TACCP/VACCP: Practical Guide for Food Retail and Distribution in 2025

1. Introduction

Food retailers and distributors play a critical role in maintaining the integrity and safety of food throughout the supply chain. While HACCP (Hazard Analysis and Critical Control Points) focuses on unintentional hazards to food safety, the increasing risk of deliberate contamination and food fraud has led to the development of TACCP (Threat Assessment and Critical Control Points) and VACCP (Vulnerability Assessment and Critical Control Points).

These methodologies help organizations protect food products from malicious attacks, economically motivated adulteration, and integrity breaches.

1.1 What are the aims of TACCP and VACCP?

TACCP (Threat Assessment and Critical Control Points) aims to identify and control deliberate acts intended to harm consumers, brands, or supply chains (e.g. sabotage, bioterrorism, or malicious contamination).

VACCP (Vulnerability Assessment and Critical Control Points) focuses on preventing fraudulent activities, such as mislabelling, adulteration, or substitution for economic gain.

Both systems support a Food Defense and Food Fraud Prevention Plan, strengthening resilience and trust throughout the supply chain.

1.2 How does TACCP/VACCP compare to HACCP? Aspect HACCP TACCP VACCP Objective Control of unintentional hazards Control of intentional contamination Control of economically motivated adulteration Hazard Type Biological, chemical, physical Intentional acts (sabotage, terrorism) Fraudulent activities (substitution, mislabelling) Drivers Food safety Security and defense Ethics and economic integrity Team Food safety specialists Cross-functional (security, logistics, HR) Supply chain, procurement, QA Tools Hazard analysis Threat assessment Vulnerability assessment 1.3 Considerations When Conducting Your TACCP/VACCP

When conducting TACCP or VACCP studies, organizations should consider:

Legal and regulatory requirements (e.g. EU Food Defense guidance, ISO 22000:2018, ISO 22002-100/7:2025, GFSI).

Company size and complexity of operations.

Potential intentional and economically motivated threats.

Supply chain integrity and transparency.

Communication with authorities and partners.

1. Starting a TACCP/VACCP Study

Before starting, establish management commitment and allocate resources. The process typically involves:

Appointing a competent leader or coordinator.

Forming a multidisciplinary team.

Defining scope, boundaries, and objectives.

Conducting risk assessments.

Implementing mitigation measures and continuous review.

Top management must endorse the study, as the outcomes may require investments in physical security, supplier control, and traceability systems.

1. Team Selection

The TACCP/VACCP team should be multidisciplinary, including representatives from:

Food safety and quality assurance

Security and IT

Human resources

Logistics and warehousing

Procurement and supplier management

Senior management

Each member should understand their responsibility for identifying, assessing, and controlling threats and vulnerabilities. Confidentiality agreements are recommended due to the sensitive nature of the information handled.

1. Define the Scope of the TACCP/VACCP Study

Clearly define:

The products and services covered.

The facilities, departments, and external partners included.

The flow of goods (from supplier to consumer).

Boundaries (what is and isn’t under direct control).

A process flow diagram, similar to that used in HACCP, can be a useful visual tool to map where threats or vulnerabilities might arise.

1. Review Current TACCP/VACCP Measures in Place

Evaluate existing systems that already contribute to defense and fraud prevention:

Access control and visitor management procedures.

Supplier approval and audit programs.

Product authenticity testing.

Traceability systems and data integrity controls.

Incident response protocols.

This review identifies gaps and prevents duplication of efforts across food safety, quality, and security management systems.

1. Threat Characterisation

A detailed Threat Characterisation step ensures that the team identifies potential attack vectors, motives, and vulnerabilities. Threats can arise internally or externally and may target physical, chemical, biological, or cyber vulnerabilities.

6.1 Understanding the Threats and Vulnerabilities

Consider both intentional harm (TACCP) and fraudulent motivation (VACCP). Examples include:

Sabotage or contamination by disgruntled employees.

Substitution of ingredients with cheaper alternatives.

Theft or diversion of high-value goods.

Data tampering in electronic traceability systems.

6.2 Understanding the Attacker

Threats can originate from several domains:

6.2.1 Personnel

Disgruntled or coerced employees.

Temporary staff with minimal screening.

Contractors without adequate supervision.

Lack of awareness training on food defense.

6.2.2 Premises

Poor perimeter security (unlocked doors, inadequate lighting).

Lack of CCTV or intrusion detection.

Insecure waste disposal areas or loading bays.

6.2.3 Process

Uncontrolled access to raw materials or open product lines.

Poor segregation of high-risk areas.

Inadequate verification of cleaning or maintenance staff.

6.2.4 Services

Outsourced cleaning or pest control contractors without verification.

IT service providers with unmonitored system access.

6.2.5 Logistics

Unsealed transport vehicles.

Tampering during loading/unloading or cross-docking.

Use of unapproved third-party warehouses.

6.2.6 Cybercrime

Manipulation of digital traceability records.

Phishing attacks leading to falsified documentation.

Ransomware targeting food safety or warehouse management systems.

1. Mitigation Strategy Development

For each identified threat or vulnerability:

Assess the likelihood and impact.

Assign a risk level (e.g. low, medium, high).

Develop mitigation measures, such as:

Strengthened access control and CCTV coverage.

Enhanced supplier verification and testing.

Anti-tampering packaging or seals.

Staff vetting, training, and awareness campaigns.

Document responsibilities and review timelines.

1. Horizon Scanning for New and Emerging Threats

Implement a process for horizon scanning to identify emerging risks, such as:

New fraud techniques or adulteration trends.

Changes in geopolitical or economic conditions.

Emerging technologies affecting supply chain security.

Regulatory updates and enforcement actions.

Participation in industry networks and sharing information with authorities (e.g., RASFF, Food Industry Intelligence Platforms) enhances preparedness.

1. Implementation

Once mitigation measures are approved:

Integrate them into existing management systems (e.g., ISO 22000, ISO 9001, ISO 45001).

Update Standard Operating Procedures (SOPs).

Communicate responsibilities to all affected personnel.

Provide targeted training on defense and fraud awareness.

1. Recording and Documentation

All assessments and actions must be documented and retained. Records should include:

Team composition and meeting minutes.

Identified threats, vulnerabilities, and risk ratings.

Mitigation measures and verification results.

Training attendance and incident logs.

Documentation supports transparency, traceability, and audit readiness.

1. Audit and Review

Regularly audit and review the TACCP/VACCP system to ensure:

Effectiveness of control measures.

Updated risk assessments based on new intelligence.

Corrective actions following incidents or near misses.

Continuous improvement aligned with ISO 22000 and GFSI expectations.

Annual reviews are recommended, or immediately following major organizational or supply chain changes.

1. Further Reading

ISO 22000:2018 — Food Safety Management Systems.

ISO 22002-100:2025 — Common Prerequisite Programmes.

ISO 22002-7:2025 — Prerequisite Programmes for Retail and Wholesale.

BSI PAS 96:2017 — Guide to Protecting and Defending Food and Drink from Deliberate Attack.

Codex Alimentarius (2023) — HACCP and Food Safety Principles.

GFSI Benchmarking Requirements (Version 2023).

European Commission: Food Fraud Network and RASFF Portal.