IWA 37-2:2022

IWA 37-2:2022
Date: 2022-07-14
Deleted:
Secretariat: SCC
Deleted: ¶
Safety, security and sustainability of cannabis facilities and operations — Part 2:
¶
Requirements for the secure handling of cannabis and cannabis products
¶
Deleted:
Deleted:
Deleted: ¶
Page Break
¶
¶
¶
¶
¶

---------------------- Page: 1 ----------------------
IWA 37-2:2022(E)
© ISO [2022]
Deleted: PC245 Secretariat
Deleted: SAC (Standards Administration of China)¶
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no
part of this publication may be reproduced or utilized otherwise in any form or by any means,
electronic or mechanical, including photocopying, or posting on the internet or an intranet, without
prior written permission. Permission can be requested from either ISO at the address below or ISO's
member body in the country of the requester.
ISO Copyright Office
CP 401 • CH-1214 Vernier, Geneva
Phone: + 41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland.

---------------------- Page: 2 ----------------------
IWA 37-2:2022(E)
CONTENTS
Foreword . v Deleted: Introduction ¶
1 Scope ¶
Introduction . vi
2 Normative references ¶
1 Scope. 1
3 Terms and definitions ¶
4 Risk assessment ¶
2 Normative references . 2
4.1 General ¶
3 Terms and definitions . 3
4.2 Risk identification ¶
4 Risk assessment . 13 4.3 Risk analysis ¶
4.4 Risk evaluation ¶
4.1 General . 13
4.5 Risk treatment ¶
4.2 Risk identification . 13
4.6 Security risk assessment ¶
4.3 Risk analysis . 14 4.7 Selection of risk treatment options ¶
4.8 Risk acceptance ¶
4.4 Risk evaluation . 15
5 Physical and technical controls ¶
4.5 Risk treatment . 15
5.1 General ¶
5.2 Security risk assessment ¶
4.6 Security risk assessment . 15
5.3 Physical controls – Specific requirements ¶
4.7 Selection of risk treatment options . 17
5.4 Technical/electronic controls- Specific
4.8 Risk acceptance . 17
requirements ¶
5.5 Cybersecurity controls for operational
5 Physical and technical controls . 17
technology ¶
5.1 General . 17
6 Administrative controls - General ¶
6.1 General ¶
5.2 Security risk assessment (SRA) . 18
6.2 Traceability system ¶
5.3 Physical controls – Specific requirements . 20
6.3 Security management documentation system ¶
5.3.1 Outer physical barriers . 20
7 Requirements for specific activities ¶
7.1 Cultivation ¶
5.3.2 Cultivation areas . 20
7.2 Processing ¶
5.3.3 Doors/portals . 20
7.3 Storage/Distribution ¶
5.3.4 Areas of protection and/or secure storage areas . 20
7.4 Research/Testing Laboratory ¶
7.5 Retail/Dispensary ¶
5.3.5 Lighting . 20
7.6 Transportation ¶
5.3.6 Security film . 20
Annex A (informative) - Threat and risk assessment
5.4 Technical/electronic controls - Specific requirements . 21 checklist and instructions ¶
Annex B (informative) - Administrative controls and
5.4.1 General . 21
security policies minimum required content, if
5.4.2 Electronic security systems . 21
applicable. ¶
Annex C (informative) - Physical and
5.4.3 Installation, maintenance, and inspection of the electronic security systems . 21
Technical/Electronic Controls ¶
5.4.4 Intrusion detection systems . 21
5.4.5 Access control systems . 22
5.4.6 Video surveillance systems . 22
5.5 Cybersecurity controls for operational technology . 23
5.5.1 General . 23
5.5.2 Roles and responsibilities . 24
5.5.3 Cybersecurity risk assessment . 25
6 Administrative controls . 26
6.1 General . 26
6.1.1 Continual improvement cycle . 26
6.1.2 Administrative controls table . 26
6.1.3 Security management policy . 26
6.1.4 Implementation and operation . 27
6.1.5 Preparing and implementing risk treatment plans . 28
6.1.6 Competence training and awareness . 28
6.2 Traceability system . 29
6.2.1 General . 29
6.2.2 General design considerations . 30
6.2.3 Minimum requirements . 31
6.2.4 Verification/ mass balance / products reconciliation . 34
6.2.5 Monitoring . 34
6.2.6 Key performance indicators . 34
Deleted: © ISO 2022 – All rights reserved 3¶
© ISO 2022 – All rights reserved iii

