Physical security measures for cannabis licences: Principles and practices
Overview of measures by licence and the principles and practices for physical security.
On this page
- Measures by licence
- Site design
- Physical barrier
- Restricted access
- Visual monitoring system and recording devices
- Intrusion detection system and devices
- Monitoring
- Appropriate measures
- Record of detected occurrences
- Record keeping for storage area only
- Retention of records
Measures by licence
The physical security requirements are different between licences.
Measures for micro-cultivation, nursery and micro-processing licences
- Physical barrier
- Restricted access
Measures for standard cultivation, standard processing and sale for medical purposes licences
- Physical barrier
- Restricted access
- Visual monitoring system and recording devices
- Intrusion detection system and devices
- Monitoring
- Record of detected occurrences
- Record keeping for storage areas only
- Retention of records
Measures for analytical testing licences
- Physical barrier
- Restricted access
Measures for research licences
- Restricted access
Measures for cannabis drug licences (depending on activities)
- Physical barrier
- Restricted access
- Visual monitoring system and recording devices
- Intrusion detection system and devices
- Monitoring
- Record of detected occurrences
- Record keeping for storage areas only
Site design
Consider the design of your site, including entries and exits, when determining how to control access to those authorized.
You should consider the rings of protection concept when designing your site. This is a common concept used when designing secure facilities. It requires building various rings or barriers of protection around the items being protected. It's usually designed so that the first barrier detects the breach. Then, the rest of the barriers slow the intruder down for the police to arrive before they have left with the goods.
Regardless of how you design your site, your security measures need to work together to keep your site safe and prevent unauthorized access.
Physical barrier
Physical barriers need to be built in a manner that prevents unauthorized access. They need to deter any attempted unauthorized access to the area. The construction of the barrier is meant to delay or stop intruders. The physical barrier needs to be continuous, and it needs to surround the entire area or site, if applicable.
Appropriate components
- Walls
- Strong enough to be an inefficient point of entry
- Doors
- Locks and frames are strong enough to prevent easy breaching
- Ceiling or service hatches are secured with a lock
- Hinge pins are inside the secured area
- If hinges are on the outside, security hinges are used to prevent the removal of the door
- Fences
- Continuous, well-maintained fences without breaks
- Bottom of the fence is close enough to the ground to prevent entry underneath
- If the fence passes over a trench or culvert, the opening is secured with fencing, metal grills or other barriers
- Constructed to prevent someone from easily jumping or climbing over it
- Windows
- Strong enough to prevent easy breaching
- Overall construction makes it a sturdy barrier such as thickness, number of panes and material (such as, wire glass, laminated glass, polycarbonate, composite)
- Bars, steel grills and other coverings can be used to secure windows
- Locks are inside the secured area
- Vent openings
- Constructed to prevent someone from crawling through
- Accessible openings are secured with protected coverings to prevent someone from crawling through such as metal grills, bars or metal mesh
Restricted access
Certain areas may have more restrictive access than your site as a whole. For example, an employee may need access to a grow area, but not to the storage areas. Consider roles and responsibilities when giving access to specific areas.
Appropriate components
- All access points leading into an area (doors, gates and ceiling hatches) have access control devices, such as:
- card or fob reader
- electromagnetic locks
- door with lock and key
- proximity card readers
- an intercom with camera
- keypads with electric door strikes
- Only specific people have access credentials or permissions to specific areas as required by their job duties
- Procedures are in place for granting temporary access and restricting access for visitors (for example, guests, vendors and contractors)
Visual monitoring system and recording devices
Visual monitoring systems and recording devices will capture evidence of an attempted or actual intrusion. They're also meant to act as a deterrent to intrusion attempts into the site.
For all devices: Principles or practices to show compliance
- Devices are appropriate for their intended use
- System captures videos clearly in both well-lit and dark conditions, which can include:
- night vision features such as near-infrared and infrared illumination
- building lighting to fix low light conditions (operating at all times)
- System and devices operate and monitor at all times (365 days a year, 24 hours a day) and during a power outage. This can include:
- a back-up generator
- an uninterruptible power supply
- technology to operate during a power outage
For outdoor devices: Principles or practices to show compliance
- Cameras can operate in your site's temperature range, both hot and cold weather
- Cameras are weatherproof and suitable for outdoor use. Ice build-up, water streaking, fogging or other environmental conditions won't affect camera footage
Intrusion detection system and devices
The intrusion detection system must immediately detect any unauthorized access to allow for a quicker response to mitigate the event.
