Last Updated on October 13, 2025 by Hafsa J.

HACCP Requirements within FSSC 22000 Version 6

Let’s be honest—HACCP has been around for decades, and if you’ve worked in food safety for any length of time, you probably feel like you already know it. But when it comes to FSSC 22000 Version 6, a lot of teams still ask me the same question:

“Do we still need HACCP—or does ISO 22000’s risk-based thinking replace it?”

Short answer? You absolutely need it.
Longer answer? You need to understand how HACCP fits into the bigger ISO-based food safety system—because if you treat it like a standalone checklist, you’ll end up with gaps, audit findings, or worse, a system that looks good on paper but falls apart in practice.

Over the last 10+ years, I’ve helped companies build and fix HACCP plans within ISO and GFSI frameworks, and I can tell you this: the best food safety systems don’t treat HACCP and ISO 22000 as separate ideas—they weave them together.

In this article, we’ll walk through:

• How HACCP fits into the FSSC 22000 structure,

• What’s required in Version 6,

• What auditors expect from your team and documentation, and

• Practical tips to make it work in the real world—not just the audit binder.

So if you’re tired of second-guessing your hazard classifications or wondering whether your HACCP plan is still up to par, you’re in the right place.

Let’s clear it up.

Where HACCP Fits into FSSC 22000 Version 6

Here’s where things can get a little confusing, especially if you’ve been working with HACCP long before FSSC 22000 or ISO 22000 were ever on your radar.

FSSC 22000 Version 6 doesn’t replace HACCP—it expands on it.

Think of it this way:
HACCP is the core method for controlling food safety hazards. ISO 22000 (which FSSC is built on) takes that core and wraps it in a broader Food Safety Management System (FSMS)—complete with leadership, communication, performance evaluation, and risk-based thinking at the organizational level.

HACCP Is Embedded in the Operational Control Layer

In the ISO 22000 framework, you’ll find HACCP principles built right into the section on “Operational Planning and Control.” This is where hazard analysis, control measures (CCPs and OPRPs), monitoring, and corrective actions all live.

So if you’re already doing HACCP well, you’re off to a good start—but you now need to show how it connects to the rest of your system.

I like to think of it as building a house:
HACCP is the kitchen—it has very specific, safety-critical functions.
But the rest of the FSMS is the house around it—walls, plumbing, electrical. You can’t live in just the kitchen, and you certainly can’t ignore it either.

What FSSC 22000 Requires

• A documented hazard analysis that follows Codex principles

• Clear distinction between PRPs, OPRPs, and CCPs

• Evidence that your HACCP team is trained, active, and multidisciplinary

• Procedures for monitoring, verification, and corrective action

• Alignment with broader FSMS policies and risk-based decision-making

Where People Get Stuck

• Treating HACCP like a separate system instead of fully integrating it

• Using outdated Codex logic without adjusting for ISO 22000’s structure

• Confusing CCPs with OPRPs (and making everything “critical” to play it safe)

Auditors will pick up on these disconnects quickly—especially if your documentation says one thing, but your process flow or staff understanding says another.

The 7 Codex HACCP Principles and How They’re Applied in FSSC 22000

Let’s break down the core of it all: the seven principles of HACCP.
If you’re already familiar with them, great. But within the FSSC 22000 Version 6 framework, it’s not enough to just list them. You need to show how they’re applied, documented, and aligned with the rest of your food safety system.

Here’s a quick refresher—plus how each one fits in under FSSC 22000.

1. Conduct a Hazard Analysis

You’re expected to identify potential hazards (biological, chemical, physical, and allergenic) at every step of your process.

What FSSC 22000 adds:
You must also assess likelihood and severity, and determine which hazards are significant—those that require specific control measures like OPRPs or CCPs.

Pro tip: Auditors often ask why a hazard was considered “not significant.” Make sure you document your reasoning.

2. Determine the Critical Control Points (CCPs)

These are the steps where control is essential to prevent or eliminate a food safety hazard—or reduce it to an acceptable level.

What FSSC 22000 expects:
A logical, documented method (often a decision tree) for deciding whether a step is truly a CCP—or if it should be managed as an OPRP instead.

Example: Cooking to a minimum core temperature is often a CCP; metal detection might be an OPRP, depending on risk.

3. Establish Critical Limits

For each CCP, you need defined limits—time, temperature, pH, etc.—that separate safe from unsafe.

Under FSSC 22000:
You also need evidence-based justification for these limits. Don’t just copy regulatory guidance—explain why that limit makes sense for your product and process.

4. Establish Monitoring Procedures

You must define how you’ll monitor each CCP, who’s responsible, and how frequently.

Auditor expectation:
Your monitoring must be timely enough to detect loss of control before unsafe product leaves your facility.

5. Establish Corrective Actions

Have a plan for what to do when monitoring shows a deviation. This includes fixing the immediate issue, controlling affected product, and addressing the root cause.

FSSC 22000 ties this into your corrective action system—it’s not just about fixing the one problem but making sure it doesn’t keep happening.

6. Establish Verification Procedures

You need to regularly verify that your HACCP plan works—this includes internal audits, record reviews, calibration, and sampling.

What matters:
You must document these activities and act on findings. Verification is often overlooked—but it’s where many audit findings come from.

7. Establish Record-Keeping and Documentation

Every step of the HACCP plan needs to be supported with clear, accessible records—flow diagrams, hazard analysis worksheets, monitoring logs, corrective actions, and more.

One company I worked with had a great HACCP plan—but couldn’t find their metal detector verification logs when the auditor asked. That oversight cost them a major nonconformity.

Key HACCP Documentation Required Under FSSC 22000

Let’s be honest—even the most well-designed HACCP plan doesn’t count for much if you can’t back it up with documentation.
And under FSSC 22000 Version 6, that documentation needs to be not just complete, but accurate, organized, and aligned with your actual practices on the floor.

Here’s what you need to have—and what auditors are going to look for.

1. Hazard Analysis Worksheets

This is your core document. It should clearly show:

• Process steps

• Identified hazards (biological, chemical, physical, allergenic)

• Likelihood and severity ratings

• Justification for significance (or non-significance)

• Control measures, and whether they’re handled as CCPs or OPRPs

Tip: If you’re using a spreadsheet, make sure it’s easy to read. I’ve seen some get rejected just because the logic wasn’t clear—even though the content was correct.

2. Process Flow Diagrams (with Verification)

FSSC 22000 requires a validated and verified flow diagram that reflects your actual operations. It should be reviewed on-site by your HACCP team to ensure it’s accurate.

Auditors may walk the floor and compare what’s happening in real time to what’s shown in the flow diagram. If they don’t match—you’ve got a problem.

3. CCP and OPRP Monitoring Records

This includes:

• Daily logs (manual or digital)

• Test results (e.g., metal detection checks, temperature records)

• Operator initials or sign-offs

• Time stamps and traceability links

If something goes wrong, these are the first records you’ll review—and so will your auditor.

4. Critical Limits and Their Justification

Document the scientific or regulatory basis for your limits. If you’re using internal data, include validation records or product testing reports.

5. Corrective Action Logs

Whenever a deviation occurs—whether from a CCP or OPRP—you need a documented record of:

• What went wrong

• What was done to fix it

• What happened to the affected product

• What long-term corrective action was taken to prevent recurrence

6. Verification Records

This includes:

• Internal audits

• Calibration checks

• Management review inputs

• Record reviews and trend analyses

These documents show that you’re not just running the system—but checking to make sure it’s working.

7. HACCP Plan Review and Updates

Under FSSC 22000, your HACCP plan must be reviewed:

• At least annually

• After any product, process, or equipment change

• Following any major nonconformance or food safety event

Keep a log of your reviews—who attended, what was discussed, and what updates were made.

Risk-Based Thinking vs. HACCP: What’s the Difference?

This is a question I hear all the time—especially from teams transitioning from traditional HACCP-based systems into the ISO 22000 or FSSC 22000 structure:

“If we’re already doing HACCP, aren’t we already managing risk?”

Yes… but not in the same way.

Let’s break it down.

HACCP Focuses on Product-Level Hazards

HACCP is all about identifying and controlling food safety hazards in your production process.
It zeroes in on things like:

• Contaminated raw materials

• Allergen cross-contact

• Undercooked product

• Foreign object risks

You conduct a hazard analysis, assign control measures (PRPs, OPRPs, or CCPs), and monitor them to protect the safety of the food.

Risk-Based Thinking Looks at the Bigger Picture

FSSC 22000 (through ISO 22000) expands the lens. Now, you’re not just looking at what can go wrong in the process—you’re also looking at what could threaten the effectiveness of the entire FSMS.

This includes:

• Supplier reliability

• Shifts in regulatory requirements

• Employee turnover

• Equipment breakdowns

• Information security (e.g., mislabeling from software issues)

This isn’t just food safety—it’s organizational risk that could impact food safety performance.

So… How Do They Work Together?

HACCP is a structured tool that sits within the larger FSMS framework.
You still need to follow the 7 principles of HACCP—but now you’re also expected to:

• Identify risks and opportunities at the system level

• Use that information to plan resources, training, and communication

• Continuously improve the FSMS beyond the scope of the product line

Think of HACCP as the operational engine of your food safety controls, while risk-based thinking is your strategic navigation system.

Real-World Example

Let’s say your heat treatment process is a CCP. That’s HACCP.
But what if your only thermal processing technician quits—and no one else is trained to run the line?

That’s not a HACCP hazard—but it’s a risk to your food safety system.
Risk-based thinking helps you identify that vulnerability before it becomes a compliance or safety failure.

HACCP Team Competence and Roles

Let’s be real—your HACCP plan is only as strong as the team behind it.
You can have all the flowcharts, hazard analyses, and checklists in the world… but if your HACCP team doesn’t have the right mix of expertise, training, and clear roles, the entire system is at risk.

FSSC 22000 Version 6 takes this seriously—and so do auditors.

What the Standard Expects

Your HACCP team must be:

• Multidisciplinary: That means people from different departments—QA, production, maintenance, purchasing, etc.—not just one “HACCP person.”

• Trained and Competent: Team members need documented evidence of HACCP training appropriate to their role.

• Involved in the Full Process: From flow diagram verification to hazard analysis to plan review, the team should be actively engaged—not just rubber-stamping documents.

In one audit I supported, the company had a HACCP plan signed off by just the QA manager. The auditor asked for the team’s credentials… and there was no team. Result? Major nonconformity.

Key Roles You Need on the Team

• HACCP Team Leader
  Typically someone from QA or technical leadership, responsible for coordinating the plan, documentation, and training.

• Production Representative
  Knows the real-world process flow and equipment—and can spot practical risks others miss.

• Maintenance or Engineering
  Crucial for understanding equipment hazards, maintenance schedules, and design features.

• Purchasing/Supply Chain
  Can provide insight on raw material risks, supplier controls, and external impacts.

• Senior Management or FSMS Coordinator
  Ensures the HACCP plan is aligned with the broader FSMS and receives leadership support.

What Auditors Look For

• A HACCP team list with names, roles, and departments

• Training records for each member (internal or external HACCP training)

• Evidence that the team participated in creating and reviewing the plan

• Clear meeting notes or review records that show how decisions were made

Common Pitfalls to Avoid

• Assigning the HACCP plan to one person

• Letting the team go stale (same people, no new training, no reviews)

• Failing to update roles when people leave or change jobs

Remember: a strong HACCP team isn’t a checkbox—it’s a backbone. If your people aren’t informed and engaged, your food safety plan becomes just another binder on a shelf.

Auditing and Maintaining Your HACCP Plan

Here’s the thing—building a solid HACCP plan is only the beginning.
Under FSSC 22000 Version 6, that plan needs to be a living, breathing part of your food safety system. It’s not “set it and forget it.” If it’s sitting untouched for years, it’s a liability.

Let’s look at what ongoing maintenance really looks like—and what auditors are checking for.

Internal Audits: Your First Line of Defense

FSSC 22000 requires a structured internal audit program that includes your HACCP plan.
That means:

• Checking that your hazard analysis is still valid

• Confirming that CCPs and OPRPs are functioning as designed

• Verifying that corrective actions are being followed up and closed

• Ensuring documentation reflects what’s actually happening on the floor

Tip: Don’t audit your own area. Use cross-functional internal auditors so they’re more likely to spot issues you might overlook.

When to Review Your HACCP Plan

FSSC 22000 expects your HACCP plan to be reviewed:

• At least once a year

• Any time there’s a significant change, such as:

  • New products or ingredients

  • New equipment or processing steps

  • Regulatory updates

  • Customer complaints or audit findings

  • Changes in supplier risk or delivery

You should also review your plan after a food safety incident—even if it was successfully contained.

Real example: I worked with a frozen meals company that updated their HACCP plan after switching ingredient suppliers. Turns out the new supplier had inconsistent allergen controls—something that would’ve been missed without a proper reassessment.

Documentation You Need to Show

• Internal audit reports and findings related to HACCP

• Records of HACCP plan reviews (who was involved, what was changed, why)

• Evidence that corrective actions are closed, verified, and effective

• Trending data on CCP/OPRP performance (showing ongoing control)

Auditors will ask: “How do you know your HACCP plan still works?”
Make sure your team has a clear, confident answer—and documentation to back it up.

Pro Tips and Insider Insights for a Stronger HACCP System

Over the years, I’ve reviewed HACCP plans from every kind of food business—startups, global manufacturers, co-packers, you name it. And no matter the size or industry, the strongest systems all have a few key things in common.

Here are some of the most valuable tips I’ve shared during audits, training sessions, and one-on-one consulting calls:

Pro Tip #1: Build Your HACCP Plan from Your Verified Process Flow

Start with what’s real. Walk the production line with your team, verify the flow diagram, and then build your hazard analysis directly from it.

If your hazard plan includes steps that don’t exist—or misses actual ones—auditors will notice. So will your team.

Pro Tip #2: Don’t Just Train the Team—Test Them

Classroom HACCP training is great, but practical reinforcement is better. Run scenarios with your staff:
“What would you do if the CCP failed today?”
“What’s our critical limit here?”

This turns knowledge into action—and surfaces any confusion before it becomes a problem.

Pro Tip #3: Reassess Controls After Any Process Change

Even if the change seems minor—a different ingredient supplier, a new piece of equipment, a packaging tweak—it might affect your hazards or controls. Build reassessment into your change management process.

Pro Tip #4: Keep a Change Log for Your HACCP Plan

Every time your HACCP plan is updated, log the date, what changed, why, and who signed off. It shows auditors your system is active, reviewed, and leadership-backed.

Pro Tip #5: Use Internal Audits to Spot Weak Justifications

A common issue in audits? Vague hazard ratings like “low risk” with no explanation. During your internal audits, challenge the team: “Why did we classify this hazard as not significant?”
If the answer isn’t clear, you’ve got an opportunity to improve the logic—and the trust in your system.

Common Mistakes and FAQs About HACCP in FSSC 22000

Even well-established food safety teams can run into trouble with HACCP—especially when trying to align it with the broader FSSC 22000 structure. Here are the most frequent mistakes I see during audits, plus answers to the questions clients ask me over and over.

Common Mistakes to Avoid

Mistake 1: Treating HACCP as a Standalone System
HACCP isn’t separate from your FSMS—it is part of it. When your hazard plan doesn’t align with your quality procedures, training, or management review process, things fall apart fast.

Mistake 2: Calling Everything a CCP
Trying to “play it safe” by assigning CCP status to every control only creates confusion. It overloads your team and weakens focus on the truly critical points. Use your decision tree, and trust your logic.

Mistake 3: Skipping Written Justifications
Auditors don’t just want to see what decisions you made—they want to know why. If you marked a hazard as not significant or classified a control as an OPRP instead of a CCP, be prepared to explain it—clearly and confidently.

Mistake 4: Ignoring Process Changes
A new supplier, ingredient, or piece of equipment? That’s a flag to revisit your HACCP plan. Many nonconformities come from outdated hazard analyses that no longer reflect the real process.

Mistake 5: Weak HACCP Team Engagement
A single person owning the whole plan might feel efficient, but it’s risky. A multidisciplinary team isn’t just a requirement—it brings better insight, stronger decision-making, and shared accountability.

Frequently Asked Questions

Q1: Is HACCP still required under FSSC 22000, or does risk-based thinking replace it?
A: HACCP is absolutely still required. Risk-based thinking expands on it at the management level, but it doesn’t replace product-level hazard controls. You need both.

Q2: How often should we review our HACCP plan?
A: At least once a year, and whenever you make significant changes to products, processes, ingredients, equipment, or supplier relationships. Also after any major incident or nonconformity.

Q3: Can one person run the HACCP program?
A: No. FSSC 22000 requires a multidisciplinary HACCP team with documented roles and training. You can have one leader, but you still need input from operations, maintenance, procurement, and leadership.

Q4: What’s the difference between a PRP, OPRP, and CCP again?
A:

• PRP = general good practice (e.g., sanitation)

• OPRP = targeted control for a significant hazard that’s measurable, but doesn’t need CCP-level response

• CCP = critical control point with a must-not-fail limit for a high-risk hazard

Making HACCP Work Within FSSC 22000 V6

Here’s the bottom line: HACCP hasn’t gone anywhere—it’s evolved.
Under FSSC 22000 Version 6, HACCP is still the foundation for managing food safety hazards. But now it’s woven into a much broader system that expects more from leadership, documentation, and risk thinking.

If you treat HACCP like a standalone plan on a shelf, you’ll fall short. But if you treat it like a core component of a living food safety management system, you’ll not only meet auditor expectations—you’ll build a system that actually works in real operations.

We’ve covered the fundamentals:

• How HACCP fits into the ISO 22000-based structure

• What the seven Codex principles look like in practice

• How to document, maintain, and audit your plan

• The difference between HACCP and broader risk-based thinking

• And what makes a HACCP team strong (and audit-proof)

The next step? Make sure your HACCP plan is aligned, up to date, and fully integrated with the rest of your FSMS.

What You Should Do Next

• Not sure if your HACCP plan is audit-ready?
  Download our Free HACCP Alignment Checklist—designed specifically for FSSC 22000 V6.

• Need help reviewing your hazard analysis or classifying CCPs vs OPRPs?
  Book a 1:1 consultation with our food safety experts. We’ll walk through your plan and help you spot hidden gaps before your auditor does.

• Training a new HACCP team?
  Ask about our team workshops and internal auditor coaching—built to help your staff own their part in the food safety system with confidence.