Security Management of Radioactive Material in Use and Storage and of Associated Facilities

@
IAEA Nuclear Security Series No. 43-T
Technical Guidance
Security Management
of Radioactive Material
in Use and Storage
and of Associated Facilities
INTERNATIONAL ATOMIC ENERGY AGENCY
VIENNA
This publication provides guidance to States,
competent authorities and operators on the security
management for radioactive material in use and
storage and of associated facilities, including the
establishment and implementation of policies,
plans, procedures and processes to ensure that
the security systems is effective, reliably operated
and maintained. This technical guidance sets forth
security management as an essential tool to verify
that personnel, procedures and equipment operate
interdependently and in an integrated manner; as well
as to assist leadership and personnel responsible for
security to demonstrate high commitment towards
promoting a robust nuclear security culture. This
publication is also intended to assist regulatory
bodies in establishing regulations and guidance
on security management measures and to assist
operators in meeting these regulatory requirements.
IAEA
Nuclear
Security
Series
No.
43-T
Security
Management
of
Radioactive
Material
in
Use
and
Storage
and
of
Associated
Facilities

IAEA NUCLEAR SECURITY SERIES
Nuclear security issues relating to the prevention and detection of, and response
to, criminal or intentional unauthorized acts involving, or directed at, nuclear material,
other radioactive material, associated facilities or associated activities are addressed in the
IAEA Nuclear Security Series. These publications are consistent with, and complement,
international nuclear security instruments, such as the Convention on the Physical Protection
of Nuclear Material and its Amendment, the International Convention for the Suppression of
Acts of Nuclear Terrorism, United Nations Security Council resolutions 1373 and 1540, and
the Code of Conduct on the Safety and Security of Radioactive Sources.
CATEGORIES IN THE IAEA NUCLEAR SECURITY SERIES
Publications in the IAEA Nuclear Security Series are issued in the following categories:
●
Nuclear Security Fundamentals specify the objective of a State’s nuclear security
regime and the essential elements of such a regime. They provide the basis for the
Nuclear Security Recommendations.
●
Nuclear Security Recommendations set out measures that States should take to
achieve and maintain an effective national nuclear security regime consistent with the
Nuclear Security Fundamentals.
● Implementing Guides provide guidance on the means by which States could implement
the measures set out in the Nuclear Security Recommendations. As such, they focus on
how to meet the recommendations relating to broad areas of nuclear security.
● Technical Guidance provides guidance on specific technical subjects to supplement the
guidance set out in the Implementing Guides. They focus on details of how to implement
the necessary measures.
DRAFTING AND REVIEW
The preparation and review of Nuclear Security Series publications involves the IAEA
Secretariat, experts from Member States (who assist the Secretariat in drafting the publications)
and the Nuclear Security Guidance Committee (NSGC), which reviews and approves draft
publications. Where appropriate, open-ended technical meetings are also held during drafting
to provide an opportunity for specialists from Member States and relevant international
organizations to review and discuss the draft text. In addition, to ensure a high level of
international review and consensus, the Secretariat submits the draft texts to all Member States
for a period of 120 days for formal review.
For each publication, the Secretariat prepares the following, which the NSGC approves
at successive stages in the preparation and review process:
●
An outline and work plan describing the intended new or revised publication, its
intended purpose, scope and content;
●
A draft publication for submission to Member States for comment during the 120 day
consultation period;
●
A final draft publication taking account of Member States’ comments.
The process for drafting and reviewing publications in the IAEA Nuclear Security
Series takes account of confidentiality considerations and recognizes that nuclear security is
inseparably linked with general and specific national security concerns.
An underlying consideration is that related IAEA safety standards and safeguards
activities should be taken into account in the technical content of the publications. In particular,
Nuclear Security Series publications addressing areas in which there are interfaces with safety
— known as interface documents — are reviewed at each of the stages set out above by
relevant Safety Standards Committees as well as by the NSGC.
RELATED PUBLICATIONS
www.iaea.org/publications
OBJECTIVE AND ESSENTIAL ELEMENTS OF A STATE’S NUCLEAR
SECURITY REGIME
IAEA Nuclear Security Series No. 20
STI/PUB/1590 (15 pp.; 2013)
ISBN 978-92-0-137810-1 Price: €20.00
NUCLEAR SECURITY RECOMMENDATIONS ON RADIOACTIVE
MATERIAL AND ASSOCIATED FACILITIES
IAEA Nuclear Security Series No. 14
STI/PUB/1487 (27 pp.; 2011)
ISBN 978-92-0-112110-3 Price: €22.00
SECURITY OF RADIOACTIVE MATERIAL IN USE AND STORAGE AND
OF ASSOCIATED FACILITIES
IAEA Nuclear Security Series No. 11‑G (Rev. 1)
STI/PUB/1840 (105 pp.; 2019)
ISBN 978-92-0-110018-4 Price: €50.00
PREVENTIVE AND PROTECTIVE MEASURES AGAINST INSIDER
THREATS
IAEA Nuclear Security Series No. 8-G (Rev. 1)
STI/PUB/1858 (37 pp.; 2020)
ISBN 978-92-0-103419-9 Price: €24.00
SECURITY OF RADIOACTIVE MATERIAL IN TRANSPORT
STI/PUB/1872 (102 pp.; 2020)
ISBN 978-92-0-105119-6 Price: €42.00
NATIONAL NUCLEAR SECURITY THREAT ASSESSMENT, DESIGN
BASIS THREATS AND REPRESENTATIVE THREAT STATEMENTS
STI/PUB/1926 (39 pp.; 2021)
ISBN 978-92-0-131020-0 Price: €31.00
ENHANCING NUCLEAR SECURITY CULTURE IN ORGANIZATIONS
ASSOCIATED WITH NUCLEAR AND OTHER RADIOACTIVE MATERIAL
IAEA Nuclear Security Series No. 38-T
STI/PUB/1874
ISBN 978-92-0-105319-0 (206 pp.; 2021) Price: €69.00
Atoms for Peace

SECURITY MANAGEMENT
OF RADIOACTIVE MATERIAL
IN USE AND STORAGE
AND OF ASSOCIATED FACILITIES

AFGHANISTAN
ALBANIA
ALGERIA
ANGOLA
ANTIGUA AND BARBUDA
ARGENTINA
ARMENIA
AUSTRALIA
AUSTRIA
AZERBAIJAN
BAHAMAS
BAHRAIN
BANGLADESH
BARBADOS
BELARUS
BELGIUM
BELIZE
BENIN
BOLIVIA, PLURINATIONAL
STATE OF
BOSNIA AND HERZEGOVINA
BOTSWANA
BRAZIL
BRUNEI DARUSSALAM
BULGARIA
BURKINA FASO
BURUNDI
CAMBODIA
CAMEROON
CANADA
CENTRAL AFRICAN
REPUBLIC
CHAD
CHILE
CHINA
COLOMBIA
COMOROS
CONGO
COSTA RICA
CÔTE D’IVOIRE
CROATIA
CUBA
CYPRUS
CZECH REPUBLIC
DEMOCRATIC REPUBLIC
OF THE CONGO
DENMARK
DJIBOUTI
DOMINICA
DOMINICAN REPUBLIC
ECUADOR
EGYPT
EL SALVADOR
ERITREA
ESTONIA
ESWATINI
ETHIOPIA
FIJI
FINLAND
FRANCE
GABON
GEORGIA
GERMANY
GHANA
GREECE
GRENADA
GUATEMALA
GUYANA
HAITI
HOLY SEE
HONDURAS
HUNGARY
ICELAND
INDIA
INDONESIA
IRAN, ISLAMIC REPUBLIC OF
IRAQ
IRELAND
ISRAEL
ITALY
JAMAICA
JAPAN
JORDAN
KAZAKHSTAN
KENYA
KOREA, REPUBLIC OF
KUWAIT
KYRGYZSTAN
LAO PEOPLE’S DEMOCRATIC
REPUBLIC
LATVIA
LEBANON
LESOTHO
LIBERIA
LIBYA
LIECHTENSTEIN
LITHUANIA
LUXEMBOURG
MADAGASCAR
MALAWI
MALAYSIA
MALI
MALTA
MARSHALL ISLANDS
MAURITANIA
MAURITIUS
MEXICO
MONACO
MONGOLIA
MONTENEGRO
MOROCCO
MOZAMBIQUE
MYANMAR
NAMIBIA
NEPAL
NETHERLANDS
NEW ZEALAND
NICARAGUA
NIGER
NIGERIA
NORTH MACEDONIA
NORWAY
OMAN
PAKISTAN
PALAU
PANAMA
PAPUA NEW GUINEA
PARAGUAY
PERU
PHILIPPINES
POLAND
PORTUGAL
QATAR
REPUBLIC OF MOLDOVA
ROMANIA
RUSSIAN FEDERATION
RWANDA
SAINT LUCIA
SAINT VINCENT AND
THE GRENADINES
SAMOA
SAN MARINO
SAUDI ARABIA
SENEGAL
SERBIA
SEYCHELLES
SIERRA LEONE
SINGAPORE
SLOVAKIA
SLOVENIA
SOUTH AFRICA
SPAIN
SRI LANKA
SUDAN
SWEDEN
SWITZERLAND
SYRIAN ARAB REPUBLIC
TAJIKISTAN
THAILAND
TOGO
TRINIDAD AND TOBAGO
TUNISIA
TURKEY
TURKMENISTAN
UGANDA
UKRAINE
UNITED ARAB EMIRATES
UNITED KINGDOM OF
GREAT BRITAIN AND
NORTHERN IRELAND
UNITED REPUBLIC
OF TANZANIA
UNITED STATES OF AMERICA
URUGUAY
UZBEKISTAN
VANUATU
VENEZUELA, BOLIVARIAN
REPUBLIC OF
VIET NAM
YEMEN
ZAMBIA
ZIMBABWE
The following States are Members of the International Atomic Energy Agency:
The Agency’s Statute was approved on 23 October 1956 by the Conference on the Statute of the
IAEA held at United Nations Headquarters, New York; it entered into force on 29 July 1957.
The Headquarters of the Agency are situated in Vienna. Its principal objective is “to accelerate and enlarge
the contribution of atomic energy to peace, health and prosperity throughout the world’’.

