1. Home
  2. Resources
  3. ISO 22000 Standard in Food Safety

Regulatory Compliance

ISO 22000 Standard in Food Safety: Requirements, Certification & Updates

ISO 22000

Summary

So what is the ISO 22000 standard? ISO 22000 is a globally applicable food safety management standard that integrates HACCP principles into a structured management system. It applies to all organizations in the food chain, regardless of size or sector, and establishes requirements for leadership involvement, hazard control, documentation, monitoring, and continuous improvement. Certification is voluntary but widely required by customers and markets. The ISO 22000:2018 revision aligned the standard with Annex SL and strengthened risk-based thinking, while Amendment 1:2024 introduced climate action considerations into food safety management.

This page explains what ISO 22000 requires, who it applies to, how certification works, and how food and beverage brands can operationalize compliance at scale.

ISO 22000 Amendment

UPDATE ALERT ISO 22000 AMENDMENT 1:2024 — CLIMATE ACTION

ISO published Amendment 1:2024, introducing climate action considerations into food safety management.

Organizations certified to ISO 22000 must now assess how climate-related factors—such as extreme weather events, supply chain disruptions, or changing pathogen behavior—affect their food safety risks. This applies to both new certifications and surveillance audits.

Organizations preparing for their next certification or surveillance audit should begin integrating climate risk assessments into their FSMS documentation now to avoid nonconformities.

Entity & terms Definitions

ISO (International Organization for Standardization): An independent, non-governmental international organization that develops voluntary international standards.

ISO 22000: An international standard specifying requirements for an ISO 22000 food safety management system that integrates HACCP principles with management system processes.

FSMS (Food Safety Management System): A structured system of policies, procedures, and controls used to manage food safety risks.

HACCP (Hazard Analysis and Critical Control Point): A preventive approach to food safety developed by the Codex Alimentarius Commission to identify, evaluate, and control food safety hazards.

Codex Alimentarius Commission: A joint body of the Food and Agriculture Organization (FAO) and the World Health Organization (WHO), established in 1963 to develop international food standards, guidelines, and codes of practice.

GFSI (Global Food Safety Initiative): A private organization that benchmarks food safety certification schemes. GFSI recognition is widely required by major retailers and brand owners.

FSSC 22000: A GFSI-recognized food safety certification scheme that builds on ISO 22000 by adding sector-specific prerequisite programs and additional scheme requirements.

Annex SL: The common high-level structure used across ISO management system standards, enabling integration between standards such as ISO 22000, ISO 9001, and ISO 14001.

Trace One: A Product Lifecycle Management (PLM) and regulatory compliance platform serving 9,000+ brands in Food & Beverage, Chemicals, and Cosmetics. Trace One helps manufacturers bring market-leading products to shelves faster with compliance confidence that protects brand equity and accelerates retailer approvals.

BEST FOR: F&B manufacturers and food chain organizations pursuing or maintaining ISO 22000 certification, transitioning to FSSC 22000, or integrating food safety management systems with quality and environmental management standards. Particularly valuable for companies managing multi-site operations, complex supplier networks, or preparing for certification audits. 

 

ISO 22000 Standard

ISO 22000 Standard in Food Safety: What You Need to Know

ISO 22000 is an internationally recognized food safety standard that defines the requirements for a Food Safety Management System (FSMS). It applies across the entire global food chain and is designed to ensure that food is safe at the point of consumption. Whether you manufacture ingredients, process packaged goods, or handle distribution, it provides a systematic framework for identifying and controlling food safety hazards across your operations.

By aligning with ISO 22000, food safety management systems integrate Hazard Analysis and Critical Control Point (HACCP) principles developed by the Codex Alimentarius Commission. Established in 1963 by the Food and Agriculture Organization of the United Nations (FAO) and the World Health Organization (WHO), the Codex Alimentarius harmonizes national food safety regulations from different jurisdictions. By incorporating these globally accepted HACCP principles, ISO 22000 provides a unified approach to food safety management that resonates with regulators, retailers, and consumers worldwide. The ISO 22000 HACCP integration means organizations don’t need separate HACCP and management system programs—the standard unifies both.