---------------------- Page: 3 ----------------------
IWA 37-2:2022(E)
6.2.7 Audit scheduled . 34
6.2.8 Review. 35
6.3 Security management documentation . 35
6.3.1 General . 35
6.3.2 Document and data control . 35
6.3.3 Operational control . 36
6.3.4 Emergency response and security recovery . 37
7 Requirements for specific activities . 37
7.1 Cultivation . 37
7.1.1 Physical and technical/electronic controls for cultivation . 37
7.1.2 Administrative controls for cultivation security . 37
7.2 Processing . 40
7.2.1 Physical controls for processing . 40
7.2.2 Technical/Electronic controls for processing . 40
7.2.3 Administrative controls for processing . 40
7.3 Storage/distribution. 44
7.3.1 Physical and technical/electronic controls for storage/distribution . 44
7.3.2 Cybersecurity controls for storage/distribution . 44
7.3.3 Administrative controls for storage/distribution . 44
7.4 Research/Testing laboratory . 46
7.4.1 Physical controls for research/testing laboratory . 46
7.4.2 Technical/Electronic controls for research/testing laboratory . 47
7.4.3 Cybersecurity for research/testing laboratory . 48
7.4.4 Administrative controls for research/testing laboratory . 48
7.5 Retail/dispensary . 51
7.5.1 Physical controls for retail/dispensary . 51
7.5.2 Technical/electronic controls for retail/dispensary. 52
7.5.3 Cybersecurity controls for retail/dispensary . 54
7.5.4 Administrative controls for retail/dispensary . 54
7.6 Transportation . 55
7.6.1 Physical controls for transportation . 55
7.6.2 Technical controls for transportation . 57
7.6.3 Administrative controls for transportation . 58
Annex A (informative) Threat and risk assessment checklist and instructions . 60
Annex B (informative) Administrative controls and minimum required content of security
policy . 65
Annex C (informative) Physical and technical/electronic controls . 68
Bibliography . 72

Deleted: 4 © ISO 2022 – All rights reserved¶
iv © ISO 2022 – All rights reserved

---------------------- Page: 4 ----------------------
IWA 37-2:2022(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO
collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the Deleted:
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Deleted:
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any
patent rights identified during the development of the document will be in the Introduction and/or on the
ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
International Workshop Agreement IWA 37 was approved at a series of workshops hosted by the Deleted: 37-2 (ISO
Standards Council of Canada (SCC), in association with Underwriters Laboratories of Canada (ULC), held
Deleted:
virtually between December 2020 and June 2021.
Deleted: -2)
Deleted: developed and
A list of all parts in the IWA 37 series can be found on the ISO website.
Deleted: workshop
Deleted: partnership
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html. Deleted: UL
Deleted: Inc., conducted
Deleted: from
Deleted: to
Deleted:
Deleted: ¶
¶
Page Break
¶
Deleted: © ISO 2022 – All rights reserved 5¶
© ISO 2022 – All rights reserved v

