What is the primary objective of **ISO 22000**?

**ISO 22000 enables organizations to provide safe products through a Food Safety Management System (FSMS) that prevents, eliminates, or reduces food safety hazards to acceptable levels.** It integrates **Codex HACCP principles** with management system requirements, including **PRPs**, hazard analysis, **CCPs/OPRPs**, verification, and **interactive communication** across the food chain. Published June 19, 2018, it uses **two PDCA cycles**—organizational for governance and operational for hazard control—ensuring compliance with statutory, regulatory, and customer requirements while supporting certification.

Who is legally or professionally required to comply with **ISO 22000**?

**No organization is legally mandated to comply with ISO 22000, as it is a voluntary international standard.** It applies professionally to any entity directly or indirectly in the food chain, including primary producers, feed/animal food makers, processors, packaging providers, transporters, storage operators, retailers, caterers, and service providers affecting food safety. Certification demonstrates FSMS assurance to customers, regulators, and markets, often required by retailers or GFSI schemes like FSSC 22000.

Does **ISO 22000** require an external audit or third-party certification?

**ISO 22000 does not require external audit or third-party certification, but certification is performed by accredited bodies using a two-stage process.** Stage 1 assesses readiness; Stage 2 verifies implementation. Post-certification includes annual surveillance audits and recertification every three years, confirming FSMS effectiveness across Clauses 4–10, including **PRPs**, hazard control plans, internal audits, and management reviews.

How often should an assessment for **ISO 22000** be performed?

**Internal audits for ISO 22000 must be conducted at planned intervals, with risk-based frequency targeting high-risk processes more often.** Management reviews occur at predetermined intervals, typically annually or when significant changes arise. Verification of **PRPs**, **CCPs/OPRPs**, and monitoring is ongoing or periodic per control plan; full FSMS reassessments align with internal audits and reviews to ensure continual suitability, adequacy, and effectiveness.

What are the consequences of non-compliance with **ISO 22000**?

**Non-compliance with ISO 22000 risks certification suspension, market exclusion, recalls, legal penalties under food laws, brand damage, and financial losses from incidents.** As a voluntary standard, direct penalties stem from underlying regulatory failures (e.g., contaminated products), amplifying hazards due to weak **PRPs**, unvalidated controls, poor traceability, or inadequate communication, leading to consumer harm and supply chain disruptions.

Can **ISO 22000** be mapped to other international frameworks?

**Yes, ISO 22000:2018 aligns with the High-Level Structure (HLS) shared by other ISO management system standards, enabling integrated implementation.** Its **Annex SL** structure supports combined audits and shared processes for Clauses 4–10, while **Clause 8** integrates HACCP principles foundational to GFSI schemes like FSSC 22000, which mandates all ISO 22000 requirements plus sector-specific **PRPs**.

What is the first step to begin implementing **ISO 22000**?

**The first step is determining the FSMS scope and organizational context per Clause 4, identifying internal/external issues and interested parties' requirements.** Form a cross-functional food safety team, conduct a gap analysis against Clauses 4–10, and establish **PRPs** to create a hygienic baseline before hazard analysis.

What is the primary objective of **ISO 28000**?

**ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) for supply chain security.** The 2022 edition provides a risk-based framework to identify threats, vulnerabilities, and interdependencies across supply chains, protecting people, assets, goods, infrastructure, and information through PDCA cycles (Plan-Do-Check-Act). It emphasizes leadership commitment, risk assessment per ISO 31000 guidance, operational controls, performance evaluation via audits and reviews, and continual improvement.

Who is legally or professionally required to comply with **ISO 28000**?

**No organization is legally mandated to comply with ISO 28000, as it is a voluntary international standard.** Professional requirements arise indirectly through contractual obligations, such as government tenders, customs facilitation programs (e.g., C-TPAT equivalents), industry codes, or supplier demands in sectors like logistics, manufacturing, pharmaceuticals, energy, ports, and 3PL providers. It applies scalably to all organization sizes, from micro-enterprises to multinationals, where supply-chain security is a strategic priority.

Does **ISO 28000** require an external audit or third-party certification?

**ISO 28000 does not require external audits or third-party certification, which are optional for conformity demonstration.** Organizations may pursue certification via accredited Certification Bodies (CBs) per ISO 28003 requirements, involving Stage 1 (document review) and Stage 2 (implementation audit) processes, followed by annual surveillance audits. Internal audits (Clause 9.2) are mandatory at planned intervals to ensure SMS effectiveness.

