Cannabis organizational security plan
Cultivation, processing and medical sales licences
On this page
Disclaimer: You need to read these pages along with the Cannabis Act and its Regulations. If there are differences, the Act and its Regulations are correct. If there are differences between this page and the Cannabis Tracking and Licensing System (CTLS), this page is correct.
What is it
The organizational security plan (OSP) captures the risk mitigation measures that are in place to prevent, identify and respond to potential incidents that could result in the diversion of cannabis to or from the illicit market. It outlines security measures in place beyond physical security including people requiring a security clearance and standard operating procedures (SOPs).
The Cannabis Regulations require you to have an OSP. You need to submit it to Health Canada as part of the licensing process and when changes are made.
Who needs it
Applicants and licence holders require an OSP for these cannabis licences:
- cultivation (micro, nursery and standard)
- processing (micro and standard)
- sale for medical purposes
What to include
There are 7 areas of information to cover in an OSP. Health Canada can request more information at any point beyond what's required.
You're encouraged to use this template for the OSP and follow the instructions provided. If you decide not to use this template, Health Canada will still accept other formats as long as they include the required information.
Important: The information submitted in the OSP and the CTLS need to be consistent. Discrepancies or inconsistencies can result in a delay in processing your application or change request.
Business overview
This section will provide Health Canada with understanding of your business. You need to include an overview of your business that covers:
- business summary: a general description of what your business will do or does with cannabis (what activities and types of cannabis). You need to include any business affiliations or relationships to other organizations such as companies, partnerships, and co-operatives involving cannabis. This includes but is not limited to any organization that controls or is controlled by the applicant or licence holder and other related companies. You need to include who they are and what they do for or with you. If you don't have any business affiliations or relationships to other organizations, indicate as such. This can be 2 to 4 sentences, or a bullet list. For example:
- "We want to cultivate and process cannabis and then sell cannabis oil that has been packaged and labeled to provinces and territories. We have no business affiliations or relationships to other organizations."
- "We have a partnership with Cannabis Co. We cultivate cannabis and sell dried cannabis in bulk to Cannabis Co. to create edible cannabis (chocolate bars)."
- cannabis-related activities: any authorized activities that you will conduct or are conducting. Include all that apply:
- cultivation activities such as:
- drying
- trimming
- milling
- other (for example, packaging and labelling for cannabis plants and seeds)
- processing activities such as:
- extracting
- packaging
- labelling
- other
- sale
- cultivation activities such as:
- intended market: any market that you will sell to or are selling to. Include all that apply:
- cultivator (micro or standard)
- nursery
- processor (micro or standard)
- analytical tester
- researcher
- sale for medical purposes
- cannabis drug licence
- provincial or territorial authorized retailers
- other: registered medical patients, hospital, personal or designated growers for medical purposes
- types of cannabis: any authorized types of cannabis that you will sell or are selling. Include all that apply:
- cannabis plants
- cannabis plant seeds
- dried cannabis
- fresh cannabis
- cannabis topicals
- cannabis extracts
- edible cannabis
People requiring a security clearance
You need to list all people requiring a security clearance based on the position they hold or will hold (once they receive a security clearance) for the:
- parent (owning) company, if applicable
- people that directly control or are in a position to directly control any partnership, corporation or cooperative
- directors
- officers
- other positions
- people that directly control or are in a position to directly control any partnership, corporation or cooperative
- applicant or licence holder
- people that directly control or are in a position to directly control any partnership, corporation or cooperative
- directors
- officers
- other positions
- people that directly control or are in a position to directly control any partnership, corporation or cooperative
- key site personnel
- responsible person and their alternate
- head of security and their alternate
- master grower and their alternate, if applicable
- quality assurance person (QAP) and their alternates, if applicable
The list needs to include each person's:
- name
- position titles
- CTLS account ID
- security clearance number
- SEC # for security clearance applications
- HSC # for granted security clearances
Tip: The position titles need to be specific. For example, chief executive officer, chief financial officer, president.
Tip: You need to include all the people listed who require a security clearance in your organizational chart. Discrepancies or inconsistencies can result in delays in the review of your application.
Head of security and alternate
You need to include the following information for the head of security and their alternate (if applicable):
- name
- work schedule including hours of work
- their email address and phone number in the case of emergency
Organizational chart
The organizational chart visually represents how authority, responsibility, and influence or decision-making flows within a formal organizational structure.
The organizational chart needs to differentiate each organizational level (such as parent company, applicant or licence holder company, and key site personnel). You can use different colours or lines to separate the different organizational levels.
