Last Updated on October 13, 2025 by Hafsa J.

Food Fraud and Food Defense in FSSC 22000 V6

If you’ve ever looked at your food safety documentation and thought, “Wait—is this food fraud or food defense?”—you’re not alone.

In fact, even seasoned teams sometimes confuse the two. And with FSSC 22000 Version 6, the requirements around both have gotten clearer—and stricter.

Let’s clear something up right away:

• Food fraud is about deception for economic gain—like substituting an ingredient with something cheaper.

• Food defense is about intentional harm—like someone trying to sabotage a product on purpose.

Very different motivations. Very different risks. And under FSSC 22000 V6? You need a separate, documented plan for each.

Over the last decade, I’ve helped teams move from vague, generic “fraud templates” to real, risk-based strategies that actually hold up in audits—and more importantly, help prevent serious incidents. And if there’s one thing I’ve learned, it’s this:

The plans don’t have to be complicated. But they do need to be real.

In this article, I’ll walk you through:

• What FSSC 22000 Version 6 requires for food fraud and food defense

• How to tell them apart (and why that matters)

• What your mitigation and defense plans should actually include

• Practical examples and mistakes to avoid

• How to keep your documentation tight—and your team engaged

If you’re building your plans from scratch—or updating for Version 6—this guide will help you get it done with confidence and clarity.

Let’s break it down.

What’s the Difference Between Food Fraud and Food Defense?

Let’s get this straight—food fraud and food defense are not interchangeable.
And if your current documentation lumps them into one catch-all plan, that’s something you’ll want to fix before your next FSSC 22000 audit.

So what’s the difference?

Food Fraud = Deception for Economic Gain

This is when someone intentionally alters, misrepresents, or substitutes a product to make money. It’s about cutting corners—not causing harm (though harm can still happen).

Common examples:

• Diluting olive oil with cheaper oils

• Substituting high-quality meat with lower-grade cuts

• Selling expired ingredients with new labels

• Counterfeit packaging to pass off lower-quality goods

Food fraud usually happens somewhere in your supply chain, not on your site. That’s why vulnerability assessments focus so much on ingredients, suppliers, and purchasing practices.

Food Defense = Intentional Harm to Consumers

Now we’re talking about acts of sabotage or intentional contamination—things done to cause fear, illness, or damage to your brand. It’s malicious and deliberate.

Examples include:

• Introducing allergens or toxins into a product

• Tampering with packaging

• Gaining unauthorized access to production areas to cause damage

Food defense is about protecting your site, your process, and your people from internal or external threats.

The motivation is key:

• Food fraud = to profit

• Food defense = to harm

Why the Distinction Matters Under FSSC 22000 V6

Version 6 makes it clear:
You need two separate assessments and two distinct mitigation plans—one for food fraud, and one for food defense.

Auditors expect:

• Clear definitions in your documentation

• Separate risk assessments

• Site-specific control measures

• Updated reviews when products, suppliers, or processes change

What FSSC 22000 V6 Requires: Food Fraud

Now that we’ve cleared up what food fraud is, let’s talk about what FSSC 22000 Version 6 actually expects from you when it comes to controlling it.

Spoiler alert: a generic template from the internet won’t cut it anymore.

The Core Requirement: A Documented Vulnerability Assessment and Mitigation Plan

Under Version 6, your organization is required to:

1. Identify which ingredients, raw materials, and supply chain inputs are vulnerable to fraud.

2. Assess the likelihood and impact of that fraud occurring.

3. Develop mitigation strategies for any materials you consider high or medium risk.

4. Review the assessment at least annually—or whenever you change suppliers, products, or sourcing practices.

If you haven’t already, now’s the time to retire the “everything is low risk” spreadsheet. Auditors are looking for thoughtful, product-specific logic—not blanket statements.

What Should a Food Fraud Vulnerability Assessment Include?

A strong assessment looks at factors like:

• Ingredient type and value
  (e.g., spices, oils, honey = high risk due to high profit margin potential)

• Supply chain complexity
  (more handoffs = more chances for fraud)

• Historical incidents
  (use databases like RASFF, Food Fraud Database, or HorizonScan)

• Supplier reliability
  (track record, certifications, testing history)

You don’t need a fancy system—a spreadsheet with a scoring matrix works fine as long as it’s logical, documented, and consistently applied.

