Instant downloadAuditor-writtenSecure Stripe checkout
ISO 22000 Certification Process: Best Guide 2026 — ISO Toolkits

ISO 22000 Certification Process: Best Guide 2026

The ISO 22000 certification process is the structured route an organisation follows to prove that its food safety management system (FSMS) meets the requirements of ISO 22000:2018 and to earn independent certification from an accredited body. Whether you are a grower, processor, packer, transporter, retailer or a supplier of ingredients and equipment, this guide walks through what to expect, how long it takes, and how to prepare.

ISO 22000:2018 is the current version of the international FSMS standard. It follows the Harmonized Structure (the common high-level format shared across modern ISO management-system standards), integrates HACCP principles with prerequisite programmes (PRPs) and operational PRPs, and emphasises interactive communication along the food chain alongside overall system management. Because it applies to any organisation in the food chain, the certification journey scales from small operators to multinational manufacturers.

Overview of the ISO 22000 certification process

At a high level, the ISO 22000 certification process moves from building the management system, to running it, to proving its effectiveness through an independent audit. Certification is issued by a third-party certification body, not by ISO itself. Always verify the current version of the standard and confirm your chosen certification body is accredited by a recognised national accreditation body.

The stages below are typical. Timelines vary widely with organisation size, scope and existing food safety maturity, so treat any duration as approximate.

StageWhat happensTypical focus
1. Gap analysisCompare current practices against ISO 22000:2018Identify missing PRPs, HACCP gaps, documentation needs
2. Planning & scopeDefine FSMS scope, products, sites and food safety teamContext, leadership commitment, resources
3. System buildDevelop policies, PRPs, hazard analysis and OPRPs/CCPsDocumented information, controls, monitoring
4. ImplementationOperate the FSMS and generate recordsTraining, monitoring, verification
5. Internal audit & management reviewCheck the system before external auditNonconformity correction, continual improvement
6. Stage 1 auditCertification body reviews readiness and documentationDesign adequacy, scope confirmation
7. Stage 2 auditOn-site assessment of implementation and effectivenessEvidence, records, conformity
8. Certification decisionBody issues certificate if requirements are metCorrective actions closed out
9. Surveillance & recertificationPeriodic audits maintain the certificateOngoing conformity and improvement

Gap analysis and planning

Start by mapping your existing controls against the standard. A gap analysis reveals whether your prerequisite programmes, hazard analysis and documented information are adequate, or whether they need reworking. This early diagnostic keeps the rest of the ISO 22000 certification process focused and avoids surprises at the external audit.

Building and implementing the FSMS

Next, define the scope, establish leadership commitment, and appoint a competent food safety team. Develop your PRPs, conduct hazard analysis, and determine which hazards are managed by operational PRPs and which by critical control points. Implementation means actually running these controls and collecting the monitoring and verification records that auditors will later examine.

Internal audit and management review

Before inviting a certification body, run at least one full internal audit cycle and hold a management review. These confirm the FSMS is working, surface nonconformities while there is still time to correct them, and demonstrate the continual improvement that ISO 22000:2018 expects.

The two-stage certification audit

Accredited certification typically involves a two-stage audit. Stage 1 is largely a readiness and documentation review: the auditor confirms your scope, checks that the FSMS is designed correctly, and identifies areas to address before Stage 2. Stage 2 is the main on-site assessment, where the auditor gathers objective evidence that your system is implemented and effective in practice.

If nonconformities are raised, you correct them and provide evidence of corrective action. Once the certification body is satisfied, it makes the certification decision and issues the certificate. After that, periodic surveillance audits and a recertification audit (approximately every three years, but verify with your certification body) keep the certificate valid.

ISO 22000 versus FSSC 22000

Organisations targeting a scheme recognised by the Global Food Safety Initiative (GFSI) often ask about FSSC 22000. It is a separate certification scheme built on ISO 22000, adding sector-specific prerequisite programmes and additional scheme requirements. Choosing between them depends on customer and market expectations.

AspectISO 22000:2018FSSC 22000
TypeInternational FSMS standardCertification scheme built on ISO 22000
GFSI recognitionNot GFSI-recognised on its ownGFSI-recognised
Additional PRPsGeneral PRP requirementsSector-specific technical PRPs
Extra requirementsStandard requirements onlyAdditional scheme requirements

For authoritative detail on the standard itself, see the official ISO page: ISO 22000 Food Safety Management.

How to prepare and reduce risk

  • Secure genuine leadership commitment and adequate resources early.
  • Build robust prerequisite programmes before refining HACCP-based controls.
  • Keep documented information proportionate but complete and current.
  • Train the food safety team and operators so records reflect real practice.
  • Run internal audits and management review well before Stage 1.
  • Choose an accredited certification body appropriate to your sector.

Frequently asked questions

How long does the ISO 22000 certification process take?

It varies with size, scope and food safety maturity. Many organisations take several months to build and implement the FSMS before the audit, but treat any figure as approximate and plan around your own readiness rather than a fixed timeline.

Does ISO issue the certificate?

No. ISO publishes the standard, but certification is granted by an independent certification body, ideally one accredited by a recognised national accreditation body. Accreditation adds credibility to the certificate.

Do I need HACCP before ISO 22000?

ISO 22000:2018 integrates HACCP principles within the FSMS, so a separate prior HACCP certificate is not required. However, sound hazard analysis and prerequisite programmes are essential foundations for a successful audit.

Is FSSC 22000 the same as ISO 22000?

No. FSSC 22000 is a separate GFSI-recognised scheme built on ISO 22000 plus sector-specific PRPs and additional requirements. If your customers require GFSI recognition, FSSC 22000 may be the better route.

ISO 22000 certification process toolkit templates
The editable ISO 22000 Toolkit — FSMS policies, PRP, HACCP and audit templates.

Related guides

Ready to move faster? Our editable ISO 22000:2018 toolkit gives you ready-to-use policies, PRP and HACCP templates, and audit-ready documentation to accelerate every stage of the ISO 22000 certification process. Explore the ISO 22000 toolkit and start building your FSMS today.

Shopping Cart