For food and beverage manufacturers, ISO 22000 certification provides more than just compliance. It is a strategic asset that opens doors to new markets, strengthens brand reputation, and creates operational efficiencies that directly impact your bottom line. Understanding this standard is the first step toward transforming food safety from a regulatory obligation into a competitive advantage.

KEY TAKEAWAY 
ISO 22000 is not just a HACCP plan. It is a full management system that embeds HACCP principles into leadership responsibility, risk-based planning, documentation control, and continuous improvement. 

A global food and agriculture leader (160,000+ employees, 70 countries) transformed their approach by embedding compliance into product development from day one. “Regulatory compliance is at the heart of the tool because that’s where we’re feeding in our product development cycle,” their product development leader explained. The result: compliance risks identified during formulation—not after inspection or audit.

Who Does ISO 22000 Apply To

Who Does ISO 22000 Apply To?

ISO 22000 applies to any organization involved in the food chain, regardless of size or complexity. This includes agricultural producers, food and beverage manufacturers, ingredient and raw material suppliers, packaging manufacturers, transportation and logistics providers, warehouses, retailers, and food service operators.

Because of its broad applicability, ISO 22000 provides a common food safety language across supply chains. When multiple partners adopt the standard, audits become more efficient, traceability improves, and supplier qualification is simplified.

ISO 22000 is scalable. Small producers and global manufacturers are held to the same principles, while implementation depth and controls are adapted to the organization’s context, risks, and operations.

ISO 22000 Requirements: Clauses 4–10 Explained

ISO 22000 is structured into ten clauses, with the core requirements defined in Clauses 4 through 10. Together, these clauses guide organizations from understanding their operating context through continual improvement of their FSMS.

Clause 4 focuses on understanding the organization’s context. Companies must identify internal and external factors that affect food safety, define interested parties and their requirements, and clearly establish the scope of the FSMS.

Clause 5 establishes leadership responsibility. Top management must demonstrate commitment by defining a food safety policy, assigning roles and responsibilities, and ensuring food safety objectives are integrated into the organization’s strategic direction.

Clause 6 addresses planning. Organizations must identify risks and opportunities that could affect the FSMS, set measurable food safety objectives, and plan changes in a controlled manner. Risk-based thinking extends beyond individual hazards to system-level risks.

Clause 7 covers support. This includes ensuring competent personnel, adequate infrastructure, effective internal and external communication, and controlled documentation.

Clause 8 governs operations. Organizations must establish Prerequisite Programs, conduct hazard analysis, determine PRPs, OPRPs, and CCPs, and implement controls with traceability, monitoring, validation, and verification.

Clause 9 focuses on performance evaluation. Organizations must monitor and measure FSMS effectiveness through internal audits, management reviews, and performance indicators.

Clause 10 requires improvement. Nonconformities must be addressed through corrective actions that eliminate root causes, and organizations must continually improve their FSMS as risks and conditions evolve.

Learn more about FSMA compliance requirements and how they intersect with ISO 22000 food safety management.

A world leader in liquid food processing (24,000+ employees, operations in 160+ countries) was “spending thousands of hours on painstaking, manual monitoring of laws.” Now their teams use Trace One Regulatory Compliance for 24/7 automated monitoring and real-time alerts—the kind of systematic documentation and performance monitoring that Clauses 7, 9, and 10 require.

PRPs, OPRPs, and CCPs Terminology Explained

Within ISO 22000, hazard control relies on three distinct but complementary mechanisms: PRPs, OPRPs, and CCPs.

Prerequisite Programs (PRPs)

PRPs establish the basic environmental and operational conditions necessary to mitigate food safety risks across the food chain, including production, packaging, storage, and transportation. These include sanitation, pest control, maintenance, employee hygiene, and similar foundational controls that reduce the likelihood of hazards occurring.

Operational Prerequisite Programs (OPRPs)

OPRPs are more specific. They control identified hazards at defined steps in the process where control is essential but does not meet the criteria of a CCP. Examples include allergen segregation procedures or temperature controls designed to reduce microbial growth.

Critical Control Points (CCPs)

CCPs are steps where control is essential to prevent, eliminate, or reduce a food safety hazard to an acceptable level. CCPs require defined critical limits, real-time monitoring, and corrective actions when deviations occur.

KEY TAKEAWAY
PRPs create a safe operating environment, OPRPs manage specific hazards within processes, and CCPs provide measurable control points. Together, they form a layered system of food safety controls. 

