Post orders are the site-specific playbook for every security post. Here's what a strong set includes, who writes them, and why a provider without them is a red flag.
Post orders are the written, site-specific instructions that tell a security officer exactly what to do at a given post — who may enter, where and how often to patrol, what to log, whom to call, and how to handle emergencies. They are the single most important operational document in a guarding contract. A professional provider builds them for your site, delivers them at the post, and asks you to approve them; a weak one shows up without them. Insist on detailed, signed, site-specific post orders — and settle who owns them — before the first shift.
What post orders are and why they exist
Post orders are formal, site-specific, task-oriented written instructions that define the duties, responsibilities, and procedures for the security officers assigned to a particular location and shift. They are not the same thing as a company handbook or general policy. A handbook says how the security firm runs; post orders say what happens at your front desk, on your loading dock, at 2 a.m., when a specific situation occurs.
They exist because security is a job that runs 24/7 across rotating officers who may never have set foot on your property before their first shift. Without a written playbook, each officer relies on memory, guesswork, or whatever the last person told them — which produces inconsistency, missed duties, and avoidable incidents. A widely cited quality test is simple: could an officer who has never been to your site perform every duty correctly just by reading the post orders? If the answer is no, they are not detailed enough.
This is the one place the "site-specific" point needs to land, so we'll make it concrete here. Because every property has different access points, tenants, hours, and risks, post orders have to be tailored — a generic template creates blind spots by describing a building that isn't yours. A mobile patrol route through a construction yard with fuel and open fencing looks nothing like a fixed post at a corporate lobby, and a retail floor with a loss-prevention program is a different world from a warehouse. The value of post orders is precisely the detail a template cannot know. The clearest way to see the difference is to compare the same duty written two ways:
Duty: visitor management at the main lobby. Apply the "first-time officer" test to each version.
Weak (a blind spot): "Monitor the lobby and greet visitors."
Strong (site-specific and executable): "For every visitor without a company badge: verify a government photo ID against the day's access list; if the name is not listed, call the host at their desk extension for authorization before granting entry; issue a numbered visitor badge; log name, company, host, time-in and time-out in the visitor register; direct the visitor to the east elevators only. Do not admit vendors before 8:00 a.m. or without a scheduled delivery on the dock manifest."
The first sentence can be performed a dozen different ways — or barely at all — and still be defended after an incident as "the lobby was monitored." The second can be audited line by line, and a brand-new officer can execute it correctly on shift one. Every strong instruction in your post orders should read like the second version.
Why post orders protect you
Post orders do four things that directly protect the buyer, not just the guard.
Consistency. Every officer on every shift performs the same core duties the same way — the night officer, the day officer, and the weekend relief all patrol the same route and check the same access points. Consistency is what turns "we have a guard" into "we have security."
Accountability. When duties are written down, you can measure whether they were performed. Patrol logs, tour-scan records, and shift reports become checkable against the post orders. This is how you hold a vendor to the service they sold you instead of paying for a body in a chair.
Liability protection. This is the part buyers underrate. When something goes wrong on a property — a theft, an assault, an injury — post orders are among the first documents pulled in litigation. In negligent-security and premises-liability cases, a security contractor's duty is generally defined not by the property owner's broad duty to keep premises safe, but by what the contractor actually undertook — and courts look closely at the service contract and the post orders to determine whether a duty existed and how far it extended. Detailed, followed post orders are evidence that the provider exercised reasonable care.
Vague language can cut the other way — and there is a hard lesson buried in exactly the phrasing many contracts use. Courts have held that scope-of-work language limited to "maintaining high visibility" and acting "as a deterrent" against criminal activity creates no legal duty to protect the people on the property, because it describes a property-focused undertaking rather than a promise to protect specific persons (see Hoisington v. TZ Winston-Salem Assocs., 133 N.C. App. 485 (1999)). That is a double-edged fact for buyers: deterrence wording may limit a provider's exposure, but if you are buying protection of people and your documents only promise "visibility," you may not be getting — or be able to enforce — what you think you paid for. Insurers rely on the same documents when evaluating risk and adjusting claims. (Liability outcomes are highly fact- and state-specific; this is general information, not legal advice, and you should have counsel review your contract and post-order language.)
Training and continuity. Post orders are a training and quality-control tool. A well-written set lets a trained officer step into an unfamiliar post and operate correctly on day one, and it preserves institutional knowledge when officers turn over — which, in this industry, they do often.
