Module 1 Structure of the new ISO 22000 Standard, · 2020. 3. 30. · ISO 22000 certificate statistics 2772 15505 435 1414 11085 432 North America 9357 7083 4865 639 1.2. Revision

1

TD54 (V4)

1.1. ISO 22000 certificate statistics

1.2. Revision of the Standards

ISO standards are usually revised every 5 years. The revision of the 2005 version was only completed in 2018. The benefits of the new ISO 22000 Standard include:

Greater emphasis on leadership engagement

A structured approach to address organisational risks and opportunities

The use of simplified language, common structure and terms

The new Standard can be easily integrated with other management systems, such as

quality, environmental and health and safety.

Module 1 Structure of the new ISO 22000 Standard, key aspects and overview of the changes

133 266 356 717 637 802 9491130 1281 105992 247 257

414 451 585 639739 740 576

49 48 103181 231 321

344 533534

2782749

48656050

7083 73618307

935710181

1118111083

704

1541

5247

82718906

1108510306

12007

14666 15505

281

960

1393

14141330

15221936

2370

2772 2636

114

258

432

500435

656684

730

887 1002

,0

5,000

10,000

15,000

20,000

25,000

30,000

35,000

2007 2008 2009 2010 2011 2012 2013 2014 2015 2016

ISO 22000 - Worldwide total

Middle East

Central and

South Asia

East Asia and

Pacific

Europe

North America

Central / South

America

Africa

2

TD54 (V4)

The main differences between the old and new Standards are:

• The new Standard adopted the new high-level structure

• There is an explicit requirement for risk-based thinking

• The new Standard has less prescriptive requirements

• There is more flexibility regarding documentation

• There is increased emphasis on the organisational context

• There are increased leadership requirements.

The FSSC 22000 version 5 was developed with inputs from stakeholders such as representatives from Certification Bodies, Accreditation

Bodies, training organisations and industry. The development project was managed by the FSSC 22000 team with guidance by the FSSC 22000 advisory Committee and Board of stakeholders.

1.3. New structure of the ISO 22000 Standard

ISO management system Standards will have the same structure in future. This structure makes it possible to address multiple management system requirements in a single system and provides

the opportunity of integrating management systems. Standardised core definitions will be used.

The Standard is divided into 10 clauses:

Clause 1 is the scope.

Clause 2 outlines normative references.

Clause 3 stipulates terms and definitions.

Clause 4 – 10 are the requirements that should be met by an organisation seeking ISO 22000

certification – these are outlined in the table.

The following must be considered when reading the ISO 22000 standard:

Clause ISO 22000:2005 clauses ISO 22000:2018 clauses

Clause 1: Scope Scope

Clause 2: Normative Reference Normative References

Clause 3: Terms and Definitions Terms and Definitions

Clause 4: Food safety management system Context of the organization

Clause 5: Management Responsibility Leadership

Clause 6: Resource Management Planning

Clause 7: Planning & realisation of safe

products Support

Clause 8: Validation, verification and

improvement of the FSMS Operation

Clause 9: - Performance evaluation

Clause 10: - Improvement

IMS

Food safety

Quality Environment

Health &

safety

SHALL

indicates a requirement

SHOULD

indicates a recommendation

MAY

indicates a permission

CAN

indicates a possibility or a

capability

NOTE

guidance in understanding or

clarifying the requirement

3

TD54 (V4)

Context of the organisation

•4.1 Understanding the organisation and its context

•4.2 Understanding the needs & expectations of interested parties

•4.3 Determining the scope of the FSMS

•4.4 FSMS

Leadership

•5.1 Leadership & commitment

•5.2 Policy

•5.3 Organisational roles, responsibilities & authorities

Planning

•6.1 Actions to address risks & opportunities

•6.2 Objectives of the FSMS & planning to achieve them

•6.3 Planning of changes

Support

7.1 Resources

7.2 Competence

7.3 Awareness

Operation

8.1 Operational planning & control

8.2 PRPs

8.3 Traceability system

8.4 Emergency preparedness & response

8.5 Hazard control

Performance evaluation of the FSMS

9.1 Monitoring, measurement, analysis & evaluation

9.2 Internal audit

9.3 Management review

Improvement of the FSMS

10.1 Nonconformity & corrective action

10.2 Continual improvement

10.3 Update of the FSMS

4

5

6

7

8

9

10

Pla

n

Do

C

he

ck

Act

7.4 Communication

7.5 Documented information

8.6 Updating the information specifying

the PRPs and hazard control plan

8.7 Control of monitoring & measuring

8.8 Verification related to PRPs & the

hazard control plan 8.9 Control of product & process

nonconformities

4

TD54 (V4)

1.4. Timeline for FSSC version 5 audits

• Companies will be audited against version 5 between 1 January and 31 December 2020.

• Initial audits (stage 1 and 2) must be performed against the same version requirements.

• Upgrade audits for surveillance and re-certification must be performed announced, unless the company would like it to be unannounced.

• Audits against FSSC 22000 version 4.1 are only allowed latest 31/12/19.

• Upgrade audits against FSSC 22000 version 5 must be performed between 1 January and 31 December 2020.

• Under extraordinary circumstances, the version 5 upgrade could take place in 2021, however this process must be completed in accordance with the FSSC scheme requirements and before the

29/06/21. After this date, version 4.1 certificates will expire and the certification process will start again to regain certification.

• It will not be mandatory to add additional on-site audit time to assess the implementation of FSSC 22000 version 5. The following scenarios are possible:

2018 2019 2020 2021 2022

Version 4.1, surveillance 1 upgrade

audit

Version 4.1, surveillance 2

unannounced audit Version 5 recertification

Version 5, surveillance 1 announced

or unannounced audit


or announced audit

Version 4.1, surveillance 2 upgrade

audit Version 4.1 recertification

Version 5, surveillance 1 upgrade

audit

Version 5, surveillance 2

unannounced audit Version 5 recertification

Version 4.1 recertification Version 4.1, surveillance 1

announced audit


audit Version 5 recertification


audit

Version 4.1 recertification Version 4.1, surveillance 1,

unannounced audit


audit Version 5 recertification


or unannounced audit

1.5. ISO 22000 terms & definitions

ISO 22000:2005 listed 17 definitions. There are now 45 definitions in ISO 22000:2018. An overview is provided:

ISO 22000:2018 ISO22000:2005

Clause no Comment

Term Description Clause

no

Acceptable level Level of a food safety hazard not to be exceeded in the end product provided by the organisation. 3.1 - New

Action criterion Measurable or observable specification for the monitoring of an OPRP. 3.2 - New

Audit Systematic, independent and documented process for obtaining audit evidence and evaluating it

objectively to determine the extent to which the audit criteria are fulfilled. 3.3 -

New in ISO22000, used as per

ISO9001

Competence Ability to apply knowledge and skills to achieve intended results. 3.4 - New in ISO22000, used as per

ISO9001

Conformity Fulfilment of a requirement. 3.5 - New in ISO22000, used as per

ISO9001

Contamination Introduction or occurrence of a contaminant including food safety hazard in product or processing

environment. 3.6 - New

5

TD54 (V4)

ISO 22000:2018 ISO22000:2005

Clause no Comment


no

Continual

improvement Recurring activity to enhance performance. 3.7 -


ISO9001, slightly adapted

Control measure Action or activity that is essential to prevent a significant food safety hazard or reduce it to an acceptable

level. 3.8 3.7 Adapted

Correction Action to eliminate a detected nonconformity. 3.9 3.13 No changes

Corrective action Action to eliminate the cause of a nonconformity and to prevent recurrence. 3.10 3.14 Slightly adapted

Critical control

point

Step in the process at which control measure(s) is (are) applied to prevent or reduce a significant food

safety hazard to an acceptable level, and defined critical limit(s) and measurement enable the application

of corrections.