IAEA NUCLEAR SECURITY SERIES No. 43‑T
SECURITY MANAGEMENT
OF RADIOACTIVE MATERIAL
IN USE AND STORAGE
AND OF ASSOCIATED FACILITIES
TECHNICAL GUIDANCE
INTERNATIONAL ATOMIC ENERGY AGENCY
VIENNA, 2022

© IAEA, 2022
Printed by the IAEA in Austria
March 2022
STI/PUB/1951
COPYRIGHT NOTICE
All IAEA scientific and technical publications are protected by the terms of
the Universal Copyright Convention as adopted in 1952 (Berne) and as revised
in 1972 (Paris). The copyright has since been extended by the World Intellectual
Property Organization (Geneva) to include electronic and virtual intellectual
property. Permission to use whole or parts of texts contained in IAEApublications
in printed or electronic form must be obtained and is usually subject to royalty
agreements. Proposals for non-commercial reproductions and translations are
welcomed and considered on a case-by-case basis. Enquiries should be addressed
to the IAEA Publishing Section at:
Marketing and Sales Unit, Publishing Section
International Atomic Energy Agency
Vienna International Centre
PO Box 100
1400 Vienna, Austria
fax: +43 1 26007 22529
tel.: +43 1 2600 22417
email: sales.publications@iaea.org
www.iaea.org/publications
IAEA Library Cataloguing in Publication Data
Names: International Atomic Energy Agency.
Title: Security management of radioactive material in use and storage and of
associated facilities / International Atomic Energy Agency.
Description: Vienna : International Atomic Energy Agency, 2022. | Series: IAEA
nuclear security series, ISSN 1816–9317 ; no. 43-T | Includes bibliographical
references.
Identifiers: IAEAL 21-01472 | ISBN 978–92–0–118221–0 (paperback : alk. paper) |
ISBN 978–92–0–118321–7 (pdf) | ISBN 978–92–0–118421–4 (epub)
Subjects: LCSH: Radioactive substances — Security measures. | Nuclear facilities —
Security measures. | Radioactive substances — Storage.
Classification: UDC 620.267:343.852 | STI/PUB/1951

FOREWORD
by Rafael Mariano Grossi
Director General
The IAEA Nuclear Security Series provides international consensus
guidance on all aspects of nuclear security to support States as they work to fulfil
their responsibility for nuclear security. The IAEA establishes and maintains this
guidance as part of its central role in providing nuclear security related
international support and coordination.
The IAEA Nuclear Security Series was launched in 2006 and is
continuously updated by the IAEA in cooperation with experts from Member
States. As Director General, I am committed to ensuring that the IAEA maintains
and improves upon this integrated, comprehensive and consistent set of up to
date, user friendly and fit for purpose security guidance publications of high
quality. The proper application of this guidance in the use of nuclear science
and technology should offer a high level of nuclear security and provide the
confidence necessary to allow for the ongoing use of nuclear technology for the
benefit of all.
Nuclear security is a national responsibility. The IAEA Nuclear Security
Series complements international legal instruments on nuclear security and serves
as a global reference to help parties meet their obligations. While the security
guidance is not legally binding on Member States, it is widely applied. It has
become an indispensable reference point and a common denominator for the vast
majority of Member States that have adopted this guidance for use in national
regulations to enhance nuclear security in nuclear power generation, research
reactors and fuel cycle facilities as well as in nuclear applications in medicine,
industry, agriculture and research.
The guidance provided in the IAEA Nuclear Security Series is based on
the practical experience of its Member States and produced through international
consensus. The involvement of the members of the Nuclear Security Guidance
Committee and others is particularly important, and I am grateful to all those who
contribute their knowledge and expertise to this endeavour.
The IAEA also uses the guidance in the IAEA Nuclear Security Series when
it assists Member States through its review missions and advisory services. This
helps Member States in the application of this guidance and enables valuable
experience and insight to be shared. Feedback from these missions and services,
and lessons identified from events and experience in the use and application of
security guidance, are taken into account during their periodic revision.

I believe the guidance provided in the IAEA Nuclear Security Series and its
application make an invaluable contribution to ensuring a high level of nuclear
security in the use of nuclear technology. I encourage all Member States to
promote and apply this guidance, and to work with the IAEA to uphold its quality
now and in the future.
EDITORIAL NOTE
This publication does not address questions of responsibility, legal or otherwise, for acts
or omissions on the part of any person.
Guidance issued in the IAEA Nuclear Security Series is not binding on States, but
States may use the guidance to assist them in meeting their obligations under international
legal instruments and in discharging their responsibility for nuclear security within the State.
Guidance expressed as ‘should’ statements is intended to present international good practices
and to indicate an international consensus that it is necessary for States to take the measures
recommended or equivalent alternative measures.
Security related terms are to be understood as defined in the publication in which they
appear, or in the higher level guidance that the publication supports. Otherwise, words are used
with their commonly understood meanings.
An appendix is considered to form an integral part of the publication. Material in an
appendix has the same status as the body text. Annexes are used to provide practical examples
or additional information or explanation. Annexes are not integral parts of the main text.
Although great care has been taken to maintain the accuracy of information contained
in this publication, neither the IAEA nor its Member States assume any responsibility for
consequences which may arise from its use.
The use of particular designations of countries or territories does not imply any
judgement by the publisher, the IAEA, as to the legal status of such countries or territories, of
their authorities and institutions or of the delimitation of their boundaries.
The mention of names of specific companies or products (whether or not indicated as
registered) does not imply any intention to infringe proprietary rights, nor should it be construed
as an endorsement or recommendation on the part of the IAEA.

CONTENTS
1. INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Background (1.1–1.3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Objective (1.4, 1.5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Scope (1.6–1.12) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Structure (1.13) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. ROLE AND PURPOSES OF SECURITY
MANAGEMENT (2.1–2.3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Effectiveness and sustainability (2.4, 2.5) . . . . . . . . . . . . . . . . . . . . . . 3
Integration (2.6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Nuclear security culture (2.7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. SECURITY MANAGEMENT SUB‑GOALS AND
MEASURES (3.1, 3.2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Access management (3.3–3.33) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Security plan (3.34–3.44) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Training and qualification of personnel (3.45–3.52) . . . . . . . . . . . . . . 15
Accounting and inventory (3.53–3.59) . . . . . . . . . . . . . . . . . . . . . . . . 16
Evaluation for compliance and effectiveness (3.60–3.70) . . . . . . . . . . 18
Management of nuclear security events (3.71–3.77) . . . . . . . . . . . . . . 20
4. ADDITIONAL GUIDANCE ON SECURITY
MANAGEMENT (4.1–4.3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Roles and responsibilities (4.4–4.6) . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Maintenance programme (4.7–4.14) . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Budget allocation and resource planning (4.15–4.17) . . . . . . . . . . . . 25
Performance testing (4.18–4.23) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Receipt and transfer procedures (4.24–4.26) . . . . . . . . . . . . . . . . . . . 28
5. CONTENTS OF A SECURITY PLAN FOR RADIOACTIVE
MATERIAL IN USE AND STORAGE (5.1, 5.2) . . . . . . . . . . . . . . 29
Introduction (5.3–5.5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Facility description (5.6–5.9) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Security management (5.10–5.19) . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Security system (5.20–5.26) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Security procedures (5.27–5.32) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Response (5.33) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Reference documents (5.34) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
ANNEX I: EXAMPLE ELEMENTS OF A BACKGROUND
CHECK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
ANNEX II: EXAMPLE FACILITY TRAINING PROGRAMME
FOR THE SECURITY OF RADIOACTIVE
MATERIAL IN USE AND STORAGE . . . . . . . . . . . . . 44
ANNEX III: EXAMPLE OF A PERFORMANCE TEST PLAN
FOR KEY CONTROL . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
ANNEX IV: EXAMPLE OF A SECURITY PLAN FOR A
UNIVERSITY MEDICAL CENTRE . . . . . . . . . . . . . . . 49

1. INTRODUCTION
BACKGROUND
1.1. The IAEA Nuclear Security Series provides guidance for States to assist
them in implementing national nuclear security regimes as well as in reviewing
and, when necessary, strengthening their regimes. The Series also serves as
guidance for States in fulfilling their obligations and commitments with respect to
binding and non‑binding international instruments adopted under the IAEA and
other auspices.
1.2. IAEA Nuclear Security Series No. 20, Objective and Essential Elements
of a State’s Nuclear Security Regime [1], provides the objective and essential
elements for a nuclear security regime. IAEA Nuclear Security Series No. 14,
Nuclear Security Recommendations on Radioactive Material and Associated
Facilities [2], provides recommendations for States and competent authorities on
developing, enhancing, implementing and maintaining a nuclear security regime
for radioactive material, associated facilities and associated activities. IAEA
Nuclear Security Series No. 11‑G (Rev. 1), Security of Radioactive Material in
Use and Storage and of Associated Facilities [3], provides guidance to States
and their competent authorities on how to implement the recommendations
contained in Ref. [2].
1.3. This publication supplements Ref. [3] by providing detailed guidance on
security management, including details on the development of a security plan for
radioactive material in use and storage and for associated facilities.
OBJECTIVE
1.4. The objective of this publication is to provide guidance to States, competent
authorities and operators on how to implement and maintain security management
measures, including details on the development of a security plan, for radioactive
material in use and storage and for associated facilities.
1.5. This publication is also intended to assist regulatory bodies in establishing
regulations and guidance on security management and to assist operators in
meeting these regulatory requirements.
1