---------------------- Page: 5 ----------------------
IWA 37-2:2022(E)
Introduction
While cannabis has been fully legalized in Canada and in many states in the USA, it is a new and emerging Deleted: IWA 37 provides principles, guidance and approaches
for the safety, security and sustainability of buildings, premises,
industry that is moving at a very fast pace in many other parts of the world. While legalization is being
equipment, and operations utilized for the cultivation,
deliberated by governments and legislative bodies, companies are creating their own infrastructure in
production, processing and sales of cannabis and cannabis
products. IWA 37 consists of three parts:¶
anticipation of legal approval. Meanwhile, government regulators and the societies they serve are
Part 1: Safety of cannabis buildings, equipment, and oil extraction
grappling with the lack of consistent rules and guidance to deliver safety, security and sustainability of
operations¶
cannabis facilities and operations, while growers and producers use their own judgment on how to
Part 2: Secure handling of cannabis and cannabis products¶
Part 3: Good production practices (GPP) guide for cannabis¶
establish and operate facilities.
Moved down [1]: The cannabis product and the industry will
It has become very clear that the global cannabis market is opening up very rapidly. The cannabis product
become more and more ubiquitous as the global barriers start to
lower and come down.
and the industry will become more and more ubiquitous as the global barriers start to lower and come
down. If the current trend continues, it is predicted that well over one third of the globe will accommodate
Deleted:
cannabis by 2024.
Moved down [2]: If the current trend continues, it is predicted
that well over one third of the globe will accommodate cannabis
What is unique about this new and emerging industry is that it is coming from an illicit status into
by 2024.
decriminalization and evolving into a legitimate burgeoning business. Due to its pioneering status, very
Deleted: ¶
little exists in terms of research, studies, historical experience and best practices. Standardization is
Whereas
likewise very slow on the uptake and the cannabis industry remains severely underserved.
Deleted: ensure the
Deleted: these
There are therefore distinct challenges for the safety, security and sustainability of cannabis facilities and
operations, which the IWA 37 series seeks to address as follows:
Moved (insertion) [1]
Moved (insertion) [2]
— Part 1: Requirements for the safety of cannabis buildings, equipment and oil extraction operations;
Deleted: we are offered
— Part 2 (this document): Requirements for the secure handling of cannabis and cannabis products;
Deleted: ,
Deleted: in
— Part 3: Good production practices (GPP).
Deleted: ,
Deleted:
In addition to the requirements for facilities specified in this document, statutory and regulatory
requirements and codes can apply. Deleted: All of these provide
Deleted: premises,
Supporting material to accompany the IWA 37 series is available at the following website: IWA 37 — Safety,
Deleted: ,
security and sustainability of cannabis facilities and operations.
Deleted: .
A list of workshop participants is available from the Standards Council of Canada (SCC).
Deleted: It is expected that the facilities covered by this
document will additionally need to comply with local and country
legislation, regulations, and/or codes. ¶
This document includes both Normative (mandatory) and
Informative (non-mandatory) reference publications. Where
product and installation standards are identified within this
document, they should be considered in full, in part, or in
conjunction with good security practices. ¶
Users of this document should be aware that while every effort
has been made to accurately state the appropriate product and
installation standards, where applicable, this does not
automatically constitute acceptance by an overseeing entity
responsible for the enforcement of local codes, acts, regulations,
or other governing documents that may supersede this
publication. ¶
...
Deleted: 6 © ISO 2022 – All rights reserved¶
vi © ISO 2022 – All rights reserved

---------------------- Page: 6 ----------------------
Deleted: IWA 37-2:2022¶
International Workshop Agreement IWA 37-2:2022(E)

