PART 2

REQUIREMENTS
FOR
ORGANIZATIONS
TO BE AUDITED

FSSC 22000 Version 6.0 | April 2023 15 of 77

Part 2 | Requirements for Organization to be Audited

CONTENTS PART 2 REQUIREMENTS FOR

ORGANIZATIONS TO BE AUDITED

1 Purpose....................................................................................................................... 17

2 Requirements ............................................................................................................ 17

2.1 General .......................................................................................................................................17

2.2 Scheme Changes and Interpretation ......................................................................................17
2.3 ISO 22000 ...................................................................................................................................17
2.4 Prerequisite Programs ..............................................................................................................17
2.5 FSSC 22000 Additional Requirements.....................................................................................18

FSSC 22000 Version 6.0 | April 2023 16 of 77

Part 2 | Requirements for Organization to be Audited

1 PURPOSE
This part describes the Scheme requirements against which licensed Certification Bodies shall
audit the Food Safety Management System of the organization to achieve or maintain certification
for FSSC 22000.

2 REQUIREMENTS
2.1 GENERAL
Organizations shall develop, implement, and maintain all the requirements outlined below and
shall be audited by a licensed Certification Body in order to receive a valid FSSC 22000 certificate.

The audit requirements for FSSC 22000 certification consist of:

1) ISO 22000:2018 Food Safety Management System requirements;
2) Sector specific prerequisite program (PRPs) requirements (ISO/TS 22002-x series or other
specified PRP standard) and;
3) FSSC 22000 Additional requirements.

2.2 SCHEME CHANGES AND INTERPRETATION

The Board of Stakeholders (BoS) Decision list is a document which contains decisions applicable
to FSSC 22000 Scheme. The decisions overrule or provide further clarification on existing Scheme
rules and shall be implemented and applied within the defined transition period. The decision list
is dynamic and can be adjusted by the BoS when deemed necessary.

The Foundation publishes interpretation articles related to Scheme requirements that include
further clarification on requirements and the application and/or implementation thereof.
Certification bodies and Certified Organizations need to adhere to these interpretation articles as
applicable. It is the responsibility of the FSSC 22000 contact person to keep up to date with the
interpretation articles and communicate it to the relevant parties within the CB or to Certified
Organizations as appropriate.

2.3 ISO 22000

The requirements for the development, implementation, and maintenance of the Food Safety
Management System (FSMS) are laid down in the standard ISO 22000:2018 “Food safety
management systems - Requirements for any organization in the food chain”.

2.4 PREREQUISITE PROGRAMS

The Scheme specifies mandatory application of technical specifications detailing the pre-requisite
programs (PRPs) as referenced in clause 8.2 of ISO 22000:2018, with the exception of sub-category
FII. These PRP requirements are specified in the ISO/TS 22002-x series and/or the BSI/PAS 221
standards. Refer to Part 1, Table 1 of the Scheme.

FSSC 22000 Version 6.0 | April 2023 17 of 77

Part 2 | Requirements for Organization to be Audited

2.5 FSSC 22000 ADDITIONAL REQUIREMENTS

2.5.1 MANAGEMENT OF SERVICES AND PURCHASED MATERIALS (ALL

FOOD CHAIN CATEGORIES)
a) In addition to clause 7.1.6 of ISO 22000:2018, the organization shall ensure that where
laboratory analysis services are used for the verification and/or validation of food safety,
these shall be conducted by a competent laboratory (including both internal and external
laboratories as applicable) that has the capability to produce precise and repeatable test
results using validated test methods and best practices (e.g. successful participation in
proficiency testing programs, regulatory approved programs or accreditation to
international standards such as ISO 17025).
b) For food chain categories C, D, I, FII, G and K, the following additional requirement applies
to ISO 22000:2018 clause 7.1.6: The organization shall have a documented procedure for
procurement in emergency situations to ensure that products still conform to specified
requirements and the supplier has been evaluated.
c) For food chain categories C0, CI, CIII and CIV: In addition to ISO/TS 22002-1:2009 clause 9.2,
the organization shall have a policy for the procurement of animals, fish and seafood that
are subject to control of prohibited substances (e.g., pharmaceuticals, veterinary
medicines, heavy metals, and pesticides);
d) For food chain categories C, D, I, FII, G and K, the following additional requirement applies:
The organization shall establish, implement, and maintain a review process for raw
material and finished product specifications to ensure continued compliance with food
safety, quality, legal and customer requirements.
e) For food chain category I, in addition to clause 7.1.6 of ISO 22000:2018, the organization
shall establish criteria related to the use of recycled packaging as a raw material input into
the production of finished packaging material and ensure that relevant legal and customer
requirements are being met.

2.5.2 PRODUCT LABELING AND PRINTED MATERIALS (ALL FOOD CHAIN

CATEGORIES)
a) In addition to clause 8.5.1.3 of ISO 22000:2018, the organization shall ensure that finished
products are labelled according to all applicable statutory and regulatory requirements in
the country of intended sale, including allergen and customer specific requirements.
b) Where a product is unlabeled, all relevant product information shall be made available to
ensure the safe use of the food by the customer or consumer.
c) Where a claim (e.g., allergen, nutritional, method of production, chain of custody, raw
material status, etc.) is made on the product label or packaging, the organization shall
maintain evidence of validation to support the claim and shall have verification systems in
place, including traceability and mass balance, to ensure product integrity is maintained.
d) For food chain category I, artwork management and print control procedures shall be
established and implemented to ensure the printed material meets applicable customer
and legal requirements. The procedure shall address the following as a minimum:

i. Approval of artwork standard or master sample;

ii. Process to manage changes to artwork and print specifications, and to manage
obsolete artwork and printing materials;
iii. Approval of each print run against the agreed standard or master sample;
iv. Process to detect and identify printing errors during the run;
v. Process to ensure effective segregation of differing print variants; and

FSSC 22000 Version 6.0 | April 2023 18 of 77

Part 2 | Requirements for Organization to be Audited

vi. Process to account for any unused printed product.

2.5.3 FOOD DEFENSE (ALL FOOD CHAIN CATEGORIES)

2.5.3.1 THREAT ASSESSMENT

The organization shall:

a) Conduct and document the food defense threat assessment, based on a defined
methodology, to identify and evaluate potential threats linked to the processes and
products within the scope of the organization; and
b) Develop and implement appropriate mitigation measures for significant threats.

2.5.3.2 PLAN

a) The organization shall have a documented food defense plan, based on the threat
assessment, specifying the mitigation measures and verification procedures.
b) The food defense plan shall be implemented and supported by the organization’s FSMS.
c) The plan shall comply with applicable legislation, cover the processes and products within
the scope of the organization and be kept up to date.
d) For food chain category FII, in addition to the above, the organization shall ensure that
their suppliers have a food defense plan in place.

2.5.4 FOOD FRAUD MITIGATION (ALL FOOD CHAIN CATEGORIES)

2.5.4.1 VULNERABILITY ASSESSMENT

The organization shall:

a) Conduct and document the food fraud vulnerability assessment, based on a defined
methodology, to identify and assess potential vulnerabilities; and
b) Develop and implement appropriate mitigation measures for significant vulnerabilities.
The assessment shall cover the processes and products within the scope of the
organization.

2.5.4.2 PLAN

a) The organization shall have a documented food fraud mitigation plan, based on the output
of the vulnerability assessment, specifying the mitigation measures and verification
procedures.
b) The food fraud mitigation plan shall be implemented and supported by the organization’s
FSMS.
c) The plan shall comply with the applicable legislation, cover the processes and products
within the scope of the organization and be kept up to date.
d) For food chain category FII, in addition to the above, the organization shall ensure that
their suppliers have a food fraud mitigation plan in place.

FSSC 22000 Version 6.0 | April 2023 19 of 77

Part 2 | Requirements for Organization to be Audited

2.5.5 LOGO USE (ALL FOOD CHAIN CATEGORIES)

a) Certified organizations shall use the FSSC 22000 logo only for marketing activities such as
the organization’s printed matter, website, and other promotional material.
b) In case of using the logo, the certified organization shall request a copy of the latest FSSC
logo from their Certification Body, and comply with the following specifications:

Color PMS CMYK RGB #

Green 348 U 82/25/76/7 33/132/85 218455
Grey 60% black 0/0/0/60 135/136/138 87888a
Use of the logo in black and white is permitted when all other text and images are in black and
white.
c) The certified organization is not allowed to use the FSSC 22000 logo, any statement or
make reference to its certified status on:
i. a product;
ii. its labelling;
iii. its packaging (primary, secondary or any other form);
iv. certificates of analysis or certificates of conformance (CoA’s or CoC’s);
v. in any other manner that implies FSSC 22000 approves a product, process, or
service and
vi. where exclusions to the scope of certification apply.

2.5.6 MANAGEMENT OF ALLERGENS (ALL FOOD CHAIN CATEGORIES)

The organization shall have a documented allergen management plan that includes:
a) A list of all the allergens handled on site, including in raw materials and finished products;
b) Risk assessment covering all potential sources of allergen cross-contamination;
c) Identification and implementation of control measures to reduce or eliminate the risk of
cross-contamination, based on the outcome of the risk assessment; and
d) Validation and verification of these control measures shall be implemented and
maintained as documented information. Where more than one product is produced in the
same production area that have different allergen profiles, verification testing shall be
conducted at a frequency based on risk, e.g., surface testing, air sampling and/or product
testing;
e) Precautionary or warning labels shall only be used where the outcome of the risk
assessment identifies allergen cross-contamination as a risk to the consumer, even though
all the necessary control measures have been effectively implemented. Applying warning
labels does not exempt the organization from implementing the necessary allergen
control measures or undertaking verification testing;
f) All personnel shall receive training in allergen awareness and specific training on allergen
control measures associated with their area of work;
g) The allergen management plan shall be reviewed at least annually, and following any
significant change that impacts food safety, a public recall or a product withdrawal by the
organization as a result of an allergen/s, or when trends in industry show contamination
of similar products relating to allergens. The review shall include an evaluation of the
effectiveness of existing control measures and the need for additional measures.
Verification data shall be trended and used as input for the review.
h) For Food Chain Category D: Where there is no allergen-related legislation for the country
of sale pertaining to animal feed, this section of the Scheme requirements may be
indicated as ‘Not Applicable,’ unless a claim relating to an allergen status has been made
on the animal feed.

FSSC 22000 Version 6.0 | April 2023 20 of 77

Part 2 | Requirements for Organization to be Audited

2.5.7 ENVIRONMENTAL MONITORING (FOOD CHAIN CATEGORIES BIII, C,

I & K)
The organization shall have in place:
a) A risk-based environmental monitoring program for the relevant pathogens, spoilage, and
indicator organisms;
b) A documented procedure for the evaluation of the effectiveness of all controls on
preventing contamination from the manufacturing environment and this shall include, at
a minimum, the evaluation of microbiological controls present; and shall comply with legal
and customer requirements.
c) Data of the environmental monitoring activities, including regular trend analysis; and
d) The environmental monitoring program shall be reviewed for continued effectiveness and
suitability, at least annually, and more often if required, including when the following
triggers occur:
i. Significant changes related to products, processes, or legislation;
ii. When no positive testing results have been obtained over an extended period of
time;
iii. Trend in out of specification microbiological results, related to both intermediate
and finished products, linked to environmental monitoring;
iv. A repeat detection of pathogens during routine environmental monitoring; and
v. When there are alerts, recalls or withdrawals relating to product/s produced by the
organization.

2.5.8 FOOD SAFETY AND QUALITY CULTURE (ALL FOOD CHAIN

CATEGORIES)
a) In accordance with and in addition to clause 5.1 of ISO 22000:2018, as part of the
organizations’ commitment to cultivating a positive food safety and quality culture, senior
management shall establish, implement, and maintain a food safety and quality culture
objective(s) as part of the management system. The following elements shall be addressed
as a minimum:

• Communication,
• Training,
• Employee feedback and engagement, and
• Performance measurement of defined activities covering all sections of the
organization impacting on food safety and quality.

b) The objective(s) shall be supported by a documented food safety and quality culture plan,
with targets and timelines and included in the management review and continuous
improvement processes of the management system.

FSSC 22000 Version 6.0 | April 2023 21 of 77

Part 2 | Requirements for Organization to be Audited

2.5.9 QUALITY CONTROL (ALL FOOD CHAIN CATEGORIES)

a) The organization shall:
i. In addition to, and aligned with, clauses 5.2 and 6.2 of ISO 22000:2018, establish,
implement, and maintain a quality policy and quality objectives.
ii. Establish, implement and maintain quality parameters in line with finished product
specifications, for all products and/or product groups within the scope of
certification, including product release that addresses quality control and testing.
iii. In addition to, and aligned with, clauses 9.1 and 9.3 of ISO 22000:2018, undertake
analysis and evaluation of the results of the quality control parameters, as defined
under 2.5.9 (a)(ii) above, and include it as an input for the management review;
and
iv. In addition to, and aligned with, clause 9.2 of ISO 22000:2018, include quality
elements as defined in this clause, within the scope of the internal audit.
b) Quantity control procedures, including for unit, weight, and volume, shall be established,
and implemented, to ensure products meet the applicable customer and legal
requirements. This shall include a program for calibration and verification of equipment
used for quality and quantity control.
c) Line start-up and change-over procedures shall be established and implemented to
ensure products, including packaging and labelling, meet applicable customer and legal
requirements. This shall include having controls in place to ensure labelling and packaging
from the previous run have been removed from the line.

2.5.10 TRANSPORT, STORAGE AND WAREHOUSING (ALL FOOD CHAIN

CATEGORIES)
a) The organization shall establish, implement, and maintain a procedure and specified stock
rotation system that includes FEFO principles in conjunction with the FIFO requirements.
b) For food chain category C0, in addition to ISO/TS 22002-1:2009 clause 16.2, the
organization shall have specified requirements in place that define post-slaughter time
and temperature in relation to chilling or freezing of the products.
c) For food chain category FI, in addition to BSI/PAS 221:2013 clause 9.3, the organization
shall ensure that product is transported and delivered under conditions which minimize
the potential for contamination.
d) Where transport tankers are used, the following shall apply in addition to clause 8.2.4 of
ISO 22000:2018:
i. Organizations that use tankers for transportation of their final product shall have
a documented risk-based plan to address transport tank cleaning. It shall consider
potential sources of cross-contamination, and appropriate control measures,
including cleaning validation. Measures shall be in place to assess cleanliness of
the tanker at the point of reception of the empty tanker, prior to loading.
ii. For organizations receiving raw material in tankers, the following shall be included
in the supplier agreement as a minimum to ensure product safety and prevent
cross-contamination: tanker cleaning validation, restrictions linked to prior use
and applicable control measures relevant to the product being transported.

2.5.11 HAZARD CONTROL AND MEASURES FOR PREVENTING CROSS-

CONTAMINATION (ALL FOOD CHAIN CATEGORIES, EXCLUDING FII)
a) For food chain categories BIII, C and I, the following additional requirement applies to ISO
22000:2018 clause 8.5.1.3: The organization shall have specific requirements in place