Important: You don't need to include every employee at your site in the organizational chart. You need to identify both current and proposed (once they receive security clearance) people in your organizational chart. This includes:
- all people requiring a security clearance from the:
- parent (owning) company, if applicable
- people that directly control or are in a position to directly control any partnership, corporation or cooperative
- directors
- officers
- other positions
- people that directly control or are in a position to directly control any partnership, corporation or cooperative
- applicant or licence holder
- people that directly control or are in a position to directly control any partnership, corporation or cooperative
- directors
- officers
- other positions
- people that directly control or are in a position to directly control any partnership, corporation or cooperative
- key site personnel
- responsible person and their alternate
- head of security and their alternate
- master grower and their alternate, if applicable
- QAP and their alternates, if applicable
- parent (owning) company, if applicable
- people at the site who have significant influence or decision making ability on (can include but isn't limited to managers or supervisors):
- strategic business decisions
- day-to-day operations
- movement of significant amount of money or cannabis
The chart needs to include each person's:
- name
- position titles
Tip: The position titles need to be specific. For example, director, chief financial officer, director of operations, quality manager, responsible person. For key site personnel, include the official Health Canada titles (responsible person, head of security, master grower, QAP).
Tip: The people you identified as requiring a security clearance in the People requiring a security clearance section need to be included in your organizational chart. Discrepancies or inconsistencies can result in delays in reviewing your application.
Here's an example of an organizational chart. This only includes people requiring a security clearance and people at the site who have significant influence or decision-making ability. Your organizational chart may include other positions not in the example.
Text description
- Name 1, Name 2, Name 3 Board of directors (parent company)
- Name Chief executive officer (parent company)
- Name Chief financial officer (parent company)
- Name Chief operating officer (parent company)
- Name Chief information officer (parent company)
- Name Chief executive officer, director, president (applicant/licence holder)
- Name Director of quality
- Name Quality assurance person (QAP)
- Name Quality supervisor (A/QAP)
- Name Quality assurance person (QAP)
- Name Cultivation manager
- Name Master grower
- Name Director of operations, responsible person
- Name Security manager (Head of security)
- Name A/Head of security
- Name Security manager (Head of security)
Important: If you're a micro-cultivation, nursery or micro-processing applicant or licence holder, or an individual/sole proprietor, include only what applies in your organizational chart.
Descriptions of roles and responsibilities
For each position in the organizational chart, you need to briefly describe the roles and responsibilities. You can't use a general summary for multiple positions. If an employee holds multiple positions, you need to describe each position separately. Include what the person has control over, what their decision making scope is, and what their responsibilities are. This can be 2 to 4 sentences or in a bullet list.
Tip: Here are some examples of descriptions of roles and responsibilities. Do not copy-paste these examples into your OSP.
Alex Doe, Cannabis Co., Chief financial officer
- Manages the company's day-to-day finances and provides oversight of the financial department.
- Collaborates with the CEO to optimize the company's financial performance and long-term company plans in the cannabis market.
- Leads financial planning, monitors company cash flow, strategic planning, collaborations and partnerships with cannabis licence holders, financial risk management, key investor reporting, and financial reporting.
Sam Doe, Cannabis Co., Head of security
- Oversees security operations at the site including the site perimeter and areas where cannabis is present.
- Maintains the OSP to ensure individuals' information and risk mitigation measures are up to date.
- Ensures that the physical security measures comply with the Cannabis Regulations; this includes monitoring video surveillance systems, intrusion detection systems, and access controls systems.
Jordan Doe, Cannabis Co., Director of quality
- Oversees quality control- and quality assurance-related activities to ensure compliance with company standards and federal regulations.
- Makes decisions involving quality process changes, equipment and methods.
- Ensures that Quality staff are following procedures for verifying the quality of cannabis produced.
Descriptions of standard operating procedures (SOPs)
A standard operating procedure (SOP) is a documented procedure that instructs employees on how to do or complete a specific task. You need to have a system in place to review procedures on a regular basis and revise them as needed.
The descriptions of your SOPs need to capture the risk mitigation measures that are in place to prevent, identify and respond to potential incidents that could result in the diversion of cannabis to or from the illicit market.
You only need to submit descriptions of your SOPs, not copies of your SOPs. When describing the SOPs, you need to include enough detail to show that the procedure is able to prevent, identify and respond to potential security incidents.
The description can be 3 to 6 sentences long, or in a bullet list. The number of SOPs required for each area is up to you. If you have one SOP that addresses multiple areas, you need to describe how it addresses each area separately.
Health Canada has identified 23 areas divided into 5 themes that need to be addressed by your SOPs to help mitigate those risks:
Theme 1: Employee information
The description that you provide needs to show how the SOPs will address the following:
- 1.1 information received that could compromise an employee's security clearance
- 1.2 information received on a non-security cleared employee that could compromise the organization's security
Theme 2: Security measures
Important: This does not apply to the sale for medical purposes without possession licence.
The description that you provide needs to show how the SOPs will address the following:
People
- 2.1 entry to the site perimeter for employees and contractors
- 2.2 entry to the site perimeter for visitors
- 2.3 any security breaches to the site perimeter
- 2.4 access to operations and storage areas for employees and contractors
- 2.5 access to operations and storage areas for visitors
- 2.6 any security breaches to operations and storage areas
Cannabis movement
- 2.7 safekeeping of cannabis when being shipped, delivered or transported
- 2.8 validating that cannabis entering the site is from a legal source
- 2.9 unauthorized movement of cannabis including entering or leaving the site
- 2.10 detecting the loss or theft of cannabis
- 2.11 destruction including the method and handling of cannabis waste
Theme 3: Security awareness and training
Important: The descriptions for the SOPs that cover these areas need to include security training, site orientation programs, security reporting (concerns, incidents, and breaches) and investigation management.
