V5 Ultimate
Guide

VACCP & TACCP: The Two Assessments GFSI Demands and Most Sites Underbuild

GFSI requires both — VACCP (Vulnerability Assessment Critical Control Point) for food fraud / economically motivated adulteration, and TACCP (Threat Assessment Critical Control Point) for food defense / intentional contamination. SQF Edition 9, BRCGS Issue 9 section 5.4, FSSC 22000 v6 and IFS Food v8 all demand documented assessments, mitigation strategies, and annual review. On top of that, FSMA's Intentional Adulteration rule (21 CFR 121) makes food defense vulnerability assessment a federal requirement for most covered facilities. Most sites carry a one-page VACCP/TACCP each and discover at audit that it doesn't survive a 30-minute interview. This guide is the operating manual for both.

Start free trial Free trial, no credit card, onboard in days, not months.

VACCP vs TACCP — same letters, different threat models

VACCP (food fraud) covers economically motivated adulteration: someone substitutes, dilutes, mislabels or otherwise alters a material for financial gain, without intent to harm. The horsemeat scandal (2013), Sudan dye contamination of spices, melamine in milk powder, fish species substitution, and EVOO/honey adulteration are the canonical examples. TACCP (food defense) covers intentional contamination — someone (disgruntled employee, malicious actor, ideological adversary) tries to harm consumers via the food product. The threat actor, the motive and the mitigation set are different. GFSI requires both as separate assessments; collapsing them into one document is a frequent BRCGS Issue 9 audit finding.

VACCP: building a vulnerability assessment that survives audit

BRCGS Issue 9 clause 5.4.1 and SQF 11.4 require a documented vulnerability assessment per raw material (or material group), reviewed annually and on change. The assessment must consider historical evidence of substitution or adulteration (FoodFraud.org / DECERNIS / HorizonScan), economic factors (price volatility, supply scarcity), ease of access, sophistication of routine testing, geographic source, and the nature of the material (refined products are harder to detect, single-source materials are higher risk). The output is a risk score and, for high-risk materials, a documented mitigation strategy — enhanced supplier audit, additional testing (DNA, isotope, NMR), supply-chain transparency requirements, or material substitution.

TACCP: the FSMA 121 layer most sites have to comply with

FSMA's Intentional Adulteration rule (21 CFR 121) requires most registered food facilities to conduct a vulnerability assessment to identify Significant Vulnerabilities (process steps where a contaminant could be introduced to cause wide-scale public health harm), implement mitigation strategies at those Actionable Process Steps, monitor and verify, and train the Food Defense Qualified Individual (FDQI). The compliance dates are past for most facilities (small-business 26 July 2021; large 26 July 2019). FDA inspections under FSMA 121 are now routine, and the most common 483 is 'no vulnerability assessment on file' or 'mitigation strategies present but no verification records'.

Mitigation strategies that actually do something

Weak mitigation strategies cited in audits: 'CCTV in operation' (with no evidence the footage is reviewed), 'restricted access to the production area' (with shared badge codes), 'employee background checks' (without renewal cadence), 'tamper-evident packaging' (without verification at receipt). Strong strategies: two-person rule at high-risk process steps, real-time monitoring with alarming, supplier transparency requirements with on-site audit, batch-level genuineness testing (DNA species ID, isotope ratio, NMR profile) for high-VACCP-risk materials, sealed and tracked tanker integrity for bulk liquids, role-based access on critical process control with logged override.

Horizon scanning and the annual review that catches the new threat

Both VACCP and TACCP require horizon scanning — what's been adulterated in the last 12 months, what's been threatened, what's new in the geopolitical and supply landscape that changes the threat model. Free sources: FDA Reportable Food Registry, RASFF (EU), FoodSafetyNews, Food Fraud Database (DECERNIS), HorizonScan. The annual review must show the inputs reviewed and the assessment updates that resulted — a 'no change' annual review with no horizon-scan evidence is a Major NC in BRCGS Issue 9.

A 45-day VACCP/TACCP build / refresh path

Days 1–10: raw material inventory; VACCP scoring per material against the BRCGS Issue 9 factors; high-risk list. Days 11–20: TACCP / FSMA 121 vulnerability assessment per process step; Actionable Process Steps identified; mitigation strategies documented. Days 21–30: verification activities defined per mitigation; horizon-scan source list and review cadence; FDQI training refresh. Days 31–40: integration with the supplier programme (VACCP) and the food defense plan (TACCP); recall plan cross-reference. Days 41–45: mock incident — a horsemeat-style supplier-substitution scenario and an intentional-contamination tabletop exercise.

Standards covered in this guide

Each standard, retailer code or assurance scheme referenced above has its own deep-dive page with scope, audit detail and common pitfalls.

BRCGS

GFSI-recognised food-safety standard — most common in UK and EU food retailing.

SQF

GFSI-recognised food-safety standard widely used in the US — SQFI runs the program.

FSSC 22000

GFSI-recognised food-safety standard combining ISO 22000, PRP and additional requirements.

Where this lives in V5 Ultimate

The clauses above aren't theoretical — every one maps to a shipped module and an industry profile. Jump to the parts of the product that turn this guide into evidence on a Monday morning.

Modules that do the work
VACCP/TACCP module

Separate assessments with horizon-scan integration.

Supplier vulnerability

Per-material VACCP risk and mitigation on the supplier file.

Mitigation verification

Each mitigation strategy has its own verification cadence.

Industries this hits hardest
Food & beverageIngredients & dry mixes

Frequently asked

Can I combine VACCP and TACCP into one document?
Auditors increasingly want them separate because the threat actor, motive and mitigation set differ. SQF Edition 9 and BRCGS Issue 9 both expect separate assessments. Combining them is a common cause of minor NCs and conversations the audit team has to defend in detail.
Does FSMA 121 apply to me?
Most registered food facilities under the FD&C Act are covered — exemptions exist for very small businesses (annual food sales averaging less than $10M), animal food facilities, alcoholic beverages where exempt under preventive controls, on-farm activities under specified thresholds, and storage of packaged food not exposed to the environment. Most US food manufacturers are in scope. Compliance dates have already passed.
How often do I need to update the vulnerability assessment?
BRCGS Issue 9, SQF Edition 9 and FSMA 121 all require annual review at minimum, plus an update on any change to the supply chain, process or threat landscape. A horsemeat-class supply-chain event in your category should trigger an off-cycle review.
What's the difference between food defense and food security?
Food defense is protection against intentional contamination (TACCP / FSMA 121). Food security is the assurance of supply itself (continuity, geopolitical risk, agricultural shock). They overlap on supplier transparency and dual-sourcing but the assessment frameworks are different.

See it on your shop floor.

Free trial, no credit card, onboard in days, not months.

Start free trialSee pricing →Browse all resources →
Related reading
Spot something off? .