BRC Issue 7 clarify this point.
The company shall undertake a documented assessment of the security arrangements and potential risks to the products from any deliberate attempt to inflict contamination or damage. Areas shall be assessed according to risk; sensitive or restricted areas shall be defined, clearly marked, monitored and controlled. Identified security arrangements to reduce risks shall be implemented and reviewed at least annually.
Thus you should have a risk assessment.
Identify areas ( High risk / high Care / Low risk,....), CCPs.
Determine measurments to control this points.
