Course Manual

FSSC 22000 V6 Lead Auditor Training Course
Course Manual
COURSE MANUAL
FOOD SAFETY MANAGEMENT SYSTEM
Auditor / Lead Auditor Training Course

A training course for those wishing to undertake auditing of
Food Safety Management System
to recognized
Food Safety Management System Standard
(BASED on FSSC 22000 V 6)
TUV NORD CERT GmbH
Course Manual Rev. Page 1 from 88

CONTENT
1. FOREWORD .............................................................................................................................. 3
2. COURSE AIMS AND OBJECTIVES .......................................................................................... 4
3. CQI-IRCA & THE AUDITOR REGISTRATION SCHEME ........................................................... 8
4. CQI PROFESSIONAL CODE OF CONDUCT........................................................................... 10
5. SECTION 1............................................................................................................................... 13
5.1. Introduction CQI and IRCA..................................................................................................... 13
6. SECTION 2.............................................................................................................................. 14
6.1. INTRODUCTION ...................................................................................................................... 15
6.2. Difference Between FSSC additional requirements of V 5.1 & V 6 ...................................... 16
7. OVERVIEW ISO 22000:2018 ................................................................................................. 23
7.1. 4 CONTEXT OF THE ORGANIZATION ................................................................................... 23
7.2. 5 LEADERSHIP........................................................................................................................ 26
7.3. 6.PLANNING ............................................................................................................................ 30
7.4. 7 SUPPORT ............................................................................................................................. 34
7.5. 8. OPERATION ........................................................................................................................ 38
7.6. 9. PERFORMANCE EVALUATION .......................................................................................... 48
7.7. 10. IMPROVEMENT ................................................................................................................. 51
8. SECTION 3............................................................................................................................... 54
8.1. Introduction to FSMS Auditing .............................................................................................. 55
8.2. Certification of an FSMS to FSSC 22000 ............................................................................... 59
8.3. Planning the Audit .................................................................................................................. 62
8.4. Undertaking the Audit ............................................................................................................ 67
8.5. Reporting the Audit ................................................................................................................ 81
8.6. Corrective Action, Audit Follow-Up and Close Out .............................................................. 82
9. SECTION 4 - FOOD SAFETY MODERNIZATION ACT (FSMA) .............................................. 85
Page 2 from 88
1. FOREWORD
Welcome to your CQI and IRCA Certified FSMS based on FSSC 22000 version 6 Auditor/Lead Auditor
Training course.
TÜV NORD CERT GmbH has been independently assessed and approved by the CQI and IRCA. This
means they have the processes and systems in place to deliver certified courses to the highest standard.
About the CQI and IRCA
The CQI is the only chartered professional body dedicated entirely to quality.
IRCA is its specialist division dedicated to management system auditors.
Find out more about the CQI and IRCA at www.quality.org
Today, auditing is recognized as an extremely powerful technique that may be used by managers
alongside other management techniques to ensure adequacy of operations and assist in the
achievement of objectives.
Auditing is no longer confined to financial operations, in relation to which it is an accepted and respected
practice the need for which is well understood and demanded in senior management circles. With the
explosion of quality improvement throughout the world, auditing has received much attention as a means
of ensuring that plans and systems for the achievement of customer satisfaction are being followed and
are fully effective. In addition, the increasing legal requirement that must be met by organizations and
individuals has resulted in the setting up of regulatory authorities’ who need to establish if such
compliance obligations are being met. The approach adopted to gain this information is to use audit
techniques, basically, similar to those adopted by those with an interest in Quality Improvement.
There is therefore a need to ensure that when auditing is required, for whatever purpose, those
delegated the task are adequately equipped by way of training in the tools and techniques necessary to
perform audits in a fully satisfactory manner. Audits need to be conducted efficiently and effectively to
gain information in the least disruptive manner to those subject to audit activity. It is also necessary to
ensure that those who are to undertake such a task are the “right type of person” capable of seeking out
the information in a manner that is fully acceptable to those under scrutiny, without causing antagonism
or ill feeling, and fostering a culture of partnership and no blame.
This course is one of a series of modules offered by TÜV NORD CERT GmbH (TN Cert) providing
training for auditors, the series being based on the modular approach to auditor training adopted by the
U.K. International Register of Certificated Auditors (IRCA). TN Cert is a Registered Training Organization
under the IRCA scheme (Approved Training Partner 1180156).
We hope you enjoy the courses, even though it will require a good deal of hard work on your part. Our
tutors have been selected for their experience and ability to impart knowledge to others. You are in
capable hands. We wish you every success and look forward to seeing you on future courses.
Page 3 from 88
2. COURSE AIMS AND OBJECTIVES
The aim of this course is to provide learners with the knowledge and skills required to perform first,
second and third-party audits of food safety management systems against the FSSC 22000 scheme, in
accordance with ISO 19011, ISO 22003-1 and ISO 17021-1, as applicable.
The scheme includes ISO 22000, sector specific requirements (ISO/TS 22002-x series) and FSSC 22000
additional requirements.
Learners who complete this CQI and IRCA Certified FSSC 22000 Lead Auditor Training course
successfully (within the five years prior to making an application to become a certificated auditor) will
satisfy the training requirements for initial certification as an IRCA FSMS auditor.
For the full requirements, please refer to quality.org/IRCA-grades.
This 5-day Food Safety Management System (based on FSSC 22000) Auditor/Lead Auditor Training
Course has been designed specifically for members of food safety teams and internal auditors of
companies with FSMS, FSMS consultants, FSMS auditors of Certification Bodies and any person who
wish to develop their knowledge and skills related to FSMS based on FSSC 22000 Audit process.
The World Standard for FSMS (based on FSSC 22000) requires that audit protocols and procedures are
followed so that the performance of the FSMS based on FSSC 22000 can be assessed. Training needs
of food safety audit teams are obviously of prime importance. This provides delegates with the ability and
confidence to ask the right questions, to evaluate food safety information and to undertake effective
FSMS based on FSSC 22000 audits which meet the requirements of the international auditing
standards.
A combination of concise lectures and presentations will be made together with group and individual
exercises. Delegates will be divided into FSMS audit teams who will work on a Case study.
An FSMS based on FSSC 22000 audit will be undertaken as a simulated exercise.
Various aids will be available and at the end of the week each audit team will present findings to the
other groups.
The total course duration is five days, and includes some evening work to be undertaken by delegates
working in syndicate groups, and comprises a combination of formal tuition coupled with participative
activities such as syndicate working, group discussion and simulated audit activities.
By the end of the course students will have the knowledge and skills to:
Knowledge
 Explain the purpose of a food safety management system, of food safety management
systems standards and the business benefits of the improved performance of the food safety
management system including its relationship with the Sustainable Development Goals
(SDGs) of organizations.
 Explain the role of an auditor to plan, conduct, report and follow up a food safety management
system audit within an audit programme in accordance with FSSC 22000, ISO 22003-1, ISO
17021- 1, and the guidelines in ISO 19011.
Page 4 from 88
Skills
 Plan, conduct, report and follow up an audit of a food safety and quality control management
system to establish conformity (or otherwise) with FSSC 22000 and in accordance with ISO
22003-1, ISO 17021-1, and the guidelines in ISO 19011.
With regards to FSSC 22000:
Explain the requirements of FSSC 22000.
Explain what is ISO 22000.
Explain the sector specific PRPs required by FSSC 22000.
Explain the FSSC 22000 additional requirements.
Explain difference in FSSC 22000 additional requirements of V5.1 and V 6
Explain the relationship between PRP ISO TS 22002-x series or PAS xyz , FSSC 22000 and ISO 22000
Explain the definitions in FSSC 22000 Appendix 1.
With regards to ISO 22000:
Explain the Plan-Do-Check-Act Framework.
Explain the interrelationship between management responsibility, organization’s context, needs of

interested parties, food safety policy, planning & risk assessment, food safety objectives, operational
controls, HACCP, control of monitoring & measuring, management review and continual improvement.
Explain the terminology defined in the standard.
Plan, conduct, report, follow up and close an audit of a food safety management system based on FSSC
22000 version 6 requirements and in accordance with ISO/IEC 17021-1, ISO 19011 and ISO 22003.
Introduction of ISO 22003 -1 :2022 and ISO 22003 – 2:2022 Food safety
SECTION 1
IRCA
SECTION 2
UNDERSTANDING FSSC 22000
Introduction
FSSC 22000
Overview of ISO 22003 – 1: 2022 & ISO 22003 – 2:2022
FSSC 22000 V6 Additional Requirements
Difference between V5.1 and V6 additional requirements
ISO 22000 - Context of the Organization
Page 5 from 88
ISO 22000 - Leadership
ISO 22000 - Planning
ISO 22000 - Support
ISO 22000 - Operation
ISO 22000 - Performance Evaluation
ISO 22000 - Improvement
SECTION 3
THE FSMS AUDIT PROCESS
Introduction to FSMS auditing
Certification of an FSMS to FSSC 22000
Planning the audit
Undertaking the Audit
Reporting the Audit
Corrective Action, Audit Follow-Up and Close Out
SECTION 4
FOOD SAFETY MODERNIZATION ACT (FSMA)
DELEGATE ASSESSMENT
While participating on this course you will be subject to formal assessment as required by CQI-IRCA,
which will involve two separate elements:
Continuous assessment of each delegate undertaking the course by the tutor (s) throughout the
duration of the course while delegates are engaged in undertaking various case studies,
collectively or individually, and during the simulated audit exercise. It will also involve each
delegate providing a written summary report upon completion of the simulated FSMS audit of the
case study Company.
A formal examination to be undertaken by each delegate:

a) online with IRCA directly within 30 days after the last day of the course.
b) As paper exam directly after the course
The type of exam valid for your course is fixed by IRCA and depends on language of the
course. Please contact your course provider in case of any questions.
Page 6 from 88
If a delegate should pass the continuous assessment, but fail the examination, the delegate may re-sit
the examination at a later date. If a delegate fails the examination with a particularly low mark, the
delegate will be advised to re-take the entire course.
If a delegate should fail the continuous assessment the delegate will be advised not to sit the
examination. The delegate has to complete the whole course to attend the exam.
Re-sit of the examination must be taken within 12 months of the original course, and with the original
course provider.
Please Note: Delegates must be in attendance for the full duration of course. Poor timekeeping during
any session will be taken into account during continuous assessment.
Right of Appeal:
IRCA online Exams
The CQI and IRCA has introduced the “online Exams: Appeals Policy and Process” which you
find in the separate document “CQI and IRCA Online Exams: Learner guide”.
Paper Exams
Delegates who fail the re-sit examination have the right of appeal. In the first instance such an
appeal must be made to the original course organizer who will liaise with TN Cert to obtain the
examination mark. If the marks are less than 65%, the delegate will be informed of the marks
and that a further review of the delegate’s examination script will not be undertaken. In the
event that the marks are 65% or above then a review of the examination script will be
undertaken. Such a review will involve a TN Cert examiner who did not conduct the training
course attended by the appellant or undertake the first marking of the examination paper. The
decision of this examiner will be final. If the appellant considers that the decision is in some
way unjust they may then appeal directly to CQI-IRCA.
Page 7 from 88
3. CQI-IRCA & THE AUDITOR REGISTRATION SCHEME
It is in the interest of both accreditation bodies and third-party certification bodies, and society in general,
that those carrying out assessment activities involving the auditing of management systems are properly
qualified. It was to this end that the U.K. Institute of Quality Assurance set up a scheme for the training
and registration of auditors. These schemes had been an international success and have been
paralleled in many parts of the world.
The International Register of Certificated Auditors (IRCA) is the major international controlling body for
auditors lead auditor training organizations.
The Registration Scheme operates for the qualification and registration of auditors engaged in the
auditing of management systems. They may be engaged in undertaking audits within their own
organization or acting either for purchasing or Organizations conducting second party assessments, or
within independent certification bodies and similar organizations conducting third party assessments,
provided they are applying nationally or internationally recognized standards, for food safety
management system.
The scheme is administrated by the CQI-IRCA. Membership of the CQI is not a requirement for
registration. The scheme is recognized by the U.K. Department of Trade and Industry and is likely to
ultimately be subject to UKAS Accreditation.
The primary aim of the schemes is to improve the standard of, and to achieve a higher level of
consistency in, the audit and assessment of management systems. It is intended to help purchasers and
procurement bodies to accept, either in whole or in parts, audits undertaken by auditors who meet the
criteria for qualification and experience.
The scheme is limited to establishing the competence, proficiency and integrity of those registered to
conduct audits of managements systems, and where applicable to control and co-ordinate the
assessment practice and techniques. It does not attempt to determine the suitability or capability of
personnel to undertake specialized technical audits. Where a product or service is highly specialized, or
where stringent safety or statutory requirements or national or commercial security considerations are
involved, audit/assessment organizations may wish to add their own specific criteria.
As an extension to this registration of quality system auditors, IRCA has recognized the need to provide
registration of FSMS auditors who wish to undertake audits against FSSC 22000.
Accordingly, a scheme has been developed which provides professional recognition of the skills of food
safety management system auditors who are able to undertake effective FSMS audits against
recognized FSMS standards (ISO 22000, FSSC 22000).
Page 8 from 88
IRCA Registration
For delegates wishing to register as an FSMS Auditor or FSMS Lead auditor with IRCA there are some
important requirements that should be noted:
Following successful completion of this course delegates may apply to become registered as an Auditor
or a Lead Auditor with IRCA. This will require the submission to IRCA of the necessary documentary
evidence of education, work experience, audit experience etc., and in addition evidence of satisfactory
training, including documentary evidence of successful completion of this course in the form of a copy of
the certificate issued. (Application must be made within 5years of completion of the training
course – final day of course and not the day when the examination was passed. Refer IRCA/1000
for further information).
Delegates who successfully complete this course will be issued with a numbered certificate which bears
the CQI-IRCA logo and clearly states the IRCA course certification number, and indicates the delegate
has passed the examination. Delegates who fail to reach the necessary standard will be issued with a
certificate of course attendance which will not carry such details. Delegates who have failed to achieve
the minimum pass marks in the examination will be permitted to re-sit the examination on one occasion
which must be within twelve months of the original course attended and with the original course provider.
For full details of the IRCA Auditor Registration Scheme contact:
International Register of Certificated Auditor (IRCA)
Third floor
90 Chancery Lane,
Holborn,
London WC2A 1EU
Telephone: +44 (0)20 7245 8600
Email: applications@quality.org
www.quality.org
Page 9 from 88
4. CQI PROFESSIONAL CODE OF CONDUCT
It is a condition of registration that registrants rigorously observe the following
For the purposes of this code “members” refers to all individuals whose competence is recognised
formally by The Chartered Quality Institute (The CQI). This includes but is not restricted to CQI
members, IRCA registered auditors and individuals on other CQI registers, as well as all members
of the Board of Trustees, Advisory Council and other governance bodies.
Statement of Personal Responsibility
It is the ethical and professional responsibility of all members to demonstrate the required
professional competence and behaviours in discharging the responsibilities of their role. Members
must uphold the highest ethical standards and integrity in exercising their professional duties or
other activities which might impact on the reputation of the profession and of the CQI. In support of
these aims all members are expected to understand and comply with this code of conduct.
Furthermore, the CQI reserves the right to suspend or withdraw membership and all associated
benefits from members who fail to comply with this code of conduct, in accordance with the
Enforcement Processes detailed below.
Professional Competence and Behaviour
In recognising the values and requirements of this code of conduct members shall:
1.1. Maintain professional knowledge and competence in order to successfully undertake their role
1.2. Act with due skill, care and diligence and with proper regard for professional standards
1.3. Undertake appropriate continuing professional development and record it in an appropriate

manner
1.4. Ensure that clients, employers and others who may be affected by their activities are not
misled
or ill-informed with regard to their level of competence and capability to successfully discharge their
responsibilities
1.5. Seek appropriate support whenever they are aware that their level of competency (knowledge,
skills, behaviours and experience) might be lacking with respect to the responsibilities they are
assigned
1.6. Accept responsibility and accountability for their own professional actions and decisions
1.7. Always act in a way which supports and upholds the reputation of the Quality profession
1.8. Work to ensure that the credibility and reputation of the CQI and all of its stakeholders is
protected
1.9. Be mindful of the distinction between acting in a personal and in a professional capacity
Page 10 from 88
1.10. When managing a team, ensure that those working for them have the appropriate level of
competence, supervision and support
1.11. Co-operate fully with the Institute in assuring the effective implementation of this Code of
Conduct (including investigation and resolution of any alleged or actual breaches)
Ethical Standards and Integrity
In recognising the values and requirements of this code of conduct members shall:
2.1 Seek to establish, maintain and develop business relationships based on confidence, trust and
respect
2.2 Always act honestly in all matters relating to the Institute
2.3 Demonstrate sensitivity for the customs, working practices, culture and personal beliefs of
others
2.4 Safeguard all confidential, commercially-sensitive and personal data acquired as a result of
business relationships and not use it for personal advantage or for the benefit or detriment of third
parties
2.5 Comply with prevailing laws
2.6 Advise the CQI Executive in writing whenever there is a suspicion that this code of conduct has
been breached
2.7 Be mindful of their responsibilities as professional people towards the wider community
2.8 Ensure potential or known conflicts of interest are declared at the earliest opportunity to ensure
professional judgement is not compromised or perceived to be compromised
Processes for Enforcement of this Code
All members, by virtue of their association with the Institute, have agreed to abide by the following
enforcement processes.
1. CQI0070 details the Misconduct Handling process for:
a. Reporting breaches of misconduct to the CQI
b. Undertaking a Preliminary Investigation
c. Conducting a Disciplinary Hearing
d. Establish and acting on the Board’s decision
e. Grounds for appeal
2. CQI0058 details the Disciplinary Appeals process for:
a. Submitting an appeal to the Advisory Council
Page 11 from 88
b. Preliminary review of the appeal
c. Convening an appeal panel
d. Reviewing the appeal submission
e. Holding an appeal hearing
f. Making an appeal recommendation to the Advisory Council
g. Communicating the outcomes of the Appeal Panel (Preliminary Recommendation)
h. Council review of recommendation
i. Appeal decision announced and actioned
Page 12 from 88
5. SECTION 1
5.1. Introduction CQI and IRCA
The CQI is the chartered body for quality professionals. We improve the performance of organizations by
developing their capability in quality management.
With members all over the world, we are uniquely placed to define and lead the quality profession,
setting the standards for its capability and scope through the CQI Competency Framework. We
encompass the whole quality community, including quality management professionals (CQI members)
and management systems auditors, through our specialist division IRCA (the International Register of
Certificated Auditors).
In partnership with our stakeholders, we support the development of good governance, agile assurance
and a culture of continuous improvement through membership services, training, learning and thought
leadership.
Established in 1919 as the Institute of Quality Assurance, we gained a Royal Charter in 2006 and
became the CQI shortly afterwards in January 2007. The CQI is the only organization in the world that
can award chartered status to quality professionals – an unrivalled mark of excellence.
As a registered charity (no. 259678), the CQI exists to benefit the public by advancing education in,
knowledge of and the practice of quality in industry, the public sector and the voluntary sectors.
Page 13 from 88
6. SECTION 2
UNDERSTANDING FSSC 22000

Introduction-FSSC 22000
Sector Specific PRP’s required by FSSC 22000
FSSC 22000 additional requirements as per V6
Difference between FSSC 22000 additional requirements of
V5.1 & V 6
ISO 22000 – Context of the Organization
ISO 22000 – Leadership
ISO 22000 – Planning
ISO 22000 – Support
ISO 22000 – Operation
ISO 22000 – Performance Evaluation
ISO 22000 – Improvement
Page 14 from 88
6.1. INTRODUCTION
The FSSC 22000 Certification Scheme outlines the requirements for the audit and certification of food
safety management system (FSMS) [FSSC 22000] of organizations in the food supply chain.
This manual address the requirements of new version 6 of the FSSC22000 scheme, published in
April 2023.The main factors that initiated the development of this version have been –
 Incorporating the requirements of ISO22003-1:2022

 Strengthening the requirements to support organization’s in their contribution to meeting
the sustainable development goals (SDGs).
 Editorial changes and amendments as part of continuous improvement.
The Scheme is based on:
 ISO 22000 :2018 requirements for any organization in the food chain
 Relevant pre-requisite programmes (PRPs) based on technical specifications for the sector
(ISO/TS 22002-x or PAS xyz)
 FSSC 22000 Additional requirements
The food chain category description used by this scheme is defined according to ISO 22003-1:2022.
The ISO 22003:2022 replaced the second ISO/TS 22003:2013.
Refer to http://www.fssc22000.com and down load FSSC 22000 Scheme version 6
Difference between ISO and Foundation of FSSC 22000
ISO Foundation of FSSC 22000
 ISO is the International Organization for FSSC 22000 is owned by a legal entity under
Standardization. Dutch law, called the Foundation FSSC 22000.
 160 national standards institutes from The Foundation is governed by strict by-laws
countries across the world are members of ensuring the continuing independency, non-
ISO. profit nature and transparency. This also
 ISO’s portfolio of more than 18 000 ensures that the finances are properly
standards provides practical tools managed, all costs of the Scheme are as low
 ISO technical committee ISO/TC 34 Food as possible and there is no funding to other
products SC 17, Management system for organizations or individuals. The Foundation
food safety, is responsible for developing facilitates and owns the Scheme and manages
and maintaining the ISO 22000 family of its use by licensed certification bodies. The
standards. FSSC 22000 ownership of the Scheme has its
 An ISO standard is developed by a panel of legal ground in copy-, trademark- and other
experts, within a technical committee. Once intellectual property rights under Dutch and
the need for a standard has been international law.
established, these experts meet to discuss
and negotiate a draft standard. As soon as
a draft has been developed it is shared with The Foundation has its registered office in the
ISO’s members who are asked to comment Netherlands and its place of business at the
and vote on it. If a consensus is reached the Stephensonweg 14, 4207 HB, in the city of
draft becomes an ISO standard, if not it Gorinchem.
Page 15 from 88
goes back to the technical committee for The Foundation is governed by Dutch law and
further edits. is a not for profit, legal entity, which means the
ISO standards are developed by groups of Foundation has no shareholders or members.
experts, within technical committees (TCs).
TCs are made up of representatives of industry,
NGOs, governments and other stakeholders,
who are put forward by ISO’s members.
Benefits of FSSC 22000

• International Certification Scheme for Food Safety Management Systems with the flexibility to cover
the entire supply chain.
• Fully benchmarked by the Global Food Safety Initiative (GFSI).
• Incorporates the international standard ISO 22000 (for Food Safety Management Systems), which
includes the HACCP Principles of Codex Alimentarius, with ISO/TS 22002-x (the sector specific pre-
requisite requirements ) with the FSSC 22000 additional requirements.
• Delivers high quality and consistent audits monitored by a robust Integrity Program and assured by
licensed Certification Bodies and qualified auditors.
• Enhances transparency throughout the food supply chain facilitated by the use of the common ISO
22000 Standard.
• Requires adherence to relevant regulatory and statutory requirements.
• Is governed by a non-profit Foundation and managed by an independent Board of Stakeholders
As per FSSC 22000, the food chain categories and related supply chain sectors fall within the
scheme scope of certification and therefore the organization need to make use of the right PRP
and consider Additional Requirements applicability to the organization as shown in FSSC
scheme v 6 Table 1. Overview of (Sub)Categories.
6.2. Difference Between FSSC additional requirements of V 5.1 & V 6
FSSC ADDITIONAL REQUIRMENTS V6 V 5.1 CHANGE

2.5.1 MANAGEMENT OF SERVICES AND √ √
PURCHASED MATERIALS (ALL FOOD CHAIN
CATEGORIES
2.5.2 PRODUCT LABELING AND PRINTED √ √

MATERIALS (ALL FOOD CHAIN
CATEGORIES)
2.5.3 FOOD DEFENSE (ALL FOOD CHAIN √ √

CATEGORIES)
Page 16 from 88
2.5.4 FOOD FRAUD MITIGATION (ALL FOOD √ √
CHAIN CATEGORIES)
2..5.5 LOGO USE (ALL FOOD CHAIN √ √

CATEGORIES)
2.5..6 MANAGEMENT OF ALLERGENS (ALL FOOD √ √

CHAIN CATEGORIES)
2.5.7 ENVIRONMENTAL MONITORING (FOOD √ √
CHAIN CATEGORIES BIII, C, I & K)
2.5.8 FOOD SAFETY AND QUALITY CULTURE √ √ Addition of

(ALL FOOD CHAIN CATEGORIES) Quality
culture
2.5.9 QUALITY CONTROL (ALL FOOD CHAIN √

CATEGORIES)
2.5.10 TRANSPORT, STORAGE AND WAREHOUSING √ √ Addition of

(ALL FOOD CHAIN CATEGORIES) Transport
2.5.11 HAZARD CONTROL AND MEASURES FOR √ Addition of
PREVENTING CROSS CONTAMINATION food chain
(ALL FOOD CHAIN CATEGORIES, categories
EXCLUDING FII)
2.5.12 PRP VERFITICATION (FOOD CHAIN √ Addition of

CATEGORIES BIII, C, D, G, I & K) BIII category
2.5.13 PRODUCT DESIGN AND DEVELOPMENT √ Addition of
(FOOD CHAIN CATEGORIES BIII, C, D, E, F, I design
& K) category
BIII.
2.5.14 HEALTH STATUS (FOOD CHAIN CATEGORY D)

2.5.15 EQUIPMENT MANAGEMENT (ALL FOOD √ New
CHAIN CATEGORIES, EXCLUDING FII)
2.5.16 FOOD LOSS AND WASTE (ALL FOOD √ New
CHAIN CATEGORIES, EXCLUDING I)
2.5.17 COMMUNICATION REQUIREMENTS (ALL √ New

FOOD CHAIN CATEGORIES)
2.5.18 REQUIREMENTS FOR ORGANIZATION WITH √ A Category

MULTI-SITE CERTIFICATION (FOOD CHAIN removed
CATEGORIES A, E, F & G)
Page 17 from 88
ISO 22000 Family of Standards:
 ISO 22000 - Food safety management systems - Requirements for any organization in the food
chain.
 ISO 22001 - Guidelines on the application of ISO 9001:2000 for the food and drink industry
(replaces: ISO 15161:2001).
 ISO/TS 22002- Prerequisite programme on food safety—Part 1: Food manufacturing; Part 2:
Catering; Part 3: Farming; Part 4: Food packaging manufacturing; Part 5-Transport and Storage ;
Part 6: Feed and animal food production
 ISO TS 22003 - Food safety management systems for bodies providing audit and certification of
food safety management systems.
 ISO TS 22004 - Food safety management systems - Guidance on the application of ISO
22000:2005.
 ISO 22005 - Traceability in the feed and food chain - General principles and basic requirements
for system design and implementation.
 ISO 22006 - Quality management systems - Guidance on the application of ISO 9002:2000 for
crop production.
ISO 22000 is also used as a basis for the Food Safety Systems Certification (FSSC) Scheme FSSC
22000. FSSC 22000 is a Global Food Safety Initiative (GFSI) approved scheme.
An Overview of ISO 22000 standard
What is a Management System?
A management system is the framework of policies, processes and procedures used to ensure that an
organization can fulfill all tasks required to achieve its objectives.
Management System Standards (MSS)
 ISO management system standards provide a model to follow when setting up and operating a
management system.
 They are the result of international, expert consensus and therefore offer the benefit of global
management experience and good practices.
 These standards can be applied to any organization, large or small, whatever the product or
service and regardless of the sector of activity.
What is a Food Safety Management System?
set of interrelated or interacting elements to establish policy and objectives and to achieve those
objectives, used to direct and control an organization with regard to food safety
 Food safety management system enables an organization in the food chain to demonstrate its
ability to control food safety hazards in order to ensure that food is safe at the time of human
consumption
 Adoption of a food safety management system (FSMS) is a strategic decision for an organization
that can help to improve its overall performance in food safety.
 Employs the process approach , which incorporates the Plan-Do-Check-Act (PDCA) cycle and risk-
based thinking .
Page 18 from 88
What are the benefits of a Food Safety Management System?
The potential benefits to an organization of implementing a FSMS are:

o the ability to consistently provide safe foods and products and services that meet customer and
-applicable statutory and regulatory requirements;
o addressing risks associated with its objectives;
o the ability to demonstrate conformity to specified FSMS requirements.
 Reduce the risk of food borne illness
 Reduce product loss/recalls
 Reduce customer complaints
 Comply with the law
 Protection of business reputation and brand name
 Helps to open door to international trade market
THE PDCA MODEL
 Process approach enables an organization to plan its processes and their interactions.
 The PDCA cycle enables an organization to ensure that its processes are adequately resourced
and managed, and that opportunities for improvement are determined and acted on.
Page 19 from 88
Figure 1: Illustration of the Plan-Do-Check-Act Cycle at two levels (ISO 22000:2028)
Plan: establish the objectives of the system and its processes, provide the resources
needed to deliver the results, and identify and address risks and opportunities;
Do: implement what was planned;
Check: monitor and (where relevant) measure processes and the resulting products and
services, analyse and evaluate information and data from monitoring, measuring
and verification activities, and report the results;
Act: take actions to improve performance, as necessary.
History of ISO 22000
Page 20 from 88
1st edition
ISO 22000:2005
2nd edition
ISO 22000:2018
Notable Changes in ISO 22000:2018
CONTEXT (Clause 4)
 The organization is required to identify any external and internal issues that may impact the
ability of their FSMS to deliver its intended outcomes.
 The organization is also required to determine the relevant needs and expectations of their
relevant interested parties – ie, those individuals and organizations that can affect, be affected
by, or perceive themselves to be affected by, the organization’s decisions or activities.
LEADERSHIP (Clause 5)
 Top management are required to demonstrate that they engage in key FSMS activities as
opposed to simply ensuring that these activities occur.
 This means there is a need for top management to be actively involved in the operation of their
FSMS and be accountable for its results.
RISK-BASED THINKING (Clause 6)
 The organization must evidence that they have determined, considered and, where deemed
necessary, taken action to address any risks and opportunities that may impact (either positively
or negatively) their FSMS´s ability to deliver its intended outcomes.
COMMUNICATION (Clause 7)
 Communication with interested parties plays an important role in an effective FSMS.
 The organization needs to be sure that the information provided is consistent with the information
generated within the FSMS, that is ‘that the organization is telling it ‘as it is’.
 To ensure that the information communicated is reliable.
 Documented information needs to be retained i.e. records of communication have to be retained.
OPERATIONAL PLANNING AND CONTROL (Clause 8)
 Hazards to be controlled by PRPs, OPRPs and /or CCPs.

 Documentation of PRPs, OPRPs and CCPs is required.
 Operational planning and control, Traceability, Emergency preparedness and response, Hazard
Control ,Updating the information specifying the PRPs and hazard control, Control of monitoring
and measuring, Verification related to PRPs and the hazard control plan, Control of product
and process nonconformities in place.
IMPROVEMENT (Clause 10)
Page 21 from 88
 Organizations have been required to improve their FSMS in order to improve their performance
and the effectiveness of the FSMS.
 Through the use of communication, management review, internal audit , analysis of results of
verification activities, validation of control measure(s) and combination(s) of control measure(s)
corrective actions and FSMS updating .
TERMINOLOGY (Clause 3)
 This clause contains the terms and definitions used in the standard.
ANNEXES ISO 22000:2018 has two informative annexes.
Annex A Cross references between the CODEX HACCP and this document
Annex B Cross references between this document and ISO 22000:2005
DOCUMENTED INFORMATION
 References to requirements for documents and records have been replaced by the term
“documented Information”, which has to be “maintained” in the case of documents and “retained”
in the case of records.
CLARITY
 There has been a conscious attempt to revisit the wording of the standard with a view to making
the requirements easier to understand and to aid its translation.
Bibliography
Auditor should familiarize with important terms and definition in FSSC 22000 Appendix 1 (found in
FSSC website) and ISO 22000:2018 clause 3.
One o f t h e I S O 2 2 0 0 0 : 2 0 1 8 requirement is that organizations establish, implement and maintain

prerequisite programmes (PRP) to assist in controlling food safety hazards . ISO 22002 series are
Technical Specifications intended to be used to support management systems designed to meet the
requirements specified in ISO 22000:2018, and sets out the detailed requirements for those
programmes.
The PRPs need to be specified, documented, approved by Food Safety Team and verified to meet
FSSC 22000 additional requirements and ISO 22000:2018 requirements. Records related to PRP
need to be kept by the organization.
For example , as per ISO/ TS 22002-1 Prerequisite programmes on food safety —Part 1:Food
Manufacturing, the following PRPs need to be established by a food manufacturing company and details
on how to implement the PRPs are in ISO TS 22002-1.
1. Construction and lay-out of buildings

2. Layout of premises
3. Supplies
4. Supporting services
5. Equipment
6. Management of purchased materials
7. Prevention of cross-contamination
Page 22 from 88
8. Cleaning
9. Pest control
10. Personnel hygiene
11. Rework
12. Recall
13. Warehousing
14. Product information
15. Food defence, biovigilance, bioterrorism
For other sector specific PRP required in FSSC 22000 Refer to FSSC 22000 Scheme
version 6 , Part 1 Scheme Overview Table 1. Overview of (Sub)Categories
7. OVERVIEW ISO 22000:2018
7.1. 4 CONTEXT OF THE ORGANIZATION
Clause 4.1 Understanding the Organization and its context
This clause requires Organizations to determine external and internal issues that are relevant to its
purpose and that affect its ability to achieve the intended result(s) of its FSMS.
Implications to the Organizations
The standard requires the organization to consider the internal and external issues in
 Establishing the scope of the FSMS,
 Determination FSMS associated risks and opportunities.
Page 23 from 88
Implications to the Auditors
 They will need to understand the external and internal issues typically experienced in the various
Organizations.
 Evidence needs to be obtained to provide assurance that organizations are regularly reviewing
and updating their external and internal issues.
 Auditors will face a challenge to do this if the organization decides not to maintain documented
information on the issues. Standard has not stated any such requirement.
Clause 4.2 : Understanding the needs and expectations of interested parties
Who are the Interested parties
Customers / Communities / Non-Governmental Organizations (NGOs) / Suppliers / Regulators /

/Investors / Employees
2 types of requirements:
 obligatory - (legal requirements)
 voluntarily - (other requirements)
Know how to be used as an input for
 defining the scope of the FSMS
Page 24 from 88
Identifying the relevant requirements of relevant interested parties
 determining the associated risks and opportunities
 Auditors will need to spend additional time to prepare for audits in order to establish their
understanding of the organization´s relevant interested parties and their requirements before
starting the audit.
 Evidence needs to be obtained to provide assurance that organizations are reviewing and
updating regularly their interested parties requirements.
 Auditors will need to also find out if there are any concerns raised / complaints reported by the
relevant interested parties and whether these have been considered in their FSMS.
 Auditors will face a challenge to do this if the organization decides not to maintain documented
information. Standard has not stated any such requirement.
Clause 4.3 : Determining the Scope of FSMS
Organization is required to determine the boundaries and applicability of the FSMS to establish its scope.
 Clear understanding of internal and external issues
 Clear understanding of interested party requirements
 Decision on what to include and exclude in the scope of FSMS
 Finalize an apropriate documented scope of FSMS
Page 25 from 88
 Knowledge about organization’s products and services, processes and production site(s)
 Knowledge about activities, processes, products or services that can have an influence on the food
safety of the end products.
 Understanding of interested party requirements on how to document scope of FSMS
 Confirmation of scope of FSMS with client/auditee
Clause 4.4 Food Safety Management System
The organization has to establish a food safety management system that conform to the requirements of
ISO 22000:2018 including the processes needed and their interactions. Once in place the FSMS needs
to be implemented, maintained, updated and continually improved.
In establishing FSMS , following knowledge is required :
 relevant external and internal issues
 requirements of the interested parties
 processes needed for effective FSMS
 interaction between the processes
7.2. 5 LEADERSHIP
Clause 5.1 Leadership and Commitment
Page 26 from 88
Top management to demonstrate leadership and commitment with respect to the FSMS not only by
ensuring the integration of the FSMS requirements into the organization’s business processes and
ensuring that ressources are available. The full list is described in the ISO standard 22000.
Business can be interpreted broadly to mean those activities that are core to the purposes of the
organization’s existence.
Ensure means the responsibility can be delegated, but not the accountability
Implications to the Organization
 Active involvement of top management is expected
 Clear understanding about what can be & what cannot be delegated
 Routine audit of top management henceforth
 Audit will now cover a wider set of issues
 Clear understanding about what can be & what cannot be delegated
 Should gain good understanding of the organization and also management activities
 Need to interact with top management on wider issues
 For many auditors, this will involve developing new and enhanced competencies.
Clause 5.2 : Policy
Page 27 from 88
Top management to establish, implement and maintain a food safety policy covering all items as
required by the standard.
Food safety policy is available and maintained as documented information, communicated, understood
and applied at all levels within the organization.
Available to relevant interested parties, as appropriate.
To establish the Policy
 Top management to establish appropriate food safety policy
 Food safety policy to include commitments as per ISO 22000:2018
 Auditors to check the involvement of top management in Policy development and deployment
 Is it compatible to the purpose and context of the organization
 To verify the general understanding among employees
 Auditors should address this requirement with the top management and should not be diverted to
the food safety team leader.
Clause 5.3: Organizational roles, responsibilities and authorities
It is important that the top management assigns and communicates the responsibilities and authorities for
all relevant roles in the FSMS, to ensure conformance of the FSMS to the requirements of the standard
and receipt of proper reporting on the FSMS performance. A Food safety team leader with team is to
be appointed.
Page 28 from 88
The Food safety team leader is responsible for all tasks mentioned in 5.3.2 of the standard.
All persons have the responsibility to report problem(s) with regards to the FSMS to identified person(s).
FSMS identified person (s) can be the immediate supervisor, food safety team leader or anyone from the
food safety team.
 Responsibilities and authorities for relevant roles are assigned, communicated and understood
within the organization.
 Consider staff who cannot read and write in terms of communicating responsibilities and
authorities.
 Check staff if responsibilities and authorities are understood.
 Communication lines for reporting problems to be established.
Food Safety team leader to accomplish his responsibilities stated in the standard.

 Responsibilities and authorities for relevant roles are assigned, communicated and understood
within the organization.
 Consider staff who can not read and write in terms of communicating responsibilities and
authorities.
 Check staff if responsibilities and authorities are understood.
 Communication lines for reporting problems established.
 Food Safety team leader accomplishment of his responsibilities stated in the standard.
Page 29 from 88
7.3. 6.PLANNING
Clause 6.1: Actions to address risks and opportunities
When planning for the FSMS, the organization is required to consider

-internal and external issues
-the relevant requirements of relevant interested parties
-the scope of FSMS
Organization is required to determine the risks and opportunities that need to be addressed to:
-give assurance that the FSMS can achieve its intended result(s);
-enhance desirable effects;
-prevent, or reduce, undesired effects;
-achieve continual improvement.
Concept of risks and opportunities is limited to events and their consequences relating to the
performance and effectiveness of the FSMS. Organizations are required to manage food safety hazards
and the requirements related to this process that are laid down in operational planning and control
(clause 8).
The organization is required to:
-plan actions to address these risks and opportunities;
-plan how to integrate and implement the actions into its FSMS processes
Page 30 from 88
-plan how to evaluate the effectiveness of these actions.
The actions taken by the organization to address risks and opportunities is required to be proportionate
to:
-the impact on food safety requirements
-the conformity of food products and services to customers
-requirements of interested parties in the food chain.
Actions to address risks and opportunities can include: avoiding risk, taking risk in order to pursue an
opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or
accepting the presence of risk by informed decision.
Opportunities can lead to the adoption of new practices (modification of products or processes), using new
technology and other desirable and viable possibilities to address the food safety needs of the organization
or its customers.
IMPLICATIONS FOR AUDIT PROFESSIONALS:
Many new issues for auditors, who should seek evidence that confirms that an organization has a
methodology in place that enables them to effectively identify risks and opportunities in respect of the
planning of their FSMS. The role of the auditor is not to carry out their own determination of risks and
opportunities, but to ensure that the organization is applying their methodology consistently and
effectively. However, where the auditor’s knowledge of the context of the organization reveals that the
organization has failed to identify a familiar known risk or opportunity, they may call into question the
organization’s approach. Auditors should ensure that the organization is taking a planned approach to
addressing risks and realizing opportunities. For those actions that have been completed, auditors
should ensure that each action’s effectiveness (or otherwise) has subsequently been assessed. They
should also ensure that the action taken was proportionate to the risk or opportunity. Auditors must
ensure they have a good understanding of the concepts of risk and opportunity and of the range of
methodologies that organizations may use to manage these areas.
Page 31 from 88
Clause 6.2 Objectives of the food safety management system and planning to achieve them
The organization is required to establish objectives for the FSMS at relevant functions and levels.
The objectives of the FSMS are i.a. to be consistent with the food safety policy or being verifiable. All
requirements are mentioned in the standard.
It is the responsibility of the organization that documented information on the objectives are always
retained.
When planning how to achieve its objectives for the FSMS, the What, Who, When and How needs to be
determined.
Top management may establish food safety objectives at the strategic level, the tactical level or the
operational level. The strategic level includes the highest levels of the organization and the food safety
objectives can be applicable to the whole organization. The tactical and operational levels can include food
safety objectives for specific units or functions within the organization and should be compatible with its
strategic direction. Food safety objectives should be communicated to persons working under the
organization’s control who have the ability to influence the achievement of food safety objectives.
“Consistent with the food safety policy” means that the food safety objectives are broadly aligned and
harmonized with the commitments made by top management in the food safety policy, including the
commitment to continual improvement and to satisfy applicable food safety requirements, including
statutory and regulatory requirements and mutually agreed customer requirements related to food safety,
ensure competencies related to food safety etc. Indicators are selected to evaluate the achievement of
measurable food safety objectives. “Measurable” means it is possible to use either quantitative or
qualitative methods in relation to a specified scale to determine if the food safety objective has been
achieved. By specifying “if practicable”, it is acknowledged that there can be situations when it is not
Page 32 from 88
feasible to measure a food safety objective, however, it is important that the organization is able to
determine whether or not food safety objective has been achieved.
The definition of objective is “result to be achieved” and can apply at different levels - strategic,
organization-wide, project, product, service and process. An objective can be expressed in different
ways, e.g. as an intended outcome, a purpose, as a food safety objective, or by the use of other words
with similar meaning (e.g. aim, goal, or target).
The organization must undertake planning in order to determine how its food safety objectives will be
achieved. This planning includes determining the work required in order for the organization to realize its
food safety objectives, the resources necessary to undertake this work, who will be responsible for
ensuring that the work is done and when the work needs to be completed by. Additionally, the
organization must determine how it will evaluate the work done including the use of indicators and,
whenever possible, integrate these planned actions into the organization´s business processes.
IMPLICATIONS FOR THE ORGANIZATIONS:
It is important to clarify that the term “objective” is not necessarily applicable to improvement processes.
An organization can consider a decision to keep a process under control as an objective (ie not
improving the performance of a process but preventing a decrease in its performance). In other words,
an objective may be defined to improve or to maintain a certain level of performance.
The sub-clause focuses not just on what needs to be done, but also asks organizations to identify what
resources will be required to do it, who will do it, when it will be completed and how it will be evaluated in
order to determine if it has realized the objective.
Auditors will have to add to their current knowledge and skills because of these more robust
requirements. They will have to know how to audit a set of interrelated objectives, ensuring that they are
mutually consistent and that they are aligned with the strategic direction of the organization. Auditors
should look for evidence that effective planning is taking place to support the achievement of the
organization’s food safety objectives.
6.3 Planning of changes

All changes w.r.t. the FSMS need to be communicated and carried out in planned manner and always
under consideration of potential consequences, integration, resources and eventually changes in the
responsibilities.
Page 33 from 88
7.4. 7 SUPPORT
7.1 Resources
The organization must initially determine and then subsequently provide the resources necessary to
establish, implement, maintain and continually improve its FSMS. Resources can include human
resources, natural resources, infrastructure, technology and financial resources. Examples of human
resources include specialized skills and knowledge. Examples of infrastructure resources include the
organization’s buildings, equipment, underground tanks and drainage system. The organization has to
identify which resources it needs to make available in order to ensure the effective operation of the FSMS.
Resources are needed for the effective functioning and improvement of the food safety management
system and to enhance food safety performance. Top management should ensure that those with food
safety management system responsibilities are supported with the necessary resources.
IMPLICATIONS FOR ORGANIZATIONS:
During the development of an FSMS, particular care should be taken to identify the different types of
resources needed. This could be simply providing equipment for the production or raw materials, but it
could also include the acquisition and maintenance of knowledge essential to keep the FSMS moving in
the right direction.
Auditors should not merely look at the budget to check that some funding has been allocated to the
FSMS. They must dig deeper, checking if the organization has really identified all types of resources
required and that it has taken action to ensure that those resources will be available when needed.
Page 34 from 88
Clause 7.2: COMPETENCE
The competency requirements of this International Standard apply to person(s), including external
providers, doing work under its control like the
a) food safety team leader

b) food safety team
c) person monitoring CCP
d) person taking corrective action
e) person doing verification activities
f) all person doing work in the organization that affects its food safety performance and effectiveness of
the FSMS;
Once these competency requirements have been determined, the organization must then ensure that
those people possess the necessary competencies, either on the basis of their education, training or
/and experience. If those people are found not to be competent, the organization is required to take
action (e.g. remedial training, recruitment or the use of external people) in order to acquire the necessary
competence. The actions taken need to be evaluated for effectiveness in raising competence to the
required level.
Additionally, organizations are still required to retain evidence to demonstrate that people doing work
under its control are competent. This evidence needs to be retained as documented information.
CLAUSE 7.3 AWARENESS
Awareness has now been elevated from a constituent element of a sub-clause to a separate sub-clause
in its own right. The spirit remains the same, but some minor upgrading has been introduced. There are
explicit requirements for people performing work under the organization’s control to be aware of the
organization’s food safety policy, any food safety objectives that are relevant to their task, , how they are
contribution to the effectiveness of the FSMS, including the benefits of improved food safety
performance and the implications of not conforming with the FSMS requirements.
CLAUSE 7.4 COMMUNICATION
“Communication” encompasses all internal and external communication relating to FSMS. Organizations
need to develop and implement a process to determine those FSMS-related matters on which it wishes
to communicate. Once this has been done, consideration must then be given as to the timing of such
communications, their target audience and their method of delivery.
When developing this process, organizations need to consider its compliance obligations and need to
ensure the quality of the information to be communicated. Two key features of the quality of the
information are: reliability and consistency with the information generated by the FSMS. The process
must ensure that all communications received are responded to.
Internally, organizations have to communicate information relevant to the FSMS amongst all levels and
functions, including information on any change, as appropriate, and have to establish a mechanism to
enable all persons performing work under the organization’s control to contribute to continual
improvement.
Externally, organizations have to communicate as required by their compliance obligations.

Additionally, organizations may choose to communicate on other issues, as appropriate.
Page 35 from 88
Communication allows the organization to provide and obtain information relevant to its food safety
management system, including information related to food safety aspects, food safety performance,
compliance obligations and recommendations for continual improvement. Communication is a two-way
process, in and out of the organization. When establishing its communication process(es), the internal
organizational structure should be considered to ensure communication with the most appropriate levels
and functions. A single approach can be adequate to meet the needs of many different interested
parties, or multiple approaches might be necessary to address specific needs of individual interested
parties.
The information received by the organization can contain requests from interested parties for specific
information related to the management of its food safety aspects, or can contain general impressions or
views on the way the organization carries out that management. These impressions or views can be
positive or negative. In the latter case (e.g. complaints), it is important that a prompt and clear answer is
provided by the organization. A subsequent analysis of these complaints can provide valuable
information for detecting improvement opportunities for the food safety management system.
Documented information as evidence of its communications has to be retained by the Organization.
This clause requires the organization to determine on what it will communicate, when it will
communicate, with whom it will communicate and how it will communicate. Organizations should be
prepared to evidence these four elements (what, when, with whom and how), which collectively appear
as the basis for a procedure. Communications must be transparent, appropriate, truthful and not
misleading, complete, factual, accurate, able to be trusted and understandable to interested parties.
Auditors should ensure the organization has identified external communications as well as internal
communications that need to take place in respect of the operation of its FSMS. They should also ensure
that the organization has determined what it needs to communicate, when it will communicate, with
whom it will communicate and how it will communicate. Auditors should be aware that the quality of the
information is to be seen as a key factor of an effective communication process.
CLAUSE 7.5 DOCUMENTED INFORMATION
There is no list of documents to be included in the FSMS. Now, this clause simply says that the FSMS
shall include the documented information required in ISO 22000:2018 and documented information
identified by the organization as necessary for the effective operation of its FSMS. The extent of
documented information can differ between organizations due to their size, complexity and the
competency of their people.
An organization should create and maintain documented information in a manner sufficient to ensure a
suitable, adequate and effective food safety management system. The primary focus should be on the
implementation of the food safety management system and on food safety performance, not on a
complex documented information control system. In addition to the documented information required in
specific clauses of this International Standard, an organization may choose to create additional
documented information for purposes of transparency, accountability, continuity, consistency, training, or
ease in auditing.
Documented information originally created for purposes other than the food safety management system
may be used. The documented information associated with the food safety management system may be
Page 36 from 88
integrated with other information management systems implemented by the organization. It does not
have to be in the form of a manual.
When documented information is created or updated, the organization must ensure that it is
appropriately identified and described (e.g. title, date, author, reference number). It must be in an
appropriate format (e.g. language, software version, graphics) and on appropriate media (e.g. paper,
electronic).
Documented information must be reviewed and approved for suitability and adequacy.
The organization is required to control documented information in order to ensure that it is available
where needed and that it is suitable for use. It must also be adequately protected against improper use,
loss of integrity and loss of confidentiality. The organization must determine how it will distribute, access,
retrieve and use documented information. It must decide how it will store and preserve documented
information, and how it will control any changes to the documented information. It must also decide its
retention and disposal arrangements. The organization is also required to identify any documented
information of external origin that it considers necessary for the planning and operation of the FSMS.
Such documentation must be identified and controlled.
For documents to be retained (i.e. records) storage, preservation, retention and disposition has to be
appropriately defined.
For documents to be maintained (i.e. documents) controls related to preservation of legibility and control
of changes (e.g. version control) has to be appropriately defined.
Documented information related to external origin shall be identified and controlled appropriately. These
may include documents such as any national / international standards, customer specifications /
requirements, legal documents, MSDS, process, equipment and machinery operation & maintenance
manuals, etc. Control part might consist of identification, listing and distribution control.
IMPLICATIONS FOR THE ORGANIZATIONS :
No change – these requirements are already contained in ISO 22000:2005. The term “documented
information” includes as, a subset, all “documents”, including all “records”. The 2004 terms “documents”
and “records” are not used in the 2018 edition.
In addition to the documented information required by ISO 22000:2018, organizations may choose to
have additional documented information for different purposes: accountability, consistency, training or
transparency.
Documented information must be controlled. While ISO 22000:2005 contains requirements for controls in
respect of the availability of documents, the new edition extends these also to cover the “access” and
“usage” of documented information required by the organization’s FSMS and by ISO 22000:2018.
Access can imply “permission to view only”, or “permission to view and authority to change”. Where
organizations chose to hold their documented information in electronic forms, there may be a need to
revisit access controls (passwords/logins) and authorization levels in order to ensure current controls are
appropriate. Organizations will need to consider how such systems are to be protected when passwords
are lost and how access to the documented information can be preserved in the event of system
unavailability. They will also be required to demonstrate how the integrity of their documented
information is maintained.
Page 37 from 88
With most organizations moving to electronic documents that are maintained and accessed remotely
using passwords, etc; this may mean more controls need to be demonstrated if claiming compliance.
The new edition does not require the maintenance or retention of much documented information.
Auditors will have to learn how to audit non (or scarcely) documented FSMS, where the evidence will no
longer be conveniently located on a piece of paper or in a computer. They will need to learn how to
obtain evidence just talking to people or watching activities being carried out. Auditors should note that,
while the requirement for a documented procedure specifying how documents are to be controlled has
been removed, the requirements above are mostly unchanged from ISO 22000:2005. Auditors will
increasingly find themselves having to access and use electronic systems in order to evidence how
organizations are controlling their documented information. This could require a technical upskilling.
7.5. 8. OPERATION
Overview about clause no. 8
This clause is clarifying the requirements for making a safe product, it’s stating the operating criteria of
many clauses of ISO 22000, whatever has been planned in clause no.4,5,6,7 can be implemented in
clause no.8
The sequence of the subclauses have been established in a systematic approach starting from
operational planning in clause no. 8.1 as no operation without proper planning, then PRPs as per clause
no. 8.2 which provides the basic conditions to establish a strong food safety management system , then
traceability system as per clause 8.3 to have a proper identification of the incoming material from the
suppliers and the first stage of the distribution route of the end product , then clause emergency
preparedness & response as per clause no. 8.4 which is clarifying incase if you lost your control at
certain times how will you deal with the consequences but keep in mind that handling this emergency
situations cannot be done effectively if the traceability system has not been implemented properly , then
hazard control as per clause 8.5 in this part standard started to speak on how will you control the
hazards (the food enemies) including identifying the hazards and assessing them and establish controls,
validation process and monitoring criteria and in general we can say this part is explaining the HACCP
rules including the preliminary steps and principles with some little changes, then clause no. 8.6 is
clarifying that all previous subclauses including 8.2,8.3,8.4,8.5 should be kept up-to-date as per clause
8.6 and also should be monitored as per clause no. 8.7 and to be verified from time to time as per clause
no. 8.8 and after all of this the standard is clarifying in case of any deviation in the limits of OPRPS ,
CCPs so control of product and process environment will be required as per clause no. 8.9 by
implementing corrections and corrective actions and handling potentially unsafe products
Notes:
a- HACCP plan as per 2018 version has been changed into HACCP control plan as per 2020
version
b- Action criteria is a new term has been added in 2020 version
c- Incident term has been added in 2020 version
d- Business environment has been added in 2020 version
e- Hazards which has to be controlled are food hazards and hazards from business environment.
CLAUSE 8.1 OPERATIONAL PLANNING AND CONTROL
Page 38 from 88
The organization has to plan, implement, control, maintain and update the processes needed to meet
requirements for making a safe product by the establishing criteria for the processes, implementation of
control of the processes in accordance with the criteria as well as by keeping documented information to
the extent necessary to have the confidence to demonstrate that the processes have been carried out as
planned.
Not only that but also the organization shall control the planned changes, review the consequences of
unintended changes in raw materials, equipment, legal requirements, business environment.
The controls should be extended to cover any outsourced processes for example as a cleaning
companies, pest control, catering companies and external warehouses, etc. who are executing some of
the organizations activities as per clause no. 7.1.6.
For AUDIT PROFESSIONALS:
Auditors shall ensure that the organization is having a certain control measures for all relevant processes
related to the product safety, this controls are documented and implemented
Auditors shall ensure that any changes have been done in the system including the infrastructures or
materials or final products ,…etc. have been planned and controlled and communicated to Food safety
team
Auditors shall ask for which processes are outsourced and whether some controls including a criterion of
work and monitoring have been established for this
Clause 8.2: Prerequisite programmes (PRPS)
8.2.1 The organization shall establish, implement, maintain and update PRP(s) to facilitate the
prevention and/or reduction of contaminants (including food safety hazards) in the products, product
processing and work environment.
So, the hazards are not limited to the products only but also it covers the hazards from product
processing and work environment.
8.2.2
PRP(s) have to be chosen under consideration of the organization and the respective context of the food
safety. Furthermore size and type of operation as well as the nature of the manufactured products or the
handled products shall be considered. All PRP(s) have to be implemented as general programmes or to
particular products or processes across the entire production system.
The food safety team is responsible for the approval.
8.2.3
It is required that all statutory, regulatory and customer requirements are identified prior to establishing
PRP(s). the ISO 22002 series and other standards and guidelines have to be considered.
8.2.4
The standard defines the necessary items to be considered to establish PRP(s). It includes for example
construction, lay-out of buildings and associated utilities; lay-out of premises, including zoning,
Page 39 from 88
workspace and employee facilities; supplies of air, water, energy and other utilities and many more.
Refer to the standard for all details.
Documented information shall specify the selection, establishment, applicable monitoring and verification
of the PRP(s).
For AUDIT PROFESSIONALS:
Auditors shall observe, judge all the mentioned PRPs physically during the site tour and verify all
documents related to the monitoring and verification of each PRP as appropriate.
Auditor shouldn’t forget to visit the staff locker rooms including toilets to check the cleanliness and its
functioning properly
Auditor should be aware of ISO/TS 22002 series, all relevant codes of practice and guidelines
Clause 8.3: Traceability System
traceability system enables to follow the movement of any food product by documentation of each point
of food handling. When an incident occurs, the food traceability system could efficiently assist in the
recall of the food product(s) in question and assist in the investigation of the cause. Also transmitting and
verifying the relevant information would contribute to increasing reliability on the information of the label
and so on, and thus enables consumers to purchase food with a sense of security.
The organization shall ensure that applicable statutory, regulatory and customer requirements are
identified.
the following shall be considered as a minimum:

a) relation of lots of received materials, ingredients and intermediate products to the end products;
b) reworking of materials/products;
c) distribution of the product.
The following positive effects are expected by food business operators who achieve the traceability
system objectives:
The minimization of the impact on human health or society induced by food safety accidents or
nonconformance, as well as economic loss by facilitating prompt investigations and withdrawal/recall of
problem foods from the supply chain.
The elimination of misleading labeling or information through improvement of information reliability
including the operator’s product label.
The facilitation in handling other parties’ inquiries, such as complaints.
The contribution to continued positive business relationships, by ensuring trust of consumers and
customers.
The contribution to brand name protection through the same reason as above.
The connection and combining each operator’s existing systems (i.e. safety control system,
purchasing/processing/sales management system, and inventory management system), it allows
operators to improve operation, as well as save costs and increase employee awareness. Also this
enables the improvement of efficiency in existing systems.
The analysis on recorded history information contributes to technological improvement in production,
processing and storing.
Page 40 from 88
For AUDIT PROFESSIONALS
Auditors can observe, judge the traceability system through 2 techniques
1- Forward audit: by starting to test the traceability system for the product from the time of receiving
the raw materials till supplying the end product, or by
2- Backward audit: by starting to test the traceability system from the end product towards the raw
materials
8.4 Emergency preparedness and response

Food Safety Emergency?
is a situation whether accidental or intentional, that is identified, by a CA as constituting a serious and yet
uncontrolled foodborne risk to public health that requires urgent action.
(Codex Alimentarius, document CACGL-19)
Or
An unforeseen combination of circumstances that calls for immediate actions
(US FDA (2005))
Incident?
Any event there are concerns about actual or suspected threats to the safety and quality of food, require
intervention to protect consumers (Food Standards Agency of the UK (2009))
or
Any situation where is a risk, potential risk or perceived risk of illness or confirmed illness associated with
the consumption of food
(AUS – National Food Incident Response control (2007)
Page 41 from 88
Why emergency preparedness and response?
• Reduces the number of decisions during an emergency
• Enables timely & coordinated response
• Reduces confusion (and disagreement)
• Agreed structures, roles & responsibilities • Legislative authority & limitations understood
The stockholders (interested parties) are playing an important role in the planning and response to
emergency situations
Documented information shall be established and maintained to manage these situations and incidents.
Top management shall ensure procedures are in place to respond to potential emergency situations or
incidents
Examples of emergency situations that can affect food safety and/or production are
1- natural disasters, environmental accidents,

2- bioterrorism,
3- workplace accidents,
4- public health emergencies like (avian infleunza, cholera)
5- other accidents, e.g. interruption of essential services such as water, electricity or refrigeration
supply.
Page 42 from 88
Auditors can observe, judge the emergency preparedness through verifying the established documented
information of how to the organization is responding to the actual emergency situations and how it can
communicate this internally and externally and how to reduce the consequences of the emergency
situations , the frequency of testing this emergency response , before all of that who will be responsible
for handling this emergency situations
8.5 Hazard control
Consists of 8.5.1 Preliminary steps to enable hazard analysis with sections for Characteristics of raw
materials, ingredients and product contact materials (8.5.1.2), Characteristics of end products (8.5.1.3),
Intended us (8.5.1.4 and flow diagrams and description processes (8.5.1.5).
In any case the statutory and regulatory food safety requirements need to be identified by the
organization for all raw materials, ingredients and product contact materials as well as for all end
products intended to be produced. Documented information has to be maintained by the organization.
For the intended use it is important that the organization considers not only the intended use but also all
reasonably expected mishandling and misuse of the end product. Documented information shall be
retained.
The organization should consider whether the product is intended for supply to other food businesses or
direct to the final consumer. You should also consider whether target consumers fall into one of the
following vulnerable groups. Ask yourself “Do the consumers of my product have a particular food safety
requirement?” It is your responsibility to understand your target group and increase your knowledge and
awareness of hazards (physical, chemical, biological and allergens) that are of a concern to the
vulnerable group/s.
Is the product intended to be consumed by sensitive groups who may be allergic to

specific food ingredients? Are claims such as “free from” made on the product label and
Allergy
if so are such claims substantiated? Disclaimers such as “May Contain” should only be
sufferers
made where a thorough risk assessment identifies a residual risk of contamination by a
food allergen after all reasonable control measures have been applied.
Infants and young children are regarded as a vulnerable group when it comes to food
Young safety. You need to think about what additional hazards may be specific to this target
group (e.g. type of food, size of food, choking hazards, mineral levels).
If elderly people are going to consume the product think about hazards that are specific
to this group. Older adults are more susceptible to foodborne illness. The immune
Elderly system often weakens as you get older and stomach acid also decreases, stomach acid
plays an important role in reducing the number of bacteria in our intestinal tracts and the
risk of illness.
Page 43 from 88
Flow diagrams, established, maintained and updated by the food safety team, need to be available as
documented information for the FSMS.
The flow diagrams represent the processes and are valid input parameter and therefore must be as
detailed as necessary, clear and accurate enough for the hazard analysis. Refer clause 8.5.1.5. for the
details.
8.5.2 Hazard Analysis
Risk is a measure of the likelihood of a hazard doing harm and how much harm the hazard could do. Or,
another way of looking at it is to consider risk an estimate of the probability of a hazard being present. All
activities related to food production and handling involve some hazards. However, how we do something
or what we do determines the level of risk. By understanding how to reduce or eliminate food hazards,
it’s then possible to set up food safety controls. These will lower risks to consumers and these actions
are an important part of risk analysis.
Hazard analysis should be done through 3 steps
1- Hazard identification and determination of acceptable levels (8.5.2.2)

2- Hazard assessment (8.5.2.3)
3- Selection and categorization of control measure(s) (8.5.2.4)
Don’t forget after these 3 steps – Validation of the control measures and its combinations is required (8.5.3)
8.5.2.2 Hazard identification and determination of acceptable levels
All reasonably expected food safety hazard to occur (related to product type, process type and process
environment) shall be identified. As input for the same data collected according to 8.5.1, experience,
internal and external information, the food chain as well as statutory, regulatory and customer
requirements need to be considered.
All steps need to be identified as which food safety hazard can be present, introduced, increased or
persist.
Acceptable levels of food safety hazards in the end product have to be determined by the organization
for each identified hazard. Documented information have to be maintained for the same.
8.5.2.3 Hazard assessment
All food safety hazards have to be assessed w.r.t. adverse health effects as well as the likelihood of its
occurrence in the end product. Results of the hazard assessments done by the organization according to
ISO 22000 have to be documented and maintained.
8.5.2.4 Selection and categorization of control measure(s)
In two sub clauses the ISO 22000 defines the need of appropriate control measure(s) to prevent or
reduce the identified significant food safety hazards to defined levels.
8.5.4 Hazrad control plan (HACCP/OPRP plan)
In 5 sub clauses the ISO 22000 describes the need to establish, implement and maintain a hazard
control plan by the organization. Detailed requirements are provided for the determination of critical limits
Page 44 from 88
and action criteria, monitoring systems at CCPs and for OPRPs, actions when critical limits or action
criteria are not met as well the need for the implementation of the hazard control plan.
OPRPs controls are concerned with food safety hazards of processing environment while CCPs control
are concerned with the food safety hazards of the food manufacturing processes
Whereas PRPs are concerned with the manufacturing environment, CCPs are concerned with specific
hazards that could result in foodborne illness and are likely to occure . also one way can be considered
in certain cases to distinguish PRPs from CCPs is to consider which hazards should continue to be
controlled in the event of a power outage in a processing plant
Also OPRPs are not mandatory to be measurable for this reason no critical limit is required for each
OPRPs , it needs only An action criteria to be established to determine whether an OPRP remains in
control, and distinguishes between what is acceptable (criterion met or achieved means the OPRP is
operating as intended) and unacceptable (criterion not met nor achieved means the OPRP is not
operating as intended).
While CCPs are mandatory to be measurable so for each CCPs a critical limit should be
determined.
 Examples of CCPs
 Cooking/pasteurization
 Cooling
 pH level
 blanching
 metal detector
 Examples of OPRPs
 Temperature control
 Sanitation effectiveness (pathogen or allergen)
 Hand washing and sanitizing
 Glass policy , metal policy (not designated as CCP)
8.5.4.3 Monitoring systems at CCPs and for OPRPs
Page 45 from 88
 Some newer methods for monitoring OPRPs include:

■ Pest e-monitoring: device installed on top of the bait station that instantly sends a signal to a facility
device to alert that pest activity is occurring
■ Hand washing and sanitizing monitoring systems
■ Smart ID badges: zone movement monitoring, hand sanitizing monitoring by location or interval, and
bathroom/hand wash monitoring
■ Remote video monitoring (could improve food safety, quality and production efficiency)
■ ATP bioluminescence cleanliness monitoring
 Monitoring of CCPs
 Monitoring actions must be able to detect a loss of control at the CCP and provide rapid
results. This should be in time to allow corrective action to be taken, to regain control of the
process whilst the product is still under your control.
 Examples: On–line time, temperature.
 Off-line – Salt, pH, Aw, total solids.
 Generally microbiological testing is not considered to be suitable as a monitoring activity because
the results are not quick, even with the most rapid methods results are not
instant. Microbiological testing is useful as a verification activity (see principle 6).
 Continuous Monitoring Systems e.g. process temperatures recorded on thermograph.
 Discontinuous Monitoring System e.g. sample collection and analysis such as ph.
 Samples must be representative of the bulk product.
8.6 Updating the information specifying the PRPs and the hazard control plan
Auditors shall ensure that the applicable legal requirements and relevant code of practices have been
considered in all control measures including PRPs, OPRPs, CCPs
Auditors shall ensure that whatever have been required as per the hazard control plan have been
implemented effectively by the organization , its advisable that the auditor should carry the HACCP
control plan during his site tour to verify the control measures physically
Auditors shall ensure that all data in the HACCP control plan are Up to date
8.7 Control of monitoring and measuring

Auditors shall ensure that The monitoring and measuring equipment used shall be:
a) calibrated or verified at specified intervals prior to use;
b) adjusted or re-adjusted as necessary;
c) identified to enable the calibration status to be determined;
d) safeguarded from adjustments that would invalidate the measurement results;

e) protected from damage and deterioration.
Page 46 from 88
The results of calibration and verification shall be retained as documented information. The calibration of
all the equipment shall be traceable to international or national measurement standards; where no
standards exist, the basis used for calibration or verification shall be retained as documented
information.
The organization shall assess the validity of the previous measurement results when the equipment or
process environment is found not to conform to requirements. The organization shall take appropriate
action in relation to the equipment or process environment and any product affected by the non-
conformance.
The assessment and resulting action shall be maintained as documented information.
8.8 Verification related to PRPs and the hazard control plan
Verification definition:
confirmation, through the provision of objective evidence, that specified requirements (3.38) have been
fulfilled
verification is applied after an activity and provides information for confirmation of conformity.
The subcolauses of the ISO 22000 define the requirements for the verification and analysis of results of
verification activities.
8.9 Control of product and process nonconformities
Consisting of :
8.9.1 General
8.9.2 Correction
8.9.3 corrective action
8.9.4 handling of potentially unsafe products
8.9.4.1 General
8.9.4.2 Evaluation for Release
8.9.4.3 Disposition of Non-conforming products
8.9.5 Withdrawal / Recall
8.9.4 Handling of potentially unsafe products
In 4 sub clauses the ISO 22000 defines the requirements for handling of potentially unsafe products with
specifications of the evaluation for release, disposition of nonconforming products as well as withdrawal /
recall requirements.
Page 47 from 88
7.6. 9. PERFORMANCE EVALUATION
Clause 9.1: Monitoring, Measurement, Analysis and Evaluation
The organization has to determine what it needs to monitor and measure. Once this has been done, the
organization has to determine how it is going to carry out these monitoring and measurement activities in
order to ensure that the results obtained are valid. The requirement for methods to ensure valid results
also extends to the analysis and evaluation of the results obtained from the monitoring and
measurement activities. These methods may include, as appropriate, statistical techniques to be applied
to the analysis of those results. In addition, the organization must also determine when monitoring and
measurement should be carried out and at what stage the results of monitoring and measurement
should be analyzed and evaluated.
Finally, there is a requirement for organizations to evaluate their food safety performance and the
effectiveness of their FSMS. Monitoring and measurement equipment must be calibrated or verified, as
appropriate.
The organization is required to analyse and evaluate appropriate data and information arising from
monitoring and measurement, including the results of verification activities related to PRPs and the
hazard control plan, the internal audits and external audits.
The analysis is required to be carried out:
-to confirm that the overall performance of the system meets the planned arrangements and the FSMS
requirements established by the organization;
- to identify the need for updating or improving the FSMS;
-to identify trends which indicate a higher incidence of potentially unsafe products or process failures;
-to establish information for planning of the internal audit programme related to the status and
importance of areas to be audited;
Page 48 from 88
- to provide evidence that corrections and corrective actions are effective.
The results of the analysis and the resulting activities are required to be retained as documented
information which is to be reported to top management and used as input to the management review and
the updating of the FSMS . Methods to analyse data can include statistical techniques.
IMPLICATIONS FOR ORGANIZATIONS :
There are several elements of this clause that need careful review. Organizations should ensure that the
time spent planning monitoring and measurement is consistent with the variability of the organization’s
processes and is coordinated with the need for analysis and evaluation. The results of monitoring and
measurement have to be reliable, reproducible and traceable, in order to generate a consistent set of
data that can be analyzed, using solid statistical techniques when appropriate, in order to permit the
evaluation of conformance with pre-established requirements. There is no obligation to use sophisticated
statistical techniques, just to apply a “statistical analysis for decision making”.
IMPLICATIONS FOR AUDITORS:
Auditors should be aware that organizations now need to evidence both analysis and evaluation of raw
data obtained from monitoring and measurement. It is not sufficient to just monitor and measure without
carrying out an analysis and evaluation of the results. Auditors should have a basic knowledge of the
basic statistical techniques in order to evaluate the effectiveness of the processes related to this clause.
Clause 9.2: Internal Audit
There is a requirement for the Organization to carry out internal audits at planned intervals in order to
provide information as to whether the FSMS conforms to both the organization’s own requirements and
the requirements of ISO 22000:2018. Internal audits must also identify whether the FSMS is being
effectively implemented and maintained. This clause also sets out a series of requirements relating to
how audit programmes must be structured, what audits must cover, who should undertake audits and
how audits are to be reported. When designing an audit programme, organizations need to consider, the
importance of the processes concerned, changes within the organization, risks and opportunities, and
the results of previous audits. Each audit needs to have a defined scope and its own audit criteria. Audits
and auditors need to be impartial and objective.
Finally, the findings from audits need to be fed back to the relevant management and any required
corrections or corrective actions being taken in a timely manner. Documented information needs to be
retained to provide evidence that the audit programme has been implemented. Documented information
must also exist to provide evidence of the results of audits.
Food safety professionals should note that while the detailed requirements for internal audit are
essentially unchanged from ISO 22000:2005 there are two important revisions. In the 2005 version the
purpose of internal audit is to ‘determine’ whether the FSMS is conforming to requirements and is
effectively implemented and maintained, ie to actually make the judgement. In the 2018 version the
purpose of internal audit is to simply ‘provide information’ as to whether this is the case. The
determination is now done elsewhere (management review). Secondly the results of internal audit now
need to be fed back to the food safety team and ‘relevant management’ not ‘management’. Relevant
management are those individuals best to act on the audit findings.
Page 49 from 88
There is no longer a requirement for organizations to establish a documented internal audit procedure.
However, organizations may still choose to operate one if they wish so. Organizations should note the
need to retain documented information evidencing the implementation of an audit programme and also
the results of audits.
Auditors should not necessarily expect to find a documented internal audit procedure in place. However,
they must be able to access documented information confirming the implementation of an audit
programme by the organization. Documented information must also be available to evidence the results
of audits. Note the amended requirement to now feedback the results of audit to relevant management.
Note the revised purpose of internal audit – to provide information as to whether the FSMS complies with
requirements and is effectively implemented as opposed to determining whether this is the case.
Clause 9.3: Management Review
This clause requires reviews of the FSMS to be undertaken by top management at planned intervals in
order to ensure its continuing suitability, adequacy and effectiveness. Management review is to consider:
the status of actions from previous management reviews, changes in external and internal issues that are
relevant to the FSMS, including changes in the organization and its context, information on the
performance and the effectiveness of the FSMS, including several trends as detailed in the ISO 22000.
In addition the following need to be reviewed, the adequacy of resources, any emergency situation,
incident or withdrawal/recall that occurred, relevant information obtained through external and internal
communication, including requests and complaints from interested parties and opportunities for continual
improvement.
Presentation of data have to be organized in a way that the top management can review the same
compared to the stated objectives of the FSMS.
This clause also sets out specific requirements in respect of the outputs from management review like
decisions and actions related to continual improvement opportunities and any need for updates and
changes to the FSMS, including resource needs and revision of the food safety policy and objectives of
the FSMS.
It is interesting to notice that this requirement is no longer located in the “plan” part of the FSMS. Now it
appears in the “check/evaluation” part, since it is just an evaluation of the FSMS under the direct
responsibility of the top management. The implication for organizations is a more comprehensive
management review process. It should be noted that a lot of the information listed will already be
available in some organizations, but may not have been considered under ‘food safety management’ in
the past. Some organizations have for many years asked the Management Representative to prepare all
of the information needed for this review along with a draft of the conclusions. In such instances top
management just afforded the information a quick look and approved the draft report. Now, is it clear that
the information has to be provided by all relevant managers and the analysis made and the decision
taken by top management. This is another example of the more extensive involvement by top
management expected by the new edition of the standard.
Page 50 from 88
Auditors should expect to evidence a more strategically focused management review. Context, risks and
opportunities need to be considered, as well as the alignment of the FSMS to the organization’s overall
strategic objectives. These days, it is not unusual to see auditors audit this requirement during an
interview with the Management Representative, who typically has all necessary records to show them.
These new requirements expect auditors to audit this clause with Top Management. In order to do so
effectively they must be competent to discuss, face to face with one or more senior managers, strategic
issues that go beyond operational issues. Consequently auditors need to upgrade their skills. They also
need to gather as much information as possible on the context of the organization and its interested
parties as part of the audit preparation.
7.7. 10. IMPROVEMENT
Clause 10.1 : Non-Conformity and Corrective Action
This clause sets out how the organization is required to act when nonconformity is identified. In such
instances, the organization is required to take whatever action is necessary to control and correct the
nonconformity, and to deal with any resultant consequences. The organization should also determine if
similar non-conformity has occurred elsewhere and consequently whether it needs to take similar
corrective action. In the case of an emergency, the organization should trigger the emergency plan. The
organization has also to consider whether any further action is required to prevent a similar
nonconformity recurring at the same place or occurring somewhere else, at some point in the future. This
requires the organization to determine what caused the nonconformity and then to consider whether the
potential for a similar problem remains. The organization must then implement any actions identified as
necessary to eliminate the cause of the non-conformity, must review their effectiveness and must make
changes to the FSMS itself if so required. This clause also recognize that the actions organizations take
on nonconformities should be appropriate to the effect of those nonconformities.
Page 51 from 88
On discovering nonconformity, there is now an explicit requirement for organizations to determine whether
other similar nonconformities actually do or potentially could exist elsewhere. Documented information to
be retained are the nature of the nonconformities and any subsequent actions taken and the results of any
corrective action.
Auditors should evidence that, where nonconformities have been identified by an organization, an
investigation has been conducted to determine whether other similar nonconformities actually do or
potentially could exist. They should also evidence that where a non-conformity has occurred, the
organization has considered whether it needs to make changes tin the FSMS to prevent recurrence or
occurrence elsewhere. Ensure that the required documented information is available.
Clause 10.2: Continual Improvement
This clause requires the organization to work continually to improve its FSMS in terms of its suitability,
adequacy and effectiveness.
 “continual” means that this activity occurs over a period of time, but with potential intervals of
interruption, while “continuous” means duration without interruption
 ”suitability” means how the FSMS fits the organization, “adequacy” whether it meets the
requirements of ISO 22000:2018, “effectiveness” whether it is achieving the desired results.
Top management is required to ensure that the organization continually improves the effectiveness of
the FSMS through the use of communication , management review, internal audit, analysis of results of
verification activities, validation of control measure(s) and combination(s) of control measure(s)
corrective actions and FSMS updating .
Organization to use communication, management review, internal audit, analysis of results of verification
activities, validation of control measure(s) and combination(s) of control measure(s) corrective actions
and FSMS updating to improve its FSMS.
Auditors should evidence that organizations are using the outputs from their analysis and evaluation,
internal audit and management review processes to identify improvement opportunities and FSMS
underperformance. They should also verify that the organization is using suitable tools and
methodologies to support its investigations. They should also check whether the organization has
implement the identified opportunities for improvement in a controlled manner.
Clause 10.3 Update of the food safety management system

The ISO 22000 requires the top management involvement to ensure the continuous update of the
FSMS. Input for the update shall be e.g. internal and external communication or output from
management review. More items are mentioned in ISO 22000.
Page 52 from 88
Food safety team evaluates the FSMS at planned interval , keep records of system updating activities
and report as input to the management review .
Auditors to obtain evidence of Food safety team evaluation of the FSMS at planned interval records of
system updating activities that is reported as input to the management review .
Page 53 from 88
8. SECTION 3
THE FSMS AUDIT PROCESS

Introduction to FSMS auditing
Certification of an FSMS to FSSC 22000
Planning the audit
Undertaking the Audit
Reporting the Audit
Corrective Action, Audit Follow-Up and Close Out
Page 54 from 88
8.1. Introduction to FSMS Auditing
The Accreditation Body
Each national government is responsible for setting up an ACCREDITATION BODY to appoint and
control the activities of the Certification Bodies. The process of accreditation follows strict rules to ensure
that the system is for certification bodies as well as companies. In Germany, DAKKS is responsible for
accrediting certification bodies. In the UK, the United Kingdom Accreditation Service (UKAS) is
responsible for accrediting certification bodies.
Certification Bodies
These organizations are accredited by the Accreditation Body to undertake the CERTIFICATION of
management systems that meet the criteria of the respective standard (s) These organizations, (e.g.
TUV, LRQA, BSI, SGS, DNV, BVQI and others) carry out this work through the process of certification
audits (also termed third party audits).
The Certification Process
Organizations that wish to be certificated to ISO 22000:2018 must demonstrate that the FSMS has been
fully implemented and functions in the intended way.
These facts are established by undertaking an audit. This audit will establish if:-
Any nonconformity exists particularly if major non-conformities have been eliminated;
The Certification body can have confidence that all provisions in the FSMS standard have been met.
This will include compliance with the organization’s policy objectives and requirements;
The principle of continual ‘improvement ‘of food safety performance is evident
That a PRPs, OPRPs and CCP Hazard Control plan are in place and followed;
That all staff are aware of the organization’s food safety policy, FSMS and associated affects and
objectives;
All staff involved in managing food safety had been included in a training need analysis, and that the
training has been provided.
Guidance Document for Certification Bodies
ISO 19011:2018: Guidelines for auditing management systems is the guidance document for
auditing any management system.
 ISO 19011:2018 provides guidance on auditing management systems, including the principles of
auditing, managing an audit programme and conducting management system audits, as well as
guidance on the evaluation of competence of individuals involved in the audit process, including
the person managing the audit programme, auditors and audit teams.
 ISO 19011:2018 is applicable to all organizations that need to conduct internal or external audits
of management systems.
 The application of ISO 19011:2018 to other types of audits is possible, provided that special
consideration is given to the specific competence needed.
ISO/IEC 17021-1:2015: Conformity assessment -- Requirements for bodies providing audit and
certification of management systems
Page 55 from 88
 It is a Guidance document for Certification Bodies
 ISO/IEC 17021-1:2015 contains principles and requirements for the competence, consistency
and impartiality of bodies providing audit and certification of all types of management systems.
 Certification of management systems is a third-party conformity assessment activity and bodies

performing this activity are therefore third-party conformity assessment bodies.
 The ISO/IEC 17021-1:2015 replaces the second edition of ISO/IEC 17021:2011.
ISO / TS 22003:2013: Food safety management systems —Requirements for bodies providing audit
and certification of food safety management systems. NOW –
ISO /TS 22003:2013 is updated to ISO 22003 – 1:2022 – As a prerequisite for the license
application, the CB (certification body) shall hold a valid ISO/IEC 17021-1:2015 and ISO22003-
1:2022 accreditation for ISO22000.
ISO22003:2022 have two parts –
 ISO22003-1:2022 – Requirements for bodies providing audit and certification of food safety
management systems.
 ISO22003-2:2022 – Requirements for bodies providing evaluation and certification of

products, processes and services, including an audit of the food safety system.
 Intended for use by Certification bodies that carry out audit and certification of FSMS
 Defines the rules applicable for the audit and certification of a food safety management system
(FSMS) complying with the requirements given in ISO 22000 (or other sets of specified FSMS
requirements)
 All FSMS auditors should possess the generic competencies as well as the specific FSMS
knowledge described in this Technical Specification.
 Certification bodies will need to identify the specific audit team competence needed for the scope
of each FSMS audit.
 Defines the rules applicable for the audit and certification of a food safety
management system (FSMS) complying with the requirements given in ISO 22000 (or other
sets of specified FSMS requirements)
 Provides the necessary information and confidence to customers about the way certification of
their suppliers has been granted.
 Certification of FSMS is a third-party conformity assessment activity and bodies performing this
activity are third-party conformity assessment bodies.
 The ISO 22003:2022 replaced the second ISO/TS 22003:2013.
Page 56 from 88
Difference between ISO/IEC 17021-1 , ISO 22003 and ISO 19011
 ISO 17021-1 and ISO/IEC 22003 are requirements standard intended for use by accreditation
bodies to assess management systems certification bodies while ISO 19011 provides guidelines
for first-, second- and third-party auditors for auditing management systems. In doing so ISO
19011 identifies best practice and provides information on what should be done in carrying out an
audit without specifying how it must be done.
 The third-party certification industry will use ISO 22003 and ISO/IEC 17021-1 to define
requirements for audits and audit arrangements and accreditation bodies will determine whether
a certification body’s auditing arrangements and activities comply with those requirements.
An Overview of ISO 22003 & ISO/IEC 17021-1 standard
For Initial audit and certification
Pre- certification activities
1- Application
The certification body shall require the applicant organization to provide detailed information
concerning process lines, HACCP studies and the number of shifts.
2- Application review
- The certification body shall conduct a review of the application and supplementary information
for certification to ensure that:
a) the information about the applicant organization and its management system is sufficient to
develop an audit programme
b) any known difference in understanding between the certification body and the applicant
organization is resolved;
Page 57 from 88
c) the certification body has the competence and ability to perform the certification activity;
d) the scope of certification sought, the site(s) of the applicant organization’s operations, time
required
to complete audits and any other points influencing the certification activity are taken into account
(language, safety conditions, threats to impartiality, etc.).
- Following the review of the application, the certification body shall either accept or decline an
application for certification. When the certification body declines an application for certification
as a result of the review of application, the reasons for declining an application shall be
documented and made clear to the client.
- Based on this review, the certification body shall determine the competences it needs to
include in its audit team and for the certification decision.
The initial certification audit of an FSMS shall be conducted in two stages: stage 1 and stage 2
Stage 1 Certification audit
Once the decision to undertake an FSMS audit has been taken, an auditing organization (such as a
certification body) will need to identify a “Team Leader” to manage the process from start to finish. The
team leader should
 Start the planning process and allocate resources for a document review.
 Use the opportunity for immediate feedback of information to the client which may assist in the
certification process:
 Collect any necessary information regarding the operations, activities and products of the
organization.
The Objectives of Stage 1 audit are:
 Provide for the planning of the stage 2 Certification audit;
 Conduct FSMS documentation review against the requirements of the standard ISO 22000:2018;
 Check, verify and finalize the Scope of Company’s FSMS;
 Gain an understanding of the FSMS, the identified significant food safety hazards, policy
objectives and regulations;
 Check whether the relevant food safety licenses are in place;
 Ensure the FSMS is designed to achieve compliance with regulatory requirements and policy;
 Assess that the FSMS is ready for the certification audit;
 Confirmed that an internal audit process exists and can be relied upon;
It is also termed as a “Documental Review”, or “Document Adequacy Audit”
The document review process is very important and the auditors need to satisfy themselves that the
organization had planned, implemented, checked and is taking action to meet the commitments made in
the policy.
Page 58 from 88
Note: For FSMS, the stage 1 shall be carried out at the client’s premises to achieve the
objectives stated above. In exceptional circumstances, part of stage 1 can take place off-site and shall
be fully justified. The evidence demonstrating that stage 1 objectives are fully achieved shall be
provided. Exceptional circumstances can include very remote location, short seasonal production
The client shall be informed that the results of the stage 1 may lead to postponement or cancellation of
the stage 2, Any part of the FSMS that is audited during the stage 1 audit, and determined to be fully
implemented, effective and in conformity with requirements, may not need to be re-audited during the
stage 2 audit. However, the certification body shall ensure that the already audited parts of the FSMS
continue to conform to the certification requirements. In this case, the audit report shall include these
findings and shall clearly state that conformity has been established during the stage 1 audit.
Stage 2 – the On-site Audit
During the stage II Audit, the auditor should look for the following:-
 Verification planning and implementation of processes as per Organization’s FSMS requirements
 check whether food safety hazards are controlled and are within acceptable levels
 check whether risk and opportunities have been determined
 check the identification and fulfilment of legal requirements and customer requirements related to
food safety
 identification and mitigation plan and actual responses to emergencies
 to verify if monitoring, measuring and analysis and evaluation is carried out
 check the awareness and competence of personnel
 check how customer complaints regarding food safety is handled
 check the process of improvement
8.2. Certification of an FSMS to FSSC 22000

Requirements for the Certification Process as per FSSC 22000 Scheme Version 6 Part 3
1- Contract Process
2- Planning and Managing Audits
3- Audit report
4- Certification decision process
5- Portal data and documentation
Refer to http://www.fssc22000.com and down load FSSC 22000Scheme version 6 Part 3
Certification stage 1 and stage 2
The CB shall perform announced stage 1 and stage 2 audits for initial certification according to the
requirements of ISO /IEC 17021-1
Surveillance audits
Surveillance audits shall be conducted within the calendar year as per the requirements of ISO /IEC
17021-1. The CB shall ensure that for each certified organization at least one surveillance audit is
Page 59 from 88
undertaken unannounced after the initial certification audit and within each three (3) year period
thereafter.
Re-Certification Audit
Annual audits shall take place to ensure certificate validity or that recertification is granted before the
expiry date of the certificate. The 3 year certification cycle shall be respected.
Certification decision process
Refer to http://www.fssc22000.com and down load FSSC 22000 Scheme version 6 Part 3 section 7
Basics of FSMS Auditing
As per ISO 19011 auditing is defined as :
A systematic, independent and documented process for obtaining audit evidence and evaluating it
objectively to determine the extent to which the audit criteria are fulfilled
In relation to auditing there are a number of key words that require emphasizing:
Systematic
An effective and efficient audit is dependent on good planning. Such planning needs to be methodical
and structured and will often involve the use of internal procedures and/or protocols. The audit protocol
would normally be developed as a generic package by the auditing firm, but you could develop you own
to suit your own practices.
Documented
There is a real need to document your findings. The reason being that if you find something contentious,
the audee may wish to challenge your findings and you will need to refer back to interview notes,
photographs and company records In addition, the entire audit may need close scrutiny in the way it was
conducted and hence procedures, records of the planning activities and post audit investigations need to
be preserved. The use of a checklist or questionnaire is important to ensure a comprehensive approach
however over-reliance can cause problems. The accurate and detailed recording of audit findings as the
audit progresses must be ensured.
Independent
The auditor undertaking the audit needs to have sufficient knowledge of the process, yet sufficiently
removed from the activity to facilitate an informed judgment to be made of the facts.
Objectivity
Investigation and evaluation of the evidence must be done in an Objective manner. Look for
substantiation and corroboration - never rely on hearsay or supported loose comments.
Audit evidence
Records, statement of facts or other information relevant to audit criteria and verifiable
(e.g. monitoring & measurement reports / site observations /information provided by the auditee, etc.)
Audit criteria
Page 60 from 88
Set of policies, procedures or requirements used as a reference against which audit evidence is
compared
(e.g. requirements specified in ISO 22000:2018 / Company’s FSMS requirements / legal requirements,
etc.)
Types of FSMS Audit
An FSMS audit is designed to assess an organizations FSMS to see if it is functioning and can deliver
improvements in food safety performance in line with stated policy and objectives.
There are separate types of FSMS audits:-
1st Party Audit
Internal audit: carried out within the company so that the business can maintain control of its food safety
performance and the FSMS.
2nd Party Audit –
Often associate with supply chain auditing and occurs where there is a contractual relationship between
the audited and the client. This is often between a customer and supplier .This is becoming an
increasingly common occurrence within food safety management
3rd Party Audit –
Audit of an organization by an independent certification body in order to issue certificate of approval that
the system meets the specification of the standard (ISO 22000:2018).
FSMS Audit Process
The Audit can be divided into the following sections and these should be addressed according to a set
methodology or audit plan:-
Objectives
 Define the goal

 Set the Scope of the audit
 Set priorities
Preparation
 Select and appoint the audit team

 Asses the need for external assistance
 Create a simple audit plan
The Site Visit
 Opening meeting to reconfirm scope and introduce the respective teams

 Visit areas to investigate situation
 Use Checklist and follow audit trails
 Assess the evidence
 Conduct factual and objective assessment of the data gathered.
 Closing meeting to present findings to the management
Prepare a Report
Page 61 from 88
 Objectives
 Scope
 Data requirements
 Techniques
 Quantitative findings
 Non-technical summary
 Conclusions
 Recommendations (if requested)
8.3. Planning the Audit

The first step in undertaking an effective FSMS audit is to understand the business being audited , its
scope of FSMS, its organizational structure, FSMS documentation including food safety controls applied
by the organizations through PRPs,OPRPS and CCPS, applicable food safety legal requirements.
The majority of successful food safety audits follow audit trails derived from documented information
review, PRPs, OPRPs, CCPs , observation during site visits, legal and customer requirements related to
food safety, regulatory inspections, customer complaints, emergency cases, recall/withdrawal, internal
and external audit records, – hence the requirement for knowledge of the business operation.
The mechanics of underrating an FSMS audit may be similar to a certain extent to the mechanics of
undertaking a QMS Audit but be mindful of the differences between the two:-
 QMS follows critical pathways of importance for maintaining product conformity

 FSMS Follows critical pathways of importance for maintaining specified and improving
levels of food safety performance
As a management tool, auditing can provide management with much valuable information regarding its
business and other interests. While auditing is conducted using similar techniques, the scope of each
style of audit will differ according to the type of audit being done and the business sector being
assessed.
In many larger companies it is not unusual to see an integrated approach being adopted to the auditing
practices with the “team” being comprised of numerous experts in their own fields including health &
safety, environment, quality, information security along-side the food safety issues. Such an approach is
accepted by International Standards Organization with the issue of ISO 19011, providing guidelines for
auditing Management Systems. For example however, quality auditors will need to be retrained in the
“art of food safety auditing”, as the two topics are very different. Where this retraining is not undertaken
there is always a danger that the quality auditor may do a quality audit on the FSMS and could miss
some vital points.
There are a number of different styles of food safety audits – the following is just a small representative
list:-
Food safety Compliance Auditing – in the food safety compliance audits, the objective is to verify the
degree of fulfillment of the food safety compliance obligations (food safety legal and other requirements).
This audit consists of initially verifying if all the applicable food safety compliance obligations have been
adequately determined by the Organization. The second part consists of verifying the degree of
compliance fulfillment. A formal report may be submitted to the Organization.
FSMS Auditing – this could be either undertaken “in house” as part of an FSMS audit programme or by
external bodies as part of the certification process. Some smaller companies that cannot afford to
employ or train specialists in auditing may on occasions ask for external consultants to undertake an
Page 62 from 88
FSMS audit on their behalf. FSMS Audits can include onsite, off-site, remote auditing techniques
as well.
Remote auditing has to follow the Annex 5 of FSSC V6 – Requirements for the use of ICT
(Information and Communication Technology). Remote auditing is limited to document review and
interviews with key personnel and preferably be carried out prior to the on site audit component. A
feasibility assessment need to be done by the CB together with the audited organization to ensure, that
ICT approach is a feasible option. It has to be ensured, that the involved audit team member are
mutually trained. In any case the remote audit shall be conducted by qualified auditors. The remote part
of the full audit duration can never be more than 50% of the total audit duration.
Responsibilities of the lead auditor

Select the audit team, participating in the document review, preparing audit plan, ensure that audit
checklist is ready, chair the opening meeting and closing meeting, responsible for the effective
communication between the audit team, solve any conflict during the audit, preparing the non-conformity
report (s) and audit report , making follow up audit if needed , close out the audit
Responsibilities in relation to the audit process
Whenever any audit is to be undertaken by a team of several auditors, a Team Leader should be
nominated to act in an overall managerial capacity to ensure that required objectives are met and the
audit is undertaken in a professional and fully acceptable manner. The necessity for a team of auditors to
undertake the on-site audit will vary depending upon the magnitude and complexity of the task, in some
cases technical experts may also need to be include to work with and assist the auditors, or auditors with
certain specialist knowledge.
Generally all auditors are responsible for
o Conformance with audit objectives and scope

o Planning for individual audit assignments
o Carrying out individual assignments efficiently & effectively
o Documenting and communicating findings
o Remaining objective
o Cooperating with and supporting the Team Leader
If the client is not the subject of audit, as may be the case for the majority of second party audits, then it
will be the client who determines any requirement for corrective action and audit follow up.
This section looks in detail at the way in which an FSMS Audit reveals just how well the system is
operating to meet the requirements of the business.
At first these may appear to be very similar statements, and in practice they are indeed trying to ensure
that an organization is implementing the desired systems and practices necessary to achieve its
aims/objectives. However, when auditing, there is normally an assumption made that the FSMS is
sufficient to ensure that the objectives can be met by the engineered system, and food safety auditors
rarely establish if the chosen methods of working are fully effective. In other words, there is a strong
focus on what “Compliance” auditing rather than an assessment of the adequacy of the system.
Unfortunately, there has been a tendency for food safety auditors to feel much more comfortable with
verification of implementation of procedures than with setting out to establish their effectiveness.
There has been a popular misconception that food safety management system audit is only concerned
with auditing of systems. This is however not the case, and self-respecting world Class companies set
Page 63 from 88
up audit mechanisms that embrace auditing of products and key business processes as well as the more
systems oriented audits.
However, an FSMS can only manage those aspects identified by the organization – it cannot effect
control over unknown” issues or food safety impacts. Thus when auditing an FSMS, there is a need to
ensure that the systems or organization has been able to identify all significant food safety hazards in
addition to the “compliance basis” of a FSMS audit. This process is very similar to Health & Safety audits
where the emphasis is strongly on the identification and control of risks.
Thus unlike their quality counterparts, food safety auditors need sufficient technical competence not only
in generic food safety related sciences, but also current best practice, technologies, engineering and
chemical/biological processes. As a result, it is not uncommon to find that food safety audits may need
more lengthy and in-depth audit.
It is not unknown for food safety audits to be embodied with other disciples such as health and safety,
environment or quality.
Some major organizations are actively pursuing the approach of undertaking audits less frequently but
more in–depth and involving a multi- disciplined team of auditors. One of the major benefits of team
audits is that they focus management attention on the audit results far more than frequently performed
audits focusing on a smaller audit scope.
Food safety audits may focus on whether the organization’s policy, objectives and strategies are suited
to satisfy food safety legislation and /or best practice. Food safety audits may also examine the technical
processes to establish their suitability.
Planning the site visit.
On completion of the Document Review (stage1), you should have some idea of the general outline of
the business and its aspects and impacts. Now is the time to start planning of the sit visit (Satge2). This
planning process includes:-
Selection of an audit team;
Obtaining further background information on the organization (if not already completed for stage 1 - e.g.
process Flow Diagrams, geological survey maps of public records etc.);
Development of an overall audit strategy;
The preparation of a site visit schedule (assessment Visit Schedule);
The development of checklists;
Interview planning.
Selection of an audit Team
 As discussed above, the Lead auditor must ensure the audit team comprises sufficient
experience and skills including knowledge of the food business to be audited, culture of the
country (if auditing outside your own country). These skills must match with the scope of the audit
-Cover areas requiring special expertise (EAC / NACE Scopes).
Site visit & the Visit Schedule.
The audit visit schedule is a key component of the food safety auditing process. It provides an outline of
the areas to be examined by the team and individual auditors. It is the product of an evaluation of the
Page 64 from 88
business process and the significance of associated impacts to be audited using the output from the
stage I audit and /or initial research of the company and knowledge of the processes/ activities
undertaken on the site. The following information will help with the development the audit plan: -
Time available;
Composition of the audit team (Including. Skill available)
Details or the site (e.g. size, complexity and issues)
Type of audit being undertaken (e.g. FSMS certification)
An assessment of where objective evidence will be found within the business.
This schedule should be communicated to both the team and the auditee, as it will help clarify what is to
be investigated and by whom. It is also a requirement of ISO19011.
Preparing the audit plan
 One simple process to help clarify where best to locate the evidence Is to complete a matrix
comparing the key parts of the business (e.g. Managing Director, Food Safety Team Leader,
Production Units, Maintenance Department, etc.) with the requirements of FSSC 22000 version 6
Part 2 , ISO 22000:2018 and ISO TS 22002 or Publicly Available Specification (PAS). This will at
least provide an initial indication that some areas of the business will require more time allocated
to them than others. But please be careful, you will rarely get more than say 30 minutes with the
most senior members of the business. A blank matrix is included in the Delegate Information
Pack.
 Once the matrix has been completed, you will be in a better position to assess where your
specialist auditors (if any) may be required and how long they will need to complete individual
tasks.
 It is at this point you will develop the individual sections within the team and allocate areas to
investigate and place these in an overall schedule.
 Now you will have some idea of who within the audit team “must interview” whom-e.g. the Lead
Auditor should interview the more senior sections of the business and the specialists must audit
their area of specialization. Using the data form the matrix and the stage 2 audit, you should have
some idea of the length of time required within these areas – you can now start to plan the time
allocated to the audit remembering that there are some key meetings that need to be allowed for.
 Opening Meeting;
 Closing Meeting;
 Auditors Internal Meeting (s)
 Refreshment breaks
Planning the Individual Audit Tasks
The preliminary planning should now be complete and the Lead Auditor should have established the
scope and criteria for the whole audit, established an audit plan and allocated responsibilities and areas
of investigation to the team. It is now the responsibility of each team member to undertake detailed
planning of his or her own activities. The methodology adopted is as follows:
Step 1: Develop Document Review Checklist.
Step 2: Decide Plan of Action.
Step 3: Develop Detailed Checklist
Page 65 from 88
Step 4. Undertaking the audit
Audit Checklist :
Advantages:
 Ensures Systematic Approach
 Keeps Audit & Auditor on track
 Useful check to ensure scope is delivered
 Enables focus to be maintained
 Useful starting points for interviews
Disadvantages:
 Can restrict auditors view
 Prevent looking beyond the questions
 Could become cumbersome
Step 1: Develop Document Review Checklist.
Document Review Checklist can be based on
 The requirements of ISO 22000:2018 standard
 FSSC 22000 additional requirements
 The requirement of sector specific PRP based on ISO/TS 22002 or PAS
 The requirements of Company FSMS Documentation
This Checklist can be used during
 Document Review
 Stage 1 Audit
 RC Audit
Document Review
What to check?
Check the FSMS documentation of the Company against the requirements of FSSC 22000,ISO
22000:2018 standard and requirement of sector specific PRP based on ISO/TS 22002 or PAS.
When to do it?
Page 66 from 88
 Usually during Stage 1 Audit
 Prior to Re-Certification Audit
 System upgradation
 Major Scope expansion
Importance of conducting a Document Review
 Verification of the basic FSMS documentation to check whether it fulfills the requirements of
FSSC 22000,ISO 22000:2018 standard and requirement of sector specific PRP based on ISO/TS
22002 or PAS. or not
 In case gaps exist then the documentation needs to be corrected
 FSMS implementation is based on the FSMS documentation
Faulty FSMS documentation may lead to faulty FSMS implementation
8.4. Undertaking the Audit
The site visit of any audit can be divided into three sections ;-
· The Opening Meeting
· The Site Investigation
· The Closing Meeting
The opening meeting allows the auditor(s) to set the scene for the audit; the site investigation involves
the collection of objective evidence to evaluate the FSMS against the agreed scope and criteria while the
closing meeting facilitates the primary verbal feedback to the auditee.
Page 67 from 88
Opening meeting
Following the initial receiving of the audit team, the Team Leader should hold an opening meeting with
the company management team or Food Safety Team. It must be remembered that from now on the
auditors are guests in the company, and as good guests they must always be on best behaviour. They
must not demand, only request. They may wish to hold meetings with company management but they do
not have the right to demand this or even attendance at any meeting by any one member of the
management team. However, when making such requests they should carefully note the response and
willingness on the part of the company to co-operate and meet such requests. The purpose of the
Opening Meeting is to introduce the Audit Team to company management and allow management to do
likewise. Also to re-state the purpose of the audit i.e. the objective and scope, how it will be undertaken
and how the results are to be communicated back to the company. It should be made quite clear at this
point if immediate feedback on nonconformities will be provided using some sort of “Nonconformity
Report Form” or “Corrective Action Request”, and how this is to be handled. Also the company should
know if a daily closing meeting will be held for a summary of the day’s findings, or if all findings will be
left for a final “Closing” meeting. (Preferable to leave until closing meeting).
It should be stated that the audit is only a limited 'sample' and conclusions reached at the end of the
audit can only be based on what is revealed by the sample taken by the auditors. This is a 'snapshot' at
this moment in time. General administrative arrangements, such as office facilities, breaks, starting and
finishing times should be addressed. It should also be established if the previously supplied audit plan
acceptable and if there are any reasons for making adjustments to this. Also will guides be available.
Company starting and finishing times should be re-checked together with possible staff/union difficulties
etc. The team leader should also ask if there are any Health & Safety requirements or considerations
that the audit team need to be aware of (safety hazards in the areas to be audited etc.).
Arrangements for final feedback of results at a formal “Closing” meeting should be discussed (time,
duration, who should be present etc.). If a report is to be produced it should be stated when this will be
provided. It should also be made clear to the company that everything seen and heard by the auditors,
and results obtained will be in total confidence and will not be revealed to any other parties. Finally, allow
Page 68 from 88
a period of time for questions from company managers. We want them to feel comfortable with the
process. Allow about 15 mins and then get on with the job!
The audit team leader should chair the meeting !
It is best to allow about 15 to 30 minutes for the meeting prior to starting the site investigation. The
meeting should always be chaired by the Lead Auditor, but be mindful that he/she is a guest of the
company and if the M.D. attempts to chair the meeting then do not fight against this, as it could be
helpful in keeping the meeting brief. However the Lead Auditor should try to retain discreet control.
Typical Opening Meeting Agenda:
 Introductions
 Objectives & Scope
 Audit plan
 Limitations
 General administrative arrangements
 Feedback of results
 Closing Meeting arrangements
 Confidentiality
 Questions
The format of the opening meeting will be, to some extent, governed by the type of audit being
undertaken: -
Internal audits - These types of audits tend to be more relaxed and informal and in many cases an
opening meeting may be deemed unnecessary, but this must be by agreement between the auditor and
auditee. The process will be governed by the company management style.
Second Party Audit - Where supply chain auditing is carried out, the client will investigate the procedures
covering a wide range of issues at the supplier’s site. The auditee is likely to be quite respectful and
helpful in this respect to ensure that the contract continues. An opening meeting is normally conducted,
but the participants may vary according to the site being audited (e.g. it may only be a small part of the
suppliers domain and the MD or CEO may not be present.
Certification Audit - This is normally a significant audit and of prime interest to the auditee. The Opening
meeting should always take place with the senior managers of the company being audited present. This
may be a small meeting with just the operational team or very large with all key players present. It will be
formal with the lead auditor driving the agenda.
Onsite Audit
Now the real task starts. It is important to retain control of the process and ensure that the following
areas are covered: -
• The agreed scope in full. Where it is apparent that the scope may be too limited for the type of audit
being undertaken, then it is for the Lead Auditor to address this issue with the auditee and client (if
different). It is the role of the audit team to proceed and audit against the scope until advised otherwise.
However, where compliance issues outside the scope are discovered, these should be recorded for
feedback at the closing meeting.
• A desk top assessment of available documentation where this has not already been undertaken.
Page 69 from 88
• Conduct the site investigation in accordance with the audit plan which has been created and agreed
with the site management. Any variations needed in the light of subsequent occurrences or findings
should be discussed with the auditee through the Lead Auditor.
• Follow the checklists – there will be a high-level checklist for the audit scope as well as individual high-
level and detailed checklists for the interviews and inspections – but be mindful to follow unexpected
audit trails.
• Follow the advice and guidance of the guides as they should make the navigation of the site more
efficient and ensure your health & safety needs are adequately covered.
Audit Evidence
Audits either confirm or prove otherwise that planned arrangements for the FSMS are being conformed
to. This will be done through the collection of objective evidence. In accordance with guidance contained
in ISO 19011, this evidence should be collected through: -
• Conducting interviews
• Examination of documents and records
• Observation of activities
• Observation of conditions and housekeeping
The detailed checklists and plans of action should steer the auditor through a range of activities allowing
the assessment of conformance against FSMS requirements.
The main requirement for undertaking audits is to obtain objective evidence: evidence that
exists, is factual, and can be verified.
Never rely on instinct or hearsay evidence alone – always seek to obtain verification or the facts.
How to collect audit (objective) evidence ?
Interview (HODs)
Examination (Documents / Records)
Question (Supervisors / Workmen)
Observe (Practices/Operations/Storage/Transportation)
Page 70 from 88
OBJECTIVE EVIDENCE
Auditor’s Task
INTERVIEWS
EXAMINATION QUESTIONS
VERIFY
OBSERVATION
Searching for evidence.
The audit involves examination of processes, asking relevant questions and examination of documented
information to at least arrive at a conclusion regarding the effectiveness of the FSMS.
It is important to ask the right” questions that allow the auditee to discuss issues openly. However,
caution should be taken not to allow discussions to develop into a one –side flow of irrelevant
information, and auditors, should be aware that an auditee may start to deliberately discuss a process in
great details where it has little to do with food safety performance-this may be with the aim of wasting
time.
The following guidance may help:-
General questions can be followed up by specific questioning about the operation or equipment.
Always try to ask “open questions – i.e. those that can’t be answered with either a “yes” or “no”
LISTEN CAREFULLY – adopt a process of active listening”
Discuss deficiencies and problems at the time they are identified rather than wait until the end of the
meeting.
It may be useful to ask a series of questions at the time they are identified rather than wait until the
meeting.
Obtain the necessary documentation.
If records are not seen during the audit they are unlikely to surface at a later date, so assume they don’t
exist.
Page 71 from 88
Don’t be blinded with science and technology. You should already be reasonably familiar with process so
retain control…
Use the audit Plan/time table to guide you around the site, but don’t stop inspecting a process or location
simply because the manager or guide does not think it is necessary. Continue until you understand what
is happening and you are happy all that all food safety hazards are identified and under control.
Personal Qualities and skills of the FSMS Auditor
Conducting Interview and Asking Questions
An auditor needs to be good in communication However, communication must be in both directions, and
it is necessary for the auditor to seek information by posing a question, and then to await and fully
understand the response to that question.
Example of poor auditing practice includes:
 Posing closed questions only. (i.e. those requiring only a YES/NO response).
 Posing and answering one’s own questions.
 Not giving the interviewee sufficient time to respond.
 Not asking questions at all, just continuing to chat or expressing opinions.
Do learn to formulate and pose open questions i.e. – those that promote feedback of information. Also
try to gauge how to gather additional information when feedback includes generalizations, distortions or
omissions.
Missing Information
The good auditor will recognize that information is missing or inconsistent with previous findings and
therefore he should ask more information. For example:
a. Why does the company do not undertake it own water potability test?
b. Because of the water tank cleaning company
c. What do you mean?
Key words
The following words when used in a question can help facilitate meaningful responses (i.e. an open
question).
WHY
WHEN
WHERE
WHO
WHAT
HOW
Alternatively, you could use starting words like SHOW ME……MAY I SEE…. SHOW ME
HOW…..questions to gain more in-depth responses or verification of what has been said before.
Thus:
Page 72 from 88
 How do you store allergenic raw materials?
 They are stored in a separately from non-allergenic raw materials.
 Show ME!
Testing the System
Sometimes in order to “probe”, the auditor need to use hypothetical questions such as-
What happens if ………………………….?
How would you respond when……….…?
Let us suppose that …………………..…?
Suppose………………………………….?
What if……………………………………..?
“I am sorry; I did not quite understand that, could you explain that again please”
The auditor also needs to be systematic. All questions that ought to be asked should be asked: if it is
on the checklist, then it must be addressed (provided you have compiled the checklist correctly).
The auditor should not shrink from asking the obvious questions.
In summary, we should use various questioning techniques aimed at establishing what is happening
and which encourages the free flow of information. Such questions may be:
 ABOUT A THEME
 SEEKING OPINIONS
 REPETITIVE
 HYPOTHETICAL
 CONFIRMATORY
 NON-VERBAL
Auditor techniques-Listening!
Once we have posed a question we must then give the auditee ample opportunity to respond, and most
important of all we must listen carefully to the response.
AUDITORS MUST LEARN TO LISTEN WITH THE MIND AS WELL AS THE EARS
Points to Remember
Talk to the appropriate person responsible for the job.
Don’t talk down to them.
Talk the language of the auditee (i.e. talk about the food safety implications)
Page 73 from 88
Speak clearly and coherently.
Rephrase the question when it is not understood.
Don’t confuse the auditee- pose one question at a time
Come back if information is not immediately available.
The psychology of auditing
For the auditors point of view the intention of the audit is to expose any weakness that there may be in
the FSMS or anything at the site which are thought to contravene any food safety legislation. However
from the auditees point of view it may be undesirable to observe weaknesses to be found by an external
auditor. Hence this may on occasions lead to a game that is often played! Managers in particular may
feel that their ability to manage is in question. People do not like being observed carrying out their day-
to-day tasks by those with a critical eye. It is not surprising therefore if the auditor sometimes finds they
are not welcome, or feels that the truth is being hidden.
We should try and remember a few simple rules that relate to the personal side of auditing:
 Be relaxed.
 Be human.
 Be courteous.
 Display interest in the auditee and work,
 Remain cool, calm and collected.
 Act professionally
Auditors Tactics
In order to remain in control, the auditors should remember the following:-
 Be well prepared and be on time

 Get on with the task
 Do not argue
 Use the checklist
 Discuss problems when they are found
Additionally, the following are points worthy of note.
Page 74 from 88
 If you can not get the information that you require in one part of the organization, seek it else
where
 If you are faced with non-cooperation from one person, try another.
 Verify statements made in a departments/sections in other departments/sections.
 Always seek evidence to verify comments made
 Follow trails to the ultimate conclusion
 Return to areas/people for more information when clarification or reconfirmation is required.
 Gain agreement with findings as you go.
Auditee Tactics
A successful audit is dependent not only upon the skill of the auditor, but also upon the degree of
openness and cooperation from the auditee. The auditor’s task can often be made more difficult
when faced with the following and a skillful auditor must learn how to successfully handle these
situations:-
Argumentative people
Outright aggression
Time wasters
One-upmanship
Planned/unplanned interruptions
Long explanations
Extended coffee/lunch breaks
Pleading of special cases
Missing documents and records
Remember, the most difficult people to audit are very often those who have been trained as auditors
themselves, they know all the tricks in the book. Auditing is about learning to talk to and handle
people, and it is worth noting that auditors should be selected from those who exhibit the necessary
attributes, as well as those who have received professional training.
Some Basic Rule for Auditors – Summary
 Undertake some PLANNING BEFORE THE AUDIT
Page 75 from 88
 Stick to the checklist/plan AVOID sidetracks
 Be objective and SEEK EVIDENCE
 Talk to your guide and AGREE FACTS
 Have a CONSTRUCTIVE APPROACH
 If people change, CHANGE STYLE of questioning to suit
 BRIEF MANAGEMENT after the team has talked through
 PROFESSIONALISM IS VITAL TO RETAIN CONTOL OF THE AUDIT
Desired Auditor code
 Ethical: fair / sincere /truthful / honest
 Open-minded: willing to consider alternative ideas or points of view
 Diplomatic: tactful in dealing with people
 Collaborative: effectively interacting with others
 Observant: actively aware of and able to understand situations
 Perceptive : instinctively aware of and able to understand situations
 Versatile : adjusts readily to different situations
 Tenacious : persistent and focused on achieving objectives
 Decisive : reaches timely conclusions based on logical reasoning and analysis
 Self-reliant : acts and functions independently
 Professional : exhibiting a courteous and generally business-like demeanour in the

workplace
 Morally courageous : willing to act responsibly and ethically even though these actions
may not always be popular and may sometimes result in disagreement or confrontation
 Organized : exhibiting effective time management, prioritization, planning and efficiency
Page 76 from 88
Taking notes and recording audit findings
It is important for auditors to take good notes throughout the audit process and to capture information
that may be needed later in the audit and in particular where the auditor believes that nonconformity
exist against FSMS requirements. Auditors will need to develop their own approaches to note taking,
and the use of recording devices and cameras may be considered, however permission for their use
MUST always be obtained prior to use.
Never rely on the memory to record such items as it is not particularly adapted at retaining large
amounts of data and you may need to demonstrate where and when the item was found at a later
stage. It is easy to become overwhelmed by what we see and hear during an audit situation and it
may be difficult to remember all of those interesting things that need to be investigated further. It is
therefore advisable to record this type of data in working notes.
 Do not trust your memory; write down information as you go

 Do not clutter your mind or notes with trivia
 Where appropriate, use your detailed checklist to record information
 The following should be recorded:
 Section/area audited
 Person (s) interviewed for processes scrutinized
 Documentation which relates to the control of the process
 Equipment identification
Page 77 from 88
 General housekeeping conditions
 In addition, the following impressions may be useful:
 Attitudes of employees
 Reactions to lines of questioning
 Organization – good or poor
 Condition of equipment
 Awareness and understanding of procedures used to ensure food safety
It is important for an auditor to differentiate between things that are of a serious nature and those that
are not. Auditor will often find information or make an observation that is not a non – conformance,
indicates that a potential weakness exists that could lead to a nonconformity if not addressed. Such
items need to be recorded in the auditors notes.
When an auditor feels that there is a nonconformity , the auditor should capture the essential facts to
enable the nonconformity to be communicated effectively to the management of the organization
being audited. Such instances for nonconformity are often termed “Audit findings” and are normally
reported in the form of “Nonconformity Statements”
Many auditors have great difficulty communicating instances of nonconformity, and it is noted that
many so called nonconformity statements are either auditor’s opinions or broad conclusions than the
actual facts found. It is important to ensure that nonconformity statements are clear, concise and
factual as these will be used as the basis for reaching conclusions and upon which the final audit
judgment will be decided. It should also be noted, that in the case of regulatory authorities
undertaking audits, it will; be the nonconformity statements that will be examined carefully by the
lawyers in the event of any legal proceedings.
Nonconformity – non-fulfillment of a requirement
NONCONFORMITY GRADING AS PER FSSC 22000
In accordance with the definitions in the Scheme and as defined below, the CB is
required to establish and maintain criteria as a reference against which to determine the
level of nonconformities resulting in three grading levels:
a) Minor nonconformity,
b) Major nonconformity,
Page 78 from 88
c) Critical nonconformity.
Opportunity for improvement
The use of opportunities for improvement during a FSSC 22000 audit is not allowed by
the Scheme.
Refer to http://www.fssc22000.com and down load FSSC 22000 Scheme version 6 Part 3 section
6.2
A nonconformity statement should contain three essential pieces of information:
 The factual evidence found by the auditor, (WHAT)

 Where this factual evidence has been found, (WHERE)
 The reference to the specified requirements that is not being met. (WHY)
Requirements specified in:
 FSSC 22000 REQUIREMENTS
 ISO 22000:2018 STANDARD
 ISO /TS 22002 -X STANDARDS
 PUBLICLY AVAILABLE SPECIFICATIONS X (PAS)
 COMPANY FSMS DOCUMENTATION
 LEGAL REQUIREMENTS
 CUSTOMER REQUIREMENTS
 ANY OTHER INTERESTED PARTY REQUIREMENTS
The Auditors’ Internal Meeting

At the end of the audit process (preferably at the end of each day if the audit is lasting more than one
day) the audit team should hold an internal and private meeting to discuss findings and to obtain an
overall perspective of organization. The lead auditor should collate all the information and determine
what to inform during the closing meeting and in the audit report. The need to exchange information,
confirm audit findings and re-check areas of particular concern is dependent of the complexity of the site,
the experience of the audit team and the scale of the audit.
The Team Leader should take full control and collate all the views of the team and to produce a
balanced view of the performance of the company in meeting the criteria set by the audit.
Page 79 from 88
Closing meeting
ISO 19011 & ISO/IEC 17021-1 refers to the need for a closing meeting which should take place after the
audit but before the audit report is written.
The purpose of the meeting is to:-
 Feedback the results of the audit

 Provide any conclusions reached
 Ensure that the company management are aware of and fully understand the findings and
associated implications
 The next steps to be taken
 Formally close the assessment.
In a similar style to the opening meeting, the Lead auditor should chair this formal meeting with company
management. Again it must be remembered that you cannot demand attendance at such a meeting of
management, however it is likely that they would not wish to miss such a meeting!
It is wise to re-introduce Team members to the management team, and allow them to do likewise and
then spend a few minutes explaining the purpose of the meeting (remember that there may be attendees
who were not present at the opening meeting)
The following should be provided during the feedback: -
 First thank the company for its co-operation, hospitality, provision of facilities, courteousness and
professionalism in their participation in the assessment process (even if they didn’t!)
 Always try to find some good news stories to give praise on
 Reiterate the objective and scope of the audit
 State that the audit is based on sampling of the activities of the company and hence not every
nonconformity that exists may had been found.
 The method of formally reporting the audit results
Page 80 from 88
 The non-conformances – these can be presented by each of the team members in turn, copies of
reports s may be supplied to save auditee management needing to take notes
 Allow time for discussion on the issues raised, but do not become embroiled in discussing on the
correction of the faults
 Finally, the Team Leader should present the summary; and make the final conclusions clear.
Typical Agenda for Closing Meeting:
 Introductions of new delegates who did not attend the opening meeting
 Record of Attendees
 Purpose of meeting
 Thank auditee / client for Cooperation, etc.
 Restate Objectives and Scope
 Limitations of Audit
 Report audit findings
 Summary of the Audit
 Non-Conformance Reports (if any)
 Recommendations with regards to certification
 Corrective action and follow up (if any NC issued)
 Opportunity for Auditee Questions
(See also ISO19011 and ISO/IEC 17021-1)
8.5. Reporting the Audit

It is important to formally record the findings of any audit in some form of report to the auditee and client.
The nature of the report will vary according to the type of audit undertaken and the requirements of the
client and auditee. However, the main purpose of the report is to clearly covey the findings and
conclusions to the interested parties. The report should not contain any surprises and accurately reflect
the feedback at the closing meeting.
There are a few points to consider when writing the report: -
REMEMBER WHO THE RECIPIENT IS
REMEMBER WHAT THEY NEED TO KNOW
SUMMARISE THE AUDIT FINDINGS
PROVIDE DETAILS WHERE REQUIRED
THINK BEFORE WRITING
WRITE CLEARLY AND CONCISELY
DRAW CONCLUSIONS
Page 81 from 88
Audit report
The Lead Auditor controls the preparation of the report and is responsible for its accuracy and
completeness. The audit report form in FSSC 22000 Annex 2 .
Refer to http://www.fssc22000.com and down load FSSC 22000 Annex 2 or 3
8.6. Corrective Action, Audit Follow-Up and Close Out

Corrections, corrective action plan (CAP), CAP approval
Corrections, corrective action plans and their approval shall be included as per Annex 2.
Refer to http://www.fssc22000.com and down load FSSC 22000 Annex 2
Page 82 from 88
NON-CONFORMITY
CORRECTIVE ACTION &
RAISED AUDIT CLOSE OUT
UNDERSTAND
ANALYSE
ROOT CAUSE
DETERMINATION
AUDITING
CORRECTIVE ACTION ORGANISATION
PROPOSAL
IMPLEMENT
FOLLOW UP AUDIT
VERIFICATION
NEXT SURVEILANCE AUDIT
The audited organization will need to work with reported nonconformity, and begin the process of a
corrective action determination. It will be necessary for audited organization to first understand each
nonconformity, and the auditors approach to organization to first understand each nonconformity, and
the auditors approach to writing clear and factual nonconformity statements is designed to ensure not
only objective audit reporting, but also nonconformity statements that are understandable to the auditees
and also to future auditors who may be called upon to undertake audit follow up verification activities.
Auditee management will need to ensure that each nonconformity situation is analyzed where necessary
gathering further relevant information initiating detailed investigations, and/or internal audits to provide
additional information to enable the root causes of the nonconformities to be determined. It is at this
state that management may wish to employ some of the various problem solving tools and techniques to
arrive at suitable fact based conclusion.
Once the root cause has been identified it is then necessary to determine a suitable course of action to
address the root cause and so eliminate the possibility of similar nonconformities in future (audit
nonconformities are the symptoms of problems, and by addressing the root cause the symptoms should
go away). .In the case of Second and Third party audits it is likely to be necessary to send the corrective
action proposals to the auditing or organization for their acceptance / agreement It is now that the
original auditor (s) may be called upon to review these proposals are realistic and likely to address the
suspected root cause (although it must be remembered that the auditors will not have access to the
detailed investigation results and so can only judge from their understanding of the company and similar
situations observed in other companies if the proposed corrective action(s) appear to be sensible and
also that there is evidence of detailed analyses having been performed and the company has not simply
resorted to adopting ’’Quick Fix” measures.
Page 83 from 88
If the auditing Organization is satisfied with the corrective action proposals (which should also include an
appropriate timescale) they should inform to the company and make arrangements for verification audit
to be performed at an appropriate time.
The audited organization will then need to implement their proposed corrective action and undertake
their own verification activity (which may involve audits) to clearly verify that the root cause has been
satisfactorily addressed and the symptoms first reported as the nonconformity(s) are no longer evident.
Once corrective action has been implemented then the auditing organization should arrange for formal
verification that it is effective in overcoming the original non-conformance.
Once the auditing organization are satisfied as to the effectiveness of corrective action taken, then this
should be formally recorded (preferably on the original audit report form) and the audit NC is closed out.
It may be useful to check effectiveness of any corrective action again at subsequent audits.
Corrections, corrective action plan (CAP) , CAP approval, corrective action review for the
nonconformities
Refer to http://www.fssc22000.com and down load FSSC 22000 Scheme version 6 Part 3 section
6.2
Page 84 from 88
9. SECTION 4 - FOOD SAFETY MODERNIZATION ACT (FSMA)
Page 85 from 88
FOOD SAFETY MODERNIZATION ACT (FSMA)
Please see https://www.fda.gov/food/guidanceregulation/fsma/
In USA, about 48 million people (1 in 6) get sick, 128,000 are hospitalized, and 3,000 die each year from
foodborne diseases, according to recent data from the Centers for Disease Control and Prevention. This
is a significant public health burden that is largely preventable.
The FDA Food Safety Modernization Act (FSMA) is transforming the nation’s food safety system by
shifting the focus from responding to foodborne illness to preventing it. Congress enacted FSMA in
response to dramatic changes in the global food system and in our understanding of foodborne illness
and its consequences, including the realization that preventable foodborne illness is both a significant
public health problem and a threat to the economic well-being of the food system.
FDA has finalized seven major rules to implement FSMA, recognizing that ensuring the safety of the
food supply is a shared responsibility among many different points in the global supply chain for both
human and animal food. The FSMA rules are designed to make clear specific actions that must be taken
at each of these points to prevent contamination.
Foundational Rules Summary Pages
 Accredited Third-Party Certification

 Current Good Manufacturing Practice and Hazard Analysis and Risk-Based Preventive Controls for
Human Food
 Current Good Manufacturing Practice and Hazard Analysis and Risk-Based Preventive Controls for
Food for Animals
 Foreign Supplier Verification Programs (FSVP)
 Mitigation Strategies to Protect Food Against Intentional Adulteration
 Sanitary Transportation of Human and Animal Food
 Standards for the Growing, Harvesting, Packing, and Holding of Produce for Human Consumption
 Voluntary Qualified Importer Program (VQIP)
FDA’s Accredited Third-Party Certification program is now accepting applications.
The FDA Food Safety Modernization Act (FSMA) rule on Accredited Third-Party Certification was
finalized in November 2015. The rule establishes a voluntary program for the accreditation of third-party
certification bodies, also known as third-party auditors, to conduct food safety audits and issue
certifications of foreign entities and the foods for humans and animals they produce. These requirements
are intended to help ensure the competence and independence of the accreditation bodies and
third-party certification bodies participating in the program.
FSMA specifies two uses for certifications under this program:
 Certifications may be used by importers to help establish eligibility for participation in the Voluntary
Qualified Importer Program (VQIP), which offers expedited review entry of food.
Page 86 from 88
 To prevent potentially harmful food from reaching U.S. consumers, the FDA can also require in
specific circumstances that a food offered for import be accompanied by a certification from an
accredited FDA’s Accredited Third-Party Certification program is now accepting applications.
The FDA Food Safety Modernization Act (FSMA) rule on Accredited Third-Party Certification was
finalized in November 2015. The rule establishes a voluntary program for the accreditation of third-party
certification bodies, also known as third-party auditors, to conduct food safety audits and issue
certifications of foreign entities and the foods for humans and animals they produce. These requirements
are intended to help ensure the competence and independence of the accreditation bodies and third-
party certification bodies participating in the program.
FSMA specifies two uses for certifications under this program:
 Certifications may be used by importers to help establish eligibility for participation in the Voluntary
Qualified Importer Program (VQIP), which offers expedited review entry of food.
 To prevent potentially harmful food from reaching U.S. consumers, the FDA can also require in
specific circumstances that a food offered for import be accompanied by a certification from an
accredited third-party certification body.
This rule establishes the framework, procedures and requirements for accreditation bodies seeking
recognition by the FDA, as well as requirements for third-party certification bodies seeking accreditation.
These requirements cover legal authority, competency, capacity, conflict-of-interest safeguards, quality
assurance and record procedures.
In limited circumstances, the FDA may directly accredit third-party certification bodies. For example, FDA
can directly accredit third-party certification bodies if the agency does not identify and recognize an
accreditation body to meet the requirements of the program within two years after establishing the
program.
In addition to 21 CFR 117 (Preventive Controls for Human Food (PCHF) regulation), other templates that
may help determine if third-party audit standards align with FSMA food safety standards are available on
the website.
 Seafood HACCP Template (PDF: 301KB)

 Juice HACCP Template (PDF: 309KB)
 Low-Acid Canned Food Template (PDF: 1MB)
 Acidified Food Template (PDF: 311KB)
 PC-Human Food Template (PDF: 667KB)
 PC-Animal Food Template (PDF: 820KB)
For PC-Human Food Template please see

https://www.fda.gov/downloads/Food/GuidanceRegulation/FSMA/UCM602404.pdf
Page 87 from 88
We hope you enjoyed your course
You will be contacted by the CQI and IRCA for feedback on the course and your Approved
Training Partner.
Completing this short survey will help to ensure the continuing high standards of
these courses.
You can also record your certificate and receive information about the CQI
and IRCA, auditing and quality news, ISO updates and much more.
To record your certificate, visit www.quality.org/record-your-certificate
Page 88 from 88

Course Manual

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Course Manual

Uploaded by

Copyright:

Available Formats

FSSC 22000 V6 Lead Auditor Training Course

FOOD SAFETY MANAGEMENT SYSTEM

Auditor / Lead Auditor Training Course

TUV NORD CERT GmbH

Course Manual Rev. Page 1 from 88

About the CQI and IRCA

IRCA is its specialist division dedicated to management system auditors.

Find out more about the CQI and IRCA at www.quality.org

For the full requirements, please refer to quality.org/IRCA-grades.

An FSMS based on FSSC 22000 audit will be undertaken as a simulated exercise.

With regards to FSSC 22000:

Explain the requirements of FSSC 22000.

Explain what is ISO 22000.

Explain the sector specific PRPs required by FSSC 22000.

Explain the FSSC 22000 additional requirements.

Explain difference in FSSC 22000 additional requirements of V5.1 and V 6

Explain the definitions in FSSC 22000 Appendix 1.

With regards to ISO 22000:

Explain the Plan-Do-Check-Act Framework.

Explain the interrelationship between management responsibility, organization’s context, needs of

Explain the terminology defined in the standard.

UNDERSTANDING FSSC 22000

Overview of ISO 22003 – 1: 2022 & ISO 22003 – 2:2022

FSSC 22000 V6 Additional Requirements

Difference between V5.1 and V6 additional requirements

ISO 22000 - Context of the Organization

ISO 22000 - Planning

ISO 22000 - Support

ISO 22000 - Operation

ISO 22000 - Performance Evaluation

ISO 22000 - Improvement

THE FSMS AUDIT PROCESS

Introduction to FSMS auditing

Certification of an FSMS to FSSC 22000

Planning the audit

Undertaking the Audit

Reporting the Audit

Corrective Action, Audit Follow-Up and Close Out

FOOD SAFETY MODERNIZATION ACT (FSMA)

A formal examination to be undertaken by each delegate:

IRCA online Exams

For full details of the IRCA Auditor Registration Scheme contact:

International Register of Certificated Auditor (IRCA)

Telephone: +44 (0)20 7245 8600

It is a condition of registration that registrants rigorously observe the following

Statement of Personal Responsibility

Professional Competence and Behaviour

1.3. Undertake appropriate continuing professional development and record it in an appropriate

Ethical Standards and Integrity

2.2 Always act honestly in all matters relating to the Institute

2.5 Comply with prevailing laws

Processes for Enforcement of this Code

1. CQI0070 details the Misconduct Handling process for:

a. Reporting breaches of misconduct to the CQI

b. Undertaking a Preliminary Investigation

c. Conducting a Disciplinary Hearing

d. Establish and acting on the Board’s decision

e. Grounds for appeal

2. CQI0058 details the Disciplinary Appeals process for:

a. Submitting an appeal to the Advisory Council

c. Convening an appeal panel

d. Reviewing the appeal submission

e. Holding an appeal hearing

f. Making an appeal recommendation to the Advisory Council