ISO 22000 Standard for Food Safety: Requirements, Certification, and How to Implement

Hundreds of food businesses look up ISO 22000 every month. Here is what you need to know in 2026: how the standard differs from HACCP, how much certification costs, and how to pass it within 90 to 180 days.

Over 12+ years working with food manufacturers across Ukraine and Eastern Europe, we have supported more than 200 ISO 22000, FSSC 22000, and HACCP implementation projects. This guide is built from real audits, not from certification body press releases. Everything you read below is something you can apply to your own audit preparation, contract negotiations with EU buyers, or an internal budget pitch to your CEO.

ISO 22000 is an international food safety management system (FSMS) standard that combines HACCP principles with a quality management framework based on the High Level Structure (HLS). The standard was developed by the International Organization for Standardization (ISO) and applies to any organization in the food chain, from primary production through retail and logistics.

The current revision is ISO 22000:2018. It is voluntary, but in many cases it becomes a mandatory contract condition with retailers, exporters, and public sector buyers.

The core idea behind ISO 22000 is bringing together two logics: systematic quality management (plan, do, check, act) and operational food safety control through hazard analysis. That makes the standard a universal tool that works equally well at a dairy plant or a logistics terminal.

ISO 22000 applies across the entire food chain. In practice, certification requests come from five groups:

• Food manufacturers, including meat processing, dairy, confectionery, beverages, and canned goods. Certification opens doors to national and international retail networks.
• Exporters to the EU, UK, and Gulf states, where most buyers ask for a GFSI-recognized scheme (FSSC 22000 or BRCGS), but ISO 22000 remains the baseline you cannot bypass.
• Suppliers to large retailers, such as Tesco, Carrefour, Lidl, Auchan, Metro, who require a documented food safety system. ISO 22000 closes that requirement faster than a HACCP-only approach.
• Animal feed and feed ingredient producers, where ISO 22000 combined with ISO 22002-6 (PRP for feed production) serves as a foundation for GMP+ or FAMI-QS.
• Food packaging and logistics providers, working under ISO 22002-4 (packaging) or ISO 22002-5 (transport and storage).

If your company falls into any of these categories, a food safety management system is no longer a nice-to-have, it is a market condition. This is especially true in export segments, where the certificate is checked alongside the quality declaration during the very first contact. Buyers often ask for a scan of your certificate before they even sign an NDA, since without it the supplier audit cannot begin.

ISO standards are typically adopted nationally with the same content; only the identifier changes. ISO 22000:2018 has been republished in many countries with no technical differences, only language and the national prefix. A few examples:

• United Kingdom, BS EN ISO 22000:2018, published by BSI, identical to the international version.
• United States, ANSI/ISO 22000:2018, published through ANSI.
• European Union, EN ISO 22000:2018, harmonized across member states by CEN.
• Ukraine, DSTU ISO 22000:2019 (IDT), an identical Ukrainian translation of ISO 22000:2018 used for domestic procurement and food safety inspections.

In practice this matters when:

• Domestic procurement and national regulators, use the local identifier (BS EN, ANSI, DSTU). The certification body will issue a certificate referencing the national code, which inspectors recognize.
• Cross-border trade and multinational retailers, use the international ISO 22000:2018 identifier. Foreign buyers expect to see the international code on the certificate, not a national variant.
• Dual-marking certificates, many companies request both codes on a single certificate. This does not double the cost, since technically it is the same audit, but it requires confirmation from an accredited certification body.

If you plan for both domestic operations and exports, ask your certification body to include both codes on the certificate. The cost is the same as single-marking, but it eliminates 80% of buyer questions.

ISO 22000:2018 follows the High Level Structure (HLS, Annex SL), the same framework used by ISO 9001, ISO 14001, ISO 45001, and ISO 27001. That means the same 10-clause structure repeats across all ISO management system standards, which dramatically simplifies integration.

Here is the full structure:

Clause 8 is the heart of the standard. Here ISO 22000 incorporates the seven classical HACCP principles, originally documented in Codex Alimentarius back in the 1990s:

1. Hazard analysis
2. Identification of critical control points (CCP)
3. Establishment of critical limits
4. CCP monitoring
5. Corrective actions when deviations occur
6. System verification
7. Documentation and records

The difference from "plain HACCP": ISO 22000 adds a layer of management above these principles, including context, leadership, planning, and management review. That is what turns it into a full management system rather than just an operational tool. In practice this looks like the following: a HACCP team can build a perfect hazard analysis plan, but without a policy, objectives, and an internal audit program at the higher level, the plan goes stale within a year. ISO 22000 forces the system to refresh itself through formal review cycles.

