We are a co-packer for dry candy and snack foods that has a quasi food defense plan written. We were hit for not having a vulnerability assessment.
All of the bulk food and packaging is supplier by our customers and we just pack into retail packages.
I did a vulnerability assessment using KATs. I only had once actionable process step where we add seasoning to a cracker.
I don't think the auditor is going to accept this.
Is there another approach I should take seeing we don't manufacture any food but only package it?