Author: Mark Bezzina
Medicinal cannabis is regulated as a Schedule 8 controlled drug in Australia, placing it under heightened scrutiny from multiple regulators. Security compliance is not an operational afterthought; it is a core requirement for licensing, ongoing approvals and audits. From cultivation through to manufacturing and distribution, organisations must demonstrate that diversion risks are understood, managed and documented. Failure to do so can delay licensing, trigger audit findings, or result in suspension of approvals. For cannabis operators, security is inseparable from the ability to operate and scale legally.
Why Medicinal Cannabis Is Regulated as a High-Security Product
Medicinal cannabis presents a unique risk profile compared to other regulated products. The combination of high-value stock, controlled drug scheduling, and public health implications elevates regulatory expectations regarding physical, procedural, and personnel security.
Diversion is a primary concern for regulators. Product loss, theft or unauthorised access has downstream impacts on patient safety, illicit markets and public confidence in the regulatory framework. As a result, cannabis facilities are expected to implement security controls that exceed those for standard commercial premises.
Regulators also recognise that medicinal cannabis operations often involve complex supply chains, multiple licence types and varying levels of maturity across organisations. Security controls must therefore be tailored, documented and demonstrably effective, rather than generic or vendor-driven. This is why formal risk assessments and management plans sit at the centre of compliance.
The Core Standards and Guidelines You Must Comply With
Security compliance in medicinal cannabis is best understood as three interlocking layers: how risk is managed, what regulators require, and where controls must be applied.
Risk Management (“How”)
Australian regulators expect medicinal cannabis operators to follow recognised risk management frameworks. AS/NZS ISO 31000:2018 provides the overarching structure for identifying, analysing and treating risks, while HB 167:2006 offers practical guidance on security risk management. Together, these standards underpin Security Risk Assessments (SRAs) and Security Risk Management Plans (SRMPs), ensuring controls are proportionate, evidence-based and defensible.
Federal Requirements (“What”)
At the federal level, the Office of Drug Control (ODC) sets specific expectations for the security of medicinal cannabis. These guidelines define minimum requirements for access control, monitoring, storage and response arrangements. Therapeutic Goods Orders, including TGO 93, also influence how facilities manage product integrity and traceability, particularly for GMP environments.
State and Facility Requirements (“Where”)
State health departments impose additional requirements that vary by jurisdiction, particularly around facility approvals and operational oversight. These must be reconciled with PIC/S GMP expectations for manufacturing sites and wholesaling codes for distribution operations. The challenge for operators is ensuring alignment across all applicable frameworks without creating gaps or contradictions.
What Regulators Expect During Licensing and Audits
During licensing and compliance audits, regulators look for clear evidence that security risks have been properly assessed and managed. SRAs and SRMPs are not optional documents; they are mandatory artefacts that must reflect the actual facility design, operations and threat environment.
Auditors expect to see documented diversion-prevention measures, traceable decision-making, and alignment with recognised standards. This includes clear procedures, training records, access controls and incident response arrangements. Importantly, regulators assess whether security controls are actively managed, reviewed and improved over time, rather than treated as static paperwork exercises.
Business Benefits of Getting Security Right
Strong security compliance delivers benefits beyond regulatory approval. Well-designed controls protect high-value assets, reduce operational disruptions and support insurance and investor confidence. For growing operators, robust security frameworks also enable expansion into new facilities, licence types or export markets without repeated rework.
Regulator trust is another critical advantage. Organisations that demonstrate mature security governance are better positioned during audits, variations and inspections. Over time, this credibility supports smoother regulatory engagement and fewer operational surprises.
Common Compliance Gaps Cannabis Operators Face
Many compliance issues arise not from a lack of effort, but from misinterpretation of requirements. Common gaps include incomplete or template-based SRAs, security designs led by vendors rather than risk analysis, and poor documentation linking controls back to identified risks.
Other issues include failing to reconcile federal and state requirements, outdated plans that no longer reflect operations, and insufficient audit trails. These gaps often surface during licensing reviews or TGA inspections, when remediation timelines are tight and costly.
How Agilient Supports Compliance End-to-End
Agilient works with medicinal cannabis operators across cultivation, manufacturing and distribution to deliver regulator-ready security frameworks. This includes conducting formal SRAs and developing SRMPs aligned to ISO 31000, ODC guidance and relevant state and GMP requirements.
Agilient’s approach focuses on clear interpretation of overlapping standards, practical control design and defensible documentation. Services also include gap analysis, audit preparation support and ongoing advisory as facilities evolve. With experience supporting regulated industries, Agilient helps clients move through licensing and audits with confidence.
Conclusion: Compliance That Protects Product and Growth
Security compliance in medicinal cannabis is about more than meeting minimum rules. It protects product integrity, supports regulator confidence and enables sustainable growth. By addressing security early and grounding decisions in recognised standards, operators can reduce risk, avoid delays and focus on building compliant, resilient operations.
FAQs
Which security standards apply to medicinal cannabis in Australia?
Operators must align with ISO 31000 risk management principles, ODC security guidelines, relevant state health requirements and PIC/S GMP standards where applicable.
Do all cannabis facilities need an SRA and SRMP?
Yes. Regulators expect formal risk assessments and management plans for all licensed activities involving medicinal cannabis.
How do ODC and state rules differ?
ODC requirements apply nationally, while state health departments impose additional, location-specific conditions that must be addressed together.
What is diversion prevention in practice?
It includes access control, monitoring, inventory management, procedures and incident response, all designed to prevent unauthorised access or loss.
When should security planning start for a new facility?
Security planning should begin during site selection and design, well before licence submission.
What happens if you fail a TGA audit?
Audit findings can lead to corrective actions, delays, increased scrutiny, or, in serious cases, the suspension of approvals.
