This guide was developed from the Entecom webinar, “What Your VACCP & TACCP Must Deliver in 2026,” presented by Lyndri Fourie. It is aligned to FSSC 22000 Version 6 and BRCGS Food Safety Issue 9, and is designed to help Food Safety Managers move beyond paper compliance — towards systems that are genuinely effective, defensible, and audit-ready.
Introduction
VACCP and TACCP are no longer background requirements. They have become standalone audit focus areas — and the gap between what is documented and what actually works is where most findings are now being raised. Across all GFSI-recognised standards, a clear shift has occurred: Food Fraud and Food Defence are now active, scrutinised components of every major certification audit.
Auditors are no longer asking: “Do you have a VACCP?” They are asking: “Show me your methodology. Show me how you assessed the risk. Show me what controls you have in place — and how you know they are working.” |
Standard | Requirement Focus |
GFSI | Food Fraud is now a standalone audit focus across all GFSI-benchmarked schemes. [1] |
FSSC 22000 V6 AR 2.5.3 & 2.5.4 | Food Defence (TACCP) and Food Fraud (VACCP) require documented methodology, a cross-functional team, and annual review evidence. [2] |
BRCGS Issue 9 Clauses 5.4.1 & 5.4.2 | Methodology, team competence, and annual review are explicitly required. You must be able to explain and justify your assessment — not just show it exists. [3] |
Local supply chains are becoming more complex — with more imported ingredients, more intermediaries, and greater pricing pressure — all of which create vulnerability. Documented cases in South Africa include honey diluted with cheaper syrups, substitution of fish and meat species upstream, spice adulteration with dyes and fillers, and finished products being diverted and re-entered into the market. These are not theoretical risks. They are predictable — which means they are manageable if your system is actually working.
A failed VACCP or TACCP system does not produce a minor administrative finding — it creates regulatory exposure (recalls, certificate suspension), commercial impact (lost contracts, retailer confidence), and reputational damage that can take years to recover from. Building systems that actually work is about protecting your product, your brand, and your business.
The confusion between these three systems is common — and understandable, because they share a similar structure. But they solve fundamentally different problems. The definitions below reflect the distinct origins and purposes of each system as established in the primary standards and guidance documents.
HACCP | VACCP | TACCP |
Accidental risk | Intentional fraud (financial gain) | Intentional harm (malicious) |
Process failure | Supplier/supply chain | Internal or external attacker |
Food Safety | Food Authenticity | Food Protection / Defence |
“What could go wrong?” | “Who could benefit financially?” | “Who could deliberately cause harm?” |
HACCP, as defined in the Codex Alimentarius General Principles of Food Hygiene [5], focuses on accidental risks: contamination, process failures, and equipment issues. No intent is involved. VACCP addresses intentional adulteration for financial gain — fraud in your supply chain, often before the product reaches you. TACCP, as defined in PAS 96:2017 [4], addresses intentional adulteration with malicious intent — someone with access deliberately causing harm. Same structure. Completely different threat. Completely different controls.
The most common audit finding in this area: VACCP embedded as a table inside HACCP. This immediately tells an auditor that the systems have not been properly understood. VACCP and TACCP must each stand alone as separate, dedicated assessments |
Standard clause references: FSSC 22000 V6 addresses Food Fraud in Additional Requirement 2.5.4 and Food Defence in AR 2.5.3 [2]. BRCGS Issue 9 addresses Food Fraud in Clause 5.4.2 and Food Defence in Clause 5.4.1 [3]. Under both standards, auditors now expect documented methodology, a cross-functional team, and clear evidence of review — not just a completed assessment.
VACCP is not about your process. It is about your supply chain. Your risk does not start at your factory door — it starts upstream, at the origin, through importers and brokers, and into processing and storage. Every step introduces potential for deliberate, financially motivated interference. [6] The fundamental VACCP question, as framed in the Elliott Review [6] and reflected in current GFSI requirements, is: Where could someone benefit financially from compromising my product?