 

ISO 22000 PRPs OPRPs and CCPs
ISO 22000 vs. FSSC 22000 and Other GFSI Standards

ISO 22000 vs. FSSC 22000 and Other GFSI Standards

ISO 22000 serves as a foundational food safety management framework applicable across the food chain. On its own, ISO 22000 is not recognized by the Global Food Safety Initiative (GFSI), which can limit acceptance by certain retailers and brand owners.

FSSC 22000 builds on ISO 22000 by adding sector-specific PRPs and additional scheme requirements. Because of this, FSSC 22000 is GFSI-recognized and commonly required by large retailers.

Organizations already certified to ISO 22000 can transition to FSSC 22000 with reduced audit effort.

Other GFSI-recognized standards, such as BRCGS and IFS, are retailer-driven and often market-specific. GlobalG.A.P. applies primarily to primary production.

ISO 22000 often serves as the starting point, with additional certifications added as market requirements evolve.

Discover how Trace One helps F&B brands centralize documentation and supplier management across food safety standards. Book a demo.

ISO 22000 Certification Process

Understanding how to get ISO 22000 certification starts with a structured process that typically takes from a few to several months, depending on organizational size, complexity, and existing management systems.

Organizations begin with a gap analysis to assess current practices against ISO 22000 requirements. This is followed by FSMS development and documentation, implementation and employee training, internal audits, and management review.

Certification audits occur in two stages. Stage 1 reviews documentation and readiness. Stage 2 verifies effective implementation through on-site assessment. Once certified, organizations undergo annual surveillance audits, with recertification required every three years.

Organizations already certified to ISO 9001 or converting from ISO 22000 to FSSC 22000 often experience shorter timelines and fewer nonconformities.

Preparing for your ISO 22000 certification audit? Learn how a global food and agriculture leader excels at compliant product development with PLM and Regulatory Compliance platform from Trace One.

A top 5 global dairy company ($20B+ revenue, operations in 140+ countries) achieved 13 full-time employee equivalents in annual time savings on regulatory searches and documentation by replacing fragmented files with a single source of truth. When auditors request documentation, the difference between fragmented files and a centralized system determines whether you respond in minutes or scramble for days—exactly the audit readiness ISO 22000 Clause 9 demands.

What Changed in ISO 22000:2018 and Amendment 1:2024?

ISO 22000:2018 aligned the standard with Annex SL, the common high-level structure used across ISO management system standards. This alignment simplifies integration with standards such as ISO 9001 and ISO 14001 and strengthens leadership and risk-based thinking requirements.

The 2018 revision also clarified terminology around PRPs, OPRPs, and CCPs and reinforced communication and leadership engagement.

In 2024, ISO published Amendment 1, introducing climate action considerations into food safety management. Organizations must now assess how climate-related factors, such as extreme weather events or changing pathogen behavior, affect food safety risks.

KEY TAKEAWAY
ISO 22000 now explicitly requires organizations to consider climate-related risks as part of food safety management, reinforcing the link between food safety, resilience, and sustainability

ISO 22000 Documentation and Version Control

Documentation is central to ISO 22000 compliance. Clause 7.5 requires organizations to maintain documented information that supports the operation and control of their FSMS. During certification and surveillance audits, auditors expect manufacturers to produce complete, accurate, and current records demonstrating consistent compliance over time.

Comprehensive documentation includes HACCP plans, hazard analyses, PRP records, OPRP monitoring records, CCP verification data, supplier certifications, Certificates of Analysis, product specifications, formulations, SOPs, and traceability records. These documents must be accessible and audit ready.

Version control is essential. Managing fragmented documentation across teams and suppliers—especially through manual systems—creates significant risk. Using outdated or unauthorized documents can lead to nonconformities during audits, mislabeling, and allergen control failures.

Modern compliance platforms centralize documentation in secure systems with automated version tracking and audit trails. This ensures teams always work from the latest approved documents while supporting supplier collaboration and change management.

The 6th largest global spirits company (150+ years, 190 markets) replaced decentralized tracking across 56 offices with a single source of truth. “We had great people doing great work. But they were working in silos,” their VP of Global Regulatory Affairs explained. Trace One Regulatory Compliance provides centralized, version-controlled documentation with full audit trails across specifications, labels, Certificates of Analysis, and supplier records—so auditors can clearly see what changed, when it changed, and who approved it.

