FSSC 22000 is a GFSI-recognized food safety certification scheme built from three parts: the ISO 22000 management system standard, sector-specific prerequisite program (PRP) standards from the ISO 22002 series, and FSSC's own additional requirements. Version 7 published May 1, 2026; Version 6 audits remain valid through April 30, 2027.
If BRCGS is the retailer's standard and SQF is the North American grocer's standard, FSSC 22000 is the ISO shop's standard, the choice of ingredient makers, multinationals, and any plant that already runs ISO 9001-style management systems and wants food safety certification built the same way. This guide covers the three-layer structure, the current version status, the three-year certification cycle, and how FSSC compares to the other big schemes.
What is FSSC 22000?
FSSC 22000 (Food Safety System Certification 22000) is a certification scheme owned by the Foundation FSSC a non-profit based in the Netherlands. The Foundation does not write the core requirements itself, that is the point. It packages international ISO standards into an auditable, certifiable scheme and adds the extra requirements needed to satisfy GFSI benchmarking then licenses certification bodies to audit against the package.
Because the backbone is ISO 22000, an FSSC certificate rides on a full management system: policy, objectives, planning, competence, operational control, performance evaluation, and improvement. That makes it the natural fit for companies that want one integrated management system across quality (ISO 9001), environment (ISO 14001), and food safety, rather than a standalone food safety code. It also means the scheme is pass/fail, there is no public letter grade the way BRCGS grades AA to D.
What are the three components of FSSC 22000?
Every FSSC 22000 certificate is built from the same three layers: ISO 22000, a sector PRP standard, and the FSSC additional requirements. You must conform to all three; the certificate covers the stack, not any single layer.
Layer 1: ISO 22000
The base is ISO 22000 the international food safety management system standard. It embeds HACCP methodology, hazard analysis, CCPs, validation, verification, inside the standard ISO management-system skeleton. If you hold HACCP certification today, you have the core of this layer; ISO 22000 adds the system around it.
Layer 2: sector PRPs (ISO 22002 series)
ISO 22000 deliberately keeps prerequisite programs generic, so the scheme bolts on a sector-specific PRP standard. For food manufacturers that has historically been ISO/TS 22002-1; with Version 7, the scheme moves to the updated ISO 22002 series published in 2025, which replaces the older technical specifications. These documents are the concrete stuff: building fabric, zoning, air and water, cleaning and sanitation, pest control, personnel hygiene, rework, warehousing. There are separate parts for packaging, storage and distribution, transport, farming, and catering, which is why FSSC can certify categories beyond manufacturing.
Layer 3: FSSC additional requirements
The Foundation's own clauses cover what GFSI requires but ISO does not spell out: food fraud mitigation, food defense, allergen management environmental monitoring, labeling, food safety and quality culture and management of purchased services. Version 7 updated these areas and added emphases including food loss and waste, equipment management, and packaging design considerations.
What is the current version of FSSC 22000?
Version 7, published May 1, 2026. The Foundation initiated the revision to incorporate the new ISO 22002 PRP series (2025) and to align with GFSI's updated benchmarking requirements. The transition rules matter for planning:
- Version 6 audits remain valid through April 30, 2027 a 12-month transition window from V7 publication.
- Each site upgrades at a scheduled audit in the window, so your certification body will map the transition onto your existing surveillance or recertification date.
- Version 6 history for context: V6 published March 31, 2023, with first audits from April 1, 2024. If your documentation still says v5.1, you are two versions behind.
Check the scheme documents yourself, the Foundation publishes them free at fssc.com which is one of the scheme's genuinely nice features (BRCGS and SQF sell theirs or gate them behind portals).
How does the FSSC 22000 certification cycle work?
FSSC runs on the ISO-style three-year cycle: a two-stage initial audit, annual surveillance audits, then a full recertification audit in year three. This is the biggest practical difference from BRCGS and SQF, which re-issue certificates every year.
Do not read “three-year certificate” as three quiet years. Surveillance audits are real on-site audits, GFSI-aligned schemes require at least one unannounced audit within each cycle, and a failed surveillance can suspend the certificate mid-cycle. The workload is annual either way, what the three-year cycle buys you is continuity: minor findings become corrective actions inside a living certificate rather than threats to this year's re-issue.
FSSC 22000 vs SQF vs BRCGS: how do you choose?
All three are GFSI-recognized, so any of them satisfies a customer's “GFSI certificate” requirement. Choose on structure and audience:
| FSSC 22000 | SQF | BRCGS | |
|---|---|---|---|
| Backbone | ISO 22000 management system | Proprietary code, HACCP-centered | Proprietary clause list |
| Certificate cycle | 3 years + annual surveillance | Annual recertification | Annual (6-month at low grades) |
| Result format | Pass/fail | Numeric score | Public letter grade (AA–D) |
| Scheme documents | Free to download | Purchased/portal | Purchased |
| Natural fit | ISO-integrated plants, ingredients, multinationals | North American retail suppliers | UK/EU retail suppliers |
Rules of thumb: if your customers are North American grocers, SQF is most often named. UK/EU retail, BRCGS. If you already run ISO management systems, sell ingredients globally, or want one integrated system across sites, FSSC 22000 usually costs the least additional effort. And if a specific buyer demands a specific scheme, that decision is made for you.
Who is FSSC 22000 for? Scopes and add-ons
FSSC 22000 is not just for food plants. Because the ISO 22002 PRP series has sector-specific parts, the scheme certifies organizations across the chain: food and pet food manufacturing, food packaging manufacturing, storage and distribution, transport, and catering, among other food chain categories defined in the scheme documents. That breadth matters when a customer wants your co-packer and your carton supplier certified too, one scheme can cover all of them, each against its own PRP standard.
Two program notes worth knowing before you commit:
- The scope is defined per site and per category. Your certificate names the site, the food chain category, and the products and processes covered. Anything you make outside that scope is not certified, so scope it honestly, auditors check.
- Quality can ride along. The Foundation offers an FSSC 22000-Quality option that folds ISO 9001 management-system requirements into the same audit, for plants that want one integrated certificate instead of parallel audits. If your customers ask for both food safety and quality certification, one combined cycle is usually cheaper than two.
Where FSSC tends not to be the first pick: small plants with no ISO history selling only to North American retailers who name SQF, or UK-retail suppliers whose buyers want a BRCGS grade to screen against. The scheme rewards management-system maturity; if your system today is a HACCP plan and a binder of SOPs, budget real time for the ISO 22000 layer, objectives, internal audit programs, management review, and documented improvement loops are audited as hard as the floor is.
How do you get FSSC 22000 certified? Six steps
- Download the scheme and scope yourself. Get the Version 7 documents from fssc.com, confirm your food chain category, and identify your sector PRP standard.
- Gap-assess all three layers. Plants with working HACCP usually find the biggest gaps in management-system elements (objectives, internal audit, management review) and in additional requirements like food fraud and culture.
- Build the system and the records. Close physical PRP gaps, write what is missing, and run the system long enough to generate months of live records, auditors certify evidence, not intentions.
- Run internal audits and a management review. Both are hard requirements before stage 2, and both must have found and fixed something to be credible.
- Choose a licensed certification body and take stage 1 + stage 2. Stage 1 checks readiness; stage 2 is the full audit. Clear nonconformities with corrective action evidence.
- Run the cycle. Surveillance in years one and two (at least one unannounced), recertification in year three, and transition to new versions at scheduled audits as the Foundation publishes them.
Key facts and dates to pin
- Version 7 published May 1, 2026; 12-month transition; V6 audits valid through April 30, 2027 (Foundation FSSC).
- Version 6 published March 31, 2023; first V6 audits April 1, 2024.
- V7 incorporates the ISO 22002 PRP series (2025) replacing the older ISO/TS 22002 technical specifications, and aligns with GFSI's updated benchmarking requirements.
- FSSC 22000 is GFSI-recognized; the ISO 22000 base standard is published by ISO.
What does an FSSC audit feel like on the floor?
ISO-based audits chase linkages. The auditor picks a thread, a CCP, a customer complaint, an allergen changeover, and follows it through your system: hazard analysis to control to monitoring record to trained operator to corrective action to management review. Gaps between documents and floor reality are where findings come from, and the most common ones are mundane: monitoring records filled in later, verification steps signed but not performed, culture and objectives that exist only in the binder.
That is a records problem before it is a food-safety problem, and it is why plants increasingly move checks, logs, and handoffs into structured digital workflows where records are timestamped as work happens, the approach Harmony takes when it digitizes paperwork and quality reporting on plant floors. When every record is live and searchable, surveillance audits stop being annual emergencies. The certificate then reflects what auditors actually want to see: a system that runs the same on audit day as on any other day.