TACCP vs VACCP: differences and how to document them
TACCP assesses intentional threats; VACCP, food fraud vulnerabilities. What each covers, how to document them, and what IFS, BRCGS and FSSC 22000 require.

Few pairs of acronyms generate as much confusion in a food plant as TACCP and VACCP. On paper they look similar: two evaluations, two risk matrices, two mitigation plans. In practice, many companies resolve them with a single document that mixes sabotage, adulteration and a couple of generic measures, and that mixture ends in deviation as soon as the auditor requests the two evaluations separately. Not because of lack of work, but because of a widespread misunderstanding: treating TACCP and VACCP as if they were the same.
They are not. They answer different questions, they are prepared by different profiles and the standards require them separately. This guide tells you what each one covers, how they differ from traditional HACCP, and how to document them so that they withstand any awkward question from any auditor.
What is TACCP and what is VACCP
TACCP (Threat Assessment and Critical Control Points) evaluates intentional threats: sabotage, deliberate contamination, a resentful employee, an intruder who reaches a production area. Its technical reference is PAS 96, the British guide that structures how to think about who would want to do harm and where they could enter. The key question is who has motive and opportunity to attack your product. That is why look at accesses, docks, visits, temporary staff and the points where the product is exposed without supervision.
VACCP (Vulnerability Assessment and Critical Control Points) evaluates food fraud vulnerabilities: adulteration of raw materials, substitution of ingredients for cheaper ones, false labeling, manipulated documentation of origin. Here the attacker is not looking to do harm, he is looking to make money. Think olive oil diluted with seed oil, spices with unauthorized coloring, or a supplier that changes the species of fish on the delivery note. The key question is where it is profitable for someone to deceive you in the supply chain.
The mental table: who attacks and what each one protects
The quickest way to avoid confusing them is to look at the intention of whoever generates the risk:
- HACCP: unintended risks. Nobody wants to pollute; It occurs due to process failures. Example: Listeria due to poorly executed cleaning on the slicing line.
- TACCP: intentional damage. Someone wants to harm the company or the consumer. Example: deliberate contamination in a packaging plant during the night shift.
- VACCP: deception for profit. No one seeks to do harm, although the shortcut may end up doing so. Example: honey adulterated with sugar syrups.
How to document each evaluation step by step
All three share a method: evaluate, prioritize, mitigate and review. But they protect against different actors: the typical error of merging them into a generic document ends in deviation, because the auditor expects two analyzes with their own equipment, criteria and measures.
The process is parallel for both, but not identical. Document each step, because if it's not written, it hasn't happened:
- Form the team: for TACCP you need quality, production, HR and maintenance; for VACCP, quality and purchasing, with someone who really knows the suppliers.
- Define the scope: which products, lines, raw materials and plant areas are included in the evaluation, and why.
- Score each threat or vulnerability with a probability matrix by impact, and leave the scoring criteria in writing so you can defend it.
- Establishes mitigation measures for high scores: access control, seals on cisterns, authenticity analysis, reinforced supplier approval.
- Set the review: at least annually, and whenever a supplier, an ingredient changes or an incident occurs in the sector.
Where do the rules ask for it?
IFS Food v8 dedicates clause 4.21 to Food Defense and expects a documented and periodically reviewed threat assessment. BRCGS Issue 9 addresses site security and Food Defense in clause 4.2, as well as requiring raw material fraud vulnerability analysis. FSSC 22000 adds additional Food Defense and food fraud requirements, with separate mitigation plans for each. And Regulation (EU) 2021/382, by introducing food safety culture in Regulation (EC) 852/2004, remembers that this is not one-day paperwork, but a living system.
The plan is only valid if you can prove it
You can have the best TACCP in the sector, but if the auditor asks who entered Pier 3 on Tuesday and the answer is an illegible sheet of paper, the plan falls apart. At SentyHub we connect the measures of the plan with its evidence: digital registration of accesses and visits, dock appointments with traceability, surveillance checklists in digital forms and VideoProof, which links each control with the video of the exact moment.
And if you're building your plan from scratch, on our templates page you have a free Food Defense template aligned with IFS Food v8 so you don't start with a blank sheet of paper.