FSSC 22000 v6: ISO 22000 Plus the Things Auditors Actually Score You On

FSSC 22000 is the GFSI-recognised food safety management certification scheme used by most multinational food brands as their supplier baseline. Version 6 of the scheme (effective April 2024 for audits) sharpened the additional FSSC requirements on food safety culture, quality control, food loss and waste, equipment management, and PRP (prerequisite programme) verification. This guide walks through the three pillars of the scheme — ISO 22000, the sector-specific PRPs (ISO/TS 22002 family or equivalent), and the additional FSSC requirements — and lays out a practical path from gap assessment to certification. It is written for food safety managers, plant directors, QA leads, and supplier-quality teams at food manufacturers, packagers, animal-feed producers, and food-service operators.

How FSSC 22000 is structured

FSSC 22000 combines three parts. First, ISO 22000:2018, the food safety management system standard built on the High Level Structure and incorporating HACCP and FSMA-style risk-based thinking. Second, a sector-specific PRP standard: ISO/TS 22002-1 for food manufacturing, 22002-2 for catering, 22002-4 for food packaging, 22002-6 for feed, plus PAS standards for sectors not yet covered. Third, the additional FSSC requirements, which are scheme-specific and updated with each version. All three are audited in a single audit. Companies that treat FSSC as 'ISO 22000 plus a few extras' undervalue the additional requirements, which are exactly where v6 raised the bar.

ISO 22000: HACCP inside an HLS-compliant management system

ISO 22000:2018 wraps HACCP in the High Level Structure used across ISO management-system standards (context, leadership, planning, support, operation, performance evaluation, improvement). The food-specific operational clauses (clause 8) cover the PRPs, the traceability system, emergency preparedness, hazard control, and verification. The HACCP plan sits inside clause 8.5 with hazard analysis, CCP determination, monitoring, corrective action, and validation/verification — but the surrounding HLS clauses are where most pre-FSSC HACCP implementations are weakest, because they were never built around top-management commitment, structured planning, or measurable performance indicators.

The ISO/TS 22002 sector PRPs

The sector PRP standards prescribe the operational prerequisite programmes the HACCP plan assumes — construction and layout, utilities, waste management, equipment suitability, cleaning and sanitation, pest control, personnel hygiene, recall procedures, warehousing, product information, and food defense. For ISO/TS 22002-1 (food manufacturing), every PRP must be implemented, monitored, and verified — the audit isn't satisfied by 'we have an SOP'. The recurring finding is a PRP implemented in the SOPs but with no documented monitoring schedule or verification frequency. Build each PRP as a workflow with frequency, owner, evidence, and verification — not as a procedure waiting to be inspected.

The FSSC additional requirements (v6 highlights)

FSSC v6 strengthened several additional requirements. Food safety and quality culture: documented objectives, plans, and measurable indicators reviewed by top management. Quality control: documented quality parameters consistent with the food safety system. Food loss and waste: an organisational strategy to reduce food loss in operations and along the supply chain. Equipment management: a change-management process for new equipment, including hygienic design considerations. Environmental monitoring: a programme appropriate to the products and production environment, with documented verification. PRP verification: scheduled verification of PRP effectiveness on a defined cadence. These are the additional requirements that audit findings most frequently cite; companies that treat them as box-ticks collect minor non-conformities by the handful.

Supplier and outsourced process control

ISO 22000 clause 7.1.6 and the FSSC additional requirements together demand a documented supplier approval and verification process proportionate to the food safety risk of each ingredient, packaging material, and outsourced process. The expected evidence: a risk-tiered Approved Supplier List, supplier evaluation records, supplier verification activities (audit, COA review, on-receipt testing) appropriate to the risk tier, and change-management when a supplier is changed or substituted. FSSC also requires controls over services that can impact food safety (pest control, laundry, lab testing, transport, cleaning) with documented agreements and verification — services are a top blind spot.

Internal audit, management review, and corrective action

Clause 9 (performance evaluation) and clause 10 (improvement) close the loop. Internal audits must cover the full FSMS at a planned interval, with auditor independence and competence documented. Management review must consider the inputs ISO 22000 specifies (audit results, monitoring data, supplier performance, customer feedback, KPI trends, opportunities for improvement) and produce documented decisions on changes to the FSMS, resource needs, and continual improvement actions. Corrective actions following non-conformities (internal audit, supplier non-conformance, customer complaint, deviation) must include root cause analysis, action verification, and an effectiveness check.

A 6-month certification path

Months 1 to 2: gap assessment against ISO 22000, the applicable ISO/TS 22002 PRP standard, and the FSSC v6 additional requirements; identify documentation, monitoring and verification gaps. Month 3: close documentation gaps, build the PRP workflows, implement the additional-requirements workflows (culture KPIs, food loss tracking, equipment change management, environmental monitoring). Month 4: run internal audits and the first management review with real data; close findings. Month 5: stage 1 audit (documentation review) with the certification body, close minor findings. Month 6: stage 2 audit (on-site implementation review). Expect minor non-conformities; the certification body cares about the response, not the absence of findings.

Frequently asked

How does FSSC 22000 differ from SQF and BRCGS?
All three are GFSI-recognised schemes. FSSC is built on ISO 22000 plus sector PRPs and additional requirements; SQF (Safe Quality Food) is a standalone code maintained by FMI; BRCGS (formerly BRC) is a prescriptive standard with detailed clause-by-clause requirements. Most multinational brands accept any of the three. The practical choice usually comes down to customer requirements, regional prevalence, and whether your operations are already mature in ISO-style management systems (favours FSSC) or you prefer a more prescriptive standard (favours BRCGS).

Is FSSC 22000 enough to satisfy FSMA Preventive Controls?
Not automatically: they overlap heavily but are governed by different bodies. A facility certified to FSSC 22000 will typically have most of the documentation, hazard analysis, monitoring, and supply-chain evidence FSMA Preventive Controls requires, but the FDA inspection still looks for the specific 21 CFR 117 deliverables (written food safety plan, PCQI signature, FDA-recognised hazard categories). The smart architecture builds both on shared master data with explicit cross-references.

Do we need an environmental monitoring programme under FSSC v6?
Yes. The additional requirements call for an environmental monitoring programme appropriate to the products and production environment. The scope, frequency, and methodology must be risk-justified, the results trended, and corrective action taken on positive findings. For ready-to-eat and pathogen-sensitive products, the programme is non-negotiable; for low-risk products, a scaled-down programme with documented rationale is acceptable.

How often do FSSC v6 audits happen?
After initial certification, surveillance audits are annual. The scheme also requires at least one unannounced audit within each three-year certification cycle, typically the second surveillance audit. Recertification (a full-scope audit) occurs every three years. Plan resource availability for surveillance and unannounced audits as part of the QMS calendar.
