Hilary Estall MBCI, IRCA BCMS Lead Auditor is a business continuity practitioner and seasoned management system Lead Auditor. Here she offers an insight into the recent publication of NCEMA 7000:2021, the third edition of the UAE National Emergency Crisis and Disasters Management Authority’s business continuity management standard.
Notification of NCEMA 7000’s latest revision (2021) came as a surprise to me. Not because it had been updated but because I’d never heard of it. This is from someone who has been in the Management System Standards industry for over 20 years. What does that say?
The National Business Continuity Management System AE/SCNS/NCEMA 7000:2021 is on its third outing. Unashamedly aimed at the UAE business community, a closer look suggests it is a valuable addition to other BCMS standards, not least ISO 22301:2019. Here are some of my thoughts, having read it. For the sake of brevity, I shall refer to the standard as ‘7000’.
- 7000 combines guidance information alongside requirements. Clearly distinguished in coloured boxes before requirements are listed, the guidance is set out clearly and succinctly. By reading both the guidance followed by the requirements, I felt an immediate appreciation for, and context of, what was required in terms of implementation. Requirements follow the familiar management system standard language of “shall” but the guidance avoids using “should” and thereby encourages the reader to take decisive action.
- 7000 has established a set of Terms and Definitions. They do not always mirror those in ISO 22300:2018 and I cannot see reference to where or how they have been developed. That said, they appear fair and reasonable and, again, are clear and succinct to read and understand.
- 7000 follows ISO 22301 clauses 3 to 10 in its structure. It states clearly which clauses refer to business continuity management system requirements (3-7, 9, 10) and which focus on business continuity management system operational requirements (clause 8 only). For newcomers to a BCMS standard, this is made clear at the outset.
- Clause 3: Governance Framework. Here top management’s expectations are clearly managed through its accountabilities and demonstrable areas of commitment. Management System Planning (3.3) not only makes it clear an organization must plan how it will implement its management system in terms of work to be performed and people to do it, but it must also provide target dates by which it will be completed. Brilliant!
- Clause 4: Context of the Organization. In my experience as an auditor, this term remains an enigma for many despite being a phrase used for several years now. 7000 gives us clear guidance on how an organization should interpret this requirement. I quote “Context in this document refers to the environment and circumstances of the organization, including its culture and diversity, its management style, the financial resources available, requirements of interested parties and other issues of relevance”.
- Clause 5: Policy, Scope and Objectives is self-explanatory.
- Clause 6: Management System Support. There is plenty to like in this clause. For example: competency. We all know what it is but determining competencies is an area some find challenging to articulate. 7000 gets straight to the point in its guidance statement. “People with management system responsibilities must have the competence necessary to perform their duties effectively. If they don’t, the management system will not be successful”. Is that direct enough for top management to grasp?
In clause 6.3 external providers get their own mention. Not only does an organization have to control the output from an external provider, it also has to determine and apply criteria for selecting external providers. Oh, and they have to be available “when needed”. This sub-clause provides excellent clarity and manages the expectations of those involved in hiring external providers.
- Clause 7: Documented Information. Excellent guidance note which puts into context terms like processes, procedures, inputs, and outputs. Good clarity and space between document creation, and control/updating documents. A comprehensive list of what documented information is required is also provided (by clause). Again, unambiguous and easy to refer to.
- Clause 8: BCMS Operations. Again, useful guidance is offered. Where the resumption of a prioritised activity depends on a single external provider there is a requirement to evaluate their BCM arrangements “in relation to the dependency”. Solutions to address any identified vulnerabilities shall then be determined. Again, whilst not given much word space, the expectation is clear.
Clause 8.4.2 requires “competent people to evaluate and select strategies, people…and external providers needed to implement selected strategies”. There is also a requirement to determine the timing and capacity at which resources are needed as well as the timing and capacity at which they are to be made available. Again, auditing experience tells me this is an area which can get lost in translation, often with a one-time only effort made to consider strategies, so I welcome such clarity.
Other clause 8 points worth mentioning are good clarity of response structure requirements, command and control and multiple references to various aspects of media management.
Clause 18.104.22.168 offers a useful guidance note on the Recovery of Technology Systems. The use of the term “recovery” differs to that in ISO 22301 in that it is part of the response process during, not after, the disruption.
- Clause 9: Review and Evaluation includes within the requirement, an extensive list of compliance elements against which performance indicators will be required so there is no room for doubt or oversight.
Overall, my first foray into NCEMA 7000 has given me a BCMS Requirements Management System Standard which is clear, concise, user friendly and, if I was so minded, open encouragement to implement my own BCMS. I welcome this new edition (and addition!) with open arms and hope you will take the opportunity to download (for free) NCEMA 7000:2021 and take a look for yourself. For those readers who have already implemented a BCMS, 7000 may well give you a few nuggets to add in to your existing system.
Hilary Estall is Director of Perpetual Solutions. Hilary is the author of Business Continuity Management Systems; Implementation and certification to ISO 22301. ISBN 9781780171463