SCOPE
1.6. This publication applies to security management of radioactive material in
use and storage and of associated facilities.
1.7. This publication covers radioactive material that includes sealed radioactive
sources and unsealed radioactive material under regulatory control, including
radioactive material over which regulatory control has been gained or regained.
1.8. The term ‘radioactive material’ is used throughout this publication, but the
application of this guidance to radioactive material other than sealed radioactive
sources will depend on national context and priorities.
1.9. This publication is intended primarily for application at facilities that use and
store Category 1, 2 and 3 radioactive sources, as defined in the Code of Conduct
on the Safety and Security of Radioactive Sources [4], and other radioactive
material. Although this publication does not specifically address the security
management of Category 4 and 5 radioactive sources, a State might choose to
apply the security management concepts and measures outlined in this Technical
Guidance to such material.
1.10. This publication does not cover preparedness and response to a nuclear or
radiological emergency triggered by a nuclear security event, which are addressed
in IAEA Safety Standards Series No. GSR Part 7, Preparedness and Response for
a Nuclear or Radiological Emergency [5].
1.11. This publication also does not address security management relating to the
transport of radioactive material, other than transport that is incidental to the use
of mobile or portable radioactive material. The topic of transport of radioactive
material is addressed in IAEA Nuclear Security Series No. 9‑G (Rev. 1), Security
of Radioactive Material in Transport [6].
1.12. This publication does not address security measures relating to radioactive
material out of regulatory control.
STRUCTURE
1.13. Section 2 explains the role and purposes of security management. Section 3
provides guidance on implementing security sub‑goals and measures. Section 4
provides additional guidance and good practices for security management.
2

Section 5 provides guidance on the contents of a facility security plan for
radioactive material in use and storage. The annexes provide examples of
documentation referred to in the main text.
2. ROLE AND PURPOSES OF SECURITY
MANAGEMENT
2.1. Security management of radioactive material in use and storage and of
associated facilities includes the establishment and implementation of policies,
plans, procedures and processes that provide personnel with the needed authority
and resources to establish and maintain an effective security system. Security
management should be a component of the operator’s overall management system.
2.2. Security should be integrated into the overall management system in a
manner that avoids, or at least minimizes, conflicts with other elements of the
management system, such as nuclear and radiation safety, and takes advantage
of potential synergies. In particular, the operator should ensure that, as far as
possible, security measures and safety measures do not conflict with one another
and are mutually supportive.
2.3. Security management has the following three main purposes:
(a) Ensuring the effectiveness and sustainability of the security system;
(b) Ensuring that personnel, procedures and equipment function effectively as
a system (integration);
(c) Promoting a robust nuclear security culture.
In the following subsections, each of these purposes is presented in more detail.
EFFECTIVENESS AND SUSTAINABILITY
2.4. The first purpose of security management is to ensure that the security
system is effective and sustainable. To achieve this, the security system should
be reliably operated and maintained, should be evaluated, should function as
intended and should meet regulatory requirements.
3

2.5. The operating organization’s leadership should provide staff responsible
for security with the requisite authority, support and resources to achieve this
purpose, including by doing the following:
(a) Ensuring that the security system provides protection against the threat at
a level commensurate with the potential consequences of malicious acts, is
appropriate to the specific conditions at the facility and meets the regulatory
requirements;
(b) Establishing and implementing policies and procedures governing the
operation of the security system, the training of individuals responsible for
security and the regular evaluation of regulatory compliance and security
system performance;
(c) Maintaining security equipment to manufacturer specifications, promptly
repairing equipment malfunctions and designing and implementing
compensatory measures that meet or exceed applicable security requirements
in the event of equipment failures or outages.
INTEGRATION
2.6. The second purpose of security management is to ensure that personnel,
procedures and equipment function effectively as a system. The operator should
take measures to ensure that personnel, procedures and equipment operate
interdependently and in an integrated manner.
NUCLEAR SECURITY CULTURE
2.7. The third purpose of security management is to promote a robust nuclear
security culture. Nuclear security culture is the “assembly of characteristics,
attitudes and behaviour of individuals, organizations and institutions which serves
as a means to support and enhance nuclear security” [7]. Security management
policies, plans, processes and procedures should promote a robust nuclear security
culture by the following:
(a) Demonstrating leadership commitment to security at the highest level of the
organization;
(b) Providing personnel responsible for security with the requisite authority to
perform their duties;
(c) Ensuring sufficient resources are available to effectively implement security
measures;
4

(d) Building security awareness and cultivating a sense of shared responsibility
for security among all staff;
(e) Holding staff and management accountable for security;
(f) Embedding a robust security culture within the overall organizational
culture.
3. SECURITY MANAGEMENT SUB‑GOALS
AND MEASURES
3.1. An effective security system should display an adequate level of
performance for security management as well as for each of the security
functions of detection, delay and response. This adequate level of performance
can be expressed via ‘sub‑goals’, as per the method for establishing a regulatory
programme for the security of radioactive material set out in sections 5 and 6
of Ref. [3]. These sub‑goals are also presented in Table 1 (reproduced from
Ref. [3]), with accompanying security measures that could be used to meet the
individual sub‑goals.
3.2. The following subsections provide additional guidance on implementing
these sub‑goals.
ACCESS MANAGEMENT
3.3. The first four security sub‑goals — access authorization, trustworthiness
assessment, access control and information protection — are arrangements through
which the operator limits access to radioactive material and sensitive information
only to those individuals who have been authorized for such access, based on a
demonstration of their operational need for such access and verification of their
trustworthiness and reliability.
3.4. These four sub‑goals are grouped together as access management in
this publication in order to emphasize their interdependency.
5

6
TABLE 1. SECURITY MANAGEMENT MEASURES
Security sub‑goal Security measures
Establish a process for granting
individuals authorized unescorted
access to radioactive material and/or
access to sensitive information
Procedures for determining the individuals who
need access, verifying that such individuals are
trustworthy and reliable and have received
necessary training, authorizing access,
withdrawing access as appropriate and
maintaining documentation
Ensure trustworthiness and reliability of
authorized individuals
Background checks for all personnel authorized
for unescorted access to radioactive material
and/or for access to sensitive information
Provide access controls that effectively
restrict unescorted access to radioactive
material to authorized persons only
Identification and verification measures
Identify and protect sensitive
information
Procedures to identify sensitive information and
protect it from unauthorized disclosure
Provide a security plan A security plan which addresses required topics,
is submitted or made available to the regulatory
body and is periodically exercised, evaluated and
revised as appropriate
Ensure training and qualification of
individuals with security responsibilities
Assessment of necessary knowledge, skills and
abilities; provision of corresponding training;
procedures for documenting and updating
training
Conduct accounting and inventory of
radioactive material
Procedures and documentation for verifying
presence of radioactive material at prescribed
intervals; establishment and maintenance of a
radioactive material inventory
Conduct evaluation for compliance and
effectiveness, including performance
testing
Process for verifying that all applicable security
requirements are met and for assessing the
effectiveness of the security system, employing
performance tests as appropriate
Establish a capability to manage and
report nuclear security events
Response plan addressing security related
scenarios and procedures for timely reporting of
nuclear security events

3.5. Access control measures or separation of duties should be used to ensure that no
single person or part of the operating organization has authority over all measures used
to manage the access to radioactive material or sensitive information. For example,
the operator of a storage facility may require that authorization be received from two
persons from two different units in order for an access authorization to be granted.
Access authorization
3.6. Certain personnel need to have unescorted access to radioactive material
and/or access to sensitive information in order to discharge their operational or
security related responsibilities. Access authorization is the process of granting
permission to only these specific personnel for unescorted access to radioactive
material and/or for access to sensitive information.
3.7. Regulatory bodies should require operators to limit unescorted access
to radioactive material and access to sensitive information to staff with a
demonstrated need for such access to perform their jobs, whose trustworthiness
has been verified and who have received appropriate security training, to reduce
the potential risk posed by insider threats.
3.8. Unescorted access to radioactive material and sensitive information should
only be permitted if an access authorization is granted by the operator. The
granting of access authorization should be limited to the minimum necessary
number of personnel.
3.9. The operator’s management should implement a process for granting access
authorization, including establishing and implementing procedures that provide
for the following:
(a) Determining that an individual needs such access in order to discharge his or
her responsibilities and defining the scope of his or her access, for example by
limiting it to specific locations, specific hours or circumstances during which
access is permitted or specific types of information that may be accessed;
(b) Obtaining verification that the individual is trustworthy and reliable (see
paras 3.12–3.18);
(c) Obtaining verification that the individual has received the necessary security
training (paras 3.45–3.52);
(d) Authorizing access using the processes described in (a), (b) and (c);
(e) Withdrawing access as appropriate, for example when an individual’s
responsibilities change or when employment is terminated;
7