Safety, security and sustainability of cannabis facilities and
operations — Part 2: Requirements for the secure handling of
cannabis and cannabis products
1 Scope
This document specifies minimum requirements for the security of sites and facilities that handle Deleted: provides
cannabis and cannabis products for the purposes of cultivation (indoor and outdoor), processing,
storage/distribution, transportation, retail sales, and research and testing, in order to prevent Deleted: as well as
harm and/or unauthorized access to assets including (but not limited to):
Deleted: .
— physical assets;
— personnel;
— cannabis and cannabis products;
— records and information.
NOTE Premises covered in this document include indoor and outdoor cultivation, processing/production
Deleted:
facilities and retail stores.
Deleted: and facilities
Deleted: /
The overall security programme and individual security measures addressed in this document
Deleted: ,
incorporate three types:
Deleted: The intent of maintaining security of sites and facilities
a) physical controls;
is to prevent harm and/or unauthorized access to assets
including but not limited to:¶
Physical assets;¶
b) technical controls;
Personnel;¶
Cannabis and cannabis products; and¶
Records and information.¶
c) administrative controls.
Deleted: program
This document specifies minimum requirements for general security of cannabis and cannabis
Deleted: Physical
products, up to and including:
Deleted: Technical
— physical security design/measures intended to deny, deter, delay, respond to, and recover
Deleted: and
from unauthorized access;
Deleted: Administrative
Deleted: provides
— design, installation and maintenance of electronic security systems intended to restrict access,
Deleted:
detect intrusion and visually monitor/record activity in security-sensitive areas;
— procedural security measures intended to instruct day-to-day security activities, both routine
Deleted: the enterprise
and emergency, across an organization;
— personnel security measures intended to ensure all personnel attending the facility are
properly screened, instructed and trained in security awareness; Deleted: and
Deleted:
© ISO 2022 – All rights reserved 1

---------------------- Page: 7 ----------------------
IWA 37-2:2022(E)
— the monitoring of the security status of cannabis and cannabis products throughout the
product lifecycle, from cultivation to retail sale, including transportation. Deleted: life cycle
Deleted:
This document provides guidelines for:
— the installation, maintenance and inspection of physical and electronic premises security and
Deleted: and
cybersecurity systems;
— the implementation of information security governance at organizational level to include Deleted: the organisational
policies, procedures, and standards to protect the confidentiality, integrity and availability of
records and information.
All requirements in this document are generic and intended to be applicable to all organizations in Deleted: ¶
the cannabis supply chain, regardless of size and/or complexity.
2 Normative references
The following documents are referred to in the text in such a way that some, or all, of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
Moved down [3]: ASTM D8205, Standard Guide for Video
IWA 37-1, Safety, security and sustainability of cannabis facilities and operations — Part 1:
Surveillance System¶
Requirements for the safety of cannabis buildings, equipment and oil extraction operations
ASTM D8218, Standard Guide for Intrusion Detection System (IDS)¶
Deleted: AENOR UNE-EN 1143-1, Secure storage units –
ISO 22005, Traceability in the feed and food chain — General principles and basic requirements for
Requirements, classification and methods of test for resistance to
system design and implementation
burglary – Part 1: Safes, ATM safes, strongroom doors and
strongrooms¶
BSI BS EN 50518, Monitoring and Alarm Receiving Centre¶
IEC 60839-11-1:2013, Alarm and electronic security systems — Part 11-1: Electronic access control
Deleted:
systems – System and components requirements
Deleted: -
IEC 60839-11-2, Alarm and electronic security systems — Part 11-2: Electronic access control
Deleted: , Standard for alarm
systems – Application guidelines
Deleted: –
Deleted:
IEC 62368-1, Audio/video, information and communication technology equipment — Part 1: Safety
Deleted: -
requirements
Deleted: Standard for alarm
IEC 62676-4, Video Surveillance Systems for Use in Security Applications — Part 4: Application
Deleted: –
Guidelines
Deleted:
Deleted: -
ANSI/UL 681, Standard for Safety Installation and Classification of Burglar and Holdup Alarm
Deleted: –
Systems
Deleted: 62443 series, Security for industrial automation and
control systems¶
ANSI/UL 687, Standard for Safety Burglary-Resistant Safes
IEC
Deleted: -
ANSI/UL 827, Standard for Safety Central-Station Alarm Services
Deleted: –
ASTM D8205, Standard Guide for Video Surveillance System Moved (insertion) [4]
Moved (insertion) [3]
ASTM D8218, Standard Guide for Intrusion Detection System (IDS)
CAN/ULC-S301:2018, Standard for Signal Receiving Centres Configurations and Operations
CAN/ULC-S302, Standard for the Installation, Inspection and Testing of Intrusion Alarm Systems
Deleted:
2 © ISO 2022 – All rights reserved

