ISO 22000:2018 Food Safety Management
FSMS · HACCP · PRPs · CCP/OPRP Controls

ISO 22000:2018 is the international standard for Food Safety Management Systems (FSMS). It provides the framework for organisations in the food chain to identify, assess, and control food safety hazards — ensuring that food does not cause harm to the consumer at the point of consumption.

ISO 22000:2018 integrates three core elements:

• HACCP (Hazard Analysis and Critical Control Points): The Codex Alimentarius HACCP methodology for identifying, evaluating, and controlling food safety hazards (biological, chemical, physical, radiological)
• Prerequisite Programmes (PRPs): Foundational hygiene and infrastructure controls that provide a clean, safe operating environment — described in sector-specific ISO/TS 22002-x documents
• Management System Framework: The ISO Annex SL high-level structure (same as ISO 9001, ISO 14001, ISO 27001) covering leadership, planning, support, operation, performance evaluation, and improvement

The standard applies to all organisations in the food chain — from primary producers (farms, fisheries) through processors, packers, transporters, storage operators, retailers, food service establishments, and manufacturers of food-contact materials, packaging, and food ingredients.

ISO 22000:2018 replaced ISO 22000:2005. The 2018 version aligned the standard with Annex SL, clarified the two-level risk concept (business risk at system level, food safety risk at operational level), strengthened the distinction between PRPs, CCPs, and OPRPs, and improved requirements for communication, traceability, and recall.

Prerequisite Programmes (PRPs) are the foundational conditions and activities necessary to maintain hygienic food processing, handling, and storage environments. They control general food safety hazards common to the environment — rather than specific hazards associated with a particular product or process step.

PRPs create the baseline from which hazard analysis begins. Without effective PRPs, the hazard analysis will generate an unmanageable list of hazards that would need to be addressed at product-specific CCPs and OPRPs. Well-implemented PRPs simplify the HACCP study significantly.

Typical PRP categories covered in ISO 22000:2018 (Annex C examples):

• Construction and layout of buildings and associated utilities
• Layout of workspaces (including employee facilities and welfare)
• Supplies of air, water, energy, and other utilities
• Waste and sewage disposal
• Equipment suitability, cleaning, and disinfection
• Management of purchased materials
• Cross-contamination prevention
• Cleaning and disinfecting (cleaning and sanitising)
• Pest control
• Personnel hygiene
• Rework
• Product recall procedures
• Warehousing
• Contamination prevention, cross-contamination, and mislabelling
• Maintenance and corrective actions

ISO/TS 22002 sector-specific PRP guidance:

• ISO/TS 22002-1: Food manufacturing (the most widely used)
• ISO/TS 22002-2: Catering (food service)
• ISO/TS 22002-3: Farming (primary production)
• ISO/TS 22002-4: Food packaging manufacturing
• ISO/TS 22002-6: Feed and animal food production

PrecisionTech selects and implements the correct ISO/TS 22002 document(s) for your specific sector and uses them to build PRPs proportionate to your actual hazard profile and operating environment.

The HACCP study is the systematic, science-based process for identifying food safety hazards in your products and processes, evaluating their significance, and selecting appropriate control measures. ISO 22000:2018 Clause 8.5 specifies the HACCP methodology. The seven HACCP principles (from Codex Alimentarius) are embedded within the standard:

Step 1 — Preliminary steps:

• Assemble the HACCP team (multidisciplinary: production, quality, engineering, purchasing, logistics)
• Describe products and intended use — including vulnerable consumer populations (infants, immunocompromised, elderly)
• Construct and verify the process flow diagram — covering every process step, input, output, rework loop, and interface
• Confirm the flow diagram on-site (walk the process)

Step 2 — Hazard analysis (HACCP Principle 1):

• For each process step: identify all potential biological (pathogens, toxins), chemical (pesticides, allergens, cleaning agents, processing contaminants), physical (metal, glass, bone, plastic), and radiological hazards
• Evaluate each hazard for: severity (impact on consumer health) and likelihood (probability of occurrence without controls)
• Determine which hazards are "significant" — requiring control at a CCP or OPRP

Step 3 — Select control measures and classify as CCP or OPRP:

• CCP (Critical Control Point): A step where a control measure can be applied and is essential to prevent, eliminate, or reduce a significant hazard to an acceptable level. Has a measurable critical limit. Metal detection at final packing, pasteurisation temperature/time, pH control are classic examples.
• OPRP (Operational PRP): Controls a significant hazard but may not have a critical limit in the traditional HACCP sense — controlled through action criteria and monitoring. Allergen segregation, chilled storage temperature, incoming material inspection are typical OPRPs.

Steps 4–7 — CCP/OPRP control plans:

• Set critical limits (CCPs) or action criteria (OPRPs)
• Establish monitoring procedures, frequency, and responsibilities
• Define corrective actions and who decides product disposition when a deviation occurs
• Establish verification procedures to confirm controls are effective
• Maintain records as evidence (HACCP Principle 7)

PrecisionTech facilitates the full HACCP study with your team — ensuring the hazard analysis is product- and process-specific, justifications are documented, and the CCP/OPRP decision is defensible to a certification body auditor.

The distinction between a Critical Control Point (CCP) and an Operational Prerequisite Programme (OPRP) is one of the most commonly misunderstood aspects of ISO 22000 — and one of the most scrutinised by certification body auditors. Getting this classification right is essential for a defensible HACCP study.

