ISO 22000 Certification: What It Takes to Build a Food Safety System That Actually Works

ISO 22000 is an international standard for food safety management systems. The International Organization for Standardization first published it in 2005, then revised it in 2018 to align with the High-Level Structure shared by ISO 9001, ISO 14001, and other management system standards. The current version is ISO 22000:2018.

Why does it exist? Because testing the finished product isn't enough. A contaminated batch that reaches consumers causes illness and recalls. Lawsuits follow. ISO 22000 shifts the focus upstream: identify hazards before they happen, control them at every stage, and keep records that prove you did it right.

Unlike a standalone HACCP plan, ISO 22000 wraps hazard analysis inside a full management system. You get leadership commitment, resource planning, competence requirements, internal audits, and a structured approach to corrective actions. It's HACCP with the management backbone it always needed. For a broader walkthrough of every clause, scope decision, and roadmap, see our complete guide to ISO 22000.

The standard applies to every organization in the food chain. Farm operators, transport companies, packaging suppliers, caterers, feed producers, even equipment manufacturers can implement and certify against ISO 22000.

ISO 22000:2018 follows the 10-clause High-Level Structure (HLS), the same framework you'll find in ISO 9001:2015. If you've already implemented another HLS-based standard, integration will feel familiar. The major clauses break down like this:

Clause 4 -- Context of the organization. You define external and internal issues, identify interested parties (regulators, customers, suppliers), and set the scope of your food safety management system.

Clause 5 -- Leadership. Top management establishes the food safety policy, assigns roles and responsibilities, and appoints a food safety team leader. This clause exists because systems fall apart when leadership treats them as someone else's problem.

Clause 6 -- Planning. You address risks and opportunities, set measurable food safety objectives, and plan how to achieve them.

Clause 7 -- Support. Resources, competence, awareness, communication, documented information. The unglamorous stuff that keeps the system running day to day.

Clause 8 -- Operation. The core. This is where prerequisite programmes (PRPs), hazard analysis, critical control points (CCPs), and operational prerequisite programmes (oPRPs) live. It's the most detailed clause and the one auditors spend the most time on.

Clauses 9 and 10 -- Performance evaluation and improvement. Internal audits, management review, nonconformity handling, continual improvement. The feedback loop that prevents your system from going stale.

The standard also integrates the Codex Alimentarius HACCP principles directly into Clause 8. That makes ISO 22000 the bridge between regulatory HACCP requirements and a structured management system.

In Ukraine, the national adoption is DSTU ISO 22000:2019. It's an identical translation of ISO 22000:2018, published by the national standardization body (UkrNDNC). For regulatory and commercial purposes, the two are interchangeable.

Ukrainian food safety law, specifically the Law "On Basic Principles and Requirements for Food Safety and Quality" (Law No. 771/97-VR, as amended), requires operators to implement HACCP-based procedures. The law doesn't mandate ISO 22000 certification by name, but implementing DSTU ISO 22000:2019 satisfies and exceeds the HACCP requirement. It's the path most Ukrainian food businesses take to demonstrate compliance.

For companies targeting EU export, DSTU ISO 22000 certification is often the starting point. EU buyers recognize the standard, though some require GFSI-benchmarked schemes like FSSC 22000 for direct supply to major retail chains. Your choice depends on where you're selling and what your buyers ask for.

A growing number of Ukrainian retailers, including major national chains, now request ISO 22000 certification from suppliers as part of vendor qualification. This trend picked up speed after 2023, as supply chain transparency shifted from regulatory checkbox to commercial differentiator.

We hear this one constantly: "We already have HACCP. Do we need ISO 22000?" Short answer: HACCP lives inside ISO 22000. The long answer takes a bit of unpacking.

HACCP (Hazard Analysis and Critical Control Points) is a methodology, not a management system. It gives you seven principles for identifying food safety hazards and controlling them at critical points in production. It's been the backbone of food safety since the Codex Alimentarius Commission codified it in the 1990s.

ISO 22000 takes those seven HACCP principles and embeds them in a management system framework. The standard requires hazard analysis, CCP identification, critical limits, monitoring procedures, corrective actions, verification, and record-keeping. All the HACCP steps are there. But ISO 22000 goes further.

It adds three layers that standalone HACCP doesn't cover:

• Prerequisite programmes (PRPs): Basic conditions and activities for maintaining food safety, things like cleaning, pest control, personnel hygiene, facility maintenance. These are covered in more detail by the ISO 22002 series.
• Operational prerequisite programmes (oPRPs): Control measures identified through hazard analysis that don't qualify as CCPs but still need structured management.
• Management system elements: Leadership, planning, resource management, internal audit, management review, continual improvement.

So HACCP is the engine. ISO 22000 is the whole vehicle. You can run the engine on a bench, but you won't get far without the rest of the car around it.

Choosing between HACCP, ISO 22000, and FSSC 22000 isn't always straightforward. Each one targets a different purpose and market. The table below breaks down the differences so you can decide which fits your business.

HACCP is a legal requirement in Ukraine and the EU. ISO 22000 wraps HACCP in a management system and satisfies most domestic and regional market needs. FSSC 22000 builds on ISO 22000 with stricter PRP requirements and additional scheme rules, earning GFSI recognition, which major international retailers and food companies often require. We compare both schemes side by side in our breakdown of the difference between ISO 22000 and FSSC 22000.

If your buyers haven't specifically asked for GFSI recognition, ISO 22000 is usually the right call. It covers the full food safety management system, meets Ukrainian regulatory requirements, and is recognized internationally. If you're supplying multinational retailers or food service groups that need GFSI-benchmarked certification, then FSSC 22000 is the path forward. And since it builds on the ISO 22000 standard, the transition is incremental, not a restart.

ISO 22000 applies to any organization that plays a role in the food chain. That scope is wider than most people expect.

Food manufacturers and processors. Dairy plants, meat processors, bakeries, confectioneries, beverage producers, canning facilities. Any operation that transforms raw materials into food products. For most of these companies, ISO 22000 is the minimum standard buyers expect.

Agricultural producers and cooperatives. Farms, grain elevators, oilseed processors, agricultural cooperatives. ISO 22000 certification opens doors to premium buyers and export markets, and it's especially relevant for companies in Ukraine's agricultural sector looking to build credibility with European importers.

Logistics and storage operators. Cold chain providers, warehousing companies, transport operators handling food products. One temperature excursion during transit can compromise an entire shipment. ISO 22000 gives these companies a framework to prevent that from happening.

Food packaging and equipment manufacturers. If your product touches food, your customers care about safety. Packaging suppliers certified to ISO 22000 gain a real edge in supplier qualification processes.

Retail and food service. Supermarket chains, restaurants, caterers, institutional food services. Certification is less common in this segment than in manufacturing, but consumer pressure for transparency is changing that.

Feed producers. Animal feed safety has a direct impact on food safety. Feed mills and supplement manufacturers use ISO 22000 alongside feed-specific standards to meet both regulatory and commercial expectations.

The bottom line: if you're part of the food chain and your activities affect food safety, ISO 22000 applies to you.

Let's be direct: certification costs money and takes effort. So what does the business get in return?

Market access. Many B2B buyers, especially in the EU, require food safety certification from suppliers. Without it, you don't make the shortlist. ISO 22000 is accepted across Europe, the Middle East, Asia, and Africa. In Ukraine's domestic market, major retail chains increasingly include it in supplier qualification criteria.

Fewer incidents, lower losses. A functioning food safety management system catches problems before they become recalls. Recalls are expensive. You're not just losing product. You're paying legal fees, dealing with regulatory penalties, and then spending years trying to win back customer trust. Prevention is cheaper. Always.

Operational discipline. Implementing ISO 22000 forces you to document processes, define responsibilities, and actually monitor performance. Companies that go through this work report fewer production errors and less waste. Not glamorous, but it pays for itself.

Regulatory compliance. In Ukraine, DSTU ISO 22000:2019 implementation satisfies the HACCP requirements under national food safety law. One system covers both your regulatory obligations and your commercial needs.

Supply chain trust. Your certificate tells partners and customers that an independent auditor verified your system. That third-party validation carries weight in commercial negotiations and tender submissions.

Foundation for further growth. ISO 22000 is the base for FSSC 22000. If your market evolves and buyers start demanding GFSI recognition, you won't need to start from scratch. You'll add the FSSC requirements on top of what you already have.

Certification isn't a single event. It's a project with distinct phases, and skipping any of them will cost you later. Here's what it looks like in practice.

Step 1. Gap analysis. Before you commit to certification, find out where you stand. A gap analysis compares your current practices against ISO 22000:2018 requirements, clause by clause. The output is a prioritized list of what you need to fix, build, or document. Most companies discover they already cover 30-60% of the requirements, especially if they've been running a HACCP plan.