---------------------- Page: 8 ----------------------
IWA 37-2:2022(E)
EN 1143-1, Secure storage units — Requirements, classification and methods of test for resistance to
Moved up [4]: ANSI/UL 827, Standard for Safety Central-
burglary — Part 1: Safes, ATM safes, strongroom doors and strongrooms
Station Alarm Services¶
Deleted: given in ISO/IEC Guide 2 and the following
EN 50518, Monitoring and alarm receiving centre
Deleted:
Deleted: …ISO Online browsing platform: available at
UL 972, Standard for Safety Burglary Resisting Glazing Material
https://www.iso.org/obp
...
Deleted: …IEC Electropedia: available at
https://www.electropedia.org/
...
3 Terms and definitions
Deleted:
Moved down [5]: duress alarm¶
For the purposes of this document, the following terms and definitions apply.
silent alarm signal generated by the manual entry of a designated
code at the system keypad in the event that the user needs
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
assistance, such as when being forced to disarm the burglar
alarm system against the user’s will to enter the premises¶
— ISO Online browsing platform: available at https://www.iso.org/obp
Note 1 to entry: A duress alarm can also be referred to as an
ambush alarm
...

INTERNATIONAL IWA
WORKSHOP 37-2
AGREEMENT
First edition
Safety, security and sustainability of
cannabis facilities and operations —
Part 2:
Requirements for the secure handling
of cannabis and cannabis products
PROOF/ÉPREUVE
Reference number
IWA 37-2:2022(E)
© ISO 2022

---------------------- Page: 1 ----------------------
IWA 37-2:2022(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
PROOF/ÉPREUVE © ISO 2022 – All rights reserved

---------------------- Page: 2 ----------------------
IWA 37-2:2022(E)
Contents Page
Foreword .v
Introduction . vi
1 Scope . 1
2 Normative references . 2
3 Terms and definitions . 2
4 Risk assessment .11
4.1 General . 11
4.2 Risk identification. 12
4.3 Risk analysis .12
4.4 Risk evaluation .13
4.5 Risk treatment . 13
4.6 Security risk assessment .13
4.7 Selection of risk treatment options . 14
4.8 Risk acceptance . . .15
5 Physical and technical controls .15
5.1 General . 15
5.2 Security risk assessment (SRA) . . 16
5.3 Physical controls – Specific requirements . 17
5.3.1 Outer physical barriers . . . 17
5.3.2 Cultivation areas . 17
5.3.3 Doors/portals . 17
5.3.4 Areas of protection and/or secure storage areas . 18
5.3.5 Lighting . 18
5.3.6 Security film . 18
5.4 Technical/electronic controls - Specific requirements . 18
5.4.1 General . 18
5.4.2 Electronic security systems . 18
5.4.3 Installation, maintenance, and inspection of the electronic security systems . 18
5.4.4 Intrusion detection systems . 18
5.4.5 Access control systems . 19
5.4.6 Video surveillance systems . 19
5.5 Cybersecurity controls for operational technology . 20
5.5.1 General .20
5.5.2 Roles and responsibilities . 21
5.5.3 Cybersecurity risk assessment . 22
6 Administrative controls .23
6.1 General .23
6.1.1 Continual improvement cycle . 23
6.1.2 Administrative controls table . 23
6.1.3 Security management policy . 23
6.1.4 Implementation and operation . 24
6.1.5 Preparing and implementing risk treatment plans . 25
6.1.6 Competence training and awareness . 25
6.2 Traceability system . 25
6.2.1 General . 25
6.2.2 General design considerations . 27
6.2.3 Minimum requirements .28
6.2.4 Verification/ mass balance / products reconciliation . 31
6.2.5 Monitoring . 31
6.2.6 Key performance indicators . 31
6.2.7 Audit scheduled . 31
6.2.8 Review . 31
iii
© ISO 2022 – All rights reserved PROOF/ÉPREUVE