CCP (Critical Control Point):

• A step in the process where a control measure is applied and is essential to prevent, eliminate, or reduce a food safety hazard to an acceptable level
• Has a defined, measurable critical limit — the value at which the control measure must perform (e.g., pasteurisation at 72°C for 15 seconds; metal detector sensitivity of 2.5mm Fe)
• Deviation from the critical limit = potential unsafe food — product must be held and assessed; corrective action is mandatory
• Monitoring must be continuous or at a frequency sufficient to detect deviations before the product leaves control
• Examples: cooking/pasteurisation, metal detection, retort processing, water activity control, pH control

OPRP (Operational PRP):

• Controls a significant hazard that cannot be managed by the PRP infrastructure alone, but does not meet the full CCP criteria
• Has an action criterion rather than a critical limit — the criterion at which corrective action is taken to prevent the process from becoming out of control
• Deviation from action criterion = process becoming out of control, but product disposition is assessed based on the nature and extent of the deviation
• Monitoring may be less frequent than CCPs, and may involve visual checks or records rather than continuous measurement
• Examples: allergen changeover and cleaning verification, incoming raw material temperature, refrigerated storage temperature, supplier approval for high-risk ingredients

Decision factors (ISO 22000:2018 Annex B guidance):

• Is the hazard significant (high severity, likely to occur without this control)?
• Can the control measure be monitored in real time with a measurable parameter?
• Is there a critical limit that, if exceeded, indicates unsafe food?
• Is the step specifically designed to prevent, eliminate, or reduce the hazard?

If all answers are yes — CCP. If significant hazard but no measurable critical limit, or the control is broader — OPRP. Many organisations over-classify as CCPs, creating an unmanageable number of critical control points. Proper OPRP classification, where justified, simplifies the system without compromising safety.

ISO 22000:2018 Clause 8.9.4 requires the organisation to establish and implement a traceability system that enables identification of product lots and their relationship to raw materials, processing and delivery records. Traceability is both a legal requirement in many jurisdictions (Food Safety and Standards Act 2006 in India; EU Regulation 178/2002 for exports) and a critical food safety control — enabling targeted, fast recalls rather than broad market withdrawals.

What traceability must cover:

• Forward traceability (trace forward): From a raw material batch — which finished product lots were made using it? Where did those lots go (customer, distributor, retailer)?
• Backward traceability (trace back): From a finished product lot — which raw material batches were used? Which supplier supplied them? When were they received?
• Process records linkage: Which process batch records, monitoring records, and CCP logs are associated with a given production lot?

Minimum traceability records typically required:

• Incoming material receiving records (lot/batch number, supplier, date, quantity)
• Production batch records linking input material lots to finished product lot codes
• Rework records (if rework is incorporated into production)
• Finished product distribution records (lot code, customer, dispatch date, quantity)
• CCP and OPRP monitoring records linked to production lot

Traceability testing (mock traceability exercises):

ISO 22000:2018 requires that traceability be verified — meaning you must periodically test the system to prove it works. Mock exercises should:

• Be conducted at planned intervals (at minimum annually; many certification bodies and customers expect twice annually)
• Test both forward and backward traceability
• Define a time target (e.g., "trace any lot within 4 hours")
• Document results including time taken, % of lot accounted for, any gaps identified
• Result in corrective action if the system fails to meet the defined performance target

Indian regulatory context: The Food Safety and Standards (Licensing and Registration of Food Business) Regulations under FSSAI require food business operators to maintain records for traceability. ISO 22000 traceability requirements align with and exceed FSSAI requirements.

PrecisionTech designs traceability systems appropriate to your production complexity — from simple lot-coding for single-product SMEs to multi-ingredient, multi-shift production environments with ERP integration.

Allergen management is one of the highest-risk food safety areas — undeclared allergens are a leading cause of food recalls worldwide, and allergic reactions can be life-threatening. ISO 22000:2018 requires allergen hazards to be identified in the hazard analysis and controlled through the FSMS.

The 14 major allergens (EU list — also reference for Indian export markets):

Cereals containing gluten (wheat, rye, barley, oats), crustaceans, eggs, fish, peanuts, soybeans, milk (and lactose), nuts (almonds, hazelnuts, walnuts, cashews, pecans, pistachios, macadamia nuts), celery, mustard, sesame seeds, sulphur dioxide / sulphites, lupin, molluscs.

India FSSAI allergen requirements: FSSAI Food Safety and Standards (Labelling and Display) Regulations 2020 require mandatory declaration of major allergens on packaged food labels.

What a compliant allergen management programme requires:

• Allergen risk assessment: Identify all allergens present in raw materials (including packaging materials, carriers, processing aids), assess cross-contact risks within the facility, and document the allergen matrix for all products
• Raw material specification management: Require suppliers to declare all allergens in supplied materials; update specifications when formulations change; verify allergen status of new suppliers
• Physical segregation: Separate storage, handling areas, and equipment for allergen-containing ingredients where feasible. Define traffic flow to prevent cross-contact.
• Scheduling controls: For shared production lines, run allergen-free products before allergen-containing products. Define the changeover protocol.
• Cleaning validation: Validate that cleaning procedures effectively remove allergen residues to acceptable levels. Use allergen-specific test kits (ELISA or lateral flow) to confirm cleaning effectiveness. Validate the cleaning procedure — not just verify individual cleanings.
• Labelling: Ensure all products are correctly labelled for allergen content and any "may contain" precautionary allergen labelling (PAL) is based on risk assessment — not applied as a blanket disclaimer.
• Visitor and contractor controls: Brief visitors and contractors on allergen policy; control outside food brought into production areas.
• Rework controls: Define rules for rework — which products can rework from which lots; ensure allergen status of rework is known and managed
• Training: Train all production staff, procurement staff, and QA team on allergen hazards, segregation requirements, and the consequences of cross-contact

PrecisionTech conducts allergen risk assessments, builds allergen matrices, designs cleaning validation protocols, and trains teams — addressing the full allergen management cycle within your FSMS.

