Iso 22

ISO 22000:2018 Food Safety
Management Systems (FSMS)

Implementation Training Course
Learner Guide
ISO 22000:2018 FSMS ITC

LG 07-11-2018
ADMINISTRATION
CONTENTS PAGE
ISO 22000:2018 Food Safety Management Systems (FSMS) Implementation Training
Course .................................................................................................................................. 1
Course Administration ........................................................................................................... 3
Session One ....................................................................................................................... 13
ISO 22000:2018: Overview and Detail ................................................................................ 13
Session Two ....................................................................................................................... 71
Project Management Principles and their Application .......................................................... 71
Session Three ..................................................................................................................... 89
Project Steps involved in ISO 22000:2018 Implementation ................................................. 89
Session Four ..................................................................................................................... 103
Designing the Documented FSMS .................................................................................... 103
Session Five ..................................................................................................................... 111
Implementing New Procedures and Processes ................................................................. 111
Session Six ....................................................................................................................... 119
Reviewing and Assessing Implementation Progress ......................................................... 119
Session Seven .................................................................................................................. 131
The Certification Process and Preparing for it ................................................................... 131
Appendices ....................................................................................................................... 141
Page |2

LG 07-11-2018
ADMINISTRATION
Course Administration
Page |3

LG 07-11-2018
ADMINISTRATION
FOREWORD
The course is owned by SGS United Kingdom Ltd. and is provided internationally as SGS
Certification and Business Enhancement. The SGS policy and objectives with respect to
the course are given below.
Page |4

LG 07-11-2018
ADMINISTRATION
POLICY STATEMENT AND OBJECTIVES

The objective of this course is to provide learners with the knowledge and skills required
to better understand the requirements of ISO 22000:2018, and assist learners tasked with
implementing ISO 22000:2018 into their own organisations.
COURSE CRITERIA – OBJECTIVES
Upon completion of this course, learners will be able to:
 know and understand the requirements of the latest version of ISO 22000:2018;
 plan how to implement ISO 22000:2018 into any organisation.
Learners will need to demonstrate acceptable performance in these areas to complete

the course successfully.
PRIOR KNOWLEDGE
There is no required prior knowledge for this standard however some knowledge of
FSMS or QMS standard, food safety concepts and HACCP principles would be very
useful for the learners.
Page |5

LG 07-11-2018
ADMINISTRATION
COURSE BRIEF
1. LEARNER INTRODUCTIONS
At the start of the course, learners will be asked to introduce themselves. This
introduction should include information on the individual’s job function, organisation,
the organisation’s product or service, the organisation’s certification details, the
individual’s knowledge and understanding of the management systems standards
and their expectations upon completing the course.
2. PARTICIPATIVE LEARNING
This course is presented using techniques that have been designed to make
training an enjoyable as well as a beneficial experience. The approach is based on
scientific evidence as to how the human brain works and how people learn. A better
understanding of the standard is guaranteed.
3. SUCCESS CRITERIA
Learners will be graded based on full attendance of the course.
4. CONTINUOUS ASSESSMENT
Not applicable for this course.
5. LEARNING OBJECTIVES
Learning objectives describe in outline what learners will know and be able to do by
the end of the course.
Upon completion of this course, learners will be able to:
 know and understand the requirements of the latest version of ISO

22000:2018;
 plan how to implement ISO 22000:2018 into any organisation.
Page |6

LG 07-11-2018
ADMINISTRATION
6. EXAMINATION
The is no examination as part of this course.
7. COURSE CERTIFICATION
Learners who attend the full course will be issued with a “Certificate of Attendance”
and will receive their certificates within eight weeks of course completion.
8. REMINDER
The use of mobile phones, iPads, iPhones, Tablets, pagers etc. during the course is
not permitted.
9. CONTINUOUS IMPROVEMENT
Learners are given a Course Evaluation Form at the start of the course for
completion and submission at the end of the course. This provides SGS CBE with
important customer feedback for the continuous improvement of the course.
10. APPEALS AND COMPLAINTS
Learners may appeal or make a complaint about any aspect of the course. Appeals
and complaints should be addressed, in writing, to the local SGS Affiliate Office.
Page |7

LG 07-11-2018
ADMINISTRATION
COURSE TIMETABLE
DAY 1
08.45 Course Registration
09.00 Course Introduction

Objectives, activities, team-work, administration, learner introductions
09.30-10.45 Session 1 ISO 22000:2018 Principles and Detail

 ISO 22000 and the process approach
 Risk-based thinking
 FSMS principles
 The structure of ISO 22000:2018
 Scope and application of ISO 22000:2018
 Clause 4: Context of the organisation
 Clause 5: Leadership
 Clause 6: Planning
 Clause 7: Support
 Clause 8: Operation
 Clause 9: Performance evaluation
 Clause 10: Improvement
10.45-11.00 Break
11.00-12.00 Session 1 ISO 22000:2018 Principles and Detail, continued
12.00-12.30 Activity 1 Audit Evidence related to ISO 22000:2018 Clauses

12.30-13.00 Feedback
13.00-13.45 Lunch
13.45-14.30 Session 2 Project Management Principles and their

Application
 Project management
 Project stages
 Project planning
 Project control
 Project organisation
 Planning
 Estimating
 Cost estimating
Page |8

LG 07-11-2018
ADMINISTRATION
DAY 1, CONTINUED
14.30-15.15 Activity 2 Project Responsibilities for Involved Staff
15.15-15.30 Break
15.30-16.30 Activity 2 Feedback
16.30-17.00 Review of Day 1
17.00 END OF DAY 1
There will be a break of 15 minutes mid-morning and mid-afternoon.
Page |9

LG 07-11-2018
ADMINISTRATION
DAY 2
09.00-09.30 Recapitulation
09.30-10.15 Activity 3 Planning Key Implementation Project Activities

11.00-11.15 Break
11.15-12.45 Session 3 Project Steps involved in ISO 22000:2018

Implementation
 Project implementation steps
 FSMS risks
 Food safety legislation
 Significant risks
 Risk and legislation registers
 Gap analysis
 Gap analysis results
 Food safety issue responsibilities
 Steering group
 FSMS manual
 Procedures and work instructions
 Implementation and monitoring
 Internal audit programme
 Certifying body
 Management review
 Final assessment
12.45-13.30 Lunch
13.30-14.15 Session 4 FSMS Design

 Status evaluation
 System design changes
 Implementation
 Internal audits
 Project close-out
14.15-15.15 Activity 4 FSMS Documentation and Gap Analysis
15.15-15.30 Break
15.30-16.15 Activity 4 FSMS Documentation and Gap Analysis,

continued
P a g e | 10

LG 07-11-2018
ADMINISTRATION
DAY 2, CONTINUED
16.45-17.30 Session 5 Implementing New Procedures and Processes

 Importance of people
 Initiative
 Motivation and commitment
 Change management
17.30-18.00 Review of Day 2
18.00 END OF DAY 2
P a g e | 11

LG 07-11-2018
ADMINISTRATION
DAY 3
09.00-09.30 Recapitulation
09.30-10.00 Activity 5 Who should Write New Procedures and any Risk
Assessments
10.30-11.00 Session 6 Reviewing and Assessing Implementation

Progress
 Project process reviews
 Phase 1 and 2 activities
 Typical deliverables
 Internal audit schedule
11.00-11.15 Break
11.15-12.00 Activity 6 Resources Responsible for Deliverables

12.45-13.15 Activity 7 Developing an Internal Audit Schedule
13.15-14.00 Lunch
14.30-15.00 Session 7 The Certification Process and Preparing for this

 Stage 2 site certification audit
 Audit stages
 Outcomes of an audit
 Certification cost
 Key activities prior to a certification audit
15.00-15.30 Activity 8 Developing a Management Review Agenda
15.30-15.45 Break
16.15-17.00 Activity 9 Individual Action Plan

17.30-18.00 Course Review
18.00 END OF COURSE

P a g e | 12

LG 07-11-2018
SESSION ONE
Session One
ISO 22000:2018:
Overview and Detail
P a g e | 13

LG 07-11-2018
SESSION ONE
ISO 22000:2018 OVERVIEW AND DETAIL

OBJECTIVES
When you have completed this session, you will be able to:
 understand the development and benefits of ISO 22000:2018;
 understand the requirements of ISO 22000:2018, Clauses 4 to 10.
KEY POINTS
 ISO 22000 and the process approach.
 Risk-based thinking.
 FSMS principles.
 The structure of ISO 22000:2018.
 Scope and application of ISO 22000:2018.
 Clause 4: Context of the organisation.
 Clause 5: Leadership.
 Clause 6: Planning.
 Clause 7: Support.
 Clause 8: Operation.
 Clause 9: Performance evaluation.
 Clause 10: Improvement.
P a g e | 14

LG 07-11-2018
SESSION ONE
ISO 22000:2018 OVERVIEW AND DETAIL

1. INTRODUCTION
This course identifies the specific requirements for a FSMS based on ISO
22000:2018 as distinct from the general management system requirements set out
in the ISO organisation’s Annex SL developed as a template for management
system standards.
2. COMPATIBILITY WITH OTHER MANAGEMENT SYSTEM STANDARDS
ISO 22000:2018 has adopted the “high-level structure” of Annex SL (i.e. clause
sequence, common text and common terminology) developed by ISO to improve
alignment among its international standards for management systems. These are:
 understanding the context of the organisation, its FSMS and processes

(Clause 4);
 leadership, policy and responsibilities (Clause 5);
 processes for planning and consideration of risks, threats and opportunities

(Clause 6);
 processes for support activities, such as resources, people and

documentation (Clause 7);
 operational planning and control including HACCP and emergency

preparedness (Clause 8);
 processes for performance evaluation (Clause 9);
 processes for improvement (Clause 10).
The standard does not require organisations to follow an identical clause-by-clause

sequence when defining their documented FSMS, but are encouraged to use the
process approach, referenced specifically in Clause 0.4 of the standard.
ISO 22000;2018 enables an organisation to use the process approach, coupled

with the PDCA (Plan-Do-Check-Act) methodology and risk-based thinking to align
or integrate its FSMS with the requirements of other management system
standards.
P a g e | 15

LG 07-11-2018
SESSION ONE
3. INTRODUCTION TO ISO 22000:2018
ISO 22000:2018 points out that the adoption by organisations of a FSMS is

“intended to enable an organization to provide:
 safe food;
 meet all regulatory food safety requirements; and
 continually improve its FSMS performance”.
The purpose of an FSMS is “to provide a framework for managing food safety risks.
The intended outcomes of the FSMS are to prevent contamination or sub-standard
food causing injury and ill health to consumers; consequently, it is critically
important for the organisation to eliminate hazards and minimize FSMS risks by
taking effective preventive and protective measures.”
ISO 22000:2018 reiterates that this approach is founded on the Plan-Do-Check-Act

model of continual improvement which can be applied to all processes and to FSMS
as a whole. Appendix 1 shows the diagram from ISO 22000:2018:2018 that
illustrates how Clauses 4 to 10 can be grouped in relation to the PDCA cycle.
The PDCA cycle enables an organisation to ensure that its processes are
adequately resourced and managed and those opportunities for improvement are
identified and acted on.
3.1 PROCESS APPROACH
As with all current management system standards, ISO 22000:2018 promotes

the adoption of a process approach. The standard points out that
understanding and managing interrelated processes as a system contributes
to the organisation's effectiveness and efficiency in achieving its intended
results.
The approach enables the organisation to control the interrelationships and

interdependencies among the processes of the system, so that the overall
performance of the organisation can be enhanced.
Management of the processes and the system as a whole can be achieved

using the PDCA cycle with an overall focus on risk‐based thinking aimed at
taking advantage of opportunities and preventing undesirable results.
P a g e | 16

LG 07-11-2018
SESSION ONE
3.1 PROCESS APPROACH, CONTINUED
The application of the process approach in a FSMS enables:
a) understanding and consistency in meeting requirements;
b) the consideration of processes in terms of risk;
c) the achievement of effective process performance;
d) improvement of processes based on evaluation of data and information.
Appendix 1 shows a schematic representation of any process and shows the

interaction of its elements. The monitoring and measuring checkpoints, which
are necessary for control, are specific to each process and will vary
depending on the related risks.
This is where the HACCP (Hazard and Critical Control Points) concept fits
perfectly with food safety process control. Specific activities (processes) or
process to process interfaces are where risks to food safety are identified.
3.2 RISK‐BASED THINKING
ISO 22000:2018 argues that risk‐based thinking is essential for achieving an

effective FSMS. This is not new; the concept of risk‐based thinking is implicit
in all management system standards, for example:
 carrying out preventive action to eliminate potential nonconformities;
 analysing any non-conformities, incidents and near misses that do

occur; and
 taking action to prevent recurrence of problems.
However, to conform to the requirements of the new standard, an organisation

will need to plan and implement actions to address risks and opportunities.
This should not be new. It has not been adequate to identify risks in the past
and then fail to mitigate or remove their impact.
ISO 22000:2018 introduces the concept of managing risk in clauses 6.1 and
8.5.4 in particular.
P a g e | 17

LG 07-11-2018
SESSION ONE
3.2 RISK‐BASED THINKING, CONTINUED
The organisation shall establish, implement and maintain a hazard control

plan. The hazard control plan shall be maintained as documented information
and shall include the following information for each control measure at each
critical control point (CCP) or operational prerequisite programme (OPRP):
a) food safety hazard(s) to be controlled at the CCP or by the

OPRP;
b) critical limit(s) at CCP or action criteria for OPRP;
c) monitoring procedure(s);
d) correction(s) to be made if critical limits or action criteria are not

met;
e) responsibilities and authorities.
Addressing both risks and opportunities establishes a basis for increasing the
effectiveness of the FSMS, achieving improved results and preventing
negative effects.
Actions to address opportunities can also include consideration of associated

risks. Risk is the effect of uncertainty and any such uncertainty can have
positive or negative effects. A positive deviation arising from a risk can
provide an opportunity, but not all positive effects of risk result in
opportunities.
4. OVERVIEW
4.1 THE STRUCTURE OF ISO 22000:2018
ISO 22000:2018 comprises 10 Clauses in addition to the Introduction:
 0. Introduction
 1. Scope
 2. Normative reference
 3. Terms and definitions
 4. Context of the organisation
 5. Leadership
 6. Planning for the FSMS

P a g e | 18

LG 07-11-2018
SESSION ONE
4.1 THE STRUCTURE OF ISO 22000:2018, CONTINUED
 7. Support
 8. Operation
 9. Performance evaluation
 10. Improvement
Each of these is divided into a number of sub-clauses containing specific

requirements. There are two annexes and a bibliography:
 Annex A (informative) cross references between the CODEX HACCP

and this document;
 Annex B (informative) cross references between this document and

ISO 22200:2005;
 Bibliography.
4.2 SCOPE OF ISO 22000:2018
Clause 1 of ISO 22000:2018 specifies the application of the standard and

does not in any way relate to the scope of an organisation’s FSMS.
The requirement of ISO 22000:2018 is for an organisation to establish and

maintain an effective FSMS. The scope of that system must be clearly defined
– see clause 4.3. This must be based on the risks and processes of the
organisation.
Evidence of effectiveness could be obtained as follows:
 top management leadership, commitment, responsibilities and

accountability;
 top management developing, leading and promoting a culture in the

organisation that supports the intended outcomes of the FSMS;
 communication;
 consultation and participation of workers, and, where they exist,

workers’ representatives;
 allocation of the necessary resources to maintain it;
P a g e | 19

LG 07-11-2018
SESSION ONE
4.2 SCOPE OF ISO 22000:2018, CONTINUED
 FSMS policies, which are compatible with the overall strategic

objectives and direction of the organisation;
 effective process(es) for identifying hazards, controlling FSMS risks and

taking advantage of FSMS opportunities;
 continual performance evaluation and monitoring of the FSMS to

improve FSMS performance;
 integration of the FSMS into the organisation’s business processes;
 FSMS objectives that align with the FSMS policies and take into
account the organisation’s hazards, FSMS risks and FSMS
opportunities;
 the number and nature of incidents, accidents and non-conformances;
 compliance with its legal and other requirements.
4.3 SUBSEQUENT CLAUSES OF ISO 22000:2018
4. Context of the organisation
4.1 Understanding the organisation and its context
4.2 Understanding the needs and expectations of interested

parties
4.3 Determining the scope of the FSMS
4.4 FSMS
5. Leadership
5.1 Leadership and commitment
5.2 Policy
5.2.1 Establishing the food safety policy

5.2.2 Communicating the food safety policy
5.3 Organisational roles, responsibilities and authorities
P a g e | 20

LG 07-11-2018
SESSION ONE
4.3 SUBSEQUENT CLAUSES OF ISO 22000:2018, CONTINUED
6. Planning
6.1 Actions to address risks and opportunities
6.2 Objectives of the FSMS and planning to achieve them
6.3 Planning of changes
7. Support
7.1 Resources
7.1.1 General
7.1.2 People
7.1.3 Infrastructure
7.1.4 Work environment
7.1.5 Externally developed elements of the FSMS
7.1.6 Control of externally provided processes,

products or services
7.2 Competence
7.3 Awareness
7.4 Communication
7.4.1 General
7.4.2 External communication
7.4.3 Internal communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented information
P a g e | 21

LG 07-11-2018
SESSION ONE
8. Operation
8.1 Operational planning and control
8.2 Prerequisite programmes (PRPs)
8.3 Traceability system
8.4 Emergency preparedness and response
8.4.1 General
8.4.2 Handling of emergencies and incidents
8.5 Hazard control
8.5.1 Preliminary steps to enable hazard analysis
8.5.2 Hazard analysis
8.5.3 Validation of control measure(s) and

combinations of control measures
8.5.4 Hazard control plan (HACCP/OPRP plan)
8.6 Updating the information specifying the PRPs and the

hazard control plan
8.7 Control of monitoring and measuring
8.8 Verification related to PRPs and the hazard control plan
8.8.1 Verification
8.8.2 Analysis of results of verification activities
8.9 Control of product and process nonconformities
8.9.1 General
8.9.2 Corrections
8.9.3 Corrective actions
8.9.4 Handling of potentially unsafe products
8.9.5 Withdrawal/recall
P a g e | 22

LG 07-11-2018
SESSION ONE
9. Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 General
9.1.2 Analysis and evaluation
9.2 Internal audit
9.3 Management review
9.3.1 General
9.3.2 Management review inputs
9.3.3 Management review outputs
10. Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
10.3 Update of the FSMS
Annex A – Cross references between CODEX HACCP and ISO

22000:2018
Annex B – Cross references between ISO 22000:2018 and ISO

22000:2005
Appendix 2 shows the clauses of ISO 22000:2018 compared with the clauses
of ISO 22000:2005.
P a g e | 23

LG 07-11-2018
SESSION ONE
5. ISO 22000:2018 REQUIREMENTS: CLAUSES 4 TO 10
This part identifies the overall FSMS related requirements in ISO 22000:2018. For
ease of reference, the paragraph numbers follow the clause numbers of ISO
22000:2018 and direct quotations from ISO 22000:2018 are shown in italics.
 Note: Changes in FSMS specific requirements arising as a result of

transitioning from FSMS standard ISO 2000:2005 to ISO 22000:2018 will be
clear from the exposition of the text here below.
However, as a quick note, the following clauses are new or changed in a

significant way:
 Clause 4 – to meet Annex SL requirements;
 Clause 6 – risk (not just direct hazards) and opportunities;
 Clause 8 – changes in traceability, emergency management and

analysis, but enhanced requirements on pre-requisite programmes and
hazard and critical control point planning.
See also Annexe B of ISO 22000:2018 for a table of differences from the
2005 standard.
6. CLAUSE 4: CONTEXT OF THE ORGANISATION
4.1 UNDERSTANDING THE ORGANISATION AND ITS CONTEXT
Clause 4 of 22000:2018 focuses on the planning aspects of the FSMS overall.

It requires an organisation to establish the context of its FSMS as well as to
determine its needs and those of interested parties, requirements and scope.
The organisation must have a conceptual understanding of the important

issues that can affect, either positively or negatively, the way it manages its
health and safety responsibilities.
Issues (internal and external) are important topics for the organisation. These
may include problems and changing circumstances that can affect the
organisation’s purpose, or be affected by its food management aspects.
Issues can be:
 external: cultural, social, political, legal, regulatory, financial,

technological, economic, natural and competitive issues, whether
international, national, regional or local;
P a g e | 24

LG 07-11-2018
SESSION ONE
4.1 UNDERSTANDING THE ORGANISATION AND ITS CONTEXT
 internal: characteristics or conditions of the organisation, such as its

activities, products and services, facilities and equipment, strategic
direction, culture and capabilities (people, knowledge, processes,
system).
The organization shall consider any conditions that may impact on the
likelihood of the organisation’s output to have a negative effect on food safety.
In this context the organisation shall identify and determine actions to address
risk associated with threats and opportunities, in addition to risks and hazards
and compliance obligations (see 6.1).
4.2 UNDERSTANDING THE NEEDS AND EXPECTATIONS OF INTERESTED

PARTIES
Clause 4.2 places particular focus now on the needs and expectations of
interested parties that can affect, or be affected by, the organisation.
An organisation is expected to gain a general understanding of the expressed

needs and expectations of those internal and external interested parties that
have been determined to be relevant so that the knowledge gained can be
considered when determining its statutory and regulatory requirements (see
6.2.1), as all relevant requirements of relevant interested parties with whom
the organisation decides to comply.
Interested party requirements are not necessarily requirements for the

organisation. There is no expectation that the organisation shall subsequently
comply with all the relevant interests of relevant interested parties, unless
these are contractual, legal or policy requirements.
Interested parties may include:
 management and policy makers (e.g., parent company);
 staff;
 staff representatives;
 contractors;
 visitors;
P a g e | 25

LG 07-11-2018
SESSION ONE
4.2 UNDERSTANDING THE NEEDS AND EXPECTATIONS OF INTERESTED

PARTIES, CONTINUED
 customers;
 legislators;
 shareholders, bankers and insurers.
4.3 DETERMINING THE SCOPE OF THE FSMS
Critical to the conduct of the audit is the determination of the scope of the
FSMS (and, thereby, the scope of any auditing). The organisation has the
freedom and flexibility to define its boundaries. It can be part of a larger
organisation at a given location.
The scope of the FSMS is intended to clarify the spatial and organisational
boundaries to which the FSMS will apply. It should be factual and
representative of the organisation’s operations included within its FSMS
boundaries so that it does not mislead interested parties.
A documented scope shall be available to interested parties. An auditor will

expect that the scope has taken into consideration:
 the parts of the organisation to be included;
 statutory and regulatory requirements;
 organisational units, functions and boundaries;
 services;
 activities (especially those with risk);
 the needs and expectations of interested parties; and
 its authority and ability to exercise control and influence.
P a g e | 26

LG 07-11-2018
SESSION ONE
4.4 FSMS
The organization shall establish, implement, maintain and continually improve

a FSMS, including the processes needed and their interactions, in accordance
with the requirements of this international standard (Clause 4.4).
Following the definition of a process (see Appendix) the processes that are
needed for the FSMS and their application will need to be determined
including:
 determine the inputs required and the outputs expected from these
processes;
 determine the sequence and interaction of these processes;
 determine and apply the criteria and methods (including risk mitigation,
monitoring, measurements and related performance indicators) needed
to ensure the effective operation and control of these processes;
 determine the resources needed for these processes and ensure their
availability;
 assign the responsibilities and authorities for these processes;
 address the risks and opportunities as determined in accordance with

the requirements of 6.1;
 evaluate these processes and implement any changes needed to

ensure that these processes achieve their intended results;
 improve the processes and the FSMS.
Documented information will need to be maintained to the extent necessary to

support the operation of processes and retained documented information to
the extent necessary to provide confidence that the processes are being
carried out as planned.
The issues and requirements identified here will be addressed in Clauses 6.1,
Planning (for the FSMS) and 6.2, FSMS objectives. These should include:
 the organisation’s goals and intended outcomes;
 internal and external issues;
 the relevant interested parties and their requirements; and
 the scope of the FSMS.
P a g e | 27

LG 07-11-2018
SESSION ONE
4.4 FSMS, CONTINUED
This should not be just a tick-list because considered in their entirety these
considerations will provide a key insight into the organisation. These matters
will form the base on which the organisation’s policy, objectives and
management system requirements will be built.
7. CLAUSE 5: LEADERSHIP
The requirements in ISO 22000:2018, Clause 5, follow the wording and thereby the
requirements as set out in Annex SL. However, Clause 5.1(d) contains some
interesting points.
5.1 LEADERSHIP AND COMMITMENT
5.1.1 GENERAL
Top management shall demonstrate leadership and commitment with

respect to the FSMS by:
 ensuring that the FSMS policy and related FSMS objectives are
established and are compatible with the strategic direction of the
organization;
 ensuring the integration of the FSMS requirements into the

organization’s business processes;
 ensuring that the resources needed to establish, implement,

maintain and improve the FSMS are available;
 communicating the importance of effective food safety

management and conforming to the FSMS requirements,
applicable statutory and regulatory requirements, and mutually
agreed customer requirements related to food safety;
 ensuring that the FSMS is evaluated and maintained to achieves

its intended outcome(s);
 directing and supporting persons to contribute to the effectiveness

of the FSMS;
 ensuring and promoting continual improvement;
 supporting other relevant management roles to demonstrate their

leadership as it applies to their areas of responsibility;
P a g e | 28

LG 07-11-2018
SESSION ONE
5.1.1 GENERAL, CONTINUED
Auditors might want to verify the understanding of top management in

respect of these concepts to ensure that the promotion is effective. ISO
22000:2018 contains this additional requirement to those in Annex SL.
5.2 FOOD SAFETY MANAGEMENT POLICY
The FSMS policy demonstrates the commitment of management. The policy

should be appropriate to the purpose of the organisation (Clause 5.2) and
provide a framework for establishing FSMS objectives.
The auditor will need to evaluate if top management has given consideration
in developing the policy to:
 establishing an overall sense of direction and principles for action in the

context of the organisation;
 taking into account business, legal, regulatory requirements and

contractual obligations;
 committing to continual improvement to enhance food and safety

performance.
The policy defines top management commitment to key FSMS issues and in
so doing, not only provides direction for the system, but also provides the
“ultimate accountability”.
The expectation is that organisations adopt proactive initiatives, the emphasis

of the whole standard being on ‘prevention’.
The auditor must, therefore, ensure and seek evidence to confirm that the
policy has been established by the organisation’s “top” management, i.e.,
management with the authority to allocate appropriate financial and human
resources to FSMS control and improvement.
It is usual, though not mandatory, for an organisation to demonstrate

management commitment to the policy objectively via the approval signature
of the most senior manager responsible for the scope of activities embraced
by the policy.
The policy should set out the overall sense of direction and the principles for
action. It should establish how objectives are set, the responsibilities and
performance required for the FSMS. The policy should also demonstrate the
formal commitment of management towards continual improvement.
P a g e | 29

LG 07-11-2018
SESSION ONE
5.2 FOOD SAFETY MANAGEMENT POLICY, CONTINUED
 The food and safety policy's link to risks and hazards
It is clear from these criteria that the food and safety policy is directly
linked to risk. As the food and safety policy must be relevant to an
organisation’s activities, products and services and their associated
risks, the policy should logically be drafted only after a complete review
of risk and hazards has been undertaken.
In a mature FSMS, it is not usually necessary to complete a

comprehensive review because the existing FSMS programme should
ensure that the policy has taken all current and future issues into
account.
The auditor should therefore, establish when, or whether, a FSMS

review was undertaken and the time relationship of that review to the
formulation of the FSMS policy.
If the policy were completed prior to any aspects review having been
undertaken and no modifications to the policy were subsequently made,
the auditor will need to refer to the policy on a more frequent basis to
ensure the implemented management system abides by the
organisation’s policy commitments.
The auditor will also need to ensure that policy and FSMS are, indeed,
relevant to the risks and hazards observed.
The FSMS policy must be available as documented information and

communicated within the organisation.
The auditor must ensure that employees at all levels of the organisation
are aware of the FSMS policy and that the issues contained within it are
understood, implemented and maintained.
The means by which the policy is made publicly available must be

identified by the organisation and can vary from site to site. The policy
may be available only upon request, be published in a report, or
displayed in a public place.
There will also be a need to check that the policy is communicated to

everyone working for, or on behalf of, the organisation, such as sub-
contractors, temporary staff and remote workers and that they are
aware of its implications for their own role and responsibilities.
P a g e | 30

LG 07-11-2018
SESSION ONE
5.2 FOOD SAFETY MANAGEMENT POLICY, CONTINUED
 Policy – framework for continual improvement
The policy should provide the framework for continual

improvement in food and safety performance. Typically, the policy
would indicate those specific or critical areas where continual
improvement is being sought.
An auditor would expect the organisation to demonstrate that

management system improvements had the potential to improve
FSMS performance; that is, “cosmetic” system improvements
alone would not be acceptable.
The general approach to continual improvement through the

FSMS should be set by the policy and be reflected by the
individual elements of the objectives and targets.
The focus for the continual improvement as written into policy will
depend largely upon the nature of the organisation’s activities.
Supporting information should be available in the form of
documented objectives / targets and the process documentation.
During the review or audit of the FSMS, the policy will need to be
referred to frequently, in order to ensure that the objectives and
targets as well as the review itself are consistent with the policy
statements. It is therefore important that the wording of the policy
is unambiguous and does not contain lofty, esoteric statements
that are difficult to demonstrate, measure and achieve.
5.3 ORGANIZATIONAL ROLES, RESPONSIBILITIES AND AUTHORITIES
This clause contains additional wording to that in Annex SL.
5.3.1: Top management must ensure that the responsibilities and authorities
for relevant roles are assigned for:
a) ensuring that the FSMS conforms to the requirements of this document;
b) reporting on the performance of the FSMS to top management;
c) appointing the food safety team and the food safety team leader;
d) designating persons with defined responsibility and authority to initiate

and document action(s).
P a g e | 31

LG 07-11-2018
SESSION ONE
5.3 ORGANIZATIONAL ROLES, RESPONSIBILITIES AND AUTHORITIES,

CONTINUED
5.3.2: The food safety team leader shall be responsible for:
a) ensuring the FSMS is established, implemented, maintained and

updated;
b) managing and organizing the work of the food safety team;
c) ensuring relevant training and competencies for the food safety team
(see 7.2);
d) reporting to top management on the effectiveness and suitability of the

FSMS.
5.3.3: All persons shall have the responsibility to report problem(s) with
regards to the FSMS to identified persons.
8. CLAUSE 6: PLANNING
The requirements in ISO 22000:2018, clause 6, follow the wording and thereby the
requirements as set out in Annex SL.
6.1 ACTIONS TO ADDRESS RISKS AND OPPORTUNITIES
6.1.1: When planning for the FSMS, the organization shall consider the issues
referred to in 4.1 and the requirements referred to in 4.2 and 4.3 and
determine the risks and opportunities that need to be addressed to:
a) give assurance that the FSMS can achieve its intended result(s);
b) enhance desirable effects;
c) prevent, or reduce, undesired effects;
d) achieve continual improvement.
NOTE: In the context of this document, the concept of risks and opportunities
is limited to events and their consequences relating to the performance and
effectiveness of the FSMS.
P a g e | 32

LG 07-11-2018
SESSION ONE
6.1 ACTIONS TO ADDRESS RISKS AND OPPORTUNITIES, CONTINUED
Public authorities are responsible for addressing public health risks.

Organisations are required to manage food safety hazards (see 3.22) and the
requirements related to this process that are laid down in Clause 8.
There is little interpretation needed here. Risks need to be determined and

addressed – see also 6.1.2 below.
6.1.2: The organization shall plan:
a) actions to address these risks and opportunities;
b) how to:
1) integrate and implement the actions into its FSMS processes;
2) evaluate the effectiveness of these actions.
6.1.3: The actions taken by the organization to address risks and

opportunities shall be proportionate to:
a) the impact on food safety requirements;
b) the conformity of food products and services to customers;
c) requirements of interested parties in the food chain.
NOTE 1: Actions to address risks and opportunities can include: avoiding risk,
taking risk in order to pursue an opportunity, eliminating the risk source,
changing the likelihood or consequences, sharing the risk, or accepting the
presence of risk by informed decision.
NOTE 2: Opportunities can lead to the adoption of new practices (modification

of products or processes), using new technology and other desirable and
viable possibilities to address the food safety needs of the organization.
 Comment: actions need to be practical and reasonable. The auditor will

also need to understand the organisation’s activities and potential for
food safety issues. Therefore, the auditor will need to evaluate whether
the organisation has determined the appropriate depth of examination of
its hazards and risks in order to understand enough to allow effective
FSMS and the delivery of improvements.
P a g e | 33

LG 07-11-2018
SESSION ONE
6.1 ACTIONS TO ADDRESS RISKS AND OPPORTUNITIES, CONTINUED
In this respect, the organisation should consider those direct and indirect
aspects created by the organisation’s activities, products and services, such
as:
 handling and packaging of goods-in and goods-out;
 means of transportation of product and goods;
 food safety management performance and practices of contractors;
 dealing with visitors;
 mechanisms for dissemination of food safety management information

to personnel.
A key difficulty for virtually any FSMS (and thereby for the auditor) is the
ability of those setting up the system to predict risks and hazards.
Since this exercise is the fundamental element in establishing a relevant

FSMS, then the methodology used, and the judgement exercised is of crucial
importance.
The assessment of significance is always one of the most potentially

contentious issues for an organisation when identifying the actual or potential
impact of risks. Very often, it comes down to the opinion of the person(s)
making the assessment in, or that of the organisation.
The auditor may only review the methodology whereby the decisions are
reached. Hence there can be any number of personal and/or corporate
perspectives, opinions and prejudices and other factors which come into play,
and which can serve to complicate what is, in any event, a difficult exercise.
The auditor will wish to evaluate that the FSMS issues, which have been
identified, are assessed for significance on such criteria as:
 statutory and regulatory requirements;
 food management consequences and magnitude (risk);
 interested parties’ needs or requirements;
 local issues and safety potential for all personnel who could be involved;
 availability of information.
P a g e | 34

LG 07-11-2018
SESSION ONE
6.2 OBJECTIVES AND PLANNING TO MEET THEM
The commitment in the FSMS policy to continual improvement is achieved

through the setting and meeting of FSMS objectives.
FSMS objectives are set in the areas identified as having any significant
impact on the food chain. Although not specifically mandated by ISO
22000:2018, it is strongly inferred that food management objectives and
targets should be initially established for the activities presenting the greatest
risk and liability.
The FSMS auditor must therefore, ensure and seek evidence to confirm that
objectives and targets have been set at all relevant levels within the
organisation based upon legal/regulatory and other requirements and/or the
significant risks identified.
The objectives should be measurable if practical and consistent with the

FSMS policy. The objectives will need to consider the risks, compliance
obligations and threats and opportunities.
The objectives will need to define indicators to monitor progress towards

achievement (or demonstrate achievement) of objectives. Critically, the
organisation will have to integrate those actions to achieve objectives into the
organisation´s business processes.
Once decided, the objectives need to be communicated to the appropriate

people in a way that they are able to translate these objectives into their
individual contributions.
Objectives will need to be reviewed periodically and revised as necessary in

order to provide the means for the continual improvement of the FSMS.
The auditor must obtain evidence that appropriate plans have been
established in order that the objectives will be achieved. This evidence could
take the form of “retained documented information” (records) of the initial
setting up of the activities as well as results of the implementation, monitoring,
evaluation and review.
Note that planning of achievement of objectives (Clause 6.2.2) is included in

Section 6.2, the same section that requires objectives to be set (Clause
6.2.1).
P a g e | 35

LG 07-11-2018
SESSION ONE
6.3 PLANNING OF CHANGES
This section is really concerned with significant changes in the organisation

such as new products or equipment. In such circumstances, the organisation
needs to review its processes, procedures and staffing / training.
9. CLAUSE 7: SUPPORT
In general, Clause 7 in ISO 22000:2018 follows the text and requirements in Annex
SL (and more specifically the clauses of ISO 9001:2015, where clause 7.1 is
subdivided).
7.1 RESOURCES
The resources needed for the FSMS must be determined and provided. The
resources include the people needed for the effective operation of the system
and its processes; the infrastructure; the environment for the effective
operation of the processes; and the monitoring and measuring resources.
This will include resources to identify establish, implement and maintain the
FSMS, taking account of the need for the FSMS to address the capabilities
and constraints of internal resources as well as contractual and legal
obligations and commitments to interested parties. Consideration must also
be given to products or services delivered by external providers.
Auditors should trace backwards from problems in the system to determine

whether there is any link with lack of resources, both human and material. For
example, nonconformities often result from the provision of inadequate
resources.
Resources must be provided to carry out reviews of the FSMS, to react

appropriately to the result of these reviews and to continually improve the
effectiveness of food management. Resources include commentary on the
following:
 7.1.1 General;
 7.1.2 People;
 7.1.3 Infrastructure;
 7.1.4 Work environment;
 7.1.5 Externally developed elements of the FSMS;
 7.1.6 Control of externally provided processes, products or services.
P a g e | 36

