BRCGS Issue 9: what auditors will be looking for

BRCGS Global Standard for Food Safety Issue 9 came into force on 1 February 2023 and it was built, deliberately, around the failure patterns that generated the most non-conformances under Issue 8. That matters for audit preparation: the areas where the standard tightened are precisely the areas auditors will probe most carefully. 

This article sets out what has changed, what auditors will expect to see in practice, and where sites are most likely to find themselves exposed.

The shift Issue 9 is asking for 

The central change in Issue 9 is not a list of new clauses. It is a philosophical shift: from compliance as documentation to compliance as demonstrated, living practice. A food safety plan on paper, a corrective action log that gets closed without root cause analysis, an internal audit report that sits in a folder — none of these will satisfy Issue 9 auditors the way they might have satisfied Issue 8. 

Issue 9 was designed to close gaps between what sites say they do and what sites actually do. For quality, technical and assurance professionals, the practical implication is straightforward: every system needs a verifiable chain of evidence, not just a document. 

Food safety culture: now measurable and auditable 

Under Issue 8, food safety culture was an implied expectation. Issue 9 makes it a standalone, documented, auditable requirement. 

A formal food safety culture plan is now mandatory. It must include communication processes, training, mechanisms for employee feedback, defined behaviours and, critically, measurable performance objectives. The plan must be reviewed at minimum annually. 

Senior management involvement is now auditable rather than assumed. The most senior production or operations manager must be present at the opening and closing meetings. A member of senior leadership must be available to discuss the culture plan's implementation — and auditors will ask substantive questions, not just confirm attendance. 

What auditors will look for 

• A documented culture plan with specific activities and named owners, not a generic statement of intent 
• Tracked metrics demonstrating progress against culture objectives over time 
• Evidence that leadership engages with the plan beyond the audit opening meeting 
• Employee feedback mechanisms that are active and generate recorded outputs 

A culture plan that lists 'toolbox talks' and 'food safety notice boards' without performance data or documented leadership engagement will not satisfy Issue 9. Specific activities, tracked metrics and evidence of continuous improvement are required. 

HACCP and food safety plans: validation before implementation 

Issue 9 introduces two changes to HACCP requirements that directly reflect the 2020 Codex Alimentarius update. First, where hazard control is achieved through prerequisite programmes or control measures other than CCPs, that control must be validated. Second — and operationally significant — HACCP or food safety plans must be validated prior to any changes that may affect product safety, not after. 

This creates a formal pre-implementation review gate that needs to be embedded in change management processes. If a site introduces a new ingredient, modifies an existing process or changes equipment and does not validate its HACCP plan before doing so, that is a non-conformance. 

For sites handling traded products, Issue 9 also introduces an explicit requirement: there must be either a standalone HACCP plan for traded products or a formal incorporation of traded products into the existing plan. A gap in coverage here will be visible.

What auditors will look for 

• Evidence that HACCP validation occurred before, not after, recent operational changes 
• A change management process with a documented trigger for HACCP review 
• Validation records for non-CCP control measures and prerequisite programmes 
• HACCP coverage for traded products if applicable 

Internal audits: from report to verified close-out 

The internal audit requirements in Issue 9 close a gap that generated repeated non-conformances under Issue 8: the gap between raising a finding and closing it out with verified corrective action. 

Issue 9 requires that internal audit results are reported to the responsible personnel, that corrective actions and implementation timescales are agreed and verified, and that results are reviewed in management review meetings. Fabrication inspections are also more clearly defined, specifically covering doors, walls, facilities and equipment. 

The internal audit is now expected to produce a verifiable chain: finding → assigned corrective action → agreed timescale → verified close-out → management review. An audit program that generates reports but does not demonstrate systematic follow-through will generate non-conformances. 

What auditors will look for 

• Evidence that findings have been communicated to the responsible person (not just recorded) 
• Corrective actions with agreed timescales and documented verification of close-out 
• Internal audit results as a standing item in management review records 
• Fabrication inspection records covering the specific scope Issue 9 describes 

Corrective and preventive actions: root cause is no longer optional 

Root cause analysis is now a procedural requirement in Issue 9, not a recommended practice. The corrective action procedure must explicitly include root cause analysis and the implementation of preventive action. 

Where a non-conformity places product safety, authenticity or legality at risk, or where there is an adverse quality trend, it must be investigated and recorded. That means the CAPA system needs to capture not just what corrective action was taken but what methodology was used, what evidence was considered and what preventive action was implemented. 

