audit record
.��اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو •
s. Management Review record
.��اﻟ��ﺰ�اﳌﺎ •
t. Corrections and corrective actions
u. Regulatory requirements .ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ •
.أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ •
7.2. Controlling BCM documentation and record
واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
7.2.1 The following key points
����ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ can be considered when developing and
اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ
واﳌﻮاردmanaging the BCM
،ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ documentation
واﻟﺸﺮ�ﺎء and،واﳌﻌﻠﻮﻣﺎت
، واﻷﺻﻮل،واﻟﻌﺎﻣﻠ�ن records: ، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
.اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
a. BCM documentation should be prepared in an understandable way
and should focus on providing and maintaining the effectiveness of
its preparedness and response to business continuity.
23
39
23
b. The intensity of the BCM Program may vary from organization to
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
organization normally on the basis of the organization’s size and
structure, work, nature, the extent of the services provided and the
employees’ skills in handling emergencies, occurring crisis and the
management
�ا��ﺎﻃﺮ ﻗﺒﻮل of ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
Business Continuity. ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
c. BCM documentations should be effective enough to provide
ا��ﺎﻃﺮ
comprehensive support in generating operational and
auditing/reviewing the details.
d. Frequent reviews should be conducted. If any amendment, addition
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
on or cancellation is made to the documents, they should be
reapproved by the Top Management. ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
e. BCM documents should be
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل easy to retrieve. Copies
��ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ ofﺮthe
�اﺳﺘﻤﺮ BC Plans
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃ
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩand all other important documents should
.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ be available on the
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
primary and alternative locations (if any), as well as in all
:ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
organizations branches.
f. If documentation or information from external .�اﻟﻌﺎﻣﻠ�ن
ﻋﺪم�ﺗﻮﻓﺮ
sources • such
is used,
sources should be mentioned..• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
g. A documentation control and،واﳌﻴﺎﻩ
.(وﻏ��هﺎ distribution system should
،اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء اﳌﺮbe created
•
to ensure that all،�اﻟﺒﻴﺎﻧﺎت
.( وﻏ��هﺎ،ا��ﻮادم copies retained
)ﻣﺮﻛﺰ in all locations are properly•
ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت
updated. .• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت
h. Interpreting the relevant documents/information into more than one
.��• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو
dialect by considering the organizations’ structure, nature and
.��• اﻟ��ﺰ�اﳌﺎ
language of its workforce, particularly those people who are chiefly
engaged in execution of the business continuity .�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ ﻋﺪم�ﺗﻮﻓﺮ
plans and/or•
entrusted with particular responsibilities.
.���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ • أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء
i. Ensuring the consistent compliance of the documents with the
اف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ
NCEMA Standard واﻷﻃﺮ ، واﻟﻌﺎﻣﻠ�ن،�ﻣﻊ�اﳌﻮﻇﻔ�ن
specifications ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى
(AE/SCNS/NCEMA 7000:2015).
���اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
واﳌﻮارد، واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ، واﻷﺻﻮل، واﻟﻌﺎﻣﻠ�ن، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
.اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
24
39
24
ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮA-8. Business Continuity Managements Program Operations :
25
39
25
Additional groups may be created to facilitate the development of the BCM
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
Program. These comprise of:
BCM Steering Committee – A Top Management group consisting of
executives, officers or section heads, whose responsibility is to
provide ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
�ا��ﺎﻃﺮ ﻗﺒﻮلadvice, guidance and management
ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮsupervision.
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
Incident Management Team – A team involved in incident response,
whose responsibility is to resolve coordination issues and provide
assistance in the management of the incident.
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
All staff who has been assigned to positions and dutiesﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ or roles -1and
responsibilities in the BCM Program
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل should be equipped
��ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ�اﺳﺘﻤﺮwith awareness,
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ
education,
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ and training so that they can accomplish
.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ their responsibilities in
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
maintaining and operating the BCM Program of the organization.
:ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
Confirmation of the effectiveness of the BC Capability of the organization
.• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
can be provided through audited reports and post exercise reports
.• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
.( وﻏ��هﺎ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
Outcomes of a BCM Program:
Outcomes.(وﻏ��هﺎ
of an،ا��ﻮادم ،�اﻟﺒﻴﺎﻧﺎت
effective BCM )ﻣﺮﻛﺰ ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت
Program may include the following:•
Staffs are trained to respond effectively to .�اﳌﻌﻠﻮﻣﺎت a disruption
• ﻋﺪم�ﺗﻮﻓﺮ
Enables incident management capability
.���ا�����واﻟﺪو of the organization•
اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى
Regulations from government authorities and emergencies .��• اﻟ��ﺰ�اﳌﺎare
properly developed, understood and documented .• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
Compliance of the organization with its legal and regulatory is
.• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
maintained
Interested parties’
اف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ requirements
واﻷﻃﺮ،واﻟﻌﺎﻣﻠ�ن areﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى
،�ﻣﻊ�اﳌﻮﻇﻔ�ن well understood
The organization understands
����ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ its prioritized activities.
اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ
Protectionواﻟﺸﺮ�ﺎء
واﳌﻮارد،ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ of the،لorganization’s reputation
واﻷﺻﻮ، واﻟﻌﺎﻣﻠ�ن،واﳌﻌﻠﻮﻣﺎت ، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
Adequate communication and support to.�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
staff in the event of ىaاﻷﺧﺮ
disruption.
26
39
26
8.1. Business Impact Analysis :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
Introduction
The Business Impact Analysis (BIA) is the process for analyzing business
activities and the impacts of disruptive incidents that may happen over
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
time. It provides information
ا��ﺎﻃﺮfrom which relevant business continuity
strategies for continuity are determined.
Techniques
�اﺳﺘﻤﺮار�ﺔ to collectﺮBIA
اف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ واﻷﻃ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
Depending on the nature, ﺮsize,
����ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ and the complexity of the organization,
اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃ
واﳌﻮاردcollecting BIA data
،ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ techniques
واﻟﺸﺮ�ﺎء may vary
، واﻷﺻﻮل،واﻟﻌﺎﻣﻠ�ن from one
،واﳌﻌﻠﻮﻣﺎت organization
،واﻷﻧﻈﻤﺔ to another.
،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
.اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
27
39
27
One-on-one interviews :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
This approach enables an organization to have an active interaction with
the staff, to investigate, and to formulate questioning to obtain the
required information.
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
Management / supervisor workshops
Data collection workshops can prove to be an effective and efficient mode
of collecting required data. Determine the suitable/appropriate level of
participating persons. Identify workshop completion criteria to ensure that
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
the facilitator and participants have clear idea about what is expected out
of them, what are the required outcomes, and how the workshop will come
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ -1
to a conclusion.
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
���ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ.اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
Questionnaire
:ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
The most common method utilized for data collection is the questionnaire.
.• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
BIA questionnaires must be designed with utmost care to ensure that the
right questions are asked and they .ﻣﻨﮫ are�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء
easily understood ﺮinا��ﺴﺎﺋ its real• context.
After collecting the information through
.( وﻏ��هﺎ،واﳌﻴﺎﻩ questionnaires,
،)اﻟﻜهﺮ�ﺎء اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔface• to face
interviews.(وﻏ��هﺎ
must،ا��ﻮادم
be conducted to ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت
،)ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت clarify doubts arising from any answer. •
.ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت •
BIA Information analysis .��• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو
In order to identify critical information and processes, .���اﳌﺎ as well
اﻟ��ﺰas •potential
disaster impacts, the information gathered during BIA must be evaluated
.• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
and analyzed thoroughly. The information gathered from BIA should
.• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
include:
Validation procedure
ﺮ�اﺳﺘﻤﺮار�ﺔاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃ should
واﻷﻃﺮ،واﻟﻌﺎﻣﻠ�ن be carried
،�ﻣﻊ�اﳌﻮﻇﻔ�ن out in order to ensure the
ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى
information gathered from the BIA
���اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
Detailed and
واﳌﻮارد،ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ comprehensive
واﻟﺸﺮ�ﺎء ، واﻷﺻﻮل،واﻟﻌﺎﻣﻠ�نunderstanding
، واﳌﻌﻠﻮﻣﺎت،واﻷﻧﻈﻤﺔof ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
organization’s
prioritized activities and services
.اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
Identification of activities that provide support to such prioritized
activities provided.
28
39
28
Assessing the potential impacts of a disruption on these activities.
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
When assessing impacts, the following should be address:
Adverse effects on staff or public well-being;
Consequences of breaching legal or regulatory requirements;
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
Impact
�ا��ﺎﻃﺮ ﻗﺒﻮلon the reputation ; ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
Financial Impact; ا��ﺎﻃﺮ
Operational Impact
Estimating how long it would take for the impacts to become
unacceptable ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
Identifying dependencies between activities; and identifying each
activity’s dependency on supporting resources, including ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
suppliers -1
and other relevant interested
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل parties.
��ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ �ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮ
The prioritized timeframe for resuming an
.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ activity may be referred
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
to as Recovery Time Objective :(ﺮ�اﻟﺘﺎﻟﻴﺔRTO). The�ﻣﺼﺎدر
�ﺣﺪوث�ا��ﺎﻃ RTOرmay take into account
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎ
dependencies of interrelated activities and the time
.�اﻟﻌﺎﻣﻠ�ن within which
ﻋﺪم�ﺗﻮﻓﺮ •
the impacts of not resuming the activity would become acceptable.
.• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
Outcomes of BIA
.( وﻏ��هﺎ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
BIA findings are properly documented in a formal report; a typical BIA
.( وﻏ��هﺎfollowing:
report includes ، ا��ﻮادم،• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت
Project Overview .• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت
Executive summary .��• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو
Scope .��• اﻟ��ﺰ�اﳌﺎ
Data collection and analysis methodology.• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
Summary of BIA findings
.• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
Detailed BIA findings (by departments)
Charts and graphs
اف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ واﻷﻃﺮto illustrate
،واﻟﻌﺎﻣﻠ�ن potential
،�ﻣﻊ�اﳌﻮﻇﻔ�ن impacts (e.g., financial,
ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى
information, operational,
����ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ reputational, regulatory )
اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ
Recommendations
واﳌﻮارد،ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ واﻟﺸﺮ�ﺎء، واﻷﺻﻮل، واﻟﻌﺎﻣﻠ�ن، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
Future Steps .اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
Appendices may include:
BIA Impact Criteria
BIA Attendees
29
39
29
Report presentation to Top Management :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
After the BIA outcomes have been documented and consolidated, the
formal BIA report must be presented to the Top Management as per the
approved mechanisms of the organization.
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
8.2. Risk Assessment ا��ﺎﻃﺮ
30
39
30
1. Risk Identification :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
The business continuity risk identification is based on the results of the
business impact analysis. This analysis specifies the business services carried
out by BCM Team or Section, and specifies their importance in terms of
prioritized ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
�ا��ﺎﻃﺮactivates.
ﻗﺒﻮل For these services, the following
ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮsources of risk shall be
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
considered: ا��ﺎﻃﺮ
• Unavailability of staff;
31
39
31
2. Risk Analysis :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
Risk Analysis Scales
All risks that have been identified need to be analyzed to assess their severity to
ensure that the most important risks are treated first. All risks that have been
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
identified�ا��ﺎﻃﺮ
are aلcompound
ﻗﺒﻮ of ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
Impact – how big is the impact of the risk occurring to organization’s business and
to the objectives?
32
39
32
The following table (2) shows an example of samples of impacts related to the
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
various parts to support the identification of the right impact level:
Moreover, further categories to risks may be added that suits the needs of the
organization, Table (3) shows examples of risk categorization and related risks:
33
39
33
ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ:
Risk Category Relative Risks
Process Delay
Absence of key staff
Operations Procedural Flaws
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ Process Non Compliance
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ Supply Chain disruption
Mass absenteeism
Disgruntled Employee
PEOPLE
Thefts, Frauds
�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ and
ﻣﺴﺎر Employee Infidelity
ﺷ�ﻞ 3
Sabotage by employee
-1ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
Building Collapse
ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ���ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮ
)Flood (burst pipes
Premises
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ.
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮBomb Explosion
/ Threat
Powerﺮ�اﻟﺘﺎﻟﻴﺔ:
�ﺣﺪوث�ا��ﺎﻃا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر
Outage
ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن. •
Confidentiality of Data
Dataﻣﻨﮫ.
�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء
corruption
ا��ﺴﺎﺋﺮ •
Information
Dataوﻏ��هﺎ(.
securityواﳌﻴﺎﻩ،
)breachesاﻟﻜهﺮ�ﺎء،
اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ •
Security of Data
ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت ،ا��ﻮادم ،وﻏ��هﺎ(. •
ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت.
Confidentiality of Electronic Data
•
ى Security of
�ا�����واﻟﺪو��. اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮ
Electronic Data •
Network Link failure / Outage
اﻟ��ﺰ�اﳌﺎ��. •
Cyber Attack
Technology ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ. •
Configuration changes
���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ. أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء
Obsolete •
Cabling failure, destructions
�ﻣﻊ�اﳌﻮﻇﻔ�ن ،واﻟﻌﺎﻣﻠ�ن ،واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى
Software bugs
اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ���
Earthquake
اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت ،واﻷﻧﻈﻤﺔ ،واﳌﻌﻠﻮﻣﺎت ،واﻟﻌﺎﻣﻠ�ن ،واﻷﺻﻮل ،واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ ،واﳌﻮارد
Epidemics
Environmental اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ.
Unsustainable Weather
Flood
34
39
34
Terrorism
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
Man-Made Political Protests
Worker Strikes
Table 3 Examples of Risk Categorization
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
Likelihood Scale:
�ا��ﺎﻃﺮﻗﺒﻮل ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
The second part of the risk analysis is the determination of the risk likelihood. For
the risk assessment methodology, we might use a quantitative approach, as the
information available in many cases is not sufficient to allow an analysis using a
qualitative scale. The likelihood �ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
of a risk is رdistinguished
ﻣﺴﺎ3 ﺷ�ﻞ using the table below,
and the following considerations can help to identify an appropriateﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ likelihood-1for
a risk in question:
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ���ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
If objective information, such as records of past events, are available they
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ.اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
should be used
Without objective information, :�اﻟﺘﺎﻟﻴﺔinterviews with
�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ stakeholders and
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر
employees can be used to get a first impression .• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
Information from other UAE governments or other organizations can also
.• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
help to assess the likelihood
.( وﻏ��هﺎ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
Another important part
.(وﻏ��هﺎ of ،�اﻟﺒﻴﺎﻧﺎت
،ا��ﻮادم the likelihood estimation is the consideration
ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ • of
existing controls to manage the risk – if controls .�اﳌﻌﻠﻮﻣﺎت of anyﻋﺪم�ﺗﻮﻓﺮ
kind have • been
implemented, they will help to protect against the risk and will make its
.��• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو
occurrence less likely. Controls can vary depending on the discipline-specific risks
.��• اﻟ��ﺰ�اﳌﺎ
considered, but it is important to take them into account.
.• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
In the same way, controls not in place can actually increase the likelihood of the
.• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
identified risks. Any control that is incompletely implemented or not properly
documented will make the ﺮorganization
اف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ vulnerable,
واﻷﻃ، واﻟﻌﺎﻣﻠ�ن،�ﻣﻊ�اﳌﻮﻇﻔ�ن and therefore increase the
ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى
risk����ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
likelihood. اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ
واﳌﻮارد، واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ، واﻷﺻﻮل، واﻟﻌﺎﻣﻠ�ن، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
.اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
35
39
35
Based on all of the above considerations, table (4) below is an:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
example of the
likelihood of each risk might be estimated using this scale:
Likelihood Scale
Very ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮUnlikely Possible Likely
ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ Almost Certain
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
Unlikely ا��ﺎﻃﺮ
1 2 3 4 5
Less than 1 Less than 1 Once or twice Between 3 At least 5 per
in 5 years per year per year and 5 per year year
Extremely Unlikely, but The event
�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ There is a
ﻣﺴﺎر3 ﺷ�ﻞ Very likely! The
unlikely there's a might occur strong event is
events, not slight at some time, possibility the expected to
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ -1
expected to possibility it e.g. as there
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل event will occur
��ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ in most
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮ
happen may occur at is a history of occur, e.g. as circumstances,
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
some time casual there is aاﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
e.g. as there is a
occurrence:�اﻟﺘﺎﻟﻴﺔ
at ﺮhistory
�ﺣﺪوث�ا��ﺎﻃof ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر
history of
the frequent regular
.�اﻟﻌﺎﻣﻠ�ن
• ﻋﺪم�ﺗﻮﻓﺮ
organization occurrence at occurrence at
or similar .ﻣﻨﮫthe �اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء
theﺮorganization
• ا��ﺴﺎﺋ
organizations organization
.( وﻏ��هﺎ،واﳌﻴﺎﻩ or similar
،اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء • اﳌﺮ
or similar organizations
.( وﻏ��هﺎ، ا��ﻮادم،ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت •
organizations
Table.�اﳌﻌﻠﻮﻣﺎت
4 Exampleﻋﺪم�ﺗﻮﻓﺮ •
of Likelihood Scale
.���ا�����واﻟﺪو• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى
Further detailed likelihood scales can be used to emphasize on the probabilities
and quantified prediction of risk occurrence. .��• اﻟ��ﺰ�اﳌﺎ
.• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
.أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ •
واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
���اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
واﳌﻮارد، واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ، واﻷﺻﻮل، واﻟﻌﺎﻣﻠ�ن، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
.اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
36
39
36
3. Risk Evaluation: ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ:
The results of the risk analysis (also defined as Risk Value) shall be compared with
predefined risk criteria to determine whether a risk is acceptable or needs risk
treatment. Basis of the comparison is the risk calculation and the level of
acceptable ﻗﺒﻮلrisk. methodology uses the following table toﻗﻴﺎس�ﺗﻘﻴﻴﻢ
This risk assessment
�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
assess the overall risk criticality:
ا��ﺎﻃﺮ
Risk Matrix
Very High
ﺷ�ﻞ 3ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
High
Impact
Medium -1ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
Low
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ��
Very Low
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ.
Very Almost
�اﻟﺘﺎﻟﻴﺔUnlikely :Possible Likely
�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر
Unlikely Certain
Likelihood �اﻟﻌﺎﻣﻠ�ن.
ﺮ ﻋﺪم�ﺗﻮﻓ •
�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ.
