FSSC 22000 Surveillance Audits: What Happens Between Certifications

FSSC 22000 uses a 3-year certification cycle with annual surveillance audits. What auditors check during surveillance, how it differs from the initial audit, and how to stay certified.

Getting your FSSC 22000 certificate is the milestone, but it is not the finish line. The scheme keeps you in an active relationship with your certification body for the full three years of the cycle — and the surveillance audits in years one and two are where many organisations run into trouble, not because they have stopped caring about food safety, but because they stopped treating those audits with the same rigour they brought to the initial certification.

Here is what the 3-year cycle actually looks like, what auditors are doing during surveillance, and how to stay in good standing from certification decision to recertification.

The 3-Year Cycle Explained

FSSC 22000 operates on a mandatory three-year certification cycle, required under ISO/IEC 17021-1 §9.1.3. Within that cycle, four audits happen in sequence:

Stage 1 → Stage 2 → Surveillance 1 → Surveillance 2 → Recertification

The initial cycle begins at the certification decision date. From that date, the certificate is valid for three years minus one day. Your first surveillance audit must happen within 12 months of the certification decision date — not 12 months from when the Stage 2 took place, and not 12 months from when the certificate was issued. The certification decision date is the clock.

After that, the second surveillance audit must fall within the following calendar year, keeping the roughly annual cadence. If either surveillance audit is not delivered within the required timeframe, the certificate is suspended automatically. There is no grace period for late surveillance audits.

Recertification must happen preferably at least three months before the certificate expiry date, to allow enough time for the certification process to complete. If the certificate lapses before recertification activities are completed, the CB has a six-month window to restore certification — but if that window closes without completion, the organisation must restart with a full Stage 1 and Stage 2.

One thing the scheme makes explicit: you cannot skip a surveillance and replace it with an early recertification. The cycle must be respected in full, including both surveillance audits.

What Surveillance Audits Actually Cover

Here is where a common misconception causes problems. Many organisations assume surveillance audits are lighter-touch affairs — a spot check of the previous year rather than a full system review. Under FSSC 22000 Version 7, that assumption is wrong.

Each surveillance audit is a full system audit. All scheme requirements must be assessed — ISO 22000:2018, the relevant sector-specific PRP standard from the ISO 22002 series, and all FSSC 22000 additional requirements. There is no reduced scope for surveillance.

The audit duration formula, however, reflects a different time allocation. The basic surveillance audit duration is calculated as one-third of the Stage 2 duration (Ds) plus the FSSC additional time (TFSSC). A recertification audit uses two-thirds of Ds. So while the scope is full, the time on site is compressed relative to an initial certification. That compression means auditors work efficiently and sample purposefully — it does not mean anything gets skipped.

The practical implication: every element of your food safety management system must be maintained and current at all times, not refreshed in the months leading up to an audit. Surveillance audits are designed to catch systems that look good on paper but have drifted in practice.

How Surveillance Differs from Stage 2 and Recertification

The purpose of each audit type is distinct, even though the scope is the same.

Stage 2 establishes that the FSMS is implemented and functioning. The auditor is making a first certification decision — verifying that what was documented at Stage 1 has been put into practice.

Surveillance audits verify that the FSMS continues to fulfil scheme requirements and that certification integrity is maintained. The auditor is not starting from scratch. They arrive with context from the previous audit — the findings, the corrective actions, the areas of concern — and they are evaluating whether the system has held together and developed since then.

Recertification is again a full system review at the two-thirds duration level. It re-establishes the certificate for another three-year cycle and takes a broader evaluative view of system performance over the full cycle, not just the period since the last audit.

The key practical difference for surveillance is that the auditor's focus is shaped by what they already know. Previous nonconformities, near-misses flagged as observations, areas where the system was borderline — these will receive attention. A surveillance audit rewards organisations that have genuinely addressed past findings and grown their system. It exposes organisations that managed nonconformity paperwork without fixing the underlying problem.

What Auditors Specifically Look For

The FSSC 22000 CB audit report requirements (Annex 2) are detailed about what must be assessed and documented during every audit, including surveillance. Auditors are evaluating the following with particular attention:

Changes since the last audit. The auditor will ask what has changed — new product lines, new processing equipment, new suppliers, regulatory changes, staff turnover in key food safety roles, facility modifications. Significant changes to the FSMS or scope trigger specific requirements around how those changes were managed. The audit report must document examples of significant changes and the effect on the operational FSMS.

