FSSC 22000 is a GFSI-recognized food safety certification scheme built from three parts: the ISO 22000 management system standard, sector-specific prerequisite program (PRP) standards from the ISO 22002 series, and FSSC's own additional requirements. Version 7 published May 1, 2026; Version 6 audits remain valid through April 30, 2027.

If BRCGS is the retailer's standard and SQF is the North American grocer's standard, FSSC 22000 is the ISO shop's standard, the choice of ingredient makers, multinationals, and any plant that already runs ISO 9001-style management systems and wants food safety certification built the same way. This guide covers the three-layer structure, the current version status, the three-year certification cycle, and how FSSC compares to the other big schemes.

What is FSSC 22000?

FSSC 22000 (Food Safety System Certification 22000) is a certification scheme owned by the Foundation FSSC a non-profit based in the Netherlands. The Foundation does not write the core requirements itself, that is the point. It packages international ISO standards into an auditable, certifiable scheme and adds the extra requirements needed to satisfy GFSI benchmarking then licenses certification bodies to audit against the package.

Because the backbone is ISO 22000, an FSSC certificate rides on a full management system: policy, objectives, planning, competence, operational control, performance evaluation, and improvement. That makes it the natural fit for companies that want one integrated management system across quality (ISO 9001), environment (ISO 14001), and food safety, rather than a standalone food safety code. It also means the scheme is pass/fail, there is no public letter grade the way BRCGS grades AA to D.

What are the three components of FSSC 22000?

Every FSSC 22000 certificate is built from the same three layers: ISO 22000, a sector PRP standard, and the FSSC additional requirements. You must conform to all three; the certificate covers the stack, not any single layer.

The three-layer structure of FSSC 22000 FSSC 22000 = three layers, one certificate 3 · FSSC Additional Requirements food fraud · food defense · allergens · culture · labeling · environmental monitoring · what GFSI needs beyond ISO 2 · Sector PRPs, ISO 22002 series the floor-level basics for your sector: hygiene, layout, pests, utilities, cleaning (e.g. ISO 22002-1 for food manufacturing) 1 · ISO 22000, the management system HACCP-based hazard control + policy, planning, competence, communication, performance evaluation, improvement audit covers the whole stack, conform to all three or no certificate
ISO 22000 supplies the management system, the ISO 22002 series supplies sector-specific prerequisite programs, and FSSC's additional requirements close the gaps GFSI benchmarking demands.

Layer 1: ISO 22000

The base is ISO 22000 the international food safety management system standard. It embeds HACCP methodology, hazard analysis, CCPs, validation, verification, inside the standard ISO management-system skeleton. If you hold HACCP certification today, you have the core of this layer; ISO 22000 adds the system around it.

Layer 2: sector PRPs (ISO 22002 series)

ISO 22000 deliberately keeps prerequisite programs generic, so the scheme bolts on a sector-specific PRP standard. For food manufacturers that has historically been ISO/TS 22002-1; with Version 7, the scheme moves to the updated ISO 22002 series published in 2025, which replaces the older technical specifications. These documents are the concrete stuff: building fabric, zoning, air and water, cleaning and sanitation, pest control, personnel hygiene, rework, warehousing. There are separate parts for packaging, storage and distribution, transport, farming, and catering, which is why FSSC can certify categories beyond manufacturing.

Layer 3: FSSC additional requirements

The Foundation's own clauses cover what GFSI requires but ISO does not spell out: food fraud mitigation, food defense, allergen management environmental monitoring, labeling, food safety and quality culture and management of purchased services. Version 7 updated these areas and added emphases including food loss and waste, equipment management, and packaging design considerations.

What is the current version of FSSC 22000?

Version 7, published May 1, 2026. The Foundation initiated the revision to incorporate the new ISO 22002 PRP series (2025) and to align with GFSI's updated benchmarking requirements. The transition rules matter for planning:

Check the scheme documents yourself, the Foundation publishes them free at fssc.com which is one of the scheme's genuinely nice features (BRCGS and SQF sell theirs or gate them behind portals).

How does the FSSC 22000 certification cycle work?

FSSC runs on the ISO-style three-year cycle: a two-stage initial audit, annual surveillance audits, then a full recertification audit in year three. This is the biggest practical difference from BRCGS and SQF, which re-issue certificates every year.

