Earlier this month, IFS published its new Product and Food Defense Guideline Version 2. I was noted as a contributor, especially in cybersecurity. Their guideline has many practical applications that will help you achieve compliance, including the risk assessment section and the focus on TACCP.
- Reference: IFS, International Featured Standards, (2024), Product and Food Defense Guideline, Version 2, Publication Date: July 2024, URL: https://www.csqa.it/getattachment/fa072a34-7928-4f5b-8348-c6936fd07f4c/IFS_Product_and_Food_Defence_guideline_v2_EN_1720443254.pdf?lang=it-IT
The International Feature Standards GmbH (IFS) is a joint venture between the French Retail Association and the German Retail Association. This is one of the four major GFSI-related standards for food safety management systems. IFS provides standards for a wide range of products, including food. The published guideline documents support the IFS Food Standard. Earlier this month, on July 8, 2024, they published an updated version of the IFS Product and Food Defense Guidance (version 2). I first met the IFS team at the GFSI annual conference in Houston in 2017, and we’ve stayed in touch. One of my activities includes volunteering to provide insight or feedback on new standards or related documents such as this guideline. In the preface to this guideline, they mentioned my contribution.
Food Defense Guideline Update
IFS makes sure to confirm that recommendations in the guidance are not mandatory. “This guideline is a supporting document related to the topic of product defense. It is not a normative document, and its implementation is not mandatory.” They also offer a clear reminder that meeting compliance for GFSI or this guidance does not necessarily equate to compliance with everything. “Food defense requirements are subject to different regulations in different countries and regions, which must be taken into account.”
The first version of the guidance was very thorough, so the updates were minor. The continued emphasis on considering the full range of hazards or threats is essential, as is comprehensive assessment and the emphasis on an overall management system, not just focusing on a few threats.
Specifically, the Example of a Product Defense Assessment uses the ISO 31000 Risk Management concepts of both likelihood and consequence. They include a starting point for the very low, low, medium, high, and very high categories. They note the importance of calibrating these criteria with the food safety assessment which, in turn, is calibrated to the company’s overall risk tolerance.
They also have a very practical checklist as a starting point: “Checklist for internal use on site.”
TACCP – Threat Assessment and Critical Control Point methodology
The IFS Food Defense guidance is consistent with the application of TACCP – or ‘HACCP-type’ activities but applied to food-related intentional acts intended to cause harm. “IFS recommends the TACCP method for product and food defense (while VACCP applies to food fraud mitigation). This approach includes a threat assessment and critical control points. “Weak points” are analyzed, and critical control points in the supply chain and processing activities are identified. TACCP is structured analogous to the classic HACCP; however, its focal point is the comprehensive site security.”
- TACCP: “Threat Assessment and Critical Control Points analyses threats such as deliberate contamination of food, sabotage of the supply chain or the use of food or for terrorist or criminal purposes.”
- VACCP: “Vulnerability Assessment and Critical Control Points to identify vulnerabilities for a food business due to food fraud.”
Expanded Cybersecurity Guidance
IFS expanded its cybersecurity guidance in part due to the expanded requirements in ISO 22000 Food Safety Management system standards. ISO 22000 expanded to explicitly include cybersecurity as a root cause of a food safety incident: ““(…) external and internal issues including but not limited to legal, technological, competitive, market, cultural, social, economic environments, cybersecurity, and food fraud, food defense and intentional contamination (…)”. (ISO 22000, Section 4.1, Note 1, 2018).” They present definitions of the different types of issues, including general cybersecurity, information technology (IT), operational technology (OT), and information and communication technology (ITC). The rest of the guidance and their other works are calibrated to other ISO and related standards. “The application of common risk management practices is helpful in identifying the weakness in product safety-related systems regarding cybersecurity. (John W. Spink, 2023)”
Takeaway Points
- Whether you follow the IFS Food standards or not, the new Food Defense Guidance is helpful for any food safety management system.
- The broad food defense management system is efficient and should be considered within the TACCP framework.
- Cybersecurity has food safety management system applications, but they are not to manage the entire IT/ OT/ ITC process.
Reference:
IFS, International Featured Standards, (2024), Version 2, Publication Date: July 2024, URL: https://www.csqa.it/getattachment/fa072a34-7928-4f5b-8348-c6936fd07f4c/IFS_Product_and_Food_Defence_guideline_v2_EN_1720443254.pdf?lang=it-IT