ا��ﺴﺎﺋﺮTable 5 • Matrix
Example Risk
37
39
37
Interpretation of the Risk Levels: :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
Risk Value
Very Low Low Medium High Very High
1 2 3
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ 4 5
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
No action No action Risk of this level Risks of that
ا��ﺎﻃﺮ These risks
required required can or cannot be level need to have a very
treated, they be treated to high or
need to be manage the catastrophic
considered on a situation impact on the
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
case by case organization
basis ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
Table 7 Example of Interpretation of Risk Levels
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ���ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
4. Risk
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ Acceptance Criteria
.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
In accordance with risk ratings defined above in table (7), only very low
:ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
and low risks can be readily accepted, and risks of a medium level
.�اﻟﻌﺎﻣﻠ�ن need to
ﻋﺪم�ﺗﻮﻓﺮ •
be investigated on a case-by-case basis –.ﻣﻨﮫ
the�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء
decisions taken need ا��ﺴﺎﺋﺮto be
•
explained. Risks of high and very high level
.(وﻏ��هﺎ should
،واﳌﻴﺎﻩ ،)اﻟﻜهﺮ�ﺎءalways be considered
اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ
• اﳌﺮ
for risk treatment, but،ا��ﻮادم
.(وﻏ��هﺎ can be accepted
،�اﻟﺒﻴﺎﻧﺎت if one or more of the following
ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ •
criteria apply: .ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت •
.��• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو
The cost of risk treatment outweighs the impact of the risk
.��• اﻟ��ﺰ�اﳌﺎ
occurring;
.• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
The actions for risk treatment are not practical within the organization
.• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
business, work environment or culture;
واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
There are no legal implications when this risk is accepted;
���اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
There
واﳌﻮارد are only tolerable
،ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ واﻟﺸﺮ�ﺎء،لimpacts on organization’s
واﻷﺻﻮ،واﻟﻌﺎﻣﻠ�ن business
، واﳌﻌﻠﻮﻣﺎت،واﻷﻧﻈﻤﺔ objectives.
،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
.اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
Record Findings
Document the findings and prepare the proposed solutions in a report
submitted to Top Management.
38
39
38
Review and Monitor :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
Changes are continuously happening in the organization therefore all BCM
related documents should be reviewed at periodic intervals so that they
remain up to date.
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
Risk Assessment outcomes ا��ﺎﻃﺮ
Risk Assessment outcomes should include the following:
Risks that could result in the disruption or suspension of the
organizations prioritized activities, classified by level of impact.
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
Single points of failure (SPoF) associated with such as physical risks
or resources. ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
Actions required to reduce
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل the risk of disruptionﺮor
��ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ �اﺳﺘﻤsuspension of
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ
the organization’s prioritized activities. اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
:ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
8.3. Business Continuity (BC) Strategies .• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
After the BIA has been completed,.ﻣﻨﮫ the�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء
next step is to form ا��ﺴﺎﺋﺮ •
BC Strategies.
The organization should identify .(وﻏ��هﺎrecovery solutions
، واﳌﻴﺎﻩ،)اﻟﻜهﺮ�ﺎء for key ﺮdependencies
اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ • اﳌ
and potential.(وﻏ��هﺎinterim business
، ا��ﻮادم،�اﻟﺒﻴﺎﻧﺎت processes. These will be based• on the
ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ
findings from BIA and the RA process and should be appropriate
.�اﳌﻌﻠﻮﻣﺎت • ﻋﺪم�ﺗﻮﻓﺮfor the
organization. The organization should also evaluate the BCM competency
.��• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو
of suppliers and the least possible requirement for the continuation of the
.��• اﻟ��ﺰ�اﳌﺎ
prioritized activities.
Identify the appropriate measures for the control .�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
of ﺮthe
ﻋﺪم�ﺗﻮﻓ
risks.• Identify
treatments that can ensure.���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
the achievement of the business continuity
أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء •
objectives and are according to the Risk Appetite of the organization.
واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
����ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
Once a risk has been identified, اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ
a treatment strategy should be developed
واﳌﻮاردand
،ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ
recorded in the risk،لregister.
واﻟﺸﺮ�ﺎء واﻷﺻﻮ،واﻟﻌﺎﻣﻠ�ن ،واﳌﻌﻠﻮﻣﺎتshould
Risk register ،واﻷﻧﻈﻤﺔinclude:
،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
Risk-related tasks; .اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
Responsibilities entrusted to specific individuals or positions, to
ensure tasks performance;
The date when such task should be completed;
39
39
39
Resources required to complete the task; and :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
Name of the person who approves task completion
In many cases, a number of treatments can be applied to ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ a risk and -1the
overall strategy may require a combination
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل of treatments
��ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ to�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ
�اﺳﺘﻤﺮ reduce the risk
to an acceptable
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ level. The following Business Continuity
.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ strategy should be
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
taken into account: :ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
.• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
Back-up Sites (Split/ Dual site operations)
.• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
This strategy involves performance of prioritized activities at two or more
geographically dispersed sites.(وﻏ��هﺎ ، واﳌﻴﺎﻩ،)اﻟﻜهﺮ�ﺎء
so operations اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ
continue from other اﳌﺮsite
• when
one site fails. These
.(وﻏ��هﺎ arrangements
،ا��ﻮادم are two ways i.e. any site fails, the
،ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت • other
continues to deliver. Both sites are in full operation technically
.�اﳌﻌﻠﻮﻣﺎت ﻋﺪم�ﺗﻮﻓﺮduring
• BAU
(business as usual) times. This is.���ا�����واﻟﺪو
suitable, especially for financial or• security
اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى
organizations, where the recovery time objective “RTO” is measured in
.��• اﻟ��ﺰ�اﳌﺎ
minutes or hours rather than days.
.• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
40
39
40
crisis or disaster rather than at a previous time are conducted, such site
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
would be known as ‘cold’ site. Implementing this strategy involves moving
personnel to the predefined alternative site after an emergency, crisis or
disaster strikes. The alternative site may be a facility provided by a third-
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
party, orلaﻗﺒﻮcommon site which is related to
�ا��ﺎﻃﺮ the local or federal
ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ government.
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
A ‘hot site’ strategy is ا��ﺎﻃﺮgood where RTOs are very short (in minutes); a
‘warm site’ strategy is good for relatively longer RTOs (in days); while a
’cold site’ strategy works well when RTOs are very long (in weeks and
months). Staff can be moved to the alternative site quickly enough, to
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
continue performance of prioritized activities within RTO. The success of
this strategy depends on whether staffs are able and willing ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ to work at-1the
alternative site for a prolonged period
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل of time when necessary.
��ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮ
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ.اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
Outsourcing
:ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
Another strategy that can be employed to reduce risk is to outsource or
.• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
contract performance of prioritized activities to a third-party depending on
the nature of the organization. .�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
To that end, memorandum • ا��ﺴﺎﺋﺮ of
understanding (MOU), Service Level
.(وﻏ��هﺎ ،واﳌﻴﺎﻩAgreements (SLA) or
،اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء اﳌﺮother
• legal
formats should be concluded
.( وﻏ��هﺎ،ا��ﻮادم with outsourcers. This option • may be
،ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت
preferable in manufacturing, where the added cost incurred
.�اﳌﻌﻠﻮﻣﺎت ﻋﺪم�ﺗﻮﻓﺮto •establish
back-up or alternative sites might be higher
.���ا�����واﻟﺪو than the benefits •resulting
اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى
from the project. At times, the only outsourcing option might be to enter
.��• اﻟ��ﺰ�اﳌﺎ
into contract with another organization that is engaged in the same type of
business, which could be a competitor. In this.�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ case, the ﻋﺪم�ﺗﻮﻓﺮ • of risk
benefits
treatment need to be weighed .���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
against theأي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء
risk of creating dependency • on a
competitor. Such arrangements are also known as ‘mutual aid
�اﺳﺘﻤﺮار�ﺔاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ واﻷﻃﺮ،واﻟﻌﺎﻣﻠ�ن ،�ﻣﻊ�اﳌﻮﻇﻔ�ن ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى
arrangements’. As regards short- RTO products and services, outsource
����ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ ﺮ اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃ
contracts should be concluded in advance. However, when it comes to
واﳌﻮاردproducts
،ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ
and services ،واﻷﺻﻮل
واﻟﺸﺮ�ﺎءwith ،واﻟﻌﺎﻣﻠ�ن
longer ،واﳌﻌﻠﻮﻣﺎت
RTOs, ،واﻷﻧﻈﻤﺔ
it may be ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
possible to wait until
.�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
after the event to conclude the contract. There is, however, a risk in waiting اﻷﺧﺮى
until after an event has occurred to establish a contract – for, by that time
the outsource partner may be fully committed and unable to meet the
organization’s needs. Outsourcing or contracting the performance of
41
39
41
prioritized activities to third parties does transfer the risk, but does not
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
discharge the organization from its legal liability to provide the products
and services to its stakeholders.
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
Post-Event
ﻗﺒﻮل�ا��ﺎﻃﺮProcurement ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
An additional strategy that can be used for products and services that have
their RTO measured in days or weeks is to purchase such products and
services from vendors and suppliers that can provide the same on short
notice whether for the public or private sectors. This strategy poses the
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
same risk as waiting until after an event to establish outsourcing
agreements, the vendors and suppliers may have used their available stocks
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ -1
to meet the needs of other clients.