LG 07-11-2018
SESSION ONE
7.1.1 GENERAL
The organization shall determine and provide the resources needed for
the establishment, implementation, maintenance, update and continual
improvement of the FSMS. The organization shall consider: a) the
capability of, and any constraints on, existing internal resources; b) the
need for external resources.
7.1.2 PEOPLE
The organization shall ensure that persons necessary to operate and

maintain an effective FSMS are competent (see 7.2). Where the
assistance of external experts is used for the development,
implementation, operation or assessment of the FSMS, evidence of
agreement or contracts defining the competency, responsibility and
authority of external experts shall be retained as documented
information.
7.1.3 INFRASTRUCTURE
The organization shall provide the resources for the determination,

establishment and maintenance of the infrastructure necessary to
achieve conformity with the requirements of the FSMS.
Note: Infrastructure can include: — land, vessels, buildings and

associated utilities; — equipment, including hardware and software; —
transportation; — information and communication technology.
7.1.4 WORK ENVIRONMENT
The organization shall determine, provide and maintain the resources

for the establishment, management and maintenance of the work
environment necessary to achieve conformity with the requirements of
the FSMS. NOTE A suitable environment can be a combination of
human and physical factors such as:
a) social (e.g. non-discriminatory, calm, non-confrontational);
b) psychological (e.g. stress-reducing, burnout prevention,

emotionally protective);
P a g e | 37

LG 07-11-2018
SESSION ONE
7.1.4 WORK ENVIRONMENT, CONTINUED
c) physical (e.g. temperature, heat, humidity, light, air flow, hygiene,

noise).
These factors can differ substantially depending on the products and

services provided.
7.1.5 EXTERNALLY DEVELOPED ELEMENTS OF THE FSMS
When an organization establishes, maintains, updates and continually

improves its FSMS by using externally developed elements of a FSMS,
including PRPs, the hazard analysis and the hazard control plan (see
8.5.4), the organization shall ensure that the provided elements are:
a) developed in conformance with requirements of this document;
b) applicable to the sites, processes and products of the

organization;
c) specifically adapted to the processes and products of the

organization by the food safety team;
d) implemented, maintained and updated as required by this

document;
e) retained as documented information.
7.1.6 CONTROL OF EXTERNALLY PROVIDED PROCESSES, PRODUCTS

OR SERVICES
The organization shall:
a) establish and apply criteria for the evaluation, selection,

monitoring of performance and re- evaluation of external providers
of processes, products and/or services;
b) ensure adequate communication of requirements to the external

provider(s);
c) ensure that externally provided processes, products or services do

not adversely affect the organization's ability to consistently meet
the requirements of the FSMS;
d) retain documented information of these activities and any

necessary actions as a result of the evaluation and re-evaluations.
P a g e | 38

LG 07-11-2018
SESSION ONE
7.2 COMPETENCE AND AWARENESS
Competency needs must be identified, reviewed and managed so that

personnel can perform their roles effectively (Clause 7.2).
Those individuals who work under the control of the organisation must be are
aware of the relevance and importance of their activities, and how they
contribute to the achievement of the FSMS objectives.
To operate effectively, individuals must understand the importance of the

FSMS policy, their contribution to effectiveness of the FSMS and the
implications of not conforming to requirements (Clause 7.3 Awareness).
Involving employees in the activities of the FSMS, through education, training

and experience, should generate an improved degree of understanding and,
therefore, commitment. Involvement of employees in all FSMS considerations
is a key part of ISO 22000:2018 – see Leadership, Section 5.1.
Before being able to evaluate the adequacy and effectiveness of competence

and awareness within an organisation, an auditor must have a good
understanding of the following issues:
 the FSMS policy;
 objectives and plans;
 the risks inherent in the activities of the organisation
 the controls operated by the organisation;
 the organisational structure and responsibility of key positions within the

organisation;
 the competencies needed including appropriate qualifications, training,

skills and knowledge required for specific functions and processes.
The auditor should verify whether employees are competent (as appropriate
to their positions) with respect to:
 FSMS policy and objectives being known and understood;
 relevant risk associated with threats and opportunities, and how

individuals’ actions affect the organisation’s FSMS performance;
P a g e | 39

LG 07-11-2018
SESSION ONE
7.2 COMPETENCE AND AWARENESS, CONTINUED
 defined individual responsibilities being understood, performed and an

ability to relate these to the FSMS policy and objectives; i.e., what is
expected of them and others, particularly how they should meet targets
and / or performance indicators;
 the skills and knowledge necessary to ensure FSMS objectives and

service levels are met.
Note: 7.3, awareness has effectively been covered in 7.2 above.
7.4 COMMUNICATION
This clause requires the organisation to determine what and how

communication about the FSMS will be managed to both internal and external
parties. Auditors will need to evaluate whether internal and external
communications to various parties including the media, are managed, and
that the receipt and provision of communications from interested parties is
handled appropriately.
Correct and complete information needs to be provided for key activities. The
right information has to be available in the right place to the right people at the
right time.
7.5 FOOD SAFETY MANAGEMENT DOCUMENTATION
In numerous clauses, ISO 22000:2018 calls for “documented information”.

Management system standards refer to ‘maintained documented information’
and ‘retained documented information’. Retained documented information
refers to ‘records’ and maintained documented information to ‘documents’ (ref
ISO 9001 and ISO14001, Annex A).
One of the tasks for the auditor is to be aware that the documentation is
structured to fit:
 the size of the organisation and complexity and type of activities;
 scope of the FSMS;
 competence of personnel.
P a g e | 40

LG 07-11-2018
SESSION ONE
7.5 FOOD SAFETY MANAGEMENT DOCUMENTATION, CONTINUED
Although ISO 22000:2018 does not call for many formal documented
procedures in support of any of the requirements, 22000:2018 does call for
“retained” documented information (records) in many areas.
Documented information may be presented on paper, magnetic tape,

computer disc, photograph, master samples or a combination of these.
The flexible approach of the standard is intended to enhance the

implementation, maintenance and improvement of the system. This being the
case, management should decide upon structure and format of the
documentation that is needed to support the FSMS.
The nature and extent of the documentation should depend upon, and meet,
the needs of the organisation.
So, if management decide that documented procedures are appropriate for

specific tasks and activities, that is largely their decision and not because of a
requirement in ISO 22000:2018.
7.5.1 DOCUMENTED INFORMATION AS STATEMENTS OF WHAT

