Home Certification Standards ISO 22000

Your Guide to Implementing ISO 22000

Benefits of Implementation

ISO 22000 helps organizations minimize food risks and improve performance as it relates to food safety.
It does so by providing a framework they can use to develop an FSMS, a systematic approach to addressing food safety issues. Compliance with ISO 22000 provides benefits such as:


Minimizing food risks leads to better health and safety outcomes for customers, other users, employees and others who may come into contact with food.

Having an FSMS helps you reliably deliver products that meet customer expectations.

Compliance with regulatory requirements is required to achieve certification to ISO 22000. Having an FSMS in place can help companies meet these requirements and understand how they impact the organization and its customers.

ISO 22000 links to various other international standards and guidelines and can help organizations meet the requirements of these systems as well.


ISO 22000 helps organizations improve the traceability of their products and achieve greater transparency regarding operations.

Having an FSMS in place can help organizations respond more quickly and efficiently to issues that may compromise food safety, helping them stop potential contamination before it occurs.

If contamination does occur, an FSMS helps organizations reduce the time it takes to investigate any food safety breaches, solving the problem faster.

The standard itself also offers several advantages over other systems:


The structure of ISO 22000 is similar to that of other international standards. It is designed to integrate seamlessly with other management systems from ISO, such as ISO 9001, ISO 45001 and ISO 14001.


ISO 22000 is a well-known, internationally recognized standard. Certification to it improves an organization’s reputability with customers, suppliers, investors, regulatory groups and other parties worldwide.


Certification to an international standard such as ISO 22000 opens doors for a business. Some organizations require certification before they will supply or otherwise work with a company.

Structural Changes on ISO 22000:Annex SL

The ISO 22000, as other recently revised international standards such as ISO 9001 and ISO 14001, has adopted the Annex SL structure during its 2018 revision.

The Annex SL was initially approved in 2012. This section of the ISO/IEC Directive describes the common structure of all ISO management systems standards in which the new or updated standards must be focused on when developing the relevant requirements.

Prior to the adoption of Annex SL there were many differences between the clause structure, requirements, terms and definitions used across the various management system
standards. This made it difficult for organizations to integrate the implementation and management of multiple standards; Environment, Quality, Health and Safety and Food safety being among the most common. This structure tries therefore to eliminate confusions, duplications and conflicts from the different interpretations of management system standards.


Annex SL consists of 10 core clauses:

  1. Scope

  2. Normative references

  3. Terms and definitions

  4. Context of the organization

  5. Leadership

  6. Planning

  7. Support

  8. Operation

  9. Performance evaluation

  10. Improvement

Of these clauses, the common terms and core definitions cannot be changed. Requirements may not be removed or altered, however discipline-specific requirements and recommendations may be added.

All management systems require a consideration of the context of the organization (more on this in section 4); a set of objectives relevant to the discipline, in this case food safety, and aligned with the strategic direction of the organization; a documented policy to support the management system and its aims; internal audits and management review. Where multiple management systems are in place, many of these elements can be combined to address more than one standard.

Additionally, ISO 22000:2018 has also introduced a specific introduction and annexes:

0. Introduction

0.1. General

0.2. FSMS Principles

0.3. Process Approach

0.3.1. General

0.3.2. Plan-Do-Check-Act Cycle

0.3.3. Risk-based thinking General

0.3..3.2. Organizational risk management Hazard Analysis
- Operational processes Relationship with other management system standards

Annex A Cross references between the CODEX HACCP and this document

Annex B Cross references between this document and ISO 22000:2005

Process Based Thinking/Audits

A process is the transformation of inputs to outputs, which takes place as a series of steps or activities which result in the planned objective(s). Often the output of one process becomes an input to another subsequent process. Very few processes operate in isolation from any other.

“Process: set of interrelated or interacting activities which transforms inputs to outputs”
- ISO 22000:2018 Terms and Definitions

Even an audit has a process approach. It begins with identifying the scope and criteria, establishes a clear course of action to achieve the outcome and has a defined output (the audit report). Using the process approach to auditing also ensures the correct time and skills are allocated to the audit. This makes it an effective evaluation of the performance of the FSMS.

“Understanding and managing interrelated processes as a system contributes to the organization’s effectiveness and efficiency in achieving its intended results.”

This also applies where processes, or parts of processes, are outsourced. Understanding exactly how this affects or could affect the outcome and communicating this clearly to the business partner (providing the outsourced product or service) ensures clarity and accountability in the process.

The final process step is to review the outcome of the audit and ensure the information obtained is put to good use. A formal Management Review is the opportunity to reflect on the performance of the FSMS and to make decisions on how and where to improve. The Management Review process is covered in more depth in Section 9 – performance evaluation.

Risk Based Thinking/Audits

Audits are a systematic, evidence-based, process approach to evaluation of your Food Safety Management System. They are undertaken internally and externally to verify the effectiveness of the FSMS. Audits are a brilliant example of how risk-based thinking is adopted within food safety management.


Internal audits are a great opportunity for learning within your organization. They provide time to focus on a particular process or department in order to truly assess its performance. The purpose of an internal audit is to ensure adherence to policies, procedures and processes as determined by you, the organization, and to confirm compliance with the requirements of ISO 22000.


Devising an audit schedule can sound like a complicated exercise. Depending on the scale and complexity of your operations, you may schedule internal audits anywhere from every month to once a year. There’s more detail on this in section 9 – performance evaluation.


The best way to consider frequency of audits is to look at the risks involved in the process or business area to be audited. Any process which is high risk, either because it has a high potential to go wrong or because the consequences would be severe if it did go wrong, then you will want to audit that process more frequently than a low risk process.

How you assess risk is entirely up to you. ISO 22000 doesn’t dictate any particular method of risk assessment or risk management, apart from addressing this concept on the already mentioned two levels, organizational and operational levels. However, the standard requires you to describe and retain as documented information the methodology used when conducting a risk assessment.


  • regular assessment to continually monitor and improve processes

  • credibility that the system can achieve its intended outcomes

  • reduced risk and uncertainty and increase market opportunities

  • consistency in the outputs designed to meet stakeholder expectations

The 10 Clauses of ISO 22000:2018

ISO 22000 is made of up 10 sections known as Clauses. As with most other ISO management system standards, the requirements of ISO 22000 that need to be satisfied are specified in Clauses 4.0 – 10.0.

Unlike most other ISO management system standards, an organization must comply with all of these requirements; this means they cannot declare one or more clauses as being not applicable to them. In ISO 22000, in addition to Clauses 4.0-10.0 there is a further set of requirements detailed mostly in Clause 8, which include the HACCP principles as per Codex Alimentarius. This is considered the core of the system as well as the operational level of the FSMS.

The following parts of this guide provide an overview explanation of the purpose of each clause, highlight the type of evidence an auditor would expect to see to confirm that you comply, and give tips on effective ways to comply with the requirements.

Section 1: Scope

A Food Safety Management System is primarily intended to ensure food is safe for consumption. It does this through the application of the processes determined by you as necessary for your operations, as well as the processes determined by the standard as necessary for continual improvement. A FSMS aims to assure conformity to applicable statutory, regulatory and customer requirements.

The 2018 version includes also feed producers and animal food producers within the scope.

The Scope section of ISO 22000 sets out:

  • the purpose of the standard;

  • the types of organizations it is designed to apply to; and

  • the sections of the standard (called Clauses) that contain requirements that an organization needs to comply with in order for the organization to be certified as “conforming” to it (i.e. being compliant).

ISO 22000 is designed to be applicable to all organizations in the food chain, regardless of size and complexity; this includes organizations that are directly or indirectly involved in one or more stages of the food chain. Small and/or less developed organizations can implement and maintain a FSMS that complies with ISO 22000.

Section 2: Normative References

ISO/IEC Directives, Part two, Section 6.2.2, defines the inclusion of a normative reference as, “This conditional element [of the Standard] shall give a list of the referenced documents… in such a way as to make them indispensable for the application of the document.

In other words, by citing something as a normative reference, it is considered as indispensable to the application of that particular Standard. Unlike ISO 9001, there are no normative references in ISO 22000; however, it would be useful for you to have a look at the following ISO family standards that will help to better understand its requirements:

  • ISO 22004:2014 - Guidance on the application of ISO 22000

  • ISO 22005:2007 Traceability in the feed and food chain - General principles and basic requirements for system design and implementation

  • ISO/TS 22002-1:2009 PRP on food safety - Food manufacturing

  • ISO/TS 22002-2:2013 PRP on food safety - Catering

  • ISO/TS 22002-3:2011 PRP on food safety - Farming

  • ISO/TS 22002-4:2013 PRP on food safety - Food packaging manufacturing

  • ISO/TS 22002-6:2016 PRP on food safety - Feed and animal food production

  • ISO/TS 22003:2013 FSMS - Requirements for bodies providing audit and certification of Food Safety Management Systems

  • ISO 10012:2003 Measurement management systems - Requirements for measurement processes and measuring equipment

  • ISO/TR 10013:2001 - Guidance for quality management system documentation

  • ISO 1015:1999 Quality Management - Guidelines for training

  • ISO 19011:2018 - Guidelines for auditing management systems

  • ISO 31000:2018 Risk management - Guidelines

Section 3: Terms and Definitions

This section sets out the terms and definitions that are used in the Standard which may need further clarification in order to apply the Standard to a particular organization. Some of them also include notes that seek to provide further information and clarity.If an electronic version of the Standard has been purchased the definitions are hyperlinked to other definitions so that there interrelationship can be seen.

There are some definitions that must be mentioned due to its relation with the changes on the 2018 version:

‘Significant food safety hazard’ - Food safety hazard identified by an organization through the hazard assessment that needs to be controlled by specific control measures

‘Control measures’ - Action or activity used to prevent a significant food safety hazard or reduce it to an acceptable level

‘Acceptable level’ - Level of a food safety hazard that must not exceed in the finished product

‘Action criterion’ - Measurable or observable specification for the monitoring of an operational prerequisite programme (OPRP). This action criterion is established to assess whether the OPRP is under control

‘Competence’ - Ability to apply knowledge and skills to get intended results

‘Interested party’ - Person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity

‘Outsource’ - Arrangement made where an external company (outside the scope of the management system) performs part of a function or internal process within the scope

‘Risk’ - Effect of uncertainty; whereas effect means a deviation from the expected (positive or negative), uncertainty is in fact a state, even partial, of deficiency of information related to the understanding or knowledge of an event, its consequence, or likelihood. Risk is no longer only applicable to the operational level of the organization, but it is implied in all aspects of the system that could affect food safety

Additionally, some terms have been redefined in order to provide a better understating to users:

‘Critical Control Point (CCP)’ - Step in a process at which a control measure can be applied and it is essential to prevent or reduce a significant food safety hazard to an acceptable level. Critical limits and measurement enable the application of corrections. Both, CCPs and OPRPs require monitoring, validation and verification

‘Operational Prerequisite Programme (OPRP)’ - Control measures identified through the hazard analysis as essential to prevent or reduce to an acceptable level the probability of introducing risks and/or contamination or
proliferation of a significant food safety hazard in food products or in the work environment.

Action criterion and measurement or observations enable effective control of these processes. (These are more specific to each organization than the PRPs)

‘Monitoring’ - Planned sequence of observations or measurements to evaluate whether a process is operating as intended. Monitoring shall be applied during an activity and provides information for action during a specified time frame (“present assessment”)

‘Validation’ - Obtaining evidence that a control measure will be capable of effectively controlling a significant food safety hazard. Validation shall be applied prior an activity and provides information about the capability to deliver intended results (“future assessment”)

‘Verification’ - Confirmation, through the provision of objective evidence, that specified requirements have been fulfilled. Verification shall be applied after an activity and provides information for confirmation of conformity (“past assessment”)

The following sections, 4 to 10, provide the requirements of the Standard. When reading the Standard it is important that as with past ISO 22000 versions, the word “shall” indicates the mandatory requirements that an organization must meet and external auditors, such as NQA, are required to verify conformance and effectiveness against.

In order to understand how each of the following clauses applies to each other the remaining text applies to this diagram:

Section 4: Context of the Organizations

This is a new concept in terms of ISO 22000:2018. This section requires the organization to analyse its context, determine its interested parties, define the scope of the food safety management system and a clear focus on the processes and requirements needed to achieve the food safety objectives.
The clause is sequential as there is a need to understand the organization and context (4.1), prior to identifying interested parties and understanding their needs and expectations (4.2), the output of both 4.1 and 4.2 allows determination of scope (4.3), and then ultimately designing the FSMS (4.4):

Understanding the context of the organization is usually conducted by top management with information about the business and activities gathered at every level of the organization. Discussion points focus on internal and external issues which have an impact on the FSMS system.


This section implies an analysis of the risks or issues that can impact our business, not just the internal but also the external issues that can affect the capability of the management system to get the intended results. As external issues we could include social, cultural and political trends, legal changes, technology advancements, etc. that can influence the achievement of the established food safety objectives.

As these issues may vary, its revision must be done regularly and now it is also mandatory as an input during your periodic management review meetings. We also must bear in mind that these issues can be positive or negative, but equally considered to define our context. Once the context is determined, this will facilitate the establishment of food safety objectives.

There are numerous methodologies that can be used to determine context, such as the SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis, the CPM (Competitive Profile Matrix) or PEST (Political, Economic, Socio-cultural and Technological) analysis, among others.

Even though documented information is not required with regard to context, this is extremely useful when your system is audited and to demonstrate your understanding and analysis of the mentioned issues, i.e.: meeting minutes, graphics, data analysis, etc.

  • External Issues

    • Cultural, social, political, legal, financial, technological, economic and natural surroundings including the environment in which the organization operates

    • Who the competitors are and any contractors, subcontractors, suppliers, partners and providers

    • National and international law

    • Industry drivers and trends which have influence on the organization

    • The organization products and services and their influence on food safety

    • Availability and variety of external providers of services/ products

    • Changes in consumption patterns

    • Capacity of changes regarding premises (landlord)

  • Internal issues

    • Governance, organizational structure, roles and accountabilities

    • Policies, objectives and the strategies in place to achieve them

    • Competence of personnel

    • Food Safety culture within the organization and the relationship with workers

    • Process for the introduction of new products, materials, services, tools, software, premises and equipment

    • Working conditions

    • Resources (under-utilisation of resources)

    • Retention of skilled employees

    • Number and variety of clients/ customers

    • Linkage to a certain activity, location and/or period


The concept of customer has disappeared to introduce the term of interested party. This section requires the determination of interested parties (commonly known “stakeholders”) that can influence FSMS positively and negatively. Once it has been decided which interested parties are relevant and significant, their needs and expectations within the FSMS should be addressed.

They will probably be shareholders, landlords, regulators, customers, employees, trade associations, competitors, suppliers, distributors, and consumers, among others. You need to identify all those parties and analyse how they can affect the achievement of the main objective of a FSMS that is to ensure food is safe.

Some needs and expectations of our interested parties are mandatory and incorporated into law and regulatory requirements therefore must be considered. The identified interested parties and their requisites must be obviously revised when defined and also when changes apply to the organization. Having defined who your Interested Parties are, ISO 22000 requires that you determine their potential and actual effects.

Interested parties can be documented in the form of a map:


This is not a new concept but it has been revised in order to refer to the physical and / or geographical site within which your operations take place, the products / services included in the FSMS, the relevant parties you have identified and the special characteristics such as type of packaging used, storage or shelf-life conditions of the product/s. Your scope statement must be maintained as documented information.

When the application to NQA is made to have the system audited for certification, it is necessary to declare the scope in a statement. This will ensure that they send the correct auditor with experience in your industry sector.

For example:
‘The fermentation, carbonation and packing of red wine into glass bottles’
Using this example, you can see that each step will incorporate many processes including workers, machinery, regulatory requirements, external providers, customers (end users) and competence which will be audited.


As a result of the previous clauses, an organization then has to establish, implement, maintain and continually improve a FSMS.

This section mentions the need of focusing in the interaction of processes. All processes and their interactions included in the scope of the FSMS must be determined and controlled in order to get the intended results in accordance with the strategic direction of the organization and the food safety policy.

Section 5: Leadership

The standard states that top management shall demonstrate leadership and commitment with respect to the FSMS. But who is top management? According to ISO 22000, top management is the person or group of people who direct or control an organization at the highest level.


There is no longer an excuse for top management not being present during a certification audit. An external auditor will expect to discuss leadership with those who manage the organization.

The previous version of ISO 22000 already included examples of how leadership can be demonstrated within the FSMS management system:

  • Establishing the food safety policy

  • Demonstrating that food safety is supported by the objectives of the organization

  • Provision of appropriate and sufficient resources

  • Facilitating the culture of continual improvement

  • Communicating appropriately amongst interested parties

  • Ensuring the integration of the FSMS requirements into the organization’s business processes

  • Leading the management review meetings

Additionally, the 2018 version states that top management shall also:

  • Ensure that the strategic plans of the organization and the food safety objectives are compatible and integrated within the organization

  • Ensure the integration of the FSMS requirements into the organization’s business processes


Practically this requirement has not changed with respect to the previous version. A policy contains the intention and direction of an organization as formally expressed by its top management.

The food safety policy is approved by top management and will drive the controls that are in place and the actions that are carried out to improve it.

The standard specifically requires that the food safety policy, which shall be appropriate to the purpose and context of the organization, must include commitments to:

  • Provide a framework for setting and reviewing objectives of the FSMS

  • Satisfy applicable food safety requirements, including statutory and regulatory requirements and mutually agreed customer requirements related to food safety

  • Address internal and external communication

  • Continual improvement of the FSMS system

  • Ensure competencies related to food safety

Once the FSMS policy has been approved it must be communicated to all interested parties including operators, and also customers and external providers on request. In addition, periodically the food safety policy must be reviewed by top management to ensure it remains applicable to the context of your organization.

The top management commitment with respect to the FSMS must be visible and palpable. A good way to demonstrate commitment to clients, operators and general public is to ensure your food safety policy is visible and also well communicated in any or all of the following:

  • Recruitment packs

  • Induction packs

  • Supplier evaluations

  • Supplier contracts

  • Notice boards on site

  • Website / intranet site

  • Annual staff appraisals

Don’t forget your food safety policy must be available and maintained as documented information.


This section requires the organization to define clear roles, responsibilities and authorities throughout the organization. Top management shall also ensure that all responsibilities and authorities have been assigned and understood.

All personnel must know what it is expected from them (responsibilities) and what top management allows them to do (authorities). This can be easily implemented through an organigram and job descriptions of all staff of the organization with their duties and authorities described.

ISO 22000 does specify a requirement for a nominated food safety team leader that ensures the system is established, implemented, maintained and updated when required.

It certainly makes life easier for an external auditor to have a clear point of contact, and this person must have suitable authority to manage the system, ensure the work is managed as well as the relevant training and competencies of the food safety team, report on the effectiveness and suitability of the FSMS and make continual improvements as determined by top management.

Section 6: Planning

Planning is one of the key components of any management system. This section sets out a framework that asks an organization to analyse itself to determine the risks and opportunities of its activities and then how to address them.


If you’ve been thorough in your assessment of context and the needs and expectations of interested parties, then the potential risks and opportunities will likely have made themselves quite apparent. You’re looking to answer the following questions:

  1. What are we trying to achieve?

  2. What could stop us from achieving our objectives?

  3. How will we address these issues?

  4. How can risks be turned into opportunities?

  5. How can opportunities help us to improve?

  6. Who will be responsible for actions?

  7. When will we need to take action by?

  8. How will we know whether our actions were effective?

Addressing risks and opportunities and achieving your food safety objectives require an action plan.
First of all, plan all actions to address the identified risks and opportunities previously defined and then identify the way to integrate and implement them in your FSMS and evaluate their effectiveness.

Now risks not only involve food safety risks but also those risks than can impact your FSMS losing productivity and effectiveness. ISO 22000 differentiates between two types of risk management, the one that focuses just on the operational level and that can be controlled through the establishment and maintenance of PRPs, OPRPs, CCPs and emergency preparedness, and also the risks that affects the entire management system and could make an impact into food safety.

The latter are those that could happen but there is no history of them happening or, if they did, that was a sporadic event. Therefore, recurrent events are not to be considered as organizational risks and these must be controlled by the establishment of corrective actions. All actions taken to address the identified risks and opportunities must be proportionate to the potential impact on the conformity of product/s and service/s and customer satisfaction.


It is a requirement of the standard to set achievable food safety objectives with the means to periodically measure progress, demonstrating continuous improvement.

The objectives need to be:

  • Consistent with the food safety policy

  • Measurable

  • Consistent with applicable food safety requirements, including statutory, regulatory and customer requirements

  • Monitored and verified

  • Communicated

  • Maintained and updated

  • Documented

Additionally, the objectives must be realistic, so they can be achievable and also help you to identify possible opportunities of improvement.

An effective way to communicate food safety objectives is to include them in induction training, display them around your site or electronically via an intranet or similar.

The SMART term will guide you on the establishment of adequate objectives for your organization, so you should think of the following requirements when setting them as they should be:

  • Specific, as precise as possible

  • Measurable, quantifiable so we can monitor progress

  • Achievable, failure shall not be built into objectives

  • Realistic, possible for your organization

  • Timely, with a completion date established

Your action plan should include:

  • What will be done

  • What resources will be required (to the best of your understanding at the time)

  • Who will be responsible

  • When actions will be completed

  • How results will be evaluated

Putting these into a simple matrix can help to clarify the objectives, however if you already record this type of information somewhere else, there is no need for you to duplicate.


When you’ve put so much time and effort into all this planning, it would be a shame for an inadvertent change to mess it all up!

When there is change in the system, your organization must maintain the integrity of the FSMS, so the changes must be considered and a revision conducted to implement them.

In light of this, clause 6.3 expects that any changes that you determine are necessary to the food safety management system are carried out in a planned manner. This should take into account the extent of the changes deemed necessary, the potential impact on the existing system, how you will resource the changes and any effect this may have on current roles, responsibilities and authorities.

Section 7: Support

This section looks at the resource, competence, awareness, communication and documentation of a FSMS. The requirements really underpin a FSMS and ensure that it runs effectively.

You must determine the resources required for running your business by considering the capability and limits of your organization, the need of external support and the resources needed for every process and/or product. These processes and/or products must also be assessed in order to consider if changes on resources will be needed to improve them.

You must demonstrate your people are competent. Simply, do you have the right people with the necessary skills / attributes in appropriate roles? If you’re currently missing some specific skills, how do you plan to address this? Will you recruit or will you outsource? If you’re outsourcing, how will you communicate your requirements to your supplier? Bear in mind you must also maintain documented evidence to demonstrate competency, responsibility and authority of the external personnel.

When talking about infrastructure, this means determining, providing and maintaining the premises, equipment, software, transportation, storage, technology, etc. that are needed to carry out your business operations.
We need to consider how we are going to provide, manage and maintain the needs of every area and equipment to be able to perform our processes in an effective manner.

Ensuring you can cope with customer demands can be helped by the work you did to address clause 4 and clause 6. Some examples to demonstrate conformity are a list of equipment in use, resources planning, maintenance planning of premises and equipment, maintenance records, etc.

Regarding work environment, this isn’t referring to the great outdoors. This means providing an environment that is suitable for what you are trying to achieve. Whether that is a factory, office or any other type of working space, make sure you have the right atmosphere to enable you and your employees to operate effectively.

Adequate heat, light, airflow, hygiene, noise levels, hand- washing stations, etc. all contribute to an effective working environment. This can also include addressing some of the softer elements such as employee wellbeing, stress-reduction, clear lines of reporting, employee appraisals, rewards systems etc.
This section can be easily controlled by the implementation of prerequisite programmes.


The standard specifies that all elements of the FSMS developed externally shall be identified, controlled and documented (this includes for example measuring and monitoring equipment).

Same conditions apply to externally provided processes, products or services, since you will be required to ensure you set all required specifications and they shall be met before any agreement is done with an external provider.

This section focuses on ensuring that all external processes, services or products will not affect the safety of your finished products or services. The evaluation and continuous monitoring of performance of providers is a must.


An organization working effectively and efficiently must have competent personnel. In terms of FSMS it is essential that employees have access to information and have been suitably trained to prevent food safety hazards.

Competence can include consideration for:

  • Capability to fulfil the task based on defined job roles and clear understanding of the consequences of its performance in food safety

  • Knowledge and experience of the food safety team

  • Defined methods of recruitment with consideration for temporary or agency employees

  • Awareness of food safety hazards associated with the products and processes

  • Legal requirements

  • Individual capabilities including experience, language skills, literacy and diversity

The diversity of activities within the organization will determine the level of training required to fulfil competence. Training gaps are usually identified with the development of new processes, for example the introduction of new machinery or in achieving compliance with regulatory requirements. No matter how big or small the organization is, training records are essential as reference and evidence of the fulfilment of competence.

Consider an overview training matrix identifying fulfilled training gaps including refresher training dates. In addition, consider individual training records with signatory evidence from the employee to acknowledge completion and understanding of training including for example the training on OPRPs and CCPs of your process provided to specific operators.

You must not forget all this training shall be provided by qualified personnel, so evidence for their competence is also mandatory, and the monitoring of performance to evaluate effectiveness. The need for refresher training can be also detected by:

  • Corrective actions

  • Management review meetings

  • Results of Internal audits

  • Specific competence depending on the role

The organization must also consider the competence of external providers including the procurement of contractors conducting tasks on site. The organization’s procurement process may provide the structure for management of external providers; including evidence of capability, competence and on site, this may be supported with site induction training.

Either internally or externally, the organization’s top management must be confident that mechanisms are in place to provide workers with suitable and sufficient competency based food safety training.

Awareness can be addressed through ensuring your FSMS is explained during recruitment and induction, at regular appraisal or review meetings with line management, through regular meetings and / or communications relating to food safety policy, objectives, and their contribution to the effectiveness of the FSMS as well as the consequences of not complying with the requirements.


Effective and efficient internal and external communications are the “key” to running a FSMS. The Standard is helpful in providing a framework in order to depict the communication process within an organization. By turning this into a table and with reference to the “interested parties” or “stakeholder” analysis undertaken in 4.2 a communications “plan” can be formed:


Of course, the columns can be re-arranged if necessary!