Step 2. System development and documentation. Based on the gap analysis, you develop or update your food safety management system. This covers the food safety policy, scope definition, PRPs, hazard analysis, CCP and oPRP identification, procedures, and record-keeping. One piece of advice: don't over-document. Auditors want to see a system that works, not a library nobody reads.

Step 3. Implementation and training. Documents on paper mean nothing if people on the production floor don't follow them. This phase is about training your team, running the system in real operations, and building the habit of following procedures. Plan for at least 2-3 months of live operation before the certification audit.

Step 4. Internal audit. Before the external auditor arrives, audit yourself. An internal audit catches nonconformities you can fix now instead of discovering them during the certification audit. Train at least two people as internal auditors, or bring in external support for the first cycle. Our ISO 22000/ISO 22002/ISO 19011 training course covers internal audit methodology in depth.

Step 5. Management review. Top management reviews the system's performance: audit results, customer feedback, food safety incidents, resource needs, improvement opportunities. This isn't a formality. Auditors check whether management actually engages with the review output.

Step 6. Certification audit (Stage 1 + Stage 2). The certification body conducts the audit in two stages. Stage 1 is a document review and readiness assessment, where the auditor checks whether your system is designed to meet the standard. Stage 2 is the on-site audit. The auditor verifies that the system actually works in practice. They'll interview staff, observe operations, review records, and trace processes from raw material to finished product.

Step 7. Corrective actions and certificate issuance. If the audit finds nonconformities, you'll have a defined timeframe (usually 60-90 days) to implement corrective actions and provide evidence. Once the certification body accepts your corrections, they issue the certificate, valid for three years, with annual surveillance audits.

Step 8. Surveillance and recertification. Your certificate requires annual surveillance audits to confirm the system is maintained. After three years, you go through recertification, a full audit cycle that renews the certificate for another three years. The point: your system needs to be alive every day, not just polished before the auditor's visit.

We've worked with dozens of food companies on ISO 22000 projects, and the same mistakes come up over and over. Here are the ones that waste the most time and money.

Over-documentation. Some companies create hundreds of pages of procedures that nobody reads or follows. ISO 22000 requires documented information, not a bureaucratic archive. Write procedures that are concise, practical, and aimed at the people who'll actually use them.

Ignoring PRPs. Companies often rush to the HACCP analysis while neglecting prerequisite programmes: cleaning, pest control, maintenance, personnel hygiene. PRPs are the foundation. If it's weak, your CCPs won't save you. Check your PRP alignment against the updated ISO 22002 series.

Weak management commitment. ISO 22000 explicitly requires top management involvement. When the CEO treats certification as "the quality manager's project," the system stalls. Auditors will interview top management. If leadership can't articulate the food safety policy or explain how they support the system, that's a nonconformity.

No real internal audit. Running a checkbox internal audit that finds zero nonconformities isn't helpful. It's a red flag. External auditors know what a genuine internal audit looks like. Train your internal auditors properly and give them the authority to report problems honestly.

Skipping the gap analysis. Jumping straight into documentation without understanding your starting point leads to wasted effort. You'll write procedures for things you already do well and miss the areas that actually need work. A structured pre-audit from a consultant at the start saves weeks of rework later.

Choosing the cheapest certification body. Price matters, but the cheapest option might mean a certificate your buyers don't recognize. Verify the body's accreditation, check whether your target markets accept their certificates, and ask for references in your industry. A certificate from an unrecognized body can be commercially worthless.

Treating certification as a one-time project. This is the biggest one. Companies that sprint to certification and then forget about the system until the surveillance audit fail predictably. ISO 22000 is a management system. It needs to run every day, not just before the auditor shows up.

For any food business serious about growth, yes. ISO 22000 certification isn't cheap and it isn't quick. But the alternative is worse: lost contracts, regulatory problems, and the constant risk of a food safety incident you weren't prepared for.

The standard gives you a system that works across the entire food chain, satisfies Ukrainian regulatory requirements through DSTU ISO 22000:2019, and is recognized by buyers worldwide. If your market later demands GFSI recognition, your ISO 22000 system becomes the foundation for FSSC 22000. No need to rebuild from zero.

Start with a gap analysis. Fix the fundamentals. Train your people. Then certify. That's the sequence that works.

Learn more about the standard and its full scope on the official ISO 22000 page at iso.org. For ongoing support after certification, explore our annual support service or get certification consulting from our experts.