---------------------- Page: 3 ----------------------
IWA 37-2:2022(E)
6.3 Security management documentation . 31
6.3.1 General . 31
6.3.2 Document and data control . 32
6.3.3 Operational control . 32
6.3.4 Emergency response and security recovery . 33
7 Requirements for specific activities .33
7.1 Cultivation . 33
7.1.1 Physical and technical/electronic controls for cultivation .33
7.1.2 Administrative controls for cultivation security . 33
7.2 Processing . 36
7.2.1 Physical controls for processing .36
7.2.2 Technical/Electronic controls for processing .36
7.2.3 Administrative controls for processing .36
7.3 Storage/distribution .40
7.3.1 Physical and technical/electronic controls for storage/distribution .40
7.3.2 Cybersecurity controls for storage/distribution .40
7.3.3 Administrative controls for storage/distribution .40
7.4 Research/Testing laboratory . 41
7.4.1 Physical controls for research/testing laboratory. 41
7.4.2 Technical/Electronic controls for research/testing laboratory . 42
7.4.3 Cybersecurity for research/testing laboratory . 43
7.4.4 Administrative controls for research/testing laboratory .44
7.5 Retail/dispensary .46
7.5.1 Physical controls for retail/dispensary .46
7.5.2 Technical/electronic controls for retail/dispensary . 47
7.5.3 Cybersecurity controls for retail/dispensary .49
7.5.4 Administrative controls for retail/dispensary .49
7.6 Transportation .50
7.6.1 Physical controls for transportation .50
7.6.2 Technical controls for transportation . 52
7.6.3 Administrative controls for transportation . 52
Annex A (informative) Threat and risk assessment checklist and instructions .54
Annex B (informative) Administrative controls and minimum required content of security
policy .59
Annex C (informative) Physical and technical/electronic controls .62
Bibliography .64
iv
PROOF/ÉPREUVE © ISO 2022 – All rights reserved

---------------------- Page: 4 ----------------------
IWA 37-2:2022(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
International Workshop Agreement IWA 37 was approved at a series of workshops hosted by the
Standards Council of Canada (SCC), in association with Underwriters Laboratories of Canada (ULC),
held virtually between December 2020 and June 2021.
A list of all parts in the IWA 37 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
v
© ISO 2022 – All rights reserved PROOF/ÉPREUVE

---------------------- Page: 5 ----------------------
IWA 37-2:2022(E)
Introduction
While cannabis has been fully legalized in Canada and in many states in the USA, it is a new and emerging
industry that is moving at a very fast pace in many other parts of the world. While legalization is being
deliberated by governments and legislative bodies, companies are creating their own infrastructure
in anticipation of legal approval. Meanwhile, government regulators and the societies they serve are
grappling with the lack of consistent rules and guidance to deliver safety, security and sustainability
of cannabis facilities and operations, while growers and producers use their own judgment on how to
establish and operate facilities.
It has become very clear that the global cannabis market is opening up very rapidly. The cannabis
product and the industry will become more and more ubiquitous as the global barriers start to lower
and come down. If the current trend continues, it is predicted that well over one third of the globe will
accommodate cannabis by 2024.
What is unique about this new and emerging industry is that it is coming from an illicit status into
decriminalization and evolving into a legitimate burgeoning business. Due to its pioneering status, very
little exists in terms of research, studies, historical experience and best practices. Standardization is
likewise very slow on the uptake and the cannabis industry remains severely underserved.
There are therefore distinct challenges for the safety, security and sustainability of cannabis facilities
and operations, which the IWA 37 series seeks to address as follows:
— Part 1: Requirements for the safety of cannabis buildings, equipment and oil extraction operations;
— Part 2 (this document): Requirements for the secure handling of cannabis and cannabis products;
— Part 3: Good production practices (GPP).
In addition to the requirements for facilities specified in this document, statutory and regulatory
requirements and codes can apply.
Supporting material to accompany the IWA 37 series is available at the following website:
IWA 37 — Safety, security and sustainability of cannabis facilities and operations.
A list of workshop participants is available from the Standards Council of Canada (SCC).
vi
PROOF/ÉPREUVE © ISO 2022 – All rights reserved