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل To prevent such a case
��ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ �اﺳﺘﻤﺮfrom arising, the
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ
organization
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ may consider warehousing a temporary
.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ supply of essential
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
materials for continuity of its prioritized activities. Post-Event Procurement
:ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
strategy is not suitable for products or services that require special
.• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
equipment or facilities, or skills that are not readily available, or that
require more time to master such as .ﻣﻨﮫmedical
�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء
services or ﺮcustomer
• ا��ﺴﺎﺋservices
at various departments. .( وﻏ��هﺎ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
.( وﻏ��هﺎ، ا��ﻮادم،ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت •
Insurance .• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت
Insurance can be purchased to .���ا�����واﻟﺪو
provide financial compensation for
اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى • loss of
assets, cost of recovery and protection of legal responsibilities. However,
.��• اﻟ��ﺰ�اﳌﺎ
insurance is unlikely to cover all costs resulting from a disruption, including
.• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
the loss of customers, shareholder value, reputation, life or trademark
image. Contingent Business.���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء
Interruption insurance can, in some• cases, is
purchased to cover direct costs related to loss of revenue as a result of
واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
disruption of prioritized activities. However, this type of insurance only
���اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
covers business losses which are tied to another insurable loss (e.g. damage
واﳌﻮاردto،ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ
a building, work ،واﻷﺻﻮل
واﻟﺸﺮ�ﺎءarea, or ،واﻟﻌﺎﻣﻠ�ن
tools and،واﳌﻌﻠﻮﻣﺎت ، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
equipment used in such areas,
.�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ اﻷﺧﺮى
including IT and non- IT systems). Another type of insurance that is
beginning to appear on the market involves coverage of a wider range of
interruptions and disruptions including failure in the supply chain. Other
42
39
42
types of insurance that may be necessary to protect against risk include
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
Kidnap and Ransom or Errors and Omissions (professional liability).
Manual Workaround
Most business ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
�ا��ﺎﻃﺮ ﻗﺒﻮلenvironments today are automated ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮand dependent on the
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
systems, tools, and equipment ا��ﺎﻃﺮ that either automate or support its
prioritized activities. In some cases, risk treatment can be as simple as using
a manual process, alternative technology and tools, or paper-based
documentation following a disruption. Such paper based work carried out
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
during recovery needs to be reflected back on to systems when the systems
are available. Hence, the systems should be designed with ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ a capability-1 of
accepting such transactions. ���ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ.اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
Cross-training
:ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
A very common risk occurs when there is only one person who can perform
.• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
a prioritized activity, such as signing cheques, contracts and work
authorizations, maintaining a particular .�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
system or piece ﺮof ا��ﺴﺎﺋ •
equipment, or
leading development of a new product
.(وﻏ��هﺎ ، واﳌﻴﺎﻩor service.
،)اﻟﻜهﺮ�ﺎء This risk can
اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ اﳌﺮbe• treated
by cross-training others
.( وﻏ��هﺎ،ا��ﻮادم to eliminate
،�اﻟﺒﻴﺎﻧﺎت the single point of failure and
ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ • ensure
continuity of operations. .• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت
Some staff can be trained on professionalىjobs to perform such important
.��• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮ �ا�����واﻟﺪو
jobs identified in the BIA.
.��• اﻟ��ﺰ�اﳌﺎ
43
39
43
Occupational Health and Safety and Environment (OHSE) :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
The risk of damage to the organization by injury, loss of life, or destruction
of property can be reduced by the use of HSE procedures. Such procedures
help reduce the risk of fire, flood, hazards, contamination, and the spread
of �ا��ﺎﻃﺮ
infectious ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮلdisease in the workplace. ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
Third party Review
Much of the risk arising from the use of third parties and suppliers can be
addressed by due diligence in the procurement and contract process. This
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
includes:
Code of conduct / business ethics ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
Corporate social responsibility
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل ���ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ Attention to environment
.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
Health and safety :ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
Import and export
.• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
International standards, including Business Continuity
.• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
Quality management
.( وﻏ��هﺎ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
Regulatory and contractual compliance
Risk.(وﻏ��هﺎ ، ا��ﻮادم،• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت
management
Security level. .• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت
.��• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو
The remainder can be addressed by a review of the third-party .�� اﻟ��ﺰ�اﳌﺎ/• supplier
BC capability programs. A good approach is to.�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ ensure that many• of these
ﻋﺪم�ﺗﻮﻓﺮ
risks are assessed and treated in the procurement and contract process,
.• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
then measured and reassessed through the organization.
واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
8.3.2. All the resources required
����ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ to determine the selected BC strategies
اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ
واﳌﻮاردshould be documented
،ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ واﻟﺸﺮ�ﺎء،لand
واﻷﺻﻮapproved by the ،واﻷﻧﻈﻤﺔ
، واﻟﻌﺎﻣﻠ�ن،واﳌﻌﻠﻮﻣﺎت Top Management. Following
،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
are the examples of resources that can be included however should ىnot be
.اﻷﺧﺮ �اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
limited to:
People (competence)
Buildings and facilities
44
39
44
Information and communication infrastructure :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
Budget allocation
Suppliers and service providers
Resources
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
Technology
�ا��ﺎﻃﺮﻗﺒﻮل ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
People
People are the most critical resources of an organization. It is important for
an organization to identify suitable measures
�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ ﻣﺴﺎر3 ﺷ�ﻞfor maintaining and widening
the availability of fundamental skills and knowledge in case a disruptive
incident occurs that results in the loss of availability of staff. ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ Techniques-1for
the protection or development of
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل employee skills may consist
��ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ of:
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮ
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ Cross-skill training of staff
.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
Specialists that can temporary :ﺮ�اﻟﺘﺎﻟﻴﺔwork
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃ
Skilled staff at one or more locations in order to reduce
ﻋﺪم�ﺗﻮﻓﺮthe •impact
.�اﻟﻌﺎﻣﻠ�ن
of an incident
.• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
.( وﻏ��هﺎ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
Building and Facilities
Size, nature .(وﻏ��هﺎand
،ا��ﻮادم
the،�اﻟﺒﻴﺎﻧﺎتﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ
geographical area of an organization •must be
considered when identifying and considering alternate .ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎتlocation.
• Some
factors that must be considered while determining
.���ا�����واﻟﺪو alternate location
اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى • are:
Location Area: If an organization is located in a risky .��ﺰ�اﳌﺎarea
�� اﻟwhich
• is
susceptible to disruptive incidents, then alternate .ﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞlocation
ﻋﺪم�ﺗﻮﻓmust• be
at a large distance from the primary location
.• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
Accessibility: The alternate location must be easily accessible for
staff to travel. ﺮAll
اف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ واﻷﻃstaff must
،واﻟﻌﺎﻣﻠ�ن be well-versed
،�ﻣﻊ�اﳌﻮﻇﻔ�ن with the alternate
ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى
location map.
����ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ
Resources:واﻟﺸﺮ�ﺎء
واﳌﻮارد،ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ The organization
، واﻷﺻﻮل،واﻟﻌﺎﻣﻠ�نmust make،واﻷﻧﻈﻤﺔ
،واﳌﻌﻠﻮﻣﺎت it very،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
clear whether the
resources in the alternate location are shared or possessed only
.�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ by
اﻷﺧﺮى
the organization. In case the resources are shared, a plan must be
documented and signed to ensure that all resources will be available
when required.
45
39
45
Alternate location can be made available by other organizations or third
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
parties suppliers.
46
39
46
Resources :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
During the BIA, the organization should identify the resources that support
the prioritized activities and maintain an inventory of them. Determine the
resources that are essential to implement the business continuity
strategies. ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮNot all resources can be stored,ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ
such as specialized equipment’s
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
/resources or heavy machinery ا��ﺎﻃﺮmaybe too expensive to store or may get
damaged if not used for long. If a prioritized activity is heavily dependent
upon specialist equipment/ resource or heavy machinery, the organization
should identify the suppliers that provide those equipment’s/ resources.
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
Following points can be considered to maintain the supply of such
resources: ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
Considering more than one
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل supplier
��ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮ
Signing Service Level Agreements with suppliers
.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ according to the
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
RTO of the prioritized activity
:ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
Encouraging suppliers to have business continuity.
.• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
47
39
47
The options existing for the management of risks consist of::ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
Accepting the risk: if, after controls are introduced, the remaining
risk is considered tolerable to the organization “according to its risk
appetite”, the risk can be accepted.
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
Reducing
�ا��ﺎﻃﺮﻗﺒﻮل the possibility of the riskﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ
taking place: by means of
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
preventive maintenance, audit & compliance programs, supervision,
contract conditions, policies & procedures, testing, investment &
portfolio management, staff training, technical controls and quality
assurance programs etc.
�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
ﻣﺴﺎر3 ﺷ�ﻞ
Transferring the risk: this encompasses another party bearing or
sharing some part of the risk using contracts, insurance, ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
outsourcing, joint ventures
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل or partnerships etc. �ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮ
��ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ
Avoiding the risk: take a decision not to ﺮcarry
.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ on the activity which
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤ
can generate the risk, where this
:�اﻟﺘﺎﻟﻴﺔ is feasible.
