--- slug: iso-22000 type: concept summary: "The food-safety management-system standard that turns hazard control, prerequisite programs, traceability, and corrective action into an auditable operating file." created: 2026-05-06 updated: 2026-05-16 last_edited: 2026-05-16 section: certification_standards related: produce-safety-rule: relation: contrasts-with note: "ISO 22000 is a voluntary food-safety management-system standard, while FSMA and the Produce Safety Rule set U.S. legal duties for covered produce farms." globalgap: relation: complements note: "ISO 22000 supplies management-system vocabulary that complements GLOBALG.A.P.'s farm assurance file in produce channels." offtake-agreement-cea: relation: informs note: "ISO 22000 informs Offtake Agreement (CEA) when buyer terms require a documented food-safety management system, audit plan, recall procedure, or certificate." vertical-farm-economics: relation: informs note: "ISO 22000 informs Vertical Farm Unit Economics because food-safety management, audits, corrective actions, and recall drills add real operating cost." food-blockchain-traceability: relation: supported-by note: "ISO 22000 can be supported by Blockchain Traceability for Food when traceability records need to move across sites, buyers, and certification files." vendor-locked-traceability: relation: violated-by note: "ISO 22000 evidence is weakened by Vendor-Locked Traceability when records cannot be exported, tested, or audited outside one platform." controlled-environment-agriculture: relation: applies-to note: "ISO 22000 applies to controlled-environment operations when their buyer, processor, retailer, or certification route requires a food-safety management system." --- # ISO 22000 and Food-Safety Management > **Concept** > > Vocabulary that names a phenomenon. *ISO 22000 is the food-safety management-system standard that turns hazard control, prerequisite programs, traceability, and corrective action into an auditable operating file.* *Often confused with: FSSC 22000, BRCGS Food Safety, SQF, GFSI-recognized certification.* When a greenhouse lettuce operation or a regional processor starts selling to larger buyers, "we follow good food-safety practice" stops being enough. The buyer wants the named system: hazards, records, training, supplier approval, corrective actions, traceability, recall. ISO 22000 is one answer. Place it correctly before going further. ISO 22000 is the management-system standard. FSSC 22000 is the ISO-based certification scheme that many buyers recognize through the Global Food Safety Initiative, usually shortened to GFSI. BRCGS Food Safety and SQF are neighboring buyer schemes, not layers on top of ISO 22000. A facility that mixes those up isn't ready for the audit conversation. ## Definition ISO 22000 is an international standard for food-safety management systems, published by the International Organization for Standardization. The current base standard is ISO 22000:2018. It tells an organization what a food-safety management system, usually shortened to FSMS, has to include and how to keep it running. The standard combines three ideas that operators often manage separately. The management-system logic familiar from other ISO standards — policy, responsibilities, planning, operation, performance evaluation, internal audit, management review, continual improvement — sets the outer frame. Inside that frame, hazard analysis and control measures in the HACCP tradition do the food-safety work. Underneath both, prerequisite programs, or PRPs, create the basic hygiene and operating conditions that the hazard plan depends on. A food business showing that it can name its hazards, control them, monitor the controls, fix what fails, verify the whole, and keep records the auditor can read is what ISO 22000 looks like in practice. The standard can apply across the food chain: farms, packhouses, processors, ingredient suppliers, feed operations, packaging suppliers, storage, distribution, caterers, and service providers. The exact scope depends on the organization and certificate. ISO 22000 certification on its own isn't the same thing as GFSI-recognized certification. FSSC 22000 closes that gap by wrapping ISO 22000 with sector-specific prerequisite-program requirements and additional FSSC clauses, and the result is a scheme the Global Food Safety Initiative recognizes. In buyer language, a request for "FSSC" or "GFSI" usually means the buyer wants the recognized scheme, not only an ISO 22000 certificate. BRCGS Food Safety and SQF sit beside that route, not on top of it. They aren't ISO 22000 implementations, though they answer many of the same food-safety-management questions. BRCGS is widely used in manufacturing, processing, and packing. SQF has industry-specific codes and is common in North American retail supply chains. A buyer may accept one, require another, or list a narrow set by product, country, and customer. > **Confidence: medium** > > The core ISO 22000:2018 management-system structure is stable. Scheme versions, GFSI recognition status, buyer acceptance, audit protocol, and transition dates move. As of May 16, 2026, SQF Edition 10 had been published and was moving through benchmarking, while BRCGS Food Safety Issue 9 remained the named issue on BRCGS's food-safety page. Operators should check current scheme-owner, GFSI, certification-body, and buyer documents before budgeting an audit. ## Why It Matters ISO 22000 matters because food safety becomes a system before it becomes a certificate. A CEA operator can have clean rooms, water treatment, climate control, hairnets, stainless tables, and a recall binder and still lack a working FSMS. The standard asks whether those pieces are connected, owned, monitored, corrected, and reviewed. For controlled-environment operators, the standard is part of the retail scale-up path. Indoor production lowers some field risks and creates others: recirculating water, dense labor, reusable trays, shared harvest tools, condensation, drain design, sanitation chemistry, finished-product handling, cold-chain handoff, and software records. ISO 22000 gives the operator a way to turn that risk surface into a controlled file rather than a set of informal habits. Farmers and packers use the standard to separate three categories readers often blur. [FSMA and the Produce Safety Rule](produce-safety-rule.md) set U.S. legal duties for covered produce farms. [GLOBALG.A.P.](globalgap.md) is a private farm assurance system common in produce channels. ISO 22000 is a voluntary management-system standard. A business may need more than one. They don't answer the same question. Investors and program officers should treat ISO 22000 as diligence vocabulary. A borrower seeking capital for a packhouse, greenhouse, vertical farm, or regional food hub should be able to name the food-safety system, the owner, the certification path, the accepting buyer, the cost, and the corrective-action plan when something fails. If the answer is "our software handles that," the diligence isn't done. The cost line also matters. Certification isn't only the audit fee. It is gap assessment, staff time, consultant support in some cases, internal audits, document control, supplier approval, cleaning validation, environmental monitoring where applicable, recall exercises, traceability tests, corrective-action closure, certification-body scheduling, and surveillance. Those costs belong in [Vertical Farm Unit Economics](vertical-farm-economics.md) and the [Offtake Agreement (CEA)](offtake-agreement-cea.md), not in a vague overhead line. ## How It Shows Up **A leafy-greens greenhouse entering foodservice.** The facility has harvest logs, water tests, cleaning schedules, and lot codes. A national foodservice buyer asks for a recognized food-safety certificate and a current audit report. The operator now has to choose a route: ISO 22000, FSSC 22000, BRCGS, SQF, GLOBALG.A.P., or a buyer-specific audit. The right answer depends on the buyer's accepted list and the facility's scope. **A vertical farm with good internal software.** The farm tracks seed lots, nutrient batches, harvest crews, climate rooms, sanitation tasks, and shipments in one platform. That's useful. It doesn't prove the FSMS works. The auditor's questions stay the same: how records are controlled, how exceptions are reviewed, who approves corrective actions, how suppliers are assessed, whether traceability drills meet the buyer's time target, whether records can be exported without the vendor. This is where [Vendor-Locked Traceability](vendor-locked-traceability.md) becomes a food-safety risk. **A regional food hub.** A hub aggregates product from farms, repacks some lots, stores cold product, and sells to institutions. The FSMS boundary is now more complicated than a single farm's field file. Supplier approval, receiving checks, allergen or product-separation rules, temperature monitoring, cleaning, recall, customer complaints, and traceability across many suppliers all need owners. ISO 22000's management-system shape fits that multi-party setting better than an informal checklist. **A buyer comparing schemes.** A retailer may say "GFSI-recognized" when it means BRCGS, SQF, FSSC 22000, IFS, GLOBALG.A.P. GFS, or another accepted program for a specific scope. The supplier shouldn't guess. Ask for the accepted schemes, edition, scope, product category, certification-body rules, audit frequency, unannounced-audit expectations, certificate age, and transition deadline. **A traceability-system pitch.** A vendor says its platform makes the operation ISO 22000 ready. The claim is weak unless the platform supports the actual evidence file: document control, lot and batch identity, supplier approval, monitoring records, nonconformities, corrective actions, recall drills, exportable audit evidence, and version history. [Blockchain Traceability for Food](food-blockchain-traceability.md) can help with shared custody events, but it can't replace the FSMS. ## Caveats and Open Questions ISO 22000 isn't a farm-practice, environmental, regenerative, organic, animal-welfare, or labor standard. It can sit next to those systems, but it doesn't prove soil health, biodiversity, carbon storage, fair pricing, or worker welfare. A business using ISO 22000 language to imply a broader sustainability claim is stretching the certificate beyond its scope. Certification scope is easy to misread. A certificate applies to named sites, processes, products, and activities. It may cover processing but not farming, packing but not distribution, one crop but not another, or one facility but not the satellite cooler. The certificate, audit report, and buyer terms need to agree before anyone treats the file as market access. GFSI language also needs care. GFSI recognizes certification programs against benchmarking requirements; it doesn't certify individual facilities. The certificate comes from an approved certification body under a scheme owner's rules. When a buyer asks for a GFSI-recognized certificate, the supplier should identify the scheme, edition, scope, certifier, and accepted transition timing. Scheme churn is normal. FSSC, BRCGS, SQF, GLOBALG.A.P., IFS, and other programs revise requirements, scoring, audit protocols, culture expectations, traceability rules, and transition dates. A contract that names only "ISO" or "GFSI" without scheme, version, scope, and transition language invites disputes. Finally, food-safety certification isn't a recall shield. It reduces risk by forcing a system, but product can still be contaminated, records can still fail, and buyers can still reject a lot. The serious operator treats certification as a living control system, not a framed certificate near the office door. > **Disclaimer** > > Certification and food-safety descriptions are educational and do not determine > legal duties, certification status, buyer acceptance, or audit readiness. > Consult current scheme documents, approved certification bodies, buyer > requirements, qualified food-safety advisors, and counsel where needed. ## Sources - ISO's [ISO 22000:2018 standard page](https://www.iso.org/standard/65464.html) identifies the current food-safety management-system standard and its requirements for organizations in the food chain. - ISO's [Food safety management](https://www.iso.org/iso-22000-food-safety-management.html) overview explains ISO 22000's food-chain scope, management-system framing, and relationship to food-safety hazards. - FSSC's [FSSC 22000 scheme page](https://www.fssc.com/fssc-22000/) explains the ISO-aligned certification scheme built around food-safety management systems and used in global certification. - GFSI's [recognition page](https://mygfsi.com/how-to-implement/recognition/) explains benchmarking and recognition of certification programs, which is the distinction behind buyer requests for GFSI-recognized schemes. - BRCGS's [Food Safety standard page](https://www.brcgs.com/our-standards/food-safety/) describes the BRCGS Global Standard Food Safety, its manufacturing, processing, and packing scope, and its current Issue 9 position. - SQFI's [Food Safety Program](https://www.sqfi.com/what-is-the-sqf-program/sqf-food-safety-program/) explains the SQF codes, food-safety certification program, and Edition 10 transition context current in 2026. - FDA's [FSMA Final Rule on Produce Safety](https://www.fda.gov/food/food-safety-modernization-act-fsma/fsma-final-rule-produce-safety) supplies the U.S. legal comparison point for produce operations that may also use ISO 22000 or a GFSI-recognized buyer scheme. --- - [Next: FSMA and the Produce Safety Rule](produce-safety-rule.md) - [Previous: Demeter Biodynamic](demeter-biodynamic.md)