Hi, does it require specifically in FSSC 22000 (Packaging) a vulnerability assessment to be conducted? Or are you being asked by a customer?
I think if you have an established business and operate a certfied GFSI Food Safety Management System you should have control of most if not all of any vulnerabilities, which in a packaging company are already significantly lower than in a food business. Do you use approved and monitored suppliers for your raw materials, what is the potential for substitution or fraud without you knowing? Are you transport chains to you and from you to customers know and secure? Do you have control of your premises, processes, personnel and visitors? Is your site secure?
Simply map it out in an excel.
The step, what is the potential vulnerability and what controls you have.
Keep it very simple.
At least if it is documented you can show you have considered it and it's a basis for customer/auditor scrutiny and discussion.