BUSINESS CONTINUITY MANAGEMENT SYSTEM

(BCMS)

POLICY

Date: 6/1/2019

Version: 1.0

CLASSIFICATION: Public

ATTENTION: This document contains information from Ministry of Community Development that is
confidential and privileged. The information is intended for the private use of Ministry of Community
Development. By accepting this document you agree to keep the contents in confidence and not copy,
disclose, or distribute this without written request to and written confirmation from Ministry of Community
Development. If you are not the intended recipient, be aware that any disclosure, copying, or distribution of
the contents of this document is prohibited.
Document Control
Item Description

Document Title: Business Continuity Management System Policy

Document Ref: MOCD/CS/BCMS

Document ID: MOCD-BCMS-POL V1.0 Version: 1.0

Classification  Public  Internal  Departmental  Confidential
Status: Type: DOC

Publish Date: Jan 06, 2019

Revision Date:

Document Publication History

(All revisions made to this document must be listed in chronological order, with the most recent revision
at the bottom)
Version
Date Author(s) Remarks
No.
Updated procedures
3.0 02/1/2019 Mrs. Aisha Khamis as per ISR and NESA
best practices

Document Review and Approval History

(All revisions should be approved. Review and Approval can be by internal source or by the customer.)

Version
Date Reviewer Remarks
No.
1.0 06/1/2019 Mr Saeed Abdulla Reviewed

Version
Date Approver Remarks
No.
1.0 06/1/2019 Mr Saeed Abdulla Approved

Document Revision Record

Version
Date Modified by Remarks
No.
Updated procedures
1.0 02/1/2019 Mrs. Aisha Khamis as per ISR and NESA
best practices

Distribution List
Name Designation Department
Mrs. Aisha Khamis Information Security Officer MOCD-ITD
All Staff -- All Departments
BUSINESS CONTINUITY MANAGEMENT SYSTEM POLICY

Table of Contents

1. PURPOSE .......................................................................................................................... 4
2. STATEMENT ...................................................................................................................... 4
3. REFERENCES ................................................................................................................... 4
4. DEFINITIONS ..................................................................................................................... 5
5. BUSINESS CONTINUITY MANAGEMENT POLICY .......................................................... 5
5.1 Purpose of the Business Continuity Management System ........................................... 5
5.1.1 MOCD Strategic Stages .................................................................................. ...... 5
5.1.2 MOCD Strategy Linkage ....................................................................................... 5
5.1.3 Business Continuity Objectives ............................................................................. 5
5.1.4 Business Continuity Management System Scope ................................................. 6
5.1.5 Business Continuity Management Key Services ................................................... 7
5.1.6 Business Continuity Management System Measures ............................................ 7
5.2 Responsibilities for Business Continuity Management ................................................. 7
5.2.1 General responsibilities: ........................................................................................ 7
5.2.2 Specific responsibilities: ........................................................................................ 7
5.3 Roles and Responsibilities of staff involved in Business Continuity ............................ 8
5.3.1 Divisional Directors (Sections Heads) ................................................................... 8
5.3.2 BCMS Champions ................................................................................................ 8
5.3.3 Subject Matter Expert
........................................................................................... 9
4.3.5 CIO ........................................................................ Error! Bookmark not defined.
5.3.5 Business Continuity Section .................................................................................. 9
5.3.6 Divisional Incident Management Teams ..............................................................10
5.3.7 Key Roles and Responsibilities for MOCD Business Continuity Champions ........10
5.3.8 Policy Communications ........................................................................................10
5.3.9 Support for BCMS Implementation .......................................................................10
6. ENFORCEMENT ...............................................................................................................10

MOCD/CS/BCMS Public
Version: 1.0 Page 3 of 10
BUSINESS CONTINUITY MANAGEMENT SYSTEM POLICY

1. PURPOSE
The purpose of the Policy document is to define the objectives, scope and basic rules for business
continuity management.

This Policy is applied to the entire Business Continuity Management System (BCMS).

Users of this document are all MOCD employees of, suppliers and outsourcing partners who have a role
in the BCMS.

2. STATEMENT
Ministry Of Community Development is committed to ensuring the effective availability of critical
business services. MOCD provides this Business Continuity Management System (BCMS) policy in
support of a comprehensive program for business continuity, disaster prevention and total business
recovery.