The description that you provide needs to show how the SOPs will address the following:
- 3.1 security awareness and training for all new employees and contractors
- 3.2 ongoing security awareness and training for all employees and contractors
- 3.3 security briefings for visitors
Theme 4: Storage of information
The description that you provide needs to show how the SOPs will address the following:
- 4.1 contingency if the record keeping system fails or goes down
- 4.2 ensure the protection of client information (including against loss), if applicable
- 4.3 storage and retrieval of video monitoring footage, if applicable
Theme 5: Information and operations management
The description that you provide needs to show how the SOPs will address the following:
- 5.1 cyber security measures
- 5.2 information technology (IT) disaster recovery
- 5.3 business continuity
- 5.4 other (as applicable)
Example
Here's an example of SOP descriptions for Theme 1: Employee information. In this example, SOP-SEC-01 addresses 2 areas (1.1 and 1.2) and SOP-SEC-04 addresses 1 area (1.2). The description included for each SOP is specific to the area being addressed.
| Area | SOP names and titles | SOP descriptions |
|---|---|---|
| 1.1 Adverse information received that could compromise an employee's security clearance | SOP-SEC-01 Employee security | It outlines procedures for all employees to report and respond to compromising information for security cleared employees. It includes examples of information that could compromise an employee's security clearance including violation of any security rules, criminal activity or arrest, association with organized crime, inappropriate behaviour and more. The head of security will investigate the reports submitted and review them with the employees and management, and determine if any corrective actions are required. |
| 1.2 Adverse information received regarding a non-security cleared employee that could compromise the organization's security | SOP-SEC-01 Employee security | It outlines procedures for all employees to report and respond to compromising information for non-security cleared employees. It includes examples of actions and behaviours that could pose a security risk including the misuse of company information and systems, violation of company security rules, inappropriate behaviour and more. The head of security will investigate the reports submitted and review them with the employees and management, and determine if any corrective actions are required. |
| SOP-SEC-04 Site security | It outlines various measures that the head of security takes to ensure security risks are mitigated at the site. This includes consistently reviewing video surveillance systems, responding to employee concerns, and ensuring security procedures are followed. The head of security will investigate any adverse information or findings, determine if any corrective actions are required, and report their findings to management. |
Attestation
You need to include a completed OSP attestation form. If you're using the template, the attestation is already included.
When to submit it
For applicants
You need to upload your OSP documents on the "Organizational Security Plan" page in the CTLS when you apply for a new licence. If you've reached the upload limit in the CTLS, submit your additional documents in the site evidence package.
Naming convention
Whether you decide to use this template for your OSP or submit your OSP using a different format, any attachments should be named, as applicable:
- business overview: "OSP_APP-#_BusinessOverview_YYYY-MM-DD.PDF"
- template or primary document: "OSP_APP-#_YYYY-MM-DD.PDF"
- people requiring a security clearance: "OSP_APP-#_PeopleSC_YYYY-MM-DD.PDF"
- head of security: "OSP_APP-#_HeadOfSecurity_YYYY-MM-DD.PDF"
- organizational chart: "OSP_APP-#_OrganizationalChart_YYYY-MM-DD.PDF"
- descriptions of roles and responsibilities: "OSP_APP-# _DescriptionsRoles_YYYY-MM-DD.PDF"
- descriptions of standard operating procedures (SOPs): "OSP_APP-#_SOPs_YYYY-MM-DD.PDF"
- attestation: "OSP_APP-#_Attestation_YYYY-MM-DD.PDF"
For licence holders
You need to update your OSP when a change impacting it is made (for example, if a person included in the organizational chart leaves or a new person is hired in a position that requires a security clearance). You need to tell Health Canada of the changes to your OSP by emailing licensing-cannabis-licences@hc-sc.gc.ca within 5 days of making the change. The subject line and the file name should be "Change to OSP Notification for LIC #". The email needs to include:
- a description of the changes to the OSP
- a description of what caused the changes
- if applicable, the CTLS CHG numbers for the licence amendments that caused you to have to change your OSP
- a copy of the updated section of the OSP, not the entire OSP
- Refer to the naming conventions. Licence holders should replace the APP # with their LIC #.
Important: Health Canada can also ask you to submit an updated copy of your OSP at any time.
Contact us
If you have any questions about the OSP or its requirements, please email us at licensing-cannabis-licences@hc-sc.gc.ca. The subject line of the email should be either:
- For applicants: "Organizational security plan query APP #"
- For licence holders: "Organizational security plan query LIC #"
Page details
- Date modified: