Cannabis organizational security plan

Cultivation, processing and medical sales licences

On this page

Disclaimer: You need to read these pages along with the Cannabis Act and its Regulations. If there are differences, the Act and its Regulations are correct. If there are differences between this page and the Cannabis Tracking and Licensing System (CTLS), this page is correct.

What is it

The organizational security plan (OSP) captures the risk mitigation measures that are in place to prevent, identify and respond to potential incidents that could result in the diversion of cannabis to or from the illicit market. It outlines security measures in place beyond physical security including people requiring a security clearance and standard operating procedures (SOPs).

The Cannabis Regulations require you to have an OSP. You need to submit it to Health Canada as part of the licensing process and when changes are made.

Who needs it

Applicants and licence holders require an OSP for these cannabis licences:

What to include

There are 7 areas of information to cover in an OSP. Health Canada can request more information at any point beyond what's required.

You're encouraged to use this template for the OSP and follow the instructions provided. If you decide not to use this template, Health Canada will still accept other formats as long as they include the required information.

Important: The information submitted in the OSP and the CTLS need to be consistent. Discrepancies or inconsistencies can result in a delay in processing your application or change request.

Business overview

This section will provide Health Canada with understanding of your business. You need to include an overview of your business that covers:

People requiring a security clearance

You need to list all people requiring a security clearance based on the position they hold or will hold (once they receive a security clearance) for the:

The list needs to include each person's:

Tip: The position titles need to be specific. For example, chief executive officer, chief financial officer, president.

Tip: You need to include all the people listed who require a security clearance in your organizational chart. Discrepancies or inconsistencies can result in delays in the review of your application.

Head of security and alternate

You need to include the following information for the head of security and their alternate (if applicable):

Organizational chart

The organizational chart visually represents how authority, responsibility, and influence or decision-making flows within a formal organizational structure.

The organizational chart needs to differentiate each organizational level (such as parent company, applicant or licence holder company, and key site personnel). You can use different colours or lines to separate the different organizational levels.

Important: You don't need to include every employee at your site in the organizational chart. You need to identify both current and proposed (once they receive security clearance) people in your organizational chart. This includes:

  • all people requiring a security clearance from the:
    • parent (owning) company, if applicable
      • people that directly control or are in a position to directly control any partnership, corporation or cooperative
        • directors
        • officers
        • other positions
    • applicant or licence holder
      • people that directly control or are in a position to directly control any partnership, corporation or cooperative
        • directors
        • officers
        • other positions
    • key site personnel
      • responsible person and their alternate
      • head of security and their alternate
      • master grower and their alternate, if applicable
      • QAP and their alternates, if applicable
  • people at the site who have significant influence or decision making ability on (can include but isn't limited to managers or supervisors):
    • strategic business decisions
    • day-to-day operations
    • movement of significant amount of money or cannabis

The chart needs to include each person's:

Tip: The position titles need to be specific. For example, director, chief financial officer, director of operations, quality manager, responsible person. For key site personnel, include the official Health Canada titles (responsible person, head of security, master grower, QAP).

Tip: The people you identified as requiring a security clearance in the People requiring a security clearance section need to be included in your organizational chart. Discrepancies or inconsistencies can result in delays in reviewing your application.

Here's an example of an organizational chart. This only includes people requiring a security clearance and people at the site who have significant influence or decision-making ability. Your organizational chart may include other positions not in the example.

example org chart

Text description
  • Name 1, Name 2, Name 3 Board of directors (parent company)
  • Name Chief executive officer (parent company)
    • Name Chief financial officer (parent company)
    • Name Chief operating officer (parent company)
    • Name Chief information officer (parent company)
  • Name Chief executive officer, director, president (applicant/licence holder)
  • Name Director of quality
    • Name Quality assurance person (QAP)
      • Name Quality supervisor (A/QAP)
  • Name Cultivation manager
    • Name Master grower
  • Name Director of operations, responsible person
    • Name Security manager (Head of security)
      • Name A/Head of security

Important: If you're a micro-cultivation, nursery or micro-processing applicant or licence holder, or an individual/sole proprietor, include only what applies in your organizational chart.

Descriptions of roles and responsibilities

For each position in the organizational chart, you need to briefly describe the roles and responsibilities. You can't use a general summary for multiple positions. If an employee holds multiple positions, you need to describe each position separately. Include what the person has control over, what their decision making scope is, and what their responsibilities are. This can be 2 to 4 sentences or in a bullet list.

Tip: Here are some examples of descriptions of roles and responsibilities. Do not copy-paste these examples into your OSP.

Alex Doe, Cannabis Co., Chief financial officer

  • Manages the company's day-to-day finances and provides oversight of the financial department.
  • Collaborates with the CEO to optimize the company's financial performance and long-term company plans in the cannabis market.
  • Leads financial planning, monitors company cash flow, strategic planning, collaborations and partnerships with cannabis licence holders, financial risk management, key investor reporting, and financial reporting.