A robust VACCP system — aligned to FSSC 22000 V6 AR 2.5.4 [2] and BRCGS Issue 9 Clause 5.4.2 [3] — follows this structure:
1. Scope | Cover every ingredient, packaging material, processing aid, and additive — not just the obvious high-risk ones. Scope must be comprehensive and defensible. |
2. Assess | Evaluate vulnerability using Opportunity (supply chain complexity), Motivation (financial incentive), and Detection (would your controls actually catch fraud?). This is not HACCP hazard thinking. |
3. Identify Risk | Determine what is significant. Not everything needs stringent controls — but everything must be evaluated and justified. Low-risk materials still need a documented rationale. |
4. Control | Implement controls proportionate to risk: supplier approval, authenticity testing, batch verification, or basic COA review. Avoid copy-pasting the same controls across all materials. |
5. Integrate | Controls must live in your operational system: supplier programmes, incoming goods procedures, and testing schedules. If a control is only in the VACCP document, it does not exist in practice. |
6. Review | Review annually at minimum — and whenever supply chain changes occur: new supplier, new country of origin, pricing pressure, or new product. Document review triggers and keep evidence. |
The three-factor vulnerability assessment framework below — Opportunity, Motivation, and Detection — is consistent with the SSAFE Food Fraud Vulnerability Assessment methodology [7] and is widely accepted under GFSI-benchmarked schemes [1] as a defensible approach to structured vulnerability scoring.
Factor | What to Consider | Scoring Guidance |
Opportunity | How complex is the supply chain? Multiple intermediaries, importers, or brokers increase opportunity. More steps = less visibility = more risk. | Low: single audited supplier Medium: 1–2 intermediaries High: multiple unaudited tiers |
Motivation | Is there a financial incentive? Consider ingredient value, pricing pressure, and known fraud history for this commodity. | Low: low-value, stable pricing Medium: seasonal price pressure High: high-value, known history |
Detection | Would you actually detect fraud? Controls that go beyond document review (COAs) and include independent testing score significantly lower risk. | Low: robust independent testing Medium: some verification steps High: reliance on paperwork only |
Different organisations use different scoring methodologies. What matters is not the scoring system — it is the thinking behind it. Auditors evaluate whether your conclusions are logical, consistent, and justifiable [2,3]. Every risk rating needs a documented rationale. A score without justification is indefensible.
The following categories consistently appear in global and local fraud databases and warrant careful consideration in your assessment [6,10]: spices and seasonings (dyes, fillers); honey, syrups, and sugars (dilution); oils and fats (substitution or blending); fruit juices and concentrates (dilution, mislabelling); dairy ingredients (protein inflation); fish and seafood (species substitution); and meat products (cheaper species represented as premium). Your assessment must reflect your specific supply chain — this is not an exhaustive list.
Controls must be proportionate, as required by both FSSC 22000 V6 AR 2.5.4 [2] and BRCGS Issue 9 Clause 5.4.2 [3]:
Controls must be embedded in your operational system — supplier programmes, incoming goods procedures, and testing schedules. If a control exists only in the VACCP document, it does not exist in practice. |
TACCP, as defined in PAS 96:2017 [4], requires you to think like someone motivated by harm, not financial gain. It deals with intentional adulteration with malicious intent. The threat may be internal (a disgruntled employee, a contractor with unsupervised access) or external. TACCP focuses on people, access, and behaviour — not ingredients or supply chain steps.