3.11 3.10 Adapted

Critical limit Measurable value which separates acceptability from unacceptability. 3.12 3.11 Slightly adapted

Documented

information

Information required to be controlled and maintained by an organisation and the medium on which it is

contained. 3.13 -


ISO9001

Effectiveness Extent to which planned activities are realised and planned results achieved. 3.14 - New in ISO22000, used as per

ISO9001

End product Product that will undergo no further processing or transformation by the organisation. 3.15 3.5 No changes

Feed

Single or multiple product(s), whether processed, semi-processed or raw, which is (are) intended to be

fed to food producing animals.

NOTE:

• Food is intended for consumption by humans and animals, and includes feed and animal food; • Feed is intended to be fed to food producing animals;

• Animal food is intended to be fed to non-food producing animals like pets.

3.16 - New

Flow diagram Schematic and systematic presentation of the sequence and interactions of steps in the process. 3.17 3.6 No changes

Food

Substance (ingredient), whether processed, semi-processed or raw, which is intended for consumption,

and includes drink, chewing gum and any substance which has been used in the manufacture,

preparation or treatment of “food” but does not include cosmetics or tobacco or substances (ingredients)

used only as drugs.

3.18 - New

Food, animal Single or multiple product(s), whether processed, semi-processed or raw, which is (are) intended to be

fed to non-food producing animals. 3.19 - New

Food chain Sequence of the stages in the production, processing, distribution, storage and handling of a food and

its ingredients, from primary production to consumption. 3.20 3.2 No changes

Food safety Assurance that food will not cause an adverse health effect for the consumer when it is prepared and/or

consumed in accordance with its intended use. 3.21 3.1 Slightly adapted

Food safety

hazard

Biological, chemical or physical agent in food with the potential to cause an adverse health effect.

Note 2: Food safety hazards include allergens and radiological substances.

3.22 3.3 Adapted

Interested party Person or organisation that can affect, be affected by, or perceive itself to be affected by a decision or

activity. 3.23 -


ISO9001

Lot Defined quantity of a product produced and/or processed and/or packaged essentially under the same

conditions. 3.24 - New

6

TD54 (V4)

ISO 22000:2018 ISO22000:2005

Clause no Comment


no

Management

system

Set of interrelated or interacting elements of an organisation to establish food safety policies and

objectives and processes to achieve those objectives. 3.25 - New

Measurement Process to determine a value. 3.26 - New in ISO22000, used as per

ISO9001

Monitoring Determining the status of a system, a process or an activity. 3.27 3.12 Adapted

Nonconformity Non-fulfilment of a requirement. 3.28 - New in ISO22000, used as per ISO9001

Objective Result to be achieved. 3.29 - New in ISO22000, used as per ISO9001

OPRP Control measure or combination of control measures applied to prevent or reduce a significant food safety hazard to an acceptable level, and where action criterion and measurement or observation enable

effective control of the process and/or product.

3.30 3.9 Adapted

Organisation Person or group of people that has its own functions with responsibilities, authorities and relationships

to achieve its objectives. 3.31 -


ISO9001

Outsource Make an arrangement where an external organisation performs part of an organisation’s function or

process. 3.32 -


ISO9001

Performance Measurable result. 3.33 - New in ISO22000, used as per

ISO9001

Policy Intentions and direction of an organisation as formally expressed by its top management. 3.34 3.4 No changes

PRP Basic conditions and activities that are necessary within the organisation and throughout the food chain

to maintain food safety. 3.35 3.8 Adapted

Process Set of interrelated or interacting activities which transforms inputs to outputs. 3.36 - New in ISO22000, used as per

ISO9001, but slightly adapted

Product Output that is a result of a process. 3.37 - New in ISO22000, used as per


Requirement Need or expectation that is stated, generally implied or obligatory. 3.38 - New in ISO22000, used as per

ISO9001

Risk Effect of uncertainty. 3.39 - New in ISO22000, used as per

ISO9001

Significant food

safety hazard

Food safety hazard identified through the hazard assessment, which needs to be controlled by control

measures. 3.40 - New

Top management Person or group of people who directs and controls an organisation at the highest level. 3.41 - New in ISO22000, used as per

ISO9001

Traceability Ability to follow the history, application, movement and location of an object through specified stage(s)

of production, processing and distribution. 3.42



Update Immediate and/or planned activity to ensure application of the most recent information. 3.43 3.17 No changes

Validation Obtaining evidence that a control measure (or combination of control measures), will be capable of effectively controlling the significant food safety hazard.

3.44 3.15 Slightly adapted

Verification Confirmation, through the provision of objective evidence, that specified requirements have been

fulfilled. 3.45 3.16 No changes

7

TD54 (V4)

1.6. ISO 22000 family of Standards The family of Standards include:

Because FSSC 22000 emphasises the concept that safe food can only be assured through a combined effort from all the

stakeholders in the food chain, technical Standards are developed for each sector in the food chain. The following Standards have

been developed:

1.7. ISO 22000 concepts

ISO 22000 acknowledges three concepts that embedded into the Standard.

Process approach

It is important to understand and manage interrelated processes as a coherent system to enhance effectiveness and efficiency in achieving

required results. Processes and their interactions should therefore be defined and managed. This will enable execution of food safety policy and

strategic direction of the organisation.

Food safety management systems - requirements for any organisation in the food chain

Pre-requisite programmes

Food safety management systems - requirements for bodies providing audit and certificationof food safety management systems

Food safety management systems - guidance on the application of ISO 22000

ISO/TS22002-1 Food manufacturing

ISO/TS22002-2 Catering operations

ISO/TS22002-3 Farming operations

ISO/TS22002-4 Food packaging manufacturing

ISO/TS22002-5 Transport & Storage

ISO/TS22002-6 Production of animal feed

ISO 22000

Process

approach

PDCA-

cycle

Risk-based

thinking

ISO/TS22004

ISO/TS22003

ISO/TS22002-x

8

TD54 (V4)

Plan-do-check-Act cycle

The PDCA cycle can be applied to all processes and to the food safety management system itself. It should be applied with an overall

focus on risk-based thinking aimed at taking advantage of opportunities and preventing undesirable results.

Establish the objectives of the system and its processes and the resources required to deliver results in accordancewith customer requirements and the organisations' policies, and identify and address risks and opportunities.

Implement what was planned.

Monitor and (where relevant) measure processes and the resulting products and services, analyse and evaluateinformation and data from monitoring, measuring and verification activities, and report the results.

Take actions to improve performance, as necessary.Act

Plan

Check

Do

9

TD54 (V4)

Risk-based thinking

Within the ISO 22000 context, there are two levels of risk:

1.8. FSMS principles

Food safety relates to the presence of food safety hazards at the time of consumption. These hazards can however occur at any stage of the food

chain and therefore, controls throughout the food chain is essential. Food safety can only be ensured through the combined efforts of all the parties

in the food chain. Key elements required are outlined in the diagram:

Organi-

sational

risk

Operational risk

Clause 6 -Planning

(risks & opportunities)

•Addressing risks establishes a basis for increasingthe effectiveness of the food safety managementsystem, achieving improved results andpreventing negative effects.

Clause 8 -Hazard analysis

•The steps of the hazard analysis can be consideredas necessary measures to prevent or reducehazards to acceptable levels to ensure safe food atthe time of consumption.

Interactive communication

System management

PRPs

Hazard analysis & critical control point (HACCP)

principles

10

TD54 (V4)

1.9. Management principles

ISO 22000 is based on 7 management principles which are common to ISO management system standards. These principles are fundamental rules or beliefs for an organisation, with the aim of

continually improvement performance over the long term through customer focus and addressing the needs of all other stakeholders. These principles are aimed to guide the organisation towards

improved performance. The management principles should be woven through the entire management system and should be applied consistently throughout the organisation. These are:

Principle 1: Customer focus

• Understand the needs of existing and future customers

• Align organisational objectives with customer needs and expectations

• Meet customer requirements

• Measure customer satisfaction

• Manage customer relationships

• Aim to exceed customer expectations

Principle 2: Leadership

Leaders at all levels establish unity of purpose and direction and create conditions in which people are engaged in achieving the

quality objectives of the organisation.