This is the most common point of confusion when implementing ISO 22000. The standard has three levels of food safety control, and even experienced technologists mix them up. Let us go through them at the level of definitions and examples.

In short: PRP is the foundation. OPRP is operational protection. CCP is a critical point where a failure directly creates risk for the consumer.

ISO 22000:2018 itself does not contain detailed PRP requirements; it only states that the organization must establish them. Specifics come from the ISO 22002 series, namely:

• ISO 22002-1, food manufacturing (published 2009, new edition 2025)
• ISO 22002-2, catering
• ISO 22002-3, farming
• ISO 22002-4, packaging manufacturing
• ISO 22002-5, transport and storage
• ISO 22002-6, feed production

For FSSC 22000, applying ISO 22002 is mandatory. For "plain" ISO 22000 it is recommended, but in practice without a sector-specific PRP document the auditor will raise questions as early as Stage 1. So even if your goal is just ISO 22000, buy ISO 22002 for your category right away. You will have a structure to reference in your FSMS documentation, rather than inventing your own.

The path to a certificate breaks down into five blocks. Depending on company size and process maturity, each step takes between 2 weeks and 2 months. Below is the real sequence we walk clients through.

An external consultant or trained internal auditor walks through every clause of ISO 22000 with a checklist and records the gaps: what is missing in documentation, which processes exist but are not documented, which CCPs need review. The output is a report with 30 to 80 items prioritized by criticality. Without this step, every later stage is blind: you do not know what implementation will cost, how long preparation will take, or what risks you face during the certification audit. Order a gap analysis before the audit if you want an objective picture in 5 to 10 working days. It is cheaper and faster than starting implementation "from scratch" only to discover that half the work was already done by a previous team.

This step covers the foundation: policy, objectives, register of interested parties, context analysis, HACCP plan, PRP documents, documented information procedures, internal audit program. For most companies, this stage takes 1.5 to 4 months. If a HACCP system is already in place, the workload drops by half.

Full implementation services include developing the complete document package tailored to your production format, not off-the-shelf templates. Template-based documentation guarantees problems during the certification audit: when an auditor sees an instruction stating "temperature check every 4 hours" while in practice it happens once per shift, the questions start immediately. Documentation must describe the real process, not a theoretically perfect one.

An FSMS does not work without a trained workforce. At a minimum, you need training on the 7 HACCP principles for everyone with a CCP in their area of responsibility, and ISO 19011 internal auditor training for the internal audit team (3 to 5 people depending on company size). A common mistake is training only the quality manager; when the auditor comes to interview a line operator and gets "I do not know, ask the supervisor" as an answer, a nonconformity is guaranteed.

Before the certification audit, the organization must conduct a full internal audit against every clause of ISO 22000 and close any nonconformities found. This is a mandatory standard requirement (Clause 9.2), and certification cannot proceed without it. The first management review also takes place at this stage. Standard duration is 2 to 4 weeks.

A piece of honest advice: run a mock audit with an external consultant 2 weeks before Stage 2. It simulates the scenario your team will face: questions in the format of a real auditor, production walkthroughs, record checks. About 80% of the team's uncertainty and stress dissolves at this stage. If a CCP operator "does not know how to show the log", you want to find that out before certification, not during Stage 2.

The certification body conducts the audit in two phases:

• Stage 1, readiness check: documentation, resources, preliminary scope assessment. 1 to 2 days on site. Produces a list of risk areas for Stage 2.
• Stage 2, full on-site audit: staff interviews, production walkthroughs, record checks, CCP verification. Lasts 2 to 8 days depending on the number of sites and process complexity.

The gap between Stage 1 and Stage 2 ranges from 2 weeks to 3 months, during which you close the items found in Stage 1. As a side note, audit support by a consultant cuts Stage 2 duration by 20 to 30%, since the team does not waste time hunting for documents and answers.

The most popular question, and the one nobody benefits from answering honestly in public sources. Let us break it down. ISO 22000 certification cost has two components: payment to the certification body (CB) and the consulting support for preparation. Below are indicative ranges from our 200+ projects over 12 years.

Four factors show up in every quote we issue:

• Number of sites. Multi-site certification requires a separate audit at each location, but allows a 20 to 40% cost reduction through the group scheme under IAF MD 1.
• Product complexity. Production with 3 CCPs costs less than production with 12. Each additional CCP adds documentation, monitoring, and audit time.
• HACCP system maturity. If HACCP is already implemented and working, the path to ISO 22000 is 30 to 50% shorter. If not, hazard analysis essentially starts from scratch.
• Integration with ISO 9001 / ISO 14001. Shared management elements (documentation, audits, management review) save up to 25% of time and budget when certifying in parallel.

