YOUR GUIDE TO IMPLEMENTING ISO

22000
Benefits of Implementation
Structural Changes on ISO 22000:Annex SL
Process Based Thinking Audits
Risk Based Thinking Audits
10 Clauses of ISO 22000:2018
Section 1 - Scope
Section 2 - Normative References
Section 3 - Terms & Definitions 
Section 4 - Context of the Organizations
Section 5 - Leadership
Section 6 - Planning
Section 7 - Support
Section 8 - Operation
Section 9 - Performance Evaluation
Section 10 - Improvement
Get the Most from Your Management System

Benefits of Implementation
ISO 22000 helps organizations minimize food risks and improve performance as it relates to
food safety.
It does so by providing a framework they can use to develop an FSMS, a systematic
approach to addressing food safety issues. Compliance with ISO 22000 provides benefits
such as:

IMPROVED HEALTH AND SAFETY

Minimizing food risks leads to better health and safety outcomes for customers, other users,
employees and others who may come into contact with food.
 
IMPROVED CUSTOMER SATISFACTION

Having an FSMS helps you reliably deliver products that meet customer expectations.
 
HELP MEETING REGULATORY REQUIREMENTS
Compliance with regulatory requirements is required to achieve certification to ISO 22000.
Having an FSMS in place can help companies meet these requirements and understand
how they impact the organization and its customers.
 
HELP MEETING OTHER STANDARDS AND GUIDELINES

ISO 22000 links to various other international standards and guidelines and can help
organizations meet the requirements of these systems as well.

ENHANCED TRANSPARENCY

ISO 22000 helps organizations improve the traceability of their products and achieve greater
transparency regarding operations.
 
IMPROVED RESPONSE TO RISKS

Having an FSMS in place can help organizations respond more quickly and efficiently to
issues that may compromise food safety, helping them stop potential contamination before it
occurs.
 
REDUCED INVESTIGATION TIME

If contamination does occur, an FSMS helps organizations reduce the time it takes to
investigate any food safety breaches, solving the problem faster.

The standard itself also offers several advantages over other systems:

CONSISTENT STRUCTURE

The structure of ISO 22000 is similar to that of other international standards. It is designed to
integrate seamlessly with other management systems from ISO, such as ISO 9001, ISO
45001 and ISO 14001.

GLOBAL RECOGNITION

ISO 22000 is a well-known, internationally recognized standard. Certification to it improves

an organization’s reputability with customers, suppliers, investors, regulatory groups and
other parties worldwide.

INCREASED BUSINESS OPPORTUNITIES

Certification to an international standard such as ISO 22000 opens doors for a business.
Some organizations require certification before they will supply or otherwise work with a
company.
Structural Changes on ISO 22000:Annex SL
The ISO 22000, as other recently revised international standards such as ISO 9001 and ISO
14001, has adopted the Annex SL structure during its 2018 revision.

The Annex SL was initially approved in 2012. This section of the ISO/IEC Directive describes
the common structure of all ISO management systems standards in which the new or
updated standards must be focused on when developing the relevant requirements.

Prior to the adoption of Annex SL there were many differences between the clause structure,
requirements, terms and definitions used across the various management system
 
standards. This made it difficult for organizations to integrate the implementation and
management of multiple standards; Environment, Quality, Health and Safety and Food
safety being among the most common. This structure tries therefore to eliminate confusions,
duplications and conflicts from the different interpretations of management system
standards.

HIGH LEVEL STRUCTURE

Annex SL consists of 10 core clauses:

1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10.Improvement

Of these clauses, the common terms and core definitions cannot be changed. Requirements
may not be removed or altered, however discipline-specific requirements and
recommendations may be added.

All management systems require a consideration of the context of the organization (more
on this in section 4); a set of objectives relevant to the discipline, in this case food safety,
and aligned with the strategic direction of the organization; a documented policy to support
the management system and its aims; internal audits and management review. Where
multiple management systems are in place, many of these elements can be combined to
address more than one standard.
Additionally, ISO 22000:2018 has also introduced a specific introduction and annexes:

0. Introduction

0.1. General

0.2. FSMS Principles

0.3. Process Approach

0.3.1. General

0.3.2. Plan-Do-Check-Act Cycle

0.3.3. Risk-based thinking

0.3.3.1. General

0. 3..3.2. Organizational risk management

0.3.3.3. Hazard Analysis

- Operational processes

0.3.3.4. Relationship with other management system standards

Annex A Cross references between the CODEX HACCP and this document

Annex B Cross references between this document and ISO 22000:2005

Process Based Thinking/Audits

A process is the transformation of inputs to outputs, which takes place as a series of steps or
activities which result in the planned objective(s). Often the output of one process becomes
an input to another subsequent process. Very few processes operate in isolation from any
other.

“Process: set of interrelated or interacting activities which transforms inputs to outputs”

- ISO 22000:2018 Terms and Definitions

Even an audit has a process approach. It begins with identifying the scope and criteria,
establishes a clear course of action to achieve the outcome and has a defined output (the
audit report). Using the process approach to auditing also ensures the correct time and skills
are allocated to the audit. This makes it an effective evaluation of the performance of the
FSMS.

“Understanding and managing interrelated processes as a system contributes to the

organization’s effectiveness and efficiency in achieving its intended results.”

This also applies where processes, or parts of processes, are outsourced. Understanding
exactly how this affects or could affect the outcome and communicating this clearly to the
business partner (providing the outsourced product or service) ensures clarity and
accountability in the process.

The final process step is to review the outcome of the audit and ensure the information
obtained is put to good use. A formal Management Review is the opportunity to reflect on the
performance of the FSMS and to make decisions on how and where to improve. The
Management Review process is covered in more depth in Section 9 – performance
evaluation.

Risk Based Thinking/Audits

Audits are a systematic, evidence-based, process approach to evaluation of your Food
Safety Management System. They are undertaken internally and externally to verify the
effectiveness of the FSMS. Audits are a brilliant example of how risk-based thinking is
adopted within food safety management.

1ST PARTY AUDITS - INTERNAL AUDITS

Internal audits are a great opportunity for learning within your organization. They provide
time to focus on a particular process or department in order to truly assess its performance.
The purpose of an internal audit is to ensure adherence to policies, procedures and
processes as determined by you, the organization, and to confirm compliance with the
requirements of ISO 22000.

AUDIT PLANNING

Devising an audit schedule can sound like a complicated exercise. Depending on the scale
and complexity of your operations, you may schedule internal audits anywhere from every
month to once a year. There’s more detail on this in section 9 – performance evaluation.

RISK-BASED THINKING

The best way to consider frequency of audits is to look at the risks involved in the process or
business area to be audited. Any process which is high risk, either because it has a high
 potential to go wrong or because the consequences would be severe if it did go wrong, then
you will want to audit that process more frequently than a low-risk process.

How you assess risk is entirely up to you. ISO 22000 doesn’t dictate any particular method
of risk assessment or risk management, apart from addressing this concept on the already
mentioned two levels, organizational and operational levels. However, the standard requires
you to describe and retain as documented information the methodology used when
conducting a risk assessment.

CERTIFICATION ASSURES

● regular assessment to continually monitor and improve processes

● credibility that the system can achieve its intended outcomes
● reduced risk and uncertainty and increase market opportunities
● consistency in the outputs designed to meet stakeholder expectations

The 10 Clauses of ISO 22000:2018

ISO 22000 is made of up 10 sections known as Clauses. As with most other ISO
management system standards, the requirements of ISO 22000 that need to be satisfied are
specified in Clauses 4.0 – 10.0.

Unlike most other ISO management system standards, an organization must comply with all
of these requirements; this means they cannot declare one or more clauses as being not
applicable to them. In ISO 22000, in addition to Clauses 4.0-10.0 there is a further set of
requirements detailed mostly in Clause 8 (Operation), which include the HACCP
principles as per Codex Alimentarius. This is considered the core of the system as
well as the operational level of the FSMS.

The following parts of this guide provide an overview explanation of the purpose of each
clause, highlight the type of evidence an auditor would expect to see to confirm that you
comply, and give tips on effective ways to comply with the requirements.

Section 1: Scope
A Food Safety Management System is primarily intended to ensure food is safe for
consumption. It does this through the application of the processes determined by you as
necessary for your operations, as well as the processes determined by the standard as
necessary for continual improvement. A FSMS aims to assure conformity to applicable
 statutory, regulatory and customer requirements.

The 2018 version includes also feed producers and animal food producers within the scope.

The Scope section of ISO 22000 sets out:

● the purpose of the standard;

● the types of organizations it is designed to apply to; and
● the sections of the standard (called Clauses) that contain requirements that an organization
needs to comply with in order for the organization to be certified as “conforming” to it (i.e.,
being compliant).

ISO 22000 is designed to be applicable to all organizations in the food chain, regardless of
size and complexity; this includes organizations that are directly or indirectly involved in one
or more stages of the food chain. Small and/or less developed organizations can implement
and maintain a FSMS that complies with ISO 22000.

Section 2: Normative References

ISO/IEC Directives, Part two, Section 6.2.2, defines the inclusion of a normative reference
as, “This conditional element [of the Standard] shall give a list of the referenced
documents… in such a way as to make them indispensable for the application of the
document.

In other words, by citing something as a normative reference, it is considered as

indispensable to the application of that particular Standard. Unlike ISO 9001, there are no
normative references in ISO 22000; however, it would be useful for you to have a look at the
following ISO family standards that will help to better understand its requirements:

● ISO 22004:2014 - Guidance on the application of ISO 22000

● ISO 22005:2007 Traceability in the feed and food chain - General principles and basic
requirements for system design and implementation
● ISO/TS 22002-1:2009 PRP on food safety - Food manufacturing
● ISO/TS 22002-2:2013 PRP on food safety - Catering
● ISO/TS 22002-3:2011 PRP on food safety - Farming
● ISO/TS 22002-4:2013 PRP on food safety - Food packaging manufacturing
● ISO/TS 22002-6:2016 PRP on food safety - Feed and animal food production
● ISO/TS 22003:2013 FSMS - Requirements for bodies providing audit and certification of
Food Safety Management Systems
● ISO 10012:2003 Measurement management systems - Requirements for measurement
processes and measuring equipment
● ISO/TR 10013:2001 - Guidance for quality management system documentation
● ISO 1015:1999 Quality Management - Guidelines for training
● ISO 19011:2018 - Guidelines for auditing management systems
● ISO 31000:2018 Risk management - Guidelines

Section 3: Terms and Definitions

This section sets out the terms and definitions that are used in the Standard which may need
further clarification in order to apply the Standard to a particular organization. Some of them
also include notes that seek to provide further information and clarity. If an electronic version
of the Standard has been purchased the definitions are hyperlinked to other definitions so
that there interrelationship can be seen.

There are some definitions that must be mentioned due to its relation with the
changes on the 2018 version:

‘Significant food safety hazard’ - Food safety hazard identified by an organization through
the hazard assessment that needs to be controlled by specific control measures

‘Control measures’ - Action or activity used to prevent a significant food safety hazard or
reduce it to an acceptable level

‘Acceptable level’ - Level of a food safety hazard that must not exceed in the finished
product

‘Action criterion’ - Measurable or observable specification for the monitoring of an

operational prerequisite programme (OPRP). This action criterion is established to assess
whether the OPRP is under control

‘Competence’ - Ability to apply knowledge and skills to get intended results

‘Interested party’ - Person or organization that can affect, be affected by, or perceive itself
to be affected by a decision or activity

‘Outsource’ - Arrangement made where an external company (outside the scope of the
management system) performs part of a function or internal process within the scope

‘Risk’ - Effect of uncertainty; whereas effect means a deviation from the expected (positive
or negative), uncertainty is in fact a state, even partial, of deficiency of information related to
the understanding or knowledge of an event, its consequence, or likelihood. Risk is no
longer only applicable to the operational level of the organization, but it is implied in all
aspects of the system that could affect food safety
Additionally, some terms have been redefined in order to provide a better
understating to users:

‘Critical Control Point (CCP)’ - Step in a process at which a control measure can be
applied and it is essential to prevent or reduce a significant food safety hazard to an
acceptable level. Critical limits and measurement enable the application of corrections. Both,
CCPs and OPRPs require monitoring, validation and verification

‘Operational Prerequisite Programme (OPRP)’ - Control measures identified through the

hazard analysis as essential to prevent or reduce to an acceptable level the probability of
introducing risks and/or contamination or
proliferation of a significant food safety hazard in food products or in the work environment.

Action criterion and measurement or observations enable effective control of these

processes. (These are more specific to each organization than the PRPs)

‘Monitoring’ - Planned sequence of observations or measurements to evaluate whether a

process is operating as intended. Monitoring shall be applied during an activity and provides
information for action during a specified time frame (“present assessment”)

‘Validation’ - Obtaining evidence that a control measure will be capable of effectively

controlling a significant food safety hazard. Validation shall be applied prior an activity and
provides information about the capability to deliver intended results (“future assessment”)

‘Verification’ - Confirmation, through the provision of objective evidence, that specified

requirements have been fulfilled. Verification shall be applied after an activity and provides
information for confirmation of conformity (“past assessment”)

The following sections, 4 to 10, provide the requirements of the Standard. When reading the
Standard, it is important that as with past ISO 22000 versions, the word “shall” indicate the
mandatory requirements that an organization must meet and external auditors, such as
NQA, are required to verify conformance and effectiveness against.

In order to understand how each of the following clauses applies to each other the remaining
text applies to this diagram:
Section 4: Context of the Organizations
This is a new concept in terms of ISO 22000:2018. This section requires the organization to
analyze its context, determine its interested parties, define the scope of the food safety
management system and a clear focus on the processes and requirements needed to
achieve the food safety objectives.
 
The clause is sequential as there is a need to understand the organization and context (4.1),
prior to identifying interested parties and understanding their needs and expectations (4.2),
the output of both 4.1 and 4.2 allows determination of scope (4.3), and then ultimately
designing the FSMS (4.4):

Understanding the context of the organization is usually conducted by top management

with information about the business and activities gathered at every level of the organization.
Discussion points focus on internal and external issues which have an impact on the FSMS
system.

4.1 UNDERSTANDING THE ORGANIZATION AND ITS CONTEXT

This section implies an analysis of the risks or issues that can impact our business,
not just the internal but also the external issues that can affect the capability of the
management system to get the intended results. As external issues we could include
social, cultural and political trends, legal changes, technology advancements, etc. that can
influence the achievement of the established food safety objectives.

As these issues may vary, its revision must be done regularly and now it is also mandatory
as an input during your periodic management review meetings. We also must bear in mind
that these issues can be positive or negative, but equally considered to define our context.
Once the context is determined, this will facilitate the establishment of food safety objectives.

There are numerous methodologies that can be used to determine context, such as the
SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis, the CPM (Competitive
Profile Matrix) or PEST (Political, Economic, Socio-cultural and Technological) analysis,
among others.

Even though documented information is not required with regard to context, this is extremely
useful when your system is audited and to demonstrate your understanding and analysis of
the mentioned issues, i.e.: meeting minutes, graphics, data analysis, etc.
● External Issues
o Cultural, social, political, legal, financial, technological, economic and natural surroundings
including the environment in which the organization operates
o Who the competitors are and any contractors, subcontractors, suppliers, partners and
providers
o National and international law
o Industry drivers and trends which have influence on the organization
o The organization products and services and their influence on food safety
o Availability and variety of external providers of services/ products
o Changes in consumption patterns
o Capacity of changes regarding premises (landlord)
● Internal issues
o Governance, organizational structure, roles and accountabilities
o Policies, objectives and the strategies in place to achieve them
o Competence of personnel
o Food Safety culture within the organization and the relationship with workers
o Process for the introduction of new products, materials, services, tools, software, premises
and equipment
o Working conditions
o Resources (underutilization of resources)
o Retention of skilled employees
o Number and variety of clients/ customers

o Linkage to a certain activity, location and/or period

4.2 UNDERSTANDING THE NEEDS AND EXPECTATIONS OF INTERESTED PARTIES

The concept of customer has disappeared to introduce the term of interested party. This
section requires the determination of interested parties (commonly known “stakeholders”)
that can influence FSMS positively and negatively. Once it has been decided which
interested parties are relevant and significant, their needs and expectations within the FSMS
should be addressed.

They will probably be shareholders, landlords, regulators, customers, employees, trade

associations, competitors, suppliers, distributors, and consumers, among others. You
need to identify all those parties and analyze how they can affect the achievement of the
main objective of a FSMS that is to ensure food is safe.

Some needs and expectations of our interested parties are mandatory and incorporated into
law and regulatory requirements therefore must be considered. The identified interested
parties and their requisites must be obviously revised when defined and also when changes
apply to the organization. Having defined who your Interested Parties are, ISO 22000
requires that you determine their potential and actual effects.
Interested parties can be documented in the form of a map:

Suppliers Shareholders

Landlords
Competitors

Regulators

FSMS
Consumers

Distributors

Trade
Associations
Customers
Employees
4.3 DETERMINING THE SCOPE OF THE FSMS

This is not a new concept but it has been revised in order to refer to the physical and / or
geographical site within which your operations take place, the products / services included in
the FSMS, the relevant parties you have identified and the special characteristics such as
type of packaging used, storage or shelf-life conditions of the product/s. Your scope
statement must be maintained as documented information.

When the application to NQA is made to have the system audited for certification, it is
necessary to declare the scope in a statement. This will ensure that they send the correct
auditor with experience in your industry sector.

For example:
‘The fermentation, carbonation and packing of red wine into glass bottles’
Using this example, you can see that each step will incorporate many processes including
workers, machinery, regulatory requirements, external providers, customers (end users) and
competence which will be audited.

4.4 FOOD SAFETY MANAGEMENT SYSTEM

As a result of the previous clauses, an organization then has to establish, implement,

maintain and continually improve a FSMS.

This section mentions the need of focusing in the interaction of processes. All processes and
their interactions included in the scope of the FSMS must be determined and controlled in
order to get the intended results in accordance with the strategic direction of the organization
and the food safety policy.

Section 5: Leadership
The standard states that top management shall demonstrate leadership and commitment
with respect to the FSMS. But who is top management? According to ISO 22000, top
management is the person or group of people who direct or control an organization at the
highest level.

DEMONSTRATING LEADERSHIP AND COMMITMENT

There is no longer an excuse for top management not being present during a certification
audit. An external auditor will expect to discuss leadership with those who manage the
organization.
 The previous version of ISO 22000 already included examples of how leadership can be
demonstrated within the FSMS management system:

● Establishing the food safety policy

● Demonstrating that food safety is supported by the objectives of the organization
● Provision of appropriate and sufficient resources
● Facilitating the culture of continual improvement
● Communicating appropriately amongst interested parties
● Ensuring the integration of the FSMS requirements into the organization’s business
processes
● Leading the management review meetings

Additionally, the 2018 version states that top management shall also:

● Ensure that the strategic plans of the organization and the food safety objectives are
compatible and integrated within the organization
● Ensure the integration of the FSMS requirements into the organization’s business processes

SETTING THE FOOD SAFETY POLICY

Practically this requirement has not changed with respect to the previous version. A policy
contains the intention and direction of an organization as formally expressed by its top
management.

The food safety policy is approved by top management and will drive the controls that are in
place and the actions that are carried out to improve it.

The standard specifically requires that the food safety policy, which shall be appropriate to
the purpose and context of the organization, must include commitments to:

● Provide a framework for setting and reviewing objectives of the FSMS

● Satisfy applicable food safety requirements, including statutory and regulatory requirements
and mutually agreed customer requirements related to food safety
● Address internal and external communication
● Continual improvement of the FSMS system
● Ensure competencies related to food safety

Once the FSMS policy has been approved it must be communicated to all interested parties
including operators, and also customers and external providers on request. In addition,
periodically the food safety policy must be reviewed by top management to ensure it remains
applicable to the context of your organization.

The top management commitment with respect to the FSMS must be visible and palpable. A
good way to demonstrate commitment to clients, operators and general public is to ensure
your food safety policy is visible and also well communicated in any or all of the following:
● Recruitment packs
● Induction packs
● Supplier evaluations
● Supplier contracts
● Notice boards on site
● Website / intranet site
● Annual staff appraisals

Don’t forget your food safety policy must be available and maintained as documented
information.

WHO IS REPONSIBLE FOR WHAT?

This section requires the organization to define clear roles, responsibilities and authorities
throughout the organization. Top management shall also ensure that all responsibilities and
authorities have been assigned and understood.

All personnel must know what it is expected from them (responsibilities) and what top
management allows them to do (authorities). This can be easily implemented through an
organigram and job descriptions of all staff of the organization with their duties and
authorities described.

ISO 22000 does specify a requirement for a nominated food safety team leader that ensures
the system is established, implemented, maintained and updated when required.

It certainly makes life easier for an external auditor to have a clear point of contact, and this
person must have suitable authority to manage the system, ensure the work is managed as
well as the relevant training and competencies of the food safety team, report on the
effectiveness and suitability of the FSMS and make continual improvements as determined
by top management.

Section 6: Planning
Planning is one of the key components of any management system. This section sets out a
framework that asks an organization to analyses itself to determine the risks and
opportunities of its activities and then how to address them.

ACTION!

If you’ve been thorough in your assessment of context and the needs and expectations of
interested parties, then the potential risks and opportunities will likely have made themselves
quite apparent. You’re looking to answer the following questions:
 

1. What are we trying to achieve?

2. What could stop us from achieving our objectives?

3. How will we address these issues?

4. How can risks be turned into opportunities?

5. How can opportunities help us to improve?

6. Who will be responsible for actions?

7. When will we need to take action by?

8. How will we know whether our actions were effective?

Addressing risks and opportunities and achieving your food safety objectives require an
action plan.
First of all, plan all actions to address the identified risks and opportunities previously defined
and then identify the way to integrate and implement them in your FSMS and evaluate their
effectiveness.

Now risks not only involve food safety risks but also those risks than can impact your FSMS
losing productivity and effectiveness. ISO 22000 differentiates between two types of risk
management, the one that focuses just on the operational level and that can be controlled
through the establishment and maintenance of PRPs, OPRPs, CCPs and emergency
preparedness, and also the risks that affects the entire management system and could make
an impact into food safety.

The latter are those that could happen but there is no history of them happening or, if they
did, that was a sporadic event. Therefore, recurrent events are not to be considered as
organizational risks and these must be controlled by the establishment of corrective actions.
All actions taken to address the identified risks and opportunities must be proportionate to
the potential impact on the conformity of product/s and service/s and customer satisfaction.

OBJECTIVES

It is a requirement of the standard to set achievable food safety objectives with the means to
periodically measure progress, demonstrating continuous improvement.

The objectives need to be:

● Consistent with the food safety policy
● Measurable
● Consistent with applicable food safety requirements, including statutory, regulatory and
customer requirements
● Monitored and verified
● Communicated
● Maintained and updated
● Documented

Additionally, the objectives must be realistic, so they can be achievable and also help you to
identify possible opportunities of improvement.

An effective way to communicate food safety objectives is to include them in induction

training, display them around your site or electronically via an intranet or similar.

The SMART term will guide you on the establishment of adequate objectives for your
organization, so you should think of the following requirements when setting them as they
should be:

● Specific, as precise as possible

● Measurable, quantifiable so we can monitor progress
● Achievable, failure shall not be built into objectives
● Realistic, possible for your organization
● Timely, with a completion date established

Your action plan should include:

● What will be done

● What resources will be required (to the best of your understanding at the time)
● Who will be responsible
● When actions will be completed
● How results will be evaluated

Putting these into a simple matrix can help to clarify the objectives, however if you already
record this type of information somewhere else, there is no need for you to duplicate.

MANAGING CHANGE

When you’ve put so much time and effort into all this planning, it would be a shame for an
inadvertent change to mess it all up!

When there is change in the system, your organization must maintain the integrity of the
FSMS, so the changes must be considered and a revision conducted to implement them.

In light of this, clause 6.3 expects that any changes that you determine are necessary to the
food safety management system are carried out in a planned manner. This should take into
account the extent of the changes deemed necessary, the potential impact on the existing
system, how you will resource the changes and any effect this may have on current roles,
responsibilities and authorities.

Section 7: Support
This section looks at the resource, competence, awareness, communication and
documentation of a FSMS. The requirements really underpin a FSMS and ensure that it runs
effectively.
 
RESOURCES INCLUDING PEOPLE, INFRASTRUCTURE AND WORK ENVIRONMENT

You must determine the resources required for running your business by considering the
capability and limits of your organization, the need of external support and the resources
needed for every process and/or product. These processes and/or products must also be
assessed in order to consider if changes on resources will be needed to improve them.

You must demonstrate your people are competent. Simply, do you have the right people with
the necessary skills / attributes in appropriate roles? If you’re currently missing some specific
skills, how do you plan to address this? Will you recruit or will you outsource? If you’re
outsourcing, how will you communicate your requirements to your supplier? Bear in mind
you must also maintain documented evidence to demonstrate competency, responsibility
and authority of the external personnel.

When talking about infrastructure, this means determining, providing and maintaining the
premises, equipment, software, transportation, storage, technology, etc. that are needed to
carry out your business operations.
We need to consider how we are going to provide, manage and maintain the needs of every
area and equipment to be able to perform our processes in an effective manner.

Ensuring you can cope with customer demands can be helped by the work you did to
address clause 4 and clause 6. Some examples to demonstrate conformity are a list of
equipment in use, resources planning, maintenance planning of premises and equipment,
maintenance records, etc.

Regarding work environment, this isn’t referring to the great outdoors. This means providing
an environment that is suitable for what you are trying to achieve. Whether that is a factory,
office or any other type of working space, make sure you have the right atmosphere to
enable you and your employees to operate effectively.

Adequate heat, light, airflow, hygiene, noise levels, hand- washing stations, etc. all
 contribute to an effective working environment. This can also include addressing some of the
softer elements such as employee wellbeing, stress-reduction, clear lines of reporting,
employee appraisals, rewards systems etc.
This section can be easily controlled by the implementation of prerequisite programmes.

CONTROL OF EXTERNAL PROVIDERS

The standard specifies that all elements of the FSMS developed externally shall be
identified, controlled and documented (this includes for example measuring and monitoring
equipment).

Same conditions apply to externally provided processes, products or services, since you will
be required to ensure you set all required specifications and they shall be met before any
agreement is done with an external provider.

This section focuses on ensuring that all external processes, services or products will not
affect the safety of your finished products or services. The evaluation and continuous
monitoring of performance of providers is a must.

COMPETENCE & AWARENESS

An organization working effectively and efficiently must have competent personnel. In terms
of FSMS it is essential that employees have access to information and have been suitably
trained to prevent food safety hazards.

Competence can include consideration for:

● Capability to fulfil the task based on defined job roles and clear understanding of the
consequences of its performance in food safety
● Knowledge and experience of the food safety team
● Defined methods of recruitment with consideration for temporary or agency employees
● Awareness of food safety hazards associated with the products and processes
● Legal requirements
● Individual capabilities including experience, language skills, literacy and diversity

The diversity of activities within the organization will determine the level of training required
to fulfil competence. Training gaps are usually identified with the development of new
processes, for example the introduction of new machinery or in achieving compliance with
regulatory requirements. No matter how big or small the organization is, training records are
essential as reference and evidence of the fulfilment of competence.

Consider an overview training matrix identifying fulfilled training gaps including refresher
training dates. In addition, consider individual training records with signatory evidence from
the employee to acknowledge completion and understanding of training including for
example the training on OPRPs and CCPs of your process provided to specific operators.
 You must not forget all this training shall be provided by qualified personnel, so evidence for
their competence is also mandatory, and the monitoring of performance to evaluate
effectiveness. The need for refresher training can be also detected by:

● Corrective actions
● Management review meetings
● Results of Internal audits
● Specific competence depending on the role

The organization must also consider the competence of external providers including the
procurement of contractors conducting tasks on site. The organization’s procurement
process may provide the structure for management of external providers; including evidence
of capability, competence and on site, this may be supported with site induction training.

Either internally or externally, the organization’s top management must be confident that
mechanisms are in place to provide workers with suitable and sufficient competency based
food safety training.

Awareness can be addressed through ensuring your FSMS is explained during recruitment
and induction, at regular appraisal or review meetings with line management, through
regular meetings and / or communications relating to food safety policy, objectives, and their
contribution to the effectiveness of the FSMS as well as the consequences of not complying
with the requirements.

COMMUNICATION 

Effective and efficient internal and external communications are the “key” to running a
FSMS. The Standard is helpful in providing a framework in order to depict the
communication process within an organization. By turning this into a table and with reference
to the “interested parties” or “stakeholder” analysis undertaken in 4.2 a communications
“plan” can be formed:

Of course, the columns can be re-arranged if necessary!

One area that is often forgotten is communication with “persons doing work under the
organization’s control”. As a “rule of thumb” it is advisable to treat contractors or outsourced
 operations as if they were “direct” employees and communicate in a manner that is effective
and so that the communication is two-way. By adopting this philosophy, it ensures that the
“persons doing work under the organization’s control” can contribute to continual
improvement.

There must be an efficient communication system with providers of services, products or

processes, customers, and regulators among others interested parties, and also internally
with the food safety team. In conclusion, the communication system shall include all
interested parties; however, remember to clearly defined who will be the person that
provides these communications.

The outcome of the relevant internal and external information must be used as input to the
management review.

DOCUMENTED INFORMATION

Previously the standard used to mention that the establishment or maintenance of specific
documented procedures and records were required, now 2018 version refers to maintain or
retain documented information. Put simply, maintain means that you must keep it up to date,
for example your policy and food safety objectives. Retain means you must keep records as
evidence that you have satisfied that particular requirement.

You must ensure that all documents relating to your FSMS are easily identifiable, are in a
suitable format, are protected from unintended alteration or destruction, and are available to
the right people in the right version at the point at which they are needed.

It also makes sense to keep a record of all your FSMS documentation along with its current
version / issue number, when it was last updated, who is responsible for the content, a
summary of any changes made during revisions, when it is next due for a review, how long it
must be retained for and how it is to be disposed of.

There are clear instructions as to what minimum documented information the

standard requires:
 

Clause Documentation Requirement

4.3 Determining the scope of the food safety management system

5.2.2 Food Safety Policy

 Clause Documentation Requirement

6.2.2 FSMS Objectives

7.1.2 People

7.1.5 Externally developed elements of the food safety management system

7.1.6 Control of externally provided processes, products or services

7.2 Competence

7.4.2 External communication

8.1 Operational planning and control

8.2 PRPs

8.3 Traceability

8.4 Emergency preparedness and response

8.5.1.1 Preliminary steps to enable hazard analysis

8.5.1.2 Characteristics of raw materials, ingredients and product contact materials

 Clause Documentation Requirement

8.5.1.3 Characteristics of end products

8.5.1.4 Intended use

8.5.1.5.2 On-site confirmation of flow diagrams

8.5.1.5.3 Description of processes and process environment

8.5.2.2 Hazard identification and determination of acceptable levels

8.5.2.3 Hazard assessment

8.5.2.4.2 Selection and categorisation of control measures

8.5.3 Validation of control measure(s) and combinations of control measures

8.5.4.1 Hazard control plan

8.5.4.2 Determination of critical limits and action criteria

8.5.4.3 Monitoring systems at CCPs and for OPRPs

8.5.4.5 Implementation of the hazard control plan

 Clause Documentation Requirement

8.7 Control of monitoring and measuring

8.8 Verification related to PRPs and the hazard control plan

8.9.2 Corrections

8.9.3 Corrective actions

8.9.4.1 Handling of potentially unsafe products

8.9.4.2 Evaluation for release

8.9.4.3 Disposition of nonconforming products

8.9.5 Withdrawal/ recall

9.1 Monitoring, measurement, analysis and evaluation

9.2 Internal Audit

9.3 Management review

10.1 Nonconformity and corrective actions

 Clause Documentation Requirement

10.3 Update of the FSMS

Section 8: Operation
This is the core of a FSMS, where mostly all HACCP principles are integrated and the
moment when “doing” is the key after being planning your system.

Annex SL only provides a common requirement; operational planning and control, the rest of
clauses are specific to each standard.

Therefore, the first step is to ensure you have fully understood all the requirements for your
product or service. This will involve liaising with customers as well as implementing
measures to ensure all applicable legal requirements are met. This means, establishing
criteria for your processes. It is essential that you determine and review your organization’s
ability to meet the necessary requirements before you commit to anything.

All controls you previously planned, that may be supported by PRPs, OPRPs and/or your
HACCP plan, must be now in place and all relevant documented evidence will be available
to demonstrate you did act as planned.

PREREQUISITE PROGRAMMES (PRPs)

2018 version suggests the use of specific ISO/TS 22002 series depending on the sector you
are working on, to determine the PRPs applicable to your organization that will assist in
controlling food safety hazards. The idea is to implement PRPs that are appropriate to your
context, size and activities conducted.

These prerequisites will be established before conducting the hazard analysis, and its
selection, implementation, monitoring and verification must be also documented.

The standard provides a list of PRPs that every organization shall consider, easy and quite
straight to the point, do not miss any of them!

BE READY TO EXPECT THE UNEXPECTED

Have you established a traceability system and also a procedure to respond to emergency
situations? Let’s prove it!

Examples of emergency situations could be natural disasters, an earthquake, sabotage,

blockage of main utilities, environmental accidents, etc.

When previously ISO 22000 did not require a test for these activities, now it is crystal-clear.
Implement a system with procedures in place and challenge its effectiveness, so you will be
able to see if they work when needed. The documented evidence of these tests will be
retained for a defined period not less than the shelf-life of the product/s provided.

Bear in mind that if traceability is an important factor in your product or service delivery, then
you must ensure that all monitoring and measuring equipment is fit for the activities
undertaken and is suitably calibrated and maintained. You must maintain documented
evidence of such equipment being fit for purpose.

At this point, the ISO/TS 22005:07 may be of help as it will provide you guidelines for the
establishment of a good traceability system.

HAZARD CONTROL

There is no much difference between the requirements established by the HACCP principles
developed by Codex Alimentarius and the information you will find in this section. The food
safety team will collect, maintain as documented and update preliminary information to
continue with this point, such as scientific documentation, regulations applicable to the
sector, customer needs, historical data of food safety hazards associated with the product or
service, etc.

Before carrying out the analysis of hazards, do not forget to establish a multidisciplinary
team with a defined leader. This is the first step of HACCP, and although ISO 22000 does
not specify this requirement in this section, it is mandated as part of the responsibilities of
top management.

Once established the characteristics of raw materials, end products, intended use and a very
detailed flow diagram/s, as the standard now requires, it’s time to carry out the hazard
analysis. You can find some notes that make clear from where the identification of hazards
can be obtained, for example the experience that can refer to information from internal staff
or experts in the matter.

The evaluation of hazards, based on their severity of harm and probability of occurrence, will
include the establishment of specific measures or combination of them to prevent or reduce
the significant food safety hazards to acceptable levels. But make sure all implemented
measure/s worked as expected! (Remember how validation is defined in section 3 of this
guide).
 OPRP OR CCP?

An assessment of each of the control measures is needed to categorize them to be

managed as OPRP or CCP, so you need to evaluate:

● the probability of failure and how easy is to keep it under control

● its severity when failing and what effect can cause the measure implemented
● its location with respect to other activities implemented to reduce specific hazards
● whether it’s specific for that particular hazard
● if other measures are required to reduce the hazard to an acceptable level
● the viability to establish measurable critical limits and/ or action criteria
● the feasibility of monitoring to detect failures on the applicable determined limits and also
corrections in case of failure

Don’t forget to maintain this decision-making process and results as documented

information!

Your hazard control plan must contain, as a minimum, the following information for all
identified CCPs and OPRPs:

● what food safety hazard are you controlling with this CCP or OPRP
● what measure have you put in place to do so
● the critical limit/s or action criteria in place that can’t be exceed
● how do you monitor this activity
● which corrections and corrective actions will be carried out if critical limits or action criteria is
not met
● who is responsible for this activity (defined responsibilities and authorities)
● what records do you maintain as monitoring evidence

As mentioned in section 3 when talking about definitions, the critical limits established for
CCPs must be measurable. Likewise, the action criteria defined for the OPRPs must be also
measurable or observable.
You need to define why you have selected those specific critical limits and action criteria and
establish a monitoring system to defect any failure.

If visual inspections from staff are implemented as a monitoring system for a specific OPRP,
you need to define what instructions or specifications were provided to personnel in order to
ensure the system will be effective.
As usual, at this point, any failure will be considered non-conformity and you must follow it
up establishing immediate corrections, retaining unsafe products under control, analysing
the cause and implementing corrective actions to ensure recurrence is prevented.

Now that the PRPs, hazard control plan and all related requirements are established and
documented when necessary, look back and make sure the preliminary information to
enable the hazard analysis is still adequate!
 VERIFIYING THE VERIFIED!

First of all, ensure the person responsible for verification activities is not the same one that
conducts their monitoring. Through verification you will be able to make sure that:

● Input to hazard analysis is updated

● PRPs are implemented and updated
● OPRPS and CCPs are implemented and effective
● Hazard levels are within identified acceptable levels
● Every implemented procedure you established is effective

All these verification results must be assessed by the defined food safety team, so this will
give you information with regard to how your system is performing.

CONTROL OF NON-CONFORMING PRODUCTS AND PROCESSES

We must start this section ensuring all staff responsible for corrections and corrective actions
must be competent and have the authority to carry out these activities.

Within section 8 of the ISO 22000 standard, the specified corrective actions and corrections
are focused at the operational level, so this will include all immediate actions to be taken
when limits established for OPRPs and CCPs are exceeded and also actions that will be
done to avoid their recurrence.

When critical limits for a CCP or action criteria for an ORP are not met, you must treat the
product as potentially unsafe from entering the food chain. These products must be identified
and retained at your organization at all times until its evaluation and disposition is
determined.

Where monitoring shows that critical limits at CCPs are not met, you shall not release these
products; instead their disposition must be documented and authorized ensuring:

● their reprocessed to ensure the food safety hazard is reduced to an acceptable level,
● other use that do not jeopardize food safety in the food chain, or
● their destruction or disposal as waste

Likewise, when defined action criteria for an OPRP are not met, the identified non-
conforming products won’t be released unless all established monitoring activities
demonstrate that control measures were effective, the combined effect of control measures
make the product suitable, or other verification activities can demonstrate the product/s
conform/s to acceptable levels for the specific food safety hazard.

If they are already out of your premises, then you must initiate a withdrawal or recall and
notify all relevant interested parties.
Section 9: Performance Evaluation
There are three main ways in which performance of a FSMS is evaluated. The first being
process monitoring and measurement, the second being through internal audits and the third
being the management review.

PROCESS PERFORMANCE

As an organization you will need to decide what you need to monitor and measure in order
to be assured that your processes are operating as intended. You will also need to establish
how often you will monitor and measure, what resources will be required, how results will be
recorded, analyzed and evaluated and who will carry out these evaluations.

This often results in a series of Key Performance Indicators (KPIs) which relate directly to
your food safety objectives (set in section 6). You will need to retain documented information
as evidence of the results of performance evaluation and use them as an input to the
management review and the updating of the FSMS.

INTERNAL AUDITS

ISO 22000:2018 determines that internal audits must be carried out at planned intervals. It is
for you, the organization to decide what those intervals should be. As an indication, you may
wish to audit all processes at least once across an annual period, with higher-risk processes
being audited more frequently. The purpose of internal audits is two-fold. Firstly to check that
the management system conforms to the requirements specified by you, the organization as
necessary for your operations; secondly to ensure conformity to the requirements of ISO
22000:2018.

Audit frequency should also be influenced by the results of previous audits and any changes
which you are aware may affect the process. So, if you have a problematic process or area,
it would make sense to audit it more frequently for a while until a solution is implemented
and has been seen to be effective.

The Standard also says that auditors should conduct audits to ensure objectivity and the
impartiality of the audit process. This is sometimes inherently difficult as internal auditors (by
their name) have a close relationship with the organization being audited.

However, sensible guidelines so that internal auditors do not audit their own processes
should be strived for.
Internal audits are a great opportunity to spend some time investigating a specific process or
area and evaluating its performance. It is an ideal way to find areas for improvement and to
fix potential issues before they occur. Think of internal audits as keeping your finger on the
pulse of your organization. Internal audit findings must be reported to the food safety team
and relevant management and naturally form part of the management review agenda.
 Where necessary, corrections and corrective actions must be taken without undue delay. If a
long-term fix requires significant planning and maybe funding approval, consider whether a
short-term fix is possible and appropriate.

MANAGEMENT REVIEW

Management Review is an essential element of the FSMS.

The aim of the review is for Top Management to assess the performance of the
management system to ensure it has been effective, adequate and suitable for the needs of
the business, ultimately preventing unsafe food products or services to consumers. The
management review is also a planned activity to review objectives including compliance and
to set new objectives.

Usually management review meetings are conducted annually, however many organizations
conduct management reviews every six months or quarterly to track the performance of the
system. If more frequent meetings are conducted, often the meeting agenda is reduced with
the full agenda occurring annually.

You will need to retain documented information on your management reviews; these would
normally be meeting minutes or perhaps call recordings if you carry out conference calls.

ISO 22000:2018 includes new elements to be considered during management review

meetings, apart from the inputs already mentioned in the previous version:

● changes in context (internal and external issues) that may affect the FSMS
● information on the performance and the effectiveness of the FSMS, including trends in:
o review of identified risks and opportunities and effectiveness of actions taken
o performance of providers of services, processes or products
o non-conformities and corrective actions
o monitoring and measuring results
o whether the objectives have been achieved
● the adequacy of resources
● opportunities for continual improvement

With regard to outputs, your organization must consider the decisions and actions related to
continual improvement opportunities and any other need for changes and updates of the
FSMS.
 Section 10: Improvement
This section requires your organization to determine and implement opportunities for
improvement to comply with the determined intended purpose of the product, what it is
expected from customers, and prevent and reduce undesired effects while continually
improving the system.

NONCONFORMITY AND CORRECTIVE ACTION 

Now ISO 22000:2018 refers to all those nonconformities that come up from the management
system and not just from the operational level, as we discussed in the previous section.

A methodology to capture, manage and resolve needs to be undertaken and the Standard
asks for the following:

● React to the nonconformity and, as applicable:

o take action to control and correct it
o deal with the consequences, including mitigating adverse environmental impacts
● Evaluate the need for action to eliminate the causes of the nonconformity, in order that it
does not recur or occur elsewhere, by:
o reviewing the nonconformity
o determining the causes of the nonconformity
o determining if similar nonconformities exist, or could potentially occur
● Implement any action needed
● Review the effectiveness of any corrective action taken
● Make changes to the FSMS, if necessary

The Standard says that this process should be documented. There are various ways to
achieve this but usually this comprises a “Corrective Action Request” (CAR) for each
corrective action and a “log” which is essential to record and manage the CAR’s. This is
especially useful where numerous corrective actions are raised.

The “log” can be as simple as:

More
complex systems can “code” different types of nonconformity. This can then be used to
generate trend data that can be useful in on-going performance appraisal of the EMS and
the Management Review process.
 CONTINUAL IMPROVEMENT

The standard says that “The organization shall continually improve the suitability, adequacy

and effectiveness of the FSMS”.

In other words, if all the above sections are established and implemented as well as FSMS
updating, then continual improvement will occur.

UPDATE OF THE FOOD SAFETY MANAGEMENT SYSTEM

This section has not changed in 2018 version, as a summary, top management must provide
the resources needed to ensure the system is continually updated. The food safety team
shall evaluate the FSMS at planned intervals, considering the hazard analysis, and identified
OPRPs and CCPs. The evaluation must be based on:

● Internal and external communication

● Conclusions from analysis of results of verification activities
● Outputs from management review meetings
● Any other information related to the adequacy and effectiveness of the FSMS

These updates must be retained as documented information and reported as input of the
management review.

Get the Most From Your Management System

Top tips for the successful implementation of a FSMS

1. To have an effective FSMS ensure that “Top Management” is committed to its

establishment, implementation, update and continual improvement.

2. Get everyone involved. Top Management for context, requirements, policy and
objectives setting; food safety team and assigned personnel with valuable competence
for hazard analysis and risk assessment, process control and procedure writing.

3. Make sure your system includes two PDCA cycles at operational and organizational
levels, and communication between them is established and maintain at all times.

4. Remember to identify how you have selected the applicable food safety hazards within
your system; these are specific to each process and product and also depending on
applicable regulations and customer needs, so this information is not interchangeable!
5. When changes to products or processes occurred, either planned or unintentionally,
ensure your system is reviewed and established control measures still effective for the
intended purpose of the FSMS.

6. Review your monitoring and measuring devices are calibrated at specified frequency to
ensure reliable results.

7. Remember your suppliers. Some suppliers will help you enhance your FSMS, some will
increase your risk. You need to ensure any high-risk suppliers have controls in place that
are at least as good as yours. If they don’t then look for alternatives.

8. Food Safety concepts are likely to be new for many or most of your employees. People
may need to change habits ingrained over many years. A single awareness briefing is
unlikely to be sufficient, so focus on your personnel competence as a fundamental key
for the implementation of a good FSMS.

9. Remember to allocate sufficient resources to routinely test your controls. The threats
your organization faces will constantly change and you need to test whether you are able
to respond to those threats.