ISO 22000 Food Safety Management: Requirements and Implementation Guide

ISO 22000:2018 is the international standard for food safety management systems (FSMS). It applies to every organization in the food chain, from primary producers to retailers, food service operators, and the companies that make packaging and cleaning materials used in food production. If your business touches food at any point, ISO 22000 provides a framework for identifying, managing, and preventing food safety hazards before they reach consumers.

This guide covers the core requirements of ISO 22000:2018, how it integrates HACCP principles into a management system structure, and what implementation looks like in practice.

What is ISO 22000?

ISO 22000 is a Food Safety Management System standard developed by the International Organization for Standardization (ISO). The current edition, ISO 22000:2018, was published in June 2018 and replaces the original 2005 version.

The standard specifies requirements for an FSMS that enables an organization to plan, implement, operate, maintain, and update a system providing safe food and food products. ISO 22000 integrates the HACCP (Hazard Analysis and Critical Control Points) principles developed by Codex Alimentarius with a broader management system structure based on ISO's High Level Structure (HLS), the same framework used by ISO 9001 and ISO 14001.

According to ISO's official food safety management page, ISO 22000 can be used by any organization regardless of size or position in the food chain.

Who needs ISO 22000?

ISO 22000 applies to organizations that want to demonstrate their ability to control food safety hazards and provide consistently safe food. This includes:

  • Food manufacturers (beverages, processed foods, dairy, meat, seafood, baked goods)
  • Primary producers (farms, fishing operations, livestock)
  • Food packaging manufacturers
  • Food equipment and ingredient suppliers
  • Distributors, logistics providers, and cold chain operators
  • Retailers and food service operations
  • Cleaning and sanitation product suppliers for the food industry

ISO 22000 certification is increasingly required by major food retailers and brands as a condition of supplier approval. Organizations seeking FSSC 22000 certification (a GFSI-recognized scheme) must first meet ISO 22000 requirements, with FSSC adding sector-specific prerequisite programs.

The structure of ISO 22000:2018

ISO 22000:2018 uses the High Level Structure, giving it clause numbering and organization consistent with other ISO management standards. The ten main clauses are:

Clause 4: Context of the organization. Organizations must understand their internal and external context, identify interested parties and their requirements, and define the scope of the FSMS.

Clause 5: Leadership. Top management must demonstrate commitment to food safety, establish a food safety policy, and assign roles and responsibilities including the designation of a Food Safety Team Leader.

Clause 6: Planning. The organization must address risks and opportunities, set food safety objectives, and plan how to achieve them.

Clause 7: Support. Resource management, competence, awareness, communication, and documented information requirements.

Clause 8: Operation. This is the operational heart of the standard. It covers prerequisite programs (PRPs), hazard analysis, the HACCP system, and all production control activities.

Clause 9: Performance evaluation. Monitoring, measurement, internal audits, and management review requirements.

Clause 10: Improvement. Nonconformity, corrective action, and continual improvement.

The two core technical elements: PRPs and HACCP

ISO 22000 builds food safety management on two interconnected technical layers: Prerequisite Programs and the HACCP hazard control system.

Prerequisite Programs (PRPs)

PRPs are the foundational conditions and activities necessary to maintain a hygienic environment throughout the food chain. They control general food safety conditions before hazard-specific controls are applied. Common PRPs include:

  • Facility design and layout (preventing cross-contamination between raw and ready-to-eat areas)
  • Equipment maintenance and calibration programs
  • Pest control
  • Cleaning and sanitation procedures
  • Personal hygiene requirements for food handlers
  • Supplier control for raw materials and ingredients
  • Allergen management programs

ISO 22000 requires organizations to establish, implement, maintain, and review their PRPs. Sector-specific PRP requirements are defined in the ISO 22002 series (ISO 22002-1 for food manufacturing, ISO 22002-6 for feed and animal food production, etc.).

The HACCP system

The HACCP system addresses specific food safety hazards that PRPs alone cannot control. ISO 22000 Clause 8.5 requires a full hazard analysis process, including:

Hazard identification and assessment: The Food Safety Team identifies all biological, chemical, and physical hazards that could reasonably be expected to occur in the product or process, then assesses the severity and likelihood of each hazard.

Determination of critical control points (CCPs): Hazards that cannot be controlled by PRPs require CCPs where control can be applied and verified. Classic CCPs include thermal processing steps (pasteurization, cooking) and metal detection.

Critical limits: Each CCP must have established critical limits, the maximum or minimum value to which a biological, chemical, or physical parameter must be controlled to prevent or eliminate the occurrence of a food safety hazard.

Monitoring systems: The organization must establish how each CCP will be monitored, at what frequency, and by whom.

Corrective actions: When monitoring indicates a CCP is not under control, pre-defined corrective actions specify how to handle the affected product and how to restore control.

Verification: Activities confirming that the HACCP system is working as intended. This includes review of CCP monitoring records, calibration verification, and challenge testing.

Key changes in ISO 22000:2018 vs. 2005

The 2018 revision introduced the High Level Structure alignment, making ISO 22000 easier to integrate with ISO 9001 quality management systems. Other significant changes include:

Clearer separation of PRPs and CCPs: The 2018 version introduced Operational PRPs (OPRPs) as a formal category between general PRPs and CCPs, providing a more structured approach to hazard control selection.