�ﺣﺪوث�ا��ﺎﻃﺮ ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر
.• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
8.3.4. The organization should make sure that the business continuity of
.• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
suppliers is assessed. Techniques of assessing suppliers as follows:
.( وﻏ��هﺎ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
Include
.(وﻏ��هﺎthe descriptions
،ا��ﻮادم ،)ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎتofﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت
requirements in tenders and contracts •
Perform periodic evaluation audits of the suppliers business•
.ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت
continuity plan .��• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو
document service level agreements or memorandum of •
.��اﻟ��ﺰ�اﳌﺎ
understanding in legal formats
.• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
.أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ •
8.4. Incident Response Plan
Theاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ
�اﺳﺘﻤﺮار�ﺔ organization should واﻷﻃﺮintroduce procedures
، واﻟﻌﺎﻣﻠ�ن،�ﻣﻊ�اﳌﻮﻇﻔ�ن and a management structure
ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى
that will enable preparation ﺮfor
����ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ and respond effectively to disruptive
اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃ
واﳌﻮاردincidents.
، واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ، واﻷﺻﻮل، واﻟﻌﺎﻣﻠ�ن، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
.اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
48
39
48
Goals of an Incident Response Plan :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
Safety of personnel.
Identification of the impact thresholds that rationalize the
introduction of formal response;
Introduce an appropriate
ﻗﻴﺎس�ﺗﻘﻴﻴﻢresponse to a disruptive incident;
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
Ensure the availabilityا��ﺎﻃﺮof the resources to support the processes and
procedures required to manage a disruptive incident and to curtail
the impacts; and
Communicate the processes and procedures to the interested
parties, including responding authorities
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
Evaluation of the nature and degree of a disruptive incident or the
potential impact; ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
Introduce appropriate measures for the welfare to affected
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ���ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
individuals;
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ.اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
Key steps on designing Incident Response Plan ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر
:�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
.• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
The key steps in designing the incident response plan are:
Conducting a comprehensive.ﻣﻨﮫ study and understandا��ﺴﺎﺋﺮ
�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء the nature
• and
the existing incident management of theاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ
.( وﻏ��هﺎ، واﳌﻴﺎﻩ،)اﻟﻜهﺮ�ﺎء organization • اﳌﺮ
Creating a team and assigning roles and responsibilities
.( وﻏ��هﺎ، ا��ﻮادم،• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت
Developing an Incident Response Plan
Attaining Top Managements approval .• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت
Documenting the approved Incidentاﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى
.���ا�����واﻟﺪو Response Plan. •
.��اﻟ��ﺰ�اﳌﺎ •
Content .• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
The Incident Response Plan should include the following:
.• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
The criteria of response plan activation;
The person who has authority to activate the plan;
واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
The Incident Management Team;
���اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
Developing evacuation plan.
واﳌﻮارد،ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ
Establishing واﻟﺸﺮ�ﺎء ، واﻷﺻﻮل،واﻟﻌﺎﻣﻠ�ن
alternative sites for:، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
1. The restoration of IT or critical infrastructure elements
.�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ اﻷﺧﺮى
2. Temporary use of any element in performing prioritized activities
49
39
49
Record of the internal and external stakeholders that may need to
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
be contacted in the first few hours of an emergency, crisis and
disaster;
The means of communication with stakeholders, local authorities,
and media and what is required to be communicated to them;
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
Pre-scripted message
ا��ﺎﻃﺮtemplates for communications;
Personnel responsible for coordinating with first responders; and
Process and criterion used to assess damage and impact.
50
39
50
The stakeholders in an organization Business Continuity capability should
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
include people with special needs. These special needs should be taken into
account when planning.
51
39
51
Team Structure: This part summarizes who will :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
perform the role
of leader and supporting functions. It defines the roles,
responsibilities and authorities of people and teams who have to
execute the business continuity plan
ﻗﺒﻮل ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
Resources: This part providesﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ
the details aboutﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
the resources
�ا��ﺎﻃﺮ
essential for business
ا��ﺎﻃﺮcontinuity
Incident management: Management of the immediate
consequences of a disruptive incident paying attention to the
welfare issues of affected individuals (including team members),
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
options for reacting to the disruption and prevention or further
loss or unavailability of prioritized activities; ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
Communications: provides
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل the details aboutﺮaddressing
��ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ how and
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤ
under what conditions the organization
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ will communicate key
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
interested parties and emergency contacts to the employees as
:ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
well as their relatives,; also the details of the media response of
.• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
the organization following an incident, including its
communication strategy,.ﻣﻨﮫ �اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء
preferred interface ﺮwith ا��ﺴﺎﺋthe• media,
guidelines or templates .(وﻏ��هﺎfor drafting
،واﳌﻴﺎﻩ ،)اﻟﻜهﺮ�ﺎءmedia statements
اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ اﳌﺮas• well as
identification of appropriate
.( وﻏ��هﺎ، ا��ﻮادم،�اﻟﺒﻴﺎﻧﺎت spokespeople.
ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ •
Contact Details: Contact details of members .�اﳌﻌﻠﻮﻣﺎتof team and
ﻋﺪم�ﺗﻮﻓﺮ • others
with their roles and responsibilities
.��• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو
Action List: identify the actions and tasks that are required to be
.��• اﻟ��ﺰ�اﳌﺎ
accomplished, particularly regarding how the organization will
.• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
continue or recover its prioritized activities within scheduled
timeframes; .• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
�اﺳﺘﻤﺮار�ﺔ
8.6. Media Response plan واﻷﻃﺮ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
اف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ
���اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
واﳌﻮاردIt،ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ
is important toواﻟﺸﺮ�ﺎء
have ،appropriate
واﻷﺻﻮل،واﻟﻌﺎﻣﻠ�نprocedures to manage
، واﳌﻌﻠﻮﻣﺎت،واﻷﻧﻈﻤﺔ communication
،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
with external parties. .اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
52
39
52
External means of communications include: :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
News or press releases
Media
Social media channels
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
لFinancial
�ا��ﺎﻃﺮ ﻗﺒﻮ reports ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
Newsletters ا��ﺎﻃﺮ
Websites
Phone calls, emails and text messages (manually delivered and/or
via automated �ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
emergency notification ﻣﺴﺎر3 ﺷ�ﻞsystems)
The procedure to manage communication should encompass:
Details regarding how and under what circumstances ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
the -1
organization will establish
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل communication with
��ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ employees
�اﺳﺘﻤﺮ as well
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ
as their relatives regarding emergencyاﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ contacts, media and other
interested parties’; :ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
Details regarding the media response of an organization
ﻋﺪم�ﺗﻮﻓﺮafter
.�اﻟﻌﺎﻣﻠ�ن • an
incident.
.• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
.( وﻏ��هﺎ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
The organization’s Media Response Plan should provide instructions and
.( وﻏ��هﺎ،ا��ﻮادم
guidance required to ،�اﻟﺒﻴﺎﻧﺎت
ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ
Top Management, Executives, and Staff and • Public
Relations personnel on how to communicate approved messages
.ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت • with
internal and external stakeholders before,
.���ا�����واﻟﺪو during and after a disruptive
اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى •
event. .��• اﻟ��ﺰ�اﳌﺎ
.• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
This plan should include a predefined structure of the process of gathering
.• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
and publishing information on the emergencies, crises and disasters to
internal and external stakeholders.
واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
���اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
Also, the plan should identify key partners and persons who will be
واﳌﻮارد، واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ، واﻷﺻﻮل، واﻟﻌﺎﻣﻠ�ن، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
responsible for communicating with each partner group, before, during,
.اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
and after an event. Pre-scripted message formats should be included as
part of the Media Response Plan. Various methods can be used for
delivering messages to key partner groups.
53
39
53
These include: :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
Automated notification systems;
Emergency call-in numbers (‘hotlines’ by virtue of recorded
messages providing current status and updated information on
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ل�ا��ﺎﻃﺮthe
ﻗﺒﻮevent); ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
Call centers; ا��ﺎﻃﺮ
Publication via email or voicemail;
Status or update postings to the organization’s internal website;
and ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
Short Messages Service (SMS).
The organization’s communication capabilities should be tested ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
as part of-1
the regular testing and exercising��ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل of the BCM Program. �ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮ
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ.اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
8.7. Awareness and training :ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
Awareness and training ensure the organizations personnel and staffs
.ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن • are
aware of the importance of business.ﻣﻨﮫ continuity, understand
�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء their roles,
ا��ﺴﺎﺋﺮ • gain
knowledge and ability to execute its ،واﳌﻴﺎﻩ
.(وﻏ��هﺎ plans. The organization
،)اﻟﻜهﺮ�ﺎء اﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔshould
• اﳌﺮdevelop
and implement an awareness and training program that supports the BCM
.( وﻏ��هﺎ، ا��ﻮادم،• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت
objectives of an organization. Training can be provided through internal or
.• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت
external sessions and working with professionals assisting in BCM Program
development and implementation. .���ا�����واﻟﺪو اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى
The awareness and training• strategy
varies from one organization to another, depending on.���اﳌﺎ each
اﻟ��ﺰorganizations
•
strategy and policy. .ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ •
.أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ •
8.7.1. Staff Awareness
Theاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ
�اﺳﺘﻤﺮار�ﺔ organization’s level واﻷﻃﺮof،واﻟﻌﺎﻣﻠ�ن
awareness differs
،�ﻣﻊ�اﳌﻮﻇﻔ�ن between employees according
ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى
to their roles and responsibilities.
����ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ
واﳌﻮارد، واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ، واﻷﺻﻮل، واﻟﻌﺎﻣﻠ�ن، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
The Staff Awareness program should:
.اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
Include BCM policy and objectives
Establish a methodology for evaluating its effectiveness;
Spread BC capability and awareness;
Ensure continual improvement of BCM Program; and
54
39
54
Ensure personnel are aware of their roles and responsibilities in BCM
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
Program.