Status of corrective actions from the previous audit. Any nonconformities raised at the previous audit — minor, major, or critical — must have been closed with evidence of root cause analysis, correction, and systemic corrective action. The auditor will review whether the corrective action plan was actually implemented and whether the action was effective. A minor nonconformity that was closed on paper but never truly resolved is likely to be raised as a major nonconformity at surveillance.

Internal audit programme. The auditor reviews the internal audit programme in detail: whether audits are being conducted at risk-appropriate frequency, whether the programme covers all aspects of FSSC 22000 (ISO 22000, PRPs, additional requirements, and applicable Board of Stakeholders decisions), whether internal auditors are competent and impartial, and whether nonconformities from internal audits are being tracked, actioned, and verified. An internal audit programme that exists on paper but is running behind schedule is a serious finding.

Management review. Management review must happen at least annually. The auditor confirms that senior management participated, that all required inputs were addressed (including internal and external risks, significant changes, and food safety objectives), and that the outputs included concrete decisions and resource commitments. Management review is the mechanism through which top management demonstrates ongoing leadership of the FSMS — insufficient or perfunctory review records are a reliable indicator of a struggling system.

System effectiveness. Across every element reviewed — CCPs, OPRPs, PRPs, monitoring records, customer complaints, product nonconformities, recall system performance — the auditor is evaluating whether the system is actually achieving its intended results. Monitoring results, verification activity outcomes, trends in nonconforming products, and mock recall records all feed this assessment.

When Surveillance Becomes a Problem

Nonconformities can be raised at any audit, and surveillance is no exception. The grading and consequences are the same as at any other audit stage.

Minor nonconformity. The organisation must submit objective evidence of correction, a root cause analysis, and a corrective action plan. The CB must review and approve this within 28 calendar days from the last day of the audit. Exceeding this timeframe results in certificate suspension. Corrective actions are then verified at the next scheduled audit. If a minor nonconformity from a previous audit was not genuinely resolved and recurs, it will typically be raised as a major at surveillance.

Major nonconformity. The CB must conduct a follow-up to verify correction and effective implementation within 28 calendar days. If this cannot happen, the certificate is suspended. Where the corrective actions require more time, temporary controls must be evidenced and submitted within 28 days while permanent action continues.

Critical nonconformity. A critical nonconformity at a surveillance audit triggers immediate certificate suspension within three working days of being issued. The organisation has a maximum of six months to resolve the critical finding, demonstrated through a follow-up audit (a full on-site audit of at least one day, conducted six weeks to six months after the surveillance audit). If the critical finding is not effectively resolved within six months, the certificate is withdrawn. A follow-up audit that successfully closes the critical finding restores the certificate and the current cycle continues as planned — the follow-up audit is additional and does not replace an annual surveillance audit.

Certificate withdrawal can also result from an inability to lift suspension within six months, the organisation ceasing FSSC 22000 certification activities, or any situation where the integrity of the certificate or audit process is severely compromised.

The Unannounced Element — Which Year and How It Is Decided

One of the most discussed aspects of FSSC 22000 certification is the mandatory unannounced audit requirement. Under Version 7, the certification body must ensure that at least one surveillance audit is conducted unannounced within each three-year certification cycle. The initial certification audit (Stage 1 and Stage 2) cannot be unannounced.

The CB determines which of the two surveillance audits will be unannounced, taking into account the requirement that at least one unannounced audit occurs in every three-year period and that the calendar year requirement is met. The organisation is not told which year the unannounced audit will fall — that is the point. The site will not be notified in advance of the date, and the audit plan will not be shared until the opening meeting on the day.

There are limited exceptions. Where specific visa or security restrictions apply, contact with the organisation may be needed for visa processing, but even then, only a general time window of approximately 30 days may be shared, not specific dates.

Organisations can agree blackout days with their CB in advance — periods when the audit cannot feasibly take place, such as scheduled shutdowns or major religious observances. Beyond that, the organisation must be ready.

When the auditor arrives, the audit begins within one hour with an inspection of production facilities and premises. All production and service processes in operation at the time must be audited. If no production is running at the time of an unannounced visit, the audit cannot proceed and must be rescheduled.

Refusal to participate in an unannounced audit results in certificate suspension within three working days of the refusal. If the unannounced audit is then not conducted within six months of the suspension date, the certificate is withdrawn.

Once an unannounced audit has been conducted in the initial cycle, the dates appear on the certificate. In subsequent cycles, the certificate is updated with the dates of the most recent unannounced audit.

Organisations that are voluntarily committed to transparency can choose to conduct all their surveillance and recertification audits as unannounced. This is permitted under the scheme and may be viewed favourably by buyers and retail customers.

Continuous Improvement Evidence — What "Improvement" Means to Auditors

"Continual improvement" is a formal FSSC 22000 requirement under ISO 22000 clause 10.2, and auditors look for real evidence of it, not a section header in the management review minutes.

When the auditor reviews improvement at surveillance, they are looking for a coherent story: that the organisation identified gaps, understood why they existed, acted on them, and verified the actions worked. The story must be visible across multiple system elements.

Concrete evidence of continual improvement includes:

• Corrective actions from internal audits that were completed on time, verified effective, and did not recur as external audit findings
• Management review outputs that led to documented changes — to procedures, objectives, resource allocation, or scope — not just a record that a meeting took place
• Monitoring trends that were analysed, identified issues, and triggered responses before they became nonconformities
• Updates to the FSMS — revised HACCP studies, updated PRPs, amended procedures — that reflect operational changes, new risk information, or lessons learned
• Food safety objectives that are SMART, tracked, and showing measurable progress between audit cycles
• Nonconformity data that demonstrates the system is learning: root causes are being addressed systemically, not corrected in isolation, and repeat nonconformities are declining

What auditors do not accept as evidence of improvement: documents that were reviewed and unchanged, management review minutes with no outputs, corrective action records where "retrained staff" is listed as the root cause, or objectives that were set at initial certification and have not been revisited.

The surveillance audit is specifically designed to reveal whether improvement is real or performed. The time compression relative to Stage 2 means auditors apply pressure where the system is most likely to show strain — and a well-maintained system will hold.

Planning Your Audit Cycle Calendar for Three Years

Strategic planning across the full three-year cycle prevents the common pattern of reactive scrambling in the months before each audit. Here is a practical framework.

At certification decision:

Record the exact certification decision date. Calculate the 12-month window for Surveillance Year 1, the 24-month window for Surveillance Year 2, and the certificate expiry date (certification decision date plus three years, minus one day). Set calendar reminders at the 9-month mark before each audit.

For the unannounced audit:

Treat every surveillance audit in years one and two as a potential unannounced visit. That means production areas, personnel hygiene, monitoring records, and CCP control must be audit-ready on any operational day, not just in the weeks surrounding a scheduled audit date. Blackout days should be agreed with your CB at the start of the cycle and kept to a minimum.

Internal audit scheduling:

Your internal audit programme must cover all FSSC 22000 requirements within each calendar year, at risk-appropriate frequency. Build the internal audit schedule into your calendar at the start of each year, with buffer time for follow-up before the external surveillance audit. Internal audits that uncover findings before the external audit give you the opportunity to resolve them proactively — that is the system working correctly.

Management review timing:

Schedule management review at least once per year, far enough in advance of your surveillance audit to allow any resulting FSMS changes to be implemented before the auditor arrives. A management review held two weeks before a surveillance audit is a red flag, not a demonstration of diligence.

Corrective action close-out:

All corrective actions from the previous audit should be closed and verified well before the next surveillance. Build a 90-day close-out target for minor nonconformities and track effectiveness through your internal audit programme.

Pre-surveillance readiness review:

In the month before each surveillance audit, conduct a structured internal readiness review covering: outstanding corrective actions, changes to the FSMS since the last audit, status of all HACCP studies and PRP programmes, current monitoring records and trends, and any regulatory or customer changes that affected the system. This is not about creating last-minute documentation — it is about confirming that your system is functioning as it should be.

The organisations that maintain FSSC 22000 certification without drama are not those with the most resources. They are those who treat the system as a genuine operational tool rather than a compliance exercise, and who keep their management system current year-round rather than cycling through peaks of preparation and valleys of neglect.

Continuous improvement is not an audit requirement to satisfy — it is the mechanism that makes the three-year cycle achievable without crisis.

For support with building and maintaining a surveillance-ready food safety management system, see our Continuous Improvement resource in the Figuro gallery.