ISO 22000:2018

FOOD SAFETY MANAGEMENT SYSTEM IMPLEMENTATION GUIDE

53,000
CERTIFICATES TRANSPARENT 100
GLOBALLY
 Contents
Introduction to the standard P04

> ISO 22000:2018 Benefits of implementation

Structural Changes on ISO 22000: Annex SL
PDCA cycle
P05
P06
P07
IMPLEMENTATION GUIDE Process based thinking / audit P08
Risk based thinking / audits P09
The 10 Clauses of ISO 22000:2018 P10
SECTION 1: Scope P10
SECTION 2: Normative references P11
SECTION 3: Terms and definitions P12
SECTION 4: Context of the organization P14
SECTION 5: Leadership P18
SECTION 6: Planning P20
SECTION 7: Support P22
SECTION 8: Operation P26
SECTION 9: Performance evaluation P28
SECTION 10: Improvement P30
Get the most from your management systems P32
Next steps once implemented P34
Food Safety management training P36
Useful links P38

2 ISO 22000:2018 IMPLEMENTATION GUIDE ISO 22000:2018 IMPLEMENTATION GUIDE 3

 INTRODUCTION BENEFITS OF
TO THE STANDARD IMPLEMENTATION
ISO 22000 is the food safety management system that can be easily applicable to any ISO 22000 helps organizations minimize food risks and improve performance as it relates to
organization in the food chain. ISO 22000 was initially developed on September 1st 2005 by food safety.
the ISO/TC 34/SC 17 as the first truly international FSMS standard. It does so by providing a framework they can use to develop an FSMS, a systematic approach to addressing food safety
issues. Compliance with ISO 22000 provides benefits such as:

The ISO 22000 family IMPROVED HEALTH AND SAFETY ENHANCED

In addition to ISO 22000 redaction, other standards were A brief history of ISO 22000 Minimizing food risks leads to better health and TRANSPARENCY
created, such as ISO 22004 “Guidance on the application of safety outcomes for customers, other users, ISO 22000 helps organizations improve the
ISO 22000 was initially published in 2005 as a
ISO 22000”, ISO 22005 “Traceability in the Feed and Food employees and others who may come into traceability of their products and achieve greater
response to:
Chain” and also technical specifications by sector, these contact with food. transparency regarding operations.
include farming, food manufacturing, catering, packaging, and
• a number of successive food crises, such as the
feed and animal food production. IMPROVED CUSTOMER
mad cow disease or adulteration of wines with IMPROVED RESPONSE
ethylene glycol and its derivatives, to name a few SATISFACTION TO RISKS
Currently, according to ISO Survey data, there are that occurred in the preceding years. Having an FSMS helps you reliably deliver Having an FSMS in place can help organizations
approximately 33,000 organizations worldwide that are
products that meet customer expectations. respond more quickly and efficiently to issues
ISO 22000 certified. • the globalisation of food supply chains creating that may compromise food safety, helping them
uncertainty with regard to the origin of food products HELP MEETING REGULATORY stop potential contamination before it occurs.
Revision steps • the need from the food industry to demonstrate
REQUIREMENTS
that systems were established and operating in Compliance with regulatory requirements is REDUCED INVESTIGATION
The revision of ISO 22000:2005 commenced in September required to achieve certification to ISO 22000. TIME
accordance to applicable laws and the requirements
2014. All participants, the technical committee and national Having an FSMS in place can help companies
specified by the Codex Alimentarius, and If contamination does occur, an FSMS helps
mirror committees, agreed on the need to revise the standard meet these requirements and understand how organizations reduce the time it takes to
with the purpose of addressing emergent food safety they impact the organization and its customers.
• a need to facilitate the harmonization of international investigate any food safety breaches, solving the
challenges.
food safety regulations problem faster.
After a long period of discussions, in June 2018 HELP MEETING OTHER STANDARDS
ISO 22000:2018 was published. One of the main motivations AND GUIDELINES
for its revision was the alignment of the strategic direction of an ISO 22000 links to various other international
organization with its food safety management. standards and guidelines and can help
organizations meet the requirements of these
Additionally, the adoption of the Annex SL structure allows an
systems as well.
easy integration with other international standards such as
ISO 9001, ISO 14001 and ISO 45001, making a smooth road
for auditors and auditees.
The standard itself also offers several advantages over other systems:
CONSISTENT GLOBAL INCREASED BUSINESS
STRUCTURE RECOGNITION OPPORTUNITIES
The structure of ISO 22000 is similar ISO 22000 is a well-known, Certification to an international
to that of other international standards. internationally recognized standard. standard such as ISO 22000
It is designed to integrate seamlessly Certification to it improves an opens doors for a business. Some
with other management systems from organization’s reputability with organizations require certification
ISO, such as ISO 9001, ISO 45001 customers, suppliers, investors, before they will supply or otherwise
and ISO 14001. regulatory groups and other work with a company.
parties worldwide.

4 ISO 22000:2018 IMPLEMENTATION GUIDE ISO 22000:2018 IMPLEMENTATION GUIDE 5

 STRUCTURAL CHANGES PDCA CYCLE
ON ISO 22000: ANNEX SL The recently updated ISO 22000 requires that in addition to the organizational Plan-Do-
Check-Act (PDCA) cycle, also known by the Deming Cycle wheel or Shewhart cycle, and
The ISO 22000, as other recently revised international standards such as ISO 9001 and following the high level structure, another PDCA cycle must coexist covering the operational
ISO 14001, has adopted the Annex SL structure during its 2018 revision. processes within the food safety system.

The Annex SL was initially approved in 2012. This section standards. This made it difficult for organizations to integrate Organizational planning and control
of the ISO/IEC Directive describes the common structure of the implementation and management of multiple standards;
all ISO management systems standards in which the new or Environment, Quality, Health and Safety and Food safety being
updated standards must be focused on when developing the among the most common.
relevant requirements. PLAN (FSMS) DO (FSMS) CHECK (FSMS) ACT (FSMS)
This structure tries therefore to eliminate confusions, 4. Context of the organization 8. Operation 9. Performance 10. Improvement
Prior to the adoption of Annex SL there were many differences duplications and conflicts from the different interpretations of 5. Leadership evaluation
between the clause structure, requirements, terms and management system standards. 6. Planning
definitions used across the various management system 7. Support
(Including control of externally provided
processes, products or services)

High level structure Additionally, ISO 22000:2018 has

also introduced a specific introduction
Operational planning and control

and annexes: PRPs

Annex SL consists of 10 core clauses: Validation
Hazard
0. Introduction Traceability system Hazard
of control
control plan Verification
1. Scope 0.1. General
analysis
measures
(HACCP/ planning
Emergency preparedness OPRP plan)
2. Normative references 0.2. FSMS Principles & response
3. Terms and definitions 0.3. Process Approach
Plan (Food safety)
4. Context of the organization 0.3.1. General
5. Leadership 0.3.2. Plan-Do-Check-Act Cycle
0.3.3. Risk-based thinking Implementation of the PLAN
6. Planning (food safety)
0.3.3.1. General Updating of preliminary Verification activities
7. Support information and documents Control of monitoring
0.3.3.2. Organizational risk management specifying the PRPs and the and measuring
8. Operation 0.3.3.3. Hazard Analysis hazard control plan Analysis of results of
verification activities
9. Performance evaluation - Operational processes Control of product and
process nonconformities
10. Improvement 0.3.3.4. Relationship with other
Act (Food safety) Check (Food safety) Do (Food safety)
management system standards
Of these clauses, the common terms and core
definitions cannot be changed. Requirements may The 2018 version adds the general management principles to the previously isolated food safety
Annex A Cross references between the principles of a FSMS, Principles of a Food Safety Management System:
not be removed or altered, however discipline-specific
requirements and recommendations may be added.
CODEX HACCP and this document
Annex B Cross references between this 2005: 2018:
All management systems require a consideration of the
context of the organization (more on this in section 4); document and ISO 22000:2005 • Interactive Communication Retains the principles listed under ‘2005’ whilst adding
a set of objectives relevant to the discipline, in this case • System management the common ISO management system principles
food safety, and aligned with the strategic direction of • Prerequisite programmes
the organization; a documented policy to support the • Customer focus
• Hazard Analysis and Critical Control Points
management system and its aims; internal audits and • Leadership
(HACCP) principles
management review. Where multiple management • Engagement of people
systems are in place, many of these elements can be • Process approach
combined to address more than one standard. • Improvement
• Evidence-based decision making
• Relationship management

