Last Updated on December 10, 2025 by Melissa Lazaro

ISO 22000 Mandatory Procedures List

I’ve spent years helping food-manufacturing companies, distributors, processors, and even small family-run operations get certified to ISO 22000. And here’s what I’ve noticed: most teams struggle not because the standard is complicated, but because they can’t find a simple, accurate list of the mandatory procedures they actually need.

If you’re trying to build or upgrade your Food Safety Management System (FSMS), it’s easy to feel unsure about what must be documented and what can stay informal. This article clears that up. You’ll see every ISO 22000 mandatory procedure in one place, explained in plain English, with practical notes that come from real implementation work—not theory.

By the time you finish reading, you’ll understand:

• Which procedures ISO 22000 requires
• What each procedure needs to cover
• Common mistakes that delay certification
• How to structure your documentation so it actually works on the factory floor

Let’s walk through each procedure with clarity and confidence.

ISO 22000 Document Control Procedure (Mandatory FSMS Documentation Requirements)

In my experience, this is the backbone of a clean, well-run FSMS. Document control isn’t just about filing papers—it ensures everyone uses the latest approved version of a procedure, form, or work instruction.

What this procedure must cover:

• How documents are created, reviewed, and approved
• How revisions are managed
• Where documents are stored
• Who has access to what
• How obsolete versions are removed

Pro Tip: Assign one owner per document. When responsibility becomes shared, approvals get stuck and outdated content slips into production.

Common Mistake: Teams often store documents in too many places—emails, USB drives, old folders. During audits, that leads to mixed versions and nonconformities.
A client once solved three audit findings just by centralizing every FSMS document in a single shared drive. Simple fix, big payoff.

Operational PRPs Procedure (Sanitation, Allergen Control & Environmental Hygiene)

PRPs form the foundation of food safety before you even reach hazard analysis. Think of them as the “preventive housekeeping” rules that keep contamination out of your operations.

Your PRPs procedure should define:

• Cleaning and sanitation methods
• Allergen control principles
• Pest control
• Supplier and raw-material handling
• Waste management
• Personal hygiene rules
• Facility hygiene and layout basics

Pro Tip: Tailor PRPs to specific zones. Production, warehouse, and utilities aren’t exposed to the same risks, so their rules shouldn’t be identical.

Common Mistake: Mixing up PRPs, OPRPs, and CCPs. When everything gets labeled “critical,” the team gets overwhelmed and monitoring becomes unrealistic.

Hazard Analysis Procedure (Food Safety Risk Assessment Requirements)

Hazard analysis is where the FSMS becomes site-specific. You’re identifying what can go wrong—biological, chemical, allergenic, and physical hazards—and deciding how serious and likely each hazard is.

What this procedure needs to include:

• How hazards are identified
• How severity and probability are scored
• How risk levels are determined
• How control measures are selected
• How updates are made after process changes

Pro Tip: Stick to one scoring matrix for the entire business. It keeps your analysis objective and consistent.

Common Mistake: Updating hazard analysis only once a year. Real risk changes happen after new equipment, ingredient changes, complaints, or process adjustments.

CCP & OPRP Determination Procedure (Critical Control Decisions)

After analyzing hazards, your next step is determining which ones require CCPs or OPRPs. This is where decision trees and scientific reasoning come in.

Your determination procedure should explain:

• How decision trees are applied
• How CCPs differ from OPRPs
• How control measures are validated
• How critical limits are established
• How decisions are documented

Pro Tip: Attach decision-tree evidence directly to your HACCP plan. Auditors always appreciate clear rationale.

Common Mistake: Overusing CCPs. It adds unnecessary workload and creates avoidable audit pressure.

Monitoring Procedure (CCPs, OPRPs & PRPs Monitoring Requirements)

Monitoring is where food safety moves from theory to daily execution. This procedure defines how your team checks that controls are working.

What to include:

• Who performs monitoring
• Frequency and timing
• Tools and instruments
• Acceptance limits
• How records are completed
• What happens if limits aren’t met

Pro Tip: Keep monitoring sheets simple. During busy shifts, operators don’t have time for long forms.

Common Mistake: Setting monitoring requirements without defining acceptance criteria. Without limits, monitoring becomes guesswork.

Corrective Action Procedure (Deviations & Nonconformity Management)

Corrective actions protect you when something has gone wrong—temperature deviations, failed sieve checks, sanitation issues, and more.

Your procedure must include:

• How deviations are detected
• Immediate containment steps
• Product disposition rules
• Root-cause investigation
• Follow-up verification

Pro Tip: Use simple root-cause tools. A clean 5 Whys often reveals more than a complex report.

Common Mistake: Jumping straight to fixes instead of understanding what caused the deviation.

Verification & Validation Procedures (Ensuring FSMS Effectiveness)

Verification and validation show that your Food Safety Management System isn’t just written—it actually works.

Verification methods include:

• Internal audits
• Sampling and testing
• Trend reviews
• Supplier evaluations

Validation includes:

• Scientific justification
• Evidence that control measures work
• Equipment capability checks

Pro Tip: Keep trend charts. They turn your data into meaningful insights, which auditors love.

Common Mistake: Treating internal audits as a once-a-year task. Problems grow when audits don’t happen regularly.

Emergency Preparedness & Response Procedure (Crisis & Recall Management)

Every facility needs a clear plan for emergencies—product contamination, equipment failures, power outages, and recall situations.

Your emergency procedure must include:

• Emergency types
• Roles and responsibilities
• Communication steps
• How to isolate and trace affected products
• Recall testing
• Recovery and follow-up actions

Pro Tip: Perform a mock recall at least once a year. It reveals communication gaps you’d never see in a meeting room.

Common Mistake: Forgetting external stakeholders—customers, regulators, suppliers—when writing emergency communication plans.

FAQs

Is there a fixed list of mandatory ISO 22000 procedures?

Yes. ISO 22000 requires several documented procedures because they support the core elements of hazard analysis, control measures, monitoring, corrective actions, verification, and emergency preparedness.

Do small businesses need all the same procedures?

They do. The level of detail scales with business size, but the procedures themselves remain mandatory.

What’s the difference between PRPs, OPRPs, and CCPs?

PRPs handle general hygiene.
OPRPs address significant hazards with specific controls.
CCPs manage hazards where failure would make food unsafe.

Conclusion 

The mandatory ISO 22000 procedures above form the backbone of a reliable and audit-ready Food Safety Management System. When these procedures are clear, consistent, and grounded in real practice, certification becomes far less stressful.

After helping many companies pass ISO 22000 audits, I’ve seen how strong documentation shortens timelines, improves team confidence, and prevents recurring problems.

If you’d like, I can prepare a complete ISO 22000 Mandatory Procedures Template Pack or help refine your existing procedures to meet certification requirements faster.