How Trace One Supports ISO 22000 Compliance

Trace One PLM and Trace One Regulatory Compliance serve as ISO 22000 compliance software, centralizing product data, supplier information, and regulatory documentation in a single platform.

  • Centralized product and FSMS data: Trace One PLM serves as your single source of truth, consolidating formulations, product specifications, allergen data, supplier records, and compliance documentation into one secure platform—supporting Clause 7 documentation control and Clause 8 operational requirements.

  • Supplier collaboration and quality management: Structured supplier data collection, certification tracking with automatic expiration alerts up to 90 days in advance, audits, and nonconformity management strengthen the supply chain control ISO 22000 requires.

  • Documentation, traceability, and audit readiness: Version-controlled documentation and end-to-end traceability support efficient audits, faster recalls, and clear demonstration of hazard control effectiveness—the core of Clause 9 performance evaluation.

  • Regulatory intelligence: Access an extensive food regulatory database with 24/7 monitoring across 170+ countries. The Food News Monitoring System (FNMS) tracks 134,000+ food news items and 74,000+ food laws across 300+ global regulatory sites. The Food Law Library (FLL) provides access to over 37,000 legal statutes. REGDATA® screens formulations against 20,000+ global restricted substances with instant go/no-go assessments.

  • Sustainability and climate risk integration: Trace One supports the assessment and documentation of climate-related food safety risks, helping organizations align with ISO 22000 Amendment 1:2024.

“The thing that fascinated us was having regulatory capability inside the tool, not having all these different emails and separate fragmented systems,” explained a product development leader at a global food company (160,000+ employees, 70 countries).

Trace One Regulatory Compliance customers save up to 70% of time on regulatory-related searches and up to 50% time to market for new product launches.

One of the top 3 FMCG companies in the world ($90B+ revenue, 275,000+ employees) achieved up to 80% time savings on regulatory assessments for new market expansion and 30% time savings compared to manual data collection. “We basically replaced the call to regulatory for preliminary check with one click in the system.”

Book a 15-minute demo

See how Trace One centralizes documentation, traceability, and supplier management to support your ISO 22000 certification journey.

A Step-by-Step Roadmap to Technology-Enabled ISO 22000 Compliance

Building a sustainable ISO 22000 compliance program requires strategic planning and the right technology foundation. Follow this roadmap to transform food safety management from a reactive process into a proactive discipline.

  1. Conduct a gap analysis: Evaluate your current practices against ISO 22000 Clauses 4-10. Identify documentation gaps, assess hazard analysis capabilities, review supplier verification processes, and audit your traceability systems. Understanding where you stand is essential before implementation.
  2. Secure leadership commitment: Clause 5 requires top management to demonstrate commitment. Embed food safety into your organization’s strategic direction, allocate adequate resources, and ensure cross-functional support.
  3. Invest in centralized documentation and traceability: Leverage modern platforms like Trace One to centralize FSMS documentation, automate version control, and maintain end-to-end traceability. Digitizing these processes reduces audit preparation time and eliminates the risk of working from outdated documents.
  4. Implement structured supplier management: Establish supplier qualification processes with certification tracking, automatic expiration alerts, and nonconformity management. ISO 22000 requires control across the food chain, not just within your own operations.
  5. Train all departments on their FSMS roles: ISO 22000 Clause 7.2 requires competent personnel. Train all relevant staff—not just quality teams—on their role in the food safety management system through ongoing training, internal audits, and clear communication.
  6. Establish continuous monitoring and improvement: Set up automated alerts for regulatory changes, supplier non-compliance, and specification updates. Regular internal audits and management reviews ensure your FSMS evolves with changing risks—fulfilling the Clause 10 requirement for continual improvement.

Learn how one of the top three FMCG companies in the world transformed its product development process by making compliance a core business value 

Book a 15-minute demo

Identify your food safety management gaps and see how Trace One supports ISO 22000 readiness.

Frequently Asked Questions about ISO 22000 Food Safety

What is ISO 22000?

