Top ISO 22000 Audit Non‑Conformities


Last Updated on December 12, 2025 by Melissa Lazaro

Why ISO 22000 Non-Conformities Keep Showing Up in Audits

Whenever I help a company prepare for an ISO 22000 audit, I hear the same concerns: “What will the auditor focus on?” and “Where do most organizations fail?” After supporting plants, processors, and distributors across different food sectors, a pattern has become impossible to ignore—most non-conformities come from the same small set of weaknesses.

This article walks through the top ISO 22000 audit non-conformities I see year after year. You’ll understand why they happen, what root causes sit behind them, and—most importantly—how to prevent them. I’ll also bring in a few experiences from real audits because they show the difference between theory and what actually happens on the production floor.

Now that we’ve set the context, let’s unpack the biggest problem areas one by one.

Weak PRP Implementation: GMP, Hygiene, and Facility Controls

Here’s something I’ve noticed repeatedly: when PRPs are weak, everything else in the FSMS starts falling apart. PRPs are your base layer—your hygiene, cleaning, maintenance, allergen controls, and facility practices. When they aren’t implemented consistently, auditors see it immediately.

Typical findings include:

  • Missing or outdated sanitation records
  • Unlabeled cleaning chemicals
  • Allergen controls not followed in practice
  • Pest-control devices not monitored
  • Dirty or poorly maintained equipment
  • Inconsistent personal hygiene practices

One facility I supported had beautiful procedures, but their sanitation logs had a two-week gap. The auditor didn’t even need to look deeper—the message was clear: the system wasn’t operating as documented.

Root causes often include unclear responsibilities, rushed shifts, lack of supervision, or training that’s too theoretical.

Prevention tips:

  • Do a weekly PRP walkaround.
  • Keep simple, visible checklists at each area.
  • Train supervisors to reinforce hygiene practices daily.

This is the most common area for NCs because it reflects the everyday discipline of your food-safety culture.

CCP/OPRP Monitoring Gaps and Incorrect HACCP Application

If there’s one area where auditors become very serious, it’s CCPs and OPRPs. These controls protect consumers directly. When monitoring isn’t done properly, the auditor flags it instantly.

Common NCs include:

  • Missing CCP logs
  • Incorrect critical limits
  • Operators unsure how to monitor
  • No clear corrective actions
  • CCP validation outdated or missing
  • HACCP decisions not logically justified

I remember a ready-meal manufacturer whose metal-detection CCP had perfect written procedures—but the operator had no idea why the critical limits mattered. The auditor immediately raised a non-conformity, not because of the operator, but because the training system wasn’t effective.

Root causes: outdated HACCP studies, lack of refresher training, or not verifying monitoring practices regularly.

Prevention:

  • Run short operator refreshers every month.
  • Validate CCPs annually.
  • Verify monitoring records weekly, not just before audits.

When CCPs don’t align with daily operations, auditors see a system that isn’t protecting consumers.

Document Control and Record-Keeping Failures

This is where many organizations underestimate the severity of small mistakes. Auditors look for consistency and control. When documents or records feel chaotic, credibility drops immediately.

Common findings:

  • Multiple versions of the same procedure
  • Old instructions still in circulation
  • Records missing signatures or timestamps
  • Incomplete entries
  • Files saved in random folders with unclear ownership

One processor I worked with passed every operational check, but the auditor found three conflicting versions of their allergen-control procedure. That one issue triggered a deeper review that consumed half the audit day.

Root causes: lack of ownership, unclear version control rules, or relying on paper records without a tracking system.

Simple prevention steps:

  • Maintain a central FSMS index.
  • Use clear naming conventions.
  • Train staff to discard old copies immediately.

Document control issues may seem minor, but they signal deeper instability in the FSMS.

Incomplete or Ineffective Internal Audits and Management Reviews

In my experience, internal audits are often treated like a checkbox rather than a real evaluation. Auditors notice this instantly. They expect depth, objectivity, and evidence that issues were taken seriously.