ISO 22000:2018 Clause 8.9.5 requires organisations to establish documented withdrawal and recall procedures for products that have been identified as potentially unsafe after they have left the control of the organisation.

Withdrawal vs Recall — the distinction:

• Withdrawal: Removing products that have NOT yet reached the end consumer (e.g., still in distribution, at wholesaler, at retailer). Faster and less costly than a recall.
• Recall: Retrieving products that have already reached consumers. Requires consumer communication, media engagement, and regulatory notification. Higher reputational and cost impact.

What the recall procedure must cover:

• Trigger criteria — what situations initiate a withdrawal/recall (e.g., CCP deviation, complaint trend, regulatory alert, positive pathogen test)
• Recall team roles and responsibilities — who leads, who communicates with customers, who communicates with regulators (FSSAI in India), who manages the media
• Traceability integration — how to identify all affected lot codes within the defined time target
• Communication templates — customer notification, regulatory notification, public recall notice (if required)
• Regulatory notification requirements — FSSAI recall/withdrawal reporting obligations
• Product hold and disposition — how recalled/withdrawn product is stored, assessed, and disposed of or reworked
• Root cause investigation and corrective action — preventing recurrence
• Documentation requirements — all actions, quantities, destinations, disposal certificates

Mock recall/withdrawal exercises:

ISO 22000:2018 requires that recall and withdrawal procedures be periodically tested. A compliant mock exercise:

• Selects a specific product lot from a defined date in the past
• Tests backward traceability (to identify all raw material batches used) and forward traceability (to identify all distribution destinations)
• Calculates the % of the lot that can be accounted for (100% is the target)
• Times the exercise against a defined performance target (e.g., 4 hours to full traceability)
• Documents results, any gaps, and corrective actions
• Tests communication — are the recall team contacts current? Can the team reach each other outside working hours?

PrecisionTech facilitates mock recall exercises, assesses results against your defined performance targets, and raises corrective actions for any gaps found — ensuring your recall system will work in a real crisis.

Validation and verification are two concepts in ISO 22000:2018 that are frequently confused but serve fundamentally different purposes. Getting them right is critical — auditors specifically test whether organisations understand and have implemented both correctly.

Validation (ISO 22000:2018 Clause 8.5.3 / ISO 22004 guidance):

• What it is: Confirming that control measures (individually or in combination) are capable of achieving the intended control of the food safety hazard they are designed to address
• When it happens: Before implementation — or when significant changes are made to the process, product, or control measure
• Question it answers: "Is this control measure capable of controlling this hazard?" or "If we follow this cooking protocol, will it eliminate Listeria monocytogenes to an acceptable level?"
• Evidence: Scientific literature, mathematical modelling, challenge testing, supplier data, regulatory guidance, in-process studies
• Examples: Validating that cooking at 75°C internal temperature for 15 seconds achieves a 6-log reduction of Salmonella in your specific product matrix. Validating that your allergen cleaning procedure reduces peanut protein below 10ppm in a swab test. Validating that your metal detector at given sensitivity will detect the relevant contaminant in your product.

Verification (ISO 22000:2018 Clause 8.8):

• What it is: Confirming that the validated control measure is being implemented correctly and achieving its intended effect in ongoing operations
• When it happens: Routinely — at planned intervals during normal operations
• Question it answers: "Is this control measure working in practice, and do we have evidence it is being followed correctly?"
• Evidence: Review of CCP/OPRP monitoring records, calibration records, environmental monitoring results, product testing against specifications, internal audits, complaint trend analysis
• Examples: Reviewing CCP temperature records weekly to confirm critical limits are met. Calibrating the cooking oven thermometer monthly. Environmental pathogen testing quarterly. Allergen swab testing after allergen changeover cleaning.

Why the distinction matters:

• An organisation that has verification records (e.g., monitoring logs) but cannot demonstrate validation of the control measure has a major gap — the monitoring proves the process is running, but cannot prove the process would control the hazard even if the critical limit were met
• A CCP critical limit that is not validated (e.g., a cooking temperature set arbitrarily rather than based on scientific evidence) is not a defensible control measure

PrecisionTech ensures all CCPs and OPRPs have both validation evidence and verification plans — with validation studies documented to a standard that withstands auditor scrutiny.

ISO 22000:2018 uses the Annex SL 10-clause structure. Clauses 1–3 are informative. Clauses 4–10 are mandatory requirements:

Clause 4 — Context of the Organisation: Understand internal and external issues relevant to food safety (regulatory landscape, customer requirements, market conditions, technology, supply chain risks). Identify interested parties (regulators, customers, consumers, NGOs, suppliers) and their needs. Define FSMS scope — product categories, processes, sites, and supply chain boundaries.

Clause 5 — Leadership: Top management must actively lead the FSMS. Establish food safety policy and objectives. Assign roles — including a Food Safety Team Leader responsible for HACCP team activities and external communication. Ensure the organisation communicates the food safety importance to all staff.