---------------------- Page: 6 ----------------------
International Workshop Agreement IWA 37-2:2022(E)
Safety, security and sustainability of cannabis facilities and
operations —
Part 2:
Requirements for the secure handling of cannabis and
cannabis products
1 Scope
This document specifies minimum requirements for the security of sites and facilities that handle
cannabis and cannabis products for the purposes of cultivation (indoor and outdoor), processing,
storage/distribution, transportation, retail sales, and research and testing, in order to prevent harm
and/or unauthorized access to assets including (but not limited to):
— physical assets;
— personnel;
— cannabis and cannabis products;
— records and information.
NOTE Premises covered in this document include indoor and outdoor cultivation, processing/production
facilities and retail stores.
The overall security programme and individual security measures addressed in this document
incorporate three types:
a) physical controls;
b) technical controls;
c) administrative controls.
This document specifies minimum requirements for general security of cannabis and cannabis
products, up to and including:
— physical security design/measures intended to deny, deter, delay, respond to, and recover from
unauthorized access;
— design, installation and maintenance of electronic security systems intended to restrict access,
detect intrusion and visually monitor/record activity in security-sensitive areas;
— procedural security measures intended to instruct day-to-day security activities, both routine and
emergency, across an organization;
— personnel security measures intended to ensure all personnel attending the facility are properly
screened, instructed and trained in security awareness;
— the monitoring of the security status of cannabis and cannabis products throughout the product
lifecycle, from cultivation to retail sale, including transportation.
This document provides guidelines for:
— the installation, maintenance and inspection of physical and electronic premises security and
cybersecurity systems;
1
© ISO 2022 – All rights reserved PROOF/ÉPREUVE

---------------------- Page: 7 ----------------------
IWA 37-2:2022(E)
— the implementation of information security governance at organizational level to include policies,
procedures, and standards to protect the confidentiality, integrity and availability of records and
information.
All requirements in this document are generic and intended to be applicable to all organizations in the
cannabis supply chain, regardless of size and/or complexity.
2 Normative references
The following documents are referred to in the text in such a way that some, or all, of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
IWA 37-1, Safety, security and sustainability of cannabis facilities and operations — Part 1: Requirements
for the safety of cannabis buildings, equipment and oil extraction operations
ISO 22005, Traceability in the feed and food chain — General principles and basic requirements for system
design and implementation
IEC 60839-11-1:2013, Alarm and electronic security systems — Part 11-1: Electronic access control systems
– System and components requirements
IEC 60839-11-2, Alarm and electronic security systems — Part 11-2: Electronic access control systems –
Application guidelines
IEC 62368-1, Audio/video, information and communication technology equipment — Part 1: Safety
requirements
IEC 62676-4, Video Surveillance Systems for Use in Security Applications — Part 4: Application Guidelines
ANSI/UL 681, Standard for Safety Installation and Classification of Burglar and Holdup Alarm Systems
ANSI/UL 687, Standard for Safety Burglary-Resistant Safes
ANSI/UL 827, Standard for Safety Central-Station Alarm Services
ASTM D8205, Standard Guide for Video Surveillance System
ASTM D8218, Standard Guide for Intrusion Detection System (IDS)
CAN/ULC -S301: 2018, Standard for Signal Receiving Centres Configurations and Operations
CAN/ULC-S302, Standard for the Installation, Inspection and Testing of Intrusion Alarm Systems
EN 1143-1, Secure storage units — Requirements, classification and methods of test for resistance to
burglary — Part 1: Safes, ATM safes, strongroom doors and strongrooms
EN 50518, Monitoring and alarm receiving centre
UL 972, Standard for Safety Burglary Resisting Glazing Material
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
2
PROOF/ÉPREUVE © ISO 2022 – All rights reserved