Principle 1:

Customer focus

Principle 2:

Leadership

Principle 3:

Engagement of people

Principle 4:

Process approach

Principle 5:

Improvement

Principle 6:

Evidence-based decision making

Principle 7:

Relationship management

The primary focus of quality management

is to meet customer requirements and to

strive to exceed customer expectations

11

TD54 (V4)

• Establish a vision and direction for the organisation

• Set challenging goals

• Model organisational values

• Establish trust

• Equip and empower employees

• Recognize employee contributions

There is a difference between management and leadership:

Aspect Manager Leader

1 Managers manage things, leaders lead

people

• Management is structural

• Management put emphasis on systems, tools, structures & functions in an organisation.

• Leadership is personal

• Leaders emphasise its people & their personalities & behaviours.

2 Managers divide things to get things done

leaders unite people to get things done

• Management is a process that consists of many steps to attain a certain goal

• Managers assign people.

• Leadership is a practice that involves influencing people to unite and take those steps to attains such goals

• Leaders align people.

3 Managers motivate, leaders inspire

• Managers use motivation

• They influence or force people to do the things they are supposed

to do, whether they like it or not, using a reward system

• Managers influence people from the outside.

• Leaders use inspiration – they influence or inspire people to do

the things they love to do using voluntarism.

• They practice self-leadership

• Leaders influence people from the inside.

4 Managers are reactive; while leaders are

proactive Managers innovate by adapting to change. Leaders innovate by creating change.

5 Managers minimise risks, leaders take

risks

• Managers are more focused on stability

• Managers are cautious.

• Leaders are more focused on creating a great change

• Leaders are curious.

6 Managers are timely, leaders are timeless

• Managers are more concerned about efficiency

• They follow deadlines & achievement of several short-term goals

• Managers must win a series of battles.

• Leaders are more concerned about integrity.

• They follow a goal

• Leaders must win the whole war.

7 Managers control; leaders serve • Managers take authority – they act as bosses

• Management is based on power and sharpness.

• Leaders take duty – they act as servants

• Leadership is based on humility and gentleness.

8 Managers transform a business; leaders

transform people Management is more concerned about the success of a business.

Leadership is more concerned about the success of the people inside

and out of the business.

9 Managers have sub-ordinates; leaders

have peers

Management ensures that every person in the organisation is well-

placed according to his position and authority.

Leadership ensures that every person enjoys equal treatment

regardless of his position or authority.

Every leader can be a manager;

but not every manager can be a

leader…

12

TD54 (V4)

Aspect Manager Leader

10 Managers administer people; leaders

empower them

Managers oversee their subordinates to see to it that they are doing

their jobs the way they want to be done or according to the

organisational blueprint.

Leaders develop their followers personally, trust them, and let them

work independently.

11 Managers hire and fire employees;

leaders welcome and keep friends Management is more about keeping the business alive. Leadership is more about keeping the relationships alive.

12 Managers do what is right, leaders do the

right thing Managers do the things that are generally acceptable or status quo.

Leaders do things based on his belief or convictions and they may

challenge or break what is generally acceptable.

13 Managers fulfil expectations; leaders

make a surprise

Managers give due punishment, while leaders can forgive and forget.

Managers give due credit or rewards to their subordinates.

Leaders give grace (rewards beyond what people deserve) to their

followers.

14 Managers focus on measurable things;

leaders focus on immeasurable things Managers are transactional and economical. Leaders are spiritual or immaterial.

15 Managers are specific; leaders are holistic Managers are more detailed persons. Leaders are more inclined to the big picture.

16 Managers rely on intelligence; leaders

rely on pure will

Management comes from the brain, probability, logic and common

sense.

Leadership comes from the heart, soul possibility, hope, faith and

love.

17 Managers explain, leaders prove Managers give more knowledge and choices. Leaders give more experiences and realisations.

18 Managers plan, leaders create a vision Managers are strategic, tactical and technical. They show the direction and are more focused on creating steps and procedures.

Leaders are deeper, broader and more focused on the ultimate things.

They show the destination and are more focused on objectives and

goals.

19 Managers expect result; leaders expect

growth Management is more about getting things done.

Leadership is more about getting the people, who get things done,

grow.

20 Managers can resign and retire, leaders

consider their job as a lifetime mission.

Management is a temporary job – its existence depends on the life of a

business, organisation or occupation. Leadership is a permanent job – its existence depends on one’s life.

Use the cards provided by the facilitator to distinguish between leaders and managers. 1

13

TD54 (V4)

Principle 3: Engagement of people

An interesting fact from a study performed in the US indicates that staff may not be engaged at all:

• Ensure that people’s abilities are used and valued

• Make people accountable

• Enable participation in continual improvement

• Evaluate individual performance

• Enable learning and knowledge sharing

• Enable open discussion of problems, constraints

This requires:

• Training in the skills necessary to carry out the additional responsibilities.

• Access to information on which decisions can be made.

• Initiative and confidence on the part of the employee to take on greater responsibility.

A good reference on employee engagement can be found at http://www.snacknation.com/blog/employee-

engagement-ideas/ for “59 employee engagement ideas you need to know about”.

It is essential for the organisation that all

people are competent,

empowered and engaged

in delivering value.

Competent, empowered

and engaged people

throughout the

organisation enhance its

capability to create

value.

45 % are NOT

engaged

26 % are

ACTIVELY

DISENGAGED

29 % of the

workforce is

ENGAGED

http://www.snacknation.com/blog/employee-engagement-ideas/http://www.snacknation.com/blog/employee-engagement-ideas/

14

TD54 (V4)

Principle 4: Process approach

• Manage activities as processes

• Measure the capability of activities

• Identify links between activities

• Prioritise improvement opportunities

• Deploy resources effectively

There are various processes in an organisation.

By identifying and controlling the inputs, providing adequate resources and applying suitable control methods, the desired output should be

achieved.

Value chains are activities that are directly linked to customer value. Integration of the value chain is essential to ensure

that the organisation’s desired outcomes can be reached. Each silo can impoverish the result by not delivering exactly

what the next silo in the chain requires.

An organisation is often seen in a functional view and processes are defined as functions – e.g. sales, marketing,

manufacturing, distribution, operations, systems, finance, legal, etc. However – business processes are streams of activities that flow across functional boundaries. This is

often why business processes are fragmented, functional silos. If organisations wish to remain competitive, they need to reduce the complexities resulting from widely dispersed

and often disparate business processes.

Staff should be given the opportunity to study their work in the context of the larger business process that their function supports. The methodology used to identify, derive

or create business processes will vary with the organisation’s size, industry and culture.

Organisations should move their view from functions to processes as indicated in the diagram:

Consistent and predictable results are achieved more effectively and efficiently when

activities are understood and managed as

interrelated processes that function as a

coherent system.

A process is any activity that transforms inputs into

outputs using resources and being subject to specific

controls

Process

Inputs, e.g.

materials

Resources, e.g.

equipment, staff

Outputs, e.g.

product, service, waste

Controls, eg measure-

ments, methods,

environment

There is little

chance of success

for a relay team

suffering from Silo

mentality

15

TD54 (V4)

Functional designs are:

Process designs are:

From this...

To this...

Inbound Logistics Quality HR Engineering Maintenance Distribution

Design Make Deliver

There is an urgent need to

transform people’s perception

of their role in the organisation,

because the simple fact is that

individual high performing

managers or even departments

do not by themselves create a

highly successful organisation.

16

TD54 (V4)

Principle 5: Improvement

• Improve organizational performance and capabilities

• Align improvement activities to objectives & expectations

• Empower people to make improvements

• Measure improvement consistently

• Celebrate improvements

Principle 6: Evidence-based decision making

Ensure the accessibility of accurate and reliable data

Use appropriate methods to analyse data

Make decisions based on analysis

Balance data analysis with practical experience.

Principle 7: Relationship management

• Identify and select suppliers to manage costs, optimise resources, and create value

• Establish relationships considering both the short and long term with all interested parties

• Share expertise, resources, information, and plans with partners

• Collaborate on improvement and development activities

Successful organi-

sations have an

ongoing focus on

improvement.

Decisions based on the analysis

and evaluation of data and information are more likely to

produce desired results.

For sustained success, organisations manage their relationships with

interested parties, such as suppliers.

17

TD54 (V4)

2.1 Understanding the organisation and its context

This is a new requirement (clause 4.1):

The company should determine internal and external issues relevant to its purpose and those that could affect is ability to achieve the intended results of the food safety management system.

Such information can include:

Module 2 Key changes to the ISO 22000 Standard – clause 4:

Context of the organisation

The organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended result(s) of its food safety management system.

The organisation shall identify, review and update information related to these external and internal issues.

NOTE 1: Issues can include positive and negative factors or conditions for consideration.

NOTE 2: Understanding the context can be facilitated by considering external and internal issues, including but not limited to legal, technological, competitive, market, cultural, social, economic

environments, cybersecurity and food fraud, food defence and intentional contamination, knowledge and performance of the organisation, whether international, national, regional or local.

Internal

•Corporate culture

•Governance

•Organisational structure

•Technologies

•Information systems & decision-making processes (both formal & informal)

•Intentional contamination

External

•Cultural

•Social

•Political

•Legal

•Regulatory

•Financial

•Technological

•Economic & competitive environment at international, national, regional or local level

•Food fraud, food defence, intentional contamination

18

TD54 (V4)

2.2 Understanding the needs & expectations of interested parties

This is a new requirement (clause 4.2):

Interested party Needs & expectations

Customers and/or

consumers

Employees

Shareholders/owners

Suppliers & partners

Government, society and

non-government

organisations

2.3 Determining the scope of the food safety management system

ISO 22000:2005 ISO 22000:2018

Clause Description Clause Description

4.1

The organisation shall define the scope of

the food safety management system. The

scope shall specify the products or product

categories, processes and production sites that are addressed by the food safety

management system.

4.3

The organisation shall determine the boundaries and applicability of the FSMS to establish its scope. The scope

shall specify the products and services, processes and production site(s) that are included in the FSMS. The scope shall

include activities, processes, products or services that can have an influence on the food safety of its end

products.

When determining this scope, the organisation shall consider: a) The external and internal issues referred to in 4.1;

b) The requirements referred to in 4.2.

The scope shall be available and maintained as documented information.

To ensure that the organisation has the ability to

consistently provide products and services that meet

applicable statutory, regulatory and customer

requirements with regard to food safety, the organisation

shall determine:

a) The interested parties that are relevant to the FSMS;

b) The relevant requirements of the interested parties

of the FSMS.

The organisation shall identify, review and update

information related to the interested parties and their

requirements.

Provide examples of needs and expectations of the listed interested parties.

2

19

TD54 (V4)

2.4 Food safety management system

ISO9001:2008 ISO 22000:2018


4.1 The organisation shall establish, document, implement and

maintain an effective FSMS and update it when necessary

in accordance with the requirements of this International

Standard.

4.4 The organisation shall establish, implement, maintain, update and continually improve a FSMS,

including the processes needed and their interactions, in accordance with the requirements of this

document.

An example is provided-

Customer/ client R&D processSourcing process

Procurement process

Receiving process

Manufacturing process

Dispatch & delivery

processes

Marketing & sales processes

Value chain processes

Finance process QC & QA process Engineering process HR processRegulatory & legal

processes

Data management & communication

processes

Support processes

20

TD54 (V4)

3.1 Leadership & commitment

ISO 22000:2005 ISO 22000:2018


5.1

Management commitment

Top management shall provide evidence of its

commitment to the development &

implementation of the FSMS & continually

improving its effectiveness by

a) Showing food safety is supported by the business objectives of the organisation

b) Communicating to the organisation the

importance of meeting the requirements of

this International Standard, any statutory

& regulatory requirements, as well as

customer requirements relating to food

safety

c) Establish the food safety policy

d) Conducting management reviews and

e) Ensuring the availability of resources.

5.1

5.1 Leadership and commitment

Top management shall demonstrate leadership and commitment with respect to the FSMS:

a) Ensuring that the food safety policy and the objectives of the FSMS are established and are compatible

with the strategic direction of the organisation;

b) Ensuring the integration of the FSMS requirements into the organisation’s business processes;

c) Ensuring that the resources needed for the FSMS are available;

d) Communicating the importance of effective food safety management and of conforming to the FSMS

requirements, applicable statutory and regulatory requirements, and mutually agreed customer requirements

related to food safety;

e) Ensuring that the FSMS is evaluated and maintained to achieve its intended results;

f) Directing and supporting persons to contribute to the effectiveness of the FSMS;

g) Promoting continual improvement; h) Supporting other relevant management roles to demonstrate their leadership as it applies to their

areas of responsibility.

NOTE: Reference to “business” in this document can be interpreted broadly to mean those activities that

are core to the purposes of the organisation’s existence.

Module 3 Key changes to the ISO 22000 Standard –

clause 5: Leadership

Identify how management can demonstrate leadership and commitment to the FSMS in practical ways.

3

21

TD54 (V4)

3.2 Policy

ISO 22000:2005 ISO 22000:2018


5.2

Top management shall ensure that

the food safety policy

a) Is appropriate to role of the

organisation in the food chain b) Conforms with both statutory

and regulatory requirements and

with mutually agreed food safety

requirements of customers;

c) Is communicated, implemented

& maintained at all levels of the

organisation

d) Is reviewed for continuing

suitability e) Adequately addresses

communication, and

f) Is supported by measurable

objectives.

5.2.1 &

5.2.2

5.2.1 Establishing the food safety policy

Top management shall establish, implement and maintain a food safety policy that:

a) Is appropriate to the purpose and context of the organisation;

b) Provides a framework for setting and reviewing the objectives of the FSMS;

c) Includes a commitment to satisfy applicable food safety requirements including statutory and regulatory requirements

and mutually agreed customer requirements related to food safety;

d) Addresses internal and external communication;

e) Includes a commitment to continual improvement of the FSMS;

f) Addresses the need to ensure competencies related to food safety.

5.2.2 Communicating the food safety policy

The food safety policy shall:

a) Be available and maintained as documented information;

b) Be communicated, understood and applied at all levels within the organisation;

c) Be available to relevant interested parties as appropriate.

22

TD54 (V4)

3.3 Organisational roles, responsibilities & authorities

ISO 22000:2005 ISO 22000:2018


5.4 &

5.5

5.5.1 Responsibility & authority

Top management shall ensure that responsibilities & authorities are defined & communicated within the organisation to ensure the

effective operation and maintenance of the FSMS.

5.5.2 Food safety team leader

Top management shall appoint a food safety team leader, who,

irrespective of other responsibilities, shall have responsibility &

authority

a) To manage a food safety team and organise its work

b) To ensure relevant training & education of the food safety team members

c) To ensure that the FSMS is established, implemented, maintained

& updated and,

d) To report to the organisation’s top management on the

effectiveness & suitability of the FSMS.

5.4 All personnel shall have responsibility to report problems with the

FSMS to identified person(s). Designated personnel shall have defined

responsibility and authority to initiate and record actions.

5.3

5.3.1 Top management shall ensure that the responsibilities and authorities for relevant roles

are assigned, communicated and understood within the organisation.