The objective of the Business Continuity Management System’s Policy of MOCD is designed to ensure
the continuity of critical business services during disasters and unpredicted incidents.

The intention also is to ensure minimum disruption to critical services; which is acceptable to
management by putting in place a robust and resilient business continuity strategy and framework. By
this means, BCMS team will make sure that MOCD meets necessary Legal, Regulatory, Contractual
and Statutory requirements, including moral obligations and non-contractual expectations of clients and
stakeholders.

MOCD is committed to embedding the business continuity culture within the organization and make the
necessary resources available to build and maintain the system as well as to train and develop its
employees’ knowledge and their capabilities in the area of business continuity.

Each department/business unit is responsible for current and comprehensive Business Continuity
Management, plans and embedding of BCMS culture.

When implemented; the Plans should include those procedures and support agreements (when
applicable), which ensure on-time availability and delivery of critical business services. Each plan must
be reviewed and certified annually with the Business Continuity Management System policy compliance
process through Business Continuity Management.

This policy shall be circulated to employees and parties concerned to implement the system according
to their assigned tasks through a set plan, which is reviewed and approved periodically to achieve
performance, continuous improvement and development efficiency.

MOCD/CS/BCMS Public
Version: 1.0 Page 4 of 10
BUSINESS CONTINUITY MANAGEMENT SYSTEM POLICY

3. REFERENCES
The following standards apply

AE/SCNS/NCEMA 7000:2015
ISO 22301:2012
ISO 27001:2013

4. DEFINITIONS
This document is to be read together with the MOCD-BCMS-Definitions document.

5. BUSINESS CONTINUITY MANAGEMENT POLICY

5.1 PURPOSE OF THE BUSINESS CONTINUITY MANAGEMENT SYSTEM

The purpose of business continuity management is to identify potential threats to the organization and
the impacts to business services those threats might cause, and to provide a framework for building
organizational resilience with the capability of an effective response.

5.1.1 MOCD Strategic Stages

The implementation of business continuity, MOCD aims to fulfill its vision and Strategic stages for
20172021 to implement its Sustainable Growth & Improvement.

Business continuity management system is implemented in compliance with the AE/SCNS/NCEMA

7000:2015 and ISO22301:2012 Standards.

5.1.2 MOCD Strategy Linkage

Having MOCD vision: “We are looking forward to be the Benchmark and role model for other local, federal
and regional government entities” and referring to its mission: “Deliver fast and high-quality services to
the organizational unites”; therefore, MOCD is committed to ensuring the continuity of its services to all
its prospective customers and associated partners, spanning from individuals to corporate and
governmental organizations.

Given the importance of MOCD operations, it’s vital that it continues running them with no delay. Effective
Business Continuity Management System (BCMS) across all tiers should be a priority that requires
attention.

5.1.3 Business Continuity Objectives

• To develop, implement, maintain, monitor, review and continually improve MOCD Business
Continuity Management System.
• Determine the minimum level of services that are acceptable to the company to achieve stakeholder
satisfaction during an unforeseeable incident.

MOCD/CS/BCMS Public
Version: 1.0 Page 5 of 10
BUSINESS CONTINUITY MANAGEMENT SYSTEM POLICY

• Appoint a Business Continuity Team and hold regular meetings to discuss monitor and review
business continuity progress.
• Appoint an Incident Management Team to be responsible in the event of an incident.
• Embark on an internal training Programme to generate a better understanding amongst our staff of
the importance of preventative measures to safeguard our business in the event of a crisis.
• Ensure that the support sector has full confidence in providing business continuity in the event of a
crisis through regular exercising of plans.
• Develop an emergency notification/communication plan.
• Enhance corporate credentials when tendering for business and open up access to new markets.
To adhere to NCEMA/ISO requirements of Business Continuity Management
• CIO is responsible for setting and reviewing those objectives at least once a year.
• Actions to achieve these objectives will be determined in the Risk Treatment Plan, Business
Continuity Plan, corrective and preventive actions according to Procedure for Corrective and
Preventive Action, and Management Review.

5.1.4 Business Continuity Management System Scope

Business Continuity Management System is implemented for all Services identified as part of the
organizational chart mentioned below, with special attention paid to services identified during Business
Impact Analysis based on the service catalogue produced during the workshops.

