Here’s what I’ve noticed while supporting organizations shifting from ISO 22000:2005 to ISO 22000:2018: the teams that run focused internal audits during the transition uncover issues early, avoid surprises during certification, and move through the process with far more confidence. Internal audits are the one tool that shows you what’s working, what’s outdated, and what needs strengthening.
My experience has shown that companies often underestimate the transition until an internal audit exposes gaps they didn’t expect—especially around leadership, risk, updated terminology, and hazard classification. That’s why this guide walks you through how to audit effectively during the transition so your FSMS lines up cleanly with the 2018 requirements.
Now that we’ve set the context, let’s walk through what a transition-focused internal audit should actually look like.
Understanding the Role of Internal Audits in an ISO 22000:2018 Transition
During a transition, internal audits act like an early-warning system. They reveal gaps long before customers or certification bodies notice them. The 2018 version brought significant structural and conceptual shifts—Annex SL alignment, risk-based thinking at two levels, new leadership expectations, and refined control-measure decisions. Your internal audit has to reflect all of that.
A few years ago, I worked with a facility that ran a transition audit three months before certification. They discovered gaps in their context analysis, risk documentation, and training records—areas they thought were already covered. Because they caught these early, their certification audit went smoothly.
That’s the purpose of a transition audit: to test your system before someone else does.
Planning the ISO 22000 Transition Audit – What to Include in Your Audit Program
A good transition audit starts with a thoughtful plan. Your audit program should reflect both your current FSMS and the 2018 changes that still need to be integrated.
Key planning elements include:
Clear audit objectives focused on transition readiness
A defined scope that covers 2018-specific clauses
Competence requirements for auditors who understand both versions
Risk-based prioritization of processes, PRPs, and departments
Audit criteria that combine your current documents with new ISO 22000:2018 expectations
Pro Tip: Break your internal audits into phases so you can fix issues progressively instead of discovering everything at once.
Common pitfall: Reusing last year’s audit plan without considering the transition. ISO 22000:2018 requires a different lens.
Now that the plan is set, let’s look at how to audit the new requirements in practice.
Conducting the Audit – Techniques for Evaluating 2018-Specific Requirements
Your audit needs to go beyond basic document checks. ISO 22000:2018 introduced concepts that require deeper questioning and more evidence.
Key areas to evaluate include:
Leadership involvement and accountability
Context of the organization and interested-party analysis
Business-level risks versus operational hazards
Revised PRPs, OPRPs, and CCP logic
Updated documented-information requirements
When interviewing staff, ask questions that reveal understanding—not just memorized procedures. When reviewing records, confirm they reflect the 2018 terminology and logic.
Common pitfall: Focusing the audit on documents only. Food safety is lived on the floor, not just recorded on paper.
Auditing PRPs, OPRPs & CCPs Under the ISO 22000:2018 Hazard-Control Logic
ISO 22000:2018 refined how control measures are categorized. Your internal audit should verify that the new decision-making process has been applied correctly.
Focus on reviewing:
Updated hazard assessment steps
How the decision tree was used
Whether PRPs are still adequate
Whether OPRPs or CCPs were reclassified under 2018 logic
Monitoring and verification methods tied to each measure
Pro Tip: Compare classifications from the old system with the new logic. This reveals over-controlled or under-controlled hazards quickly.
Common findings:
CCPs that don’t meet CCP criteria
OPRPs that aren’t monitored consistently
PRPs that are outdated or incomplete
Now that the hazard logic is evaluated, we shift to documentation.
Reviewing Documented Information – Ensuring the FSMS Reflects 2018 Changes
ISO 22000:2018 replaced “documents and records” with “documented information,” which includes both. Internal audits should check that documentation aligns with this new expectation.
Focus on:
Version control and document approval
Updated clause references
Consistency between SOPs, forms, and monitoring logs
Training evidence for newly updated procedures
Communication pathways required under the new standard
Common pitfall: New procedures created for transition but old forms still used on the floor. This is one of the most frequent audit findings during transition periods.
Once gaps are identified, the next step is turning them into a transition plan.
Internal Audit Reporting – Turning Findings Into a Transition Roadmap
Internal audit results should do more than sit in a report—they should guide your transition strategy.
A good transition audit report includes:
Categorized findings (major, minor, opportunity for improvement)
Clear descriptions of evidence
Impact level related to certification readiness
Recommended corrective actions
Assigned owners and deadlines
Pro Tip: Don’t wait until all audits are completed before starting corrective actions. Progress should begin immediately after each department is audited.
A strong report leads naturally into the final stage: follow-up and verification.
Follow-Up Audits & Verification – Confirming ISO 22000:2018 Readiness
No transition audit is complete without verification. Follow-up audits confirm that corrective actions were implemented effectively and that the system is truly aligned with ISO 22000:2018.
This stage should include:
Rechecking high-risk findings
Validating updated PRPs, OPRPs, and CCPs
Confirming revised training and communication
Ensuring documented information is consistent
Performing a final “readiness audit” before certification
Common pitfall: Assuming corrective actions worked without reviewing evidence. Verification protects you from surprises during your external audit.
FAQs – ISO 22000 Internal Audits During Transition
Do we need to audit both versions during transition?
In the early phases, yes. As your documents shift to the 2018 version, your audit criteria should follow.
Who should conduct the transition internal audit?
Auditors who understand both the 2005 and 2018 versions—and who weren’t involved in rewriting key procedures.
How many internal audits are needed before certification?
Most companies benefit from at least three: a transition audit, a follow-up audit, and a final readiness audit.
Conclusion – Using Internal Audits to Ensure a Smooth ISO 22000:2018 Transition
A well-planned internal audit is one of the strongest tools you have during the ISO 22000:2018 transition. It uncovers gaps early, strengthens documentation, clarifies responsibility, and prepares your team for a smooth certification audit.
From my experience, organizations that use internal audits intentionally during transition move faster, experience fewer findings, and gain more confidence in their FSMS.
Melissa Lavaro is a seasoned ISO consultant and an enthusiastic advocate for quality management standards. With rich experience in conducting audits and providing consultancy services, Melissa specializes in helping organizations implement and adapt to ISO standards. Her passion for quality management is evident in her hands-on approach and deep understanding of the regulatory frameworks. Melissa’s expertise and energetic commitment make her a sought-after consultant, dedicated to elevating organizational compliance and performance through practical, insightful guidance.