---------------------- Page: 8 ----------------------
IWA 37-2:2022(E)
3.1
access control system
system designed to grant to authorized persons, or entities, entry to and/or exit from a security
controlled area (3.15) and deny such entry and/or exit to non-authorized individuals, or entities
[SOURCE: IEC 60839-11-1:2013, 3.63, modified – Second preferred term “electronic access control
system” and Note 1 to entry have been deleted.]
3.2
authority having jurisdiction
AHJ
organization (3.35), office, or individual responsible for enforcing the requirements (3.44) of a code or
standard, or for approving equipment, materials, an installation, or a procedure
Note 1 to entry: Note to entry: Also referred to as “competent authority”.
[SOURCE: ISO 7076-5:2014, 3.4, modified – Note 1 to entry has been added.]
3.3
cannabis
genus of flowering plants made up of many different phytocannabinoids and chemical compounds
Note 1 to entry: Research into cannabis by governing bodies and organizations (3.35) is ongoing around the
world, and drug classifications are constantly under review. Regulation of cannabis legalization frameworks can
vary between jurisdictions, based on the levels of tetrahydrocannabinol (THC) available in the plant.
3.4
cannabis derivative
secondary product (3.42) that can be extracted or obtained from a cannabis (3.3) biomass
Note 1 to entry: Classification of synthetically derived cannabinoids can vary between jurisdictions.
3.5
cannabis edible
food (3.24) which includes cannabis (3.3) or cannabis derivative (3.4) as an ingredient
Note 1 to entry: Dried cannabis, fresh cannabis, cannabis plants or cannabis plant seeds are not in themselves
considered food.
3.6
cannabis product
packaged goods containing cannabis (3.3) or cannabis derivative (3.4), available in multiple formats for
commercial and/or retail distribution
3.7
cannabis waste
solid, liquid or gaseous material that is a cannabis product (3.6), contains cannabis (3.3) or has come
into contact with cannabis, destined for disposal and not intended for sale or for use in any way other
than for agronomic purposes such as compost
Note 1 to entry: Definitions of cannabis waste can vary between jurisdictions. For example, in a jurisdiction that
sets a specific tetrahydrocannabinol (THC) threshold to define cannabis waste at a specific concentration of THC
(e.g. 10 μg/g), waste that has a concentration below that threshold is not considered to be cannabis waste.
3.8
chain of custody
process (3.41) by which inputs and outputs and associated information are transferred, monitored and
controlled as they move through each step in the relevant supply chain
[SOURCE: ISO 22095:2020, 3.1.1]
3
© ISO 2022 – All rights reserved PROOF/ÉPREUVE

---------------------- Page: 9 ----------------------
IWA 37-2:2022(E)
3.9
competence
ability to apply knowledge and skills to achieve intended results
[SOURCE: ISO 22000:2018, 3.4]
3.10
complete protection
electronic protection of any point at which entry can be gained without cutting or tearing down any
part of the premises structure, in order to detect entry through it, in addition to the detection of the
physical removal of any moveable or removable portion of the closure over the opening
3.11
conformity
fulfilment of a requirement (3.44)
[SOURCE: ISO 22000:2018, 3.5]
3.12
contamination
introduction or occurrence of a contaminant including a safety hazard (3.48) in a product (3.42) or
processing environment
[SOURCE: ISO 22000:2018, 3.6]
3.13
continual improvement
recurring activity to enhance performance (3.37)
[SOURCE: ISO 22000:2018, 3.7]
3.14
control measure
action or activity that is esse
...