
NEW GUIDANCE ON ISO 22000:2018

The 10 things you should know from the new ISO 22000 handbook

By Colin Christmas and Nuno F. Soares



A brief look at 10 of the most relevant pieces of guidance provided by
the updated handbook.



Prologue

Since its introduction in 2005, the ISO 22000
standard has grown to be the most popular choice for
organizations who implement an internationally
recognized Food Safety Management System (FSMS). ISO
22000 has a total of 39,651 sites certified to the standard
(ISO Survey data, 2019). So why is ISO 22000 the leading
standard in industry when there are numerous schemes
available for organizations to choose from? Firstly, ISO
22000 and its supporting Technical Specifications (the ISO
22002 series) are purposely designed to be implemented
for any food category and any size of organization.
Secondly, ISO 22000 is a voluntary consensus standard
with ISO having a membership of 165 national standards
bodies, and each member represents ISO in its country.

ISO standards are developed using the core World Trade
Organization (WTO) and Technical Barriers to Trade (TBT)
principles of transparency, openness, impartiality and
consensus, effectiveness and relevance, coherence, and
addressing the concerns of developing countries. This
enables the requirements of ISO standards to be truly
applicable and accepted globally. Finally, ISO Management
System Standards (MSS) are designed to be integrated.
Essentially, you need a systems approach to support a food
system and all its interdependencies. This includes Quality (ISO
9001), Occupational Health & Safety (ISO 45001) with
consideration to the Environment (ISO 14000 family) and
Biodiversity (ISO/TC 331).

We see the requirements of the ISO 22000 standard as “the
WHAT” and the new Handbook as “the HOW”, which is an
essential guideline that complements the standard. Whilst
the new ISO 22000 Handbook is targeted at Small to
Medium Size Enterprises (SMEs), we believe this is a useful
guideline for any organization that is implementing or has
implemented any FSMS scheme.

1- Organizational Risk Management

Organizational Risk Management is one of the major
changes brought by the 2018 version of ISO 22000. At the
operational level we have the well-known hazard
assessment, where risks are identified and then measures
are taken to minimize their negative effects. Business risks
are different: uncertainty can lead to opportunities
(positive consequences) and risks (negative consequences).

The handbook clearly states that business risks that
have an impact on the performance of the FSMS must
always be considered when applying the Standard.

The Organization should then plan actions to enhance
the opportunities identified and prevent business risks.

2- Internal and External issues

This is also a new concept for ISO 22000 and follows
the adoption of the High-Level Structure. Standards
like ISO 9001, ISO 14000 and ISO 22000 now all have the same
10-clause structure (see section 4).

The handbook shares examples of sources of relevant
information about external and internal issues (e.g., press,
websites, product specifications) and also of the information we
need to look for (e.g., food outbreaks, new technologies).

There are some tools organizations may use as a
framework to identify internal and external issues. SWOT
(Strengths, Weaknesses, Opportunities and Threats) and
PESTEL (Political, Economic, Social, Technological, Legal,
Environmental) analysis are two of the most used tools for
this identification and are referred to in the handbook.

Food Safety Professionals are not so used to managing topics
such as Internal and External issues, and this may be
challenging, especially at the beginning. Don’t be
discouraged by it. On the contrary, use this to increase Top
Management awareness of the impact (besides food safety)
the Food Safety Management System can have on the
organization.

3- Interested Parties

An Interested Party, according to the ISO 22000 definitions, is a
person or organization that can affect, be affected by, or
perceive itself to be affected by a decision or activity. Food
safety professionals should look beyond the direct
customer/consumer and assess the needs and requirements
of those who have an impact on the ability of the
organization to provide safe food.

But first the Interested Parties need to be identified. The
handbook provides several examples of possible interested
parties.

Some Interested Parties may be quite obvious such as: 

• Consumers
• Customers
• Ingredients/Packaging materials providers
• Transport and logistics providers
• Maintenance, human resources
• Regulatory agencies

Examples of interested parties that may not be top of mind
for food safety professionals are:

• Uniform providers
• External/internal trainers
• Internal/external Lab services
• Neighbours
• Information technology services

The organization shall collect relevant information to
understand the requirements, needs and expectations of
the interested parties. For that, consider defining for each
interested party what, when, how, who and with whom
you communicate.

4- Commitment and Leadership of Top Management

It is important to note that the terminology changed from
“Management Commitment” in ISO 22000:2005 to
“Leadership” in ISO 22000:2018. This was a shift for all ISO
Management System Standards (MSS) with the introduction
of Annex SL (now referred to as Annex L or High-Level
Structure), which was designed to harmonize structure,
clauses, text and terms and definitions:
 
• Clause 1 Scope
• Clause 2 Normative references
• Clause 3 Terms and definitions
• Clause 4 Context of the organization
• Clause 5 Leadership
• Clause 6 Planning
• Clause 7 Support
• Clause 8 Operation
• Clause 9 Performance evaluation
• Clause 10 Improvement
 
ISO defines “Leadership is the person or group of people
who directs and controls an organization at the highest
level. Top management has the power to delegate authority
and provide resources within the organization”. 

So why the change? The answer: because there is a
fundamental difference between leadership and
management. Management is about managing processes.
Leadership is about behaviors. Management of processes is
demonstrated by data points that are measurable, whereas
leadership is more about attitude and personal character.
Essentially, leadership can drive the behaviors of an
organization. This in turn drives culture: in this case, the
food safety culture of an organization.

Top management establishes and communicates the food
safety policy. There must be evidence that key
communications related to food safety truly come from
leadership. If not, the question is whether there is a disconnect
with ‘Top management’. In addition, leadership must define the
scope of the integration process to ensure roles and
responsibilities are defined and allocated appropriately
across the organization. Otherwise, if delegated to the food
safety team leader, food safety could operate in a functional
silo. There must be evidence that various functions are
supporting food safety as per their defined responsibilities,
with Top management retaining overall accountability for food
safety.

The handbook provides the following examples of evidence of
Management commitment and leadership: supply of
required resources, formulation of policies and objectives
of the FSMS, management reviews and communication of the
importance of satisfying the food safety requirements.

5- Risks, Opportunities and Objectives

Risk is inherent in all aspects of a food safety
management system. There are risks in all systems,
processes and functions. Therefore, it is important that
risk-based thinking is applied throughout the management
system. This ensures these risks are identified, considered
and controlled throughout the design, planning and
execution of the food safety management system.

Risk-based thinking is part of the process approach. Not
all the processes of a food safety management system
represent the same level of risk in terms of the
organization’s ability to meet its objectives. Certain food
safety processes need more planning and controls than
others.

Risk is commonly understood to have only negative
consequences; however, the effects of risk can be either
negative or positive. Risks and opportunities are often cited
together; however, opportunity is not the positive side of
risk. An opportunity is a set of circumstances which makes
it possible to do something. Taking or not taking an
opportunity then presents different levels of risk.

By considering risk throughout the food safety
management system and all processes, the likelihood of
achieving stated objectives is improved, output and the
expected outcome of safe food are more consistent, and
customers can be confident that they can trust the food
product.

For further reading:

• ISO 31000:2009 Risk management - Principles and guidelines
• ISO/TR 31004:2013 Risk management - Guidance for the
implementation of ISO 31000
• ISO 31010:2010 Risk management - Risk assessment techniques

But where and when do we consider risks? It is probably an
everyday task, but strategy meetings, management
reviews, or food safety related meetings are good
moments to look at risks in a structured way (examples
are included in the handbook). Risks can be documented in a risk
register which is shared with Top management, driving
transparency and accountability.

6- Food Safety Policy

The 2018 version of ISO 22000 brought some new
requirements to the Food Safety Policy, for
example addressing the need to ensure competencies
related to food safety and including a commitment to
continual improvement.

Nonetheless, probably the most interesting change
related to food safety policy is the mandatory requirement
for the Food Safety Policy to be understood (and not only
communicated).

The handbook provides very interesting examples of
evidence of communication and of understanding of the policy.
For the former, evidence can be posters, e-mails, notice boards
or meetings, and for the latter, interviews, internal audits,
quizzes or tests.

7- Externally developed elements of the FSMS

The new version of ISO 22000 has broadened the use
of externally developed elements of the FSMS. The 2005
version included the possibility for small and/or less
developed food businesses (such as small farms and small
retailers, among others) to use externally developed combinations of
control measures. The 2018 version describes in clause 7.1.5 the
conditions for the use of any externally developed elements
in the Food Safety Management System.

Examples of externally developed elements of the FSMS
and sources are provided by the ISO Handbook (see figure).

All these externally developed elements must be:


• In conformance with ISO 22000:2018 requirements
• Applicable and adapted to the organization
• Implemented, maintained and updated
• Retained as documented information.

8- Management of documented information

ISO Management System Standards (MSS) are, in general,
dependent on documented information. ISO 22000 follows
a process approach, which means it is well suited to a
Process Framework Model. Here is an example where
processes are divided into 5 levels.

A Food Safety Management System requires the
disciplined organization of the following criteria: processes,
documents, records and reviews. Using a process
framework provides the structure for process owners to
update the criteria they are responsible for to meet defined
food safety requirements. This same structure is used for
all other management system requirements like Quality
(ISO 9001), Occupational Health & Safety (ISO 45001) and
Environmental Management (ISO 14001). This process
framework, supported by integrated management systems,
breaks down the functional silos.

There are several recommendations in the handbook
related to the management of documented information, for
example:

1. Clear definition of how documented information
should be changed, how long and how it should be
stored, and how it should be destroyed
2. Documenting records of destruction
3. Standardized format for procedures and work
instructions
4. Procedure for creation, updating and control of
documented information
5. Definition of retention time according to applicable
laws and regulations
6. Follow the rule of 3 U’s (Useful, Useable and Utilized)

9- Flow Diagrams

Process flow diagrams are discussed in the Handbook in
Task 5.3. Flow Diagrams and Process Mapping are critical
for a Food Safety Management System. The ability to
visualize a process flow will ultimately determine how
robust an organization's hazard analysis is and its ability to
produce safe food.

ISO 22000 allows multi-site certification, where large
organizations can improve performance and streamline
operations with fewer resources. Essentially, multi-site will
generate one certificate for multiple locations under a
single organization under the same legal entity. One of the
key requirements is performing similar activities. This is
where templates, flow diagrams and process mapping
need to be managed centrally.

Model HACCP plans can be developed and deployed
across a large organization and adapted locally. This
approach allows a corporate food safety entity to confirm
the accuracy of process flow diagrams.

The handbook includes suggestions for what should be
aimed for in this section. Among others, it describes the
importance of describing the steps of the procedure using the
5M method (Methods, Machinery, M-environmental,
Materials, Manpower), describing process parameters that
may affect food safety and describing the existing control
measures.

10- Verifications

The PDCA cycle is critical for all Food Safety Management
Systems. ISO 22000 benefits from two PDCA cycles: one
PDCA for the overall framework (management of the
system) and one PDCA for operational processes within the
food safety system.

This is where verification fits in. If you think in terms of
PDCA, verification is all about checking operational food
safety processes. This check then leads to Act, once the
verification determines whether or not the operational
food safety processes are under control.

When you think in PDCA terms for operational food
safety processes, often an organization is stronger in some
parts of the PDCA cycle than others. In this case the effort
that must be made for validation (plan) must be equally
supported by the effort for verification (check). With this in
mind, PDCA questions can be applied to ISO 22000 to
determine the effectiveness of the cycle, and these can focus on
verification criteria.

When an organization is committed to continuous
improvement, and especially if it has a Management System like
ISO or FSSC 22000, it should adopt an approach incorporating
the Plan-Do-Check-Act (PDCA) cycle and risk-based thinking.
Food Safety Professionals should know some questions they
can use to assess the implementation of the process approach
in the organization.

Examples of PDCA questions

Plan: What information do you need to start your work?
Plan: How do you know how to do your job?
Plan: Where does the information come from?
Do: Can you explain to me what you do?
Do: What decisions are you responsible to make?
Do: Who receives the result of your work?
Check: What is the result of your work?
Check: How do you know if you’ve done your job correctly?
Check: What kind of verifications do you perform?
Check: What records are kept?
Act: Are there changes, how and why?
Act: What can go wrong and what would you do?

The handbook suggests as examples of verification
activities:

1. Review and evaluation of documents OPRP and/or
CCP records
2. Measurement and evaluation activities to ensure
PRPs or processes are operating within parameters
3. Internal and external audits
4. Evaluation of indicators
5. Evaluation of verification results and audit reports.

About the Authors

Colin Christmas is a Managing Director at EAGLE Certification
Group. In addition, he works in a voluntary role as co-convener
of the International Accreditation Forum (IAF) Food Working
Group. He is an experienced professional with 20+ years in the food
manufacturing industry, where he developed an excellent
understanding of process, systems, and standardization. He worked in
a regional operational role supporting implementation and
sustainability of Management Systems (ISO 9001, ISO 14001, ISO 45001
and ISO/FSSC 22000), and a director role for Supplier Management
driving both compliance and improvement.

Nuno F. Soares, Ph.D. is the founder of The Why of Food Safety—
Become the SLO initiative and author of several books and
articles on food safety, namely FSSC 22000 V5 and ISO
22000:2018 Blueprint and Food Safety in the Seafood Industry (Wiley).
He is an author, consultant, and trainer in food safety with more than
21 years' background in the food industry as a food safety/quality and
plant manager. He works exclusively to help food safety professionals
achieve a more fulfilled career based on improving knowledge,
improving competences and a growing mindset.
