Field guides for BCM teams in regulated industries.
Written by practitioners for practitioners — clause-level walk-throughs of ISO 22301, the SAMA BCM Framework, BIA methodology and crisis-management playbooks. No fluff, no vendor-neutral hedging; every guide reflects what we've seen work inside KSA and GCC continuity programmes.
Pillar guides
Start with a cornerstone topic.
Each pillar is a 2,000-3,000 word reference. Cluster articles hang off each one.
Business Impact Analysis: A Practitioner's Guide to BIA Methodology
Every credible BCM programme rests on a defensible BIA. This pillar covers the impact matrix, criticality ratings, RTO/RPO/MTPD, dependency mapping, and the cadence that keeps a BIA from going stale.
Crisis Management Playbook: From First Alert to Post-Incident Review
A pillar guide on running a credible crisis-management programme: command structure, activation criteria, communications, the recovery handshake, and the post-incident lifecycle that auditors actually look at.
ISO 22301:2019 Implementation Guide — From Clause 4 to Certificate
A practitioner's walk-through of ISO 22301:2019: every clause explained, the certification path, the gaps auditors find most often, and how to operationalise the standard.
Missed the ISO 27001:2022 Deadline? The Recertification Path After 31 October 2025
The ISO 27001:2013-to-2022 transition window closed on 31 October 2025. A lapsed certificate isn't renewed — you re-enter as a new client and undergo a full initial audit. What that means in practice, and how to rebuild fast in Qatar and KSA.
Qatar NIA v2.1: The Annual Re-Certification Reality
Qatar's National Information Assurance Standard is now at v2.1, and certification is an annual discipline — not a one-off. What the current version means, how the v2.0-to-v2.1 re-certification works, and how to make annual NIA compliance sustainable rather than a yearly fire drill.
Qatar PDPPL and Business Continuity: Where Privacy Law Meets Your BCM Programme
PDPPL is a privacy law, not a continuity standard — but the two meet at one critical seam: the personal-data breach. This guide maps exactly where Qatar's PDPPL touches a BCM programme, where it doesn't, and how the incident module becomes the operational home for the 72-hour notification duty.
The SAMA BCM Framework: A Practitioner's Guide for KSA Banks and Fintechs
Every SAMA-licensed entity needs a defensible BCM programme. This guide walks through the five SAMA pillars, the documents auditors sample first, and how SAMA aligns with — and diverges from — ISO 22301.
Pillar · Business Impact Analysis
More on Business Impact Analysis
Business Impact Analysis Template: What Every BIA Record Needs
A working BIA template covering the impact matrix, dependency taxonomy, recovery objectives and review-cycle metadata. Use it as the starting point for your own BIA programme.
RTO vs MTPD vs MBCO vs RPO: Recovery Objectives Without the Confusion
Four acronyms, four different things. The most-confused vocabulary in BCM, explained with the operational distinctions that matter to planners, auditors and regulators.
BIA Dependency Mapping Without Losing Your Weekend
Dependency mapping is the half of the BIA that exposes the gaps. A practical method for mapping applications, vendors, locations, roles and data feeds without turning the BIA into a six-week exercise.
Pillar · Crisis Management
More on Crisis Management Playbook
BCM vs Disaster Recovery: The Distinction That Actually Matters
BCM and DR are often used interchangeably — incorrectly. Understanding the distinction is the difference between a programme that recovers IT systems and one that keeps the business running.
Writing Crisis Activation Criteria That Hold Up at 3 a.m.
Vague activation criteria are the single biggest cause of delayed crisis response. A practical method for writing threshold-based criteria that a duty manager can apply under stress.
After-Action Reports That Drive Real Improvement
AAR theatre — written, filed, ignored — is the most common failure mode after a real incident or exercise. A working AAR template that produces improvement actions teams actually close.
The Crisis Communications Playbook: Five Audiences, Five Approval Chains
Most crises are won or lost on the comms surface. A playbook covering the five audiences every comms function must manage during an incident, with pre-approved templates and explicit approval chains.
Pillar · ISO 22301
More on ISO 22301
ISO 22301 §8.4.4 Fields, Explained Line by Line
The sub-clause that decides whether your BCPs survive audit. A practical walk-through of each §8.4.4 field, with examples and the common ways teams get them wrong.
ISO 22301 Stage 1 vs Stage 2 Audit: What Each Auditor Actually Does
Stage 1 is documentation. Stage 2 is operational. Knowing the difference — and what each auditor will ask for — is the difference between a clean certification and an avoidable major finding.
ISO 22301 §9.3 Management Review: A Template That Survives Audit
Management review is one of the most under-invested clauses in ISO 22301 — and one of the most-sampled. A practical template covering required inputs, decision capture and outputs.
The BCM Lifecycle Explained: From Policy to Continual Improvement
The BCM lifecycle is the operating rhythm of every BCMS — the cycle that keeps plans, BIAs, exercises and reviews in motion together. A practical walk-through of the six phases.
Preparing for the Next ISO 22301: What's Actually Confirmed (and What Isn't)
A next edition of ISO 22301 is in the works, but the facts are narrower than the headlines suggest: the current standard is still 22301:2019 plus a 2024 climate-action amendment, and the revision project has no publication date. What's confirmed, what to do now, and what to ignore.
Pillar · PDPPL
More on Qatar PDPPL and Business Continuity
The PDPPL 72-Hour Breach Notification Clock: An Incident-Response Walkthrough
When a personal-data breach hits, the PDPPL 72-hour clock to the NDPO starts at the same moment as your SAMA cyber-incident clock. A practical walkthrough of who decides, what gets evidenced, and how to stop an incident closing with a notification duty still open.
Data Residency and PDPPL: Why On-Prem BCM Tooling Matters in Qatar
PDPPL's cloud-privacy regime — reinforced by the NCSA's 2026 Cloud Privacy Assessment Tool — pushes organisations to keep personal data from leaving their control. Here's why per-tenant isolation and on-prem AI inference turn a BCM platform's architecture into a residency feature.
Qatar's NCSA Cloud Privacy Assessment Tool: What It Checks and How to Pass It
On 3 April 2026 the NCSA launched a free Cloud Computing Privacy Assessment Tool to help organisations evidence PDPPL compliance in the cloud. Here's what the tool actually assesses — data classification, access, encryption, third-party risk, cross-border transfers, incident response — and how to be ready for each.
PDPPL Enforcement Is Real: Penalties, Compliance Orders, and What Triggers Them
Qatar's PDPPL moved from statute to active enforcement in 2024–2025, with public compliance orders against ICT and e-commerce operators and penalties of QAR 1M–5M per violation. What the NDPO has actually done, what it expects, and the breach-response gap that draws the most risk.
Pillar · SAMA BCM
More on The SAMA BCM Framework
Chartering a SAMA-Grade BCM Committee
SAMA expects a documented BCM committee with banking-sector composition and real decision rights. A working template for the charter — composition, mandate, cadence and decision authority.
What SAMA Examiners Ask First: The Opening Meeting Script
The first 60 minutes of a SAMA BCM examination set the tone for everything that follows. A walk-through of the typical opening questions and the artefacts to have ready.
How to Implement ISO 22301 in Saudi Arabia
ISO 22301 is the international BCM standard. SAMA expects something that looks a lot like it, with KSA-specific additions. This article maps the overlap and explains how to run one programme that covers both.
Latest
Recently published.
The PDPPL 72-Hour Breach Notification Clock: An Incident-Response Walkthrough
Data Residency and PDPPL: Why On-Prem BCM Tooling Matters in Qatar
PDPPL Enforcement Is Real: Penalties, Compliance Orders, and What Triggers Them