Developing a security plan for controlled goods

Registrants in the Controlled Goods Program must develop a security plan for every work site where controlled goods are examined, possessed or transferred.

What is in a security plan

The security plan must include the following information:

How to develop a security plan

The following steps are best practices designed to help you develop a security plan:

Step 1: Prepare a plan

Note: For the purpose of this step, “person” refers to an individual, a partnership or other business enterprises.

This is a guide to preparing your own security plan only, and should not be used as a template. Your plan should:

For more information on preparing a security plan:

Complete the following information for each site where you keep controlled goods:

Person’s name and site address

Responsibilities of the security organization

The responsibilities of the individuals listed above are as follows:

Procedures to monitor controlled goods

A brief statement outlining the registrant’s involvement with controlled goods, for example, “this company manufactures unpiloted air vehicles for the Department of National Defence and the Canadian Forces.”

In order to control the examination, possession and transfer of controlled goods and controlled technical data at (insert registered person's name), the following procedures have been implemented:


Officers, directors, employees, temporary workers, international students and visitors need to be reminded of the importance not to discuss controlled goods matters with employees or other individuals who have not been the subject of a security assessment, as the discussion is considered a transfer of information.

Information technology: Remote access

In order to control and protect controlled goods information, a minimum standard of information technology (IT) security must be exercised. The most accepted practices involve the use of a wide area network (WAN) dedicated to the company or a VPN, which allows secure access to corporate resources by establishing an encrypted tunnel across the Internet.

If a company permits remote access to controlled goods information by its personnel or another entity, which is registered/exempt from registration in the Controlled Goods Program, it should consider the following:

In order to minimize the risk of unauthorized examination, possession or transfer of controlled goods or controlled technical data via remote access, the following procedures are to be followed:

Breaches: Investigating and reporting

Security breaches are categorized as the unauthorized examination, possession or transfer of controlled goods. Examples of security breaches are: loss, willful damage, tampering and computer hacking or cyber attack. As a condition of registration under the Controlled Goods Regulations (insert registered person's name) must:

Download the security breach report form
Submit the security breach report form
More information


In order to maintain the person's awareness of controlled goods and/or controlled technical data, the officers, directors, employees, temporary workers and international students will be required to:

Security briefings

Visitors who have not received an exemption from the Controlled Goods Program will be informed that they will not be allowed to examine, possess or transfer controlled goods in the course of their visit.

Visitors who have received an exemption from the program will be reminded through (insert information that identifies the means of communication used by the registered person and list person's security issues, such as a confidentiality clause.)

Step 2: Responsibility of the plan

The registered person is responsible for establishing, implementing and maintaining the security plan.

Step 3: Reviewing and approval

The reviewing and approval of the security plan is the registered person's responsibility.

Step 4: Implementation

Establish target dates and put the plan into action. Make security both proactive and reactive. Officers, directors, employees, temporary workers, international students and visitors should only examine, possess or transfer controlled goods when it is necessary in order to perform their duties.

Step 5: Monitoring

Monitor the progress of implementing and reassessing the plan as needed. Look for opportunities to improve the plan and securities, especially if upgrading systems and software and expanding the capabilities of the local area network and/or the data risk changes. The process is ongoing and the registered person needs to continually reassess the situation as the internal and external environment changes.

It is important that the registered person works closely with technical staff and provides guidance to them, when necessary, to ensure the completion of the security plan.

More information

Date modified: