This article is written to meet the following sections of the Standards:
|BRCGS Food Safety Issue 8||4.2.1 Documented assessment of security|
5.4.1 Provision of knowledge and information
|BRCGS Packaging Issue 6||4.4.1 Risk assessment of security|
3.8.1 Obtaining information
|BRCGS Agents & Brokers Issue 3||4.3.1 Product security/ food defence|
4.8.1 Provision of knowledge and information
|BRCGS Storage & Distribution Issue 4||4.2.1 Security risk assessment|
|FSSC 22000 Version 5.1||184.108.40.206a) Identify food defence threats|
220.127.116.11a) Identify food fraud threats
|IFS Food Version 7||4.20.2* Fraud assessment scope|
4.20.3* Monitoring of food fraud
6.2* Food defence scope
6.3 Monitoring of food defence
|SQF Edition 9||18.104.22.168 i) and ii) Methods, responsibilities and criteria|
22.214.171.124 Food fraud mitigation plan
The assessment must consider internal and external threats and vulnerabilities due to fraud, sabotage and terrorism.
The assessment must consider the current security measures.
Horizon scanning must be used to identify any future potential threats and vulnerabilities internally. Where a new or increased threat is identified, this must be fed into the assessment.
Internal scope of custody
The scope of custody for the internal piece of the assessment must consider fraud (in the form of theft), sabotage and terrorism, where your business is responsible:
- For the physical custody of the materials.
- For the financial custody of the transactional activities (if you’re an agent and broker).
The scope of the internal assessment looks at all the business activities that you’re responsible for. This can be manufacturing, storing, distributing, or even processing transactions, such as customer orders.
The internal aspect is typically known as TACCP or your threat assessment – but as we explained in Understanding product defence TACCP doesn’t make any sense and you can’t have a threat assessment without considering vulnerabilities.
Threats and vulnerabilities
When assessing threats for vulnerability internally, you need to consider:
- Unauthorised access.
- Data tampering.
- Malicious contamination.
Vehicles must also be considered.
The members of the team which are essential for identifying vulnerable threats internally are the operational, HR, security and IT roles, as they have the necessary knowledge and experience.