6 ISO 22000:2018 IMPLEMENTATION GUIDE ISO 22000:2018 IMPLEMENTATION GUIDE 7

 PROCESS BASED RISK BASED
THINKING/AUDIT THINKING/AUDITS
A process is the transformation of inputs to outputs, which takes place as a series of Audits are a systematic, evidence-based, process approach to evaluation of your Food
steps or activities which result in the planned objective(s). Often the output of one process Safety Management System. They are undertaken internally and externally to verify the
becomes an input to another subsequent process. Very few processes operate in isolation effectiveness of the FSMS. Audits are a brilliant example of how risk-based thinking is
from any other. adopted within food safety management.

“Process: set of interrelated or

This also applies where processes, or parts of processes, are
outsourced. Understanding exactly how this affects or could
1st party audits
interacting activities which transforms affect the outcome and communicating this clearly to the – internal audits CERTIFICATION ASSURES:
inputs to outputs” business partner (providing the outsourced product or service)
ISO 22000:2018 Terms and Definitions ensures clarity and accountability in the process. Internal audits are a great opportunity for learning within • regular assessment to continually monitor
your organization. They provide time to focus on a particular and improve processes
The final process step is to review the outcome of the audit process or department in order to truly assess its performance.
Even an audit has a process approach. It begins with and ensure the information obtained is put to good use. A
identifying the scope and criteria, establishes a clear course
The purpose of an internal audit is to ensure adherence to • credibility that the system can achieve its
formal Management Review is the opportunity to reflect on policies, procedures and processes as determined by you, the intended outcomes
of action to achieve the outcome and has a defined output the performance of the FSMS and to make decisions on how organization, and to confirm compliance with the requirements
(the audit report). Using the process approach to auditing also and where to improve. The Management Review process is
ensures the correct time and skills are allocated to the audit.
of ISO 22000. • reduced risk and uncertainty and increase
covered in more depth in Section 9 – performance evaluation. market opportunities
This makes it an effective evaluation of the performance of the
FSMS. Audit planning • consistency in the outputs designed to
“Understanding and managing interrelated processes as a Devising an audit schedule can sound like a complicated meet stakeholder expectations
system contributes to the organization’s effectiveness and exercise. Depending on the scale and complexity of your
efficiency in achieving its intended results.” operations, you may schedule internal audits anywhere from
every month to once a year. There’s more detail on this in
section 9 – performance evaluation.

Risk-based thinking
The best way to consider frequency of audits is to look at the
risks involved in the process or business area to be audited.
Any process which is high risk, either because it has a high

£ potential to go wrong or because the consequences would

be severe if it did go wrong, then you will want to audit that
process more frequently than a low risk process. How you
assess risk is entirely up to you. ISO 22000 doesn’t dictate
any particular method of risk assessment or risk management,
apart from addressing this concept on the already mentioned
£ two levels, organizational and operational levels. However, the
standard requires you to describe and retain as documented
information the methodology used when conducting a risk
assessment.

8 ISO 22000:2018 IMPLEMENTATION GUIDE ISO 22000:2018 IMPLEMENTATION GUIDE 9

 THE 10 CLAUSES SECTION 2:
OF ISO 22000:2018 NORMATIVE
ISO 22000 is made of up 10 sections known as Clauses. As with most other ISO
management system standards, the requirements of ISO 22000 that need to be satisfied are
specified in Clauses 4.0 – 10.0.
REFERENCES
ISO/IEC Directives, Part two, Section 6.2.2, defines the inclusion of a normative
Unlike most other ISO management system standards, an The following parts of this guide provide an overview
organization must comply with all of these requirements; this explanation of the purpose of each clause, highlight the type reference as, “This conditional element [of the Standard] shall give a list of the
means they cannot declare one or more clauses as being not of evidence an auditor would expect to see to confirm that referenced documents… in such a way as to make them indispensable for the application
applicable to them. In ISO 22000, in addition to Clauses 4.0- you comply, and give tips on effective ways to comply with the
10.0 there is a further set of requirements detailed mostly in requirements.
of the document.”
Clause 8, which include the HACCP principles as per Codex
Alimentarius. This is considered the core of the system as well
as the operational level of the FSMS.
In other words, by citing something as a normative
reference, it is considered as indispensable to the
application of that particular Standard. Unlike
ISO 9001, there are no normative references in
ISO 22000; however, it would be useful for you to
have a look at the following ISO family standards

SECTION 1:
that will help to better understand its requirements:
A Food Safety Management System
• ISO 22004:2014 - Guidance on the application
is primarily intended to ensure food of ISO 22000
is safe for consumption. It does

SCOPE
this through the application of the • ISO 22005:2007 Traceability in the feed and food
chain - General principles and basic requirements
processes determined by you as
for system design and implementation
necessary for your operations, as well
as the processes determined by the • ISO/TS 22002-1:2009 PRP on food safety
standard as necessary for continual - Food manufacturing
improvement. A FSMS aims to assure • ISO/TS 22002-2:2013 PRP on food safety
conformity to applicable statutory, - Catering
regulatory and customer requirements. • ISO/TS 22002-3:2011 PRP on food safety
The 2018 version includes also feed producers - Farming
and animal food producers within the scope. • ISO/TS 22002-4:2013 PRP on food safety
- Food packaging manufacturing
The Scope section of ISO 22000 sets out:
• the purpose of the standard; • ISO/TS 22002-6:2016 PRP on food safety
• the types of organizations it is designed - Feed and animal food production
to apply to; and • ISO/TS 22003:2013 FSMS - Requirements for
• the sections of the standard (called bodies providing audit and certification of Food
Clauses) that contain requirements Safety Management Systems
that an organization needs to comply
with in order for the organization to be • ISO 10012:2003 Measurement management
certified as “conforming” to it (i.e. being systems - Requirements for measurement
compliant). processes and measuring equipment
• ISO/TR 10013:2001 - Guidance for quality
ISO 22000 is designed to be applicable
management system documentation
to all organizations in the food chain,
regardless of size and complexity; this • ISO 1015:1999 Quality Management
includes organizations that are directly or - Guidelines for training
indirectly involved in one or more stages of • ISO 19011:2018 - Guidelines for auditing
the food chain. Small and/or less developed management systems
organizations can implement and maintain a
FSMS that complies with ISO 22000. • ISO 31000:2018 Risk management - Guidelines