For all system and devices: Principles or practices to show compliance
- System is designed to minimize false alarms
- System produces an alarm report that contains:
- its unique identifier
- the date and time it was triggered
- System detects all attempted and actual tampering of the system, such as:
- cutting power
- disrupting signal or communication lines
- System sends a distress alert, notification or alarm signal to the system monitor if it detects tampering
- Devices have a sufficient detection ranges and coverage, for example:
- traditional motion detectors for big areas such as a field
- motion detector with a long range or multiple detectors for a long fence or wall
- curtain motion detectors for surfaces such as walls, doorways, and other smaller areas
- Devices are installed following the manufacturer's instructions or recommendations, for example:
- wall-mounted motion detectors shouldn't be placed on other surfaces
- seismic detectors shouldn't be placed on certain wall materials depending on their ability to transmit vibrations
- Devices are organized into partitions to allow for the arming and disarming of zones. Your perimeter should be its own partition, and must never be disarmed
- System and devices operate and monitor at all times (365 days a year, 24 hours a day) and during power outages. This can include:
- a back-up generator
- an uninterruptible power supply
- technology to operate during a power outage
For outdoor devices: Principles or practices to show compliance for outdoor devices
- Devices can operate in your site's temperature range, both hot and cold weather
- Devices are weatherproof and suitable for outdoor use
Examples of intrusion detection devices
- Video analytics
- Seismic sensors
- Glass break sensors
- Door or gate contacts
- Curtain motion detectors
- Microphonic cable sensors
- Photoelectric beam sensors
- Fence intrusion detection sensors
- Passive infrared motion detections
Monitoring
Principles or practices to show compliance
Someone must monitor your intrusion detection system at all times (365 days a year, 7 days a week and 24 hours a day). You can:
- use a third-party security alarm monitoring company
- have an on-site monitoring station
- use a self-monitored system that pushes notifications to the mobile device of specific people
- combine on-site monitoring and a third-party alarm monitoring service
Appropriate measures
You must develop a procedure to outline actions to take when an unauthorized security incident is detected. Consider including the following actions when developing your response:
- investigating the alarm
- making a record of the event
- ensuring cannabis inventory is accounted for
- escalating the case to the local authorities, if applicable
- notifying the appropriate people (for example, head of security)
- addressing any security vulnerabilities (for example, corrective and preventive actions)
Record of detected occurrences
You must maintain records of all required security incidents. Consider the following elements when developing your procedure for recording incidents:
- granting access to records
- creating and maintaining records (electronic or paper)
- retaining records that contain:
- the date and time of the occurrence
- the measures taken in response to it and the date and time when they were taken
Record keeping for storage area only
You must keep a record of each person entering and exiting a storage area.
Principles or practices to show your compliance
- Access logs contain:
- area being accessed
- identity of the person
- date and time of entry and exit
- specific access point (for example, door, gate), especially if there are many access points
- Procedures are in place for logging visitors (for example, guests, vendors, and contractors)
- Access logging devices are on both sides of every door to the storage area
Examples of access logging devices
- Electronic sign-ins
- Proximity card readers
Retention of records
Consider the following elements when retaining security documents:
- physical storage location
- access to the records
- retention (electronic or paper)
- retrieving information when required
- storage capacity and archiving procedures
You need to retain security related recordings, documents and information for a minimum amount of time after they've been recorded or prepared.
- Visual recordings: minimum 1 year
- Storage area access logs: minimum 2 years
- Records of detected occurrences: minimum 2 years
General rules and additional record keeping requirements associated with physical security measures in Part 11 of the Cannabis Regulations.
- Section 221: Manner of retention
- Section 222: Requirement to continue to retain
- Section 230: Organizational security plan
Page details
- Date modified: