ISO 22000 food safety is the internationally recognised framework organisations use to build, run and certify a food safety management system (FSMS) that keeps products safe from farm to fork. The current version is ISO 22000:2018, and it applies to any organisation in the food chain, regardless of size or the product it handles. This guide explains what the standard covers, how it is structured, how it relates to HACCP and FSSC 22000, and how to move toward certification with confidence.
What is ISO 22000 food safety management?
ISO 22000 is the international standard that specifies the requirements for a food safety management system. It gives any organisation in the food chain a common language and a consistent method for identifying, controlling and reducing food safety hazards to acceptable levels before products reach the consumer.
The standard is deliberately generic. A grower, a packaging supplier, a transport company, a manufacturer, a retailer and a catering business can all use the same framework, tailoring the controls to their own processes and risks. That universality is one of the main reasons the standard is adopted across such a wide range of sectors.
You can read the official overview from the standard’s publisher at the International Organization for Standardization (ISO).
The four pillars of ISO 22000 food safety
ISO 22000 food safety rests on four interconnected elements. Each supports the others, and a gap in one usually weakens the whole system.
- Interactive communication — structured information flow up and down the food chain, and internally, so that hazards identified at one stage are controlled at the right stage.
- System management — a managed FSMS aligned with the wider quality and management framework of the organisation.
- Prerequisite programmes (PRPs) — the basic conditions and activities needed to maintain a hygienic environment, such as cleaning, pest control, maintenance and personnel hygiene.
- HACCP principles — hazard analysis and the application of critical control points to control significant hazards.
When these pillars work together, hazards are addressed by the most appropriate combination of PRPs, operational PRPs and critical control points rather than by any single mechanism.
How ISO 22000:2018 is structured
ISO 22000:2018 follows the Harmonized Structure (previously called the High Level Structure) shared by modern ISO management system standards such as ISO 9001 and ISO 14001. This common layout makes it far easier to integrate a food safety system with other management systems you may already operate.
Rather than memorising individual clause numbers, it is more useful to understand the flow of the standard. Always verify the current version and exact clause numbering against your copy of the standard, but the logic broadly runs as follows.
| Area | What it covers |
|---|---|
| Context of the organisation | Understanding internal and external issues, interested parties, and the scope of the FSMS. |
| Leadership | Top management commitment, food safety policy, and clear roles and responsibilities. |
| Planning | Actions to address risks and opportunities, and food safety objectives. |
| Support | Resources, competence, awareness, communication and documented information. |
| Operation | PRPs, hazard analysis, the hazard control plan (HACCP plan and operational PRPs), traceability and emergency preparedness. |
| Performance evaluation | Monitoring, measurement, internal audit and management review. |
| Improvement | Correction, corrective action and continual improvement of the FSMS. |
A distinctive feature of the 2018 revision is that it applies risk-based thinking at two levels: operational risk (food safety hazards, handled through HACCP and PRPs) and organisational risk (business-level risks and opportunities to the FSMS itself).
PRPs, operational PRPs and critical control points
One of the most valuable concepts in ISO 22000 is the way it distinguishes between three types of control. Getting this right is central to a defensible hazard control plan.
Prerequisite programmes (PRPs)
PRPs are the foundational hygiene and operational conditions that keep the working environment suitable for producing safe food. They are not targeted at a specific hazard but create the baseline on which everything else depends.
Operational PRPs (OPRPs)
Operational PRPs are identified through hazard analysis to control specific significant hazards. They are managed with defined action criteria and monitoring, and they sit between general PRPs and critical control points in terms of rigour.
Critical control points (CCPs)
CCPs are steps where control is essential to prevent, eliminate or reduce a significant hazard to an acceptable level, and where measurable critical limits apply. Cooking to a validated temperature is a classic example.
ISO 22000 and HACCP
HACCP is not replaced by ISO 22000 — it is embedded within it. The Codex Alimentarius HACCP principles form the backbone of the hazard analysis and hazard control planning inside the standard. ISO 22000 then wraps HACCP in a full management system, adding leadership, communication, competence, internal audit and continual improvement.
In practice this means an organisation with a mature HACCP plan already holds much of the technical core of an ISO 22000 system, but will need to build out the surrounding management elements to meet the full standard.
ISO 22000 vs FSSC 22000
ISO 22000 and FSSC 22000 are frequently confused, but they are not the same thing. ISO 22000 is a standard you can build a system around and certify against. FSSC 22000 is a separate, Global Food Safety Initiative (GFSI) recognised certification scheme that is built on ISO 22000 plus additional requirements.
| Aspect | ISO 22000:2018 | FSSC 22000 |
|---|---|---|
| Type | International management system standard | Certification scheme |
| Basis | Standalone FSMS requirements | ISO 22000 plus sector-specific PRPs and additional scheme requirements |
| GFSI recognition | Not itself GFSI-recognised | GFSI-recognised |
| Typical driver | Broad food chain applicability and integration | Customers or retailers requiring GFSI-benchmarked certification |
If your customers demand a GFSI-recognised certificate, FSSC 22000 is often the destination — but ISO 22000 is the foundation you build first.
Who should implement ISO 22000 food safety?
Because the standard is generic, it fits organisations at every link in the food chain, including primary producers, feed and ingredient suppliers, manufacturers, packaging and equipment providers, logistics and storage operators, retailers and food service businesses.
It suits organisations that want a structured, auditable way to demonstrate food safety to customers and regulators, those integrating food safety with existing ISO management systems, and those preparing a stepping stone toward a GFSI scheme such as FSSC 22000.
Benefits of certification
- A single, internationally understood framework recognised across borders and sectors.
- Stronger, evidence-based hazard control through combined PRPs, OPRPs and CCPs.
- Easier integration with ISO 9001 and other Harmonized Structure standards.
- Improved traceability, recall readiness and emergency preparedness.
- Greater customer and regulator confidence, and a credible route toward GFSI schemes.
How to get started
A typical implementation begins with a gap analysis against the standard, followed by defining the FSMS scope, securing leadership commitment, and building or refining PRPs. From there you conduct hazard analysis, develop the hazard control plan, document procedures, train your team, run internal audits and a management review, and then engage a certification body for the audit stages. Treat the timeline and effort as approximate — they vary with the size and complexity of your operation.
Frequently asked questions about ISO 22000 food safety
Is ISO 22000 mandatory?
No. ISO 22000 is a voluntary standard. However, customers, retailers or supply-chain partners may require certification as a condition of doing business, which can make it effectively compulsory in practice.
What is the current version of ISO 22000?
The current version is ISO 22000:2018. Standards are periodically reviewed and revised, so always verify the current version before relying on any specific edition or clause reference.
Does ISO 22000 include HACCP?
Yes. The Codex Alimentarius HACCP principles are integrated within ISO 22000 as the core of its hazard analysis and hazard control planning, wrapped inside a full management system.
Is ISO 22000 the same as FSSC 22000?
No. ISO 22000 is a management system standard, while FSSC 22000 is a separate GFSI-recognised certification scheme built on ISO 22000 plus sector-specific PRPs and additional requirements.
How long does certification take?
It varies widely with the size, complexity and starting maturity of the organisation. Rather than assume a fixed duration, plan for an approximate timeline that includes gap analysis, implementation, internal audit and the certification body’s audit stages.
Can small businesses achieve ISO 22000?
Yes. The standard is designed to be scalable, so smaller organisations can apply the same principles with proportionate documentation and controls suited to their operations.

Related guides
- ISO 22000 requirements checklist: every clause area to prepare
- The ISO 22000 certification process, step by step
- How HACCP fits inside ISO 22000
- ISO 22000 vs FSSC 22000: which do you need?
- Understanding prerequisite programmes (PRPs) and operational PRPs
Ready to build your food safety management system faster? Our editable ISO 22000:2018 toolkit gives you ready-to-adapt policies, procedures, hazard analysis templates and audit tools mapped to the standard. Explore the ISO 22000 toolkit and start your implementation with a proven head start.