Top management shall assign the responsibility and authority for:

a) Ensuring that the FSMS conforms to the requirements of this document; b) Reporting on the performance of the FSMS to top management;

c) Appointing the food safety team and the food safety team leader;

d) Designating persons with defined responsibility and authority to initiate and

document action(s).

5.3.2 The food safety team leader shall be responsible for:

a) Ensuring the FSMS is established, implemented, maintained and updated;

b) Managing and organising the work of the food safety team;

c) Ensuring relevant training and competencies for the food safety team (7.2);

d) Reporting to top management on the effectiveness and suitability of the FSMS.

All persons shall have the responsibility to report problem(s) with regards to the FSMS to identified

person(s).

23

TD54 (V4)

4.1 Actions to address risks and opportunities

ISO 22000:2005 ISO 22000:2018


5.4.2

Top management

shall ensure that

a) Planning of the

FSMS is carried out in order to

meet the re-

quirements gi-

ven in 4.1, as

well as the

objectives of

the organi-

sation that

support food safety, and

b) The integrity of

the FSMS is

maintained

when changes

to the FSMS are

planned &

implemented.

6.1

6.1.1 When planning for the FSMS, the organisation shall consider the issues referred to in 4.1 and the requirements referred

to in 4.2 and 4.3 and determine the risks and opportunities that need to be addressed to:

a) Give assurance that the FSMS can achieve its intended result(s);

b) Enhance desirable effects;

c) Prevent, or reduce, undesired effects;

d) Achieve continual improvement.

NOTE: In the context of this document, the concept of risks and opportunities is limited to events and their consequences relating

to the performance and effectiveness of the FSMS. Public authorities are responsible for addressing public health risks. Organisations are required to manage food safety hazards (3.22) and the requirements related to this process are laid down in

clause 8.

6.1.2 The organisation shall plan:

a) Actions to address these risks and opportunities;

b) How to:

1) Integrate and implement the actions into its FSMS processes;

2) Evaluate the effectiveness of these actions.

6.1.3 The actions taken by the organisation to address risks and opportunities shall be proportionate to:

a) The impact on food safety requirements;

b) The conformity of food products and services to customers;

c) Requirements of interested parties in the food chain.

NOTE 1: Actions to address risks and opportunities can include: avoiding risk, taking risk in order to pursue an opportunity,

eliminating the risk source, changing the likelihood or consequences, sharing the risk, or accepting the presence of risk by

informed decision.

NOTE 2: Opportunities can lead to the adoption of new practices (modification of products or processes), using new technology

and other desirable and viable possibilities to address the food safety needs of the organisation or its customers.


clause 6: Planning

24

TD54 (V4)

ISO 22000 requires that the organisation must understand its context and determine risks and opportunities as a basis for planning of the food safety management

system. In essence, the food safety management system is a preventive tool. Risk is defined as the effect of uncertainty. An uncertainty can have positive or

negative effects. The Standard requires that the organisation plans and implements actions that will address risks and opportunities.

In the context of ISO 22000, risks and opportunities are focused on events and their consequences relating to the performance and effectiveness of the food

safety management system. A formal methodology for risk assessment was not provided by ISO 22000. ISO31000 (Risk management – principles & guidelines)

and ISO31010 (Risk management – risk assessment techniques) can be used as guidance.

4.1.1 Why is managing risk important?

When an organisation adopts a risk-based approach, it becomes proactive rather than reactive, preventing or reducing undesired effects and promoting continual improvement. Risk is embedded in

all processes and activities of an organisation. Risk must be understood and mitigated to achieve the objectives of the FSMS.

4.1.2 What should be done?

The Standard requires that an organisation must be able to demonstrate that risk-based thinking was applied:

4.1.3 Risk management process

The risk management process should be an integral part of management that is embedded in the culture and practices of the organisation and tailored to the business processes of the organisation.

In this section, 3 steps of risk management will be discussed, as outlined in the diagram:

Effect of uncertainty OR a deviation from the

expected (positive or negative)

Identify risks and opportunities -depending on the context of the

organisation.

Analyse and prioritise risks and opportunities. What is acceptable and what is not?

Plan actions to address risks. How can risk be avoided, eliminated or

mitigated?

Implement the plan by taking the necessary

actions.

Check the effectiveness of the actions. Does it work? Audit the approach, learn from experience &

improve

25

TD54 (V4)

Establish the context

Risk identification

Risk analysis

Risk evaluation

Risk treatment

Com

munic

ation &

consultation

Monitoring &

revie

w

Risk assessment

1

2

3

2.1

2.2

2.3

26

TD54 (V4)

• Step 1: Establish the context

The organisation must understand both the external and internal context as a basis for the development of the risk assessment. The following steps are required:

Identify the relevant stakeholders that are involved in or impacted by the organisation.

Identify internal and/or external environmental factors that may influence the way in which risk will be managed.

The following considerations may be important:

• Step 2: Risk assessment

Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.

Various models and techniques may be used for risk assessment. The organisation should adapt a model and work with that model. Risk assessment is an iterative (repetitive) process that must

respond to change.

• Step 2.1: Risk identification

The organisation should identify the sources of risk, areas of impacts, events (including changes in circumstances) and their causes and potential consequences. A comprehensive list of risks must

be generated that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives. When an opportunity is not pursued, this may also be a risk! Typical considerations

during risk identification are listed:

What could happen: What might go wrong, or what might prevent the achievement of the relevant objectives? What events or occurrences could threaten the intended outcomes?

How could it happen: Is the risk likely to occur at all or happen again? If so, what could cause the risk event to recur or contribute to it happening again?

Where could it happen: Is the risk likely to occur anywhere? Or is it a risk that is dependent on a location, physical area or activity?

Why might it happen: Which factors would need to be present for the risk to happen or occur again? Understanding why a risk might occur or be repeated is important if the risk must be

managed.

External context

•Social & cultural, political, legal, regulatory, financial, technological, economic,natural & competitive environment (international, national, regional/local),

•Key drivers & trends having an impact on the objectives of the organisation

•Relationships with, perceptions & values of external stakeholders.

Internal context

•Governance, organisational structure, roles & accountabilities,

•Policies, objectives & strategies to achieve these

•Capabilities, understood in terms of resources & knowledge (e.g. capital, time, people, processes,systems & technologies)

•Relationships with & perceptions & values of internal stakeholders and organisational culture

•IT systems, information flows & decision making processes,

•Standards, guidelines & models adopted by the organisation

•Form and extent of contractual relationships

27

TD54 (V4)

What might be the impact: If the risk were to occur, what impact or consequences would, or might this have? Will the impact be felt only in certain areas/departments, or will it impact the

entire organisation? Areas of impact to consider include: human impact, financial consequences, compromises to legal or contract compliance, adverse impact on brand and reputation for

failure to meet or achieve strategic objectives.

Who does or can influence the food safety management system or changes to it? How much is within the organisation’s control or influence? Make sure that those who control,

and influence are at least informed, if not actively involved.

• Step 2.2: Risk analysis

Risk analysis evaluates the likelihood and severity of the consequences of risk. Existing controls should be determined to

mitigate the impact of the current risk. Controls may be strong or weak and can include aspects such as legislation, policies and procedures, staff training, segregation of duties, personal protective

measures and equipment and structural or physical barriers. The effectiveness of controls should further be considered.

The assessment of likelihood and consequence is mostly subjective but can be supported by data or information that is available within the organisation, audits, inspections, personal experience,

corporate knowledge, knowledge of previous events, data generated by surveys and other internal and external information.

Assess the likelihood

An example of a model that can be used for assessing the likelihood of a risk is provided:

Score Description

A Almost certain Highly likely to happen, possibly frequently

B Likely Will probably happen, but not a persistent issue

C Possible May happen occasionally and in foreseeable future

D Unlikely Not expected to happen, but is a possibility

E Rare Very unlikely this will ever happen (only in exceptional circumstances)

Controls do not always require something special.