Clause 6 — Planning: Address food safety risks at the strategic/business level (separate from operational hazard analysis). Define FSMS objectives with measurement plans. Plan changes to the FSMS in a controlled manner.

Clause 7 — Support: Provide resources. Ensure infrastructure (buildings, equipment, utilities) supports food safety. Ensure personnel are competent. Establish internal and external communication plans (including with regulators, customers, suppliers). Manage documented information.

Clause 8 — Operation: The core operational requirements — PRPs (8.2), Hazard Analysis (8.5.2), HACCP controls (CCPs: 8.5.4, OPRPs: 8.5.4), monitoring plans, control of monitoring and measuring equipment, verification activities (8.8), control of product and process nonconformities, withdrawal and recall (8.9.5). This is where the majority of FSMS implementation work lives.

Clause 9 — Performance Evaluation: Monitor and measure FSMS performance. Define food safety KPIs. Conduct internal FSMS audits. Management review covering all required inputs (objectives, KPIs, audit results, recall exercises, complaints, regulatory changes, external communication outcomes).

Clause 10 — Improvement: Nonconformity and corrective action — including root cause analysis and verification of corrective action effectiveness. Continual improvement of FSMS suitability, adequacy, and effectiveness. Update the FSMS when new hazards, regulatory requirements, or business changes occur.

ISO 22000:2018 distinguishes between "maintained" documented information (policies, procedures, plans — living documents kept current) and "retained" documented information (records — historical evidence of activities performed).

Key "maintained" documented information (procedures and plans):

• FSMS scope (Clause 4.3)
• Food safety policy (Clause 5.2)
• Roles and responsibilities (Clause 5.3)
• FSMS objectives (Clause 6.2)
• PRP documentation for each PRP area (Clause 8.2)
• HACCP study — flow diagram, product descriptions, hazard analysis, CCP/OPRP determination (Clause 8.5)
• CCP/OPRP control plan — critical limits/action criteria, monitoring method/frequency, corrective actions, responsibilities (Clause 8.5.4)
• Traceability system description (Clause 8.9.4)
• Withdrawal and recall procedure (Clause 8.9.5)
• Emergency preparedness and response (Clause 8.4.2)
• Internal audit programme (Clause 9.2)

Key "retained" documented information (records):

• Competence evidence — training records, qualifications (Clause 7.2)
• HACCP study review records — meeting minutes, change history (Clause 8.5.2)
• CCP and OPRP monitoring records — continuous evidence that control measures are operating within critical limits/action criteria (Clause 8.5.4)
• Corrective action records for CCP/OPRP deviations (Clause 8.9.3)
• Calibration and verification records for monitoring equipment (Clause 8.7)
• Validation evidence for control measures (Clause 8.5.3)
• Supplier evaluation and incoming material verification records (Clause 8.6)
• Traceability records — production batch records, distribution records, mock traceability exercise results (Clause 8.9.4)
• Mock recall/withdrawal exercise records (Clause 8.9.5)
• Internal audit records — programme, audit reports, NCRs, corrective action evidence (Clause 9.2)
• Management review records (Clause 9.3)
• Nonconformity and corrective action records (Clause 10.1)
• Customer complaint records and resolution (Clause 8.9.2)

PrecisionTech develops all required documented information — including templates and record-keeping systems tailored to your organisation — as part of the FSMS implementation.

ISO 22000:2018 has strong alignment with Indian food safety regulations — particularly the Food Safety and Standards Act (FSSA) 2006 and subordinate regulations issued by FSSAI (Food Safety and Standards Authority of India).

FSSAI regulatory alignment:

• FSSAI Schedule 4 (GMP/GHP requirements): The manufacturing, storage, and hygiene requirements in FSSAI Schedule 4 directly map to the PRP requirements in ISO 22000:2018. Implementing ISO 22000 PRPs per ISO/TS 22002-1 typically ensures Schedule 4 compliance simultaneously.
• FSSAI Food Safety Management Systems Regulations: FSSAI has been progressively requiring HACCP-based food safety management for licensed food businesses — aligning with the hazard analysis methodology at the core of ISO 22000.
• FSSAI Labelling Regulations: ISO 22000 traceability and allergen management requirements align with FSSAI Food Safety and Standards (Labelling and Display) Regulations 2020 — including mandatory allergen declaration requirements.
• Food Business Operator (FBO) License: ISO 22000 certification demonstrates a systematic approach to food safety that supports FSSAI high-risk license compliance requirements.

Export market alignment:

• Codex Alimentarius (international): ISO 22000 HACCP methodology is aligned with Codex Alimentarius General Principles of Food Hygiene — the international reference framework accepted in all food import markets
• EU Regulation 178/2002: Traceability requirements (one-step back, one-step forward as minimum) are a subset of ISO 22000 traceability requirements
• US FDA FSMA (Food Safety Modernisation Act): The Preventive Controls for Human Food rule aligns substantially with ISO 22000 — hazard analysis, preventive controls, monitoring, corrective actions, verification, and supply chain controls map directly
• APEDA (Agricultural and Processed Food Products Export Development Authority): Export of processed food products often requires buyers to have HACCP or ISO 22000 certification. APEDA-registered exporters benefit from ISO 22000 for buyer qualification.

FSSC 22000 (GFSI-recognised scheme): Some Indian export customers (particularly major EU, US, UK retailers) require GFSI-recognised certification. FSSC 22000 is built on ISO 22000:2018 with additional PRP requirements and scheme-specific additions. PrecisionTech can implement ISO 22000 as a foundation and then support the FSSC 22000 additional requirements for organisations targeting GFSI-recognised certification.

Food transport and cold chain logistics are explicitly within the ISO 22000:2018 scope — whether the transport company is seeking certification itself or a food manufacturer is managing outsourced logistics within its FSMS scope.

Transport and logistics requirements under ISO 22000:

• Temperature control (critical for chilled and frozen products): Define required storage and transport temperatures for each product category. Monitor and record temperatures throughout the cold chain — pre-cooling of vehicles, loading temperature, continuous monitoring during transport, unloading temperature verification. Define action criteria for temperature deviations (how long, how much above limit, product disposition decision process).
• Vehicle and container hygiene: Verify vehicles are clean, odour-free, pest-free, and dry before loading. Maintain cleaning and sanitising schedules for vehicles and loading equipment. Prevent cross-contamination from non-food cargo.
• Product integrity: Prevent physical damage to packaging (which could allow contamination). Use tamper-evident seals where required. Maintain segregation of different product categories (raw vs ready-to-eat; allergen-containing vs allergen-free).
• Traceability in transit: Maintain consignment documentation linking product lot codes to delivery destinations. Ensure goods can be recalled or redirected if a recall is initiated during transit.
• Driver training: Train drivers in food hygiene requirements, cold chain requirements, what to do if a temperature excursion occurs, and how to handle damaged goods.
• Outsourced transport controls: If transport is outsourced, the food manufacturer must include transport requirements in supplier/service provider contracts, qualify logistics providers, and verify performance (temperature records, audit rights).

Cold chain break management:

• Define what constitutes an acceptable cold chain break (duration, temperature, product type)
• Specify the decision process for product disposition following a documented cold chain excursion
• Maintain records of all temperature deviations and product disposition decisions

PrecisionTech has experience implementing ISO 22000 for food manufacturers with complex cold chain logistics operations — including contract cold storage, third-party distribution, and multi-temperature delivery networks.

ISO 22000:2018 is fully applicable to food service organisations — hotels, restaurants, caterers, institutional kitchens, cloud kitchens, airline catering, and hospital catering. The relevant PRP document is ISO/TS 22002-2 (Catering).

Food service-specific FSMS requirements and challenges:

Menu and product variety:

• Food service organisations have wide and frequently changing menus — the HACCP study must cover food categories (not individual recipes), with hazard profiles for each category (raw meat, ready-to-eat, bakery, cold desserts, etc.)
• Control measures must be clearly communicated to kitchen staff — CCPs in a restaurant context are typically cooking temperatures and cross-contamination prevention procedures

PRPs for catering (ISO/TS 22002-2 specific requirements):

• Kitchen layout — separation of raw and cooked food preparation areas
• Temperature control — refrigeration, hot holding, reheating requirements
• Personal hygiene — hand washing, illness reporting, exclusion from food handling if sick
• Cleaning and disinfection of food contact surfaces
• Allergen management — menu communication, cross-contact prevention during preparation
• Consumer special diets — management of requests for allergen-free meals or special dietary requirements

Key CCPs for food service:

• Cooking to safe internal temperature (core temperature verification for high-risk products)
• Chilling after cooking (rapid chilling within defined time-temperature criteria)
• Hot holding (maintained above 63°C continuously)
• Cold storage (maintained below 5°C)

Allergen communication:

• Mandatory allergen information must be available to consumers (FSSAI requirement for food service)
• Clear process for handling allergen-free orders — dedicated utensils, separate preparation, communication through service chain to kitchen

PrecisionTech has implemented ISO 22000 for catering and food service operations — including multi-site catering companies, hotel chains, and institutional kitchens — managing the challenges of menu variety, rapid staff turnover, and real-time allergen communication.

FSSC 22000 (Food Safety System Certification 22000) is a GFSI-recognised food safety certification scheme built on ISO 22000:2018 with additional requirements. It is owned and managed by the Foundation FSSC in the Netherlands.

Structure of FSSC 22000 Version 6 (current):

• ISO 22000:2018: The core food safety management system standard (all requirements fully apply)
• ISO/TS 22002-x: Sector-specific PRP documents (22002-1 for manufacturing, 22002-2 for catering, etc.) — mandatory and more prescriptive than ISO 22000 alone
• FSSC 22000 Additional Requirements: Scheme-specific requirements added on top of ISO 22000, including: food fraud vulnerability assessment, food defence threats, allergen labelling verification, product labelling review, environmental monitoring programme, supervision of personnel, management of allergens
• GFSI benchmarking: FSSC 22000 is benchmarked and recognised by GFSI — making it accepted by Walmart, Costco, Tesco, Carrefour, Metro, and hundreds of major food retailers worldwide

ISO 22000 vs FSSC 22000 — which to choose:

• ISO 22000 is sufficient when: Your customers require a recognised food safety management system but have not specified GFSI; when entering Indian domestic markets; when engaging with institutional buyers, government tenders, or hospitality chains that accept ISO 22000; for organisations not yet ready for the additional FSSC requirements
• FSSC 22000 is required when: You supply to major international retailers (EU/UK/US supermarket chains); when customers specifically require GFSI-recognised certification; when tendering for private label contracts with global FMCG companies; when exporting to markets where GFSI is the buying standard

Migration path: ISO 22000 → FSSC 22000 is well-established. If you implement ISO 22000 correctly (with ISO/TS 22002-1 PRPs and full hazard analysis), the additional FSSC requirements are a relatively small incremental step. PrecisionTech can plan your FSMS implementation with FSSC 22000 as the eventual target — even if you certify to ISO 22000 first.

While ISO 22000:2018 does not explicitly require a formal food fraud vulnerability assessment, it does require organisations to identify hazards from all relevant sources — including intentional adulteration for economic motivation. FSSC 22000 V6 makes food fraud and food defence explicit additional requirements.

Food Fraud (Economically Motivated Adulteration — EMA):

• Definition: Deliberate substitution, addition, tampering, or misrepresentation of food, ingredients, or packaging for economic gain — motivated by financial benefit rather than intent to harm (though harm may result)
• Indian examples: Adulteration of milk with urea, formalin, or synthetic milk; honey adulteration with sugar syrup; spice adulteration with artificial dyes (Sudan red in chilli powder); edible oil adulteration; counterfeit branded products
• Vulnerability assessment: Assess each raw material and ingredient for fraud vulnerability (economic incentive, historical precedent, detection difficulty, supply chain complexity, geographic risk). Prioritise higher-risk materials for enhanced supplier verification (e.g., additional testing, supplier audits, authenticity testing)

Food Defence (intentional adulteration with intent to cause harm):

• Definition: Intentional contamination of food with physical, chemical, biological, or radiological agents by disgruntled employees, terrorists, or activists — intended to cause harm to consumers or the organisation
• Food defence assessment (TACCP — Threat Assessment Critical Control Point): Identify vulnerable points in the production process where intentional contamination is most feasible. Assess access controls, CCTV, visitor management, raw material security, and employee security awareness
• Control measures: Physical access restrictions to production areas; employee vetting; anomaly monitoring; secure storage of hazardous chemicals; restricted access to water supply, utilities, and storage areas

FSSAI context: FSSAI has been strengthening food adulteration controls — the FSSAI food safety regulations explicitly prohibit adulteration (FSSI Act 2006, Section 3(1)(a)). ISO 22000 implementation with food fraud vulnerability assessment supports FSSAI compliance and demonstrates due diligence in cases of food safety incidents.

PrecisionTech facilitates food fraud vulnerability assessments (VACCP) and food defence threat assessments (TACCP) as part of a comprehensive FSMS — particularly valuable for export-oriented food manufacturers targeting GFSI recognition via FSSC 22000.

Understanding common non-conformities helps organisations focus their preparation and avoid the most frequent certification blockers. Patterns across ISO 22000:2018 certification audits in India and globally reveal consistent problem areas:

Stage-1 (documentation review) common major non-conformities:

• Incomplete or generic hazard analysis: Hazard analysis that does not cover all products and process steps in scope; hazards identified generically without reference to your specific raw materials, process conditions, and customer base; significance assessment not justified with criteria
• CCP/OPRP rationale not documented: CCP decision made without reference to a decision tree or documented criteria; auditor cannot see why a step was or was not classified as a CCP
• Critical limits not validated: CCP critical limits set without validation evidence — auditor asks "how do you know this temperature/time combination eliminates the hazard in your product?" and the answer is not documented
• PRP documentation gaps: PRPs mentioned but not fully documented against ISO/TS 22002 requirements; no monitoring procedures or records specified for PRP areas
• Missing traceability procedure: Traceability described generically but no written procedure specifying how tracing is done, who is responsible, and what the performance target is
• Allergen management not in hazard analysis: Allergens present in raw materials but not assessed as hazards in the hazard analysis

Stage-2 (implementation) common major non-conformities:

• CCP monitoring records incomplete or not timely: CCP records exist but are not filled in at the time of monitoring — evidence suggests retrospective completion. Critical limits exceeded with no documented corrective action.
• PRPs not fully implemented: Document says cleaning schedule is daily; records show weekly. Pest control traps on plan but not maintained or recorded. Drainage blocked; premises not matching PRP standard.
• Allergen cross-contact not controlled: Allergen changeover cleaning procedure exists but has never been validated. Allergen matrix not up to date with current formulations. Staff unaware of allergen segregation requirements.
• Traceability mock exercise not conducted: Or conducted but result is incomplete — cannot account for 100% of the lot. Mock recall timing target not met.
• Corrective actions not root-cause based: CCP deviation documented but corrective action is "product held and assessed" without root cause investigation and systemic action to prevent recurrence.
• Equipment calibration overdue: CCP monitoring equipment (thermometers, metal detectors, checkweighers) not calibrated on schedule; records show gaps.

ISO 22000:2018 is built on the Annex SL high-level structure — the same framework used by ISO 9001:2015 (Quality Management), ISO 14001:2015 (Environmental Management), ISO 45001:2018 (Occupational Health and Safety), and ISO 27001:2022 (Information Security). This common structure enables powerful integration.

Shared processes in an Integrated Management System (IMS):

• Documented information management: One document control procedure covers policies, procedures, and records for ISO 9001, ISO 22000, ISO 14001, and ISO 45001 — rather than four separate systems
• Internal audit: One integrated audit programme, one set of trained internal auditors conducting combined system audits — reducing audit burden significantly
• Management review: One combined management review covers quality performance, food safety performance, environmental performance, and OH&S performance — one agenda, one set of documented outputs
• CAPA (Corrective and Preventive Action): One CAPA procedure handles non-conformities from all management systems
• Risk and opportunity management: Integrated risk register at the strategic level covers business risks for quality, food safety, environment, and safety — with system-specific risk assessment (HACCP for food safety, environmental aspect/impact for ISO 14001) handled at the operational level
• Competence and training: Combined training needs analysis and training records system
• Context and interested parties: Shared analysis of organisational context — with system-specific interested parties added for each standard

Benefits of IMS for Indian food companies:

• Single set of management system documentation — lower maintenance burden
• Fewer audits — combined certification audits are typically more efficient than separate audits
• Consistent messaging to staff — one management system, not three or four "different things the QA department does"
• Cost efficiency — combined certification body fees are lower than three separate certifications
• ISO 9001 supports customer satisfaction, product quality specifications, and complaint management — natural complement to ISO 22000 food safety controls
• ISO 14001 is increasingly required by export customers and by Indian regulatory frameworks for food manufacturers (waste management, wastewater discharge, hazardous chemical handling)

PrecisionTech designs and implements Integrated Management Systems — implementing ISO 22000 as a standalone standard or as part of a combined ISO 9001 + ISO 22000 or ISO 9001 + ISO 22000 + ISO 14001 IMS, typically certified in combined audits with a single NABCB-accredited certification body.

ISO 22000:2018 Clause 9.3 requires top management to conduct reviews of the organisation's FSMS at planned intervals to ensure its continuing suitability, adequacy, effectiveness, and alignment with the strategic direction of the organisation. Management review is one of the most commonly observed areas in certification audits — auditors want evidence that top management is genuinely engaged with FSMS performance, not just a passive audience for a QA presentation.

Required management review inputs (what must be reported to top management):

• Status of actions from previous management reviews — are they completed? Effective?
• Changes in external and internal issues relevant to food safety — regulatory changes, new hazards, market changes, infrastructure changes, supply chain changes
• Information on FSMS performance and effectiveness (including food safety KPIs, trends)
• Results of internal FSMS audits and assessments (by external parties including certification body)
• Performance of external providers (suppliers, logistics, co-packers) — complaints, issues, audit findings
• Customer feedback and complaints — trend analysis by category and severity
• Status of corrective actions, nonconformities, and recall/withdrawal events
• Adequacy of resources for FSMS operation
• Emergency situations or incidents affecting food safety since last review
• Review of the food safety policy — is it still appropriate?
• Opportunities for improvement

Required management review outputs (decisions and actions):

• Decisions on continual improvement opportunities
• Resource needs — additional equipment, personnel, training, infrastructure
• Revisions to the FSMS — policy updates, objective changes, procedure changes
• Updates to FSMS scope if business has changed
• Specific corrective actions assigned with owners and timelines

Documentation requirements: Evidence of management review (meeting minutes with attendance, date, agenda, discussion summary, all required inputs addressed, decisions and action owners documented) must be retained.

PrecisionTech facilitates management reviews — preparing the review pack, managing the agenda to ensure all required inputs are covered, and documenting outputs in audit-ready format.

ISO 22000:2018 Clause 9.1 requires organisations to monitor, measure, analyse, and evaluate FSMS performance. Effective KPIs provide early warning of FSMS deterioration, demonstrate objective evidence of system performance to auditors, and enable data-driven management review decisions.

Key FSMS KPI categories and examples:

Hazard control effectiveness:

• CCP deviation rate (number of critical limit exceedances per month / per shift / per 1,000 units)
• OPRP action criterion breach rate
• Product rejections from CCP/OPRP deviation as % of total production
• Metal detector challenge test pass rate (quarterly)

Microbiological and chemical safety:

• % product batches meeting microbiological specification at release
• Environmental monitoring positive results trend (Listeria, Salmonella, Enterobacteriaceae)
• Pesticide residue compliance rate on incoming produce (where applicable)
• Allergen swab test results post-changeover cleaning (ppm of allergen protein)

PRP and GMP performance:

• Internal hygiene inspection scores by area (weekly/monthly)
• Pest activity findings per inspection (traps, bait stations)
• Cleaning schedule compliance rate (% of planned cleans completed on time)
• Equipment calibration compliance rate (% of instruments calibrated on schedule)

Traceability and recall readiness:

• Mock traceability exercise results — % of lot accounted for; time to complete trace
• Mock recall exercise completion time vs target
• Batch record completeness rate at production close

Supply chain performance:

• Supplier non-conformance rate per incoming material category
• % incoming material lots accepted without deviation
• Supplier audit completion rate vs programme
• Certificate of Analysis (COA) received on time rate

Customer and regulatory feedback:

• Food safety-related customer complaint rate (per million units or per quarter)
• % complaints investigated within defined SLA
• FSSAI inspection findings — critical vs major vs minor
• Regulatory non-compliance incidents per year

Competence and training:

• Food safety training completion rate vs programme (% of personnel trained on schedule)
• HACCP team training currency (when were team members last trained?)
• New employee food safety induction completion rate within first week

PrecisionTech designs a KPI dashboard that is realistic for your organisation's size and resources — tracking the metrics that genuinely indicate FSMS health rather than generating meaningless paper trails.

ISO 22000:2018 explicitly includes primary production (farming, horticulture, aquaculture, livestock rearing) within its scope. The relevant sector-specific PRP document is ISO/TS 22002-3 (Farming). Primary production environments have distinct hazard profiles and control measure approaches compared to food processing facilities.

