GFSIGlobal Food Safety Initiative

The Global Food Safety Initiative is an industry-led, retailer- and brand-owner-led initiative coordinated by The Consumer Goods Forum (CGF). Founded in May 2000 in the aftermath of a string of high-profile European food-safety failures (BSE, dioxin, Listeria), GFSI was created to answer a single commercial problem: every large retailer was running its own food-safety audit programme, suppliers were being audited four, five, ten times a year against overlapping standards, and there was no shared definition of "good enough."

GFSI does not write its own audit standard. It does not certify anyone. It does not perform audits. Instead, GFSI publishes a document called the Benchmarking Requirements that food-safety certification schemes must meet to be GFSI-recognised. Recognised schemes — FSSC 22000, SQF, BRCGS, IFS, PrimusGFS, GlobalG.A.P., CanadaGAP, ASC/MSC for seafood, and a handful of others — then operate certification through independent Certification Bodies accredited by an IAF-member accreditation body.

The output for a manufacturer is one certificate, accepted by many retailers, refreshed annually or semi-annually. The output for a retailer is the ability to require "GFSI certification to a recognised scheme" in supplier contracts and let the market decide which scheme to hold.

There are several more recognised schemes (Equitable Food Initiative scopes, JFS-C, FSSC 24000 for social) but for branded food manufacturing the practical big four are FSSC 22000, SQF, BRCGS and IFS. They cover well over 90% of GFSI-certified manufacturing sites worldwide.

The GFSI Benchmarking Requirements set out the food-safety elements a scheme must cover to be recognised. Each requirement is mapped to one or more scopes — primary, manufacturing, packaging, storage / distribution, etc. — because a scheme is recognised for specific scopes, not as a blanket.

The requirement areas a scheme must cover

• Food safety management system — documented policy, manual, document control, record control, internal audit, management review.
• Management responsibility — leadership commitment, food-safety culture, resources, training, communication.
• HACCP / hazard analysis and risk-based preventive controls — full Codex HACCP plus prerequisite programmes (PRPs).
• Good manufacturing / agricultural / hygienic practices — site, building, utilities, equipment, cleaning, pest control, personal hygiene.
• Allergen management — risk assessment, segregation, validated cleaning, label control, supplier control.
• Food defence (intentional adulteration) — threat assessment, mitigations, site security.
• Food fraud — vulnerability assessment, mitigation plan, supplier verification, raw-material authenticity testing.
• Environmental monitoring — pathogen / indicator programmes appropriate to product risk.
• Traceability and recall — one-step-back / one-step-forward, mock recall annually at minimum, defined timeframes.
• Supplier / outsourced process control — approval, ongoing monitoring, raw material risk assessment.
• Training and competence — programme, records, refresher cycle, auditor competence requirements on the CB side.
• Audit process — frequency, duration, scoring, unannounced cycle, non-conformance / corrective action handling.

A scheme that meets all of them in the relevant scopes earns GFSI recognition for that scope. GFSI does NOT standardise the audit process — different schemes still have different audit lengths, grading bands, fundamentals / critical clauses, announced/unannounced rules, and corrective-action timeframes. What is harmonised is the scope of what's covered, not how it's audited.

GFSI v2024.1 is the current Benchmarking Requirements edition (effective for scheme owners through 2025–2027 depending on scope and transition window). Three changes matter most for manufacturers:

1. Food-safety culture is no longer a soft expectation — it must be measured, with KPIs, and improvement tracked over time. SQF Ed 9, BRCGS Issue 9 and FSSC v6 all reflect this.
2. Unannounced audits are now the explicit baseline. Schemes must offer (and recognise within their certification cycle) at least one unannounced audit option per cycle. Many large retailers now require the unannounced option.
3. Food fraud and food defence are full clauses, not appendices. Both require a documented vulnerability/threat assessment plus a written mitigation plan reviewed annually.

Before GFSI, the global retailer landscape was a thicket of bilateral audit requirements. A mid-sized manufacturer serving Walmart, Tesco, Aldi, Carrefour and Metro might be audited five times a year against five overlapping but distinct standards, each with its own clause numbering, scoring rubric, and corrective-action format. The cost was huge — calendar days lost to audits, duplicate documentation, multiple corrective-action systems — and the result was not better food safety, just more audits.

GFSI's value proposition was simple: one credible audit, accepted by many. The 2000 founding members agreed in principle, the 2004–2007 benchmarking process delivered the first recognitions (SQF and BRC first, then IFS, then Dutch HACCP / FSSC 22000), and within a decade GFSI was the de-facto baseline for most national-brand supply chains in North America and Europe.

GFSI does not eliminate retailer audits entirely — most large retailers still run their own supplier-quality and ethical audits on top of GFSI certification — but it removes the duplicate food-safety audit burden and creates a global baseline that everyone agrees is, at minimum, table stakes.

GFSI certification is private; FSMA is US federal law. They overlap heavily — both rest on hazard analysis, preventive controls, traceability, supplier verification — but they are not interchangeable. A GFSI certificate does not exempt a US-facing manufacturer from FSMA Preventive Controls for Human Food (21 CFR 117) or FSMA 204 Traceability obligations.

Operationally, a well-run GFSI system makes FSMA compliance easier (the controls are largely the same) but FDA does not regulate by GFSI scheme. The two run side by side. A foreign supplier shipping into the US needs FSVP-compliant verification regardless of GFSI status. A domestic manufacturer needs Preventive Controls regardless of GFSI status. GFSI is the contract; FSMA is the law.

• What do your customers actually require? Many big retailers express a preference even though they accept any GFSI scheme — start there. Walmart historically prefers SQF; Tesco / Sainsbury's prefer BRCGS; Aldi / Lidl in DE prefer IFS; many multinationals require FSSC for ingredients suppliers.
• Where is your manufacturing located? FSSC dominates in EU manufacturing; SQF in US; BRCGS in UK / EU retail-facing; IFS in mainland Europe especially DACH and France.
• What's your existing system? If you already operate ISO 9001 / ISO 22000, FSSC 22000 builds on it most naturally (ISO 22000 + ISO/TS 22002 + FSSC additional requirements). If you've inherited a BRC system from a previous certification, BRCGS Issue 9 is the lowest-friction upgrade.
• Multi-site? Some large manufacturers hold multiple GFSI certifications across different sites to satisfy different customer mandates without retooling — e.g. SQF on US plants, BRCGS on UK plants, FSSC on EU plants.
• Audit style preference? BRCGS has a strict fundamentals-based scoring with grades AA/A/B/C; SQF uses % scoring with E / G / C / F levels; FSSC mirrors ISO non-conformance categorisation. Some operations cultures fit one style better than another.

There is no "best" scheme. There is the scheme your biggest customers accept with the least friction, in the regions you operate, layered on top of the management system you already have. Switching schemes is expensive and rarely worth it unless commercial pressure forces it.

• Treating GFSI as a once-a-year project — the auditor will spot a system that only ran for the eight weeks before the audit.
• Confusing scheme certification with regulatory compliance — a clean BRCGS audit does not protect you from an FSMA finding.
• No food-safety culture KPIs — under v2024.1 this is now a clause, not a suggestion.
• Mock recall once a year that always passes — auditors want to see realistic timed scenarios with off-shift coverage.
• Allergen cleaning validation that's expired or never had analytical verification (ELISA / lateral flow / ATP only).
• Food-fraud vulnerability assessment that lists "none identified" — every category has fraud risk.
• Supplier approval files missing the actual evidence (just a signed form) — auditors now ask to see the CoA, the audit report, the unannounced verification.

1. Year 1 audit (initial certification) — announced, full scope, full duration. Non-conformances closed within scheme-defined windows (typically 28 days for majors, 90 days for minors).
2. Surveillance / re-audit — annual cycle. Most schemes now require one unannounced audit per cycle.
3. Recertification — full audit cycle re-runs every 1–3 years depending on scheme.
4. Special audits — triggered by a Notification of Change (new product, new line, major site change), a serious complaint, a recall, or regulatory action.

The auditor's job is to verify that the system runs every day, not just during the audit. They will pull random batch records from random weeks, watch operators perform routine tasks (CCP checks, sanitation pre-op, allergen changeovers), interview line workers without the QA manager present, and chase one or two end-to-end traces from raw material to finished pallet.

All GFSI-recognised schemes deliver equivalent food-safety coverage by design — but they are not interchangeable from an operational, geographic or customer-acceptance standpoint. The wrong choice doesn't fail the audit; it adds 12–18 months of friction with the wrong CB, the wrong audit format, and the wrong base of customer recognition.

Two questions decide the scheme in 80% of cases. First: which scheme does your largest 2–3 customers explicitly demand? If they name one, that's your scheme — customer recognition matters more than internal preference. Second: do you already operate ISO 9001 / 14001 / 45001? If yes, FSSC 22000 inherits 60–70% of your existing management-system documentation, where SQF or BRCGS would require a parallel set. Sites that pick the scheme on cosmetic preference ("the auditor seemed nicer") routinely switch within 24 months under customer pressure — wasting one full certification cycle.

A GFSI certificate is not a regulatory authorisation, and confusing the two is a frequent source of inspection findings. FDA, USDA-FSIS, FSA (UK), EFSA / Member State competent authorities and equivalent regulators run their own inspection programmes regardless of GFSI status. The relationship is overlap, not substitution.

Two practical consequences. First: a fresh GFSI certificate does not buy you any leniency in an FDA inspection — the regulator will inspect the same plant against 21 CFR 117 regardless of the certificate on the wall. Second: a single well-built food-safety management system can satisfy both — about 75% of evidence is reusable. Sites that build parallel programmes (one for the auditor, one for the inspector) duplicate effort and create reconciliation risk at the edges.

A GFSI certificate is a three-year cycle, not a one-off event. Most sites that lose certification do so not at the initial audit but at year 2 or year 3, when the system that was tightly run for the kick-off audit has been allowed to drift. The maintenance discipline that holds the certificate:

1. Annual recertification audit — full scope, day-count proportional to site risk + size. Plan a 6-week prep window; finding density usually doubles if you only start prep 2 weeks out.
2. Unannounced surveillance audit — at least one per three-year cycle for GFSI v2024 Food Safety scope, scheduled inside a 30-day notification window. Continuous readiness is the only sustainable posture.
3. Internal audit programme — risk-based schedule covering 100% of clauses across the three-year cycle; high-risk clauses audited annually, low-risk every 2–3 years.
4. Quarterly management review — leadership-chaired, with KPI scoreboard, NCR aging, internal audit findings, supplier performance, complaint trending, training compliance and culture pulse. Don't roll this into another meeting; auditors look for the standalone artefact.
5. Change-control discipline on the FSMS — every new SKU, new line, new supplier, new packaging format, new regulatory requirement triggers a documented FSMS impact assessment. Sites that handle these informally accumulate undocumented drift that surfaces at recertification.
6. Year-2 self-assessment — at the midpoint of the cycle, run a full mock audit against the scheme's current edition. New editions almost always land mid-cycle and waiting for the recertification to discover the gap costs months.