Food Defense: What It Is, How to Implement It, and How to Manage It With Software
Food Defense is not the same as food safety. HACCP deals with accidental hazards — biological, chemical, or physical contamination that may occur unintentionally during processing. Food Defense deals with deliberate threats: intentional adulteration, sabotage, malicious contamination, or any act driven by economic, ideological, or personal motives.
They are complementary systems. And if your organization is pursuing or maintaining FSSC 22000 certification, Food Defense is not optional — it is an explicit requirement of the scheme (clause 2.5.3 of FSSC 22000 V6).
Why Food Defense matters
A single intentional adulteration incident can destroy a brand in hours. Unlike accidental hazards — where probability can be modeled with historical data — a deliberate threat depends on the attacker’s motivation, capability, and access. And those factors change.
Some real-world examples that justify a food defense plan:
- A disgruntled employee contaminating a production lot.
- Seal tampering during transport.
- Intrusion into SCADA systems that alter critical process parameters.
- Ingredient substitution by fraudulent suppliers.
- Extortion through threats linking to product contamination.
The question is not whether this could happen to you. The question is whether you would detect it in time and whether you have controls to prevent it.
TACCP: the methodology behind Food Defense
Just as HACCP has its hazard analysis methodology, Food Defense uses TACCP — Threat Assessment and Critical Control Points.
The key difference: HACCP evaluates likelihood × severity of accidental hazards. TACCP evaluates motivation, capability, and accessibility of a potential attacker against each organizational asset.
The TACCP process step by step
1. Form the food defense team
The HACCP team alone is not enough. An effective TACCP team requires specific profiles:
- Leader of the food defense team.
- Security coordinator (physical and facility security).
- HR representative — essential for evaluating insider threats.
- IT representative — for cyber threats.
- Operations — knows the vulnerable points of the process.
- Specialist — depending on context (logistics, quality, etc.).
Each member must have demonstrable competence. That means training records and evidence of their food defense education.
2. Inventory the assets to protect
What can be attacked? Do not think only about the finished product. Assets include:
- Products and ingredients.
- Packaging materials.
- Production equipment.
- IT systems (SCADA, ERP, traceability systems).
- Personnel (access, roles, trust level).
- Infrastructure (facilities, utilities, vehicles).
Each asset is classified by location, responsible custodian, and access level (public, restricted, or critical). A storage tank that anyone can access has a completely different risk profile from one inside a restricted area with CCTV.
3. Identify threats
The PAS 96 guidance provides a standard threat catalog organized by category:
| Category | Examples |
|---|---|
| Chemical contamination | Injection of toxic substances, water system poisoning, false labeling |
| Biological contamination | Pathogen introduction, intentionally contaminated ingredients |
| Physical sabotage | Equipment tampering, inserted foreign objects, seal breakage, cold chain interruption |
| Cyber attacks | SCADA/PLC manipulation, record falsification, system intrusion |
| Theft and diversion | Product substitution, re-labeling, unauthorized sales |
| Extortion | Threats conditioned on product contamination |
Actors can be internal (disgruntled employee), external (organized crime, activists), suppliers, contractors, or even opportunists.
4. Evaluate each threat × asset combination
This is the heart of TACCP. For each threat-asset pair, 4 criteria are scored on a 1–5 scale:
- Motivation: how motivated is the attacker to target this asset?
- Capability: does the attacker have the technical means to carry out the attack?
- Accessibility: how easy is it to reach the asset?
- Impact: what damage would a successful attack cause? (health, reputation, economic, operational)
The risk score is calculated as:
Likelihood = (Motivation + Capability + Accessibility) / 3
Risk = Likelihood × Impact
And classified into four levels:
- Low (≤5): periodic monitoring.
- Medium (≤10): basic controls and follow-up.
- High (≤17): requires a defense critical control point (DCCP).
- Critical (>17): requires a DCCP with reinforced verification and a response plan.
5. Define Defense Critical Control Points (DCCPs)
For every combination rated high or critical, a DCCP is established — the food defense equivalent of a CCP in HACCP.
Each DCCP defines:
- Control type: physical (locks, CCTV, seals), procedural (protocols, verifications), technological (monitoring systems), or behavioral (training, security culture).
- Acceptance criteria: what condition must be met to consider the control effective.
- Verification method and frequency: inspection, sampling, audit, record review, or drill.
6. Establish mitigation measures
Each DCCP can have multiple mitigation measures, classified into three types:
- Preventive: block the attack from happening. Example: biometric access control, personnel background checks, transport security seals.
- Detective: identify if an attack occurred. Example: CCTV, laboratory testing, unannounced audits, incoming inspection.
- Responsive: react to the incident. Example: product quarantine, recall protocol, forensic investigation, authority notification.