For an accurate budget tailored to your operation, you need a short diagnostic call: 30 minutes and three to four clarifying questions. You can submit a request on the ISO 22000 implementation services page.

These three standards live side by side and are often confused. The short version: HACCP is a methodology. ISO 22000 is a management system. FSSC 22000 is a complete certification scheme that includes ISO 22000 plus ISO 22002-x plus additional FSSC Foundation requirements. The scheme is recognized by GFSI (Global Food Safety Initiative), meaning major retailers accept it without additional audits.

Detailed comparison below. If you need a deeper analysis of choosing between ISO 22000 and FSSC 22000, read the dedicated article on the difference and how to choose.

Across 200+ supported audits, we see the same mistakes regardless of industry. Here are the top 5 that show up in nonconformity reports more often than the rest:

• Outdated CCP records. Monitoring logs are filled in after the fact, backdated, or the form does not match the real process. An auditor spots this in a minute: ink the same color for a whole week, perfectly even handwriting, no temperature deviations across an entire year.
• Weak supplier evaluation. Raw material suppliers are not assessed against safety criteria, or the assessment exists only on paper. Verify that you have a documented supplier verification scheme; this is Clause 7.1.6 of ISO 22000.
• Poor documented information control. Document versions are not controlled; accounting has one revision of a procedure, the production line has a different one. The standard requires that every copy at workstations is current (Clause 7.5.3).
• Hazard analysis without updates. The HACCP plan was developed three years ago and has not been reviewed since, despite changes in recipes, suppliers, and equipment. ISO 22000 requires the HACCP analysis to be updated whenever significant changes occur.
• Internal audits "on paper". A report exists, but every item reads "complies with requirements" with not a single nonconformity for the year. This is a red flag for an external auditor, since a perfect system is statistically impossible.

Honestly, the typical picture goes like this: a company invests in documentation, is 90% audit-ready, and then trips on the simplest things, like a temperature record in a log or version control on a workshop wall instruction. Most findings are minor, but if there are ten of them, the auditor may issue a major because of the systemic nature of the problem.

A detailed breakdown of the 15 most common nonconformities with clause references is available in a separate article on typical ISO audit findings. If you are planning a certification audit in 90 days, start with the 90-day preparation plan, a ready-made week-by-week roadmap.

There is one global ISO 22000, but certification in any given country has its own quirks. Below is a snapshot for Eastern European operators and exporters, with practical notes that also apply to other emerging markets.

National accreditation vs international CB. A certification body can be accredited by a national accreditation body or by one that is part of the IAF MLA. A certificate without the IAF MLA mark is a much weaker position in export: foreign buyers may simply not recognize the document. Before signing a contract with a CB, check whether its accreditation body is on the IAF MLA signatories list. If you plan expansion across several countries, a certificate from an international CB (DQS, SGS, Bureau Veritas, TÜV) eliminates all recognition questions in one step.

Where local auditors dig deepest. From our experience, Stage 2 audits in Ukraine and neighboring markets pay extra attention to: pest control (especially in summer), documentation for imported raw materials, evidence of CCP operator competence (job orders, role descriptions, training logs), and product recall procedures. Prepare these blocks in advance, they take longer to close than others. Traceability of raw materials is its own subject, with auditors digging deeper into customs documentation, especially for imports from third countries.

Domestic regulators and ISO 22000. National food safety inspectors typically check for HACCP under local legislation, not ISO 22000. However, an ISO 22000 certificate effectively proves that a HACCP system is in place and often shortens the inspection scope. Some regional offices apply a simplified format when a current ISO 22000 certificate is presented. Important caveat: certification does not exempt you from the legal requirement to have HACCP, but it is strong evidence of compliance.

EU exports: the 2026 context. EU regulations, in particular Regulation (EC) 178/2002 and the Green Deal + CBAM package, are tightening requirements for traceability and the environmental footprint of food production. ISO 22000 by itself does not cover CBAM, but it creates a documented foundation that environmental reporting can be built on top of. Manufacturers planning exports beyond 2026 should look at integrating ISO 22000 with ISO 14001, closing both safety and environmental questions in one package.

Ukraine specifics. For domestic procurement and food safety inspections in Ukraine, use DSTU ISO 22000:2019, the identical national translation of ISO 22000:2018. The national accreditation body is NAAU. The food safety regulator is the State Service of Ukraine for Food Safety and Consumer Protection. We have written a practical approach to food safety certification and a step-by-step ISO 22000 certification preparation guide, both written from the Eastern European context.

We have collected answers to the questions clients and readers ask most often. If yours is not on the list, send it our way and we will add it to the next revision of this guide. Ongoing management system support, including annual support, also covers consulting on similar questions.