The ISO 22000 certification process is the structured route an organisation follows to prove that its food safety management system (FSMS) meets the requirements of ISO 22000:2018 and to earn independent certification from an accredited body. Whether you are a grower, processor, packer, transporter, retailer or a supplier of ingredients and equipment, this guide walks through what to expect, how long it takes, and how to prepare.
ISO 22000:2018 is the current version of the international FSMS standard. It follows the Harmonized Structure (the common high-level format shared across modern ISO management-system standards), integrates HACCP principles with prerequisite programmes (PRPs) and operational PRPs, and emphasises interactive communication along the food chain alongside overall system management. Because it applies to any organisation in the food chain, the certification journey scales from small operators to multinational manufacturers.
Overview of the ISO 22000 certification process
At a high level, the ISO 22000 certification process moves from building the management system, to running it, to proving its effectiveness through an independent audit. Certification is issued by a third-party certification body, not by ISO itself. Always verify the current version of the standard and confirm your chosen certification body is accredited by a recognised national accreditation body.
The stages below are typical. Timelines vary widely with organisation size, scope and existing food safety maturity, so treat any duration as approximate.
| Stage | What happens | Typical focus |
|---|---|---|
| 1. Gap analysis | Compare current practices against ISO 22000:2018 | Identify missing PRPs, HACCP gaps, documentation needs |
| 2. Planning & scope | Define FSMS scope, products, sites and food safety team | Context, leadership commitment, resources |
| 3. System build | Develop policies, PRPs, hazard analysis and OPRPs/CCPs | Documented information, controls, monitoring |
| 4. Implementation | Operate the FSMS and generate records | Training, monitoring, verification |
| 5. Internal audit & management review | Check the system before external audit | Nonconformity correction, continual improvement |
| 6. Stage 1 audit | Certification body reviews readiness and documentation | Design adequacy, scope confirmation |
| 7. Stage 2 audit | On-site assessment of implementation and effectiveness | Evidence, records, conformity |
| 8. Certification decision | Body issues certificate if requirements are met | Corrective actions closed out |
| 9. Surveillance & recertification | Periodic audits maintain the certificate | Ongoing conformity and improvement |
Gap analysis and planning
Start by mapping your existing controls against the standard. A gap analysis reveals whether your prerequisite programmes, hazard analysis and documented information are adequate, or whether they need reworking. This early diagnostic keeps the rest of the ISO 22000 certification process focused and avoids surprises at the external audit.
Building and implementing the FSMS
Next, define the scope, establish leadership commitment, and appoint a competent food safety team. Develop your PRPs, conduct hazard analysis, and determine which hazards are managed by operational PRPs and which by critical control points. Implementation means actually running these controls and collecting the monitoring and verification records that auditors will later examine.
Internal audit and management review
Before inviting a certification body, run at least one full internal audit cycle and hold a management review. These confirm the FSMS is working, surface nonconformities while there is still time to correct them, and demonstrate the continual improvement that ISO 22000:2018 expects.
The two-stage certification audit
Accredited certification typically involves a two-stage audit. Stage 1 is largely a readiness and documentation review: the auditor confirms your scope, checks that the FSMS is designed correctly, and identifies areas to address before Stage 2. Stage 2 is the main on-site assessment, where the auditor gathers objective evidence that your system is implemented and effective in practice.
If nonconformities are raised, you correct them and provide evidence of corrective action. Once the certification body is satisfied, it makes the certification decision and issues the certificate. After that, periodic surveillance audits and a recertification audit (approximately every three years, but verify with your certification body) keep the certificate valid.
ISO 22000 versus FSSC 22000
Organisations targeting a scheme recognised by the Global Food Safety Initiative (GFSI) often ask about FSSC 22000. It is a separate certification scheme built on ISO 22000, adding sector-specific prerequisite programmes and additional scheme requirements. Choosing between them depends on customer and market expectations.
| Aspect | ISO 22000:2018 | FSSC 22000 |
|---|---|---|
| Type | International FSMS standard | Certification scheme built on ISO 22000 |
| GFSI recognition | Not GFSI-recognised on its own | GFSI-recognised |
| Additional PRPs | General PRP requirements | Sector-specific technical PRPs |
| Extra requirements | Standard requirements only | Additional scheme requirements |
For authoritative detail on the standard itself, see the official ISO page: ISO 22000 Food Safety Management.
How to prepare and reduce risk
- Secure genuine leadership commitment and adequate resources early.
- Build robust prerequisite programmes before refining HACCP-based controls.
- Keep documented information proportionate but complete and current.
- Train the food safety team and operators so records reflect real practice.
- Run internal audits and management review well before Stage 1.
- Choose an accredited certification body appropriate to your sector.
Frequently asked questions
How long does the ISO 22000 certification process take?
It varies with size, scope and food safety maturity. Many organisations take several months to build and implement the FSMS before the audit, but treat any figure as approximate and plan around your own readiness rather than a fixed timeline.
Does ISO issue the certificate?
No. ISO publishes the standard, but certification is granted by an independent certification body, ideally one accredited by a recognised national accreditation body. Accreditation adds credibility to the certificate.
Do I need HACCP before ISO 22000?
ISO 22000:2018 integrates HACCP principles within the FSMS, so a separate prior HACCP certificate is not required. However, sound hazard analysis and prerequisite programmes are essential foundations for a successful audit.
Is FSSC 22000 the same as ISO 22000?
No. FSSC 22000 is a separate GFSI-recognised scheme built on ISO 22000 plus sector-specific PRPs and additional requirements. If your customers require GFSI recognition, FSSC 22000 may be the better route.

Related guides
- ISO 22000 Food Safety Management System: A Complete Guide
- ISO 22000 Requirements Checklist for FSMS Readiness
- ISO 22000 and HACCP: How the Principles Fit Together
Ready to move faster? Our editable ISO 22000:2018 toolkit gives you ready-to-use policies, PRP and HACCP templates, and audit-ready documentation to accelerate every stage of the ISO 22000 certification process. Explore the ISO 22000 toolkit and start building your FSMS today.