Each measure has a responsible party, deadline, supporting evidence, and an implementation status that tracks whether it was actually executed.
7. Monitor continuously
A food defense plan is not a document reviewed once a year. Events that can change the risk profile happen constantly:
- Security incidents.
- Personnel changes (especially in critical areas).
- Supplier changes.
- Process modifications.
- External alerts (health, security, regulatory).
- Audit findings.
Each event is logged with its severity (informational, relevant, or critical) and can trigger a re-evaluation of the affected threat.
8. Review periodically
FSSC 22000 requires periodic reviews of the food defense plan. Frequency depends on context — it may be monthly, quarterly, semiannual, or annual — but the review must be documented with:
- Who conducted the review.
- What decision was made (maintain or update).
- Supporting evidence.
- Date of the next scheduled review.
How does Food Defense relate to HACCP?
They are parallel systems protecting the same product from different angles:
| HACCP | Food Defense (TACCP) | |
|---|---|---|
| Focuses on | Accidental hazards | Deliberate threats |
| Evaluates | Likelihood × Severity | Motivation × Capability × Accessibility × Impact |
| Controls through | CCPs (Critical Control Points) | DCCPs (Defense Critical Control Points) |
| Monitors | Measurable critical limits | Security and access conditions |
| Evidence | Monitoring records | Verifications, events, drills |
In practice, many process points where a HACCP CCP already exists also require a food defense DCCP. The difference is the type of control: HACCP monitors temperature, pH, or time; Food Defense monitors access, seal integrity, or behavior.
That is why both systems should share the same platform. If your HACCP hazard analysis and your TACCP assessment live in separate tools, you duplicate effort and lose traceability.
Implementing Food Defense with software: what changes
Managing TACCP on paper or in spreadsheets has the same problems as managing HACCP that way: version control is lost, there is no traceability, verifications are forgotten, and evidence gets scattered.
Specialized software changes the dynamic in several key areas:
Visual risk matrix
Instead of a static Excel table, an interactive 5×5 risk matrix lets you see at a glance where the highest-risk threat-asset combinations are concentrated. Colors immediately show what requires a DCCP and what is under control.
Pre-loaded threat catalog
In AdminISO, the Food Defense module includes a catalog of 18 PAS 96-based threats that you can load with one click. You do not start from scratch: you adapt the catalog to your context, add threats specific to your operation, and remove those that do not apply.
Supply chain diagram
A visual editor lets you map the complete flow from supplier to end customer: reception, storage, production, packaging, distribution. Each node in the chain is documented and linked to corresponding assets and threats.
Approval workflow and versioning
Each TACCP assessment goes through a workflow: draft → in review → approved → archived. Every version is recorded immutably, with a history of who approved, when, and with what observations.
Verifications and events with evidence
Periodic verifications of each DCCP are recorded with method, result, findings, and supporting files. Monitoring events (incidents, changes, alerts) are logged with severity and linked to the corresponding assessment.
Food defense dashboard
A dedicated control panel shows module KPIs:
- Active assessments and their approval status.
- Number of inventoried assets and cataloged threats.
- High and critical risk evaluations.
- DCCPs pending, active, and verified.
- Mitigation measures awaiting implementation.
- Critical events logged.
- Overdue and upcoming reviews.
This lets the food defense coordinator see in seconds whether the system is working or whether there are gaps to address — the same logic as the ISO 9001 dashboard applied to protection against deliberate threats.
What does FSSC 22000 require for Food Defense?
Clause 2.5.3 of FSSC 22000 states that the organization must:
- Conduct a threat assessment to identify and evaluate potential threats.
- Define mitigation measures for significant threats.
- Maintain a documented food defense plan.
- Verify the effectiveness of implemented measures.
- Review the plan periodically and in response to significant changes.
It is a certification requirement. If you do not have a documented Food Defense system with assessments, controls, and evidence, the FSSC 22000 audit will generate a nonconformity.
How to get started with Food Defense
If your organization already has HACCP implemented, you have a solid foundation. The steps to implement Food Defense on that foundation are:
- Form the TACCP team with the necessary profiles (security, HR, IT, operations).
- Inventory assets — use the process points you already identified in HACCP as a reference.
- Load the PAS 96 threat catalog and adapt it to your context.
- Evaluate each threat × asset combination using the 4-criteria methodology.
- Define DCCPs for high and critical risks.
- Implement mitigation measures — preventive, detective, and responsive.
- Set up the verification and review schedule.
- Document everything on a platform that generates the evidence you need for audit.
In AdminISO, the Food Defense module is integrated within the FSSC 22000 plan. You can link your TACCP assessment directly to your HACCP study, share the multidisciplinary team, and manage both systems from the same place.