HireSecurityNow.com
Security Post Orders Explained: What They Are & Why They Matter (2026)
Buying Guides

Security Post Orders Explained: What They Are & Why They Matter (2026)

18 min read

HireSecurityNow.com Editorial Team

July 5, 2026 · 18 min read· Fact-checked

In this guide

Post orders are the site-specific playbook for every security post. Here's what a strong set includes, who writes them, and why a provider without them is a red flag.

Quick answer

Post orders are the written, site-specific instructions that tell a security officer exactly what to do at a given post — who may enter, where and how often to patrol, what to log, whom to call, and how to handle emergencies. They are the single most important operational document in a guarding contract. A professional provider builds them for your site, delivers them at the post, and asks you to approve them; a weak one shows up without them. Insist on detailed, signed, site-specific post orders — and settle who owns them — before the first shift.

What post orders are and why they exist

Post orders are formal, site-specific, task-oriented written instructions that define the duties, responsibilities, and procedures for the security officers assigned to a particular location and shift. They are not the same thing as a company handbook or general policy. A handbook says how the security firm runs; post orders say what happens at your front desk, on your loading dock, at 2 a.m., when a specific situation occurs.

They exist because security is a job that runs 24/7 across rotating officers who may never have set foot on your property before their first shift. Without a written playbook, each officer relies on memory, guesswork, or whatever the last person told them — which produces inconsistency, missed duties, and avoidable incidents. A widely cited quality test is simple: could an officer who has never been to your site perform every duty correctly just by reading the post orders? If the answer is no, they are not detailed enough.

This is the one place the "site-specific" point needs to land, so we'll make it concrete here. Because every property has different access points, tenants, hours, and risks, post orders have to be tailored — a generic template creates blind spots by describing a building that isn't yours. A mobile patrol route through a construction yard with fuel and open fencing looks nothing like a fixed post at a corporate lobby, and a retail floor with a loss-prevention program is a different world from a warehouse. The value of post orders is precisely the detail a template cannot know. The clearest way to see the difference is to compare the same duty written two ways:

Sample: a weak instruction vs. a strong one (same duty)

Duty: visitor management at the main lobby. Apply the "first-time officer" test to each version.

Weak (a blind spot): "Monitor the lobby and greet visitors."

Strong (site-specific and executable): "For every visitor without a company badge: verify a government photo ID against the day's access list; if the name is not listed, call the host at their desk extension for authorization before granting entry; issue a numbered visitor badge; log name, company, host, time-in and time-out in the visitor register; direct the visitor to the east elevators only. Do not admit vendors before 8:00 a.m. or without a scheduled delivery on the dock manifest."

The first sentence can be performed a dozen different ways — or barely at all — and still be defended after an incident as "the lobby was monitored." The second can be audited line by line, and a brand-new officer can execute it correctly on shift one. Every strong instruction in your post orders should read like the second version.

Why post orders protect you

Post orders do four things that directly protect the buyer, not just the guard.

Consistency. Every officer on every shift performs the same core duties the same way — the night officer, the day officer, and the weekend relief all patrol the same route and check the same access points. Consistency is what turns "we have a guard" into "we have security."

Accountability. When duties are written down, you can measure whether they were performed. Patrol logs, tour-scan records, and shift reports become checkable against the post orders. This is how you hold a vendor to the service they sold you instead of paying for a body in a chair.

Liability protection. This is the part buyers underrate. When something goes wrong on a property — a theft, an assault, an injury — post orders are among the first documents pulled in litigation. In negligent-security and premises-liability cases, a security contractor's duty is generally defined not by the property owner's broad duty to keep premises safe, but by what the contractor actually undertook — and courts look closely at the service contract and the post orders to determine whether a duty existed and how far it extended. Detailed, followed post orders are evidence that the provider exercised reasonable care.

Vague language can cut the other way — and there is a hard lesson buried in exactly the phrasing many contracts use. Courts have held that scope-of-work language limited to "maintaining high visibility" and acting "as a deterrent" against criminal activity creates no legal duty to protect the people on the property, because it describes a property-focused undertaking rather than a promise to protect specific persons (see Hoisington v. TZ Winston-Salem Assocs., 133 N.C. App. 485 (1999)). That is a double-edged fact for buyers: deterrence wording may limit a provider's exposure, but if you are buying protection of people and your documents only promise "visibility," you may not be getting — or be able to enforce — what you think you paid for. Insurers rely on the same documents when evaluating risk and adjusting claims. (Liability outcomes are highly fact- and state-specific; this is general information, not legal advice, and you should have counsel review your contract and post-order language.)

Training and continuity. Post orders are a training and quality-control tool. A well-written set lets a trained officer step into an unfamiliar post and operate correctly on day one, and it preserves institutional knowledge when officers turn over — which, in this industry, they do often.

Buyer tip: Before you sign, ask the provider to walk you through how their post orders connect to their reporting. If duties are written but never logged or audited, you have documentation theater, not accountability. See our guide to security guard contracts and insurance for the clauses that make this enforceable.

What a strong set of post orders includes

Depth matters more than length, but a genuinely strong set covers all of the following. The third column turns this reference into a diagnostic: read what happens when a section is missing or vague, and you can grade any set of post orders in front of you.

SectionWhat it should containRed flag if missing or vague
Site overviewProperty name, address, layout, hours of operation, tenant/occupant list, key areas, and known site quirks (propped-open doors, chronic problem entrances, late-arriving vendors).Generic or copied from another site — a sign no real assessment happened and officers don't know the building.
Post-by-post dutiesExactly what the officer at each post does, shift by shift — lobby, gate, dock, control room — with specific tasks, not "monitor the area.""Monitor," "observe," "maintain a presence" with no concrete actions — unmeasurable and unauditable.
Patrol routes and frequencyNamed routes, checkpoints, tour intervals, and what to inspect at each point (locks, lighting, fire doors, hazards).No named checkpoints or intervals — patrols can't be verified and coverage gaps hide easily.
Access controlWho may enter and how they are verified; visitor check-in, contractor and delivery procedures, key/badge control, and restricted-area rules.No verification steps or restricted-area rules — the most common source of preventable losses.
Emergency and escalation proceduresStep-by-step response to fire, medical events, active threats, evacuations, power/utility failures, and severe weather — plus the escalation ladder: who is notified, in what order, and when to call 911.Missing scenarios or no notification order — the sections most likely to be tested in a real event and scrutinized afterward.
Reporting and loggingWhat gets documented and how — daily activity reports, incident reports, patrol/tour records — held to the standard of "facts, not opinions."No standard formats or timelines — reports arrive late, inconsistent, or not at all.
Use-of-force and detention limitsSite-specific limits stated in writing: no-pursuit rule, no physical restraints (or when they are allowed), loss-prevention dollar thresholds before a stop, and weapons-handling and holster rules for armed posts — plus a pointer to the firm's full use-of-force and detention policy.Silent, or "follow company policy" with no site limits — leaves officers improvising force and detention decisions your liability rides on.
ContactsClient contacts, property management, the security supervisor chain, local police/fire non-emergency numbers, and after-hours escalation.Out-of-date or one name only — no one to reach when it matters at 3 a.m.

The best post orders read like a quick-reference operating manual: specific, organized, and scannable — not a legalistic binder no one opens, and not a one-page sketch. If you're standing up armed coverage, expect the use-of-force and weapons sections to be substantially more detailed; compare the tradeoffs in armed vs. unarmed security and, for pricing, our security cost calculator.

How post orders relate to your contract and scope of work

Buyers often treat post orders as a standalone operational file, but legally and commercially they sit inside a document hierarchy — and getting that hierarchy right prevents the "which document controls?" fight after an incident.

  • Master Service Agreement (MSA) / contract — the commercial and legal terms: pricing and bill rates, term and termination, insurance and indemnification, liability limits, and confidentiality. This is the top of the stack.
  • Scope of Work (SOW)what you are buying: which posts, how many officers, hours of coverage, armed vs. unarmed, and the service standards. Usually an exhibit to the MSA.
  • Post ordershow the work is executed at each post, day to day. They operationalize the SOW at the officer level.

The practical rule: your post orders should be referenced and incorporated by the contract (as a named exhibit or by reference), not left floating as a detached operational document the sales team hands over informally. Ask that the MSA or SOW state which document controls if they conflict — typically the higher-order contract and SOW govern commercial terms and the defined scope, while the post orders govern operational detail. If your post orders promise more (or less) than your SOW, resolve it before signing, because in litigation both will be read together.

Buyer tip: Have your counsel confirm the contract expressly incorporates the current, signed post orders by reference and names a conflict-resolution order. A post-order file that no contract points to is the first thing a defense — or a plaintiff — will exploit.

Who writes them — the client's and provider's roles

Post orders are a collaboration, and getting the roles right separates a professional engagement from a commodity one. The security provider typically drafts the initial version after a physical site assessment — walking the property, mapping access points and vulnerabilities, and interviewing your staff and its own supervisors. That is its expertise: knowing what patrol coverage and emergency protocols should look like.

But the client is not a passive recipient. You supply the ground truth the provider cannot know — tenant relationships, sensitive areas, house rules, your risk tolerance — and you hold final review and approval. The post orders should be signed off by you, and every material update should go through the same collaborative loop. Building this into the relationship is part of hiring well; our step-by-step on how to hire a security guard company and the broader security guard services overview walk through what to expect. When you're ready to compare providers who work this way, you can get quotes or browse vetted security companies in your area.

Who pays to write them — and are updates billable?

This is a concrete purchasing question the sales conversation usually skips. The site assessment and initial post-order development take real hours, and providers handle the cost two ways: some bundle it into your hourly bill rate as part of onboarding/mobilization, while others charge a one-time setup or assessment fee as a separate line item. Neither is wrong — but you should know which one you're paying, so a "free" set isn't quietly priced into a higher rate, and a setup fee isn't sprung on you after you've committed.

Ask the second question too: are updates billable? Routine, expected revisions — the annual review, and updates after an incident or a site change — should generally be included in the service, not treated as change-order work you're nickel-and-dimed for. Get the answer in the SOW: who develops the orders, whether there's a setup charge, and that ordinary updates are covered. For how development and coverage costs fit into the overall number, run the scenarios in our security cost calculator.

Who owns the post orders — and can you take them when you switch?

Post orders codify your site's security knowledge — its access points, patrol logic, escalation contacts, and hard-won fixes for chronic problems. That makes ownership a live buyer concern the moment you consider changing providers. If the vendor treats the post orders as their proprietary work product, switching providers means your new firm rebuilds them from scratch — a fresh assessment, weeks of ramp-up, and the loss of everything the last team learned about your building.

Negotiate this up front, in the contract, not after the relationship sours. At a minimum, secure a copy-on-termination clause entitling you to the current post orders (and ideally the underlying site assessment and reporting history) in a usable format when the engagement ends. Better still, have the contract state that the site-specific post orders are your property or a joint work product you may take with you — while the provider keeps its generic templates, forms, and internal policies. This is the same "make it enforceable up front" logic covered in our guide to security guard contracts and insurance; treat ownership and portability as standard contract terms, not afterthoughts.

Confidentiality: your post orders are sensitive security documentation

A complete set of post orders is effectively a map of your site's vulnerabilities — every access point, camera blind spot, problem entrance, and the exact steps to respond (or the gaps in that response). In the wrong hands that's a gift to anyone planning theft or worse. Treat the document accordingly: expect controlled distribution (officers get what their post requires, not the full binder for the property), secure storage (locked or access-controlled, digital copies behind authentication), and handling/NDA terms in the contract covering who may see, copy, or retain the orders — including after an officer leaves or the engagement ends. If a provider emails the full set around freely or leaves a printed binder open at the desk, that lax handling is itself a red flag.

Digital delivery and guard-management technology

Modern post orders increasingly live in a guard-tour or guard-management platform rather than a paper binder, and buyers should expect — and evaluate — that software layer. Done well, it is the strongest defense against documentation theater, because it ties the daily record directly back to the orders:

  • Mobile post orders at the post — officers pull up the current instructions on a phone or tablet on shift, so there's no excuse of "the binder was outdated" and updates reach every post instantly.
  • Electronic acknowledgment — each officer e-signs that they've read the orders (and each revision), creating a timestamped record of who knew what and when.
  • Geo-tagged tour verification — NFC/QR/GPS checkpoints prove patrols actually happened, on the required interval, and map each scan back to the checkpoints your post orders define. That's how "patrol routes and frequency" stops being an aspiration and becomes provable.
  • Real-time logs tied to the orders — daily activity and incident reports are captured against the specific duties, so you (and, later, an insurer or court) can check performance against the written standard rather than taking a shift report on faith.

When you compare providers, ask what platform they use, whether you get read access to reporting and tour data, and how mobile updates are pushed and acknowledged. A provider still running on an unauditable paper binder isn't disqualified — but a technology layer is now a reasonable buyer expectation, and it's what converts "we wrote it down" into "we can prove it happened."

Post orders, emergencies, use of force, and detention

This is where post orders stop being administrative and start being legally load-bearing.

Emergencies. Emergency and escalation procedures are the sections most likely to be tested in a real event and scrutinized afterward. They should spell out concrete actions and a clear notification order for each scenario type. There is also an OSHA dimension worth getting right for a contract-guard buyer. Under OSHA's General Duty Clause, Section 5(a)(1) of the Occupational Safety and Health Act, employers must furnish a workplace "free from recognized hazards" likely to cause death or serious harm, and OSHA uses this clause — backed by published enforcement guidance — to treat workplace violence as a recognized hazard (there is no dedicated workplace-violence standard). The attribution matters: for the guards themselves, that duty runs to the security firm as their employer, not to you; your own General Duty Clause obligation runs to your employees. What can extend some responsibility to you as the host business is OSHA's multi-employer worksite doctrine (Directive CPL 02-00-124), under which a "controlling" or host employer can be partly responsible for hazards it controls on its site — held to a reasonable-care standard that is deliberately lower than the one for protecting its own workers. The concrete tie to post orders: the emergency-response and escalation sections are a documented feasible-abatement measure — evidence that recognized hazards (an active threat, a medical event) were identified and addressed at the officer level.

Use of force and detention. The key fact for buyers is that, in the United States, a private security officer generally has no more legal authority than an ordinary private citizen. Their power to act comes from self-defense and defense-of-others law, the property owner's right (delegated to the guard) to deny entry and remove trespassers, and — for retail theft — state "shopkeeper's privilege" (merchant detention) statutes, which in most states allow a brief, reasonable detention on reasonable grounds or probable cause to investigate suspected theft, using only reasonable force, without it constituting an arrest. Citizen's-arrest authority is a separate and often stricter path that varies widely by state — commonly requiring that a felony was in fact committed, or that a breach-of-the-peace misdemeanor occurred in the officer's presence — and it carries greater liability. Any force used must be lawful, necessary, reasonable, and proportionate to the threat as it appeared at the time; even handcuffing is treated as a use of force. Unlawful or overlong detention (false imprisonment) and excessive force are among the most-litigated areas in the industry, and an employer can be liable for its officers' conduct under vicarious liability. Because these rules are state-specific, see whether security guards have arrest powers for the detail.

Post orders grant none of this authority — but they should reference the provider's use-of-force and detention policy and, critically, state the limits at your site. Many professional firms restrict by policy what statutes would otherwise permit (no-chase rules, dollar thresholds for loss-prevention stops, or restrictions on restraints) precisely to cap liability. For armed security, this section must be airtight.

Buyer tip: Make sure the use-of-force and detention limits in your post orders match your actual risk appetite. If you don't want officers physically pursuing shoplifters, that instruction belongs in writing before an incident — not in a deposition after one.

How to keep post orders current

Post orders are living documents, not a one-time deliverable. Conditions change — tenants move, entrances get rekeyed, new risks emerge — and stale instructions can be as dangerous as none. The industry norm is to review post orders at least annually and after any of these triggers: a significant incident, a change in the site's physical layout or access, a change in hours or occupancy, a new risk or threat, or a change in the scope of the security program. Every revision should be dated, version-controlled, acknowledged by the officers on post, and re-approved by the client — exactly the kind of record a guard-management platform captures automatically. Also confirm the provider's training keeps pace with the orders; requirements vary by jurisdiction, which our state training requirements guide breaks down. Recognized industry frameworks such as the ASIS International Private Security Officer Selection and Training Guideline (current edition ASIS PSO-2019) offer a benchmark for how officers should be selected and trained to execute those orders.

The buyer's script: four questions to ask any provider

The fastest way to separate a professional firm from a weak one is to ask four questions during the sales process and listen for the difference between a strong answer and a weak one. Use this as a checklist:

Ask thisStrong answerWeak answer (walk away)
"Show me a sample post order and tell me how you'll build ours."Produces a real, site-specific example and describes a physical site assessment before drafting, with your sign-off."Our guards know what to do." Offers a generic template, or nothing, and skips the walkthrough.
"How do the post orders connect to your daily reporting and tour verification?"Shows logs, tour scans, and reports that map back to the written duties — ideally in a guard-management platform you can access.Duties exist on paper but are never logged or audited — documentation theater.
"Is there a setup fee, and are updates billable?"Clear on whether development is bundled or a line item, and confirms routine annual/post-incident updates are included.Vague on cost, or treats every revision as billable change-order work.
"Who owns the post orders, and do I get a copy if we part ways?"Agrees your site-specific orders are yours or provides a copy-on-termination clause, with confidentiality/handling terms.Claims the orders as proprietary with no copy on exit — locking you in and resetting your institutional knowledge.

If your incumbent provider can't produce current, signed, site-specific post orders on request — or can't answer these four questions cleanly — that is not a paperwork gap; it is a signal about the whole operation, and a reason to get competing quotes.

Frequently asked questions

What's the difference between post orders and the security contract or scope of work?+
They sit in a hierarchy. The Master Service Agreement (contract) sets the commercial and legal terms — pricing, term, insurance, indemnification, confidentiality. The Scope of Work defines what you're buying — which posts, how many officers, hours, armed vs. unarmed. Post orders define how that work is executed at each post, day to day. Post orders should be referenced and incorporated by the contract as a named exhibit, not left as a detached file, and the contract should say which document controls if they conflict — usually the contract and SOW for commercial terms, the post orders for operational detail.
Who pays to write post orders, and are updates billable?+
The site assessment and initial development take real hours, and providers handle it two ways: bundled into your hourly bill rate as onboarding, or charged as a separate one-time setup/assessment fee. Ask which one you're paying so a 'free' set isn't quietly priced into a higher rate. Also confirm that routine updates — the annual review and post-incident or site-change revisions — are included in the service rather than billed as change-order work. Get all of this stated in the scope of work.
Who owns the post orders if I switch security providers?+
It depends on your contract, which is exactly why you should settle it up front. If the vendor treats the orders as proprietary, switching means your new firm rebuilds from scratch and you lose everything the last team learned about your site. At minimum, negotiate a copy-on-termination clause entitling you to the current post orders in a usable format when the engagement ends; better, have the contract state that your site-specific orders are your property (the provider keeps only its generic templates and internal policies).
Where should post orders be kept and who can see them?+
Treat them as sensitive security documentation — they map your access points, blind spots, and vulnerabilities. Expect controlled distribution (officers get what their post requires, not the full binder for the whole property), secure storage (locked or access-controlled physically, behind authentication digitally), and NDA/handling terms in the contract covering who may see, copy, or retain them, including after an officer leaves. Freely emailed or unattended binders are a red flag. Modern providers increasingly deliver post orders through a guard-management app with per-officer access and electronic acknowledgment.
Can vague post orders actually reduce a security company's liability?+
They can — which is a double-edged fact for buyers. In negligent-security cases, courts define a contractor's duty by what it actually undertook, reading the contract and post orders together. Language limited to 'maintaining high visibility' and acting 'as a deterrent' has been held to create no duty to protect the people on a property, because it describes a property-focused undertaking rather than a promise to protect persons (Hoisington v. TZ Winston-Salem Assocs., 1999). So if you are buying protection of people but your documents only promise 'visibility,' you may not be able to enforce what you thought you paid for. Have counsel align the post-order and contract language with the protection you actually want.

Share this guide

Need to hire a security company?

Get free quotes from licensed security companies in your area.

Get free quotes