The FSSC 22000 three-year certification cycle Three-year certificate, audited every year stage 1 document & readiness review stage 2 full on-site audit → 3-yr certificate surveillance 1 year 1 · lighter scope, on-site surveillance 2 year 2 recertification year 3 · full audit, new certificate cycle repeats · at least one audit in the cycle is unannounced nonconformities at any audit require corrective action to keep the certificate
Initial certification is a two-stage audit; the certificate then runs three years with annual surveillance and a full recertification audit before expiry.

Do not read “three-year certificate” as three quiet years. Surveillance audits are real on-site audits, GFSI-aligned schemes require at least one unannounced audit within each cycle, and a failed surveillance can suspend the certificate mid-cycle. The workload is annual either way, what the three-year cycle buys you is continuity: minor findings become corrective actions inside a living certificate rather than threats to this year's re-issue.

FSSC 22000 vs SQF vs BRCGS: how do you choose?

All three are GFSI-recognized, so any of them satisfies a customer's “GFSI certificate” requirement. Choose on structure and audience:

FSSC 22000SQFBRCGS
BackboneISO 22000 management systemProprietary code, HACCP-centeredProprietary clause list
Certificate cycle3 years + annual surveillanceAnnual recertificationAnnual (6-month at low grades)
Result formatPass/failNumeric scorePublic letter grade (AA–D)
Scheme documentsFree to downloadPurchased/portalPurchased
Natural fitISO-integrated plants, ingredients, multinationalsNorth American retail suppliersUK/EU retail suppliers

Rules of thumb: if your customers are North American grocers, SQF is most often named. UK/EU retail, BRCGS. If you already run ISO management systems, sell ingredients globally, or want one integrated system across sites, FSSC 22000 usually costs the least additional effort. And if a specific buyer demands a specific scheme, that decision is made for you.

Who is FSSC 22000 for? Scopes and add-ons

FSSC 22000 is not just for food plants. Because the ISO 22002 PRP series has sector-specific parts, the scheme certifies organizations across the chain: food and pet food manufacturing, food packaging manufacturing, storage and distribution, transport, and catering, among other food chain categories defined in the scheme documents. That breadth matters when a customer wants your co-packer and your carton supplier certified too, one scheme can cover all of them, each against its own PRP standard.

Two program notes worth knowing before you commit:

Where FSSC tends not to be the first pick: small plants with no ISO history selling only to North American retailers who name SQF, or UK-retail suppliers whose buyers want a BRCGS grade to screen against. The scheme rewards management-system maturity; if your system today is a HACCP plan and a binder of SOPs, budget real time for the ISO 22000 layer, objectives, internal audit programs, management review, and documented improvement loops are audited as hard as the floor is.

How do you get FSSC 22000 certified? Six steps

  1. Download the scheme and scope yourself. Get the Version 7 documents from fssc.com, confirm your food chain category, and identify your sector PRP standard.
  2. Gap-assess all three layers. Plants with working HACCP usually find the biggest gaps in management-system elements (objectives, internal audit, management review) and in additional requirements like food fraud and culture.
  3. Build the system and the records. Close physical PRP gaps, write what is missing, and run the system long enough to generate months of live records, auditors certify evidence, not intentions.
  4. Run internal audits and a management review. Both are hard requirements before stage 2, and both must have found and fixed something to be credible.
  5. Choose a licensed certification body and take stage 1 + stage 2. Stage 1 checks readiness; stage 2 is the full audit. Clear nonconformities with corrective action evidence.
  6. Run the cycle. Surveillance in years one and two (at least one unannounced), recertification in year three, and transition to new versions at scheduled audits as the Foundation publishes them.

Key facts and dates to pin

What does an FSSC audit feel like on the floor?

ISO-based audits chase linkages. The auditor picks a thread, a CCP, a customer complaint, an allergen changeover, and follows it through your system: hazard analysis to control to monitoring record to trained operator to corrective action to management review. Gaps between documents and floor reality are where findings come from, and the most common ones are mundane: monitoring records filled in later, verification steps signed but not performed, culture and objectives that exist only in the binder.

That is a records problem before it is a food-safety problem, and it is why plants increasingly move checks, logs, and handoffs into structured digital workflows where records are timestamped as work happens, the approach Harmony takes when it digitizes paperwork and quality reporting on plant floors. When every record is live and searchable, surveillance audits stop being annual emergencies. The certificate then reflects what auditors actually want to see: a system that runs the same on audit day as on any other day.