Stronger risk-based thinking: Clause 6 requires explicit identification of risks and opportunities at the organizational level, not just food safety hazards at the process level.

Communication requirements: Internal and external communication requirements are more explicit, including requirements for communication with customers, suppliers, and regulatory authorities about food safety matters.

Documented information: The 2018 version distinguishes between documents (information to be maintained) and records (information to be retained), aligning with ISO 9001 terminology.

The implementation process

A structured ISO 22000 implementation typically follows these stages:

Gap analysis: Compare current food safety practices against ISO 22000:2018 requirements. Identify which PRPs are already in place, where documentation is missing, and whether a HACCP system exists or needs to be built.

Food Safety Team formation: ISO 22000 requires a multidisciplinary Food Safety Team with knowledge of products, processes, and food safety hazards. The team leads hazard analysis and HACCP development.

PRP establishment: Document all prerequisite programs covering facility, equipment, hygiene, pest control, supplier controls, and allergen management. Verify that PRPs are effectively implemented.

Hazard analysis: The Food Safety Team conducts a systematic hazard analysis covering all raw materials, process steps, and finished products. Each hazard is assessed for severity and likelihood.

CCP and OPRP determination: Using a decision tree or equivalent methodology, the team determines which hazards require CCPs, which can be controlled by OPRPs, and which are adequately addressed by PRPs.

HACCP plan development: Document critical limits, monitoring procedures, corrective actions, and verification activities for each CCP.

Documentation system: Develop or update documented information to meet ISO 22000 requirements, including the food safety policy, objectives, HACCP plan, PRP documentation, and records.

Internal audit: Conduct an internal audit against ISO 22000 requirements to identify gaps before certification. According to the NQA ISO 22000 Implementation Guide, organizations should allow sufficient time between implementation completion and the certification audit to collect records demonstrating system operation.

Management review: Top management reviews the FSMS performance, including food safety objectives, audit results, nonconformities, and customer feedback.

Certification audit: An accredited certification body conducts a Stage 1 document review followed by a Stage 2 on-site audit. Successful completion results in ISO 22000 certification.

ISO 22000 and FSSC 22000: understanding the relationship

FSSC 22000 (Food Safety System Certification 22000) is a GFSI-recognized certification scheme that uses ISO 22000 as its foundation but adds sector-specific PRP requirements from the ISO 22002 series and FSSC-specific additional requirements.

Many major food manufacturers and retailers require suppliers to hold FSSC 22000 certification rather than ISO 22000 alone. The path to FSSC 22000 runs through full ISO 22000 implementation with added sector-specific PRPs.

How digital systems support ISO 22000 compliance

Managing an ISO 22000 FSMS across multiple product lines and facilities requires systematic control of HACCP plans, PRP documentation, monitoring records, nonconformity reports, corrective actions, and internal audit schedules.

Paper-based systems make it difficult to demonstrate consistent PRP implementation, track CCP monitoring trends, or respond quickly when a monitoring record shows a limit was approached or exceeded. Digital food safety management systems provide real-time visibility into HACCP control points and connect nonconformities to corrective actions automatically.

Cloudtheapp's cloud-based quality platform includes food safety management applications supporting ISO 22000 and FSSC 22000 compliance. With 60+ applications covering HACCP management, supplier qualification, document control, CAPA, and internal audits, regulated food manufacturers use Cloudtheapp to maintain audit-ready compliance across their operations.

To see how Cloudtheapp supports food safety compliance, request a demo.

Frequently asked questions

Is ISO 22000 certification mandatory?

ISO 22000 certification is voluntary from a regulatory standpoint. However, many major food retailers and brands require suppliers to hold ISO 22000 or FSSC 22000 certification as a condition of doing business.

How long does ISO 22000 certification take?

Most organizations need six to eighteen months from implementation start to certification, depending on the complexity of their products and processes and the maturity of existing food safety practices.

What is the difference between ISO 22000 and HACCP?

HACCP is a science-based hazard analysis methodology. ISO 22000 incorporates HACCP principles within a full management system that adds leadership commitment, communication requirements, PRP management, performance evaluation, and continual improvement requirements.

Can a small food company get ISO 22000 certified?

Yes. ISO 22000 applies to organizations of any size. The certification body will scale the audit scope to the organization's complexity. Smaller organizations may find that a simpler documented system meets the standard's requirements.

How does ISO 22000 relate to FDA food safety regulations?

ISO 22000 is an international voluntary standard. FDA's food safety requirements under the Food Safety Modernization Act (FSMA) are regulatory mandates in the United States. ISO 22000 certification does not ensure FSMA compliance, but the two frameworks share many principles. Organizations implementing ISO 22000 typically find that their FSMA compliance posture also strengthens.

Please complete the form to access the Case Study

Please complete the form to access the Case Study

You will receive the webinar link via email once your request has been approved

Sign Up for Cloudtheapp

New to Cloudtheapp?

Access to try Cloudtheapp can be granted after you request a demo to learn how it can transform your operations.

Existing Customer User?

You can proceed with signing up.

New to Cloudtheapp?

Access to try Cloudtheapp can be granted after you request a demo to learn how it can transform your operations.

Existing Customer User?

You can proceed with signing up.

Please complete the form to access the Case Study

Please complete the form to access the Case Study

Please complete the form to access the Case Study

Please complete the form to access the Case Study

Please complete the form to access the Case Study