10 ISO 22000:2018 IMPLEMENTATION GUIDE ISO 22000:2018 IMPLEMENTATION GUIDE 11

 SECTION 3:
TERMS AND The following sections, 4 to 10, provide the requirements of the Standard. When reading

DEFINITIONS
the Standard it is important that as with past ISO 22000 versions, the word “shall”
indicates the mandatory requirements that an organization must meet and external
auditors, such as NQA, are required to verify conformance and effectiveness against.
In order to understand how each of the following clauses applies to each other the
remaining text applies to this diagram:
This section sets out the terms and definitions that are used in the Standard which may need
further clarification in order to apply the Standard to a particular organization. Some of them PLAN DO CHECK ACT
also include notes that seek to provide further information and clarity.If an electronic version
of the Standard has been purchased the definitions are hyperlinked to other definitions so 4 9
5 6 7 8 10
that there interrelationship can be seen. Context of the
Leadership Planning Support Operation
Performance
Improvement
organization & evaluation

8.1 9.1 10.1

There are some definitions that must be Additionally, some terms have been redefined 4.1
Understanding
5.1
Leadership
6.1
Actions to
7.1 Operational Monitoring, Nonconformity
Resources
mentioned due to its relation with the changes in order to provide a better understating the organization & commitment address risks planning and
control
measurement,
analysis and
and corrective
and its context & opportunities action
on the 2018 version: to users: evaluation
5.2 7.2 8.2 10.2
‘Significant food safety hazard’ ‘Critical Control Point (CCP)’ 4.2 Policy 6.2 Competence Prerequisite
9.2 Continual
Understanding programmes
Food safety hazard identified by an organization through the Step in a process at which a control measure can be applied the needs and
Objectives of
(PRPs) Internal audit improvement
the FSMS and
hazard assessment that needs to be controlled by specific and it is essential to prevent or reduce a significant food safety expectations the planning to
of interested 5.3
control measures hazard to an acceptable level. Critical limits and measurement Organizational achieve them 7.3 8.3 10.3
parties Awareness 9.3 Update the
enable the application of corrections. Both, CCPs and OPRPs roles, Traceability
Management FSMS
‘Control measures’ require monitoring, validation and verification responsibilities
6.3
system
review
and authorities
Action or activity used to prevent a significant food safety 4.3 Planning of
hazard or reduce it to an acceptable level ‘Operational Prerequisite Programme (OPRP)’ Determining changes 7.4
8.4
Emergency
the scope of Communication
Control measures identified through the hazard analysis the FSMS preparedness
‘Acceptable level’ as essential to prevent or reduce to an acceptable level and response
Level of a food safety hazard that must not exceed in the the probability of introducing risks and/or contamination or 4.4 7.5
finished product proliferation of a significant food safety hazard in food products Food Safety Documented 8.5
Management information Hazard control
or in the work environment. Action criterion and measurement
‘Action criterion’ System
or observations enable effective control of these processes.
Measurable or observable specification for the monitoring of an 8.6
(These are more specific to each organization than the PRPs) Updating the
operational prerequisite programme (OPRP). This action criterion
information
is established to assess whether the OPRP is under control ‘Monitoring’ specifying the
Planned sequence of observations or measurements PRPs and the
‘Competence’ hazard control
to evaluate whether a process is operating as intended. plan
Ability to apply knowledge and skills to get intended results
Monitoring shall be applied during an activity and provides
‘Interested party’ information for action during a specified time frame (“present 8.7
Person or organization that can affect, be affected by, or assessment”) Control of
monitoring and
perceive itself to be affected by a decision or activity
‘Validation’ measuring
‘Outsource’ Obtaining evidence that a control measure will be capable
Arrangement made where an external company (outside the of effectively controlling a significant food safety hazard. 8.8
Validation shall be applied prior an activity and provides Verification
scope of the management system) performs part of a function related to PRPs
or internal process within the scope information about the capability to deliver intended results and the hazard
(“future assessment”) control plan
‘Risk’
Effect of uncertainty; whereas effect means a deviation from ‘Verification’ 8.9
the expected (positive or negative), uncertainty is in fact a Confirmation, through the provision of objective evidence, Control of
state, even partial, of deficiency of information related to the that specified requirements have been fulfilled. Verification product and
process
understanding or knowledge of an event, its consequence, or shall be applied after an activity and provides information for nonconformities
likelihood. Risk is no longer only applicable to the operational confirmation of conformity (“past assessment”)
level of the organization, but it is implied in all aspects of the
system that could affect food safety

12 ISO 22000:2018 IMPLEMENTATION GUIDE ISO 22000:2018 IMPLEMENTATION GUIDE 13

 SECTION 4:
CONTEXT OF THE 4.2 Understanding
the needs and
Interested parties can be documented in the form of a map:

ORGANIZATION
expectations of
interested parties
The concept of customer has SHAREHOLDERS
disappeared to introduce the term of
This is a new concept in terms of ISO 22000:2018. This section requires the organization to analyse interested party. This section requires
its context, determine its interested parties, define the scope of the food safety management system the determination of interested parties SUPPLIERS LANDLORDS
and a clear focus on the processes and requirements needed to achieve the food safety objectives. (commonly known “stakeholders”)
that can influence FSMS positively
The clause is sequential as there is a need to understand the organization and context (4.1), prior to identifying interested parties and negatively. Once it has been
and understanding their needs and expectations (4.2), the output of both 4.1 and 4.2 allows determination of scope (4.3), and then decided which interested parties are
ultimately designing the FSMS (4.4): relevant and significant, their needs
and expectations within the FSMS
Clause 4.2 should be addressed.
Clause 4.1 Clause 4.3 Clause 4.4 COMPETITORS REGULATORS
Understanding the needs
Understanding the organization Determining the scope Food Safety They will probably be shareholders,
and expectations of
and its context of the FSMS Management System
interested parties landlords, regulators, customers,
employees, trade associations,
competitors, suppliers, distributors, FSMS
Understanding the context of the organization is usually conducted by top management with information about the business and and consumers, among others.
activities gathered at every level of the organization. Discussion points focus on internal and external issues which have an impact
on the FSMS system. You need to identify all those parties
and analyse how they can affect the
CONSUMERS DISTRIBUTORS
achievement of the main objective of a

4.1 Understanding the these issues can be positive or negative, but equally considered
to define our context. Once the context is determined, this will
FSMS that is to ensure food is safe.

organization and its context facilitate the establishment of food safety objectives. Some needs and expectations of our
interested parties are mandatory and
This section implies an analysis of the risks or issues that can There are numerous methodologies that can be used to incorporated into law and regulatory
impact our business, not just the internal but also the external determine context, such as the SWOT (Strengths, Weaknesses, requirements therefore must be
issues that can affect the capability of the management system Opportunities and Threats) analysis, the CPM (Competitive considered. The identified interested TRADE
CUSTOMERS
to get the intended results. As external issues we could include Profile Matrix) or PEST (Political, Economic, Socio-cultural and parties and their requisites must be ASSOCIATIONS
social, cultural and political trends, legal changes, technology Technological) analysis, among others. obviously revised when defined and
advancements, etc. that can influence the achievement of the also when changes apply to the
Even though documented information is not required with EMPLOYEES
established food safety objectives. organization. Having defined who
regard to context, this is extremely useful when your system is your Interested Parties are, ISO 22000
As these issues may vary, its revision must be done regularly audited and to demonstrate your understanding and analysis requires that you determine their
and now it is also mandatory as an input during your periodic of the mentioned issues, i.e.: meeting minutes, graphics, data potential and actual effects.
management review meetings. We also must bear in mind that analysis, etc.

External Issues Internal Issues

• Cultural, social, political, legal, financial, technological, • Governance, organizational structure, roles and
economic and natural surroundings including the accountabilities
environment in which the organization operates • Policies, objectives and the strategies in place to
• Who the competitors are and any contractors, achieve them
subcontractors, suppliers, partners and providers • Competence of personnel
• National and international law • Food Safety culture within the organization and the
• Industry drivers and trends which have influence on the relationship with workers
organization • Process for the introduction of new products, materials,
• The organization products and services and their services, tools, software, premises and equipment
influence on food safety • Working conditions
• Availability and variety of external providers of services/ • Resources (under-utilisation of resources)
products • Retention of skilled employees
• Changes in consumption patterns • Number and variety of clients/ customers
• Capacity of changes regarding premises (landlord) • Linkage to a certain activity, location and/or period

14 ISO 22000:2018 IMPLEMENTATION GUIDE ISO 22000:2018 IMPLEMENTATION GUIDE 15

 4.3 D
 etermining the scope of
the FSMS
This is not a new concept but it has been revised in order to
refer to the physical and / or geographical site within which
your operations take place, the products / services included
in the FSMS, the relevant parties you have identified and
the special characteristics such as type of packaging used,
storage or shelf-life conditions of the product/s . Your scope
statement must be maintained as documented information.

When the application to NQA is made to have the system

audited for certification, it is necessary to declare the scope in
a statement. This will ensure that they send the correct auditor
with experience in your industry sector.

For example:
‘The fermentation, carbonation and packing of red wine into
glass bottles’

Using this example, you can see that each step will incorporate
many processes including workers, machinery, regulatory
requirements, external providers, customers (end users) and
competence which will be audited.
New consideration for
4.4 F
 ood safety climate change
management system ISO has made changes to ISO 22000 to emphasise the
As a result of the previous clauses, an organization then has importance of addressing the effects of climate change
to establish, implement, maintain and continually improve a within the framework of organisational management
FSMS. systems.

This section mentions the need of focusing in the interaction of To enhance organisational awareness and response
processes. All processes and their interactions included in the to climate change, ISO has introduced two critical
scope of the FSMS must be determined and controlled in order changes within Clause 4:
to get the intended results in accordance with the strategic
direction of the organization and the food safety policy. Original Clause 4.1:
“Understanding the organisation and its context. The
organisation shall determine external and internal
issues that are relevant to its purpose and that affect
its ability to achieve the intended result(s) of its XXX
management system.”

This clause now explicitly includes the

statement: “The organisation shall determine
whether climate change is a relevant issue.”

Original Clause 4.2:

“Understanding the needs and expectations of
interested parties. The organisation shall determine:

• The interested parties that are relevant to the XXX

management system.
• The relevant requirements of these interested parties.
• Which of these requirements will be addressed
through the XXX management system.”

The clause now also states: “Note: Relevant

interested parties can have requirements
related to climate change.”

16 ISO 22000:2018 IMPLEMENTATION GUIDE ISO 22000:2018 IMPLEMENTATION GUIDE 17

 SECTION 5:
Once the FSMS policy has been approved it must be
communicated to all interested parties including operators,
and also customers and external providers on request. In
Who is responsible for what?
addition, periodically the food safety policy must be reviewed This section requires the organization to define clear
by top management to ensure it remains applicable to the

LEADERSHIP
roles, responsibilities and authorities throughout the
context of your organization. organization. Top management shall also ensure that all
responsibilities and authorities have been assigned and
The top management commitment with respect to the
understood.
FSMS must be visible and palpable. A good way to
demonstrate commitment to clients, operators and general All personnel must know what it is expected from them
public is to ensure your food safety policy is visible and (responsibilities) and what top management allows
also well communicated in any or all of the following: them to do (authorities). This can be easily implemented
The standard states that top management shall demonstrate leadership and commitment through an organigram and job descriptions of all staff
• Recruitment packs
with respect to the FSMS. But who is top management? According to ISO 22000, top • Induction packs
of the organization with their duties and authorities
management is the person or group of people who direct or control an organization at the described.
• Supplier evaluations
highest level. • Supplier contracts ISO 22000 does specify a requirement for a nominated
food safety team leader that ensures the system is
• Notice boards on site
established, implemented, maintained and updated
• Website / intranet site
Demonstrating leadership • Annual staff appraisals
when required.

and commitment Setting the food safety It certainly makes life easier for an external auditor to
have a clear point of contact, and this person must
There is no longer an excuse for top management not being
policy Don’t forget your food safety policy must be available and
maintained as documented information. have suitable authority to manage the system, ensure
present during a certification audit. An external auditor will the work is managed as well as the relevant training
Practically this requirement has not changed with
expect to discuss leadership with those who manage the and competencies of the food safety team, report
respect to the previous version. A policy contains the
organization. on the effectiveness and suitability of the FSMS and
intention and direction of an organization as formally
make continual improvements as determined by top
expressed by its top management.
The previous version of ISO 22000 already included management.
examples of how leadership can be demonstrated within The food safety policy is approved by top management
the FSMS management system: and will drive the controls that are in place and the
• Establishing the food safety policy actions that are carried out to improve it.
• Demonstrating that food safety is supported by the
The standard specifically requires that the food
objectives of the organization
safety policy, which shall be appropriate to the
• Provision of appropriate and sufficient resources
purpose and context of the organization, must
• Facilitating the culture of continual improvement
include commitments to:
• Communicating appropriately amongst interested parties
• Ensuring the integration of the FSMS requirements into the • Provide a framework for setting and reviewing
organization’s business processes objectives of the FSMS
• Leading the management review meetings • Satisfy applicable food safety requirements, including
statutory and regulatory requirements and mutually
Additionally, the 2018 version states that top management
agreed customer requirements related to food safety
shall also:
• Address internal and external communication
• Ensure that the strategic plans of the organization and the • Continual improvement of the FSMS system
food safety objectives are compatible and integrated within
• Ensure competencies related to food safety
the organization
• Ensure the integration of the FSMS requirements into the
organization’s business processes

18 ISO 22000:2018 IMPLEMENTATION GUIDE ISO 22000:2018 IMPLEMENTATION GUIDE 19

 ISO 22000:2018

SECTION 6:
PLANNING
Planning is one of the key components of any management system. This section sets out a
framework that asks an organization to analyse itself to determine the risks and opportunities
of its activities and then how to address them.

Addressing risks and opportunities and achieving your food

safety objectives require an action plan.
Action!
First of all, plan all actions to address the identified risks and
If you’ve been thorough in your assessment of context opportunities previously defined and then identify the way to
and the needs and expectations of interested parties, integrate and implement them in your FSMS and evaluate their
then the potential risks and opportunities will likely have effectiveness.
made themselves quite apparent. You’re looking to
answer the following questions: Now risks not only involve food safety risks but also those
risks than can impact your FSMS losing productivity and
effectiveness. ISO 22000 differentiates between two types of
1 What are we trying to achieve? risk management, the one that focuses just on the operational Objectives An effective way to communicate food safety objectives is to
include them in induction training, display them around your
level and that can be controlled through the establishment
2 What could stop us from achieving our objectives? It is a requirement of the standard to set achievable food safety site or electronically via an intranet or similar.
and maintenance of PRPs, OPRPs, CCPs and emergency
preparedness, and also the risks that affects the entire objectives with the means to periodically measure progress,
3 How will we address these issues? The SMART term will guide you on the establishment of
management system and could make an impact into food demonstrating continuous improvement.
adequate objectives for your organization, so you should
safety. The latter are those that could happen but there is no think of the following requirements when setting them as
4 How can risks be turned into opportunities? history of them happening or, if they did, that was a sporadic The objectives need to be:
they should be:
event. Therefore, recurrent events are not to be considered • Consistent with the food safety policy
5 How can opportunities help us to improve? as organizational risks and these must be controlled by the • Measurable • Specific, as precise as possible
establishment of corrective actions. • Consistent with applicable food safety requirements, • Measurable, quantifiable so we can monitor progress
6 Who will be responsible for actions?
including statutory, regulatory and customer requirements • Achievable, failure shall not be built into objectives
All actions taken to address the identified risks and • Realistic, possible for your organization
7 When will we need to take action by? opportunities must be proportionate to the potential impact • Monitored and verified
• Communicated • Timely, with a completion date established
on the conformity of product/s and service/s and customer
8 How will we know whether our actions • Maintained and updated
were effective?
satisfaction.
• Documented Managing change
Additionally, the objectives must be realistic, so they can be When you’ve put so much time and effort into all this
achievable and also help you to identify possible opportunities planning, it would be a shame for an inadvertent change to
of improvement. mess it all up!

When there is change in the system, your organization must

maintain the integrity of the FSMS, so the changes must be
Your action plan should include: considered and a revision conducted to implement them.

• What will be done In light of this, clause 6.3 expects that any changes that you
• What resources will be required (to the best of your determine are necessary to the food safety management
understanding at the time) system are carried out in a planned manner. This should take
• Who will be responsible into account the extent of the changes deemed necessary, the
• When actions will be completed potential impact on the existing system, how you will resource
• How results will be evaluated the changes and any effect this may have on current roles,
responsibilities and authorities.
Putting these into a simple matrix can help to
clarify the objectives, however if you already
record this type of information somewhere else,
there is no need for you to duplicate.

20 ISO 22000:2018 IMPLEMENTATION GUIDE ISO 22000:2018 IMPLEMENTATION GUIDE 21

 SECTION 7:
SUPPORT The diversity of activities within the organization will determine The organization must also consider the competence of
This section looks at the resource, competence, awareness, communication and the level of training required to fulfil competence. Training gaps external providers including the procurement of contractors
are usually identified with the development of new processes, conducting tasks on site. The organization’s procurement
documentation of a FSMS. The requirements really underpin a FSMS and ensure that it
for example the introduction of new machinery or in achieving process may provide the structure for management of external
runs effectively. compliance with regulatory requirements. No matter how big providers; including evidence of capability, competence and
or small the organization is, training records are essential as on site, this may be supported with site induction training.
reference and evidence of the fulfilment of competence.
Either internally or externally, the organization’s top
Resources including people, environment. This can also include addressing some of the
softer elements such as employee wellbeing, stress-reduction,
Consider an overview training matrix identifying fulfilled training management must be confident that mechanisms are in place

infrastructure and work clear lines of reporting, employee appraisals, rewards

gaps including refresher training dates. In addition, consider
individual training records with signatory evidence from the
to provide workers with suitable and sufficient competency
based food safety training.
systems etc.
environment employee to acknowledge completion and understanding of
training including for example the training on OPRPs and CCPs Awareness can be addressed through ensuring your FSMS
This section can be easily controlled by the implementation of
You must determine the resources required for running your of your process provided to specific operators. is explained during recruitment and induction, at regular
prerequisite programmes.
business by considering the capability and limits of your appraisal or review meetings with line management, through
You must not forget all this training shall be provided by regular meetings and / or communications relating to
organization, the need of external support and the resources
needed for every process and/or product. These processes
Control of external providers qualified personnel, so evidence for their competence is also food safety policy, objectives, and their contribution to the
and/or products must also be assessed in order to consider if mandatory, and the monitoring of performance to evaluate effectiveness of the FSMS as well as the consequences of not
The standard specifies that all elements of the FSMS effectiveness. The need for refresher training can be also complying with the requirements.
changes on resources will be needed to improve them. developed externally shall be identified, controlled and detected by:
documented (this includes for example measuring and
You must demonstrate your people are competent. Simply, do
monitoring equipment). • Corrective actions
you have the right people with the necessary skills / attributes
in appropriate roles? If you’re currently missing some specific • Management review meetings
Same conditions apply to externally provided processes, • Results of Internal audits
skills, how do you plan to address this? products or services, since you will be required to ensure you • Specific competence depending on the role
set all required specifications and they shall be met before any
Will you recruit or will you outsource? If you’re outsourcing,
agreement is done with an external provider.
how will you communicate your requirements to your supplier?
Bear in mind you must also maintain documented evidence to This section focuses on ensuring that all external processes,
demonstrate competency, responsibility and authority of the
external personnel.
services or products will not affect the safety of your finished Communication
products or services. The evaluation and continuous
monitoring of performance of providers is a must. Effective and efficient internal and external communications are the “key” to running a FSMS. The Standard is
When talking about infrastructure, this means determining, helpful in providing a framework in order to depict the communication process within an organization. By turning
providing and maintaining the premises, equipment, software, this into a table and with reference to the “interested parties” or “stakeholder” analysis undertaken in 4.2 a
transportation, storage, technology, etc. that are needed to Competence & awareness communications “plan” can be formed:
carry out your business operations.
An organization working effectively and efficiently must have
What will be Who will When will it be To whom will it be How will it be
We need to consider how we are going to provide, manage competent personnel. In terms of FSMS it is essential that
communicated? communicate it? communicated? communicated? communicated?
and maintain the needs of every area and equipment to be employees have access to information and have been suitably
able to perform our processes in an effective manner. trained to prevent food safety hazards.

Ensuring you can cope with customer demands can be helped

by the work you did to address clause 4 and clause 6. Some Competence can include consideration for:
examples to demonstrate conformity are a list of equipment in Of course, the columns can be re-arranged if necessary!
use, resources planning, maintenance planning of premises • Capability to fulfil the task based on defined job roles
and equipment, maintenance records, etc. One area that is often forgotten is communication with “persons doing work under the organization’s control”. As a “rule of
and clear understanding of the consequences of its
thumb” it is advisable to treat contractors or outsourced operations as if they were “direct” employees and communicate
performance in food safety
Regarding work environment, this isn’t referring to the great in a manner that is effective and so that the communication is two-way. By adopting this philosophy it ensures that the
• Knowledge and experience of the food safety team
outdoors. This means providing an environment that is suitable “persons doing work under the organization’s control” can contribute to continual improvement.
• Defined methods of recruitment with consideration for
for what you are trying to achieve. Whether that is a factory, temporary or agency employees There must be an efficient communication system with providers of services, products or processes, customers, and
office or any other type of working space, make sure you have • Awareness of food safety hazards associated with the regulators among others interested parties, and also internally with the food safety team. In conclusion, the communication
the right atmosphere to enable you and your employees to products and processes system shall include all interested parties; however, remember to clearly defined who will be the person that provides these
operate effectively. • Legal requirements communications.
Adequate heat, light, airflow, hygiene, noise levels, hand- • Individual capabilities including experience, language
skills, literacy and diversity The outcome of the relevant internal and external information must be used as input to the management review.
washing stations, etc. all contribute to an effective working

22 ISO 22000:2018 IMPLEMENTATION GUIDE ISO 22000:2018 IMPLEMENTATION GUIDE 23

 Documented Clause Documentation Requirement
information 4.3 Determining the scope of the food safety management system

Previously the standard used to mention 5.2.2 Food Safety Policy

that the establishment or maintenance 6.2.2 FSMS Objectives
of specific documented procedures
and records were required, now 2018 7.1.2 People
version refers to maintain or retain
7.1.5 Externally developed elements of the food safety management system
documented information.
7.1.6 Control of externally provided processes, products or services
Put simply, maintain means that you
must keep it up to date, for example 7.2 Competence
your policy and food safety objectives.
7.4.2 External communication
Retain means you must keep records
as evidence that you have satisfied that 8.1 Operational planning and control
particular requirement.
8.2 PRPs
You must ensure that all documents
8.3 Traceability
relating to your FSMS are easily
identifiable, are in a suitable format, are 8.4 Emergency preparedness and response
protected from unintended alteration
or destruction, and are available to the 8.5.1.1 Preliminary steps to enable hazard analysis
right people in the right version at the 8.5.1.2 Characteristics of raw materials, ingredients and product contact materials
point at which they are needed.
8.5.1.3 Characteristics of end products
It also makes sense to keep a record of
8.5.1.4 Intended use
all your FSMS documentation along with
its current version / issue number, when 8.5.1.5.2 On-site confirmation of flow diagrams
it was last updated, who is responsible
for the content, a summary of any 8.5.1.5.3 Description of processes and process environment
changes made during revisions, when 8.5.2.2 Hazard identification and determination of acceptable levels
it is next due for a review, how long it
must be retained for and how it is to be 8.5.2.3 Hazard assessment
disposed of.
8.5.2.4.2 Selection and categorisation of control measures
There are clear instructions as 8.5.3 Validation of control measure(s) and combinations of control measures
to what minimum documented
information the standard requires: 8.5.4.1 Hazard control plan
8.5.4.2 Determination of critical limits and action criteria
8.5.4.3 Monitoring systems at CCPs and for OPRPs
8.5.4.5 Implementation of the hazard control plan
8.7 Control of monitoring and measuring
8.8 Verification related to PRPs and the hazard control plan
8.9.2 Corrections
8.9.3 Corrective actions
8.9.4.1 Handling of potentially unsafe products
8.9.4.2 Evaluation for release
8.9.4.3 Disposition of nonconforming products
8.9.5 Withdrawal/ recall
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal Audit
9.3 Management review
10.1 Nonconformity and corrective actions
10.3 Update of the FSMS

24 ISO 22000:2018 IMPLEMENTATION GUIDE ISO 22000:2018 IMPLEMENTATION GUIDE 25

 SECTION 8: OPRP or CCP?
An assessment of each of the control measures is
Verifying the verified!
First of all, ensure the person responsible for verification

OPERATION
needed to categorize them to be managed as OPRP activities is not the same one that conducts their
or CCP, so you need to evaluate: monitoring. Through verification you will be able to
• the probability of failure and how easy is to keep it make sure that:
under control
• its severity when failing and what effect can cause the • Input to hazard analysis is updated
measure implemented • PRPs are implemented and updated
• its location with respect to other activities • OPRPS and CCPs are implemented and effective
This is the core of a FSMS, where mostly all HACCP principles are integrated and the implemented to reduce specific hazards • Hazard levels are within identified acceptable levels
• whether it’s specific for that particular hazard • Every implemented procedure you established
moment when “doing” is the key after being planning your system. is effective
• if other measures are required to reduce the hazard to
an acceptable level
All these verification results must be assessed
• the viability to establish measurable critical limits and/
Annex SL only provides a common requirement, operational procedures in place and challenge its effectiveness, so you by the defined food safety team, so this will give
or action criteria
planning and control, the rest of clauses are specific to will be able to see if they work when needed. The documented you information with regard to how your system is
• the feasibility of monitoring to detect failures on the
each standard. evidence of these tests will be retained for a defined period not performing.
applicable determined limits and also corrections in
less than the shelf-life of the product/s provided.
Therefore, the first step is to ensure you have fully understood case of failure
all the requirements for your product or service. This will Bear in mind that if traceability is an important factor in your
Don’t forget to maintain this decision-making process
involve liaising with customers as well as implementing product or service delivery, then you must ensure that all
measures to ensure all applicable legal requirements are monitoring and measuring equipment is fit for the activities
and results as documented information!
Control of non-conforming
met. This means, establishing criteria for your processes. It is
essential that you determine and review your organization’s
undertaken and is suitably calibrated and maintained. You
must maintain documented evidence of such equipment being
Your hazard control plan must contain, as a
minimum, the following information for all identified
products and processes
ability to meet the necessary requirements before you commit fit for purpose. CCPs and OPRPs: We must start this section ensuring all staff responsible for
to anything. • what food safety hazard are you controlling with this corrections and corrective actions must be competent and
At this point, the ISO/TS 22005:07 may be of help as it will
CCP or OPRP have the authority to carry out these activities.
All controls you previously planned, that may be supported provide you guidelines for the establishment of a good
• what measure have you put in place to do so
by PRPs, OPRPs and/or your HACCP plan, must be now in traceability system. Within section 8 of the ISO 22000 standard, the specified
• the critical limit/s or action criteria in place that can’t
place and all relevant documented evidence will be available to corrective actions and corrections are focused at the
be exceed
demonstrate you did act as planned.
Hazard control • how do you monitor this activity operational level, so this will include all immediate actions to
• which corrections and corrective actions will be be taken when limits established for OPRPs and CCPs are
Prerequisite programmes There is no much difference between the requirements carried out if critical limits or action criteria is not met exceeded and also actions that will be done to avoid their
established by the HACCP principles developed by Codex
(PRPs) Alimentarius and the information you will find in this section.
• who is responsible for this activity (defined
responsibilities and authorities)
recurrence.