Sam Doe, Cannabis Co., Head of security

  • Oversees security operations at the site including the site perimeter and areas where cannabis is present.
  • Maintains the OSP to ensure individuals' information and risk mitigation measures are up to date.
  • Ensures that the physical security measures comply with the Cannabis Regulations; this includes monitoring video surveillance systems, intrusion detection systems, and access controls systems.

Jordan Doe, Cannabis Co., Director of quality

  • Oversees quality control- and quality assurance-related activities to ensure compliance with company standards and federal regulations.
  • Makes decisions involving quality process changes, equipment and methods.
  • Ensures that Quality staff are following procedures for verifying the quality of cannabis produced.

Descriptions of standard operating procedures (SOPs)

A standard operating procedure (SOP) is a documented procedure that instructs employees on how to do or complete a specific task. You need to have a system in place to review procedures on a regular basis and revise them as needed.

The descriptions of your SOPs need to capture the risk mitigation measures that are in place to prevent, identify and respond to potential incidents that could result in the diversion of cannabis to or from the illicit market.

You only need to submit descriptions of your SOPs, not copies of your SOPs. When describing the SOPs, you need to include enough detail to show that the procedure is able to prevent, identify and respond to potential security incidents.

The description can be 3 to 6 sentences long, or in a bullet list. The number of SOPs required for each area is up to you. If you have one SOP that addresses multiple areas, you need to describe how it addresses each area separately.

Health Canada has identified 23 areas divided into 5 themes that need to be addressed by your SOPs to help mitigate those risks:

Theme 1: Employee information

The description that you provide needs to show how the SOPs will address the following:

Theme 2: Security measures

Important: This does not apply to the sale for medical purposes without possession licence.

The description that you provide needs to show how the SOPs will address the following:

People

Cannabis movement

Theme 3: Security awareness and training

Important: The descriptions for the SOPs that cover these areas need to include security training, site orientation programs, security reporting (concerns, incidents, and breaches) and investigation management.

The description that you provide needs to show how the SOPs will address the following:

Theme 4: Storage of information

The description that you provide needs to show how the SOPs will address the following:

Theme 5: Information and operations management

The description that you provide needs to show how the SOPs will address the following:

Example

Here's an example of SOP descriptions for Theme 1: Employee information. In this example, SOP-SEC-01 addresses 2 areas (1.1 and 1.2) and SOP-SEC-04 addresses 1 area (1.2). The description included for each SOP is specific to the area being addressed.

Theme 1: Employee information
Area SOP names and titles SOP descriptions
1.1 Adverse information received that could compromise an employee's security clearance SOP-SEC-01 Employee security It outlines procedures for all employees to report and respond to compromising information for security cleared employees. It includes examples of information that could compromise an employee's security clearance including violation of any security rules, criminal activity or arrest, association with organized crime, inappropriate behaviour and more. The head of security will investigate the reports submitted and review them with the employees and management, and determine if any corrective actions are required.
1.2 Adverse information received regarding a non-security cleared employee that could compromise the organization's security SOP-SEC-01 Employee security It outlines procedures for all employees to report and respond to compromising information for non-security cleared employees. It includes examples of actions and behaviours that could pose a security risk including the misuse of company information and systems, violation of company security rules, inappropriate behaviour and more. The head of security will investigate the reports submitted and review them with the employees and management, and determine if any corrective actions are required.
SOP-SEC-04 Site security It outlines various measures that the head of security takes to ensure security risks are mitigated at the site. This includes consistently reviewing video surveillance systems, responding to employee concerns, and ensuring security procedures are followed. The head of security will investigate any adverse information or findings, determine if any corrective actions are required, and report their findings to management.

Attestation

You need to include a completed OSP attestation form. If you're using the template, the attestation is already included.

When to submit it

For applicants

You need to upload your OSP documents on the "Organizational Security Plan" page in the CTLS when you apply for a new licence. If you've reached the upload limit in the CTLS, submit your additional documents in the site evidence package.

Naming convention

Whether you decide to use this template for your OSP or submit your OSP using a different format, any attachments should be named, as applicable:

For licence holders

You need to update your OSP when a change impacting it is made (for example, if a person included in the organizational chart leaves or a new person is hired in a position that requires a security clearance). You need to tell Health Canada of the changes to your OSP by emailing licensing-cannabis-licences@hc-sc.gc.ca within 5 days of making the change. The subject line and the file name should be "Change to OSP Notification for LIC #". The email needs to include:

Important: Health Canada can also ask you to submit an updated copy of your OSP at any time.

Contact us

If you have any questions about the OSP or its requirements, please email us at licensing-cannabis-licences@hc-sc.gc.ca. The subject line of the email should be either:

Page details

Date modified: