A clear and practical guide for the transition to the ISO 22000:2018 standard
The transition to ISO 22000:2018 may seem complex at first. This isn’t because food safety has suddenly changed, but because the structure, requirements, and assessment methods of the system have evolved. Many organizations know they need to make this transition , but they don’t know where to start or what the actual scope of the changes will be.
I have supported manufacturers, processors, distributors, and catering companies through this transition, helping them identify gaps, modernize their systems, conduct internal audits, and prepare for certification. My teaching is simple: the transition becomes manageable when approached step by step, with clarity and structure.
This guide was designed specifically for this purpose. It accompanies you throughout the transition to the ISO 22000:2018 standard: the changes, the updates, the readiness verification and the certification process with confidence, without unnecessary complexity.
Now that we agree on the objective, let’s start with what actually changed in the 2018 revision.
The ISO 22000:2018 standard was not a mere cosmetic update. It was a structural and conceptual overhaul aimed at aligning food safety management with modern management system principles.
The most significant changes are as follows:
Adoption of the high-level structure (Annex SL)
Increased accountability of leaders
Explicit reflection based on two levels of risk
Improved harmonization between PRPs, OPRPs and CCPs
More flexible but stricter control of documented information
Here is the key element that many organizations missed at the beginning: the review did not require more controls , but a clearer logic .
I’ve seen teams initially approach the transition as a simple document update. Once they understood that leadership, risk, and structure were just as important as hazard analysis, everything became simpler and audits went much more smoothly.
Given this context, the first concrete step is to understand where your system stands today.
A structured transition always begins with a gap analysis. Without this, teams tend to update documents haphazardly, leading to duplicates and overlooked requirements.
At this stage, you are trying to understand:
How does your current Food Safety Management System (FSMS) align with the requirements of ISO 22000:2018?
Whether or not your structure follows Annex SL
How leadership responsibilities are defined and demonstrated
How are risks identified and documented?
The question of whether PRPs, OPRPs and CCPs still make sense within this new logic remains open.
The quality of the control of your documented information
This is not about evaluating performance, but about clarity.
Pro tip: Use concrete evidence to assess compliance. A document alone is not proof if it is not implemented and understood.
A common mistake: jumping straight into rewriting procedures without knowing what actually needs to change.
Once the flaws are visible, the next priority is to repair the structure.
Step 2 – Alignment of your FSMS structure with the SL annex (high-level structure)
The ISO 22000:2018 standard follows the same structure as the ISO 9001 and ISO 14001 standards. This facilitates integration, but only if the structure of your service security management system (SMS) is properly updated.
Structural alignment has effects on:
Your FSMS manual or system overview
Article numbering and references
Document hierarchy
contributions to the management review
internal audit planning
When the structure is in place from the start, everything else becomes easier to manage.
Pro tip: Update your higher-level Food Safety Management System (FSMS) structure before revising individual procedures. This avoids duplication and subsequent confusion.
A common pitfall is keeping the 2005 structure and simply adding the new 2018 requirements. Auditors spot this immediately.
Once the structure is in place, attention turns to leadership and risk management.
Step 3 – Updating leadership, context, and risk-oriented thinking
The ISO 22000:2018 standard imposes a clear responsibility on management. Management is required to actively support, review, and improve the food safety management system (FSMS), and not just approve it.
This step focuses on:
Define leadership roles and responsibilities
Demonstrate your involvement through management reviews
Understanding the internal and external issues
Identify the stakeholders and their expectations
Distinguishing between risks related to the business and hazards to food safety
This distinction is essential. Strategic risks affect the food safety management system (FSMS) as a whole. Operational risks directly affect food safety. Combining them weakens both processes.
Pro tip: Implement two separate risk management processes. One for the organization, the other for food safety. This will make audits much clearer.
A common mistake is reducing risk analysis to the HACCP method alone. The ISO 22000:2018 standard requires more.
Once leadership and risks are clarified, the next step is to tackle the foundations of the system: the PRPs.
Step 4 – Review and update of PRPs for ISO 22000:2018
Strong prerequisite programs form the backbone of ISO 22000:2018. When these programs are outdated or inadequate, hazard classification becomes confusing and audits difficult.
This step involves reviewing and updating the PRPs related to:
Hygiene and sanitation
Allergen control
Infrastructure and planning
Equipment maintenance
Pest control
staff practices
Materials supplier and handling
The PRPs must comply with the applicable guidelines of the ISO/TS 22002 standard and reflect the actual operation of your business today.
Pro tip: Update your PRPs before reassessing your CCPs and OPRPs. Robust PRPs simplify everything downstream.
Common pitfall: reusing old preparation plans without checking if the risks, schemes or processes have changed.
Once the PRPs are well established, risk control can be properly examined.
Step 5 – Reassessment of risk analysis, OPRPs and CCPs
The ISO 22000:2018 standard refines the classification of control measures. The decision tree is clearer, but it often leads to reclassification.
This step involves:
Review of risk identification and assessment criteria
Apply the revised decision tree correctly
Re-evaluation of existing PRPs, OPRPs and CCPs
Update on monitoring, verification and validation activities
The goal is not to reduce controls, but to ensure that each control is justified and effective.
Pro tip: Let yourself be guided by the decision tree, even if the result seems unpleasant at first glance.
A common mistake is maintaining central counterparties unchanged “because they always have been.” Auditors expect a justification consistent with the 2018 rationale.
Once the controls are clarified, the documentation must reflect the updated system.
The ISO 22000:2018 standard replaces “documents and records” with “documented information.” This offers greater flexibility but also strengthens the requirements for control and consistency.
At this stage, you should consider:
Standard procedures and operating methods
Registers and journals
Forms and templates
Version control and approvals
Deleting obsolete documents
Archives de communication
Everything must conform to the updated structure and terminology.
Pro tip: Delete outdated documents immediately. Older versions are among the most common audit findings.
A common pitfall: updating procedures but forgetting to update the forms used in the field.
Once the documentation is harmonized, internal audits become tangible proof.
Internal audits are your best asset during the transition. They allow you to verify the effectiveness of the changes before they are reviewed by certification bodies.
Internal audits focused on the transition should assess:
Leadership involvement and evidence
Documentation on the context and risks
PRP updated
OPRP and CCP reclassified
Consistency of documented information
Evidence of training and competence
Pro tip: Perform at least one readiness audit after major updates are finalized.
Common mistake: using old audit checklists that do not reflect the ISO 22000:2018 standard.
Once the gaps have been filled, the final step is preparing for certification.
Certification bodies are approaching the transitions to the ISO 22000 standard with a strong emphasis on the logic and consistency of the system.
Auditors typically examine closely:
Management’s understanding of the FSMS
A reflection based on risks at both levels
PRP effectiveness
justification for risk control
Results of the internal audit
Effectiveness of corrective measures
The preparation should prioritize clarity, not perfection.
Pro tip: Prepare your managers for interviews. Their trust and understanding are essential.
FAQ – Explaining the transition to the ISO 22000:2018 standard
Do we need to rebuild our entire Facility Security Management System (FSMS) for the transition? No. Most systems require structured updates, not a complete rebuild.
How long does the transition usually take? Generally, from 3 to 6 months, depending on the maturity of the financial services security management system and the level of preparedness of internal audits.
Can ISO 22000:2018 be integrated with other ISO standards? Yes. Annex SL greatly facilitates this integration.
Conclusion – A practical path to compliance with ISO 22000:2018
The transition to ISO 22000:2018 is manageable when approached with clarity and structure. By understanding the changes, assessing gaps, harmonizing the structure, strengthening leadership and risk management processes, updating business continuity plans (BCPs) and hazard control measures, and verifying their readiness through internal audits, organizations can make this transition with confidence.
Drawing on concrete experience of transition, the highest-performing organizations follow a clear roadmap and approach change intentionally, not reactively.
The next step is simple: start with a structured transition plan and proceed step by step. This is how ISO 22000:2018 becomes an improvement, not a constraint.
Melissa Lazaro 