55
39
55
Response and recovery teams should receive education and training on
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
their responsibilities and duties, including how to interact with first
responders. Teams should provide initial / refresher training at regular
intervals and a suitable mechanism should be put in place to ensure new
members are trained when they join the team.
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
Core topics that can be included in the training program are:
Overview of Business Continuity Management
Program Development and Management
Business Impact Analysis (BIA)
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
Risk management
Strategy Development ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
Incident Preparedness and��ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل Response �ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮ
Development and implementation of Business Continuity plans
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ .اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
Development of Awareness and Training Program
:ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
Exercising, Updating and Maintaining BC plans
.• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
Other subject areas may include: .• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
Damage assessment .( وﻏ��هﺎ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
Restoration of facilities
.( وﻏ��هﺎ،ا��ﻮادم ،ﺰ�اﻟﺒﻴﺎﻧﺎتand equipment
ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛ •
Public Relations and Crisis Communications .ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت •
Business Continuity Management Audit
.��• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو
Developing IT Recovery and Continuity Strategies
.��• اﻟ��ﺰ�اﳌﺎ
Emergency and Crisis Management
Team Leadership
.• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
Testing the tools and equipment required
.���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ to implement BCM•
أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء
�اﺳﺘﻤﺮار�ﺔ
8.8. Test and Exercise واﻷﻃﺮ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
اف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ
���اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
واﳌﻮاردTests and exercises
،ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ are
واﻟﺸﺮ�ﺎء activities
،واﻷﺻﻮل designed
،واﻟﻌﺎﻣﻠ�ن ، واﳌﻌﻠﻮﻣﺎتto assess
،واﻷﻧﻈﻤﺔ the ability of the
،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
organizations personnel to respond, manage, communicateاﻷﺧﺮى
.�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ with
stakeholders, continue to perform assigned duties and recover from
various scenarios of business disruption.
56
39
56
The organization should design test scenarios that focus primarily on training
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
on highest risk business activities, as identified in its Risk Assessment and
Business Impact Analysis. Also, the organization should conduct exercises
and record the results of such exercises to ensure BC plans, processes and
teams areلeffectively ﻗﻴﺎس�ﺗﻘﻴﻴﻢthe recovery objectives of the organization.
achieving
�ا��ﺎﻃﺮ ﻗﺒﻮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
A Test and Exercise Plan should be documented before each test,
ا��ﺎﻃﺮ
highlighting the following:
Objectives;
Success criteria;
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
Timetable and schedule of activities;
Resources used; ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
Roles and responsibilities ���ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
Risks;
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ .اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
Assumptions; :ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
Exclusions.
.• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
A test and exercise report should be completed immediately after each
.• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
exercise. This report should contain (but not limited to):
Introduction .( وﻏ��هﺎ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
.( وﻏ��هﺎ، ا��ﻮادم،• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت
Background
Results summary .• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت
Summary of exclusions and.���ا�����واﻟﺪو issues • اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى
Corrective and Preventive Action Plan .��• اﻟ��ﺰ�اﳌﺎ
Independent observer report .• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
.• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
8.8.1. Tests
Tests
�اﺳﺘﻤﺮار�ﺔ should be conducted
اف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ for،�ﻣﻊ�اﳌﻮﻇﻔ�ن
واﻷﻃﺮ،واﻟﻌﺎﻣﻠ�ن assessing the readiness, usability and
ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى
appropriateness of the tools,
����ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ technology, facilities, and infrastructure
اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ
واﳌﻮاردrequired for the واﻟﺸﺮ�ﺎء
،ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ implementation of the
، واﻷﺻﻮل،واﻟﻌﺎﻣﻠ�ن BC plans
،واﳌﻌﻠﻮﻣﺎت of the
،واﻷﻧﻈﻤﺔ organization. Post-
،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
Test reports should be developed, revised and remedial measures ىtaken,
.�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ اﻷﺧﺮ
when required.
57
39
57
A process that can be used to develop an effective test involves the
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
following steps:
Cooperate with Top Management to identify the organization’s
capability areas that would benefit from the increased awareness that
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
a test
�ا��ﺎﻃﺮ ﻗﺒﻮلwould provide. ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
Identify the BC plan elements, resources and procedures that will be
tested, e.g. resource allocation, emergency contact and
communication, or relocation to an alternative worksite.
Identify suitable tests for each element,
�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ ﻣﺴﺎر3 ﺷ�ﻞresource or procedure.
Identify the personnel or groups involved in the test.
If tests have been conducted in the past, review the supporting ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
documentation to avoid using
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل the same scenario or
��ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ personnel
�اﺳﺘﻤﺮ and to
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩidentify the activities that require further ﺮexercising
.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ / testing.
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤ
Create a timetable to ensure that,
:�اﻟﺘﺎﻟﻴﺔ over time,
�ﺣﺪوث�ا��ﺎﻃﺮ the
�ﻣﺼﺎدر scenarios are
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر
capitalized on, which would have the greatest.�اﻟﻌﺎﻣﻠ�ن impact on continuity
ﻋﺪم�ﺗﻮﻓﺮ • of
the organizations prioritized activities.
.• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
The frequency of tests dependent upon the nature, size and
.( وﻏ��هﺎ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
complexity of the organization.
.( وﻏ��هﺎ، ا��ﻮادم،• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت
8.8.2. Exercises .• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت
Exercising makes sure that the teams and ىpersonnel
.���ا�����واﻟﺪو are effectively
اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮ • trained
for the usage and operation of the tools, equipment and .��ﺰ�اﳌﺎother
�� اﻟresources
•
required to accomplish their duties.
.• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
BCM capability cannot be considered dependable until it has been
.• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
exercised. A planned Exercise Program is essential to make sure that all
aspects of the plans and personnel have been implemented over a period
واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
of time, evading disruption to the entire business.
���اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
واﳌﻮارد، واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ، واﻷﺻﻮل، واﻟﻌﺎﻣﻠ�ن، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
Exercises should be developed and conducted to:
.اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
Apparent weaknesses and strengthen the plans, operating
procedures, and the planning assumptions;
58
39
58
Ensure the organization’s BC Strategies are accurate and BC plans will
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
enable the organization to meet the recovery objectives defined in
the BIA;
Ensure cohesion and integration of plans in terms of interoperability;
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
Test
�ا��ﺎﻃﺮ and validate recently changed procedures;
ﻗﺒﻮل ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
Familiarize BC and Incident Management Teams with their processes
and procedures;
Ensure personnel and teams implementing the plans and procedures
have the requisite skills, authorityﻣﺴﺎر
�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ and3 ﺷ�ﻞ
experience to implement such
plans.
Enhance coordination among response agencies and support ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
organizations;
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل ���ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ
Validate
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ the training process and procedures
.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ for evacuation,
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
response, incident management, communication,
:�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ and regaining of
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر
business continuity; and
.• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
Increase the organization’s awareness and understanding of the
.• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
threats which can impact and disrupt its prioritized activities.
.( وﻏ��هﺎ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
Validate that all the contacts and information necessary to attain
.(وﻏ��هﺎresources
recovery ، ا��ﻮادم،�اﻟﺒﻴﺎﻧﺎت
ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ
required by the plan, have been accounted • for.
.• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت
The organization’s BC Exercise Program shouldاﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى
.���ا�����واﻟﺪو ensure that all personnel • and
elements of BC plans are exercised over a period of time in.���اﳌﺎ such a way• as to
اﻟ��ﺰ
avoid disruption to normal operations.
.• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
.أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ •
A list of exercises types are given in table (8):
واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
���اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
واﳌﻮارد، واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ، واﻷﺻﻮل، واﻟﻌﺎﻣﻠ�ن، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
.اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
59
39
59
Type of Exercise Objectives of the exercise :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
Table Top check the structure and elements of the plan
Walkthrough thoroughly discuss the theory of the plan to check
that it is usable
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮ
Simulation use the plan to undertake ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ
theoretical response to
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
an incident
Limited rehearsal Confirm that a recovery procedure or the
recovery of a piece of
technology works
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
Live test Confirm that full recovery of a complete activities
of the organization ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
Table
�اﺳﺘﻤﺮ8�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ
ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ���ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل Types of exercises
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ.اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
A-9. Business Continuity Program Review :ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
The objective of BC Program review is the evaluation and theﻋﺪم�ﺗﻮﻓﺮ
.�اﻟﻌﺎﻣﻠ�ن identification
• of
the improvements of BC capability. .• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
Review can be classified into three types:
.(وﻏ��هﺎ ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
Annual Review
.( وﻏ��هﺎ، ا��ﻮادم،• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت
Review of Suppliers and Service providers
.• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت
Compliance and internal Audit Review
.��• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو
Review and updates are obligatory when a change takes place.���اﳌﺎ inﺰthe
��• اﻟ
organization whether in terms of services /works or when a change
ﻋﺪم�ﺗﻮﻓﺮtakes
.�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ • place
within the Top Management. .• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
9.1. Annual
�اﺳﺘﻤﺮار�ﺔ Review: واﻷﻃﺮ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
اف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ
���اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
Frequently, at least annually, the organization must carry out a review of
واﳌﻮارد، واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ، واﻷﺻﻮل، واﻟﻌﺎﻣﻠ�ن، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
its:
.اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
60
39
60
Exercise reports :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
Audit Reports
Changes to the business and risks that can result in business disruption
Review risk appetite
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
Review
�ا��ﺎﻃﺮﻗﺒﻮلbusiness continuity strategy ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
Approving response, incident response, business
continuity plan(s) tailored to achieve the organization’s
BCM objectives
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
This review is intended to make sure that all BC capability documents are
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
effective and in line with the strategic objectives of the organization.
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ���ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
9.1.1. It
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ is essential to establish a formal process
.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ for maintaining the BCM
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
Program. The process of conducting :�اﻟﺘﺎﻟﻴﺔannual review
�ﺣﺪوث�ا��ﺎﻃﺮ �ﻣﺼﺎدرmust be assigned to an
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر
individual or team, and must comprise of: .• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
Review what has changed since the last update;
.• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
Analyze the impact of any changes;
.( وﻏ��هﺎ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
Identify any changes to other areas;
.( وﻏ��هﺎ، ا��ﻮادم،• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت
Update the plans as and when required;
Provide training, awareness and/or communications .ﺮ�اﳌﻌﻠﻮﻣﺎتas
ﻋﺪم�ﺗﻮﻓ •
required;
If plans have been modified,.���ا�����واﻟﺪو ensure toاﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى
distribute the new versions • as
soon as possible; .��• اﻟ��ﺰ�اﳌﺎ
Identify the date for undertaking the next planned maintenance,
.�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ • ﻋﺪم�ﺗﻮﻓﺮand
schedule the maintenance. .• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
9.1.2.
�اﺳﺘﻤﺮار�ﺔ Post any incident
اف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ or crisis,
واﻷﻃﺮ،واﻟﻌﺎﻣﻠ�ن thereﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى
،�ﻣﻊ�اﳌﻮﻇﻔ�ن should be a log maintained,
reviewed and analyzed to establish
����ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ the level of impact, and to identify the
اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ
واﳌﻮاردcause as well asواﻟﺸﺮ�ﺎء
،ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ any corrective and،واﳌﻌﻠﻮﻣﺎت
، واﻷﺻﻮل،واﻟﻌﺎﻣﻠ�ن preventative
، واﻷﻧﻈﻤﺔactions required. The
،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
results of this analysis should be recorded, summarized, and made available
.�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ اﻷﺧﺮى
as part of the BC Capability Evaluation Report and should include:
61
39
61
Assessment of management reaction in meeting the organization’s BC
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
objectives
Assessment of organization’s effectiveness in meeting BCM recovery
objectives
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
Identification
�ا��ﺎﻃﺮﻗﺒﻮل of required changes to ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ
improve its BC capability
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
62
39
62
Reviewing the supplier’s BC status and ensuring it is acceptable to the
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
organization. Integrating its Incident Management / Business
Continuity procedures with the supplier, to ensure there is a formal
process for timely notification by either party in the event of a
disruption; ﻗﻴﺎس�ﺗﻘﻴﻴﻢacceptable levels of cost effective resilience
implementing
�ا��ﺎﻃﺮ ﻗﺒﻮل ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
into the business operations to mitigate failure of the third-party.
Where the organizations supplies products to customers and clients,
its Incident Management and Business Continuity plans should be
reviewed based on the business objectives of the customers and
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
clients, so as to ensure the organization can meet their expectations
and fulfill the terms of its contracts and agreements with them, in -1
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
accordance with the organization’s
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل BIA. This capabilityﺮ�اﺳﺘﻤﺮshould
��ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ also be
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃ
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩchecked through the previously mentioned
.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ exercises.
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
:ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
9.3. Compliance and Internal Audit Review
.• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
The audit process must be carried out . ﻣﻨﮫfrequently as defined
�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء by the•audit
ا��ﺴﺎﺋﺮ
and governance policies of the organization. The objective of a BCM audit is
.( وﻏ��هﺎ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
to scrutinize the existing BCM Program of the organization; authenticate it
.( وﻏ��هﺎ، ا��ﻮادم،• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت
against predefined standards and criteria and provide a structured audit
report. .• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت
.��• اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو
Audits should be conducted on a regular basis, as defined .���اﳌﺎin the •
اﻟ��ﺰ
organization’s audit and governance policies to.�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ ensure: • ﻋﺪم�ﺗﻮﻓﺮ
Compliance with the standard; .• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
Consistency with BCM objectives and policy;
Proper implementation,
�اﺳﺘﻤﺮار�ﺔاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ execution
واﻷﻃﺮ،واﻟﻌﺎﻣﻠ�ن and
،�ﻣﻊ�اﳌﻮﻇﻔ�ن sustainability; and
ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى
Effective fulfillment of the
����ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ organization’s BCM capability objectives.
اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ
واﳌﻮارد، واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ، واﻷﺻﻮل، واﻟﻌﺎﻣﻠ�ن، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
9.3.1. Annual Internal Audit .اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
The organization should conduct a complete annual internal audit of its
BCM Program. This audit should cover all requirements of the Standard. A
63
39
63
formal BC Audit process should ensure the organization has:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
an effective
Business Continuity capability program.
64
39
64
Identify the audit activity timetable and due dates.:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
Identify the audit evaluation criteria (standards).
Determine audit requirements by specialists and experts, as a third
party, to conduct audit process.
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
9.3.4. Internal Audit Report ا��ﺎﻃﺮ
To prepare the Internal Audit Report:
Provide a draft audit report for discussion with key stakeholders.
Provide an agreed-upon auditرreport
�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ incorporating
ﻣﺴﺎ3 ﺷ�ﻞ
recommendations as well as audit responses where differences of
opinion appear. ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
Provide an agreed-upon��ار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل remedial action plan including timescales
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮ
to implement the recommendations set
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ.ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ out in the audit report.
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
Identify a monitoring process, separateرfrom
:�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ the BC capability
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎد
maintenance program, to ensure appropriate follow-up
ﻋﺪم�ﺗﻮﻓﺮon• the
.�اﻟﻌﺎﻣﻠ�ن
audit action plan.
.• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
.( وﻏ��هﺎ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
The following should be reported to Top Management:
An .(وﻏ��هﺎ ، ا��ﻮادم،�اﻟﺒﻴﺎﻧﺎت
independent ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ
BC audit report should include but not be• limited
to: .• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت
o Executive summary of the audit
.���ا�����واﻟﺪو • اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى
o Summary of key findings .��• اﻟ��ﺰ�اﳌﺎ
o Summary of the key report recommendations
.• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
o Detailed current state and review results (Detailed
.• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
Observations)
o Risks
واﻷﻃﺮاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
o Detailed recommendations
���اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ�ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
o List of staff interviewed
واﳌﻮارد، واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ، واﻷﺻﻮل، واﻟﻌﺎﻣﻠ�ن، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
o Documents provided for interview
.اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
65
39
65
A-10. Top Management Review :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
66
39
66
10.1. Management review of BCM Program :ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
67
39
67
management review was carried out as part of the organization’s annual
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
capability evaluation, the output should be contained in its BC Capability
Evaluation Report. If the management review was, however, conducted
separately, the output will be contained in a separate document identifying
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
the:
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
Scope of the review;
Reasons for the review;
People involved in�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
the review; ﻣﺴﺎر3 ﺷ�ﻞ
Areas where issues exist, highlighting any raised risks;
Recommendations for corrective and preventative actions; ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
and -1
Brief review of tests and �exercises.
�ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل ��ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ.اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
This BC Management Review Report :�اﻟﺘﺎﻟﻴﺔshould serve
�ﺣﺪوث�ا��ﺎﻃﺮ as evidence
�ﻣﺼﺎدر for the
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر
organization’s BC Capability Certification. .• ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن
A-11. BCM Program Continual Improvement .• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
.( وﻏ��هﺎ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
On a regular basis, at least annually, the organization is required to perform
.( وﻏ��هﺎ، ا��ﻮادم،• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت
a review of its BCM Program including the BIA, Risk Assessment, BC
Strategy, and BC Plans. This review is designed to .�اﳌﻌﻠﻮﻣﺎت
ensureﻋﺪم�ﺗﻮﻓﺮ •
all BC capability
documents are valid and consistent with
.���ا�����واﻟﺪو the organization’s • strategic
اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى
objectives. .��• اﻟ��ﺰ�اﳌﺎ
This review should be formally conducted by .�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ the Internal Auditor
ﻋﺪم�ﺗﻮﻓﺮ • or BC
Manager. The review should result in a report to Top Management. Review
.• أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ
and update are necessary when a change occurs in the organization
whether
�اﺳﺘﻤﺮار�ﺔ in terms of services
اف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ or works
واﻷﻃﺮ،واﻟﻌﺎﻣﻠ�ن or when
،�ﻣﻊ�اﳌﻮﻇﻔ�ن a change occurs within Top
ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى
Management.
����ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ
واﳌﻮارد، واﻟﺸﺮ�ﺎء ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ، واﻷﺻﻮل، واﻟﻌﺎﻣﻠ�ن، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
11.1.Non-Conformities .اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
A comprehensive study should be conducted to identify nonconformities, to
develop a corrective action plan to address the problems, mitigate
68
39
68
consequences of nonconformity, and apply required changes to remove the
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
cause of nonconformity with the Standard.
