BRCGS Agents and Brokers Issue 3 is here!

Issue 3 was published on 1st October 2021 and becomes effective (which means it goes live) on 1st April 2022.

We’ve gone through the new Standard, word by word to compare Issue 2 with Issue 3 – so we can confidently share with you what the changes are. So, below we’ll go through with you – what the changes are, what they mean and let you know what you need to do next to comply.

Senior management commitment

There are a few main changes to this section:

  1. Culture has been added in line with the previous AB211 Position Statement.
  2. There is a new clause for the BRCGS logo.
  3. Authenticity has been added to the scope.


Having a culture plan was a requirement in the AB211 Position Statement. If you’d like to understand more about this topic, read the article; How to comply with food safety and quality culture.

BRCGS logo

In order to use the BRCGS logo you need to comply with the terms of use and also be approved to use it. This means you must request approval – the responsibilties section of the article; Management commitment, organisational structure and responsibilities explains how to do this.


The term authenticity has been added throughout the BRCGS Agents and Brokers Issue 3 Standard. So, wherever you would normally find the statement to ensure/ to meet/ for ‘food safety, quality and legality’ – you now need to add authenticity to this list.  This includes the Senior Management Commitment procedure and the Quality Policy.

Next steps

  1. Culture: You should already have a culture plan in place, but for your next audit your auditor will be expecting to see that it’s progressed. The best way to ensure this is to complete our mini training – Product Safety and Quality Culture eLearning.
  2. BRCGS logo and authenticy: Our Senior Management Commitment eDocs pack includes everything you need to update your systems to meet BRCGS Agents and Brokers Issue 3. Plus it includes the documents you need to create and maintain your culture plan.

Document management

There isn’t a great deal that’s changed in this section. A few things have been added to the interpretation. The main additions are:

  1. That digital documents need to be securely stored and backed up. You need to put detailed thought into how you’re going to manage digital documents and really think about what could go wrong. Cyber criminals hacking into business’ documentation is common practice now, so you need to seriously protecting your systems. We cover digital documents in the article; The product safety and quality management system.
  2. That although the Standard doesn’t say in that in each section, a procedure and records are needed – they are. So you need to make sure that you have a procedure to cover every section of the Standard.

Continuous improvement

There are three main changes to this section:

  1. Internal auditing
  2. Root cause analysis
  3. Non-conformances


Internal auditing

There are a few changes here. You now need a risk assessment which will define the frequency of each internal audit. And, where the interpretation in Issue 2 said you had to have at least 4 audit dates throughout the year, the Standard has now been updated to say you only need 2.

Plus, when documenting your audits you now must record evidence of conformance. This means you must record the references of the documents you’ve looked at, the names of people you’ve included etc.

Root cause analysis

You now need a procedure for root cause analysis. This means you must document when you’ll identify that root cause analysis is needed, how you’ll complete it and also train those involved in the process on the procedure.


You must now ensure that there are thorough records for non-conformances which detail elements such as investigations. Plus you must assess each non-conformance for consequence, so you now how it should be appropriately actioned.

Next steps

You need to make the appropriate changes to your systems to comply with the elements above. The easiest way of doing this, is to use Pack 3 Continuous Improvement eDocs. This ensures that you have a risk assessment for frequency of your internal audits. Plus the procedure includes root cause analysis so you can get started with training your team straight away. The procedure also provides you with a simple process for assessing non-conformances for consequence.

If you want a training course for root cause analysis – our Best Practice Internal Auditing eLearning will train your team on how to complete root cause analysis.

Contingency planning

The main changes to the incident, recall and withdrawal section are:

  1. You must record key things that happen during an incident.
  2. Root cause analysis must be applied following an incident.
  3. Where a recall occurs – the notification requirements have been expanded.
  4. The testing requirements have been clarified.

Incident records

When an incident happens you need to ensure that you record as much information as possible. After an incident you need to review what happened and make improvements, so having good records is essential. Our article Incidents, emergency situations, withdrawals and recalls provides lots more details about incidents.

Root cause

We’ve already said that there’s a new clause for root cause analysis – and this theme continues throughout the Standard. When an incident happens, root cause analysis to prevent reoccurrence is a must.

Recall notification

The Standard now provides details about the type of information that you must supply to your Certification Body, where your business is involved in a recall.


The interpretation now clarifies what is expected during a test of the system. This is to ensure that more than just a simple traceability is carried out and that the incident system is tested in full.

Next steps

Make sure that you have a record for when an incident, withdrawal or recall occurs. The record needs to prompt the right information to be recorded, including key activities or events.

Ensure your procedure states that root cause analysis will be applied following an incident and also that you’ll notify your Certification Body and any relevant authorities if a recall occurs, or if you get an enforcement notice.

Our Pack 4 Contingency Planning eDocs provides you with a perfect solution for compliance. It even provides you with a step-by-step process for testing your system. The incident report is a critical part of this pack and will ensure that you record everything that’s needed.

Supplier management

There are three main changes to this section:

  1. How often the risk assessment needs updating has been updated.
  2. Where materials are purchased from another agent or broker, they must have a GFSI recognised certificate or they must be assessed fully so they can be approved.
  3. The approval methods for low risk and not low risk have been updated, in line with the other food-related Standards.

Risk assessment

The risk assesssment must now be reviewed if there is a change which will affect it, if new risks emerge, following an incident which affects the risk assessment and also at least every 3 years.

Agents and brokers

The purpose of this update, is to stress that agents and brokers must provide the details required to approve them as a supplier – no matter who their customer is. The only way of not providing this information (to potential competitors) is for the agent or broker to be themselves, certified to a relevant GFSI certificate.

Approval methods

The methods have been aligned with the other Standards. What you can and can’t use to approve a supplier is fairly complex, so take a look at How to risk assess and approve your material and service suppliers for further information.

Next steps

This is a complicated topic and it’s critical for you to get this right, as it makes up the largest proportion of your compliance to the Standard. Therefore, to make sure you get it right we would highly recommend implementing Pack 8 Supplier Management eDocs. The pack will take you through this complicated subject, step-by-step – to make sure you approve and monitor each of your suppliers as needed.

Testing and inspection

4.4.2 has been updated to reiterate that where you rely on certificates of analysis from your suppliers (and therefore do not test the product yourself) you must risk assess whether you need to do additional verification. The risk assessment should look at what certification the testing lab adheres to. For example, if the site is BRCGS then there is less risk and if the lab is CLAS or UKAS approved, then you could argue there is minimal risk.

Next steps

Look at how your suppliers carry out their testing. If they do it in-house, or send  it to a certified lab. Then document a risk assessment to determine if you need to carry out your own testing, to verify the suppliers results.


There is only a slight change in this section, that where there are legal requirements you must follow them. This has been added to comply with FSMA, where a risk assessment for traceability is required.

And that’s it!

If you need any help with the changes in the new BRCGS Agents and Brokers Issue 3 Standard, please just get in touch, or add any questions or comments below. We’re happy to help.

Have your say…

2 thoughts on “BRCGS Agents and Brokers Issue 3

  1. General comment. To expect a Global Standard to encompass large trading companies and one-man-bands is not possible. To generate such a standard from the Food Standard, rather than a blank sheet of paper was another avoidable error.
    1.1.2. will be open to wild interpretation and expectation, and what does ” communication within the supply chain” mean?
    4.1.2. what is “low risk” which allows the approval to be done by questionnaire only? Our last auditor insisted that personal audits were done on all non GFSI supplier and providers

  2. 1_The biggest issue with BRC 8 is HACCP because it depends on Codex alimentarius which does not take any thing about OPRP and its dicession tree may be misled you to detect CCP or OPRP .
    2_ there is no good description of likelihood. I think most of people have problem to assess likelihood in risk assessment

Share your thoughts…

Your email address will not be published.