Key hazards at primary production level:

• Biological: Pathogenic microorganisms (Salmonella in poultry/eggs, E. coli O157:H7 in cattle/leafy vegetables, Listeria in dairy, Campylobacter in poultry), parasites, zoonotic diseases
• Chemical: Pesticide and herbicide residues, veterinary medicine residues (maximum residue levels — MRLs), mycotoxins (aflatoxin in groundnuts, maize; ochratoxin in wheat; deoxynivalenol in cereals), heavy metals from contaminated soil or irrigation water
• Physical: Field debris (stones, glass, metal fragments from machinery), pest contamination

PRPs for farming (ISO/TS 22002-3 specific areas):

• Land and site management — history of prior use, soil contamination assessment
• Water management — irrigation water quality testing (microbiological and chemical), water source protection
• Pesticide, herbicide, fertiliser management — approved products, pre-harvest intervals, application records, MRL compliance
• Veterinary medicine management — withdrawal periods, treatment records, residue testing
• Equipment maintenance and hygiene — harvest machinery, storage containers
• Worker hygiene — field toilet facilities, hand washing, health monitoring
• Storage conditions — temperature, humidity, mycotoxin risk management
• Pest management (both agricultural pests and food safety pests)

CCP examples at primary production:

• Pre-harvest interval compliance for regulated pesticides (where MRL exceedance is a significant hazard)
• Water quality monitoring for produce irrigated with surface water (biological hazard)
• Post-harvest chemical treatment application (fumigation, wax treatment)

Indian context: For Indian agricultural exporters (spices, fresh produce, seafood, tea, coffee, nuts), ISO 22000 at primary production level supports compliance with EU MRL requirements, US FDA FSMA Produce Safety Rule (for US exports), and APEDA/EIC inspection requirements.

The ISO 22000:2018 certification timeline depends on four key variables: (1) scope and product complexity, (2) current food safety maturity, (3) team availability and engagement, and (4) certification body scheduling. Realistic ranges for Indian food companies:

Small food businesses (single product, single site, SME):

• Starting from low maturity (no formal HACCP): 4–6 months to Stage-2 audit
• Existing informal HACCP or GMP practices: 3–5 months

Medium food processors (multi-product, single or dual site):

• Starting from low maturity: 6–10 months
• FSSAI compliant with documented GMP: 4–7 months

Complex food manufacturers (multi-product, multi-site, multiple hazard categories, export markets):

• 8–18 months depending on scope complexity, regulatory environment, and team capacity

What drives the timeline for food companies specifically:

• Hazard analysis scope: The HACCP study must cover every product family and every process step — for a multi-product manufacturer this is the most time-intensive phase
• PRP infrastructure gaps: If the physical premises need improvement (drainage, pest-proofing, equipment hygiene, separate allergen areas) — construction or modification timelines extend the project
• Validation requirements: CCP validation takes time — particularly if in-house challenge testing is needed rather than available literature
• Training delivery: All production, quality, and procurement staff must be trained before the certification audit
• Mock exercises: At least one mock traceability and one mock recall exercise must be completed and documented before Stage-2
• FSMS operational period: Most certification bodies require a minimum 3-month FSMS operation period with records before Stage-2, including at least one internal audit cycle and one management review
• Certification body scheduling: NABCB-accredited bodies typically have 4–8 week lead times for audit scheduling in peak periods

Common delays specific to Indian food companies:

• Physical PRP gaps requiring premises modification (more common in older facilities)
• Allergen management not previously formalised — building the programme from scratch
• Traceability system relying on manual lot-coding — designing and implementing a systematic approach
• High staff turnover in production — training completion timing

PrecisionTech creates a realistic milestone-based project plan at the project start — with clear owner, timeline, and completion criteria for every deliverable — and actively manages progress to maintain the certification schedule.

ISO 22000:2018 certification costs in India comprise two components: consulting fees (PrecisionTech's engagement) and certification body fees (the accredited body conducting the audit). Both are variable and depend on your specific context.

Factors that drive consulting cost:

• Organisation size (number of production staff, shift structure)
• Product complexity and number of product categories in scope
• Number of sites in scope
• Hazard profile — more complex hazards (allergens, ready-to-eat products, temperature-sensitive products) require deeper HACCP work
• Current FSMS maturity (FSSAI compliant with documented GMP vs minimal food safety controls in place)
• PRP infrastructure gaps requiring design assistance
• Whether allergen management or food fraud vulnerability assessment is required
• Cold chain complexity (if applicable)

Typical consulting fee ranges (India, 2025):

• Small food business (1 product, up to 20 production staff, single site): ₹20,000–₹60,000
• SME food processor (2–5 product categories, 20–100 production staff): ₹60,000–₹2,00,000
• Medium food manufacturer (multi-product, 100–500 staff, 1–2 sites): ₹2,00,000–₹6,00,000
• Complex / export-oriented / multi-site: ₹6,00,000+

Certification body fees (NABCB-accredited bodies):

• Driven by audit man-days — determined by IAF MD 11 for food safety management systems
• Man-days based on number of employees, product risk, and site complexity
• Typically ranges from ₹45,000–₹1,50,000 for initial certification (Stage-1 + Stage-2) for small to medium food companies
• Annual surveillance: approximately 50–60% of initial certification cost

Warning — beware of very low-cost ISO 22000 "packages":

• Certificates from non-accredited bodies (not in IAF CertSearch, not NABCB-accredited) are rejected by major Indian corporate buyers, export authorities, and government procurement
• A generic HACCP study generated from a template without analysing your actual products and processes will fail Stage-2 audit — wasting all consulting and certification body fees invested

PrecisionTech works exclusively with NABCB/IAF-accredited certification bodies and builds HACCP studies specific to your actual products and processes — not generic templates.