FSSC 22000

FSSC 22000 is a GFSI-benchmarked food-safety certification scheme owned by the Foundation FSSC, established in 2009 in the Netherlands. It bundles three things into a single certifiable system: ISO 22000:2018 (the food-safety management standard), sector-specific Prerequisite Programmes (typically from the ISO/TS 22002 series — 22002-1 for food manufacturing, 22002-2 for catering, 22002-3 for primary agriculture, 22002-4 for packaging, etc.), and a set of additional FSSC requirements that close gaps GFSI requires.

The result is a certifiable system that satisfies the major retailers and brand owners that require GFSI certification of their suppliers. Roughly 30,000 sites globally hold FSSC 22000 certification across more than 150 countries, making it one of the two largest GFSI schemes by site count alongside SQF.

FSSC 22000's selling point against peers is its ISO management-system DNA: a site already running ISO 9001 or ISO 14001 finds the Annex SL high-level structure familiar, which lowers integration cost. Multi-site companies with mixed regulatory environments (food + cosmetics + pharma) often choose FSSC because integration with the rest of their ISO-based management systems is straightforward.

An FSSC 22000 certification covers three layers:

• ISO 22000:2018 — management system requirements, the HACCP-based plan, leadership, planning, support, operation, performance evaluation, improvement.
• ISO/TS 22002-x — sector-specific PRPs covering construction and layout, utilities, waste, equipment suitability, pest control, hygiene, personnel hygiene, cleaning and sanitation, supplier control, transport.
• Additional FSSC requirements — food defence, food fraud mitigation, allergen management, environmental monitoring, transport/storage requirements, supplier control, product/process design, food loss and waste, communication of allergen information to customers.

Each PRP document is itself a long checklist of clauses. ISO/TS 22002-1 alone contains 18 clauses covering construction and layout, layout of premises and workspace, utilities, waste, equipment suitability and maintenance, management of purchased materials, measures for prevention of cross-contamination, cleaning and sanitising, pest control, personnel hygiene, rework, product recall procedures, warehousing, product information / consumer awareness, food defence / biovigilance / bioterrorism.

FSSC 22000 Version 6 (published April 2024, all audits from April 2025 onwards) introduced several material changes that align the scheme with the latest GFSI benchmarking, ISO updates, and emerging food-safety priorities:

Sites certified under Version 5.1 transitioned through 2024–2025; new certifications are issued under Version 6. The Foundation FSSC published a structured transition guidance document and audit-time-budget update at the same time.

• Management of services and purchased materials — risk-based approval and monitoring of all incoming materials and services.
• Product labelling — accurate to applicable regulation in the country of sale, including all mandatory allergen declarations.
• Food defence — vulnerability assessment for intentional adulteration and a mitigation plan (Threat Assessment Critical Control Points / TACCP).
• Food fraud mitigation — vulnerability assessment for economically motivated adulteration and a mitigation plan (Vulnerability Assessment Critical Control Points / VACCP).
• Logo and certification mark use — strict rules on how the FSSC mark may be applied to communications.
• Allergen management — full programme including segregation, changeover validation, label control, and rework rules.
• Environmental monitoring — zone-based, pathogen-and-indicator approach with documented action limits and trend response.
• Formulation of products containing animal substances — for products with animal-derived ingredients.
• Transport, storage and warehousing — temperature control, segregation, contamination prevention.
• Hazard control and measures for preventing cross-contamination — allergens, microbiological, chemical, physical.
• Personnel and processing area PRPs — supplemented for the relevant sector.
• Equipment management — sanitary design, commissioning, change control.
• Food loss and waste — measurement, reduction, donation programmes.

1. A complete and current HACCP-based food-safety plan, with hazards, CCPs, critical limits, monitoring, corrective action and verification.
2. PRP implementation evidence in every required category — cleaning records, pest-control reports, calibration, personnel hygiene, environmental monitoring data.
3. Food-safety culture programme with measurable indicators (annual survey, communication metrics, leadership engagement evidence).
4. Allergen control programme — segregation, changeover validation, label control, rework rules, communication to customers including unintentional presence.
5. Food fraud vulnerability assessment and mitigation plan, reviewed annually and after supply-chain changes.
6. Food defence vulnerability assessment and mitigation plan, reviewed annually.
7. Supplier control — approval, monitoring, performance review, with traceable specifications and CoA / CoC evidence.
8. Traceability — internally and externally; FSMA 204 expectations increasingly relevant in the US and explicitly cited in V6.
9. Equipment change control — sanitary-design review for new and modified equipment.
10. Management review, internal audit, corrective action, continual improvement, with documented inputs and outputs.

