Guide
ISO 22000:2018: Food Safety Management on the High-Level Structure
ISO 22000:2018 is the international standard for food safety management systems applicable to any organisation in the food chain — primary production, processing, transport, storage, retail, food service, packaging, ingredients and animal feed. The 2018 revision realigned the standard to the High-Level Structure shared with ISO 9001 and ISO 14001, sharpened the PDCA frame at two levels (the management system PDCA and the operational HACCP PDCA), and clarified the relationship between PRPs, operational PRPs and CCPs. ISO 22000 sits underneath FSSC 22000 (the GFSI-recognised scheme that adds PRPs and additional requirements) and is widely used in business-to-business ingredient supply where retail-scheme certification is not required. This guide walks through the ten clauses, the two-level PDCA, the PRP / oPRP / CCP hierarchy, and a practical readiness path. It is written for food safety team leaders, QA managers, technical managers and operations at food chain organisations of any size pursuing or maintaining ISO 22000 certification.
Start free trial Free trial, no credit card, onboard in days, not months.
The High-Level Structure and the two-level PDCA
ISO 22000:2018 organises requirements across ten clauses (1-3 informational; 4-10 auditable) following the High-Level Structure, with two simultaneously running PDCA cycles. The outer PDCA covers the management system itself — Plan (clauses 4-7), Do (clause 8.1), Check (clause 9), Act (clause 10). The inner PDCA covers the operational HACCP / hazard control system within clause 8 — Plan (8.2 PRPs, 8.5 hazard analysis, 8.6 hazard control plan), Do (8.7 verification of PRPs, 8.8 product information, 8.9 control of monitoring and measurement), Check (8.9 again), Act (8.9 corrections, 8.10 nonconforming products and processes). Auditors test the two PDCAs in sequence — the management system PDCA in the opening, the operational PDCA in the floor walk.
Prerequisite Programmes, Operational PRPs and Critical Control Points
The 2018 revision clarified the three-tier control hierarchy. PRPs (clause 8.2) are the basic conditions and activities necessary to maintain a hygienic environment — cleaning, pest control, premises maintenance, water quality, personnel hygiene. Operational PRPs (oPRPs) are control measures applied to prevent or reduce a significant food safety hazard, identified by the hazard analysis as necessary, but not meeting the criteria for a CCP. CCPs (8.6) are control measures essential to prevent or reduce a significant hazard to an acceptable level, with critical limits, monitoring, corrections and corrective action. The misclassification of oPRPs as CCPs (or vice versa) is the most common 2025 finding under the 2018 revision — and the hazard analysis is where the classification must be justified.
Context, interested parties and the scope (clause 4)
Clause 4 requires the organisation to determine external and internal issues relevant to its purpose, the interested parties relevant to the FSMS and their requirements, and the scope of the FSMS. For food safety the interested parties typically include customers, regulators, consumers (where direct), employees, suppliers, certification bodies, and increasingly NGOs and the public on issues like allergens and traceability. The scope must include the products and services, the processes and the sites covered, and any exclusions justified. Sites that pass over clause 4 with a one-line scope statement and no documented analysis miss the structural opening the entire standard hangs on.
Emergency preparedness, withdrawal and recall (clauses 8.4 and 8.9.5)
Clause 8.4 (Emergency preparedness and response) requires the organisation to establish, implement and maintain procedures to manage potential emergency situations and incidents that can impact food safety — supply disruptions, energy or water outages, contamination events, pandemics. Clause 8.9.5 (Withdrawal/recall) requires the ability to withdraw or recall affected lot(s) of finished products that have been identified as not meeting the required food safety level, with documented procedures, designated personnel, communications plans, and periodic exercises. The recall exercise expectation is increasingly tested by auditors with a 'show me the last recall exercise' request — sites that performed a paper exercise without actual lot tracing get the finding immediately.
