Implementing FSSC 22000: A Practical Guide for South African Manufacturers

A practical, phase-by-phase guide to implementing FSSC 22000 in a South African food manufacturing operation. From gap analysis through certification — what to expect and how to plan.

FSSC 22000 is one of the most widely held food safety certifications in the world, and for good reason. It opens doors to supplying major retailers, global brand owners, and export markets that HACCP alone cannot unlock. But the path to certification is not always well understood — particularly in the South African context, where operations often arrive at FSSC from a compliance culture built around SANS 10330, basic HACCP, and retailer audits.

This guide walks through what implementation actually looks like, phase by phase, so you can plan realistically and avoid the mistakes that stall most first-time applicants.

What Makes FSSC 22000 Implementation Different

FSSC 22000 is not a standalone standard. It is a certification scheme built on three integrated layers:

1. ISO 22000:2018 — the Food Safety Management System (FSMS) framework
2. ISO 22002-1:2025 (for food manufacturers, Category C) — the sector-specific Prerequisite Programme requirements
3. FSSC 22000 Additional Requirements — scheme-specific requirements developed by Foundation FSSC and aligned with the 2024 GFSI benchmarking requirements

Version 7.0 of the scheme, published in May 2026, introduced significant updates including a new ISO 22002-x series, updated sustainability and food loss and waste requirements, and strengthened food safety and quality culture requirements. If you are implementing now, you are implementing against Version 7.

What makes this structure powerful — and demanding — is that all three layers carry equal weight at audit. You cannot satisfy ISO 22000 and neglect the Additional Requirements, or build solid PRPs but fail on the FSMS documentation structure. The auditor checks everything.

For South African manufacturers used to prescriptive retailer QA audits, the ISO 22000 framework can feel abstract at first. It is a management system standard, not a checklist. It asks you to demonstrate a functioning Plan-Do-Check-Act cycle across your entire food safety programme. The flexibility is genuine — you determine how to meet the intent — but it requires more thinking than filling in blanks.

Phase 1: Gap Analysis — Assessing Your Current System Against FSSC Requirements

Before any documentation is written or any programme is redesigned, conduct a structured gap analysis against all three layers of the scheme.

A credible gap analysis maps your current documented system and actual practice against:

• Every clause of ISO 22000:2018 (Clauses 4 through 10)
• Every clause of ISO 22002-1:2025 (the relevant PRP standard for food manufacturers)
• Every FSSC 22000 Additional Requirement under Part 2, Section 2.5

Work through clause by clause. For each requirement, assess whether you have documented evidence of implementation, partial implementation, or no implementation. The output is a prioritised gap list with three columns: the gap, the effort to close it, and who owns it.

Common findings in South African manufacturing operations at this stage:

• HACCP exists but is not structured as a hazard analysis within an FSMS (no risk and opportunity assessment, no FSMS policy, no documented food safety objectives)
• PRPs exist as procedures but lack defined monitoring frequencies, verification activities, and corrective action records
• No allergen management plan documented to the level now required (the Additional Requirements are explicit and detailed)
• No food fraud vulnerability assessment or food defense threat assessment — these are not optional
• No food safety and quality culture objective or plan — a common oversight that becomes a major non-conformity

The gap analysis is also where you assess your HACCP study structure. Under FSSC 22000, the number of HACCP studies affects both your documentation requirements and your audit duration calculation.

Phase 2: HACCP Plan Development (or Upgrade from Existing)

If your operation already has a HACCP plan, it almost certainly needs structural work to satisfy the ISO 22000 framework. An ISO 22000-aligned HACCP study is more rigorous in several specific ways.

ISO 22000 distinguishes between two types of control measures:

• PRPs — programmes that control the general hygienic condition of the production environment
• OPRPs (Operational Prerequisite Programmes) — control measures that control a food safety hazard but do not meet the criteria for a CCP
• CCPs — control measures at a critical control point with a measurable critical limit

This three-tier classification is not present in most SANS 10330-based HACCP plans, which typically bifurcate hazards into CCPs and PRPs only. Under ISO 22000, the hazard analysis must determine which tier each control measure falls into, and each must be monitored, verified, and corrected accordingly.

Your HACCP team must be multidisciplinary and documented. The food safety team leader must have demonstrated competence. For Version 7 audits, the CB will assess whether the food safety team's competence requirements are defined and whether training records support those requirements.

Key discipline for HACCP development under FSSC 22000:

• Hazard identification must be exhaustive — biological, chemical, physical, and allergen hazards for each process step
• Every identified hazard must proceed through a risk assessment to determine significance
• Significant hazards must be controlled by PRPs, OPRPs, or CCPs — and the assignment must be documented and defensible
• Critical limits must be based on scientific or regulatory evidence — not on convenience
• Corrective actions must be defined in advance, not determined after the fact

If your operation produces multiple product categories with different process flows, each requires its own HACCP study. Each HACCP study is counted separately in the audit duration calculation.

Phase 3: PRP Implementation — ISO 22002-1:2025 for Food Manufacturers

ISO 22002-1:2025 is the normative PRP standard for food manufacturing operations under Category C (which covers processed ambient, chilled, and frozen products). It is mandatory. Version 7 of FSSC references the 2025 revision of this standard.

The ISO 22002-1 PRPs cover:

• Construction and layout of buildings and associated utilities
• Layout of workspaces, including employee facilities and welfare areas
• Supplies of air, water, energy, and other utilities
• Waste and sewage disposal
• Equipment suitability, cleaning, and maintenance
• Management of purchased materials
• Cross-contamination prevention measures
• Cleaning and disinfecting
• Pest control
• Personnel hygiene
• Rework
• Product recall procedures
• Warehousing
• Product information and consumer awareness
• Food defence, biovigilance, and bioterrorism

For each programme, you need a documented procedure, defined monitoring requirements, records, and a corrective action protocol. A procedure that defines what to do but not how often to check, what records to keep, or what to do when something is out of specification does not meet the standard.

South African manufacturers frequently underestimate this phase. A set of PRP procedures that satisfies a retailer QA audit does not automatically satisfy ISO 22002-1. The standard is technically detailed. Read it clause by clause against each programme you have.

Phase 4: FSSC Additional Requirements — The Layer Most People Underestimate

The FSSC 22000 Additional Requirements are the scheme-specific requirements that sit on top of ISO 22000 and ISO 22002-1. They are listed in Part 2, Section 2.5 of the scheme document, and they are frequently the source of major non-conformities at Stage 2 audits.

The Additional Requirements that require the most preparation for food manufacturers (Category C) are:

Allergen Management (2.5.6)

You must have a documented allergen management plan that includes a site allergen register, a risk assessment covering all sources of cross-contamination, validated and verified control measures, verification testing where multiple products with different allergen profiles share production areas, and annual review. This is not a PRP procedure — it is a specific, documented plan that integrates with your FSMS. Precautionary labelling does not substitute for controls.

Food Defense (2.5.3)

A threat assessment and a food defense plan are required. Version 7 aligns this with ISO 22002-100:2025, clause 16.2. Personnel conducting the threat assessment must have documented competence. The plan must be implemented, supported by the FSMS, and kept current.

Food Fraud Mitigation (2.5.4)

A vulnerability assessment and mitigation plan are required. Again, the personnel must have documented competence, and the plan must be integrated into the FSMS. For South African manufacturers supplying export markets or retail chains with own-brand products, this requirement has direct commercial significance beyond certification.

Food Safety and Quality Culture (2.5.8)

Senior management must establish, implement, and maintain a food safety and quality culture objective supported by a documented plan with targets, timelines, and performance measures. This must feed into management review. An auditor will look for evidence that the culture objective is real — not a paragraph on a wall.

Quality Control (2.5.9)

A quality policy and quality objectives are required. Quality parameters for finished products must be defined, monitored, and reviewed. Internal audits must include quality elements. This extends the scope of your FSMS beyond food safety into quality management.

Environmental Monitoring (2.5.7)

For food manufacturers (Category C), a risk-based environmental monitoring programme for relevant pathogens, spoilage organisms, and indicator organisms is mandatory. This must include trend analysis and trigger-based review.

Food Loss and Waste (2.5.16)

A documented policy and measurable objectives for reducing food loss and waste within the organisation and supply chain are required. This is new in Version 7 and reflects alignment with the UN Sustainable Development Goals.

Equipment Management (2.5.15)

Documented purchase specifications addressing hygienic design must be in place. A risk-based change management process for new and modified equipment is required, with documented commissioning evidence.

