

In part 2 we’re going to cover how to comply with the changes to issue 8, for BRC site security and food defence section 4.2, which requires a threat assessment.

These changes are in line with the update to the GFSI benchmarking scheme, where food defence needs to be covered.

If you haven’t read part 1 of this article, which covers the changes, you can read that here:

What we have in place currently…

The first thing we need to do is to look at the security risk assessment that we had in place for issue 7. It’s more than likely that this won’t suffice anymore, and it will probably be easier to start again. If, however, you’ve already got food defence covered in your security risk assessment, to comply with other standards, such as customer COPs for example, just make sure it complies with the elements that we’re going to talk through.

Threat assessment…

A threat assessment is a form of risk assessment.  So, the first thing that you’ll need is a risk assessment methodology for threats. Our book ‘Assessing Threats and Vulnerabilities for Food Defence’ provides a methodology for this, so you may find it helpful to use this.

Creating your own methodology…

If you create your own methodology, there are a number of things you need to take into consideration.

Firstly, you need to define what impact the threat will have.  Typically, in risk assessment we would think about the severity on the consumer.  But, with threats, the consumer might not be the only target, as some threats (such as sabotage) are aimed at hurting the business, rather than the consumer.  So, it’s a good idea to consider not just the impact on the consumer, but also the impact on your business too.

As we can’t always control a threat, i.e. we cannot stop it from happening, we also have to consider the likelihood of someone detecting that it has occurred. This would be where protection measures such as seals or tamper-evident packaging would come in. So, it’s a good idea to include detection in your methodology.

Finally, make sure your risk assessment method provides a result as to whether the threat that you are assessing is significant or not, as significant threats would need to go forward (like we do in HACCP) to determine if they need special consideration.

Creating your team…

Once you’ve got your methodology organised, you’ll need to create a team. Make sure those responsible for food defence, both on site and in the downstream supply chain, are on the team, such as technical, HR, operations and logistics.

Also, ensure that the team are aware that where new information comes to light which may impact on the threat assessment, they need to highlight this to the rest of the team. Agree a process for how this is going to be done and who the information should be reported to.

You’ll also need to have external information sources in place, like we do for vulnerability assessment, so that if incidents come to light in the industry, this information is received and assessed by the team. Make sure you also have a process defined (and documented) of who will receive this information, assess it and feed it into the team, if a wider review is needed.

Your team will also need training in the threat assessment procedure and the protective measures, once you agree them.

Identify the threats and apply protection measures…

As a team, map out the process that the materials go through, from the point at which they arrive to the point at which they are delivered to the customer, or wherever your responsibility ends. At that point, you can then look at what threats are applicable at each stage, using the information sources from your team or from external industry sources.

Once you’ve got your list of threats at each point in the process, you can assess them using your threat assessment methodology. Where a threat is deemed to be significant, as a team you’ll need to decide what protection measures you’re going to put in place. Where monitoring is required, this will also need writing into relevant procedures and records.


Ensure that at a minimum, an annual review is scheduled.  But also, make sure that reviews are conducted and recorded whenever new information comes to light that needs consideration.


Finally, make sure that all on-site personnel are trained in the site’s security procedures and have an awareness of food defence as a whole. An interesting point to note on this is that our Level 2 food safety & GMP courses already include site security procedures and food defence, so if you train your on-site personnel using these courses, you’ve already got it covered!

Please add your thoughts about food defence or any questions you have in the reply box below. Other techies may find your comments helpful, or have the same questions as you, so please don’t be shy and add them below.

FREE – Site Security & Food Defence Awareness eLearning

We’ve developed food defence awareness training to meet the new requirement in Issue 8.  It’s free (we’re not joking!) for as many learners as you like – so you can train your whole site!  Please note, this training is designed for manufacturing sites, so is only available to manufacturing companies (sorry it’s not designed for individual learners/users).  The eLearning teaches the learner how to become a ‘Food Defender’ in only a few minutes and it includes a test – so it’s really time efficient! The learner can also download and print their certificate after completion.

Just complete the form to the right and we’ll email you a login to our free training dashboard and you’ll be able to add as many learners as you like to do the training. You will also be added to our food defence list so we can update you about our solutions for this area of compliance for BRC Issue 8. Please note – we will verify your site and send you a login manually, so please give us 24 hours to do this. 

Our new pack for Food Defence for BRC Issue 8 is released and is now available to purchase on our website. To view information and get your pack, just click below…