What is the primary objective of ISO 22000?

ISO 22000 enables organizations to provide safe products through a Food Safety Management System (FSMS) that prevents, eliminates, or reduces food safety hazards to acceptable levels. It integrates Codex HACCP principles with management system requirements, including PRPs, hazard analysis, CCPs/OPRPs, verification, and interactive communication across the food chain. Published June 19, 2018, it uses two PDCA cycles—organizational for governance and operational for hazard control—ensuring compliance with statutory, regulatory, and customer requirements while supporting certification.

Who is legally or professionally required to comply with ISO 22000?

No organization is legally mandated to comply with ISO 22000, as it is a voluntary international standard. It applies professionally to any entity directly or indirectly in the food chain, including primary producers, feed/animal food makers, processors, packaging providers, transporters, storage operators, retailers, caterers, and service providers affecting food safety. Certification demonstrates FSMS assurance to customers, regulators, and markets, often required by retailers or GFSI schemes like FSSC 22000.

Does ISO 22000 require an external audit or third-party certification?

ISO 22000 does not require external audit or third-party certification, but certification is performed by accredited bodies using a two-stage process. Stage 1 assesses readiness; Stage 2 verifies implementation. Post-certification includes annual surveillance audits and recertification every three years, confirming FSMS effectiveness across Clauses 4–10, including PRPs, hazard control plans, internal audits, and management reviews.

How often should an assessment for ISO 22000 be performed?

Internal audits for ISO 22000 must be conducted at planned intervals, with risk-based frequency targeting high-risk processes more often. Management reviews occur at predetermined intervals, typically annually or when significant changes arise. Verification of PRPs, CCPs/OPRPs, and monitoring is ongoing or periodic per control plan; full FSMS reassessments align with internal audits and reviews to ensure continual suitability, adequacy, and effectiveness.

What are the consequences of non-compliance with ISO 22000?

Non-compliance with ISO 22000 risks certification suspension, market exclusion, recalls, legal penalties under food laws, brand damage, and financial losses from incidents. As a voluntary standard, direct penalties stem from underlying regulatory failures (e.g., contaminated products), amplifying hazards due to weak PRPs, unvalidated controls, poor traceability, or inadequate communication, leading to consumer harm and supply chain disruptions.

Can ISO 22000 be mapped to other international frameworks?

Yes, ISO 22000:2018 aligns with the High-Level Structure (HLS) shared by other ISO management system standards, enabling integrated implementation. Its Annex SL structure supports combined audits and shared processes for Clauses 4–10, while Clause 8 integrates HACCP principles foundational to GFSI schemes like FSSC 22000, which mandates all ISO 22000 requirements plus sector-specific PRPs.

What is the first step to begin implementing ISO 22000?

The first step is determining the FSMS scope and organizational context per Clause 4, identifying internal/external issues and interested parties' requirements. Form a cross-functional food safety team, conduct a gap analysis against Clauses 4–10, and establish PRPs to create a hygienic baseline before hazard analysis.

What is the primary objective of ISO 28000?

ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) for supply chain security. The 2022 edition provides a risk-based framework to identify threats, vulnerabilities, and interdependencies across supply chains, protecting people, assets, goods, infrastructure, and information through PDCA cycles (Plan-Do-Check-Act). It emphasizes leadership commitment, risk assessment per ISO 31000 guidance, operational controls, performance evaluation via audits and reviews, and continual improvement.

Who is legally or professionally required to comply with ISO 28000?

No organization is legally mandated to comply with ISO 28000, as it is a voluntary international standard. Professional requirements arise indirectly through contractual obligations, such as government tenders, customs facilitation programs (e.g., C-TPAT equivalents), industry codes, or supplier demands in sectors like logistics, manufacturing, pharmaceuticals, energy, ports, and 3PL providers. It applies scalably to all organization sizes, from micro-enterprises to multinationals, where supply-chain security is a strategic priority.

Does ISO 28000 require an external audit or third-party certification?

ISO 28000 does not require external audits or third-party certification, which are optional for conformity demonstration. Organizations may pursue certification via accredited Certification Bodies (CBs) per ISO/IEC 17021-1 requirements, involving Stage 1 (document review) and Stage 2 (implementation audit) processes, followed by annual surveillance audits. Internal audits (Clause 9.2) are mandatory at planned intervals to ensure SMS effectiveness.

How often should an assessment for ISO 28000 be performed?

ISO 28000 requires risk assessments to be maintained ongoing, with reviews at planned intervals or upon significant changes. Internal audits occur via a risk-based program (Clause 9.2), typically annually or more frequently for high-risk processes. Management reviews (Clause 9.3) happen at planned intervals, often annually, incorporating performance data, audit results, and contextual changes like new suppliers or threats.

What are the consequences of non-compliance with ISO 28000?

Non-compliance with ISO 28000 carries no direct legal penalties, as it is voluntary, but exposes organizations to operational, financial, and reputational risks. These include supply-chain disruptions from theft, sabotage, or incidents; lost contracts or market access; higher insurance premiums; and regulatory scrutiny in high-risk sectors. Certification lapse risks surveillance audit failure and certificate revocation.

Can ISO 28000 be mapped to other international frameworks?

Yes, ISO 28000:2022 aligns with the ISO High Level Structure (HLS), enabling mapping to frameworks like ISO 9001, ISO 14001, ISO 22301, and ISO/IEC 27001. Shared elements include PDCA cycles, leadership, risk management (ISO 31000), internal audits (ISO 19011), and integrated documentation, supporting combined audits and unified governance for quality, resilience, and information security.

What is the first step to begin implementing ISO 28000?

The first step is securing executive sponsorship and conducting a gap analysis against ISO 28000 clauses (Phase 0-1). Appoint a Senior Responsible Owner, define SMS scope including supply-chain boundaries and external processes (Clause 4), map current controls, and produce a prioritized risk register and project charter with timelines and resources.

Standards Comparison

ISO 22000 vs ISO 28000

ISO 22000

Voluntary

2018

International standard for food safety management systems

ISO 28000

Voluntary

2022

International standard for supply chain security management systems.

Quick Verdict

ISO 22000 ensures food safety through hazard control and PRPs for food chain organizations, while ISO 28000 manages supply chain security risks and threats for logistics and manufacturing. Companies adopt them for certification, compliance, market access, and resilience.

Food Safety

ISO 22000

ISO 22000:2018 Food safety management systems

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based supply chain security management framework
PDCA cycle for continual improvement and audits
Supplier and third-party risk integration requirements
Alignment with ISO 22301 and 27001 standards
Incident response and recovery planning mandates

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems — Requirements

Cost

€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Adopts High-Level Structure for integrated management systems
Implements two nested PDCA cycles for governance and operations
Integrates HACCP principles with PRPs, OPRPs, and CCPs
Emphasizes interactive communication across food chain
Distinguishes organizational risks from operational hazards

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

ISO 22000 Details

What It Is

ISO 22000:2018 is an international certification standard for Food Safety Management Systems (FSMS). It provides requirements for organizations in the food chain to ensure safe products through hazard control, compliance, and communication. Its risk-based approach uses two nested PDCA cycles—organizational for governance and operational for HACCP-aligned controls.

Key Components

Clauses 4-10 follow High-Level Structure (HLS) for integration with ISO 9001/14001.
Core elements: PRPs, hazard analysis, OPRPs/CCPs, traceability, verification.
Built on HACCP principles with strengthened leadership, risk planning, and communication.
Voluntary certification via accredited bodies with staged audits.

Why Organizations Use It

Meets customer/regulatory demands, enables market access (e.g., GFSI schemes).
Reduces recalls, enhances resilience, builds stakeholder trust.
Strategic benefits: efficiency, integration, competitive edge in global chains.

Implementation Overview

Phased: gap analysis, PRPs, hazard control plan, training, audits.
Applies to all food chain organizations; scalable by size.
Involves internal audits, management reviews; certification every 3 years.

ISO 28000 Details

What It Is

ISO 28000:2022 is an international management system standard specifying requirements for establishing, implementing, maintaining, and improving a security management system (SMS) focused on supply chain security and resilience. It uses a risk-based, PDCA (Plan-Do-Check-Act) approach to protect people, assets, goods, infrastructure, and information.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, performance evaluation, and improvement.
Emphasizes risk assessment, security strategies, incident response, supplier controls, and continual improvement.
Built on ISO High Level Structure for integration with standards like ISO 22301 and ISO 27001.
Optional certification via accredited bodies per ISO/IEC 17021-1.

Why Organizations Use It

Reduces supply chain disruptions, theft, and sabotage risks.
Meets contractual, regulatory, and trade facilitation needs (e.g., C-TPAT).
Lowers insurance costs, enhances market access, and builds stakeholder trust.
Provides competitive edge in logistics, manufacturing, and retail.

Implementation Overview

Phased approach: scoping, gap analysis, risk assessment, control deployment, audits, certification.
Scalable for all sizes; 6-36 months typical.
Applies globally across industries like transportation and pharmaceuticals.

Key Differences

Aspect	ISO 22000	ISO 28000
Scope	Food safety hazards, HACCP, PRPs across food chain	Supply chain security risks, threats, resilience
Industry	Food chain: production, processing, logistics, retail	Logistics, manufacturing, retail, any supply chain
Nature	Voluntary FSMS certification standard	Voluntary security management system standard
Testing	Internal audits, hazard verification, management review	Risk assessments, internal audits, management review
Penalties	Loss of certification, market access denial	Loss of certification, supply chain exclusion

Scope

ISO 22000

Food safety hazards, HACCP, PRPs across food chain

ISO 28000

Supply chain security risks, threats, resilience

Industry

ISO 22000

Food chain: production, processing, logistics, retail

ISO 28000

Logistics, manufacturing, retail, any supply chain

Nature

ISO 22000

Voluntary FSMS certification standard

ISO 28000

Voluntary security management system standard

Testing

ISO 22000

Internal audits, hazard verification, management review

ISO 28000

Risk assessments, internal audits, management review

Penalties

ISO 22000

Loss of certification, market access denial

ISO 28000

Loss of certification, supply chain exclusion

Frequently Asked Questions

Common questions about ISO 22000 and ISO 28000

ISO 22000 FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

NIST CSF 2.0 Plain English Decoder: Translating Govern, Supply Chain, and Core Functions from Jargon to Actionable Insights

Demystify NIST CSF 2.0 jargon with plain English tables for Govern, Supply Chain & Core Functions. Actionable steps for risk oversight & vendor management. Empo

Measuring CIS Controls v8.1 in the Real World: KPIs, Dashboards, and Automated Evidence for Continuous Assurance

Master CIS Controls v8.1 measurement with essential KPIs, executive-ready dashboards, and automated evidence collection for continuous assurance. Make complianc

NIST CSF 2.0 Supply Chain Risk Management: Complete Playbook with Profiles, Tiers, and Vendor Assessment Templates

Master NIST CSF 2.0 ID.SC supply chain risk management with vendor assessment templates, profile gap analysis, and tier strategies. Mitigate third-party threats

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how ISO 22000 and ISO 28000 compare against other standards

Other ISO 22000 Comparisons

Other ISO 28000 Comparisons

What It Is

Key Components

Clauses 4-10 follow High-Level Structure (HLS) for integration with ISO 9001/14001.

Core elements: PRPs, hazard analysis, OPRPs/CCPs, traceability, verification.

Built on HACCP principles with strengthened leadership, risk planning, and communication.

Voluntary certification via accredited bodies with staged audits.

What It Is

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, performance evaluation, and improvement.

Emphasizes risk assessment, security strategies, incident response, supplier controls, and continual improvement.

Built on ISO High Level Structure for integration with standards like ISO 22301 and ISO 27001.

Optional certification via accredited bodies per ISO/IEC 17021-1.

Aspect

ISO 22000

ISO 28000

Scope

Food safety hazards, HACCP, PRPs across food chain

Supply chain security risks, threats, resilience

Industry

Food chain: production, processing, logistics, retail

Logistics, manufacturing, retail, any supply chain

Nature

Voluntary FSMS certification standard

Voluntary security management system standard

Testing

Internal audits, hazard verification, management review

Risk assessments, internal audits, management review

Penalties

Loss of certification, market access denial

Loss of certification, supply chain exclusion