Validation, verification and improvement
Validation (8.5.3) confirms that the control measures (PRPs, oPRPs, CCPs) are capable of achieving the intended level of hazard control — done before implementation and after any change. Verification (8.8) confirms that the implemented control measures are operating as intended — monitoring data review, internal audit, sampling and testing. Improvement (clause 10) drives the system forward through nonconformity and corrective action, continual improvement, and updating the FSMS. The validation step is the one most sites skip — they have monitoring (verification) and they have corrective action (improvement) but the documented evidence that the control was scientifically capable of working in the first place is missing.
Integration with FSSC 22000 and with HACCP
FSSC 22000 (v6) is the GFSI-recognised scheme that takes ISO 22000:2018 plus sector-specific PRPs (ISO/TS 22002 series for the relevant sector) plus FSSC additional requirements (food safety culture, food defence, food fraud, environmental monitoring and others). A site holding ISO 22000 can move to FSSC 22000 by adding the PRP and FSSC layers without rebuilding the underlying management system. ISO 22000 itself includes HACCP within its operational clauses (8.5, 8.6) — it does not replace Codex HACCP, it incorporates it within the broader management-system frame. A site running Codex HACCP can move to ISO 22000 by wrapping the HACCP with the clauses 4-7 and 9-10 management-system requirements.
A 90-day readiness path
Days 1 to 15: gap assessment with priority on clauses 4 (context), 6 (planning, risks and opportunities), 8 (operation), 9.3 (management review); assess PRP / oPRP / CCP classification accuracy across all hazards; confirm recall exercise is current. Days 16 to 45: rebuild the hazard analysis with the 2018 hierarchy applied; refresh PRPs against the relevant ISO/TS 22002; validate control measures. Days 46 to 70: management system layer — context, interested parties, scope, risk-and-opportunities integration, management review template; internal audit covering all clauses. Days 71 to 90: management review; mock certification audit; recall exercise; pre-audit logistics.
Where this lives in V5 Ultimate
The clauses above aren't theoretical — every one maps to a shipped module and an industry profile. Jump to the parts of the product that turn this guide into evidence on a Monday morning.
Modules that do the work
Food safety management
Two-level PDCA implemented with one underlying QMS.
Audits & CAPA
Nonconformity and corrective action covering both PDCA cycles.
Document control
Hazard control plans and PRPs as live versioned records.
Supplier control
External provider control with risk-proportioned depth.
Compliance self-assessment
Score the FSMS against the 2018 clauses on demand.
Industries this hits hardest
Frequently asked
Is ISO 22000 GFSI-recognised on its own?
No — ISO 22000 alone is not GFSI-recognised. FSSC 22000 (which takes ISO 22000 plus PRPs and additional requirements) is the GFSI-recognised scheme. Sites that need GFSI recognition for retail or food-service customer approval should target FSSC 22000; sites in B2B ingredient supply where customers do not require GFSI may hold ISO 22000 alone.
What changed from ISO 22000:2005 to ISO 22000:2018?
The 2018 revision realigned to the High-Level Structure (Annex SL), introduced the two-level PDCA, clarified the PRP / oPRP / CCP hierarchy with sharper criteria, strengthened risk-based thinking at both the management-system level and the operational level, and improved alignment with ISO 9001 and ISO 14001 for integrated management systems.
Does ISO 22000 require a HACCP plan?
Yes — clauses 8.5 and 8.6 require a hazard analysis and a hazard control plan that operationalise HACCP within the management-system frame. The HACCP per Codex (CXC 1-1969) is the methodological reference; ISO 22000 wraps it with the wider clauses (context, leadership, planning, evaluation, improvement) that Codex HACCP itself does not cover.
How does ISO 22000 interact with national food law?
ISO 22000 is a voluntary management-system standard; national food law (EU 178/2002 and 852/2004, US FSMA 21 CFR 117, UK Food Safety Act regulations, Codex-member national laws) is mandatory. ISO 22000 certification does not replace legal compliance but provides a framework that helps an organisation meet its legal obligations consistently. The interested-parties analysis in clause 4 typically lists the applicable regulators and their requirements.
See it on your shop floor.
Free trial, no credit card, onboard in days, not months.