What is the primary objective of FSSC 22000?

FSSC 22000's primary objective is to ensure certified organizations consistently provide safe food through a GFSI-benchmarked Food Safety Management System (FSMS). It integrates ISO 22000:2018 requirements (clauses 4–10 covering context, leadership, planning, operation, evaluation, and improvement), sector-specific PRPs (e.g., ISO/TS 22002-1 for food manufacturing), and FSSC Additional Requirements (e.g., food defense, food fraud, allergen management). This delivers independent third-party certification across food chain categories (B–K), promoting supply-chain trust via a public register of 40,059 certified sites.

Who is legally or professionally required to comply with FSSC 22000?

FSSC 22000 is not legally mandatory but professionally required for food chain organizations seeking GFSI recognition and buyer acceptance. It applies to categories per ISO 22003-1:2022 (e.g., C for manufacturing, G for transport/storage, I for packaging), including primary handling (BIII), catering (E), retail (FI), and bio/chemicals (K). Retailers and multinationals demand it for suppliers to reduce audit duplication and ensure FSMS integrity.

Does FSSC 22000 require an external audit or third-party certification?

Yes, FSSC 22000 mandates external audits and third-party certification by licensed Certification Bodies (CBs) accredited per ISO/IEC 17021-1 and ISO 22003-1:2022. Initial certification involves Stage 1 (readiness) and Stage 2 (implementation) audits, with at least 50% time on operational PRPs/control measures. Surveillance occurs annually (1/3 initial duration + TFSSC 1–1.5 days); recertification every 3 years (2/3 duration + TFSSC). 134 CBs support 40,059 sites.

How often should an assessment for FSSC 22000 be performed?

FSSC 22000 assessments occur via annual surveillance audits and full recertification every 3 years by licensed CBs. Internal audits must cover the full FSMS (ISO 22000, PRPs, Additional Requirements) at least annually, with multi-site central audits ensuring independence. PRP verification requires risk-based monthly site inspections; programs like environmental monitoring and food defense undergo annual reviews or upon changes/trends.

What are the consequences of non-compliance with FSSC 22000?

Non-compliance with FSSC 22000 results in nonconformities, certificate suspension/revocation, and market exclusion. Organizations must notify CBs within 3 working days of serious events (recalls, shutdowns). Major nonconformities demand timely closure; failures trigger Integrity Program actions. Loss of GFSI status blocks retailer contracts, risking revenue from uncertified supply chains.

An FSSC 22000 be mapped to other international frameworks?

Yes, FSSC 22000 maps directly to ISO-based frameworks due to its ISO 22000:2018 harmonized structure. Shared PDCA elements (clauses 4–10) align with ISO 9001 (quality) and ISO 14001 (environment), enabling integrated audits. PRP and Additional Requirements (e.g., quality control policy) support quality integration without duplication.

What is the first step to begin implementing FSSC 22000?

The first step is defining FSMS scope per ISO 22003-1:2022 categories and conducting a gap analysis against ISO 22000:2018, applicable PRPs, and FSSC Additional Requirements. Secure executive commitment via a Top Management meeting, then form a multidisciplinary team to map processes, identify PRPs (e.g., ISO/TS 22002-1), and produce a project plan with resources and timelines.

What is the primary objective of ISO 28000?

ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) for supply chain security. The 2022 edition (ISO 28000:2022) provides a risk-based framework using the PDCA cycle to identify threats, vulnerabilities, and interdependencies across supply chains, protecting people, assets, goods, infrastructure, and information.

Who is legally or professionally required to comply with ISO 28000?

ISO 28000 is voluntary and not legally mandatory, but often contractually required for organizations in supply chains. It applies to all sizes—from micro-enterprises to multinationals—in logistics, manufacturing, retail, pharmaceuticals, energy, ports, and 3PL/4PL providers, driven by tenders, customs programs like C-TPAT, insurance demands, or partner expectations.

Does ISO 28000 require an external audit or third-party certification?

ISO 28000 supports but does not require third-party certification; conformity can be verified internally or externally. Certification follows ISO 28003 via accredited bodies like ANAB, involving Stage 1 (readiness) and Stage 2 (effectiveness) audits, with 3-year validity and annual surveillance.

How often should an assessment for ISO 28000 be performed?

Risk assessments under ISO 28000 must be maintained continuously, with formal reviews at planned intervals or upon changes. Internal audits occur per a risk-based program, management reviews at least annually, and risk reassessments triggered by incidents, supply chain changes, or external factors.

What are the consequences of non-compliance with ISO 28000?

Non-compliance with ISO 28000 risks operational disruptions, financial losses, and reputational damage rather than direct legal penalties. Outcomes include supply chain incidents (theft, sabotage), contract losses, higher insurance premiums, regulatory scrutiny in trade programs, and litigation from security lapses.

Can ISO 28000 be mapped to other international frameworks?

Yes, ISO 28000:2022 aligns with the High Level Structure (HLS) for integration with ISO 9001, ISO 14001, ISO 22301, and ISO/IEC 27001. Shared elements like PDCA, risk management (ISO 31000), leadership, audits, and continual improvement enable unified processes, reducing duplication.

What is the first step to begin implementing ISO 28000?

The first step is executive commitment, scoping the SMS, and conducting a gap analysis against ISO 28000 clauses. Map supply chains, assess context/interested parties (Clause 4), appoint a Senior Responsible Owner, and produce a risk register and project charter.

Standards Comparison

FSSC 22000 vs ISO 28000

FSSC 22000

Voluntary

2023

GFSI-benchmarked certification scheme for food safety systems

ISO 28000

Voluntary

2022

International standard for supply chain security management systems.

Quick Verdict

FSSC 22000 ensures food safety via ISO 22000, PRPs, and audits for food chains, while ISO 28000 builds supply chain security management systems for all sectors. Companies adopt FSSC for GFSI compliance and market access; ISO 28000 for resilience and risk governance.

Food Safety

FSSC 22000

Food Safety System Certification 22000 Version 6

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

GFSI-benchmarked certification for food chain FSMS
Integrates ISO 22000 with sector-specific PRPs
Additional requirements address food defense, fraud, allergens
Covers categories B-K from farm to packaging
Mandates 50% operational audit time on PRPs

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems Requirements

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based supply chain security management framework
End-to-end supply chain mapping and interdependencies
Leadership commitment and security policy requirements
PDCA cycle for continual improvement
Integration with ISO 27001 and 22301 standards

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

FSSC 22000 Details

What It Is

FSSC 22000 (Food Safety System Certification 22000 Version 6) is a GFSI-benchmarked certification scheme for Food Safety Management Systems (FSMS). It applies across food chain categories from primary production to packaging, using a risk-based PDCA approach integrating ISO 22000:2018 requirements.

Key Components

**Three pillarsISO 22000 clauses 4-10, sector-specific PRPs (e.g., ISO/TS 22002 series), FSSC Additional Requirements (18 items covering defense, fraud, allergens, culture).
Over 100 combined requirements with HACCP-embedded hazard control.
Built on PDCA cycle; certification via licensed bodies per ISO 22003-1:2022.

Why Organizations Use It

Enables global market access and buyer acceptance.
Mitigates risks like recalls, fraud, contamination.
Builds supply-chain trust via public register.
Drives efficiency, sustainability (SDGs), quality integration.

Implementation Overview

Phased: gap analysis, FSMS build, PRPs, audits (Stage 1/2).
Applies to all sizes in food sectors worldwide.
Requires CB certification, surveillance/recertification cycles.

ISO 28000 Details

What It Is

ISO 28000:2022 is an international management system standard specifying requirements for establishing, implementing, maintaining, and improving a security management system (SMS) focused on supply chain security and resilience. It uses a risk-based approach aligned with PDCA cycle, not prescriptive controls.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, evaluation, improvement.
Emphasizes risk assessment, security strategies, incident response, supplier controls.
Built on ISO High Level Structure for integration; supports certification per ISO 28003.

