IWA 37-2

Safety, security and sustainability of cannabis facilities and operations — Part 2: Requirements for the secure handling of cannabis and cannabis products

Scope

This document specifies minimum requirements for the security of sites and facilities that handle cannabis and cannabis products for the purposes of cultivation (indoor and outdoor), processing, storage/distribution, transportation, retail sales, and research and testing, in order to prevent harm and/or unauthorized access to assets including (but not limited to):
—    physical assets;
—    personnel;
—    cannabis and cannabis products;
—    records and information.
NOTE      Premises covered in this document include indoor and outdoor cultivation, processing/production facilities and retail stores.
The overall security programme and individual security measures addressed in this document incorporate three types:

a) physical controls;
b) technical controls;
c) administrative controls.

This document specifies minimum requirements for general security of cannabis and cannabis products, up to and including:
—    physical security design/measures intended to deny, deter, delay, respond to, and recover from unauthorized access;
—    design, installation and maintenance of electronic security systems intended to restrict access, detect intrusion and visually monitor/record activity in security-sensitive areas;
—    procedural security measures intended to instruct day-to-day security activities, both routine and emergency, across an organization;
—    personnel security measures intended to ensure all personnel attending the facility are properly screened, instructed and trained in security awareness;
—    the monitoring of the security status of cannabis and cannabis products throughout the product lifecycle, from cultivation to retail sale, including transportation.
This document provides guidelines for:
—    the installation, maintenance and inspection of physical and electronic premises security and cybersecurity systems;
—    the implementation of information security governance at organizational level to include policies, procedures, and standards to protect the confidentiality, integrity and availability of records and information.
All requirements in this document are generic and intended to be applicable to all organizations in the cannabis supply chain, regardless of size and/or complexity.