Mitigation Strategies: What You Can (and Should) Do

Once you’ve flagged a material as higher risk, you’ll need to show what you’re doing about it. That might include:

• Requiring Certificates of Analysis (COAs)

• Increasing ingredient testing

• Buying from approved or certified suppliers

• Improving traceability and documentation

• Using tamper-evident packaging or anti-fraud labels

Real-world tip: Build fraud risk into your supplier approval and performance reviews. It keeps the topic active—not just a once-a-year document.

Auditors Will Expect to See:

• A current vulnerability assessment with dates, version control, and team sign-off

• A clear scoring or ranking system

• Evidence that mitigation actions match the risk level

• Review records showing annual or event-driven updates

What FSSC 22000 V6 Requires: Food Defense

Now let’s shift gears from fraud to defense—because protecting your facility from intentional harm is just as critical as preventing economic deception.

And under FSSC 22000 Version 6, food defense isn’t optional or vague—it’s a clear, documented requirement.

What Is a Food Defense Plan (According to FSSC 22000)?

A food defense plan is your strategy to identify and reduce the risk of intentional contamination within your facility.
This isn’t about product substitution—it’s about someone trying to cause harm on purpose.

Version 6 requires you to:

1. Conduct a threat assessment—looking at where your site may be vulnerable.

2. Develop and document control measures to reduce those risks.

3. Train your team on awareness, reporting, and prevention.

4. Review and update the plan regularly—especially after changes to layout, access points, or staffing.

What to Include in Your Threat Assessment

Auditors expect more than a checklist—they want a risk-based review that’s specific to your site.

Things to assess:

• Entry points and perimeter security

• Access to processing and storage areas

• Security of utilities (e.g., water, power)

• Visitor and contractor protocols

• Staff vetting and behavior monitoring

• Handling of rework, waste, and hold product

Tools like TACCP or CARVER+Shock can help you walk through this methodically, but you don’t need to overcomplicate it. The key is showing why you consider something high or low risk—and what you’re doing about it.

Typical Food Defense Controls

Your controls should be practical, effective, and fit the risk. Examples include:

• Locked doors or controlled access zones

• Surveillance cameras

• Background checks for new hires

• Sign-in sheets for visitors and vendors

• Tamper-evident seals on packaging or tanks

• Staff training on suspicious activity

Documentation Auditors Want to See

• A written food defense plan (not just a note in your HACCP)

• A site-specific threat assessment

• Evidence of implemented security measures

• Training records for staff involved in monitoring or access

• Review logs showing the plan is updated at least annually

One facility I supported included food defense checks in their monthly GMP audits—it kept the plan fresh and helped operators stay alert. That small step made a big difference.

Building and Maintaining an Effective Food Fraud Mitigation Plan

Having a food fraud mitigation plan isn’t just about checking a box for certification—it’s about proactively managing risk in a way that actually makes sense for your business. Under FSSC 22000 Version 6, that means going beyond a vague risk summary and building a plan that is site-specific, ingredient-aware, and kept up to date.

Here’s how to build one that auditors—and your supply chain—will trust.

Step 1: Conduct a Vulnerability Assessment

Start by reviewing your ingredients, packaging materials, and incoming goods for potential fraud risks. Focus on:

• Product value – Is there an economic incentive to substitute it?

• Supply chain complexity – The more handoffs, the more chances for fraud.

• Past incidents – Is this product or category known for issues?

• Supplier reliability – What’s their track record? How often are they audited?

• Ease of detection – If fraud occurs, would you know?

Use a scoring system to evaluate each item—simple scales like Low, Medium, High for likelihood and impact are enough, as long as they’re consistent and justifiable.

Step 2: Identify and Justify High-Risk Materials

Flag anything that ranks Medium or High in vulnerability. For these, you’ll need to take mitigation action.

Examples of high-risk items:

• Spices and herbs (common for adulteration)

• Honey or oil (often diluted)

• Imported ingredients with unclear traceability

Step 3: Apply Mitigation Measures

Mitigation doesn’t always mean testing everything—it means doing what’s reasonable and proportionate based on risk.

Controls might include:

• Requiring Certificates of Analysis (COAs)

• Conducting spot testing

• Sourcing only from approved or GFSI-certified suppliers

• Using tamper-evident packaging

• Incorporating fraud screening into your supplier approval and re-evaluation processes

Pro Tip: Build mitigation into your routine procurement practices—so your fraud plan doesn’t become a separate process no one uses.

Step 4: Keep It Up to Date

Review and update your fraud mitigation plan:

• Annually, at minimum

• Any time you add a new material or supplier

• After fraud alerts (e.g., RASFF notices or industry incidents)

Keep version-controlled records of who reviewed it, what changed, and why.

Step 5: Train Your Team

Your procurement and QA teams should understand:

• What fraud looks like

• What red flags to watch for

• How to respond if something seems off

Even a short in-house session can boost awareness and engagement.

Developing a Site-Specific Food Defense Plan

If your food defense plan is just a few paragraphs tucked into your GMP manual—or worse, borrowed from a generic template—you’re going to run into problems during your FSSC 22000 V6 audit.

FSSC 22000 now expects your food defense plan to be tailored to your specific site, products, and risks.
Here’s how to do it without overcomplicating things.

Step 1: Start with a Threat Assessment

Think like a risk manager, not a security guard. You’re not looking for Hollywood-style sabotage—you’re identifying where someone with ill intent could cause harm inside your operation.

Use a framework like:

• TACCP (Threat Assessment and Critical Control Points)

• CARVER+Shock (Criticality, Accessibility, Recuperability, Vulnerability, Effect, Recognizability)

Ask questions like:

• Could someone access exposed product?

• Are ingredients stored securely?

• Could someone access mixing or packaging lines without detection?

• Are your waste or rework areas vulnerable to tampering?

Tip: Don’t limit yourself to external threats—insider actions (intentional or careless) are often the real risk.

Step 2: Identify and Prioritize Vulnerabilities

Group your findings into risk levels. For example:

• High risk: unlocked access to blending tanks

• Medium risk: unsupervised visitor access to packaging area

• Low risk: secured ingredient storage with camera coverage

Use your risk levels to focus your mitigation efforts where they matter most.

Step 3: Define Control Measures

Your controls should match the severity of the threat. Examples include:

• Restricted access zones with badge entry

• Tamper-evident seals on storage and transport units

• Locking valves, control panels, or ingredient hoppers

• Staff training to recognize and report suspicious behavior

• Visitor logs and escort policies

• Surveillance systems and periodic security checks

One facility I worked with color-coded floor zones to control access visually. It was simple, cheap, and highly effective—especially during training and audits.

Step 4: Develop a Response Plan

Auditors want to see that you’ve planned for action—not just prevention. Your defense plan should outline:

• Who to notify in the event of a suspected incident

• How to isolate affected product

• When and how to involve regulatory authorities

• What investigation steps you’ll follow

Make sure this plan aligns with your crisis management and recall procedures.

Step 5: Train and Engage Your Team

Security is everyone’s responsibility. Train your staff to:

• Know what suspicious activity looks like

• Understand who to report it to

• Follow visitor protocols and product security steps consistently

Pro Tip: Include food defense as a standing topic in your GMP audits or monthly safety meetings—it keeps awareness alive without extra meetings.

Step 6: Review and Update Regularly

Your food defense plan should be reviewed:

• At least annually

• After any layout, staffing, or process change

• Following any security breach or incident

Keep records of each review: date, what changed, and who signed off.

Pro Tips and Insider Insights for Food Fraud & Food Defense Success

After helping dozens of companies prepare for FSSC 22000 audits (and recover from a few that didn’t go so well), I’ve picked up a few key strategies that make all the difference when it comes to food fraud and food defense.

These aren’t theory—they’re the small things that keep plans alive, practical, and audit-proof.

Pro Tip #1: Don’t Just Write the Plans—Test Them
Run a mock exercise.
Ask your team: “What would we do if a supplier shipped mislabeled product?”
Or: “What if we found a suspicious person in the staging area?”
Drills like these reveal gaps—and reinforce ownership.

Pro Tip #2: Use the Same Format for Both Plans
Create a simple structure for both your food fraud and food defense documentation—overview, assessment, mitigation actions, review history.
Consistency makes training, auditing, and reviewing so much easier.

Pro Tip #3: Link Plans to Real Incidents
Add a short “learning log” section where you record food fraud alerts (like from RASFF or your industry body) or internal near misses.
Auditors love seeing that you monitor external data and apply lessons learned.

Pro Tip #4: Involve Procurement Early
Many companies leave food fraud mitigation to QA—but purchasing has a huge role.
Bring them into the discussion when evaluating ingredient risks and setting supplier controls.

Pro Tip #5: Track Changes with a Simple Review Table
Auditors want to see that your plans are living documents. Use a simple log that shows:

• Date reviewed

• What changed

• Who approved

• Why the update was made

Even small updates (like a new supplier or added raw material) should be tracked.

Pro Tip #6: Avoid “Copy-Paste” Templates
It’s tempting to grab a generic food fraud or defense plan online—but these fall apart during audits. Build your plans around your products, your processes, and your site layout.

One client who used a downloaded plan had a food defense map showing doors that didn’t even exist. That led to a major finding and a lot of scrambling. Lesson learned.

Common Mistakes and FAQs About Food Fraud & Food Defense

Even experienced food safety teams can trip up on these two plans—especially with FSSC 22000 Version 6 raising the bar. Here’s what to avoid, and the questions I hear most from real-world clients.

Common Mistakes to Avoid

Mistake #1: Combining Food Fraud and Food Defense into One Document
It might seem efficient, but it’s not compliant. These are two separate risks with different motivations, controls, and auditor expectations.

Mistake #2: Using Generic Templates with No Site-Specific Details
Auditors can spot these in seconds. If your plan doesn’t reflect your actual ingredients, suppliers, layout, or team—you’ll likely be flagged.

Mistake #3: Calling Every Risk “Low” Without Explanation
A plan where every material is marked “low risk” without a clear scoring system or justification usually signals one thing: lack of effort.

Mistake #4: Not Updating Plans When Things Change
New supplier? New ingredient? Changed production line? That’s a trigger to update both your food fraud and food defense plans. Skipping this is a common cause of nonconformities.

Mistake #5: No Team Involvement
If only one person knows your fraud and defense plans, that’s a red flag. Auditors will ask operators, security, and purchasing staff how the plans apply to them.

Frequently Asked Questions

Q1: How often should we review our food fraud and food defense plans?
A: At least once a year—and any time there’s a change in products, suppliers, layouts, or after any incident (internal or industry-wide).

Q2: Can we use the same scoring matrix for both assessments?
A: Yes—many companies do—but make sure the criteria fit the risk type. Food fraud might focus more on economic incentives, while food defense focuses on access and exposure.

Q3: What kind of training is required for food defense and food fraud?
A: You need to train relevant staff on both awareness and response. For fraud, that’s usually QA and procurement. For defense, it includes production, security, and any staff with access to exposed product.

Q4: What if we have no history of fraud or defense incidents?
A: That’s great—but your plans still need to be in place, regularly reviewed, and ready to activate if something does happen. A “nothing has ever gone wrong” mindset is not enough.

Q5: Are these plans only required for manufacturers, or also for storage/distribution?
A: Both. FSSC 22000 V6 requires all certified sites—regardless of activity—to assess and control these risks where relevant.

Turning Compliance into Real Protection

Here’s the big takeaway:
Food fraud and food defense aren’t just paperwork exercises—they’re active parts of a mature, trustworthy food safety system.

And with FSSC 22000 Version 6, you’re expected to show real thinking, real planning, and real control. The days of vague templates and one-size-fits-all checklists are behind us.

What we’ve covered today gives you a clear roadmap to meet (and exceed) expectations:

• You now know the critical difference between food fraud and food defense.

• You’ve seen what FSSC 22000 V6 actually requires—no fluff, just what matters.

• You’ve got practical steps for building assessments, mitigation strategies, and team engagement.

• And you know what auditors will ask for before they even step on-site.

That’s how you build trust. Not just with your auditor—but with your customers, your supply chain, and your team.

What You Can Do Next

✔ Still working from a generic plan?
Download our free Food Fraud & Defense Assessment Template—customizable and audit-ready.

✔ Need help evaluating your current documentation?
Book a 30-minute review session with one of our FSSC 22000 specialists—we’ll walk through what you’ve got and spot any red flags before your auditor does.

✔ Training a team?
Ask about our onsite or virtual workshops to get everyone aligned, engaged, and ready to act.

FSSC 22000 V6 is raising the bar—and that’s a good thing.
When your food fraud and defense plans are grounded in real risk, practical controls, and team awareness, you’re not just compliant. You’re resilient.

Let’s get you there.