ISO 22000 is an internationally recognized standard that defines the requirements for a food safety management system (FSMS). So what is ISO 22000 certification? It is the process by which an accredited body verifies that an organization’s FSMS meets ISO 22000 requirements. The standard helps organizations across the food chain identify and control food safety hazards, integrating HACCP principles with systematic management practices to ensure food is safe at the point of consumption.

What are the requirements of ISO 22000?

ISO 22000 requirements are found in Clauses 4-10. They cover organizational context, leadership commitment, planning, support resources, operational controls that include HACCP, performance evaluation, and continuous improvement. Organizations are responsible for establishing Prerequisite Programs (PRPs), conducting hazard analysis, determining Critical Control Points (CCPs) and Operational Prerequisite Programs (OPRPs) while maintaining documentation around procedures with full traceability.

Is ISO 22000 the same as HACCP?

No. ISO 22000 incorporates HACCP principles within a broader management system framework. While HACCP focuses specifically on hazard analysis and critical control points, ISO 22000 includes leadership requirements, risk-based thinking, documentation control, internal audits, and continuous improvement to provide a more comprehensive approach to food safety management.

ISO 22000 vs FSSC 22000: What’s the difference?

ISO 22000 is the baseline food safety framework applicable to all food chain organizations. FSSC 22000 builds on ISO 22000 by adding sector-specific PRPs and additional scheme requirements. As a result, it is recognized by the Global Food Safety Initiative (GFSI). FSSC 22000 is primarily designed for manufacturers, while ISO 22000 applies universally across the food chain.

Who can get ISO 22000 certified?

Any organization involved in the food chain can pursue ISO 22000 certification, regardless of size or sector. That includes agricultural producers, ingredient suppliers, food manufacturers, packaging companies, transportation providers, warehouses, retailers, and food service operators.

Is ISO 22000 certification mandatory?

ISO 22000 certification is voluntary, not legally mandated. Still, many retailers, brand owners, and international markets require suppliers to hold ISO 22000 or GFSI-recognized certifications like FSSC 22000. While not mandatory by law, it is often essential for market access and competitive positioning.

What changed in ISO 22000:2018?

The 2018 revision aligned ISO 22000 with Annex SL, the high-level structure used across ISO management standards, making integration with other systems easier. It emphasized risk-based thinking beyond hazard analysis, clarified terminology around Prerequisite Programs (PRPs), Operational PRPs (OPRPs), and Critical Control Points (CCPs), and strengthened requirements for leadership engagement and communication.

What is Amendment 1:2024 to ISO 22000?

Amendment 1:2024 introduces climate action considerations into ISO 22000. Organizations now need to assess how climate change impacts their food safety risks, for example, extreme weather’s effects on supply chains or changing pathogen behavior. This amendment aligns food safety management with broader environmental and sustainability goals.

How long does ISO 22000 certification take?

ISO 22000 certification typically takes from a few to several months, depending on your organization’s size, existing systems, and readiness. Many organizations engage an ISO 22000 consultant to accelerate preparation. Implementation includes gap analysis, FSMS development, employee training, internal audits, and management review before the certification body conducts stage 1 and stage 2 audits.

What are PRPs and OPRPs in ISO 22000?

Prerequisite Programs (PRPs) are foundational measures like cleaning, sanitation, and pest control that create safe conditions across the food chain, including production, packaging, storage, and transportation. Operational PRPs (OPRPs) are more targeted controls addressing specific hazards identified through hazard analysis. Both work with Critical Control Points (CCPs) to create layered food safety defenses.

Our Customers Include

  • Auchan
  • 29-barilla
  • Cargill
  • OceanSpray
  • 37-mars-wrigley
  • logo_ferrero
  • 04-sensient
  • Brown–Forman_Logo
  • McCormick
  • 30-continentalmills
  • Ghirardelli
  • 35-lindt
  • Bacardi
  • innoncent drinks logo file
  • Ahold_Delhaize_Logo
  • Europastry Logo
  • carrefour-supermarket-logo
  • Glico_logo.svg
  • Moet Hennessy Logo
  • UNFI-1
  • Monoprix_logo.svg
  • Logo_Francap
  • Logo_Franprix_2015
  • Tesco_Logo.svg
  • AAK-1
  • ElectroDepot_Logo
  • Compliance-Cloud-Campari
  • naos png
  • Post Consumer Brands

Let’s Get in Touch