(f) Maintaining current documentation of the results of this process and
providing it to those responsible for access control as needed.
Documentation of access authorization could include, for example, the names
of personnel with access authorization, their positions, the date of completion
of their background checks and security training, the scope of the access
authorization, the date from which that access is or was authorized and the date
and reason for which access was withdrawn, if applicable.
3.10. Individuals who are not authorized for unescorted access should be allowed
access to areas where radioactive material is present only if they are escorted or
observed by personnel authorized for such access, or if compensatory measures
for the security of the radioactive material have been implemented. This should
apply not only to visitors but also to individuals that may access the facility on a
regular basis, including maintenance, cleaning and repair staff and contractors.
3.11. More detailed guidance on this topic can be found in IAEA Nuclear
Security Series No. 8‑G (Rev. 1), Preventive and Protective Measures against
Insider Threats [8].
Trustworthiness assessment
3.12. Trustworthinessassessmentsareusedtoprovideaninitialassessment(during
the hiring process) and ongoing assessments (occurring periodically throughout
the employment period) of an individual’s integrity, honesty and reliability [8].
Such a determination is in addition to any identification verification or background
checks performed by the operator upon the initial hiring of employees.
3.13. Laws or regulations may define the minimum requirements, standards and
scope for the trustworthiness assessments or establish penalties for misrepresenting
material facts during the background check. The regulatory bodies and/or other
competent authorities should also establish a framework that enables to search
criminal and counterterrorism databases as part of the background check. The details
of these arrangements will vary depending on the State’s legislation and regulations
in this area. Example elements of a background check are provided in Annex I.
3.14. The regulatory body should require the operator to establish policies and
procedures, on the basis of the category of the radioactive material and following
a graded approach, to ensure that the trustworthiness and reliability of all
individuals authorized for unescorted access to radioactive material or access to
sensitive information have been confirmed through a trustworthiness assessment.
8

The regulatory body should ensure the availability of arrangements to enable
operators to implement this requirement, such as referral to law enforcement or
other external agencies for conduct of the review. In some States, this referral
process might require facilitation by the regulatory body. Moreover, as noted
in para. 4.18 of Ref. [8], “National laws might restrict the scope or conduct
of identity verification, personal document verification and trustworthiness
assessments in a State”.
3.15. The operator should establish policies and procedures for obtaining
trustworthiness assessments, documenting the results and managing the privacy
of information. The extent of the assessment should be proportional to the
sensitivity of the individual’s responsibilities, in accordance with applicable
regulations. The depth of the assessment should also account for the planned
extent of the individual’s access to radioactive material or sensitive information
and the security level of the radioactive material the individual would access.
3.16. The assessments should review the individual’s observance of the law and
adherence to the facility rules, as well as any behaviour or motivational factors
of concern. For example, the assessment should seek to identify motivational
factors such as financial problems or pressures (e.g. debts, wage cuts), adherence
to an ideology of concern, desire for revenge (e.g. a perceived injustice against
the individual), physical dependency (e.g. drugs, alcohol, sex), psychological
or psychiatric characteristics, severe dissatisfaction with private or professional
life and other factors due to which an individual could be coerced to commit
a malicious act. These motivational factors may be identified by a review of
information such as criminal records, personal and professional references,
past work history, financial records, on‑line and other social networks, medical
records and job performance reports, as well as information from colleagues
about observed behaviour [8].
3.17. Depending on the State’s laws and regulations, trustworthiness checks
may be performed only by the competent authority or entirely or partially by the
operator. When the operator takes part in this process, the regulatory body and/or
other competent authorities should consider developing a standard questionnaire
for the trustworthiness assessment, to ensure the consistency of the type of
information gathered by operators. Unwillingness to provide information and
concealment or misstatement of facts in the personal history disclosure are factors
that can raise serious concern when determining trustworthiness for access to
radioactive material or sensitive information.
9

3.18. The trustworthiness assessment for each individual should be carefully
documented and protected as sensitive information and retained for possible
inspection by the regulatory body. This documentation is also subject to national
legislation relevant to trustworthiness assessments, information security and
privacy of information.
Access control
3.19. Access control is intended to limit access to locations where radioactive
material or security sensitive information is present to authorized persons. Access
control typically consists of allowing authorized persons to temporarily disable
physical barriers such as a locked door only upon verification of the person’s
identity and access authorization [3]. Robust implementation of access control
rules and procedures can minimize the potential that an insider adversary has
access to sensitive material, systems and equipment.
3.20. The operator should establish and document strict access control rules
and procedures to limit unescorted access of persons without authorized access
to radioactive material, equipment used for processing or handling radioactive
material and systems relevant to safety or security.
3.21. The operator should define all facility areas to which unescorted access will
be limited to authorized persons. Each such area should consist of a physical space
that provides three dimensional containment, such as a locked room with no easily
defeated entry points (e.g. windows, false ceilings), and should be configured to
minimize the number of personnel who need access in order to perform their jobs.
For example, such an area for a teletherapy unit would generally consist of the
treatment room and sometimes an anteroom.
3.22. Once the areas are defined to which unescorted access is limited to authorized
persons, the operator should select and install barriers (e.g. locked doors) that can
be temporarily disabled by authorized persons during working hours to allow entry.
Some type of access credentials (e.g. keys, identification cards or a combination
of methods) should be needed to enable entry, and a method for verifying the
authorized person’s credentials should be implemented. The operator should
install the necessary equipment, issue access media to authorized individuals,
develop access control procedures for entry to the area, provide training on their
use for authorized individuals and conduct regular tests and maintenance.
3.23. According to para. 4.55 of Ref. [8], “Access control records should also be
maintained of all persons…who have access to, or are in possession of, keys, key
10

cardsandothercredentialsrelevantforaccessingothersystems,includingcomputer
systems that control access”. Procedures should be developed and implemented
for documenting and maintaining information on the access authorizations of
persons permitted to enter areas to which unescorted access is limited.
3.24. Access credentials should be returned and/or deactivated when access
authorization is no longer needed. In addition, physical access credentials
such as keys and cards should also be audited and access credentials should be
changed periodically. When it is discovered, reported or suspected that access
credentials have been lost or compromised, immediate action should be taken
to prevent unauthorized access, for example by changing locks, combinations or
system programming.
3.25. Rules and procedures for the operation and management of electronic access
control systems should also be put into place, if applicable.
3.26. The operator should designate personnel to develop and implement access
control procedures, to manage and operate access and entry control systems and
to design, install and operate physical access control measures. Management
should also provide resources, awareness, training and support to enforce policies
and procedures throughout the operating organization.
3.27. Access control rules should be defined for visitors, escorts and for abnormal
conditions such as response to emergencies and system outages [8]. The access
control rules should state that authorized individuals are responsible for escorting
individuals who do not have access authorization for the limited access area.
Persons without authorized access should be permitted to enter the limited access
area only if they have a specific need to do so, such as treatment, maintenance or
janitorial activities. Authorized individuals should accompany escorted persons at
all times that they are in the limited access area or should maintain constant visual
surveillance of the unescorted persons, for example through video monitoring.
Upon exit of escorted persons, authorized personnel should ensure the limited
access area is again secure or should maintain visual surveillance of the entry
until it is secured.
3.28. Further information on access control can be found in Ref. [8].
Information protection
3.29. Paragraph1.1ofIAEANuclearSecuritySeriesNo.23-G,SecurityofNuclear
Information [9], states that “Sensitive information is information, in whatever
11

form, including software, the unauthorized disclosure, modification, alteration,
destruction, or denial of use of which could compromise nuclear security”. The
sameappliestothesecurityofradioactivematerial.Suchinformationcouldinclude,
for example, the design of a security system, a list of staff with unescorted access
to the radioactive material, or details of an organization’s response capabilities
to a particular threat. Securing sensitive information is necessary because easy
access to inadequately secured information can help adversaries to plan or commit
malicious acts with relatively little effort or risk [9]. The operator’s security
policies and procedures direct information security activities. The security plan is
the primary tool to document these activities.
3.30. Paragraph 6.15 of Ref. [9] states that “Personnel security, including
trustworthiness checks, ensures that those who have access to sensitive information
are deemed by the State to be suitably trustworthy to do so”. Personnel should
protect sensitive information from unauthorized disclosure and report any actual
or suspected unauthorized release, compromise or failure to protect sensitive
information. Support of the leadership within the operating organization is needed
to provide the resources and training to enforce policies and procedures regarding
sensitive information throughout the organization.
3.31. Paragraph 3.4 of Ref. [9] states:
“The State’s relevant competent authorities should develop and issue policy
and requirements specific to the security of sensitive information at nuclear
material and other radioactive material associated facilities and activities.
These are usually based on, and in accordance with, any national security
policy and requirements issued by the national security authorities, but taking
into account the special nature of the activities that involve such materials”.
3.32. In accordance with Ref. [9], information protection measures should be
considered for information of at least the following types, which could affect
nuclear security:
(a) Details of physical protection systems and any other security measures in
place for nuclear material, other radioactive material, associated facilities
and activities, including information on guard and response forces;
(b) Information relating to the quantity and form of radioactive material in use
or storage, including accounting information;
(c) Details of computer systems, including communication systems, that
process, handle, store or transmit information that is directly or indirectly
important to safety and security;
12