One area that is often forgotten is communication with “persons doing work under the organization’s control”. As a “rule of thumb” it is advisable to treat contractors or outsourced operations as if they were “direct” employees and communicate in a manner that is effective and so that the communication is two-way. By adopting this philosophy it ensures that the “persons doing work under the organization’s control” can contribute to continual improvement.

There must be an efficient communication system with providers of services, products or processes, customers, and regulators among others interested parties, and also internally with the food safety team. In conclusion, the communication system shall include all interested parties; however, remember to clearly defined who will be the person that provides these communications.

The outcome of the relevant internal and external information must be used as input to the management review.


Previously the standard used to mention that the establishment or maintenance of specific documented procedures and records were required, now 2018 version refers to maintain or retain documented information. Put simply, maintain means that you must keep it up to date, for example your policy and food safety objectives. Retain means you must keep records as evidence that you have satisfied that particular requirement.

You must ensure that all documents relating to your FSMS are easily identifiable, are in a suitable format, are protected from unintended alteration or destruction, and are available to the right people in the right version at the point at which they are needed.

It also makes sense to keep a record of all your FSMS documentation along with its current version / issue number, when it was last updated, who is responsible for the content, a summary of any changes made during revisions, when it is next due for a review, how long it must be retained for and how it is to be disposed of.

There are clear instructions as to what minimum documented information the standard requires:

Clause Documentation Requirement
4.3 Determining the scope of the food safety management system
5.2.2 Food Safety Policy
6.2.2 FSMS Objectives
7.1.2 People
7.1.5 Externally developed elements of the food safety management system
7.1.6 Control of externally provided processes, products or services
7.2 Competence
7.4.2 External communication
8.1 Operational planning and control
8.2 PRPs
8.3 Traceability
8.4 Emergency preparedness and response Preliminary steps to enable hazard analysis Characteristics of raw materials, ingredients and product contact materials Characteristics of end products Intended use On-site confirmation of flow diagrams Description of processes and process environment Hazard identification and determination of acceptable levels Hazard assessment Selection and categorisation of control measures
8.5.3 Validation of control measure(s) and combinations of control measures Hazard control plan Determination of critical limits and action criteria Monitoring systems at CCPs and for OPRPs Implementation of the hazard control plan
8.7 Control of monitoring and measuring
8.8 Verification related to PRPs and the hazard control plan
8.9.2 Corrections
8.9.3 Corrective actions Handling of potentially unsafe products Evaluation for release Disposition of nonconforming products
8.9.5 Withdrawal/ recall
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal Audit
9.3 Management review
10.1 Nonconformity and corrective actions
10.3 Update of the FSMS

Section 8: Operation

This is the core of a FSMS, where mostly all HACCP principles are integrated and the moment when “doing” is the key after being planning your system.

Annex SL only provides a common requirement, operational planning and control, the rest of clauses are specific to each standard.

Therefore, the first step is to ensure you have fully understood all the requirements for your product or service. This will involve liaising with customers as well as implementing measures to ensure all applicable legal requirements are met. This means, establishing criteria for your processes. It is essential that you determine and review your organization’s ability to meet the necessary requirements before you commit to anything.

All controls you previously planned, that may be supported by PRPs, OPRPs and/or your HACCP plan, must be now in place and all relevant documented evidence will be available to demonstrate you did act as planned.


2018 version suggests the use of specific ISO/TS 22002 series depending on the sector you are working on, to determine the PRPs applicable to your organization that will assist in controlling food safety hazards. The idea is to implement PRPs that are appropriate to your context, size and activities conducted.

These prerequisites will be established before conducting the hazard analysis, and its selection, implementation, monitoring and verification must be also documented.

The standard provides a list of PRPs that every organization shall consider, easy and quite straight to the point, do not miss any of them!


Have you established a traceability system and also a procedure to respond to emergency situations? Let’s prove it!

Examples of emergency situations could be natural disasters, an earthquake, sabotage, blockage of main utilities, environmental accidents, etc.

When previously ISO 22000 did not require a test for these activities, now it is crystal-clear. Implement a system with procedures in place and challenge its effectiveness, so you will be able to see if they work when needed. The documented evidence of these tests will be retained for a defined period not less than the shelf-life of the product/s provided.

Bear in mind that if traceability is an important factor in your product or service delivery, then you must ensure that all monitoring and measuring equipment is fit for the activities undertaken and is suitably calibrated and maintained. You must maintain documented evidence of such equipment being fit for purpose.

At this point, the ISO/TS 22005:07 may be of help as it will provide you guidelines for the establishment of a good traceability system.


There is no much difference between the requirements established by the HACCP principles developed by Codex Alimentarius and the information you will find in this section. The food safety team will collect, maintain as documented and update preliminary information to continue with this point, such as scientific documentation, regulations applicable to the sector, customer needs, historical data of food safety hazards associated with the product or service, etc.

Before carrying out the analysis of hazards, do not forget to establish a multidisciplinary team with a defined leader. This is the first step of HACCP, and although ISO 22000 does not specify this requirement in this section, it is mandated as part of the responsibilities of top management.

Once established the characteristics of raw materials, end products, intended use and a very detailed flow diagram/s, as the standard now requires, it’s time to carry out the hazard analysis. You can find some notes that make clear from where the identification of hazards can be obtained, for example the experience that can refer to information from internal staff or experts in the matter.