The organization’s business locations included in the scope:

Ministry of Community Development

Baghdad Road, Al Qusais 1 – Dubai.

MOCD/CS/BCMS Public
Version: 1.0 Page 6 of 10
BUSINESS CONTINUITY MANAGEMENT SYSTEM POLICY

5.1.5 Business Continuity Management Key Services

The key services provided by MOCD are listed in the Business Impact Analysis Report based on the
service catalogue document through interactive workshops with key stakeholders.

5.1.6 Business Continuity Management System Measures

MOCD will measure the following:

Whether the objectives set according to this Policy are fulfilled – at least once a year, normally before the
Management Review.

Effectiveness and adequacy of business continuity plans – at frequency set in the Business Continuity
Plan itself.

CIO will prepare a report of measurement results, while analysis and evaluation of the results will be done
at the Management Review.

5.2 RESPONSIBILITIES FOR BUSINESS CONTINUITY MANAGEMENT

5.2.1 General responsibilities:

• CIO is responsible for ensuring that business continuity management is established and implemented
according to this Policy, and for providing all necessary resources.

• CIO is responsible for operational implementation and maintenance of the Business Continuity
Management System.

• Management Review Team must review the BCMS at least once a year or each time a significant
change occurs, and prepare a review report. The purpose of management review is to establish the
suitability, adequacy and effectiveness of the BCMS.

5.2.2 Specific responsibilities:

• CIO along with Human Resources are responsible for adopting and implementing the Training and
Awareness Plan which applies to all persons who have a role in business continuity management

• Arrangements related to business continuity must be exercised and tested at least once a year using
various methods in order to assess whether they can protect organizations' activities – for this purpose
CIO must write an Exercising and Testing Plan which must be approved by top management; after each
exercising and testing, CIO must prepare an Exercising and Testing Report

• CIO is responsible for adopting and implementing the BCMS Maintenance and Review Plan so that all
BCMS elements are functional and up-to-date

• CIO is responsible for reviewing the effectiveness of business continuity management each time a
Business Continuity Plan, Recovery Plan or Incident Response Plan is activated.

MOCD/CS/BCMS Public
Version: 1.0 Page 7 of 10
 BUSINESS CONTINUITY MANAGEMENT SYSTEM POLICY

• Quality Representative is responsible for monitoring nonconformities, false alarms, actual incidents, etc.,
and for raising preventive actions as required.

5.3 ROLES AND RESPONSIBILITIES OF STAFF INVOLVED IN BUSINESS

CONTINUITY
5.3.1 Divisional Directors (Sections Heads)
Project • All Divisional Directors in MOCD are responsible for BCM strategy within their division
Planning & and ensuring integration across MOCD.
Implementation
• They are required to ensure that all supplier contracts, planning and delivering projects,
maintenance contracts and new investments include business continuity arrangements.
• Divisional Directors are required to nominate Divisional champions who are responsible
for Business Continuity Management across their Division.

Incidents Members of MOCD Management Team may be required to provide strategic direction if
requested to do so by the Incident team.

5.3.2 BCMS Champions

Project • Create and coordinate their Division’s Business Continuity Planning and to ensure that
Planning & an appropriate Divisional Incident Management Team is in place.
Implementation
• Regular review, updating and signing-off on behalf of their Directors of the Corporate
Service Prioritization Matrix.
• Ensure that all supplier contracts, planning and delivering projects, maintenance
contracts and new investments include business continuity arrangements.
• As part of the Business Continuity Lifecycle Divisional champions should ensure their own
division’s Business Continuity Plans:
o Are reviewed and signed off by Divisional Boards on a regular basis o Are validated that
they provide for the health, safety and welfare of staff and others on MOCD sites at all
times
o Are supported by Business Impact Analyses (BIAs) which ensure the Division’s key
business processes can be restored within required timescales by use of their Plans.
o Availability of systems to be assured by the use of appropriate resilience levels;
performance targets and Key Performance Indicators (KPIs).
o Are maintained, updated and tested at least annually. Where the Plans apply to critical
services, they are tested periodically.
Incidents Divisional champions may be called to represent their Division, provide the link between
the response team and their own Divisional Director and Divisional
Incident Management team.

MOCD/CS/BCMS Public
Version: 1.0 Page 8 of 10
BUSINESS CONTINUITY MANAGEMENT SYSTEM POLICY

They may be asked to provide appropriate subject matter experts within their divisions
for support.

Post incidents, they are responsible for incorporating lessons learnt into their business
continuity arrangements and ensuring their plans are updated accordingly.

5.3.3 Subject Matter Expert

Project (SMEs) are subject matter experts who provide advice and/or direction on the area of
Planning & expertise may be consulted. SMEs include HR, Building Facilities, Internal
Implementation Communications, Health and safety, Information Technology and Information Security.

Incidents SMEs may be asked to join incident management team; depending on the incident.

5.3.4 CIO

Project The CIO supports the Business Continuity Committee in discharging their Business
Planning & Continuity responsibilities. The CIO is responsible for the overall direction and
Implementation coordination of MOCD Business Continuity Management, including Business Continuity
sign-off for new investments and contracts. If the CIO is not available the Lead Business
Continuity takes the role.
Incidents The CIO Unit facilitates MOCD response to emergencies to support the Incident team.
Post incidents, the CIO ensures the lessons learnt from the incident are noted; reported,
disseminated and incorporated into MOCD Business Continuity Management and
arrangements.
If the CIO is not available, the Lead Business Continuity takes the role.

5.3.5 Business Continuity Section

Project Deliver and set the Business Continuity framework and policies, specifically:
Planning &
• Provide specialist Business Continuity guidance and advice – to business as usual;
Implementation
projects; and new investments outsourcing and contracts initiatives.
• Co-ordinate the corporate Business Continuity Management arrangements and
systems, including Incident Management, both within MOCD and with external
agencies
• Contribute to the corporate planning effort for specific corporate wide Business
Continuity threats (e.g. pandemic, industrial action)
• Review the Divisional level plans to ensure they integrate with overarching Plan
structure
• Maintain the Business Continuity Area (When Available)
• Organize, run and/or advise on Business Continuity rehearsals, focusing on:

MOCD/CS/BCMS Public
Version: 1.0 Page 9 of 10
BUSINESS CONTINUITY MANAGEMENT SYSTEM POLICY

o Loss/lack of human resources o Loss/lack of

building(s)
o Loss of other resources (technology, systems,
etc.) o Loss/lack of supplier

• Produce guidelines for Business Continuity standards.

• Collate and report on status of overarching Business Continuity threats in MOCD
• Maintain, co-ordinate and administer MOCD Emergency Operations Centers
• Brief the Executive on specific Business Continuity threats, and provide regular
Business
• Ensure that MOCD is aligned to NCEMA7000:2015 & ISO 22301:2012.

Incidents Support the Incident team includes:

The activation and running of the Emergency Operations Centre.
Post incidents: reporting on lessons learnt and updating the relevant plans and
arrangements.

5.3.6 Divisional Incident Management Teams

Project To keep abreast of the Business Continuity Plan that impact on their area of responsibility,
Planning & and may be involved in the reviewing and updating of these plans.
Implementation
Incidents Divisional Incident Management Teams are responsible for the operational response of
their division in the event of an incident. They control and deploy staff and implement
divisional and departmental plans within their areas of responsibility.
5.3.7 Key Roles and Responsibilities for MOCD Business Continuity Champions

The roles described in this section are mere roles and are not linked to a pre-defined position in MOCD.
The allocation of roles to positions can be done ad-hoc, for it depends on availability of key employees.

5.3.8 Policy Communications

Business Continuity Manager has to ensure that all employees of MOCD, as well as suppliers and
outsourcing partners who have a role in the BCMS are familiar with this Policy.

5.3.9 Support for BCMS Implementation

The Undersecretary hereby declares that all elements of BCMS implementation will be supported with
adequate resources in order to achieve all goals and objectives set according to this Policy, as well as
satisfy all identified requirements.

6. ENFORCEMENT
This policy should be communicated to all interested parties and be read and acknowledged formally by
all MOCD staff. Any employee found to have violated this procedure may be subject to disciplinary action,
up to and including termination of employment. A violation of this procedure by a temporary worker,
contractor, and intern, volunteer may result in the termination of their contract or assignment with MOCD.

MOCD/CS/BCMS Public
Version: 1.0 Page 10 of 10