(d) Security plan and information on the liaison with local law enforcement
agencies;
(e) Contingency and response plans for nuclear security events;
(f) Personal information about employees, vendors and contractors;
(g) Threat assessments and security alert information;
(h) Details of sensitive technology;
(i) Details of vulnerabilities or weaknesses that relate to the above topics;
(j) Historical information on any of the above topics.
3.33. Some of the above information, such as personal information, may
also be subject to specific security requirements under other national laws or
company policies [9].
SECURITY PLAN
3.34. The security plan enables operators to demonstrate to the regulatory body
their compliance with security requirements. A security plan is an important
tool for documenting the activities associated with establishing, implementing
and maintaining an effective, sustainable and integrated security system that
demonstrates the operator’s nuclear security culture.
3.35. Paragraph 4.20 of Ref. [2] states that “Operators should be required to
develop, implement, test, periodically review, revise as necessary a security plan
and comply with its provisions”. Similarly, the Code of Conduct [4] states that:
“Every State should ensure that the regulatory body established by its
legislation has the authority to […] require those who intend to manage
radioactive sources to seek an authorization, and to submit […] a security
plan or assessment as appropriate”.
3.36. Paragraph 3.33 of Ref. [2] states that “The regulatory body should ensure
that the operator’s security plan includes measures to effectively respond to a
malicious act consistent with the threat”. The security plan should describe the
security systems that are planned or are in place to protect radioactive material in
use and storage and associated facilities. It should also include descriptions of the
security management measures that are planned or are in place.
3.37. Each facility should develop its own security plan on the basis of applicable
regulations and facility policies and practices.
13

3.38. Applicable regulatory requirements for security, as well as any other
applicable national or local requirements, should be documented in the security
plan. Regulatory compliance should also be documented, including a description
of measures taken by the operator, where appropriate. The plan should set out any
policies and procedures established by the operator responsible for the radioactive
material that affect the security or the security management of the radioactive
material, as well as how these policies and procedures are implemented.
3.39. Senior management should designate individual(s) who will be responsible
for preparing and internally approving the security plan. Upon regulatory approval,
management should also provide sufficient resources for the implementation of
the plan. The designated individual(s) should be responsible for the drafting,
implementing, reviewing and updating of the security plan.
3.40. All staff with a defined role in the security plan should be aware of
their responsibilities, including any security procedures that apply to them. In
particular, response forces, both on‑site and off‑site, should be consulted during
the development of the security plan to ensure that their roles and responsibilities
are appropriately understood and documented.
3.41. The security plan should be coordinated with the facility’s emergency plans
and procedures to ensure consistency, and emergency response personnel should
be consulted during the development of the security plan.
3.42. Security plans contain sensitive information and should be protected
as such. Some information (e.g. threat information, vulnerability assessment
information) might be particularly sensitive and should be included in appendices
to which access is further limited to specific individuals with a need to know this
information in order to perform their duties.
3.43. The security plan should include a list of references used or referred to in the
body of the security plan. The security plan should include appendices (such as
procedures) that contain information that is too detailed or too sensitive to include
in the main body of the security plan.
3.44. Detailed guidance on a proposed format and contents of a security plan
following this approach is provided in Section 5 of this publication as well as in
appendix II of Ref. [3].
14

TRAINING AND QUALIFICATION OF PERSONNEL
3.45. All personnel should have sufficient security awareness to enable them to
understand the need for and importance of the security of radioactive material.
They should also be able to recognize a nuclear security event and know what
to do and who to contact if such an event occurs. Regular security awareness
training should be provided to all personnel. Personnel who have specific security
responsibilities or perform a particular security function — such as controlling
access media (e.g. cards, keys) — or are involved in the response to a security
event should be adequately qualified and have specialized training. These
individuals may include both staff and contractors.
3.46. Training is used to provide staff with the knowledge, skills and abilities
to effectively execute their responsibilities for security as well as to update
their knowledge, skills and abilities. Qualification is used to ensure that staff
with specific security responsibilities are capable of performing their assigned
security responsibilities to an acceptable standard. The contents and delivery of
training at each facility should take into account facility specific conditions and
qualification of personnel.
3.47. The operator should identify needs for training and qualification of
personnel. These should be based on an evaluation of the knowledge, skills and
abilities that individuals with security responsibilities need in order to effectively
perform their roles. Training and qualification should be documented, and training
records should be maintained.
3.48. The operator should establish and deliver a training programme for new
personnel and identify needs and timelines for conducting periodic refresher or
re‑qualification training (see para. 3.49). Development and delivery of security
training can be performed by qualified staff, external experts or a combination
of the two. All training should include a participant assessment to ensure that
learning objectives have been satisfied.
3.49. The content and methods of delivery of courses within the training
programme should consider the level of knowledge, skills and abilities needed by
the operator or required by the competent authority for personnel in specific roles.
The courses should include the following training content:
(a) Security awareness for all facility personnel;
(b) Security system and functions for personnel with specified security
responsibilities;
15

(c) Specialized or advanced training, such as for response personnel;
(d) Specific on‑the‑job training involving procedures or equipment instructions;
(e) Refresher training.
3.50. All training courses and materials should be regularly reviewed by the
operator for relevance of content and effectiveness of delivery. Suggested key
learning areas and their topics are provided in Annex II.
3.51. The operator’s qualification needs for personnel with specific security
responsibilities should generally include minimum educational and previous
experience and may also include physical and psychological aspects as well
as experience or training in the operation specific security equipment. The
management should assess each individual’s knowledge, skills and abilities as
well as other qualifications against the applicable needs before assigning that
individual to a position with security responsibilities. The competence of such
staff to perform their assigned duties should also be periodically re‑assessed
(re‑qualification).
3.52. The qualification process should also involve an assessment or verification
of the knowledge, skills and abilities needed by the operator. Performance testing
provides an additional means to evaluate or validate the application of knowledge
and skills of the staff during the performance of their duties (see paras 4.19–
4.23).
ACCOUNTING AND INVENTORY
3.53. An inventory is a current list of all radioactive material or items containing
radioactive material that an operator is authorized to possess.Accounting processes
are used to verify that all radioactive material in an operator’s inventory is present
at its authorized location, providing a means to detect the loss or unauthorized
removal of any radioactive material.
3.54. The regulatory body should specify accounting and inventory requirements
in its regulations for the security of radioactive material.
3.55. The operator should verify the presence of radioactive material at its
authorized location through such means as the following:
(a) Physical checks;
(b) Remote video monitoring;
(c) Examination of seals or other tamper indicating devices;
16

(d) Radiation measurements at designated measurement points.
The verification should take place at intervals prescribed by the regulatory body,
in accordance with a graded approach and following specific procedures. The
intervals at which this verification should take place for various types of material
are presented in Ref. [3].
3.56. Theregulatorybodyshouldrequiretheoperatortomaintainrecordsindicating
the results of each accounting verification, including the date, the individual
who carried out the verification and the means used to verify the presence of the
radioactive material. If the presence of the radioactive material cannot be verified,
the operator should be required to report the loss or unauthorized removal to the
regulatory body and/or other competent authorities in a manner and within a time
prescribed by the regulatory requirements and to initiate efforts to locate and
regain control of the material.
3.57. The operator should establish an inventory of all radioactive material
it possesses, noting for each radioactive material in the inventory the
following information:
(a) The location of the material;
(b) The radionuclide;
(c) The activity on a specified date;
(d) The serial number or unique identifier;
(e) The chemical and physical forms;
(f) The material use history, including movement into, within and out of the
operator’s facility;
(g) Receipt, transfer or disposal of the material;
(h) Other information, as appropriate, to enable the material to be identifiable
and traceable.
This inventory should be established as prescribed by the regulatory body and in
accordance with specific procedures summarized in the security plan.
3.58. The operator should also be required to adjust the inventory following any
transfers and receipts within a period of time specified by the regulatory body.
Annually or more frequently, as specified by the regulatory body, the operator
should be required to verify that the inventory is complete and accurate in all
respects and to adjust the inventory to reflect any discrepancies identified. The
operator should be required to report the results of these activities to the regulatory
body for inclusion in the national registry of radioactive material.
17

3.59. The operator should assign to one or more individuals the responsibility
for performing periodic accounting activities and for verifying the inventory of
radioactive material.
EVALUATION FOR COMPLIANCE AND EFFECTIVENESS
3.60. During an evaluation process, the operator should perform a self‑assessment
to verify that the facility is in compliance with all applicable security requirements.
The operator should also assess the effectiveness of the security system to identify
any weaknesses that should be corrected and identify any opportunities for
improvement, including the development of more effective protection measures.
3.61. Evaluation helps to ensure that the operator’s security system is reliably
operated and maintained, functions as intended, is effective and continues to meet
the regulatory requirements. Evaluation also assists the facility to prepare for
regulatory inspections and thus to avoid negative inspection results and possible
enforcement action. It may also identify opportunities for improving the cost
effectiveness of the security system. If the operator lacks the capability to perform
an evaluation of its system, the evaluation could be conducted by specialized
security subcontractors or by competent authorities, such as law enforcement.
3.62. The operator’s management should establish a process and schedule for
conducting evaluations and assign roles and responsibilities for their conduct.
Depending on the size of the facility and the complexity of the evaluation,
participants can include the following:
(a) An evaluation team leader with overall responsibility for the evaluation;
(b) Evaluation team members responsible for specific assigned evaluation
topics;
(c) A facility representative who serves as liaison between the evaluation team
and other facility staff;
(d) The facility safety officer who ensures that security evaluation activities,
such as performance tests, do not compromise safety.
All facility staff should cooperate as requested in the conduct of these evaluations.
3.63. As described in Ref. [3], performance tests are an especially useful means
of evaluating security measures to determine whether these measures can actually
perform as expected and produce the desired results. Guidance on performance
testing, which should be integral to the evaluation process, is provided in Section 4.
18

