So they consider that acceptable, so that's good.
If your own supplier approval policy considers ISO acceptable, then that's also going to be okay I would think? Not a BRC expert here.
BRC is pretty specific about GFSI requirements, with alternatives being "supplier audit" or, for those justifiably classified as low risk, a questionnaire.
The supplier audit component is a bit awkward in that it lists key areas that should be covered, which arguably could be encompassed in a combination of ISO22000/9001, but as these are not GFSI-benchmarked there is an obligation to not only obtain full audit reports but also to verify the competence of the auditor.
The OP might be able to structure a position that these third-party audits satisfy clause 3.7.2 and thus the suppliers aren't obliged to provide actual traceability exercises, but I'd think this would probably only be possible if they have the full audit reports including clear confirmation of trace exercises / verification, and can find a way around the auditor competency thing. It's a slightly strange requirement for a standard based in the UK, as the auditor component of the details would arguably fall within the scope of data protection regs so couldn't readily be shared...
Nonetheless the suppliers might be able to obtain some sort of statement from their certification bodies that outlines minimum qualifications and experience requirements for their audit team?
The key question IMO should be as to what the Code requires/states for the specific aspect. (I don't have current Packaging Standard to hand).
As discussed here previously a few times, afaik, unless specifically BRC-stated otherwise, the IG documentation, contains non-auditable material.
Yes, the IG isn't directly auditable, and whilst auditors do generally follow it, in the event of a dispute between this and the main standard or their training / positions they've been advised directly from BRC via their cert bodies, the standard itself most definitely takes precedence.