The nature and timing of corrective action should be appropriate to the size
and nature of nonconformity and its potential consequences. Top
management ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮshould ensure corrective and preventive actions
ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ have been
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
implemented and that ا��ﺎﻃﺮ
there is systematic follow-up to evaluate their
effectiveness.
11.2.Corrective Actions
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
Preventive and corrective actions should be compared to BCM objectives
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
and policy to ensure continual conformity.
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ���ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ .ار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
The corrective action process should be initiatedاﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮ
as part of the investigation
after each incident or exercise. It:�اﻟﺘﺎﻟﻴﺔcan ﺮalso be initiated
�ﺣﺪوث�ا��ﺎﻃ (plan improvement)
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر
during the incident if such incident is going to extend over
.�اﻟﻌﺎﻣﻠ�ن a long •period of
ﻋﺪم�ﺗﻮﻓﺮ
time. .• ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ
.( وﻏ��هﺎ، واﳌﻴﺎﻩ،• اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء
The process should include:
.( وﻏ��هﺎ، ا��ﻮادم،• ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت
Development of a statement that describes the problem and
identifies its impact and reasons; .• ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت
Review of corrective action.���ا�����واﻟﺪو from previous اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى
evaluations and •
identification of solutions provided; .��• اﻟ��ﺰ�اﳌﺎ
Selection of a strategy, prioritization of action(s) to ﺮbe
.�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ taken according
ﻋﺪم�ﺗﻮﻓ •
to their importance based on specificأي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء
.���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ schedule; •
Identification of the resources required to implement the strategy;
Provision of authority
�اﺳﺘﻤﺮار�ﺔاف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ and resources
واﻷﻃﺮ،واﻟﻌﺎﻣﻠ�ن ،�ﻣﻊ�اﳌﻮﻇﻔ�نrequired to accomplish the
ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى
changes;
����ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ
Monitoring واﻟﺸﺮ�ﺎء
واﳌﻮارد،ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ progress of corrective
،واﻷﺻﻮل action through
، واﻟﻌﺎﻣﻠ�ن،واﳌﻌﻠﻮﻣﺎت completion;
، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
Verification that the problem is resolved through exercise or test
.�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ of
اﻷﺧﺮى
the solution once the corrective action is complete.
69
39
69
ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮNon-conformances and corrective actions that address :
them should be
recognized and dealt from time to time. If non-conformity is identified,
comprehensive study should be conducted in order to understand the
cause of the non-conformity and a corrective action should be created
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
immediately.
ﻗﺒﻮل�ا��ﺎﻃﺮ ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
ﺷ�ﻞ 3ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
-1ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ���ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ .و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ
ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ:
ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن. •
ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ. •
اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء ،واﳌﻴﺎﻩ ،وﻏ��هﺎ(. •
ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت ،ا��ﻮادم ،وﻏ��هﺎ(. •
ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت. •
اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو��. •
اﻟ��ﺰ�اﳌﺎ��. •
ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ. •
أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء ���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ. •
70
39
70
Right of use
:ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ
All training and consulting service providers shall seek NCEMA’s approval
All
All training
prior toand
training consulting
anduse if the service
consulting Business
service providers shall
shall seek
Continuity
providers NCEMA’s
NCEMA’s approval
Management
seek Standard
approval prior
prior– to
to
use Specifications
use if if the (AE/SCNS/NCEMA
the Business
Business Continuity 7000:2015).
Continuity Management
Management Standard
Standard –– Specifications
Specifications
(AE/SCNS/NCEMA
(AE/SCNS/NCEMA 7000:2015).
ﻗﻴﺎس�ﺗﻘﻴﻴﻢ
ﻗﺒﻮل�ا��ﺎﻃﺮ7000:2015). ﺗﺤﻠﻴﻞ�ا��ﺎﻃﺮ ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ
ا��ﺎﻃﺮ
ﻣﺴﺎر�ﻋﻤﻠﻴﺔ�ﺗﻘﻴﻴﻢ�ا��ﺎﻃﺮ3 ﺷ�ﻞ
ﺗﺤﺪﻳﺪ�ا��ﺎﻃﺮ-1
�ﻌﺘﻤﺪ�ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻋ���ﻧﺘﺎﺋﺞ�ﺗﺤﻠﻴﻞ�اﻟﺘﺄﺛ���ﻋ���اﻷﻋﻤﺎل�ﺣﻴﺚ�ﻳﺤﺪد�هﺬا�اﻟﺘﺤﻠﻴﻞ�ﺧﺪﻣﺎت�اﻷﻋﻤﺎل
و�ﺎﻟ�ﺴﺒﺔ�ﻟهﺬﻩ.اﻟ���ﻳﻨﻔﺬهﺎ�ﻓﺮ�ﻖ�أو�ﻗﺴﻢ�إدارة�اﺳﺘﻤﺮار�ﺔ�اﻷﻋﻤﺎل�ﻛﻤﺎ�ﻳﺤﺪد�أهﻤﻴ��ﺎ�ﻣﻦ�ﺣﻴﺚ�اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ
:ا��ﺪﻣﺎت�ﻳﻠﺰم�اﻷﺧﺬ����اﻻﻋﺘﺒﺎر�ﻣﺼﺎدر�ﺣﺪوث�ا��ﺎﻃﺮ�اﻟﺘﺎﻟﻴﺔ
.ﻋﺪم�ﺗﻮﻓﺮ�اﻟﻌﺎﻣﻠ�ن •
.ا��ﺴﺎﺋﺮ�اﳌﺪﻣﺮة�ﻟﻠﻤﺒ����ﻠﮫ�أو�أي�ﺟﺰء ﻣﻨﮫ •
.( وﻏ��هﺎ، واﳌﻴﺎﻩ،اﳌﺮاﻓﻖ�اﳌﺎدﻳﺔ�اﻷﺳﺎﺳﻴﺔ )اﻟﻜهﺮ�ﺎء •
.( وﻏ��هﺎ، ا��ﻮادم،ﻓﻘﺪان�ﻣهﺎم�ﺗﻜﻨﻮﻟﻮﺟﻴﺎ�اﳌﻌﻠﻮﻣﺎت�واﻻﺗﺼﺎﻻت )ﻣﺮﻛﺰ�اﻟﺒﻴﺎﻧﺎت •
.ﻋﺪم�ﺗﻮﻓﺮ�اﳌﻌﻠﻮﻣﺎت •
.��اﻷزﻣﺎت�أو�اﻟ�ﻮارث�ﻋ���اﳌﺴﺘﻮى�ا�����واﻟﺪو •
Contact NCEMA .��اﻟ��ﺰ�اﳌﺎ •
.• ﻋﺪم�ﺗﻮﻓﺮ�وﺳﺎﺋﻞ�اﻟﻨﻘﻞ
For additional
ForFor additional
additional information
informationand
information and guidance,
and guidance,
guidance, please
please
please
.���اﻟﻌﻤﻞ�أو�اﳌﻮردﻳﻦ contact
contact NCEMA,
contactNCEMA,
NCEMA,Safety
أي�ﻗﻀﺎﻳﺎ�أو�ﻣﺸﺎ�ﻞ�ﻣﻊ�اﻟﺸﺮ�ﺎء Safety
• andand
Safety and
Prevention
Prevention Department, Business Continuity Section at:
Prevention Department,
Department, Business Business Continuity
Continuity Section
Section at: at:
Telephone
Telephone :: +971: 4177000
2 2 971+
Telephone +971
اف�اﳌﻌﻨﻴﺔ����ﺗﺤﺪﻳﺪ�ﻣﺨﺎﻃﺮ�اﺳﺘﻤﺮار�ﺔ
E-mail 2 4177000
4177000
واﻷﻃﺮ، واﻟﻌﺎﻣﻠ�ن،ﻳﺠﺐ�اﺳﺘﺨﺪام�اﳌﻘﺎﺑﻼت�اﻟ��ﺼﻴﺔ�اﻟ���ﺗﺠﺮى�ﻣﻊ�اﳌﻮﻇﻔ�ن
: bcm@ncema.gov.ae
E-mail
E-mail :: bcm@ncema.gov.ae
bcm@ncema.gov.ae
����ا��ﺪدة�إ���ﺣﺪوث�ﻋﻄﻞ����اﻷ�ﺸﻄﺔ�ا��ﻴﻮ�ﺔ اﻷﻋﻤﺎل�و�ﻤﻜﻦ�اﺳﺘﺨﺪام�اﻻﺳﺘ�ﻴﺎﻧﺎت�ﻓ��ﺎ�ﺣﻴﺚ�ﺗﺆدي�هﺬﻩ�ا��ﺎﻃﺮ
Website : www.ncema.ae
Website
Website :: www.ncema.ae
واﳌﻮارد،ﻣﻦ�ا��هﺎت�ا��ﺎرﺟﻴﺔ www.ncema.ae
واﻟﺸﺮ�ﺎء، واﻷﺻﻮل، واﻟﻌﺎﻣﻠ�ن، واﳌﻌﻠﻮﻣﺎت، واﻷﻧﻈﻤﺔ،اﳌﺆﺳﺴﺔ�اﳌﺘﻌﻠﻘﺔ�ﺑﺎﻟﻌﻤﻠﻴﺎت
.اﻷﺧﺮى�اﻟ���ﺗﺪﻋﻢ�ﻋﻤﻠﻴﺎت�اﻟﻌﻤﻞ�اﳌﺎﺛﻠﺔ
71
85
39
71
71