3.64. Over time, the operator should track trends and patterns in the evaluation
results to identify emerging problems and opportunities for improvement. The
operator should also incorporate evaluation results (both positive and negative),
as appropriate, into security awareness training for all staff, as well as in specific
training for staff with assigned security responsibilities.
3.65. The details of the evaluation process should be flexible and tailored
to the facility’s particular needs and constraints. The remainder of this
subsection describes an example of how an evaluation should be implemented.
Implementation of an evaluation
3.66. The operator’s management should define the scope of the evaluation and
identify the security requirements against which compliance is to be verified,
such as regulatory requirements, licence conditions and provisions of the facility
security. The scope should include the security system and security management
elements to be evaluated. Evaluation criteria and methods of evaluation should be
agreed with the regulatory body.
3.67. Once the scope of the evaluation is defined, the operator’s management
should assign a team leader to assume overall responsibility for the planning and
conduct of the evaluation. The team leader should prepare an evaluation plan
which sets out the evaluation method to be used for each topic to be addressed.
Evaluation methods might include: document review (e.g. review of accounting
records, access control procedures, training records), interviews (e.g. asking
questions of radiation protection officers), observations (e.g. watching personnel
entering the secured area) and security analysis tools and models, supported by
performance testing (e.g. testing of equipment, personnel or procedures1
). The
results of the evaluation should be integrated for analysis.
3.68. The evaluation plan should include assigned roles and responsibilities for
conducting the assessment, including, if appropriate, evaluation team members,
facility representatives, facility safety officers and facility staff responsible for
matters subject to the evaluation. For each evaluation team member, the plan
should specify the topics to be assessed by the team member, the requirements
applicable to each assigned topic, any good practices applicable to the topic which
have been followed by the operator, the methods to be employed for evaluating
1
Because of their key role in evaluations, performance tests are addressed separately
in paras 4.18–4.23. However, performance testing will be conducted as an integral part of the
evaluation process.
19

each topic and the schedule for preparing, performing and reporting on the
evaluation of each assigned topic.
3.69. Following the completion of the evaluation, the team leader should compile
the results and prepare an evaluation report. This report could, as applicable,
include the following:
(a) The scope and type of the evaluation;
(b) The topics evaluated;
(c) The requirements and the effectiveness of the measures or the good practices
applicable to each topic;
(d) The methods employed for evaluation with respect to each topic;
(e) The conclusions reached with respect to each topic with specific reference
to the basis for each conclusion;
(f) Recommendations for any follow‑up actions.
The evaluation team leader should review the results with the operator’s
management and adjust any follow‑up actions as directed. The operator’s
management could prepare a prioritized action plan to correct any problems
identified in the evaluation.
3.70. The regulatory body should consider if the findings necessitate changes in
the facility security system. If so, the findings arising from the evaluation of the
effectiveness of the security system should be incorporated into the operator’s
nuclear security plan to gain regulatory approval for changes to the security system.
MANAGEMENT OF NUCLEAR SECURITY EVENTS
3.71. Management measures related to nuclear security events consist of the
operator’s policies, plans and procedures to prepare for, respond to and report
on nuclear security events. These policies, plans and procedures should be well
defined and exercised.
3.72. The facility’s response plan should address management and reporting of
nuclear security events. Paragraph 3.124 of Ref. [3] states:
“The regulatory body should require the operator to establish, test and
implement measures to detect and respond to nuclear security events, using
a graded approach and in cooperation with State and local level emergency
20

and response plans. These measures should be documented in the operator’s
security plan or in a stand‑alone response plan”.
3.73. The operator’s response plan should take into account facility circumstances
(e.g. its location) and business operations, as well as the roles of the operating
personnel,externalsecurityresponsepersonnel,emergencyresponseorganizations
and the regulatory body. In developing the facility response plan, the operator
along with the external response organizations should determine the following:
(a) The types of nuclear security event to be addressed (such as suspected or
threatened malicious acts, unauthorized access to a limited access area,
attempted malicious acts and successful malicious acts);
(b) The means by which each type of nuclear security event might be identified
(such as detection and assessment of an alarm);
(c) The roles and responsibilities of the operating personnel in the initial
phase of each type of nuclear security event, including communications, as
appropriate, with the operator’s management, external response forces and
the regulatory body;
(d) Arrangements with external security response forces for their deployment
in response to each type of nuclear security event, including, as appropriate,
arrangements regarding the forces’ familiarity with the facility and targets,
estimated response times, capabilities, strategy and tactics;
(e) Communication methods to be used by operating personnel and external
security response forces;
(f) Procedures for reporting of nuclear security events to the regulatory body
as well as for notifying external response forces and emergency response
organizations, as appropriate, including timeframes for notification and
reporting commensurate with the significance of the event.
The operator should confer with the regulatory body to determine when and how
the regulatory body will be informed of and involved in the response to a nuclear
security event.
3.74. While the operator is responsible for developing, implementing and
regularly exercising the response plan, in most cases, the portion of the response
aimed at interrupting the adversary will be provided by external security response
forces, such as the local law enforcement. Accordingly, the operator should
jointly develop, implement and exercise the response plan in conjunction with the
organization responsible for the external response forces in order to ensure that
the planned response and division of responsibilities is agreed and coordinated.
The operator should also include emergency response organizations in the
21

development, implementation and exercise of the response plan for events that
might initiate a nuclear or radiological emergency. The regulatory body might
need to engage with the response force organization to facilitate the necessary
communications and coordination with the operator.
3.75. The operator should document arrangements with external organizations,
such as response force organizations, in memoranda of understanding or other
arrangements. The operator should make the response plan available in draft form
to the organization providing the external response and the regulatory body for
their review and comment, if required or requested.
3.76. The operator should exercise the response plan on a regular basis (at
least annually), with the participation of external security response personnel
and others, such as the regulatory body, as appropriate. The exercises should
also address nuclear security events that might initiate a nuclear or radiological
emergency, in order to evaluate the integration of the security response forces
with the emergency response organizations. Such exercises could be conducted
either as tabletop exercises or as field exercises, depending on the situation and
availability of resources. The regulatory body should facilitate the involvement
of external security response personnel and other external entities as necessary
and appropriate.
3.77. The operator along with external response personnel should review
the exercise results and modify the response plan as necessary to address any
identified deficiencies.
4. ADDITIONAL GUIDANCE ON SECURITY
MANAGEMENT
4.1. In addition to the security management sub‑goals and measures identified
in Ref. [3] and presented in Section 3, there are a number of other good practices
for security management, five of which are presented in the subsections to follow.
22

4.2. The operator’s management should support the promotion and strengthening
of nuclear security culture and the evaluation and continuous improvement of
nuclear security, including by doing the following:
(a) Establishing clear lines of responsibility and accountability for the
implementation of nuclear security requirements imposed by the regulatory
body;
(b) Setting security objectives and security performance goals;
(c) Periodically evaluating the management system for the security of
radioactive material;
(d) Allocating sufficient resources to guarantee the implementation of security
requirements;
(e) Conveying the importance of nuclear security and of fulfilling legal and
regulatory obligations;
(f) Creating and sustaining opportunities for learning and development for all
personnel;
(g) Encouraging feedback, both positive and negative, from facility personnel.
4.3. The operator’s management should continuously promote nuclear
security culture and a sustainable security system in which personnel turnover,
organizational changes or competing organizational priorities do not lead to a
loss of core competencies or weaken security culture. This effort should include
systematic knowledge management and succession planning.
ROLES AND RESPONSIBILITIES
4.4. The operator should assign roles and responsibilities for security and ensure
that the personnel are familiar with the equipment and procedures needed for these
roles and responsibilities to be carried out. In assigning roles and responsibilities
for security, the operator should ensure that the security system is effective and
that the personnel are held accountable for the proper performance of their duties.
4.5. The operator should analyse the security system to identify activities
associated with designing, implementing, operating and maintaining the security
system. On the basis of this analysis, the operator should then define, assign
and document all roles and responsibilities associated with the performance of
each activity. Roles and responsibilities should be described in a manner that is
clear, understandable, unambiguous, specific and complete, and the roles and
responsibilities should be clearly assigned to appropriate parts of the organization
or personnel. The assignment of roles and responsibilities should be summarized
23

in the security plan as well as in other documents that are accessible to facility
personnel with a need to know but without access to the security plan.
4.6. The operator should ensure that the facility personnel possess the authority,
training and resources needed to fulfil the responsibilities assigned to them. Once
roles and responsibilities have been assigned, performance expectations should be
established and assigned staff should be held accountable to them. The operator
should clearly convey to the personnel their roles and responsibilities related to
security and overall facility operations.
MAINTENANCE PROGRAMME
4.7. A maintenance programme is used to ensure that all security equipment is
kept in operational condition and that any security equipment that is
malfunctioning is identified as such and restored to its normal operating mode.
Most modern security system components have a lifecycle of several years. An
effective maintenance programme supports the sustainability of an operator’s
security system.
4.8. The operator should establish and implement a maintenance programme
that defines steps, procedures and schedules for ensuring that all components of
the security system are operating effectively. The maintenance programme should
also ensure that any components that are not operating effectively are repaired as
soon as possible and should include procedures for tracking and reporting system
faults. These procedures should include timelines for responding to component
or system failures. Until systems are returned to effective operation, the operator
should implement additional temporary security measures to ensure that overall
security effectiveness is not degraded.
4.9. The maintenance programme should be integrated as much as possible into
the overall management system of the facility, while recognizing the sensitive
nature of the security system.
4.10. The maintenance programme should address both preventive and corrective
maintenance. Security equipment should receive periodic routine preventive
maintenance to ensure reliable operation. The maintenance programme should
also include arrangements for corrective actions when a system or component
fails during normal operation or during testing.
24

4.11. Activities performed by security maintenance personnel should include
the following:
(a) Developing a schedule for preventive maintenance on the basis of
manufacturer specifications and experience with the equipment;
(b) Conducting preventive maintenance tasks, including development of
maintenance schedules and inspection of existing security equipment;
(c) Correcting faults and failures in a timely manner;
(d) Repairing, modifying or replacing faulty security equipment;
(e) Managing equipment and parts inventory;
(f) Keeping maintenance and warranty records;
(g) Interacting with technical support resources within the organization, security
equipment vendor or manufacturer.
4.12. More sophisticated systems, such as those that incorporate biometric sensors
or other special detection means, might need more frequent attention.
4.13. The maintenance programme can be carried out by qualified facility
technicians, suitable external contractors or a combination of the two. The
description of roles and responsibilities summarized in the security plan should
include information indicating which personnel have the overall responsibility
for maintenance as well as which personnel have the authority for conducting
each particular type of maintenance. If an external contractor is employed for
the maintenance of security equipment, the description should identify the
contract and the major tasks the contractor is to perform. If a combination of
facility technicians and external contractors performs maintenance tasks, then the
respective section of the security plan should describe explicitly which tasks are
assigned to facility technicians and which to external contractors.
4.14. All facility staff should be held responsible for noticing and immediately
reporting security equipment that does not function effectively or is not
being used properly.
BUDGET ALLOCATION AND RESOURCE PLANNING
4.15. Security budget allocation and resource planning should reflect the priority
given to security within the overall facility management system. Budget allocation
ensures that necessary funds are available for and dedicated to operating,
maintaining and continuously improving the security system. Resource planning
25

involves a detailed plan to identify, obtain and properly use financial and human
resources, training, equipment, and infrastructure for security.
4.16. The operator’s budget allocation and resource planning process should
include the following activities:
(a) Establishing objectives and goals for the security system that are consistent
with the policies of the organization;
(b) Determining the resources necessary to ensure the effectiveness of the
security system;
(c) Ensuring that all individuals with security responsibilities are trained and
competent to perform their duties;
(d) Providing the necessary resources to operate the security system;
(e) Establishing metrics to ensure the effective use of budget and resources;
(f) Reviewing regularly the expenditure of resources against budget and
resource projections and ensuring that action is taken to address deviations.
The information and knowledge of individuals within the organization should
also be managed as a resource so that it is retained over time.
4.17. Staff with security responsibilities should provide input into the budget and
planning process, as appropriate, as well as use resources efficiently.
PERFORMANCE TESTING
4.18. Paragraph 6.57 of Ref. [3] states:
“Performance testing, which should be integral to the evaluation process,
includes the investigation, measurement, validation or verification of one or
more of the following:
— Personnel, to verify that they understand the security system, follow
procedures and use the system properly and as intended;
— Procedures, to verify that the procedures produce the desired result
and that personnel understand and properly follow them;
— Equipment, to verify that equipment functions as intended and is
effective.”
Paragraph 6.58 of Ref. [3] states that “The regulatory body should require
the operator to develop and implement an evaluation process that includes
26

performance tests, as appropriate”. Facility personnel, contractors or a
combination thereof should be assigned the responsibility for scheduling and
implementing performance tests as part of the evaluation process.
4.19. The operator should conduct appropriate performance tests that include both
limited scope tests that focus on one component or a few components at a time
and system‑wide tests of the entire security system. For example, performance
tests may be conducted when the functionality or effectiveness of a particular
security system component or security management element is in question. The
results of all performance tests conducted should feed into the ongoing evaluation
process. Corrective action should be taken when performance testing indicates
that any of these items are defective or not performing adequately.
4.20. There are several types of performance tests, such as those testing the
following:
(a) Operability, to confirm the operability and functionality of an individual
component or system;
(b) Effectiveness, to determine how well the component or system performs;
(c) Simulated adversary testing, to test how a component, group of components
or the entire system performs against a specified threat scenario.
4.21. For each performance test, a specific plan should be developed,
including the following:
(a) Test objective(s) indicating what is to be accomplished by conducting the
performance test;
(b) References to the manufacturer’s performance specifications;
(c) The conditions for conducting the performance test;
(d) The test control measures taken to ensure the performance test is valid;
(e) A description of the resources that are needed to conduct the performance
test;
(f) Any coordination needs, such as who approves or acknowledges the conduct
of the performance test;
(g) The procedure for conducting the performance test;
(h) Criteria for evaluation of the results of the performance test.
An example of a performance test plan is provided in Annex III.
27

4.22. After conducting a performance test, the operator should document the
results, identify any deficiencies and determine corrective actions to address them.
The operator should retain all documentation relating to the performance tests.
4.23. Regular performance testing and the review of the results of sequential
performance tests can help to identify trends that might need to be addressed to
maintain system effectiveness.
RECEIPT AND TRANSFER PROCEDURES
4.24. The regulatory body should specify requirements for receipt and transfer
of radioactive material as part of its regulations for the security of radioactive
material, including requirements for radioactive material to be transferred only
to persons authorized by the regulatory body to receive the material. These
requirements may be included as part of general regulations or safety regulations.
These requirements are intended to prevent security from being compromised
when radioactive material is transferred outside the facility, a stage at which it is
especially vulnerable.
4.25. Procedures should be in place to ensure continuity of regulatory control
when radioactive material is received from or prepared for shipment. The operator
should develop, follow and document compliance with procedures to ensure that
the security and control of radioactive material is maintained when it is being
received from or prepared for shipment outside the facility and that it is only
transferred to persons authorized to receive it.2
4.26. These procedures should ensure at a minimum that the operator performs
the following actions:
(a) Determines in advance when radioactive material will be received or
transferred;
2
International transfers are addressed by export controls consistent with the
supplementary Guidance on the Import and Export of Radioactive Sources [10], which
is beyond the scope of this Technical Guidance. Transport security, including preparation
of radioactive material for transport and development of transport security plans has to be
addressed by measures consistent with IAEANuclear Security Series No. 9‑G (Rev. 1), Security
of Radioactive Material in Transport [6], which is also beyond the scope of this Technical
Guidance.
28

(b) Verifies that the recipient of any radioactive material to be transferred is or
will be authorized to receive it before the material is shipped;
(c) Identifies any security measures that will not be fully effective when the
radioactive material is being accepted or prepared for shipment and any
associated vulnerabilities;
(d) Establishes and implements compensatory security measures that address
any vulnerabilities identified;
(e) Restores normal security measures as soon as possible when acceptance or
transfer is complete;
(f) Updates the facility inventory and reports to the regulatory body that the
radioactive material has been received or transferred to another licensed
facility, to allow for updating of the national registry.
5. CONTENTS OF A SECURITY PLAN FOR
RADIOACTIVE MATERIAL IN USE AND STORAGE
5.1. This section contains guidance on the preparation of a security plan for
radioactive material in use and storage, including on the proposed structure
and contents of the plan. This section is structured under seven subsections,
corresponding to the sections of a facility security plan. This structure builds
on the guidance provided in appendix II to Ref. [3]. A detailed example facility
security plan is provided in Annex IV.
5.2. The security plan should take into account any applicable national regulatory
requirements. Each facility should develop its own security plan in accordance
with applicable regulations and facility policies and practices.
INTRODUCTION
5.3. In this section of the security plan, the facility to which the security plan
applies should be briefly identified, along with relevant background information
for the security plan. The regulatory requirements on which the security plan is
based should be described, as well as the objectives it satisfies and the scope of
the security plan.
5.4. As part of the elaboration of the plan’s scope, connections to other relevant
documentation or plans should be described, such as management, operational,
29

radiation protection or emergency arrangements. Areas where security interacts
with or impacts other management systems, especially those for safety,
should be addressed.
5.5. The process for developing, approving and updating the security plan should
also be described in this section, as well as how the security plan is reviewed and
updated. It should be specified that reviews and updates are to be undertaken
at a prescribed interval specified by the regulatory body, as applicable, and as
necessary to address new threat information, changes in facility operations or any
other development that could affect the effectiveness of the security system.
FACILITY DESCRIPTION
5.6. This section of the security plan should describe the purpose or mission
of the facility and its operating organization, the activities involving radioactive
material, the radioactive material to be protected as part of the plan, its location,
the level of protection required by the regulatory body for the material and the
physical and operational environment of the facility.
5.7. Information on the radioactive material and associated equipment or
devices covered by the security plan should include the radionuclide(s), the
current activity as well as the activity at the time that the source was imported
with associated reference dates, chemical and physical forms, radioactive source
or device serial number, equipment or device brand and model and manufacturer.
Further, the categorization of the radioactive material and the associated security
level should be identified, according to the applicable regulations, and the basis
for this identification should be explained.
5.8. In addition, the physical features of the facility and its surrounding
environment should be described in this section, including diagrams and scale
floor and building drawings and photographs. The physical descriptions should
indicate areas accessible to the public, roads and parking areas, nearest public
thoroughfares, the central security office, the building and site perimeter, access
points and physical barriers. In addition, the facility’s surrounding environment
should be described, including areas for industrial, commercial, residential or
other uses, approximate distances to nearest police stations and other response
services and the proximity to other buildings, roads and other features of security
or operational interest, such as other facilities with hazardous materials. Security
features should not be described in this section of the security plan, but rather in
the security system section.
30