Build time for each of these into your implementation plan. Each one requires a procedure or plan, supporting records, and demonstrable implementation — not paper compliance.

Phase 5: Documentation — Building Your Food Safety Management System

FSSC 22000 does not prescribe a particular document structure, but it does require documented information at specific points throughout ISO 22000 and the Additional Requirements. The challenge is building a system that is coherent, controlled, and navigable under audit — not a folder of disconnected procedures.

A functional FSMS document structure for a single-site food manufacturer typically includes:

Level 1: Policy and scope documents

• Food safety policy (required by ISO 22000 Clause 5.2)
• Quality policy (required by Additional Requirement 2.5.9)
• FSMS scope statement
• Food safety and quality culture objective and plan (required by 2.5.8)

Level 2: Procedures

• One procedure per PRP (ISO 22002-1 requirements)
• Allergen management plan (2.5.6)
• Food defense plan (2.5.3)
• Food fraud mitigation plan (2.5.4)
• Environmental monitoring programme (2.5.7)
• Internal audit procedure (ISO 22000 Clause 9.2)
• Corrective action and non-conformance procedure (Clause 10.2)
• Management review procedure (Clause 9.3)
• Emergency preparedness procedure (Clause 8.4.2 and 2.5.17)
• Product recall and withdrawal procedure (Clause 8.9.5)
• Traceability procedure (Clause 8.3)
• Customer communication and complaint procedure (Clause 8.4.2)
• Supplier approval and management procedure (Clause 7.1.6)
• Product design and development procedure (if applicable, 2.5.13)

Level 3: HACCP documentation

• Food safety team member competence records
• Process flow diagrams with verification records
• Hazard analysis worksheets
• OPRP monitoring sheets
• CCP monitoring records and critical limit evidence

Level 4: Operational forms and records

• A monitoring form for every monitoring requirement in every procedure

Document control is a specific requirement under ISO 22000 Clause 7.5. Every document must be identified, approved, version-controlled, and accessible to the people who need it. Outdated versions must be prevented from use. This sounds administrative, but a disorganised or poorly controlled document set will generate non-conformities at audit independent of what the documents say.

Phase 6: Implementation and the 3-Month Operating Requirement

Documentation alone does not satisfy FSSC 22000. The scheme requires that the FSMS is implemented and that records demonstrating operation exist. In practice, certification bodies expect to see evidence of system operation — typically a minimum of three months of records — before Stage 2 audit.

This three-month operating period is not a formality. It is where the system either proves itself or exposes weaknesses.

During this period, your operation must generate:

• Monitoring records for every CCP and OPRP
• PRP monitoring and verification records
• Internal non-conformance records and corrective action evidence
• Traceability exercise records
• Allergen verification records (where required)
• Environmental monitoring data (where required)
• Supplier approval and evaluation records
• Any complaint or incident records with corrective actions

Gaps in records are gaps in implementation. An auditor reviewing three months of records wants to see that monitoring happened every time it was supposed to, that deviations were captured and corrected, and that the system is operating as documented.

This phase also tests competence. Personnel responsible for monitoring CCPs and OPRPs must be trained and must understand not only what to do but why the limit exists and what to do when it is exceeded. The CB will interview workers during the Stage 2 audit — if they cannot describe the monitoring activity or the corrective action response, that is an audit finding regardless of what the records show.

Phase 7: Internal Audit and Management Review Before Stage 1

FSSC 22000 requires a complete internal audit of the FSMS (ISO 22000 Clause 9.2) before initial certification can proceed. This is not a pre-audit walkthrough — it is a formal, documented audit of all scheme requirements conducted by a competent internal auditor.

Internal auditor competence requirements:

The scheme is specific. For single-site operations, your internal auditor must have:

• Demonstrated food industry work experience
• Formal internal auditor training (minimum 16 hours covering audit principles, practices, and techniques)
• FSSC Scheme training covering ISO 22000, the relevant ISO 22002-x standard, and the FSSC Additional Requirements (minimum 8 hours)

The lead auditor for multi-site organisations has additional requirements (a 40-hour FSMS, QMS, or FSSC 22000 Lead Auditor course), but for single-site operations, the 16-hour internal auditor course is the baseline.

What the internal audit must cover:

Every clause of ISO 22000, every requirement of ISO 22002-1, and every FSSC Additional Requirement in scope. The audit must check both documentation and implementation — whether the procedures exist and whether they are being followed.

Non-conformances identified during the internal audit must be documented, root causes established, corrective actions implemented, and effectiveness verified before Stage 1. Do not sanitise the internal audit. An internal audit that finds no non-conformances is implausible and will raise questions from your CB about the rigour of the process.

Management review before Stage 1:

ISO 22000 Clause 9.3 requires management review, and the inputs are specific. Management review must cover the results of monitoring and measurement, internal audit findings, complaints, food safety performance, verification activities, and the status of previous corrective actions, among others. The additional requirement 2.5.9 requires quality control data as an additional input.

The management review minutes must demonstrate that top management reviewed the system, drew conclusions, made decisions, and assigned actions. A two-paragraph summary does not satisfy this requirement.

After the internal audit and management review, you are ready for Stage 1.

Common Implementation Mistakes in South African Operations

Starting with documentation, not understanding

Many operations begin by generating documents before their food safety team has understood the requirements. The result is procedures that satisfy the structure but miss the intent — and fall apart under questioning at audit.

Treating the Additional Requirements as a checklist

The FSSC Additional Requirements are not bolt-on extras. They must be integrated into the FSMS. A food fraud plan filed separately from the FSMS and never linked to supplier management, traceability, or management review is not integrated — and the auditor will notice.

Underestimating the allergen management requirement

The scheme's allergen management requirements under 2.5.6 are detailed and non-negotiable. Many operations arrive at Stage 2 without risk-assessed controls, without verification testing where required, and without annual review records. This is consistently one of the most common major non-conformances in manufacturing operations.

Insufficient competence records

ISO 22000 and the Additional Requirements both require documented competence for the food safety team, internal auditors, and personnel operating CCPs and OPRPs. Attending a training session is not documented competence — you need defined requirements, records of how they were met, and evidence that personnel can demonstrate the required knowledge.

No real management commitment to food safety and quality culture

The culture requirement (2.5.8) asks for evidence of management commitment — not a policy statement and a poster. If top management cannot describe the culture objectives and their role in meeting them, that is an audit finding.

Confusing certification body selection with certification readiness

Engaging a CB before the system is ready results in a failed Stage 1 or a Stage 2 audit with major non-conformances. Prepare first, then engage. Most South African CBs licensed for FSSC 22000 will conduct a pre-audit or readiness review on request — use it.

Misunderstanding the 3-year certification cycle and surveillance obligations

Initial certification is only the beginning. The first surveillance audit must occur within 12 months of the initial certification decision. Each surveillance is a full system audit. At least one surveillance audit in every three-year cycle will be unannounced. Build your ongoing compliance infrastructure before certification, not after.

Timeline: Realistic Planning for Greenfield vs Upgrade

Greenfield implementation (no existing food safety system)

Realistic total: 10–14 months from project start to Stage 2 audit, depending on operation size, complexity, and the pace at which the team can move. The six-month maximum interval between Stage 1 and Stage 2 means you need to arrive at Stage 1 with a strong system, not a half-built one.

Upgrade from existing system (existing HACCP and PRPs in place)

The upgrade timeline depends heavily on gap analysis findings. Common scenarios:

Best case — existing HACCP is ISO-aligned, PRPs are documented and verified, and the main gaps are Additional Requirements and FSMS framework documentation:

• Gap analysis to Stage 1 readiness: 4–6 months

Typical case — HACCP needs structural redesign, PRPs need monitoring upgrade and verification records, most Additional Requirements are missing:

• Gap analysis to Stage 1 readiness: 7–10 months

Complex case — multiple product categories with separate HACCP studies required, allergen management and food fraud programmes to build from scratch, competence gaps in the food safety team:

• Gap analysis to Stage 1 readiness: 10–14 months

In every case, allow three months minimum for the operating period after system implementation before scheduling Stage 1.

Planning Your Implementation

The organisations that reach certification in the shortest time are the ones that start with an honest gap analysis, plan by phase rather than by document, involve the food safety team from day one, and treat implementation as a real system change — not a documentation project.

If your operation is preparing for FSSC 22000 and you want a system built to survive the audit room rather than just reach it, that is exactly what we design for.

See how Figuro delivers flexible FSSC 22000 implementation support