The evaluation of hazards, based on their severity of harm and probability of occurrence, will include the establishment of specific measures or combination of them to prevent or reduce the significant food safety hazards to acceptable levels. But make sure all implemented measure/s worked as expected! (Remember how validation is defined in section 3 of this guide).


An assessment of each of the control measures is needed to categorize them to be managed as OPRP or CCP, so you need to evaluate:

  • the probability of failure and how easy is to keep it under control

  • its severity when failing and what effect can cause the measure implemented

  • its location with respect to other activities implemented to reduce specific hazards

  • whether it’s specific for that particular hazard

  • if other measures are required to reduce the hazard to an acceptable level

  • the viability to establish measurable critical limits and/ or action criteria

  • the feasibility of monitoring to detect failures on the applicable determined limits and also corrections in case of failure

Don’t forget to maintain this decision-making process and results as documented information!

Your hazard control plan must contain, as a minimum, the following information for all identified CCPs and OPRPs:

  • what food safety hazard are you controlling with this CCP or OPRP

  • what measure have you put in place to do so

  • the critical limit/s or action criteria in place that can’t be exceed

  • how do you monitor this activity

  • which corrections and corrective actions will be carried out if critical limits or action criteria is not met

  • who is responsible for this activity (defined responsibilities and authorities)

  • what records do you maintain as monitoring evidence

As mentioned in section 3 when talking about definitions, the critical limits established for CCPs must be measurable. Likewise, the action criteria defined for the OPRPs must be also measurable or observable.
You need to define why you have selected those specific critical limits and action criteria and establish a monitoring system to defect any failure.

If visual inspections from staff are implemented as a monitoring system for a specific OPRP, you need to define what instructions or specifications were provided to personnel in order to ensure the system will be effective.
As usual, at this point, any failure will be considered non-conformity and you must follow it up establishing immediate corrections, retaining unsafe products under control, analysing the cause and implementing corrective actions to ensure recurrence is prevented.

Now that the PRPs, hazard control plan and all related requirements are established and documented when necessary, look back and make sure the preliminary information to enable the hazard analysis is still adequate!


First of all, ensure the person responsible for verification activities is not the same one that conducts their monitoring. Through verification you will be able to make sure that:

  • Input to hazard analysis is updated

  • PRPs are implemented and updated

  • OPRPS and CCPs are implemented and effective

  • Hazard levels are within identified acceptable levels

  • Every implemented procedure you established is effective

All these verification results must be assessed by the defined food safety team, so this will give you information with regard to how your system is performing.


We must start this section ensuring all staff responsible for corrections and corrective actions must be competent and have the authority to carry out these activities.

Within section 8 of the ISO 22000 standard, the specified corrective actions and corrections are focused at the operational level, so this will include all immediate actions to be taken when limits established for OPRPs and CCPs are exceeded and also actions that will be done to avoid their recurrence.

When critical limits for a CCP or action criteria for an ORP are not met, you must treat the product as potentially unsafe from entering the food chain. These products must be identified and retained at your organization at all times until its evaluation and disposition is determined.

Where monitoring shows that critical limits at CCPs are not met, you shall not release these products; instead their disposition must be documented and authorized ensuring:

  • their reprocessed to ensure the food safety hazard is reduced to an acceptable level,

  • other use that do not jeopardize food safety in the food chain, or

  • their destruction or disposal as waste

Likewise, when defined action criteria for an OPRP are not met, the identified non-conforming products won’t be released unless all established monitoring activities demonstrate that control measures were effective, the combined effect of control measures make the product suitable, or other verification activities can demonstrate the product/s conform/s to acceptable levels for the specific food safety hazard.

If they are already out of your premises, then you must initiate a withdrawal or recall and notify all relevant interested parties.

Section 9: Performance Evaluation

There are three main ways in which performance of a FSMS is evaluated. The first being process monitoring and measurement, the second being through internal audits and the third being the management review.


As an organization you will need to decide what you need to monitor and measure in order to be assured that your processes are operating as intended. You will also need to establish how often you will monitor and measure, what resources will be required, how results will be recorded, analysed and evaluated and who will carry out these evaluations.

This often results in a series of Key Performance Indicators (KPIs) which relate directly to your food safety objectives (set in section 6). You will need to retain documented information as evidence of the results of performance evaluation and use them as an input to the management review and the updating of the FSMS.


ISO 22000:2018 determines that internal audits must be carried out at planned intervals. It is for you, the organization to decide what those intervals should be. As an indication, you may wish to audit all processes at least once across an annual period, with higher-risk processes being audited more frequently. The purpose of internal audits is two-fold. Firstly to check that the management system conforms to the requirements specified by you, the organization as necessary for your operations; secondly to ensure conformity to the requirements of ISO 22000:2018.

Audit frequency should also be influenced by the results of previous audits and any changes which you are aware may affect the process. So, if you have a problematic process or area, it would make sense to audit it more frequently for a while until a solution is implemented and has been seen to be effective.

The Standard also says that auditors should conduct audits to ensure objectivity and the impartiality of the audit process. This is sometimes inherently difficult as internal auditors (by their name) have a close relationship with the organization being audited.