5.9. Finally, a description of the facility operations should be provided,
including working and non‑working hours, the number and type of staff involved
in the facility’s operations and the typical number, type and frequency of visits
of non‑staff in the facility during scheduled operations or at any other time.
Non‑staff could include visitors, members of the public, patients, customers,
service personnel or contractors.
SECURITY MANAGEMENT
5.10. This section of the security plan should describe the security management
measures in place and the duties of management and staff that ensure the effective
implementation of these measures. This should include information on roles and
responsibilities, access authorization, trustworthiness assessment, information
protection, budget allocation and resource planning, evaluation for compliance
and effectiveness, and the maintenance programme for the security system.
Further information on these topics is provided in paras 5.11–5.19.
5.11. The assignment of all roles and responsibilities relevant to the security of
radioactive material should be documented in the security plan, including the
roles and responsibilities of the following:
(a) Leadership, management and supervisors;
(b) Staff directly responsible for the security of radioactive material;
(c) Staff with responsibility for regulatory matters, including the licensee,
radiation protection officer(s), security personnel, advisers, guards and staff
in positions specifically required by regulation.
These roles and responsibilities should be presented in the form of a table.
5.12. In addition, an organizational chart showing the staffing structure with lines
of authority and supervision should be included that demonstrates how the security
organization and responsibilities fit within the overall facility organization.
5.13. The process for authorizing personnel who need unescorted access to
radioactive material, secured areas and/or security sensitive information in order
to perform their duties (which might or might not be directly related to nuclear
security) should be described in the security plan, including information on how
to do the following:
(a) Identify which positions need unescorted access;
31

(b) Verify that the individuals holding the identified positions have the necessary
qualifications and training (see para. 5.14);
(c) Verify that the individuals holding the identified positions are trustworthy
(see para. 5.15);
(d) Perform the timely withdrawal of access for individuals who no longer
need it;
(e) Conduct periodic review and re‑evaluation for particular circumstances;
(f) Maintain up‑to‑date records of personnel authorized for unescorted access.
5.14. The information on how to verify that individuals holding positions that need
unescorted access have the necessary qualifications and training should cover the
following, drawing on the information on positions with security responsibilities
from paras 3.45–3.52:
(a) The established specifications for qualification of staff with security
responsibilities, including any qualifications required by the regulations or
licence conditions;
(b) The training to be provided to each individual, including the needed initial,
specialized, advanced or refresher training for each position with security
responsibilities;
(c) Security awareness training for all staff and any other relevant specific
on‑the‑job training, such as training involving procedures and work
instructions;
(d) The provider(s) of the identified training and how frequently each training
is to be conducted;
(e) The training records that document satisfactory completion of all security
related training.
This information can be presented in the form of a table.
5.15. The security plan should clearly describe the process that is used to verify
that individuals holding positions that need unescorted access are trustworthy,
including any requirements for periodic review or re‑evaluation for particular
circumstances. This description should cover the following:
(a) Identification of the individuals whose trustworthiness is to be assessed, on
the basis of their need for access authorization;
(b) Identification of the applicable requirements for trustworthiness in the
regulations for the security of radioactive material, licence conditions or
elsewhere, including any requirements that vary depending on the security
level or other factors;
32

(c) Indication of the method by which each individual is assessed;
(d) Stating which records are maintained and kept confidential as part of the
trustworthiness assessment.
5.16. Informationthatneedstobeprotectedbasedonregulatorybodyrequirements
or facility management policies should also be described. Examples of such
information include the following:
(a) Location and inventory of the radioactive material;
(b) Access authorization and access control measures;
(c) Security system design, equipment details and diagrams;
(d) Lock combinations and key codes;
(e) Information on the threat and vulnerability assessments;
(f) Temporary or long term weaknesses in the security system;
(g) Security staffing arrangements;
(h) The means of response to events or alarms;
(i) Planned dates, routes, and mode of shipment or transfer of radioactive
material;
(j) Security plan and procedures, response plans and related arrangements and
measures;
(k) Private information relating to individuals’ background checks.
5.17. In addition, measures used to protect this information should be described,
such as the following:
(a) How the protected information is identified, such as the use of markings
or other designators to ensure all users of this information recognize it as
needing protection;
(b) The particular forms of the protected information, such as paper documents,
electronic media or closed‑circuit television (CCTV) recordings;
(c) Where the protected information is stored and who has custody of it;
(d) Who has access to sensitive information and how that access is determined
(e.g. Is the information required to perform someone’s job? Do they have an
appropriate level of trustworthiness?);
(e) Which protection measures are in place to prevent unauthorized access when
the information is being used or is being stored (e.g. physical protection,
encryption);
(f) Which requirements are in place for preventing unauthorized access when
the protected information is being reproduced or transmitted within or
outside the facility;
33

(g) How the protected information is destroyed to prevent recovery when no
longer needed, including who is authorized to destroy it and by which means
the various forms of information will be destroyed.
5.18. Finally, the methods for conducting and implementing resource planning
for security should be summarized, including descriptions of how the objectives
and goals for the security system are established in accordance with the policies
of the organization and how the resources necessary to ensure the effectiveness
of the security system are determined and provided. All security related activities
of the security system should be considered, including human resources, training,
operational costs and equipment maintenance. In addition, a description of how
metrics are established to ensure the effective use of budget and other resources
should be included, as well as of how the expenditure of resources is reviewed
against budget and resource projections and how it is ensured that actions are
taken to address any deviations.
5.19. Instead of describing in detail the methods for conducting and implementing
resource planning for security in the security plan, references to appropriate
documentation can be considered to be sufficient.The process for verifying that the
facility security system is in compliance with all applicable security requirements
should be described, as well as the process for assessing the effectiveness of the
documented security system to identify any weaknesses that should be corrected
and any opportunities for continuous improvement, including arrangements for
performance testing.
SECURITY SYSTEM
5.20. This section of the security plan should include a description of how the
current security system is designed and implemented, in accordance with the
State’s applicable regulations for the security of radioactive material. This should
include any consideration given to the threat information provided to the facility
and a description of the security assessment methodology and the security system
design, including annotating layers of security on the facility layouts with their
associated access control, detection and delay measures. Each of these topics is
addressed in paras 5.21–5.26.
5.21. The threat information provided to the facility by the regulatory body or
other competent authorities should be summarized as well as how and when this
information was provided to the facility. To the extent that the threat information
is provided to the facility by the regulatory body or other competent authorities,
34

this information should be summarized in the security plan to indicate how the
security system is designed to protect against both external adversaries and
insider threats. Information should also be included addressing which personnel
at the facility are responsible for receiving threat information, including any
notifications from the regulatory body or other competent authorities of a specific
threat or of an increase in an existing threat, and how such information is to be
appropriately shared with facility personnel who have a need to know.
5.22. The description of the security assessment methodology should include
how the threat information provided to the facility is used in the assessment.
The description of the methodology should also include the results of the initial
security assessment that was used as input to the security system design, if
applicable. The evaluation and vulnerability assessments should be periodically
updated as part of any review or update of the security plan and in accordance with
licensing requirements. The security plan should address how the evaluation and
vulnerability assessments will be updated and how they will be adapted to address
any new threat information, any changes in the facility operations or any other
developments that could affect the security system performance or vulnerabilities.
5.23. The description of the security system design should note how a graded
approach and the concepts of security design, for example, defence in depth,
timeliness, robustness and balanced protection were taken into account including
description of the layers of protection provided around each secured area identified
in the facility layout.
5.24. The description of the security system design should include information
on the detection, delay and response measures deployed and how these measures
are implemented in an integrated and balanced way along security layers. The
description should include the following, for each of the layers of protection
around each secured area:
(a) The measures used to detect unauthorized access including, as applicable,
both intrusion detection systems and observation by facility personnel;
(b) The measures used to assess the detection of unauthorized access, including
personnel and equipment supporting the assessment;
(c) Any barriers or other delay measures used to increase the adversary task
time relative to the response time.
35

5.25. The description of the security system design should also include access
control measures across security layers, such as:
(a) How personnel are physically controlled at each access control point;
(b) Specific media used to authenticate the identity of authorized persons
such as key cards, personal identification numbers, biometric devices or
combinations of these;
(c) Procedures to be followed by authorized persons to access a secured area
including, where relevant, the application of the two‑person rule;
(d) Procedures to be followed for non‑routine access (e.g. medical emergencies,
fires, criticality alarms, security incidents);
(e) List of personnel who have access to radioactive material.
5.26. Threat information and the descriptions of the security assessment
methodology and security system design can be placed in appendices to which
access is limited to authorized personnel with a need to know.
SECURITY PROCEDURES
5.27. The written procedures that provide instructions to the personnel responsible
for operating and maintaining the security measures should be summarized in the
security plan. The procedures themselves should be separate documents and could
be included individually as appendices to the security plan. These procedures
include those for routine, off‑shift and emergency response, for opening and
closing the facility, for access control, for accounting and inventory and for receipt
and transfer of radioactive material.
5.28. The summary of the procedures for routine, off‑shift and emergency
response should include information on how the assigned personnel, such as
staff and contractors, will operate the security systems and discharge their other
security related responsibilities during regular business hours, non‑business hours
(off‑shift or after‑hours operations when staff are not ordinarily present, generally
at nights, on weekends, and during holidays), and during emergency response.
5.29. The summary of the procedures for the opening and closing of the facility
should include general information on procedures used for opening and closing
each secured area within the facility, particularly activities such as the unlocking
and locking of doors and other barriers and communications with the central
alarm station to deactivate and activate detection systems. The summary of the
procedures should identify who within the organization is responsible for opening
36

Security Management of Radioactive Material in Use and Storage and of Associated Facilities

Security Management of Radioactive Material in Use and Storage and of Associated Facilities

Recommended

Recommended

More Related Content

Similar to Security Management of Radioactive Material in Use and Storage and of Associated Facilities

Similar to Security Management of Radioactive Material in Use and Storage and of Associated Facilities (20)

More from VICTOR MAESTRE RAMIREZ

More from VICTOR MAESTRE RAMIREZ (20)

Recently uploaded

Recently uploaded (17)

Security Management of Radioactive Material in Use and Storage and of Associated Facilities