What auditors will look for 

• A CAPA procedure that explicitly requires root cause analysis methodology 
• CAPA records that document the investigation, not just the fix 
• Evidence of preventive action implemented as a result of root cause findings 
• Adverse trend identification and documented investigation where trends affect safety, authenticity or legality 

Incident management: defined timescales, documented process 

Issue 9 introduces specific timescales for incident notification and response. A significant food safety, authenticity or legality incident must be notified to the certification body within 3 working days. A full response — corrective action, root cause analysis and a preventive action plan — must be provided within 21 calendar days. 

These timescales require a documented incident management process that can be activated quickly. Organizations that handle incidents reactively, assembling information as they go, are at risk of breaching both windows. 

What auditors will look for 

• A documented incident management procedure that predates any incident 
• Clear ownership of the notification and response process 
• Evidence the process has been communicated and tested 
• For past incidents: complete records showing the 3-day and 21-day windows were met 

Other key changes in Issue 9 

Several other clause areas have been strengthened and are likely to be scrutinized at audit. 

Area	What Issue 9 requires	Likely audit focus
Outsourced processing (Clause 3.4)	Outsourced steps must be in the HACCP plan, covered by a service specification and subject to a goods-in acceptance procedure.	HACCP coverage, supply agreements, traceability through the outsourced step.
Equipment management (Clause 4.6)	New equipment requires documented purchase specifications, risk-based commissioning procedures and inspection before use. Mobile equipment and battery-charging equipment have specific requirements.	Purchase specs and commissioning records for recently acquired equipment; mobile and battery equipment management.
Food fraud vulnerability assessment (Clause 5.4)	The responsible person must understand vulnerability assessment principles. Assessment must be reviewed annually and whenever raw materials, suppliers or risks change.	Whether the responsible person can demonstrate understanding of the methodology, and whether the assessment is current following any changes.
Foreign body detection (Clauses 4.10.3 and 4.10.7)	X-ray equipment effectiveness must be verified. All other foreign body detection and removal equipment beyond metal detection and X-ray also requires effectiveness verification.	Documented effectiveness verification records for X-ray and all other detection technologies in use.
Site security (Clause 4.1)	A visitor recording system must be in place. All visitors must have a responsible person on site. Staff and contractors must be aware of access procedures.	Active visitor log, evidence that contractors and staff have been briefed on procedures.

New audit options under Issue 9 

Issue 9 replaces the two audit options that existed under Issue 8 with three formal options, which matters for how sites plan their readiness program: 

• Option 1 (announced): Standard announced audit with a mandatory unannounced audit every three years. The unannounced audit can occur at any point in the final four months of the cycle. Sites may nominate up to 10 non-audit days. 
• Option 2 (blended, new in Issue 9): Available for recertification audits only. Split into a remote document review (Part 1, conducted up to 56 days before the due date) and an on-site audit (Part 2, within 28 days of Part 1). Mandatory unannounced audit still required every three years. 
• Option 3 (fully unannounced): All audits without prior notification. Sites selecting this option must maintain readiness as a constant operational state. 

The blended audit option formalizes what COVID-19 accelerated. For technical and quality teams, it means document systems need to be remotely accessible and well-organized, not just physically available on audit day. 

Preparing for an Issue 9 audit: where to focus 

Based on the Issue 9 changes and the non-conformance patterns the standard was built to address, the highest-risk areas for audit performance are: 

• Food safety culture plan with no measurable objectives, performance data or evidenced leadership engagement 
• HACCP plans updated after operational changes rather than validated before implementation 
• Internal audit findings not followed through to verified corrective action close-out and management review 
• Corrective action records that address the immediate problem but document no root cause analysis or preventive action 
• Outsourced processing steps absent from the HACCP plan with no service specification or goods-in acceptance procedure 
• New equipment procured and commissioned without a documented purchase specification or commissioning procedure 
• Food fraud vulnerability assessments not reviewed following changes in raw materials, suppliers or emerging risks 
• Foreign body detection equipment, particularly X-ray, without documented effectiveness verification 
• Visitor and contractor management without a formal recording system 
• Incident management processes that have not been documented in advance and have no pre-planned notification procedure 

The common thread across these areas is the same shift Issue 9 is making overall: from documents that exist to systems that demonstrably work. Auditors will ask for the evidence, not the policy. 

Issue 9 raises the bar for manual systems 

Issue 9's requirements are more granular, more interconnected and more demanding of evidence than its predecessor. Sites where food safety management is genuinely embedded — where records are current, corrective actions are tracked to close-out and leadership is actively engaged — will find the standard manageable. Sites relying on manual processes, disconnected records and individual memory will find it harder to demonstrate the chains of evidence Issue 9 auditors need to see. 

Ideagen Food & Beverage is a unified food safety and supply chain platform built for GFSI-recognised standard compliance including BRCGS, SQF and FSSC 22000. It connects culture plan management, HACCP change control, internal audit close-out, CAPA workflows and incident management in a single integrated system — providing the verifiable audit trail Issue 9 requires.