However, sensible guidelines so that internal auditors do not audit their own processes should be strived for.
Internal audits are a great opportunity to spend some time investigating a specific process or area and evaluating its performance. It is an ideal way to find areas for improvement and to fix potential issues before they occur. Think of internal audits as keeping your finger on the pulse of your organization. Internal audit findings must be reported to the food safety team and relevant management and naturally form part of the management review agenda.

Where necessary, corrections and corrective actions must be taken without undue delay. If a long-term fix requires significant planning and maybe funding approval, consider whether a short-term fix is possible and appropriate.


Management Review is an essential element of the FSMS.

The aim of the review is for Top Management to assess the performance of the management system to ensure it has been effective, adequate and suitable for the needs of the business, ultimately preventing unsafe food products or services to consumers. The management review is also a planned activity to review objectives including compliance and to set new objectives.

Usually management review meetings are conducted annually, however many organizstions conduct management reviews every six months or quarterly to track the performance of the system. If more frequent meetings are conducted, often the meeting agenda is reduced with the full agenda occurring annually.

You will need to retain documented information on your management reviews; these would normally be meeting minutes or perhaps call recordings if you carry out conference calls.

ISO 22000:2018 includes new elements to be considered during management review meetings, apart from the inputs already mentioned in the previous version:

  • changes in context (internal and external issues) that may affect the FSMS

  • information on the performance and the effectiveness of the FSMS, including trends in:

    • review of identified risks and opportunities and effectiveness of actions taken

    • performance of providers of services, processes or products

    • non-conformities and corrective actions

    • monitoring and measuring results

    • whether the objectives have been achieved

  • the adequacy of resources

  • opportunities for continual improvement

With regard to outputs, your organization must consider the decisions and actions related to continual improvement opportunities and any other need for changes and updates of the FSMS.

Section 10: Improvement

This section requires your organization to determine and implement opportunities for improvement to comply with the determined intended purpose of the product, what it is expected from customers, and prevent and reduce undesired effects while continually improving the system.


Now ISO 22000:2018 refers to all those nonconformities that come up from the management system and not just from the operational level, as we discussed in the previous section.

A methodology to capture, manage and resolve needs to be undertaken and the Standard asks for the following:

  • React to the nonconformity and, as applicable:

    • take action to control and correct it

    • deal with the consequences, including mitigating adverse environmental impacts

  • Evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by:

    • reviewing the nonconformity

    • determining the causes of the nonconformity

    • determining if similar nonconformities exist, or could potentially occur

  • Implement any action needed

  • Review the effectiveness of any corrective action taken

  • Make changes to the FSMS, if necessary

The Standard says that this process should be documented. There are various ways to achieve this but usually this comprises a “Corrective Action Request” (CAR) for each corrective action and a “log” which is essential to record and manage the CAR’s. This is especially useful where numerous corrective actions are raised.

The “log” can be as simple as:

More complex systems can “code” different types of nonconformity. This can then be used to generate trend data that can be useful in on-going performance appraisal of the EMS and the Management Review process.


The standard says that “The organization shall continually improve the suitability, adequacy and effectiveness of the FSMS”.

In other words, if all the above sections are established and implemented as well as FSMS updating, then continual improvement will occur.


This section has not changed in 2018 version, as a summary, top management must provide the resources needed to ensure the system is continually updated. The food safety team shall evaluate the FSMS at planned intervals, considering the hazard analysis, and identified OPRPs and CCPs. The evaluation must be based on:

  • Internal and external communication

  • Conclusions from analysis of results of verification activities

  • Outputs from management review meetings

  • Any other information related to the adequacy and effectiveness of the FSMS

These updates must be retained as documented information and reported as input of the management review.

Get the Most From Your Management System

Top tips for the successful implementation of a FSMS

  1. To have an effective FSMS ensure that “Top Management” is committed to its establishment, implementation, update and continual improvement.

  2. Get everyone involved. Top Management for context, requirements, policy and objectives setting; food safety team and assigned personnel with valuable competence for hazard analysis and risk assessment, process control and procedure writing.

  3. Make sure your system includes two PDCA cycles at operational and organizational levels, and communication between them is established and maintain at all times.

  4. Remember to identify how you have selected the applicable food safety hazards within your system; these are specific to each process and product and also depending on applicable regulations and customer needs, so this information is not interchangeable!

  5. When changes to products or processes occurred, either planned or unintentionally, ensure your system is reviewed and established control measures still effective for the intended purpose of the FSMS.

  6. Review your monitoring and measuring devices are calibrated at specified frequency to ensure reliable results.

  7. Remember your suppliers. Some suppliers will help you enhance your FSMS, some will increase your risk. You need to ensure any high-risk suppliers have controls in place that are at least as good as yours. If they don’t then look for alternatives.

  8. Food Safety concepts are likely to be new for many or most of your employees. People may need to change habits ingrained over many years. A single awareness briefing is unlikely to be sufficient, so focus on your personnel competence as a fundamental key for the implementation of a good FSMS.

  9. Remember to allocate sufficient resources to routinely test your controls. The threats your organization faces will constantly change and you need to test whether you are able to respond to those threats.

To get a quote for ISO 22000 certification simply click here and complete our online quote form.

You can download a PDF of this implementation guide here: NQA ISO 22000 Implementation Guide.

Food Safety Toolkit

Food Safety Quote Request Form

Download Certification Logos

Guide to Transferring Certification

ISO 22000 Transition Gap Guide

ISO 22000 Transition Timeline

ISO 22000 Implementation Guide

Gap Analysis