FSSC 22000 Version 6.0 | April 2023 22 of 77

Part 2 | Requirements for Organization to be Audited

where packaging is used to impart or provide a functional effect on food (e.g., shelf-life
extension).
b) For food chain category C0, the following requirement applies in addition to ISO/TS 22002-
1:2009 clause 10.1: The organization shall have specified requirements for an inspection
process at lairage and/or at evisceration to ensure animals are fit for human consumption;
c) For food chain category D, the following requirement applies in addition to ISO/TS 22002-
6:2016 clause 4.7: The organization shall have in place procedures to manage the use of
ingredients/additives that contain components that can have an adverse animal health
impact.
d) For all food chain categories, excluding FII, the following requirements relating to foreign
matter management apply, in addition to clause 8.2.4 (h) of ISO 22000:2018:
i. The organization shall have a risk assessment in place to determine the need and
type of foreign body detection equipment required. Where the organization
deems no foreign body detection equipment is necessary, justification shall be
maintained as documented information. Foreign body detection equipment
includes equipment such as magnets, metal detectors, X-ray equipment, filters,
and sieves.
ii. A documented procedure shall be in place for the management and use of the
equipment selected.
iii. The organization shall have controls in place for foreign matter management
including procedures for the management of all breakages linked to potential
physical contamination (e.g., metal, ceramic, hard plastic).

2.5.12 PRP VERIFICATION (FOOD CHAIN CATEGORIES BIII, C, D, G, I & K)

The following additional requirement applies to ISO 22000:2018 clause 8.8.1:
• The organization shall establish, implement, and maintain routine (e.g., monthly) site
inspections/PRP checks to verify that the site (internal and external), production
environment and processing equipment are maintained in a suitable condition to
ensure food safety. The frequency and content of the site inspections/PRP checks shall
be based on risk with defined sampling criteria and linked to the relevant technical
specification.

2.5.13 PRODUCT DESIGN AND DEVELOPMENT (FOOD CHAIN CATEGORIES

BIII, C, D, E, F, I & K)
A product design and development procedure shall be established, implemented, and maintained
for new products and changes to product or manufacturing processes to ensure safe and legal
products are produced. This shall include the following:
a) Evaluation of the impact of the change on the FSMS taking into account any new food
safety hazards (incl. allergens) introduced and updating the hazard analysis accordingly,
b) Consideration of the impact on the process flow for the new product and existing products
and processes,
c) Resource and training needs,
d) Equipment and maintenance requirements,
e) The need to conduct production and shelf-life trials to validate product formulation and
processes are capable of producing a safe product and meet customer requirements. A
process for on-going shelf-life verification shall be in place, at a frequency based on risk.
f) Where a ready-to-cook product is produced, the cooking instructions provided on the
product label or packaging shall be validated to ensure food safety is maintained.

FSSC 22000 Version 6.0 | April 2023 23 of 77

Part 2 | Requirements for Organization to be Audited

2.5.14 HEALTH STATUS (FOOD CHAIN CATEGORY D)

In addition to ISO/TS 22002-6 clause 4.10.1, the organization shall have a procedure to ensure that
the health of personnel does not have an adverse effect on the feed production operations.
Subject to legal restrictions in the country of operation, employees shall undergo a medical
screening prior to employment in feed contact operations, unless documented hazards or medical
assessment indicates otherwise. Additional medical examinations, where permitted, shall be
carried out as required and at intervals defined by the organization.

2.5.15 EQUIPMENT MANAGEMENT (ALL FOOD CHAIN CATEGORIES,

EXCLUDING FII)
In addition to clause 8.2.4 of ISO 22000:2018, the organization shall:
a) Have a documented purchase specification in place, which addresses hygienic design,
applicable legal and customer requirements, and the intended use of the equipment,
including product handled. The supplier shall provide evidence of meeting the purchase
specification prior to installation.
b) Establish and implement a risk-based change management process for new equipment
and/or any changes to existing equipment, which shall be adequately documented
including evidence of successful commissioning. Possible effects on existing systems shall
be assessed and adequate control measures determined and implemented.

2.5.16 FOOD LOSS AND WASTE (ALL FOOD CHAIN CATEGORIES,

EXCLUDING I)
In addition to clause 8 of ISO 22000:2018, the organization shall:
a) Have a documented policy and objectives detailing the organization’s strategy to reduce
food loss and waste within their organization and the related supply chain.
b) Have controls in place to manage products donated to not-for-profit organizations,
employees, and other organizations; and ensure that these products are safe to consume.
c) Manage surplus products or by-products intended as animal feed/food to prevent
contamination of these products.
d) These processes shall comply with the applicable legislation, be kept up to date, and not
have a negative impact on food safety.

2.5.17 COMMUNICATION REQUIREMENTS (ALL FOOD CHAIN CATEGORIES)

In addition to clause 8.4.2 of ISO 22000:2018, the organization shall inform the certification body
within 3 working days of the commencement of the events or situations below and implement
suitable measures as part of their emergency preparedness and response process:
a) Serious events that impact the FSMS, legality and/or the integrity of the certification
including situations that pose a threat to food safety, or certification integrity as a result of
a Force majeure, natural or man-made disasters (e.g., war, strike, terrorism, crime, flood,
earthquake, malicious computer hacking, etc.);
b) Serious situations where the integrity of the certification is at risk and/or where the
Foundation can be brought into disrepute. These include, but are not limited to:
• Public food safety events (e.g., public recalls, withdrawals, calamities, food
safety outbreaks, etc.);
• Actions imposed by regulatory authorities as a result of a food safety issue(s),
where additional monitoring or forced shutdown of production is required;
• Legal proceedings, prosecutions, malpractice, and negligence; and

FSSC 22000 Version 6.0 | April 2023 24 of 77

Part 2 | Requirements for Organization to be Audited

• Fraudulent activities and corruption.

2.5.18 REQUIREMENTS FOR ORGANIZATION WITH MULTI-SITE

CERTIFICATION (FOOD CHAIN CATEGORIES E, F & G)
2.5.18.1 CENTRAL FUNCTION

a) The management of the central function shall ensure that sufficient resources are
available, and that roles, responsibilities and requirements are clearly defined for
management, internal auditors, technical personnel reviewing internal audits and other
key personnel involved in the FSMS.

2.5.18.2 INTERNAL AUDIT REQUIREMENTS

In addition to clause 9.2 of ISO 22000:2018, the organization shall adhere to the following
requirements relating to internal audits:

a) An internal audit procedure and program shall be established by the central function
covering the management system, central function, and all sites. Internal auditors shall be
independent from the areas they audit and be assigned by the central function to ensure
impartiality at site level.
b) The management system, centralized function and all sites shall be audited at least
annually or more frequently based on a risk assessment; and the effectiveness of
corrective action shall be demonstrated.
c) Internal auditors shall meet at least the following requirements, and this shall be assessed
by the CB annually as part of the audit:

Work experience: 2 years’ full-time work experience in the food industry including at least
1 year in the organization.
Education: completion of a higher education course or in the absence of a formal course,
have at least 5 years work experience in the food production or manufacturing, transport,
and storage, retailing, inspection, or enforcement areas.
Training:

i. For FSSC 22000 internal audits, the lead auditor shall have successfully completed
a FSMS, QMS or FSSC 22000 Lead Auditor Course of 40 hours.
ii. Other auditors in the internal audit team shall have successfully completed an
internal auditor course of 16 hours covering audit principles, practices, and
techniques. The training may be provided by the qualified internal Lead Auditor or
through an external training provider.
iii. FSSC Scheme training covering at least ISO 22000, the relevant prerequisite
programs based on the technical specification for the sector (e.g., ISO/TS 22002-x;
PAS-xyz) and the FSSC additional requirements – minimum 8 hours.

d) Internal audit reports shall be subject to a technical review by the central function,
including addressing the non-conformities resulting from the internal audit. Technical
reviewers shall be impartial, have the ability to interpret and apply the FSSC normative
documents (at least ISO 22000, the relevant ISO/TS 22002-x; PAS-xyz and the FSSC
additional requirements) and have knowledge of the organizations processes and
systems.
e) Internal auditors and technical reviewers shall be subject to annual performance
monitoring and calibration. Any follow-up actions identified shall be suitably actioned in
a timely and appropriate manner by the Central function.

FSSC 22000 Version 6.0 | April 2023 25 of 77