It is a bit irritating that BRC has decided to add direct references to both fraud and malicious contamination into clause 2.7.1, in addition to the specific TACCP/food defence requirement already covered in detail in 4.2 and the VACCP/fraud ones in 5.4.
It's more annoying still that they've done so without providing any comment in the guide to changes ("typical types of hazard have been added for clarity" is, ironically, not especially clear...) or in the interpretation guide.
We've taken the same approach that you're considering - the hazard analysis will be expanded to note the potential for e.g. receipt of material that's been tampered with, and simply referencing that this is covered in the prerequisite program via the TACCP plan. Obviously this is an existing risk that has already been considered in the TACCP plan that we've had in place for several years, but I think there is perhaps some merit to making it absolutely clear, as audits are often that much easier if you can spoon-feed the information to the auditor in the exact form that they're expecting it