What a strong set of post orders includes
Depth matters more than length, but a genuinely strong set covers all of the following. The third column turns this reference into a diagnostic: read what happens when a section is missing or vague, and you can grade any set of post orders in front of you.
| Section | What it should contain | Red flag if missing or vague |
|---|---|---|
| Site overview | Property name, address, layout, hours of operation, tenant/occupant list, key areas, and known site quirks (propped-open doors, chronic problem entrances, late-arriving vendors). | Generic or copied from another site — a sign no real assessment happened and officers don't know the building. |
| Post-by-post duties | Exactly what the officer at each post does, shift by shift — lobby, gate, dock, control room — with specific tasks, not "monitor the area." | "Monitor," "observe," "maintain a presence" with no concrete actions — unmeasurable and unauditable. |
| Patrol routes and frequency | Named routes, checkpoints, tour intervals, and what to inspect at each point (locks, lighting, fire doors, hazards). | No named checkpoints or intervals — patrols can't be verified and coverage gaps hide easily. |
| Access control | Who may enter and how they are verified; visitor check-in, contractor and delivery procedures, key/badge control, and restricted-area rules. | No verification steps or restricted-area rules — the most common source of preventable losses. |
| Emergency and escalation procedures | Step-by-step response to fire, medical events, active threats, evacuations, power/utility failures, and severe weather — plus the escalation ladder: who is notified, in what order, and when to call 911. | Missing scenarios or no notification order — the sections most likely to be tested in a real event and scrutinized afterward. |
| Reporting and logging | What gets documented and how — daily activity reports, incident reports, patrol/tour records — held to the standard of "facts, not opinions." | No standard formats or timelines — reports arrive late, inconsistent, or not at all. |
| Use-of-force and detention limits | Site-specific limits stated in writing: no-pursuit rule, no physical restraints (or when they are allowed), loss-prevention dollar thresholds before a stop, and weapons-handling and holster rules for armed posts — plus a pointer to the firm's full use-of-force and detention policy. | Silent, or "follow company policy" with no site limits — leaves officers improvising force and detention decisions your liability rides on. |
| Contacts | Client contacts, property management, the security supervisor chain, local police/fire non-emergency numbers, and after-hours escalation. | Out-of-date or one name only — no one to reach when it matters at 3 a.m. |
The best post orders read like a quick-reference operating manual: specific, organized, and scannable — not a legalistic binder no one opens, and not a one-page sketch. If you're standing up armed coverage, expect the use-of-force and weapons sections to be substantially more detailed; compare the tradeoffs in armed vs. unarmed security and, for pricing, our security cost calculator.
How post orders relate to your contract and scope of work
Buyers often treat post orders as a standalone operational file, but legally and commercially they sit inside a document hierarchy — and getting that hierarchy right prevents the "which document controls?" fight after an incident.
- Master Service Agreement (MSA) / contract — the commercial and legal terms: pricing and bill rates, term and termination, insurance and indemnification, liability limits, and confidentiality. This is the top of the stack.
- Scope of Work (SOW) — what you are buying: which posts, how many officers, hours of coverage, armed vs. unarmed, and the service standards. Usually an exhibit to the MSA.
- Post orders — how the work is executed at each post, day to day. They operationalize the SOW at the officer level.
The practical rule: your post orders should be referenced and incorporated by the contract (as a named exhibit or by reference), not left floating as a detached operational document the sales team hands over informally. Ask that the MSA or SOW state which document controls if they conflict — typically the higher-order contract and SOW govern commercial terms and the defined scope, while the post orders govern operational detail. If your post orders promise more (or less) than your SOW, resolve it before signing, because in litigation both will be read together.
Who writes them — the client's and provider's roles
Post orders are a collaboration, and getting the roles right separates a professional engagement from a commodity one. The security provider typically drafts the initial version after a physical site assessment — walking the property, mapping access points and vulnerabilities, and interviewing your staff and its own supervisors. That is its expertise: knowing what patrol coverage and emergency protocols should look like.
But the client is not a passive recipient. You supply the ground truth the provider cannot know — tenant relationships, sensitive areas, house rules, your risk tolerance — and you hold final review and approval. The post orders should be signed off by you, and every material update should go through the same collaborative loop. Building this into the relationship is part of hiring well; our step-by-step on how to hire a security guard company and the broader security guard services overview walk through what to expect. When you're ready to compare providers who work this way, you can get quotes or browse vetted security companies in your area.
Who pays to write them — and are updates billable?
This is a concrete purchasing question the sales conversation usually skips. The site assessment and initial post-order development take real hours, and providers handle the cost two ways: some bundle it into your hourly bill rate as part of onboarding/mobilization, while others charge a one-time setup or assessment fee as a separate line item. Neither is wrong — but you should know which one you're paying, so a "free" set isn't quietly priced into a higher rate, and a setup fee isn't sprung on you after you've committed.
Ask the second question too: are updates billable? Routine, expected revisions — the annual review, and updates after an incident or a site change — should generally be included in the service, not treated as change-order work you're nickel-and-dimed for. Get the answer in the SOW: who develops the orders, whether there's a setup charge, and that ordinary updates are covered. For how development and coverage costs fit into the overall number, run the scenarios in our security cost calculator.
Who owns the post orders — and can you take them when you switch?
Post orders codify your site's security knowledge — its access points, patrol logic, escalation contacts, and hard-won fixes for chronic problems. That makes ownership a live buyer concern the moment you consider changing providers. If the vendor treats the post orders as their proprietary work product, switching providers means your new firm rebuilds them from scratch — a fresh assessment, weeks of ramp-up, and the loss of everything the last team learned about your building.
Negotiate this up front, in the contract, not after the relationship sours. At a minimum, secure a copy-on-termination clause entitling you to the current post orders (and ideally the underlying site assessment and reporting history) in a usable format when the engagement ends. Better still, have the contract state that the site-specific post orders are your property or a joint work product you may take with you — while the provider keeps its generic templates, forms, and internal policies. This is the same "make it enforceable up front" logic covered in our guide to security guard contracts and insurance; treat ownership and portability as standard contract terms, not afterthoughts.
A complete set of post orders is effectively a map of your site's vulnerabilities — every access point, camera blind spot, problem entrance, and the exact steps to respond (or the gaps in that response). In the wrong hands that's a gift to anyone planning theft or worse. Treat the document accordingly: expect controlled distribution (officers get what their post requires, not the full binder for the property), secure storage (locked or access-controlled, digital copies behind authentication), and handling/NDA terms in the contract covering who may see, copy, or retain the orders — including after an officer leaves or the engagement ends. If a provider emails the full set around freely or leaves a printed binder open at the desk, that lax handling is itself a red flag.
Digital delivery and guard-management technology
Modern post orders increasingly live in a guard-tour or guard-management platform rather than a paper binder, and buyers should expect — and evaluate — that software layer. Done well, it is the strongest defense against documentation theater, because it ties the daily record directly back to the orders:
- Mobile post orders at the post — officers pull up the current instructions on a phone or tablet on shift, so there's no excuse of "the binder was outdated" and updates reach every post instantly.
- Electronic acknowledgment — each officer e-signs that they've read the orders (and each revision), creating a timestamped record of who knew what and when.
- Geo-tagged tour verification — NFC/QR/GPS checkpoints prove patrols actually happened, on the required interval, and map each scan back to the checkpoints your post orders define. That's how "patrol routes and frequency" stops being an aspiration and becomes provable.
- Real-time logs tied to the orders — daily activity and incident reports are captured against the specific duties, so you (and, later, an insurer or court) can check performance against the written standard rather than taking a shift report on faith.
When you compare providers, ask what platform they use, whether you get read access to reporting and tour data, and how mobile updates are pushed and acknowledged. A provider still running on an unauditable paper binder isn't disqualified — but a technology layer is now a reasonable buyer expectation, and it's what converts "we wrote it down" into "we can prove it happened."
Post orders, emergencies, use of force, and detention
This is where post orders stop being administrative and start being legally load-bearing.
Emergencies. Emergency and escalation procedures are the sections most likely to be tested in a real event and scrutinized afterward. They should spell out concrete actions and a clear notification order for each scenario type. There is also an OSHA dimension worth getting right for a contract-guard buyer. Under OSHA's General Duty Clause, Section 5(a)(1) of the Occupational Safety and Health Act, employers must furnish a workplace "free from recognized hazards" likely to cause death or serious harm, and OSHA uses this clause — backed by published enforcement guidance — to treat workplace violence as a recognized hazard (there is no dedicated workplace-violence standard). The attribution matters: for the guards themselves, that duty runs to the security firm as their employer, not to you; your own General Duty Clause obligation runs to your employees. What can extend some responsibility to you as the host business is OSHA's multi-employer worksite doctrine (Directive CPL 02-00-124), under which a "controlling" or host employer can be partly responsible for hazards it controls on its site — held to a reasonable-care standard that is deliberately lower than the one for protecting its own workers. The concrete tie to post orders: the emergency-response and escalation sections are a documented feasible-abatement measure — evidence that recognized hazards (an active threat, a medical event) were identified and addressed at the officer level.