Typical non-conformities:

  • Internal audits that skip high-risk processes
  • Findings without root-cause analysis
  • No follow-up on corrective actions
  • Management reviews that ignore data and trends
  • Minutes that lack decisions or assigned actions

I once reviewed a client’s internal audit report where every clause was marked “OK.” When I asked how they verified it, they admitted they didn’t test any CCP monitoring records. The auditor quickly caught the same thing.

Root causes: lack of competence, poor planning, or leadership focusing only on certification rather than improvement.

Prevention:

  • Train internal auditors properly.
  • Use evidence-based checklists.
  • Make management review a real discussion—KPIs, incidents, complaints, resources.

Strong internal audits prevent NCs better than anything else.

Traceability and Recall Weaknesses

Traceability tends to expose weaknesses that organizations overlook—especially packaging traceability, subcontracted steps, or rework loops. Auditors don’t just check documentation; they want to see speed and accuracy.

Common NCs:

  • Incomplete forward/backward traceability
  • Missing supplier lot numbers
  • Packaging not linked to final products
  • Recall simulation not completed or ineffective
  • No documented evaluation of recall success

I supported a company that tried a mock recall during the audit and discovered they couldn’t trace a raw-material batch beyond a distributor. It turned into a major NC.

Root causes: fragmented documentation, untrained personnel, or systems that rely on tribal knowledge instead of structured procedures.

Prevention:

  • Run quarterly traceability tests.
  • Practice one recall simulation per year.
  • Keep packaging traceability tight—it’s often forgotten.

Traceability issues are high-risk because they impact consumer safety and regulatory compliance.

Nonconformity, CAPA & Continual Improvement Failures

Auditors don’t just look for nonconformities—they look at how you respond to them. Weak CAPA processes show that the organization is reactive instead of proactive.

Common NCs:

  • Root-cause analysis too shallow (“human error”)
  • Corrective actions implemented without verification
  • Repeated issues across departments
  • No tracking or trending of incidents
  • CAPAs closed prematurely

I remember a client who had repeated foreign-body complaints. Their CAPA form said “remind staff to check equipment.” The auditor immediately raised a major NC because the organization hadn’t addressed the real source of the problem.

Root causes: rushing CAPA closure, lack of RCA skills, unclear accountability.

Prevention approaches:

  • Use simple RCA tools (5 Whys, fishbone diagrams).
  • Verify actions over several weeks.
  • Track recurring issues visually.

Effective CAPA is proof of an engaged and mature FSMS.

Legal & Regulatory Compliance Gaps

This area causes more NCs than people expect. Auditors want to see that you actively monitor food-safety regulations and apply them correctly.

Common NCs:

  • Outdated permits
  • Incorrect allergen labeling
  • Missing supplier regulatory documents
  • No evidence of monitoring regulatory updates
  • Product specs not aligned with legal requirements

One company had updated product labels six months before the audit but didn’t include the revised allergen declaration rule. The auditor flagged it immediately.

Root causes: unclear ownership, limited regulatory knowledge, or no compliance register.

Prevention:

  • Maintain a simple regulatory tracking log.
  • Assign one person to monitor updates.
  • Review compliance quarterly.

Regulatory NCs can become major issues because they extend beyond ISO compliance.

FAQs

What’s the most common ISO 22000 non-conformity?

PRP failures—especially hygiene and sanitation—are the most frequently reported across all industries.

Are CCP non-conformities considered major?

Yes. Anything involving CCP/OPRP failures is typically escalated to major because it directly impacts food safety.

Why do minor NCs matter?

If the same minor NC appears year after year, auditors will treat it as ineffective CAPA and escalate it.

Conclusion: How to Stay Ahead of ISO 22000 Non-Conformities

Most non-conformities come from the same underlying issues: weak PRPs, inconsistent HACCP application, poor documentation control, ineffective internal audits, traceability gaps, and inadequate CAPA. The good news is that each of these areas can be strengthened with practical daily habits, clearer responsibilities, and periodic reviews.

If you build a rhythm around these checks, you don’t just reduce NCs—you build a safer, more reliable, and more confident food-safety system. And if you want, I can turn this into a Non-Conformity Prevention Checklist, a CAPA training module, or a full audit-readiness toolkit for QSE Academy.
