was successfully added to your cart.



In part 1 we’re going to cover the changes to issue 8, around the BRC site security section, which is now site security and food defence.

These changes are in line with the update to the GFSI benchmarking scheme, where food defence needs to be covered.


The clauses in this part of the standard have either been replaced, amended or there are new ones added, so let’s go through them…

Clause 4.2.1

The company shall undertake a documented risk assessment (threat assessment) of the potential risks to products from any deliberate attempt to inflict contamination or damage. This threat assessment shall include both internal and external threats.
The output from this assessment shall be a documented threat assessment plan. This plan shall be kept under review to reflect changing circumstances and market intelligence. It shall be formally reviewed at least annually and whenever:
  • a new risk emerges (e.g. a new threat is publicised or identified)
  • an incident occurs, where product security or food defence is implicated.

New Clause 4.2.2

Where raw materials or products are identified as being at particular risk, the threat assessment plan shall include controls to mitigate these risks. Where prevention is not sufficient or possible, systems shall be in place to identify any tampering.
These controls shall be monitored, the results documented, and the controls reviewed at least annually.

Clause 4.2.3

Areas where a significant risk is identified shall be defined, monitored and controlled. These shall include external storage and intake points for products and raw materials (including packaging).
Policies and systems shall be in place to ensure that only authorised personnel have access to production and storage areas, and that access to the site by employees, contractors and visitors is controlled. A visitor recording system shall be in place.
Staff shall be trained in site security procedures and food defence.

Clause 4.2.4

Where required by legislation, the site shall maintain appropriate registrations with the relevant authorities.

There’s a great deal that’s changed here, so let’s look at what it all means. First of all, the BRC site security section has been updated from just site security, to site security and food defence…

Definition of food defence

Before we go into the details, let’s just make sure we’re clear on what we mean by food defence. The BRC have defined food defence as:

“Procedures adopted to ensure the safety of raw materials and products from malicious contamination or theft.”

Definition of food fraud

Let’s not get this mixed up with food fraud, which the BRC define as:

“Fraudulent and intentional substitution, dilution or addition to a product or raw material, or misrepresentation of the product or material, for the purpose of financial gain, by increasing the apparent value of the product or reducing the cost of its production.”

What drives the assessment?

So, the BRC see the driver for food fraud, to be financial gain. Whereas they see the driver food defence is to cause harm. Whether that be harm to the consumer or harm to a business.

Why the BRC food defence terminology is confusing…

We think the terminology in this area is confusing.  In the 2nd Edition of our book assessing threat vulnerability for food defence, we have tried to clarify the terminology.

Food defence is the defence of food – The defence of food from any threat – The threat may be for financial gain, which is food fraud.

The threat may be to sabotage a company, which would be on site threats by visitors or employees for malicious reasons or, the threat may be to cause harm, which would be terrorism. Food fraud, food sabotage and food terrorism are all forms of threats, to which we need to apply food defence.

BRC definition of food defence, includes theft…

So, if we look at the BRC’s definition of food defence again, we can now see why their definition is a little more confusing than ours. They’ve said food defence are:

“Procedures adopted to ensure the safety of raw materials and products from malicious contamination or theft.”

Ok, so malicious contamination is what we would call food sabotage.  As people maliciously contaminate product, not really to hurt the consumer, but more to hurt a business or an organisation. However, theft is a different matter.  Theft could be to financially hurt a business or organisation, which is sabotage.  But, it could also be fraud, to be able to sell off the product for financial gain.  Which the BRC would say is food fraud.

What does all that matter?

BRC are saying in this section, that we need to consider malicious contamination, or food sabotage as we would call it. Plus, we need to consider food fraud in the supply chain after the material leaves us. But we would not include food fraud before the material arrives with us, as that would be considered in our vulnerability assessment of raw materials. So, food fraud needs to be considered in the supply chain, once the product leaves us and food sabotage needs to be considered both on site and in the supply chain when the product leaves us.

Right, let’s look at the clause changes now…

Threat Assessment

The BRC  have stated that we now need a threat assessment in the BRC site security and food defence section. We can use what we learnt from the implementation of the vulnerability assessment in issue 7 for this, as the principles of threat assessment and the vulnerability assessment are very similar, because in both cases we are assessing threats.

Information sources

We need to make sure there are inputs into the threat assessment, either from industry information or from your team.  So, like with the vulnerability assessment you will need to create a team.  The team will be different people to those on your vulnerability team, as they will need to include departments who look after site security, material security (such as locking of silos etc) and logistics.

Just like the vulnerability assessment, the threat assessment will need input from your information sources.  These information sources will again, be slightly different to those that you use for vulnerability, as the topic is different. They will need to be information from HR regarding the employee moral or contractual changes. Information from security on applicable incidents.  And, information from the logistics department on internal incidents or external industry incidents.  And then, information from quality or technical where applicable complaints or incidents have occurred.

Outputs of the assessment

Just like the vulnerability assessment, the BRC site security and food defence threat assessment also needs an output.  It should drive the requirements of your protection measures, where a risk is highlighted.  And these should be written into your procedures. Note here, that we have said protection measures, not control measures. This is because you cannot always control a threat, as you may not always be able to stop it from happening.  So, you can’t always protect the food.

But you can put protection measures in place to protect the consumer, such as tamper evidence packaging or seals on vehicles.  So, that where a threat has occurred, it can be detected and managed.


In order to comply with 4.2.3 external storage and intake points need to be locked.  The BRC have clarified that this must apply to packaging as well as raw materials, work in progress materials and finished product.


We now also need to provide evidence that we have trained all on site personnel in security procedures and give them an awareness of food defence.

Local Approval

And lastly, clause 4.2.4 has been clarified, to state that not only do you need to be approved by the authorities where applicable, but you also have to maintain this approval.

FREE – Site Security & Food Defence Awareness eLearning

We’ve developed food defence awareness training to meet the new requirement in Issue 8.  It’s free (we’re not joking!) for as many learners as you like – so you can train your whole site!  Please note, this training is designed for manufacturing sites, so is only available to manufacturing companies (sorry it’s not designed for individual learners/users).  The eLearning teaches the learner how to become a ‘Food Defender’ in only a few minutes and it includes a test – so it’s really time efficient! The learner can also download and print their certificate after completion.

Just complete the form to the right and we’ll email you a login to our free training dashboard and you’ll be able to add as many learners as you like to do the training. You will also be added to our food defence list so we can update you about our solutions for this area of compliance for BRC Issue 8. Please note – we will verify your site and send you a login manually, so please give us 24 hours to do this. 

  • (If multiple site)
food defence

Our new pack for Food Defence for BRC Issue 8 is released and is now available to purchase on our website, to view information and get your pack, Just click below…

BRC Site Security

In the next article we’ll look at what we need to actually do to comply with the BRC site security and food defence section. If you’d like to learn more about food defence, you will find our book really helpful, Assessing Threat Vulnerabilities for Food Defence, now updated and in its second edition.  It’s available in eBook and paperback – you can get your copy here:


Leave a Reply