Why Organizations Use It

Mitigates theft, sabotage, disruptions; reduces costs, insurance premiums.
Meets contractual, regulatory drivers like C-TPAT; enhances trade facilitation.
Builds stakeholder trust, competitive edge in logistics, manufacturing.

Implementation Overview

Phased: scoping, gap analysis, risk treatment, deployment, audits.
Scalable for all sizes/industries; 6-36 months typical.
Optional third-party certification with surveillance audits.

Key Differences

Aspect	FSSC 22000	ISO 28000
Scope	Food safety management systems, PRPs, hazards	Supply chain security risks, resilience, threats
Industry	Food chain: manufacturing, packaging, logistics	All sectors: logistics, manufacturing, any supply chain
Nature	GFSI-benchmarked certification scheme	Voluntary management system standard
Testing	CB audits, PRP verification, surveillance cycles	Internal audits, management reviews, optional certification
Penalties	Loss of certification, market access denial	No legal penalties, internal nonconformity actions

Scope

FSSC 22000

Food safety management systems, PRPs, hazards

ISO 28000

Supply chain security risks, resilience, threats

Industry

FSSC 22000

Food chain: manufacturing, packaging, logistics

ISO 28000

All sectors: logistics, manufacturing, any supply chain

Nature

FSSC 22000

GFSI-benchmarked certification scheme

ISO 28000

Voluntary management system standard

Testing

FSSC 22000

CB audits, PRP verification, surveillance cycles

ISO 28000

Internal audits, management reviews, optional certification

Penalties

FSSC 22000

Loss of certification, market access denial

ISO 28000

No legal penalties, internal nonconformity actions

Frequently Asked Questions

Common questions about FSSC 22000 and ISO 28000

FSSC 22000 FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

Using CIS Controls v8.1 as a ‘Compliance On-Ramp’: Map One Security Program to NIST CSF, ISO 27001, PCI DSS, and NIS2

Use CIS Controls v8.1 as your compliance on-ramp. Map one security program to NIST CSF, ISO 27001, PCI DSS, and NIS2 without duplicating work via practical mapp

CIS Controls v8.1 for Cloud & SaaS: A Practical Safeguard Playbook for AWS/Azure/GCP and Microsoft 365

Turn CIS Controls v8.1 into a cloud-first playbook for AWS, Azure, GCP & Microsoft 365. Get actionable IaaS/PaaS/SaaS safeguards, automation patterns, evidence

How to Implement CIS Controls v8.1 as a ‘Control Backbone’ for NIS2 & DORA (Step-by-Step Implementation Guide)

Deploy CIS Controls v8.1 as a control backbone for NIS2 & DORA compliance. Step-by-step roadmap (IG1→IG2), deliverables, metrics & evidence model for hybrid/clo

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how FSSC 22000 and ISO 28000 compare against other standards

Other FSSC 22000 Comparisons

Other ISO 28000 Comparisons

Key Components

**Three pillarsISO 22000 clauses 4-10, sector-specific PRPs (e.g., ISO/TS 22002 series), FSSC Additional Requirements (18 items covering defense, fraud, allergens, culture).

Over 100 combined requirements with HACCP-embedded hazard control.

Built on PDCA cycle; certification via licensed bodies per ISO 22003-1:2022.

What It Is

Aspect

FSSC 22000

ISO 28000

Scope

Food safety management systems, PRPs, hazards

Supply chain security risks, resilience, threats

Industry

Food chain: manufacturing, packaging, logistics

All sectors: logistics, manufacturing, any supply chain

Nature

GFSI-benchmarked certification scheme

Voluntary management system standard

Testing

CB audits, PRP verification, surveillance cycles

Internal audits, management reviews, optional certification

Penalties

Loss of certification, market access denial

No legal penalties, internal nonconformity actions