Version 6 explicitly requires an unannounced audit at least once per three-year certification cycle. Sites may opt for the alternative "voluntary unannounced" pattern in which both surveillance audits per cycle are unannounced.

• Hazard analysis missing emerging hazards (food fraud, supply-chain disruption, allergens added during co-packing).
• Environmental monitoring programme not driven by zone-based risk; sampling locations static rather than rotated.
• Allergen changeover validation never re-validated after process or formulation change.
• Food-safety culture programme exists on paper but no measurable outcomes; survey scores unchanged year on year with no improvement plan.
• Corrective actions closed without verifying effectiveness — recurrence rate not measured.
• Supplier monitoring lapsed for low-volume suppliers — the unloved 20% that often introduce contamination.
• Calibration overdue on equipment used to monitor CCPs.
• Food fraud vulnerability assessment last reviewed before the most recent supplier change.
• Equipment change control absent for line modifications — new equipment commissioned without sanitary-design review.
• Traceability mock-recall not run, or run but stopped before reaching the upstream supplier or downstream customer.

All three are GFSI-benchmarked, so the underlying acceptance by retailers is similar. The differences are operational:

Many large multi-site organisations hold more than one. Some hold all three to satisfy global customer demands without renegotiating per market. The audit-day burden is real but the back-office overlap is high — a site that runs a clean FSSC audit is usually 80% ready for SQF or BRCGS.

A site moving to FSSC 22000 from no GFSI baseline typically allocates 10 to 14 months from kickoff to Stage 2 audit. Sites already certified to SQF or BRCGS compress that to 6 to 9 months because the underlying PRPs and HACCP plan are already in place — what changes is the structure (ISO Annex SL high-level structure, management-system clauses, food-safety culture KPIs). The sequence below is the pattern that consistently lands a clean Stage 2.

The two implementation traps that most commonly delay certification: PRP build started before the gap analysis is fully understood (resulting in three PRP rewrites), and food-safety culture treated as a poster campaign rather than a measurable programme. Culture KPIs need a baseline, a target, an action plan when scores plateau, and visible leadership engagement — auditors will probe whether the GM, ops director and FSTL can speak credibly to the data.

FSSC 22000 supports multi-site certification when sites perform similar processes under a single management system. The Foundation FSSC and ISO 22003-1 set the sampling rules: the certification body audits the central function plus a square-root sample of sites (rounded up) per audit cycle, with surveillance audits sampling a different subset each year so every site is visited at least once across the cycle.

• Eligibility — sites must share the same management system, the same documented PRPs, the same HACCP framework, and a centrally controlled internal-audit programme.
• Central function — must conduct internal audits of every site annually; failure of the central function suspends multi-site certification immediately.
• Sampling formula — √(n) rounded up for initial certification, with adjustments for risk category and prior performance.
• Critical non-conformity — a single critical NC at any sampled site can affect the certification of the whole group, not just the audited site.
• Adding sites — new sites must pass an internal audit by the central function before being added to the certificate scope; certification body verifies on the next surveillance.

Group certification is a significant cost lever for multi-plant operators — a 12-site group might be audited at 4 sites per year rather than 12, cutting audit-day cost by two-thirds. The price of admission is the central function: a real, staffed, governing programme that holds every site to the same standard. Auditors who suspect the central function is a paper exercise will pull sample sites and audit them harder, which usually surfaces the gap.

FSSC 22000 grades audit findings into four bands. The grade dictates the close-out timeline and whether the certificate is impacted.

The grading is at the auditor's discretion within scheme guidance, and good corrective-action evidence (root-cause analysis, immediate containment, verified effectiveness) is what stops a recurring minor from being escalated to a major on the next visit. V5's CAPA workflow ties each audit NC to the corrective and preventive actions, the verification evidence, and the recurrence-rate metric the auditor will want to see at re-certification.