Often, controls are already present as a natural part of the

management of an issue or area or it can be embedded into

normal management practices.

28

TD54 (V4)

Assess the severity of the consequence

An example of the model that can be used for assessing the consequence is provided:

Score Generic impact

description

Area of impact – description of consequence

Supply chain Human Brand reputation Finance Compliance

5 Extreme

Event or circumstance

with potentially

disastrous impact on

business or significant material adversely

impacted in a key area

• Huge loss in raw material

and/or final products

• Irreparable impact on

relationship with

suppliers and/or cus-

tomers

• Serious harm or death

• Loss of significant number of

people

• Staff/employee industrial

action

• Loss of significant number of

key staff impacting on skills,

knowledge & expertise

• Long-term damage to

reputation

• Sustained negative

media attention

• Brand or image

nationally or

internationally affected

• Recall

• Huge financial loss

• Significant budget

overrun with no capacity

to adjust within existing

budget or resources

• May attract adverse

findings from external

regulators or auditors

• Serious breach of contract

or legislation

• Significant prosecution &

fines likely

• Potential for litigation

including class actions

• Suspension of certificate

4 Major

Critical event or

circumstance that can

be endured with proper management

• Significant loss in raw

material and/or final

products

• Serious long-term

damage to supplier

and/or customer

relationships

• Serious harm and/or recall

• Threat of industrial action

• Loss of some key staff

resulting in skills, knowledge &

expertise deficits

• Sustained damage to

brand, image or

reputation nationally or

internationally

• Adverse national or

local media coverage

• Major financial loss

• Requires significant

adjustment to approved

or funded projects/

programmes

• Major breach of contract,

regulatory or statutory

requirements

• Expected to attract

regulatory attention

• Investigation, prosecution

and/or major fine possible

3 Moderate

Significant event or

circumstance that can

be managed under normal circumstances

• Significant loss or

reduction of raw material

or final product

• Significant but short-term

damage to supplier

and/or customer relation-

ships

• Potential recall

• Severe staff morale issues or

increase in workforce

absenteeism

• Short-term loss of skills,

knowledge & expertise

• Employee dissatisfaction

• Significant but short-

term damage to

reputation

• Stakeholder concerns

• Sustained or prominent

local media coverage

• Significant financial loss

• Impact may be reduced

by reallocating resources

• Significant breach of

contract, regulatory or

statutory requirements

• Potential for regulatory

action or suspension of

certificate

2 Minor

Event with consequences that

can be readily

absorbed but requires

management effort to minimise the impact

Moderate reduction in raw

material and/or final products

• Health implications

• Potential for liability claims

• Some loss of staff members

with tolerable loss

• Dialogue required with

industrial groups

• Some short-term

negative media

coverage

• Concerns raised by

stakeholders

• Some financial loss

• Requires monitoring &

possible corrective action

within existing resources

• Minor non-compliances or

breaches of contract,

regulatory or statutory

requirements

• May result in infringement

notice

1 Insignificant

Some loss, but not

material; existing controls and

procedures should be

able to cope with

event or circumstance

Minor reduction in raw material

and/or final product

• Complaint without minor

health implication

• Negligible skills or knowledge

loss

• Dialogue with industrial

groups may be required

Minor damage to brand,

image or reputation

Unlikely to impact on the

budget

Unlikely to result in adverse

regulatory response or action

29

TD54 (V4)

Rate the risk level

A model (risk matrix) can be developed to combine likelihood and consequence level of risks to determine the significance of the risk.

Consequence

Likelihood

1 2 3 4 5

Insignificant Minor Moderate Major Extreme

A Almost certain (frequent) M M H E E

B Likely (probable) L M H H E

C Possible (occasional) L M M H H

D Unlikely (uncommon) L L M M H

E Rare (remote) L L L L M

• Step 2.3: Risk evaluation

The purpose of risk evaluation is to assist with decision making as to whether a risk should be treated and the priority for the treatment. Whether a risk is acceptable or unacceptable depends on

the risk appetite. The following model can be used:

Risk Action

Extreme Immediate attention & response needed, risk assessment & management plan must be prepared

High Risk to be given appropriate attention & demonstrably managed

Medium Determine whether current controls are adequate or if further action or treatment is needed, monitor and review locally, e.g. through regular business practices or local area

meetings

Low Manage by routine procedures, report to local managers, monitor & review locally as necessary

30

TD54 (V4)

• Step 3: Risk treatment

Risk treatment involves the selection of one or more options for modifying risks and subsequent implementation of the treatment option. Treatment options not applied to the source or root cause

of a risk are likely to be ineffective and promote a false belief within the organisation that the risk is controlled.

It could be decided that specific treatment is necessary or that the risk can be adequately treated with standard management procedures and activities where it is embedded into the daily practices

or processes. It is advisable to modify existing standard practices to ensure control.

A risk may be acceptable or tolerable in the following circumstances:

No treatment is available

Treatment costs are prohibitive (especially relevant to lower ranked risks)

The level of risk is low and does not warrant using resources to treat it

The opportunities involved significantly outweigh the threats.

The organisation must determine what the goal is in treating the risk – whether it is to avoid it completely, reduce the likelihood or

consequence, transfer the risk (to someone else such as an insurer or contractor) or accept the level of risk. The type of risk treatment

chosen will depend on the nature of the risk and the tolerance for that risk.

If the goal is to reduce the likelihood or possibility of the risk, it could require modifying the approach to the activity by identifying

the causes of the threat and the links between the threat and its impact. If it is not possible to change the approach of the project or

activity, it may be possible to take other intervening actions that will mitigate the event from occurring or reduce the likelihood of the threat.

If the goal is to reduce the consequence or impact of the risk, contingency plans might be required to respond to a threatening event if it occurs. This planning may be performed in

combination with other controls, e.g. even if steps have been taken to minimise the likelihood of the risk, it may still be worthwhile to have a plan in place to reduce the consequences if the

event actually occurs.

If the goal is to share the risk, involving another party such as an insurer or contactor may help. Risk can be shared contractually, by agreement and in a variety of ways that meet all

parties’ needs. Sharing the risk does not remove the obligations of the organisation if something unexpected happens.

If the goal is to eliminate or avoid the risk altogether, the options are limited to changing the project, choosing alternative approaches or processes to render the risk irrelevant or

abandoning the activity. It is not often that a risk can be completely eliminated, and balance is an important part of the risk assessment exercise.

If a decision is made to accept or tolerate the risk, thought should be given to contingency planning to deal with and reduce the consequences, should they arise.

Treatment options

Avoid risk by not starting or continuing an

activity

Take or increase risk to pursue an opportunity

Remove the risk source Change the likelihood

Change the consequence

Share the risk, e.g. through insurance,

contracts, financing

Retain the risk by informed decision (accept

the risk)

Actively treat the risk

31

TD54 (V4)

Once the treatment options have been identified, a risk treatment plan must be prepared that should include:

The reasons for selection of treatment options, including expected benefits to be gained

Those who are accountable for approving the plan

Those who are responsible for implementing the plan

Proposed actions

Resource requirements including contingencies

Performance measures and constraints

Reporting and monitoring requirements and

Timing and schedule.

Treatment plans should clearly identify the priority order in which individual risk treatments should be implemented and should be integrated with

the management processes of the organisation. They should be discussed with appropriate stakeholders. Monitoring must be an integral part of the

risk treatment plan to give assurance that the measures remain effective.

Once any options requiring authorisation for resourcing, funding or other actions have been approved, treatments should be implemented by those identified as having the responsibility to do so.

Finally, monitoring and review is part of the risk management process and responsibilities for these should be clearly defined.

4.1.4 Risk-based thinking…in conclusion

• Is not something new

• Is something that is done by organisations already

• Is an ongoing process

• Ensures greater knowledge of risks and improves

preparedness

• Increases the probability of reaching objectives

• Reduces the probability of negative results

• Makes prevention a habit

• Risk-based thinking is not restricted to management

– it must become an integral part of the

organisational culture

The following template can be used for to summarise risks in the business:

Risk description Existing

controls Impact score

Likelihood

score Level of risk

Additional controls

(treatment) required

Responsibility (for

additional controls)

Due date (for additional

controls)

32

TD54 (V4)

4.2 Objectives of the food safety management system and planning to achieve them

ISO 22000:2005 ISO 22000:2018


5.2

Top management

shall ensure that

the food safety

policy is sup-

ported by mea-

surable objec-tives.

6.2

6.2 Objectives of the food safety management system and planning to achieve them

6.2.1 The organisation shall establish objectives for the FSMS at relevant functions and levels.

The objectives of the FSMS shall:

a) Be consistent with the food safety policy;

b) Be measurable (if practicable);

c) Take into account applicable food safety requirements including statutory, regulatory and customer requirements;

d) Be monitored and verified;

e) Be communicated;

f) Be maintained and updated as appropriate.

The organisation shall retain documented information on the objectives for the FSMS.

6.2.2 When planning how to achieve its objectives for the FSMS, the organisation shall determine:

a) What will be done;

b) What resources will be required;

c) Who will be responsible;

d) When it will be completed;

e) How the results will be evaluated.

A food safety management system must be designed within the context of the organisation. The diagram identifies how different aspects fit together:

33

TD54 (V4)

FSMS

Measurable objectives

Food safety policy

Strategic direction of the

organisation

Internal & external issues Needs & expectations of

interested parties Risks & opportunities

34

TD54 (V4)

It is important to ensure that objectives are set in a balanced manner – as required by the Standard, at relevant FUNCTIONS, LEVELS

and PROCESSES. To explain the balanced approach to measurable objectives, information from Drs Kaplan and Norton is provided:

An outline of the balanced scorecard concept is provided:

Financial Customer

Learning & growth Internal Business Processes

Many things are measurable.

That does not make them key

to organisational success “The balanced scorecard retains traditional financial measures. But financial measures tell the story of past events, an adequate story for industrial age companies for which investments in long-term capabilities and customer relationships were not critical for

success. These financial measures are inadequate, however, for guiding and evaluating the journey that information age

companies must make to create future value through investment in customers, suppliers, employees, processes, technology and

innovation.”

Drs Kaplan & Norton

Provide examples of food safety objectives in each category. 4

FINANCIAL

To succeed financially, how should we appear to our shareholders?

CUSTOMER

To achieve our vision, how should we appear

to our customers?

LEARNING & GROWTH

To achieve our vision, how will we sustain our ability to change

& improve?

INTERNAL BUSINESS

PROCESSES

To satisfy our shareholders and customers, what

business processes must we excel at?

35

TD54 (V4)

The following table could be useful to summarise the objectives:

Objective Actions to be taken Resources required Responsibility Due date Evaluation method

1

2

4.3 Planning of changes

ISO 22000:2005 ISO 22000:2018


5.3

Top management shall ensure that

a) planning of the food safety management system is carried out to meet

requirements given in 4.1 as well as the objectives of the organization that

support food safety, and

b) the integrity of the food safety management system is maintained when

changes to the food safety management system are planned and

implemented.

6.3

When the organisation determines the need for changes to the FSMS, including personnel changes, the changes shall be carried out and communicated in a

planned manner. The organisation shall consider:

a) the purpose of the changes and their potential consequences;

b) the continued integrity of the FSMS;

c) the availability of resources to effectively implement the changes;

d) the allocation or re-allocation of responsibilities and authorities.

Change management is addressed in the following clauses:

Clause 6.3: FSMS changes and personnel changes to be performed and communicated in a timely manner.

Clause 7.4.3: Specific changes (a-m), timely communication of changes to the FS team to ensure updating of the system.

Clause 7.5.3: Version control when document changes are made.

Clause 8.1: Control of planned changes to operations and review of the consequences of unintended changes.

Clause 8.5.3: Re-validation when control measures (OPRPs/CCPs) change.

Clause 8.7: Authorisation, documentation and re-validation, before implementation of changes related to monitoring and

measuring equipment.

Clause 9.2: Consideration of changes in the FSMS when reviewing the internal audit programme and vice versa.

Clause 9.3.2: Including changes in external and internal issues and changes in the organisation and its context in management review.

Clause 10.1: Make changes to the FSMS after nonconformity and corrective actions where necessary.

Prior to making a change: consider

unintended consequences After the change: monitor the change to

determine its effectiveness & identify any

additional problems that might be created

36

TD54 (V4)

Changes can cause chaos if they are not carefully planned. The following considerations are required:

Consequences of the change

Likelihood of the consequence

Impact on customers

Impact on interested parties

Impact on food safety objectives

Effectiveness of processes that are part of the FSMS

Forum Frequency Persons responsible for providing information and

participating/attending Topics/changes covered

Which forums can be used in an organisation to ensure that the integrity of the system can be maintained when changes are planned and implemented? 5

37

TD54 (V4)

5.1 Resources

5.1.1 General

ISO 22000:2005 ISO 22000:2018


6.1

The organization shall provide adequate resources

for the establishment, implementation,

maintenance and updating of the food safety

management system.

7.1.1

The organisation shall determine and provide the resources needed for the establishment, implementation, maintenance, update and continual improvement of the FSMS.

The organisation shall consider:

a) The capability of, and any constraints on, existing internal resources;

b) The need for external resources.

5.1.2 People

ISO 22000:2005 ISO 22000:2018


6.2.1

The food safety team and the other personnel carrying out activities having

an impact on food safety shall be competent and shall have appropriate

education, training, skills and experience.

Where the assistance of external experts is required for the development,

implementation, operation or assessment of the food safety management

system, records of agreement or contracts defining the responsibility and authority of external experts shall be available.

7.1.2

The organisation shall ensure that persons necessary to operate and maintain an

effective FSMS (see 7.2).

Where the assistance of external experts is used for the development, implementation,

operation or assessment of the FSMS, evidence of agreement or contracts defining the

competency, responsibility and authority of external experts shall be retained as

documented information.


clause 7: Support

38

TD54 (V4)

5.1.3 Infrastructure

ISO 22000:2005 ISO 22000:2018


6.3

The organization shall provide the

resources for the establishment and

maintenance of the infrastructure needed

to implement the requirements of this

International Standard.

7.1.3

The organisation shall provide the resources for the determination, establishment and maintenance of the infrastructure

necessary to achieve conformity with the requirements of the FSMS.

NOTE: Infrastructure can include:

• Land, vessels, buildings and associated utilities; • Equipment, including hardware and software;

• Transportation;

• Information and communication technology.

5.1.4 Work environment

ISO 22000:2005 ISO 22000:2018


6.4

The organization shall provide the

resources for the establishment,

management and maintenance of

the work environment needed to

implement the requirements of

this International Standard.

7.1.4

The organisation shall determine, provide and maintain the resources for the establishment, management and maintenance of

the work environment necessary to achieve conformity with the requirements of the FSMS.

NOTE: A suitable environment can be a combination of human and physical factors such as:

a) social (e.g. non-discriminatory, calm, non-confrontational);

b) psychological (e.g. stress-reducing, burnout prevention, emotionally protective);

c) physical (e.g. temperature, heat, humidity, light, air flow, hygiene, noise).

These factors can differ substantially depending on the products and services provided.

