This article is written to meet the following sections of the Standards:

BRCGS Food Safety Issue 8
  • 4.2.1 Documented assessment of security
  • 5.4.1 Provision of knowledge and information

BRCGS Packaging Issue 6
  • 4.4.1 Risk assessment of security
  • 3.8.1 Obtaining information

BRCGS Agents & Brokers Issue 3
  • 4.3.1 Product security / food defence
  • 4.8.1 Provision of knowledge and information

BRCGS Storage & Distribution Issue 4
  • 4.2.1 Security risk assessment Information

FSSC 22000 Version
  • Identify food defence threats
  • Identify food fraud threats

IFS Food Version 7
  • 4.20.2* Fraud assessment scope
  • 4.20.3* Monitoring of food fraud
  • 6.2* Food defence scope
  • 6.3 Monitoring of food defence

SQF Edition
  • i) and ii) Methods, responsibilities and criteria
  • Food fraud mitigation plan

The requirements


The assessment must consider internal and external threats and vulnerabilities due to fraud, sabotage and terrorism.

Protection measures

The assessment must consider the current security measures.

Horizon scanning

Horizon scanning must be used to identify any future potential threats and vulnerabilities internally. Where a new or increased threat is identified, this must be fed into the assessment.

Internal scope of custody

The scope of custody for the internal piece of the assessment must consider fraud (in the form of theft), sabotage and terrorism, where your business is responsible:

Internal scope

The scope of the internal assessment looks at all the business activities that you’re responsible for. This can be manufacturing, storing, distributing, or even processing transactions, such as customer orders.

The internal aspect is typically known as TACCP, or your threat assessment – but as we explained in Understanding product defence, TACCP doesn’t make any sense, and you can’t have a threat assessment without considering vulnerabilities.

Threats and vulnerabilities

When assessing threats for vulnerability internally, you need to consider:

  • Unauthorised access.
  • Data tampering.
  • Malicious contamination.
  • Theft.

Vehicles must also be considered.


The team members who are essential for identifying vulnerable threats internally are those in operational, HR, security and IT roles, as they have the necessary knowledge and experience.

Want to learn more about identifying internal vulnerabilities?

This article is an overview of the subject of identifying internal vulnerabilities. If you’re looking to gain in-depth knowledge on this subject, we’d recommend you purchase our eLearning course.

Product defence

Identifying internal vulnerabilities

Upon completion of this course, you’ll be able to identify the business activities which need to be assessed for the relevant threats and to identify the vulnerabilities ready for assessment.

This course will teach you the specifics of the internal supply chain, so that you can create a focused threat and vulnerability assessment that is compliant with the standards.
