This article is written to meet the following sections of the Standards:

BRCGS Food Safety Issue 85.4.2 Vulnerability assessment
5.4.3 Output from the vulnerability assessment
4.2.1 Documented assessment of security
4.2.2 Additional controls to mitigate risks
4.2.3 Authorised access (protection measures)
BRCGS Packaging Issue 63.8.2 Vulnerability assessment
3.8.3 Output from the vulnerability assessment
4.4.1 Risk assessment of security
4.4.2 Site access (protection measures)
4.4.3 External storage (protection measures)
BRCGS Agents & Brokers Issue 34.3.1 Product security/ food defence
4.8.2 Vulnerability assessments
4.8.3 Products at risk of adulteration or substitution
BRCGS Storage & Distribution Issue Output from the vulnerability assessment Vulnerability assessment Vulnerability assessment review
4.2.1 Threat assessment
4.2.3 Site security procedures
5.2.2 Vehicle security procedures
FSSC 22000 Version Assess food defence threats Assess food fraud threats Food defence plan Food fraud plan Develop and implement food defence protection measures Develop and implement food fraud protection measures
IFS Food Version 74.20.3* Implement controls
6.3 Control measures
SQF Edition iii) iv) v) vi) and vii) Protection methods

The requirements


The method of threat and vulnerability assessment must identify:

  • Significant vulnerabilities.
  • Protection measures to mitigate these.

Protection measures

To mitigate significant vulnerabilities, protection measures must be put in place, where possible.

These may include:

  • Proactive actions to remove the vulnerability, such as changes to the supply-chain.
  • Review of certificates of analysis from material suppliers.
  • Material testing.
  • Audits or enhanced supplier approval.
  • Tamper-proof packaging or vehicle seals.
  • Mass balance exercises with the material supplier.
  • Access controls; perimeter fencing, restricted access, locking off external storage areas.
  • CCTV.
  • Training.

Quality not quantity

If you’ve carried out your identification process correctly, you should end up with a limited number of vulnerabilities which require assessment.

It’s common to see assessments which have pages and pages of vulnerable threats (we’ve done it ourselves!) but as your thinking develops, so should the quality of what you’re producing.

The aim now is to go for quality and not quantity. In HACCP, you spend time working out what the relevant hazards are and then only assessing those. This is now what you must do with product defence. We’ve now developed more simplified systems to identify just the pertinent vulnerabilities and only put these into the assessment.

This results in a really focused and robust plan. It’s much better to have just handful of entries in your assessment with robust protection measures, rather than pages and pages of ‘tick box’ entries.


You must have a documented method which details how you’re going to assess the vulnerable threats that you’ve identified from:

  • Upstream.
  • Internally.
  • Downstream.

The method must establish which of the vulnerabilities are significant and therefore need protection measures.

The method should also look to remove the vulnerability wherever possible, for example, where a material is vulnerable because of where it’s processed – you could look to change supplier.


Where a significant vulnerability is determined, then you must put protection measures in place. Ideally these should be proactive, but where this isn’t possible then reactive measures should be considered.

Protection measures

The standards provide a list of the types of protection measures that are appropriate. These however are only suggestions, and not all of them will be relevant to you.

Examples of protection measures

Certificates of analysis

The one we would advise not to use, would be the review of certificates of analysis. This implies that you check the certificate to establish adulteration. If you think about this – if a supplier was trying to defraud you by sending you something that was inauthentic, they wouldn’t send you a certificate telling you so. They’d provide a fraudulent certificate too.

Audits, enhanced supplier approval and mass balance

Where significant vulnerabilities are identified upstream or downstream, this is a key protection measure. However, this doesn’t mean you can just chalk it down to the current systems – it means you must review what you’ve got and really think about whether it needs to be ‘enhanced’.

Want to know more about assessing and protecting vulnerable threats?

This article is an overview of the subject of assessing and protecting vulnerable threats. If you’re looking to gain in-depth knowledge on this subject, we’d recommend you purchase our eLearning course.

Product defence

Assessing and protecting vulnerable threats

On completion of this course, you’ll be able to assess the vulnerable threats that you’ve identified upstream, internally and in the downstream supply-chain, and then determine the necessary protection measures.

This course will teach you the methodology you need to assess vulnerable threats and determine those which are significant.

Buy the assessing and protecting vulnerable threats mini training now

Have your say…

One thought on “Assessing and protecting vulnerable threats

  1. interesting and look forward to going through the mini course. It is difficult to take proactive measures for materials that are coming from all over the world, changing supplier is not easy if the ingredient is an additive or soya/palm based that has a huge chain, as a small business we cannot physically audit the full chain, we can only use GFSI suppliers or agents and brokers. Testing is a needle in a haystack at times and costs of contaminant/heavy metal testing are prohibitive to a small business. It’s really difficult to score these risks with confidence at times, like you say if a manufacturer wishes to defraud so will their specification, lab report and assurances.

Share your thoughts…

Your email address will not be published.