Use of force and detention. The key fact for buyers is that, in the United States, a private security officer generally has no more legal authority than an ordinary private citizen. Their power to act comes from self-defense and defense-of-others law, the property owner's right (delegated to the guard) to deny entry and remove trespassers, and — for retail theft — state "shopkeeper's privilege" (merchant detention) statutes, which in most states allow a brief, reasonable detention on reasonable grounds or probable cause to investigate suspected theft, using only reasonable force, without it constituting an arrest. Citizen's-arrest authority is a separate and often stricter path that varies widely by state — commonly requiring that a felony was in fact committed, or that a breach-of-the-peace misdemeanor occurred in the officer's presence — and it carries greater liability. Any force used must be lawful, necessary, reasonable, and proportionate to the threat as it appeared at the time; even handcuffing is treated as a use of force. Unlawful or overlong detention (false imprisonment) and excessive force are among the most-litigated areas in the industry, and an employer can be liable for its officers' conduct under vicarious liability. Because these rules are state-specific, see whether security guards have arrest powers for the detail.
Post orders grant none of this authority — but they should reference the provider's use-of-force and detention policy and, critically, state the limits at your site. Many professional firms restrict by policy what statutes would otherwise permit (no-chase rules, dollar thresholds for loss-prevention stops, or restrictions on restraints) precisely to cap liability. For armed security, this section must be airtight.
How to keep post orders current
Post orders are living documents, not a one-time deliverable. Conditions change — tenants move, entrances get rekeyed, new risks emerge — and stale instructions can be as dangerous as none. The industry norm is to review post orders at least annually and after any of these triggers: a significant incident, a change in the site's physical layout or access, a change in hours or occupancy, a new risk or threat, or a change in the scope of the security program. Every revision should be dated, version-controlled, acknowledged by the officers on post, and re-approved by the client — exactly the kind of record a guard-management platform captures automatically. Also confirm the provider's training keeps pace with the orders; requirements vary by jurisdiction, which our state training requirements guide breaks down. Recognized industry frameworks such as the ASIS International Private Security Officer Selection and Training Guideline (current edition ASIS PSO-2019) offer a benchmark for how officers should be selected and trained to execute those orders.
The buyer's script: four questions to ask any provider
The fastest way to separate a professional firm from a weak one is to ask four questions during the sales process and listen for the difference between a strong answer and a weak one. Use this as a checklist:
| Ask this | Strong answer | Weak answer (walk away) |
|---|---|---|
| "Show me a sample post order and tell me how you'll build ours." | Produces a real, site-specific example and describes a physical site assessment before drafting, with your sign-off. | "Our guards know what to do." Offers a generic template, or nothing, and skips the walkthrough. |
| "How do the post orders connect to your daily reporting and tour verification?" | Shows logs, tour scans, and reports that map back to the written duties — ideally in a guard-management platform you can access. | Duties exist on paper but are never logged or audited — documentation theater. |
| "Is there a setup fee, and are updates billable?" | Clear on whether development is bundled or a line item, and confirms routine annual/post-incident updates are included. | Vague on cost, or treats every revision as billable change-order work. |
| "Who owns the post orders, and do I get a copy if we part ways?" | Agrees your site-specific orders are yours or provides a copy-on-termination clause, with confidentiality/handling terms. | Claims the orders as proprietary with no copy on exit — locking you in and resetting your institutional knowledge. |
If your incumbent provider can't produce current, signed, site-specific post orders on request — or can't answer these four questions cleanly — that is not a paperwork gap; it is a signal about the whole operation, and a reason to get competing quotes.
Frequently asked questions
What's the difference between post orders and the security contract or scope of work?+
Who pays to write post orders, and are updates billable?+
Who owns the post orders if I switch security providers?+
Where should post orders be kept and who can see them?+
Can vague post orders actually reduce a security company's liability?+
Share this guide
Sources
- OSHA — Workplace Violence Enforcement (General Duty Clause §5(a)(1); Directive CPL 02-01-058)
- OSHA — Multi-Employer Citation Policy, Directive CPL 02-00-124
- Martineau King PLLC — Security Guards in Premises Liability Cases (Hoisington v. TZ Winston-Salem Assocs., 133 N.C. App. 485 (1999); 'visibility/deterrent' scope-of-work language)
- Terry Brennan Law — Private Security Companies and the Threshold Element of a Negligence Claim (undertaking; protection of people vs. property)
- ASIS International — Private Security Officer Selection and Training Guideline (ASIS PSO-2019)