How often should an assessment for **ISO 28000** be performed?

**ISO 28000 requires risk assessments to be maintained ongoing, with reviews at planned intervals or upon significant changes.** Internal audits occur via a risk-based program (Clause 9.2), typically annually or more frequently for high-risk processes. Management reviews (Clause 9.3) happen at planned intervals, often annually, incorporating performance data, audit results, and contextual changes like new suppliers or threats.

What are the consequences of non-compliance with **ISO 28000**?

**Non-compliance with ISO 28000 carries no direct legal penalties, as it is voluntary, but exposes organizations to operational, financial, and reputational risks.** These include supply-chain disruptions from theft, sabotage, or incidents; lost contracts or market access; higher insurance premiums; and regulatory scrutiny in high-risk sectors. Certification lapse risks surveillance audit failure and certificate revocation.

An **ISO 28000** be mapped to other international frameworks?

**Yes, ISO 28000:2022 aligns with the ISO High Level Structure (HLS), enabling mapping to frameworks like ISO 9001, ISO 14001, ISO 22301, and ISO/IEC 27001.** Shared elements include PDCA cycles, leadership, risk management (ISO 31000), internal audits (ISO 19011), and integrated documentation, supporting combined audits and unified governance for quality, resilience, and information security.

What is the first step to begin implementing **ISO 28000**?

**The first step is securing executive sponsorship and conducting a gap analysis against ISO 28000 clauses (Phase 0-1).** Appoint a Senior Responsible Owner, define SMS scope including supply-chain boundaries and external processes (Clause 4), map current controls, and produce a prioritized risk register and project charter with timelines and resources.

ISO 22000 vs ISO 28000

Standards Comparison

ISO 22000

Voluntary

2018

International standard for food safety management systems

ISO 28000

Voluntary

2022

International standard for supply chain security management systems.

Quick Verdict

ISO 22000 ensures food safety through hazard control and PRPs for food chain organizations, while ISO 28000 manages supply chain security risks and threats for logistics and manufacturing. Companies adopt them for certification, compliance, market access, and resilience.

Food Safety

ISO 22000

ISO 22000:2018 Food safety management systems

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Adopts High-Level Structure for integrated management systems
Implements two nested PDCA cycles for governance and operations
Integrates HACCP principles with PRPs, OPRPs, and CCPs
Emphasizes interactive communication across food chain
Distinguishes organizational risks from operational hazards

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems — Requirements

Cost

€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based supply chain security management framework
PDCA cycle for continual improvement and audits
Supplier and third-party risk integration requirements
Alignment with ISO 22301 and 27001 standards
Incident response and recovery planning mandates

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

ISO 22000 Details

What It Is

ISO 22000:2018 is an international certification standard for Food Safety Management Systems (FSMS). It provides requirements for organizations in the food chain to ensure safe products through hazard control, compliance, and communication. Its risk-based approach uses **two nested PDCA cyclesorganizational for governance and operational for HACCP-aligned controls.

Key Components

Clauses 4-10 follow High-Level Structure (HLS) for integration with ISO 9001/14001.
Core elements: PRPs, hazard analysis, OPRPs/CCPs, traceability, verification.
Built on HACCP principles with strengthened leadership, risk planning, and communication.
Voluntary certification via accredited bodies with staged audits.

Why Organizations Use It

Meets customer/regulatory demands, enables market access (e.g., GFSI schemes).
Reduces recalls, enhances resilience, builds stakeholder trust.
Strategic benefits: efficiency, integration, competitive edge in global chains.

Implementation Overview

Phased: gap analysis, PRPs, hazard control plan, training, audits.
Applies to all food chain organizations; scalable by size.
Involves internal audits, management reviews; certification every 3 years.

ISO 28000 Details

What It Is

ISO 28000:2022 is an international management system standard specifying requirements for establishing, implementing, maintaining, and improving a security management system (SMS) focused on supply chain security and resilience. It uses a risk-based, PDCA (Plan-Do-Check-Act) approach to protect people, assets, goods, infrastructure, and information.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, performance evaluation, and improvement.
Emphasizes risk assessment, security strategies, incident response, supplier controls, and continual improvement.
Built on ISO High Level Structure for integration with standards like ISO 22301 and ISO 27001.
Optional certification via accredited bodies per ISO 28003.

Why Organizations Use It

Reduces supply chain disruptions, theft, and sabotage risks.
Meets contractual, regulatory, and trade facilitation needs (e.g., C-TPAT).
Lowers insurance costs, enhances market access, and builds stakeholder trust.
Provides competitive edge in logistics, manufacturing, and retail.

Implementation Overview

Phased approach: scoping, gap analysis, risk assessment, control deployment, audits, certification.
Scalable for all sizes; 6-36 months typical.
Applies globally across industries like transportation and pharmaceuticals.

Key Differences

Aspect	ISO 22000	ISO 28000
Scope	Food safety hazards, HACCP, PRPs across food chain	Supply chain security risks, threats, resilience
Industry	Food chain: production, processing, logistics, retail	Logistics, manufacturing, retail, any supply chain
Nature	Voluntary FSMS certification standard	Voluntary security management system standard
Testing	Internal audits, hazard verification, management review	Risk assessments, internal audits, management review
Penalties	Loss of certification, market access denial	Loss of certification, supply chain exclusion

Scope

ISO 22000

Food safety hazards, HACCP, PRPs across food chain

ISO 28000

Supply chain security risks, threats, resilience

Industry

ISO 22000

Food chain: production, processing, logistics, retail

ISO 28000

Logistics, manufacturing, retail, any supply chain

Nature

ISO 22000

Voluntary FSMS certification standard

ISO 28000

Voluntary security management system standard

Testing

ISO 22000

Internal audits, hazard verification, management review

ISO 28000

Risk assessments, internal audits, management review

Penalties

ISO 22000

Loss of certification, market access denial

ISO 28000

Loss of certification, supply chain exclusion

Frequently Asked Questions

Common questions about ISO 22000 and ISO 28000

ISO 22000 FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

CMMC Level 3 Implementation Guide: Integrating NIST SP 800-172 Enhanced Controls for APT Defense

Step-by-step CMMC Level 3 guide for DIB contractors. Implement 24 NIST SP 800-172 controls on Level 2. Prep for DIBCAC, C3PAO scoping & 180-day POA&Ms. Boost cy

The Human-AI Synergy: How Modern Compliance Tools Amplify Your Team's Strategic Impact

Unlock human-AI synergy with modern compliance tools. Automate monitoring, cut non-compliance risks 3x, and boost strategic decision-making. Elevate your team's

Top 5 Unseen Complexities Modern Compliance Software Effortlessly Manages

Uncover top 5 unseen complexities modern compliance software manages effortlessly—from sensitive data mapping to real-time regulatory shifts. Automate audits, i

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

CSL (Cyber Security Law of China) vs GDPR UK

Discover CSL vs UK GDPR: China's data localization & CII rules vs UK's principles, rights & 4% fines. Strategies for global compliance success. Navigate now!

EMAS vs ISO 27017

EMAS vs ISO 27017: EMAS delivers verified environmental performance & transparency beyond ISO 14001. ISO 27017 adds cloud security controls. Compare benefits, choose wisely!

FDA 21 CFR Part 11 vs ISO 26000

Compare FDA 21 CFR Part 11 vs ISO 26000: Electronic records compliance meets social responsibility guidance. Unlock scope, controls, pitfalls & strategies for FDA-regulated firms. Dive in!

ISO 22000

ISO 28000

Quick Verdict

ISO 22000

Key Features

ISO 28000

Key Features

Detailed Analysis

ISO 22000 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

ISO 28000 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

ISO 22000 FAQ

What is the primary objective of ISO 22000?

Who is legally or professionally required to comply with ISO 22000?

Does ISO 22000 require an external audit or third-party certification?

How often should an assessment for ISO 22000 be performed?

What are the consequences of non-compliance with ISO 22000?

Can ISO 22000 be mapped to other international frameworks?

What is the first step to begin implementing ISO 22000?

ISO 28000 FAQ

What is the primary objective of ISO 28000?

Who is legally or professionally required to comply with ISO 28000?

Does ISO 28000 require an external audit or third-party certification?

How often should an assessment for ISO 28000 be performed?

What are the consequences of non-compliance with ISO 28000?

An ISO 28000 be mapped to other international frameworks?

What is the first step to begin implementing ISO 28000?

You Might also be Interested in These Articles...

CMMC Level 3 Implementation Guide: Integrating NIST SP 800-172 Enhanced Controls for APT Defense

The Human-AI Synergy: How Modern Compliance Tools Amplify Your Team's Strategic Impact

Top 5 Unseen Complexities Modern Compliance Software Effortlessly Manages

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

CSL (Cyber Security Law of China) vs GDPR UK

EMAS vs ISO 27017

FDA 21 CFR Part 11 vs ISO 26000