5.1.5 Externally developed elements of the food safety management system

This is a new requirement (clause 7.1.5):

When an organisation establishes, maintains, updates and continually improves its FSMS by using externally developed elements of a FSMS, including PRPs, the hazard analysis and hazard

control plan (see 8.5.4), the organisation shall ensure that the provided elements are:

a) Developed in conformance with requirements of this document;

b) Applicable to the sites, processes and products of the organisation;

c) Specifically adapted to the processes and products of the organisation by the food safety team;

d) Implemented, maintained and updated as required by this document; and

e) Retained as documented information.

39

TD54 (V4)

5.1.6 Control of externally provided processes, products or services

ISO 22000:2005 ISO 22000:2018


4.1

7.2.3 f

Where an organization chooses to outsource any process that may affect end

product conformity, the organization shall ensure control over such processes.

Control of such outsourced processes shall be identified and documented within

the food safety management system.

The organization shall consider the following when establishing these

programmes:

management of purchased materials (e.g. raw materials, ingredients, chemicals

and packaging), supplies (e.g. water, air, steam and ice), disposals (e.g. waste and sewage) and handling of products (e.g. storage and transportation);

7.1.6

The organisation shall:

a) Establish and apply criteria for the evaluation, selection, monitoring of

performance, and re-evaluation of external providers of processes,

products and/or services; b) Ensure adequate communication of requirements to the external

provider(s);

c) Ensure that externally provided processes, products or services do not

adversely affect the organisation’s ability to consistently meet the

requirements of the FSMS;

d) Retain documented information of these activities and any necessary

actions as a result of the evaluations and re-evaluations.

5.2 Competence

ISO 22000:2005 ISO 22000:2018


6.2.2 &

7.3.2

6.2.2 The organization shall

a) identify the necessary competencies for personnel whose activities have an impact

on food safety,

b) provide training or take other action to ensure personnel have the necessary

competencies, c) ensure that personnel responsible for monitoring, corrections and corrective

actions of the food safety management system are trained,

d) evaluate the implementation and the effectiveness of a), b) and c),

e) ensure that the personnel are aware of the relevance and importance of their

individual activities in contributing to food safety,

f) ensure that the requirement for effective communication (see 5.6) is understood

by all personnel whose activities have an impact on food safety, and

g) maintain appropriate records of training and actions described in b) and c).

7.3.2 A food safety team shall be appointed.

The food safety team shall have a combination of multi-disciplinary knowledge and

experience in developing and implementing the food safety management system. This

includes, but need not be limited to, the organisation’s products, processes, equipment

and food safety hazards within the scope of the food safety management system.

Records shall be maintained that demonstrate that the food safety team has the

required knowledge and experience.

7.2

The organisation shall:

a) Determine the necessary competence of person(s), including external

providers, doing work under its control that affects its food safety

performance and effectiveness of the FSMS;

b) Ensure that these persons, including the food safety team and those

responsible for the operation of the hazard control plan, are competent

on the basis of appropriate education, training and/or experience. c) Ensure that the food safety team has a combination of multi-disciplinary

knowledge and experience in developing and implementing the FSMS,

including, but not limited to the organisation’s products, processes,

equipment and food safety hazards within the scope of the FSMS;

d) Where applicable, take actions to acquire the necessary competence, and

evaluate the effectiveness of the actions taken;

e) Retain appropriate documented information as evidence of competence.

NOTE: Applicable actions can include, for example, the provision of

training to, the mentoring of, or the re-assignment of currently employed persons; or the hiring or contracting of competent persons.

40

TD54 (V4)

5.3 Awareness

ISO 22000:2005 ISO 22000:2018


6.2.2

The organization shall

a) identify the necessary competencies for personnel whose activities have an impact on food safety,

b) provide training or take other action to ensure personnel have the necessary competencies, c) ensure that personnel responsible for monitoring, corrections and corrective actions of the food safety

management system are trained,

d) evaluate the implementation and the effectiveness of a), b) and c),

e) ensure that the personnel are aware of the relevance and importance of their individual activities in

contributing to food safety,

f) ensure that the requirement for effective communication (see 5.6) is understood by all personnel

whose activities have an impact on food safety, and

g) maintain appropriate records of training and actions described in b) and c).

7.3

The organisation shall ensure that all relevant persons

doing work under the organisation’s control shall be

aware of:

a) The food safety policy;

b) The objectives of the FSMS relevant to their

task(s);

c) Their individual contribution to the effectiveness of

the FSMS, including the benefits of improved

food safety performance;

d) The implications of not conforming with the

FSMS requirements.

The organisation should create a food safety culture to ensure that staff is aware of the importance of their individual activities in contributing to food safety. This means that

all staff:

Handle food in such a way that they would consume it themselves

Do the right things even when nobody is watching

Influence others to do the right things

Make no compromises with regards to food safety.

5.4 Communication

The purpose of communication is to ensure that the necessary interactions occur and that staff within the

food chain and inside the organisation have information relevant to their role. There are four important

considerations when it comes to communication, highlighted in the diagram. The introductory section of

this requirement is new (clause 7.4.1):

The organisation shall determine the internal and external communications relevant to the FSMS, including:

a) On what it will communicate;

b) When to communicate; c) With whom to communicate;

d) How to communicate;

e) Who communicates.

The organisation shall ensure that the requirement for effective communication is understood by all persons whose activities have an impact on food safety.

Timeous information Targeted agenda Forums (levels, within functions,

cross-functional)

Method (notice boards, newsletters, intranet, meetings)

41

TD54 (V4)

5.4.1 External communication

ISO 22000:2005 ISO 22000:2018


5.6.1

To ensure that sufficient information on issues concerning food safety is available

throughout the food chain, the organization shall establish, implement and maintain

effective arrangements for communicating with

a) Suppliers and contractors, b) Customers or consumers, in particular in relation to product information

(including instructions regarding intended use, specific storage requirements

and, as appropriate, shelf life), enquiries, contracts or order handling including

amendments, and customer feedback including customer complaints,

c) statutory and regulatory authorities, and

d) other organizations that have an impact on, or will be affected by, the

effectiveness or updating of the food safety management system.

Such communication shall provide information on food safety aspects of the organization's products that may be relevant to other organizations in the food

chain. This applies especially to known food safety hazards that need to be controlled

by other organizations in the food chain. Records of communications shall be

maintained.

Food safety requirements from statutory and regulatory authorities and customers

shall be available.

Designated personnel shall have defined responsibility and authority to

communicate externally any information concerning food safety. Information obtained through external communication shall be included as input to system

updating (see 8.5.2) and management review (see 5.8.2).

7.4.2

The organisation shall ensure that sufficient information is communicated externally

and is available for interested parties of the food chain. The organisation shall

establish, implement and maintain effective communications with:

a) External providers and contractors;

b) Customers and/or consumers, in relation to:

1) Product information related to food safety to enable the handling,

display, storage, preparation, distribution and use of the product within

the food chain or by the consumer;

2) Identified food safety hazards that need to be controlled by other

organisations in the food chain, and/or consumers;

3) Contractual arrangements, enquiries and orders, including their

amendments; 4) Customer and/or consumer feedback, including complaints;

c) Statutory and regulatory authorities;

d) Other organisations that have an impact on, or will be affected by, the

effectiveness or updating of the FSMS.

Designated persons shall have defined responsibility and authority for the external

communication of any information concerning food safety. Where relevant,

information obtained through external communication shall be included as input for

management review (see 9.3) and for updating the FSMS (see 4.4 & 10.2).

Evidence of external communication shall be retained as documented information.

The following table could be useful to summarise external communication:

Stakeholder Information/topics Source/forum/method of communication Frequency of communication Responsibility for communication

42

TD54 (V4)

5.4.2 Internal communication

ISO 22000:2005 ISO 22000:2018

Clause Description Clause

Documents

Module 1 Structure of the new ISO 22000 Standard, · 2020. 3. 30. · ISO 22000 certificate statistics 2772 15505 435 1414 11085 432 North America 9357 7083 4865 639 1.2. Revision