TACCP requires scenario-based thinking: not “is this process controlled?” but “where could someone interfere with my product without being noticed, and who could do it?” |
Aligned to FSSC 22000 V6 AR 2.5.3 [2] and BRCGS Issue 9 Clause 5.4.1 [3], and drawing on the methodology set out in PAS 96:2017 [4]:
1. Identify Threats | Who could cause harm, and where could they act? Think from the perspective of someone intending harm — access points, secluded areas, critical handling steps. What could be done deliberately? |
2. Assess Risk | Is this a meaningful risk? Apply practical judgement: Is this realistic? Is there access? Is there opportunity? Scenario-based thinking — not complex scoring. |
3. Implement Controls | Focus on access, supervision, and prevention: restricted zones, CCTV, visitor management, access logs, staff screening, and escalation protocols. Controls must be proportionate to the threat. |
4. Training & Awareness | Staff must understand what to look for, what is unusual, and when to escalate. TACCP is about people — and people who are unaware cannot support your controls. |
5. Monitor & Review | Review after incidents, staff/access changes, facility modifications, new threats — and at a minimum, annually. Document reviews and retain evidence. Evolving threats need evolving controls. |
Every TACCP scenario assessment should address three questions, consistent with the assessment structure in PAS 96:2017 [4]:
THREAT | Who could cause harm? Employee, contractor, visitor, or external actor. Identifying the threat type shapes all controls that follow. |
VULNERABILITY | Where could they act? Access points, secluded areas, production lines, sampling points, rework zones — anywhere product could be interfered with undetected. |
IMPACT | What would happen? Consider product safety consequences, public health risk, brand damage, and operational disruption. Not all threats carry the same consequence. |
Consider unauthorised access to raw material storage. The threat is any person entering the area without authorisation — staff, contractor, or visitor. The vulnerability is poor access control: no restricted entry, no monitoring, limited supervision. The impact is potential intentional contamination, with consequences including product recall, consumer harm, and brand damage. This is not a storage management issue — it is a food defence risk requiring formal assessment and proportionate controls: clear access restrictions, an access log or register, basic CCTV coverage, and staff awareness of expected behaviour and escalation.
The following failures are the most frequently observed against BRCGS Issue 9 Clause 5.4.2 [3] and FSSC 22000 V6 AR 2.5.4 [2]:
# | The Failure | Why It Creates Audit Risk |
1 | VACCP embedded inside HACCP | Signals that the system has not been understood. VACCP deals with intentional fraud — HACCP with accidental risk. They cannot be treated as the same thing. |
2 | Focus is limited to inside the factory | VACCP assesses supply chain risk. Fraud happens upstream — by the time the product reaches you, it may already be compromised. |
3 | Generic, template-driven assessment | An assessment with no supplier context, no country-of-origin consideration, and no justification for scores cannot be defended. Every rating needs a rationale. |
4 | No risk prioritisation | Applying identical controls to everything — high- and low-risk alike — signals no real risk-based thinking. If everything is critical, nothing is. |
5 | Controls not integrated operationally | Controls listed in VACCP but absent from supplier programmes or testing schedules do not exist in practice. Integration is what makes them real. |
The following failures are most frequently observed against BRCGS Issue 9 Clause 5.4.1 [3] and FSSC 22000 V6 AR 2.5.3 [2]:
# | The Failure | Why It Creates Audit Risk |
1 | Treated like a HACCP hazard assessment | TACCP is about people, access, and intent. Assessing process contamination hazards instead of threat scenarios misses the entire purpose of the system. |
2 | Generic checklist with no scenario thinking | Tick-box exercises that do not walk through realistic threat scenarios will miss real risks. TACCP requires asking: what could actually happen here? |
3 | Internal threats not assessed | Most food defence incidents involve internal actors. A system focused entirely on external threats has a significant structural gap. |
4 | No staff training or awareness component | Controls without awareness are ineffective. Staff must know what unusual behaviour looks like and who to contact if something seems wrong. |
5 | Not reviewed when things change | Staff turnover, access changes, and facility modifications are all review triggers. A TACCP that was accurate when written may be dangerously outdated. |