The food safety team will collect, maintain as documented • what records do you maintain as monitoring evidence When critical limits for a CCP or action criteria for an ORP are
2018 version suggests the use of specific ISO/TS 22002 series and update preliminary information to continue with this point, not met, you must treat the product as potentially unsafe from
depending on the sector you are working on, to determine such as scientific documentation, regulations applicable to the As mentioned in section 3 when talking about entering the food chain. These products must be identified and
the PRPs applicable to your organization that will assist in sector, customer needs, historical data of food safety hazards definitions, the critical limits established for CCPs must retained at your organization at all times until its evaluation and
controlling food safety hazards. associated with the product or service, etc. be measurable. Likewise, the action criteria defined for disposition is determined.
The idea is to implement PRPs that are appropriate to your the OPRPs must be also measurable or observable.
Before carrying out the analysis of hazards, do not forget to You need to define why you have selected those Where monitoring shows that critical limits at CCPs are
context, size and activities conducted. These prerequisites will establish a multidisciplinary team with a defined leader. This not met, you shall not release these products; instead their
be established before conducting the hazard analysis, and its specific critical limits and action criteria and establish a
is the first step of HACCP, and although ISO 22000 does not monitoring system to defect any failure. disposition must be documented and authorized ensuring:
selection, implementation, monitoring and verification must be specify this requirement in this section, it is mandated as part
also documented. of the responsibilities of top management. If visual inspections from staff are implemented as a • their reprocessed to ensure the food safety hazard is
monitoring system for a specific OPRP, you need to reduced to an acceptable level,
The standard provides a list of PRPs that every organization Once established the characteristics of raw materials, end • other use that do not jeopardize food safety in the food
shall consider, easy and quite straight to the point, do not miss define what instructions or specifications were provided
products, intended use and a very detailed flow diagram/s, to personnel in order to ensure the system will be chain, or
any of them! as the standard now requires, it’s time to carry out the hazard • their destruction or disposal as waste
effective.
analysis. You can find some notes that make clear from where
Be ready to expect the the identification of hazards can be obtained, for example the As usual, at this point, any failure will be considered Likewise, when defined action criteria for an OPRP are not
met, the identified non-conforming products won’t be released
unexpected experience that can refer to information from internal staff or
experts in the matter.
non-conformity and you must follow it up establishing
immediate corrections, retaining unsafe products unless all established monitoring activities demonstrate that
under control, analysing the cause and implementing control measures were effective, the combined effect of control
Have you established a traceability system and also a The evaluation of hazards, based on their severity of harm and measures make the product suitable, or other verification
corrective actions to ensure recurrence is prevented.
procedure to respond to emergency situations? Let’s prove it! probability of occurrence, will include the establishment of activities can demonstrate the product/s conform/s to
specific measures or combination of them to prevent or reduce Now that the PRPs, hazard control plan and all related acceptable levels for the specific food safety hazard.
Examples of emergency situations could be natural disasters,
the significant food safety hazards to acceptable levels. But requirements are established and documented when
an earthquake, sabotage, blockage of main utilities, If they are already out of your premises, then you must initiate
make sure all implemented measure/s worked as expected! necessary, look back and make sure the preliminary
environmental accidents, etc. a withdrawal or recall and notify all relevant interested parties.
(Remember how validation is defined in section 3 of this guide) information to enable the hazard analysis is still
When previously ISO 22000 did not require a test for these adequate!
activities, now it is crystal-clear. Implement a system with

26 ISO 22000:2018 IMPLEMENTATION GUIDE ISO 22000:2018 IMPLEMENTATION GUIDE 27

 SECTION 9:
PERFORMANCE
EVALUATION
There are three main ways in which performance of a FSMS is evaluated. The first being
process monitoring and measurement, the second being through internal audits and the
third being the management review.

Process performance actions must be taken without undue delay. If a long-term fix
requires significant planning and maybe funding approval,
As an organization you will need to decide what you need to consider whether a short-term fix is possible and appropriate.
monitor and measure in order to be assured that your processes
are operating as intended. You will also need to establish how Management review
often you will monitor and measure, what resources will be
required, how results will be recorded, analysed and evaluated Management Review is an essential element of the FSMS.
and who will carry out these evaluations. This often results in a The aim of the review is for Top Management to assess the
series of Key Performance Indicators (KPIs) which relate directly performance of the management system to ensure it has been
to your food safety objectives (set in section 6). You will need effective, adequate and suitable for the needs of the business,
to retain documented information as evidence of the results ultimately preventing unsafe food products or services to
of performance evaluation and use them as an input to the consumers. The management review is also a planned activity to
management review and the updating of the FSMS. review objectives including compliance and to set new objectives.

Usually management review meetings are conducted annually,

Internal audits however many organizstions conduct management reviews every
six months or quarterly to track the performance of the system.
ISO 22000:2018 determines that internal audits must be carried
If more frequent meetings are conducted, often the meeting
out at planned intervals. It is for you, the organization to decide
agenda is reduced with the full agenda occurring annually.
what those intervals should be. As an indication, you may wish
to audit all processes at least once across an annual period, with You will need to retain documented information on your
higher-risk processes being audited more frequently. The purpose management reviews; these would normally be meeting minutes
of internal audits is two-fold. Firstly to check that the management or perhaps call recordings if you carry out conference calls.
system conforms to the requirements specified by you, the
organization as necessary for your operations; secondly to ensure
conformity to the requirements of ISO 22000:2018. ISO 22000:2018 includes new elements to be considered
during management review meetings, apart from the
Audit frequency should also be influenced by the results of
inputs already mentioned in the previous version:
previous audits and any changes which you are aware may affect
the process. So, if you have a problematic process or area, it • changes in context (internal and external issues) that
would make sense to audit it more frequently for a while until a may affect the FSMS
solution is implemented and has been seen to be effective. • information on the performance and the effectiveness of
the FSMS, including trends in:
The Standard also says that auditors should conduct audits to - review of identified risks and opportunities and
ensure objectivity and the impartiality of the audit process. This is effectiveness of actions taken
sometimes inherently difficult as internal auditors (by their name) - performance of providers of services, processes or
have a close relationship with the organization being audited. products
However, sensible guidelines so that internal auditors do not audit - non-conformities and corrective actions
their own processes should be strived for. - monitoring and measuring results
- whether the objectives have been achieved
Internal audits are a great opportunity to spend some time
• the adequacy of resources
investigating a specific process or area and evaluating its
• opportunities for continual improvement
performance. It is an ideal way to find areas for improvement and
to fix potential issues before they occur. Think of internal audits With regard to outputs, your organization must
as keeping your finger on the pulse of your organization. Internal consider the decisions and actions related to continual
audit findings must be reported to the food safety team and improvement opportunities and any other need for
relevant management and naturally form part of the management changes and updates of the FSMS.
review agenda. Where necessary, corrections and corrective

28 ISO 22000:2018 IMPLEMENTATION GUIDE ISO 22000:2018 IMPLEMENTATION GUIDE 29

 SECTION 10:
IMPROVEMENT
This section requires your organization to determine and implement opportunities for
improvement to comply with the determined intended purpose of the product, what it is
expected from customers, and prevent and reduce undesired effects while continually
improving the system.

Nonconformity and corrective action

Now ISO 22000:2018 refers to all those nonconformities that • Evaluate the need for action to eliminate the causes of
come up from the management system and not just from the the nonconformity, in order that it does not recur or occur
operational level, as we discussed in the previous section. elsewhere, by:
- reviewing the nonconformity
A methodology to capture, manage and resolve needs to be - determining the causes of the nonconformity
undertaken and the Standard asks for the following: - determining if similar nonconformities exist, or could
potentially occur
• React to the nonconformity and, as applicable:
• Implement any action needed
- take action to control and correct it
• Review the effectiveness of any corrective action taken
- deal with the consequences, including mitigating adverse
• Make changes to the FSMS, if necessary
environmental impacts

The Standard says that this process should be documented. There are various ways to achieve this but usually this comprises
a “Corrective Action Request” (CAR) for each corrective action and a “log” which is essential to record and manage the CAR’s.
This is especially useful where numerous corrective actions are raised.

The “log” can be as simple as:

Audit date NC description Responsibility When due Action taken Date of closure

More complex systems can “code” different types of nonconformity. This can then be used to generate trend data that can be
useful in on-going performance appraisal of the EMS and the Management Review process.

Continual Update of the food safety

improvement management system
The standard says that “The This section has not changed in 2018 version, as a summary, top management must
organization shall continually provide the resources needed to ensure the system is continually updated. The food
improve the suitability, safety team shall evaluate the FSMS at planned intervals, considering the hazard
adequacy and effectiveness of analysis, and identified OPRPs and CCPs. The evaluation must be based on:
the FSMS”. • Internal and external communication
• Conclusions from analysis of results of verification activities
In other words, if all the above
• Outputs from management review meetings
sections are established and
• Any other information related to the adequacy and effectiveness of the FSMS
implemented as well as FSMS
updating, then continual These updates must be retained as documented information and reported as input of
improvement will occur. the management review.

30 ISO 22000:2018 IMPLEMENTATION GUIDE ISO 22000:2018 IMPLEMENTATION GUIDE 31

 GET THE MOST
FROM YOUR
MANAGEMENT
SYSTEMS
Top tips for the successful implementation of a FSMS

1. To have an effective FSMS ensure that 6. Review your monitoring and measuring
“Top Management” is committed to its devices are calibrated at specified
establishment, implementation, update frequency to ensure reliable results.
and continual improvement.
7. Remember your suppliers. Some
2. Get everyone involved. Top suppliers will help you enhance your
Management for context, requirements, FSMS, some will increase your risk. You
policy and objectives setting; food need to ensure any high-risk suppliers
safety team and assigned personnel have controls in place that are at least
with valuable competence for hazard as good as yours. If they don’t then look
analysis and risk assessment, process for alternatives.
control and procedure writing.
8. Food Safety concepts are likely to
3. Make sure your system includes be new for many or most of your
two PDCA cycles at operational employees. People may need to change
and organizational levels, and habits ingrained over many years. A
communication between them is single awareness briefing is unlikely to
established and maintain at all times. be sufficient, so focus on your personnel
competence as a fundamental key for
the implementation of a good FSMS.
4. Remember to identify how you have
selected the applicable food safety
hazards within your system; these are 9. Remember to allocate sufficient
specific to each process and product resources to routinely test your controls.
and also depending on applicable The threats your organization faces will
regulations and customer needs, so this constantly change and you need to
information is not interchangeable! test whether you are able to respond to
those threats.
5. When changes to products or
processes occurred, either planned
or unintentionally, ensure your system
is reviewed and established control
measures still effective for the intended
purpose of the FSMS.

32 ISO 22000:2018 IMPLEMENTATION GUIDE ISO 22000:2018 IMPLEMENTATION GUIDE 33

 NEXT STEPS ONCE
IMPLEMENTED
AWARENESS TRAINING INTERNAL AUDIT
1 • Your organization should raise awareness about
6 • A robust internal audit system for the organization is
various standards covered under FSMS. essential.
• You should hold separate training meetings for top • It is important to implement corrective actions for
management, middle management and junior level improvements, in each of the audited documents,
management, which will help to create a motivating in order to bridge gaps and ensure effectiveness of
environment, ready for implementation. FSMS.

ORGANISE A MANAGEMENT ‘SYSTEM’

POLICY AND OBJECTIVES 7 REVIEW MEETING
2 • Your organization should develop an Integrated Food
• Top management must review various official
business aspects of the organization, which are
Safety/ Quality/ Environmental and Health & Safety relevant to the standards being implemented.
Policy (if applicable) and relevant objectives to help
meet the requirements. • Review the policy, objectives, changes in context,
results from previous management meetings,
• For integrated systems, by working with top results of system updating activities, monitoring and
management your company should hold workshops measuring results, analysis of results of verification
with all levels of management staff to outline the activities related to PRPs and hazard control plan,
integrated objectives. results of internal and external audits, results of
process performance of external providers, results
of complaints/feedback/legal compliance, results of
risk and opportunities, adequacy of resources, and
INTERNAL GAP ANALYSIS develop an action plan and any need for changes or
3 • Your organization should identify and compare the
updates to the FSMS following the meeting - which
must be minuted.
level of compliance of existing systems against
requirements of the standards under your new FSMS.
• Relevant staff should all understand the operations
of the organization and develop process map for the
activities within the business. THOROUGH GAP ANALYSIS OF
8 IMPLEMENTED SYSTEMS
• A formal pre-certification gap analysis should be
conducted to assess effectiveness and compliance
of system implementation in the organization.
DOCUMENTATION / PROCESS DESIGN
4 • The organization should create documentation
• This final gap analysis will prepare your organization
for the final certification audit.
of the processes as per requirements of relevant
standard(s).
• You should write and implement a manual, functional
procedures booklet, work instructions, system CORRECTIVE ACTIONS
procedures and provide associated terms. 9 • Organization should be ready for final certification
audit, providing that the gap analysis audit
conducted in the last step and all the non-
conformities (NC) have been assigned corrective
actions.
DOCUMENTATION / PROCESS • Check that all the significant NCs are closed and the
5 IMPLEMENTATION organization is ready for the final certification audit.

• Processes / Documents developed in step 4 should

be implemented across the organization covering all
FINAL CERTIFICATION AUDIT
10
the departments and activities.
• The organization should hold a workshop on the • Once completed, your organization is hopefully
implementation as per applicable for the ISO recommended for registration to ISO 22000.
standard requirements.
• CONGRATULATIONS!

34 ISO 22000:2018 IMPLEMENTATION GUIDE ISO 22000:2018 IMPLEMENTATION GUIDE 35

 NQA ASSOCIATE
PARTNER PROGRAMME
FOOD SAFETY
MANAGEMENT
TRAINING If you are looking for a
consultant to assist you
with a new or existing
Improve your skills and understand the clauses and requirements within popular Food
Safety standards, held in collaboration with iqms Learning.
management system,
NQA can help!
Our APP has consultants from all over
the country enlisted on it. The register is
designed to help you find experienced
COURSE DETAILS LVL. DURATION PRICE consultants who can help.

Food Labelling & Legislation 1 1 Day £425

HABC Level 2 Award in HACCP for Food Manufacturing (RQF) - In-House 1 1 Day £1595

Understanding & Implementing TACCP & VACCP 1 1 Day £425

Internal Auditor Training 2 2 Days £745

HABC Level 3 Award in HACCP for Food Manufacturing (RQF) 2 2 Days £625
We have been The professionalism Since being certified
HABC Level 3 Award in Food Safety in Manufacturing (RQF) 2 3 Days £895 using JMT Quality and work-ethic Clark to ISO 9001 and ISO
Consultants as our ISO from CBO Associates 14001 we have relied
ISO 22000:2018 Lead Auditor Training 3 5 Days £1550 external auditor for the showed during our on Martin Giddens
past couple of years ISO 9001 process from Morton Hodson
HABC Level 4 Award in HACCP for Management (CODEX Principles) (RQF) 3 5 Days £1395 and I wish that we had was excellent. Clark for support with our
done so much earlier! is a professional annual process auditing.
We have found them in his delivery, a Martin understands our
to be very professional, knowledgeable person business and always
providing not only a that offers a high advises us of which
comprehensive audit level of service which changes to guidance
report but additional makes him an ideal and regulations apply
ideas for improvement QHSE Consultant. and what we need to
and contacts for our His ideas and do to implement them.
company that we delivery are both Martin’s expertise
could additionally creative and effective. ensure that staying
benefit from. CLARK-IT,
compliant is simple.
ABERDEENSHIRE LONSDALE DIRECT
SAFETYBOSS
SOLUTIONS

To find a consultant to support you through ST

E D G LO B
A

U
your certification journey contact us on:

LL
TR

Y
0800 052 2424 (option 2) or email [email protected] YE ARS
SI

•
NC 8 8
E 19 0015

36 ISO 22000:2018 IMPLEMENTATION GUIDE ISO 22000:2018 IMPLEMENTATION GUIDE 37

 USEFUL LINKS
Food Standards Agency
https://www.food.gov.uk/

ISO - International Organization for Standardization

https://www.iso.org/home.html

Authored on behalf of NQA by: Marta Vaquero, NQA Food Safety Certification Manager

www.nqa.com