The following checklist reflects the explicit audit expectations of FSSC 22000 V6 AR 2.5.4 [2] and BRCGS Issue 9 Clause 5.4.2 [3], supplemented by the SSAFE vulnerability assessment framework [7]:
☐ | VACCP is a standalone document, separate from HACCP. [Ref 2, 3] |
☐ | Scope covers all raw materials, ingredients, packaging, and processing aids. [Ref 2, 3] |
☐ | Vulnerability assessed using documented factors (Opportunity, Motivation, Detection) — with justification for each rating. [Ref 7] |
☐ | Controls are proportionate to risk level — not identical across all materials. [Ref 2, 3] |
☐ | Controls are embedded in supplier programmes, incoming goods procedures, and testing schedules. [Ref 2, 3] |
☐ | Review frequency and triggers are defined; evidence of last review is available. [Ref 2, 3] |
☐ | Team competence: cross-functional team with documented roles. [Ref 2, 3] |
The following checklist reflects the explicit audit expectations of FSSC 22000 V6 AR 2.5.3 [2] and BRCGS Issue 9 Clause 5.4.1 [3], drawing on the threat assessment methodology in PAS 96:2017 [4]:
☐ | TACCP is a standalone Food Defence assessment, separate from VACCP. [Ref 2, 3] |
☐ | Threat assessment is scenario-based — not a generic checklist. [Ref 4] |
☐ | Both internal and external threats have been assessed. [Ref 4] |
☐ | Proportionate controls are in place and linked to site security procedures. [Ref 2, 3, 4] |
☐ | Staff training and awareness records are available and current. [Ref 2, 3] |
☐ | Escalation protocol is defined: staff know what to do and who to contact. [Ref 4] |
☐ | Review triggers and evidence of reviews are documented. [Ref 2, 3] |
The strongest systems share one characteristic: you can point to any line in the document and explain — in plain language — why that decision was made, what control addresses it, and where the evidence lives. That is what audit-readiness looks like. |
Most gaps in VACCP and TACCP systems can be addressed through structured thinking rather than complexity. Use the following action list as a starting point:
Entecom’s food safety consultants and cloud-based management platform are designed to help organisations build VACCP and TACCP systems that are visual, structured, and genuinely manageable — making them easier to maintain, easier to review, and easier to demonstrate during audits. Contact the Entecom team at info@entecom.co.za or visit our website at www.entecom.co.za to discuss your current system or request a demonstration.
REFERENCES
[1] Global Food Safety Initiative (GFSI). (2024). GFSI Benchmarking Requirements, Version 2020.1. Consumer Goods Forum, Paris, France. Available at: https://mygfsi.com/how-to-implement/benchmarking/benchmarking-requirements/
[2] Foundation FSSC 22000. (2023). FSSC 22000 Food Safety System Certification — Version 6. Foundation FSSC 22000, Gorinchem, Netherlands. Available at: https://www.fssc.com/fssc-22000/
[3] BRCGS. (2022). BRCGS Food Safety — Global Standard for Food Safety, Issue 9. BRCGS, London, United Kingdom. Available at: https://www.brcgs.com/our-standards/food-safety/
[4] BSI (British Standards Institution). (2017). PAS 96:2017 — Guide to Protecting and Defending Food and Drink from Deliberate Attack. BSI Standards Limited, London, United Kingdom. Available at: https://www.bsigroup.com/en-GB/insights-and-media/insights/brochures/pas-96-guide-to-protecting-and-defending-food/
.
[5] Codex Alimentarius Commission. (2020). General Principles of Food Hygiene (CXC 1-1969, Revision 2020). FAO/WHO, Rome, Italy. Available at: https://www.fao.org/fao-who-codexalimentarius/sh-proxy/en/?lnk=1&url=https%3A%2F%2Fworkspace.fao.org%2Fsites%2Fcodex%2FStandards%2FCXC%201-1969%2FCXC_001e.pdf
[6] Elliott, C. (2014). Elliott Review into the Integrity and Assurance of Food Supply Networks — Final Report: A National Food Crime Prevention Framework. HM Government, London, United Kingdom. Available at: https://www.gov.uk/government/publications/elliott-review-into-the-integrity-and-assurance-of-food-supply-networks-final-report
[7] SSAFE. (2019). Food Fraud Vulnerability Assessment — Guidance Document and Tool. SSAFE (Safe Supply of Affordable Food Everywhere), Brussels, Belgium. Available at: https://www.ssafe-food.org/our-programmes/food-fraud/food-fraud-vulnerability-assessment/
[8] ISO (International Organization for Standardization). (2018). ISO 22000:2018 — Food Safety Management Systems: Requirements for Any Organization in the Food Chain. ISO, Geneva, Switzerland. Available at: https://www.iso.org/standard/65464.html
.
[9] Van Bergen, S., Poelman, A., & Gutierrez, T. (2019). “Food Fraud Vulnerability and Risk Assessment.” In: Herrmann, S.S., et al. (eds.), Comprehensive Food Safety. Elsevier, Amsterdam.
[10] Food Standards Agency (FSA) / Food Safety Authority of Ireland (FSAI). (2014). Food Fraud — A Practical Guide for Food Business Operators. FSA/FSAI, London/Dublin. Available at: https://www.food.gov.uk/business-guidance/food-fraud-hub