SHOULD HAPPEN – DOCUMENTS
The following “documents” are required by the standard:
 the FSMS policy;
 FSMS objectives;
 risks and opportunities (normally a risk register);
 processes needed to address risks and opportunities ie, risk

assessments and method statements;
 process for assessment of risk;
 compliance obligations (ie, legislation and other requirements);
 emergency measures;
 an audit programme;
 the scope of the FSMS;
 organisational roles, responsibilities, accountabilities and

authorities.
P a g e | 41

LG 07-11-2018
SESSION ONE
7.5.1 DOCUMENTED INFORMATION AS STATEMENTS OF WHAT

SHOULD HAPPEN – DOCUMENTS, CONTINUED
There may be many other documents required by the organisation to

ensure the effective planning, operation and control of its processes.
Such documents may include:
 work instructions;
 hazard and critical control points;
 explanations of traceability controls;
 supplier and outsourcing evaluation methodologies;
 training programmes;
 identification of applicable legislation and contractual

requirements;
 register of FSMS risk / hazards;
 process flow charts;
 organisation charts;
 operating instructions;
 user manuals;
 routine safety inspection plans;
 monitoring arrangements;
 technical manuals;
 manufacturer’s recommendations;
 performance standards, etc.
P a g e | 42

LG 07-11-2018
SESSION ONE
7.5.2 DOCUMENTED INFORMATION AS EVIDENCE (RECORDS)
A record is a:
“statement of results or evidence of activities performed”.
The organisation needs to retain documented information (records) to

provide evidence of conformity to requirements and for determining the
effectiveness of the FSMS and enhance FSMS performance. From the
point of view of a third-party auditor, records are one of the system
attributes that ensure the FSMS is auditable and provides appropriate
information to management.
In some cases, an auditor will be required to use skill, judgement and

practical experience to evaluate whether minimal record-keeping
conforms with the requirements of the standard, and whether those
minimal records, together with evidence gathered by interview, and
witnessed practices, establish conformity of other elements within the
system.
To demonstrate conformance to the standard’s requirements there are

many needs for record keeping. ISO 22000:2018 requires the following
records:
 training records;
 evidence of its communications;
 records of monitoring and measurement;
 evidence of the compliance evaluation result(s);
 traceability records;
 emergency drills;
 non-conformities, incidents and investigations;
 corrective actions taken;
 internal audit records;
 management review minutes.
Records should be simple, legible readily identifiable and retrievable.

They should provide management with useful information for continual
improvement and data for improving FSMS processes. Records may be
held in any form which means that in many organisations, records will
be held electronically.
P a g e | 43

LG 07-11-2018
SESSION ONE
7.5.2 DOCUMENTED INFORMATION AS EVIDENCE (RECORDS),

CONTINUED
 7.5 Control of documented information
All documented information has to be controlled and the auditor will

need to ensure that appropriate controls are in place. For example: the
following criteria are used to control documents:
 title;
 number;
 issue status;
 page number and total number of pages;
 approval authority;
 issuing authority;
 issue date.
In some organisations the issuing and approval authorities may be the

same person. All FSMS documentation should be:
 identifiable – tiitle, number;
 up-to-date (documents);
 legible;
 understandable;
 logically laid out;
 clear in meaning;
 adequate;
 complete;
 self-consistent - within the purpose and scope of the system or

process;
 consistent with other documents;
 available (documents);
 retrievable (records).
P a g e | 44

LG 07-11-2018
SESSION ONE
10. CLAUSE 8: OPERATION

The types and degrees of operational control depend on the nature of the
operations, the risk and hazards encountered and compliance obligations.
8.1 OPERATIONAL PLANNING AND CONTROL – GENERAL
ISO 22000:2018 starts (clause 8.1.1) by making the general point that a
FSMS should plan, implement and control all necessary processes.
Change is emphasised in ISO 22000:2018. Management need to cover

temporary and permanent changes in their training and documentation. The
auditor will need to assess whether any planned changes are controlled and
actions taken to mitigate the consequences of unintended changes or any
other adverse effects.
The auditor will also want to evaluate that procurement is considered from a
health and safety standpoint. In particular, contractors and outsourcing must
be controlled.
8.2 PREREQUISITE PROGRAMMES (PRPS)
8.2: The organization shall establish, implement, maintain and update PRP(s)
to facilitate the prevention and/or reduction of contaminants (including food
safety hazards) in the products, product processing and work environment.
The PRP(s) shall be:
a) appropriate to the organization and its context with regard to food

safety;
b) appropriate to the size and type of the operation and the nature of the
products being manufactured and/or handled;
c) implemented across the entire production system, either as

programmes applicable in general or as programmes applicable to a
particular product or process;
d) approved by the food safety team.
When selecting and/or establishing PRP(s), the organization shall ensure that
applicable statutory, regulatory and mutually agreed customer requirements
are identified. The organization should consider:
a) the applicable part of the ISO/TS 22002 series;
b) applicable standards, codes of practice and guidelines.
P a g e | 45

LG 07-11-2018
SESSION ONE
8.2 PREREQUISITE PROGRAMMES (PRPS), CONTINUED
When establishing PRP(s) the organization shall consider:
a) construction, lay-out of buildings and associated utilities;
b) lay-out of premises, including zoning, workspace and employee

facilities;
c) supplies of air, water, energy and other utilities;
d) pest control, waste and sewage disposal and supporting services;
e) the suitability of equipment and its accessibility for cleaning and

maintenance;
f) supplier approval and assurance processes (e.g. raw materials,

ingredients, chemicals and packaging);
g) reception of incoming materials, storage, dispatch, transportation and

handling of products;
h) measures for the prevention of cross contamination;
i) cleaning and disinfecting;
j) personal hygiene;
k) product information/consumer awareness;
l) others, as appropriate.
Documented information shall specify the selection, establishment, applicable

monitoring and verification of the PRPs.
8.3 TRACEABILITY SYSTEM
The traceability system shall be able to uniquely identify incoming material

from the suppliers and the first stage of the distribution route of the end
product. When establishing and implementing the traceability system, the
following shall be considered as a minimum:
a) relation of lots of received materials, ingredients and intermediate

products to the end products;
b) reworking of materials/products;
c) distribution of the end product.
P a g e | 46

LG 07-11-2018
SESSION ONE
8.3 TRACEABILITY SYSTEM, CONTINUED
The organization shall ensure that applicable statutory, regulatory and

customer requirements are identified.
Documented information as evidence of the traceability system shall be

retained for a defined period to include, as a minimum, the shelf life of the
product. The organization shall verify and test the effectiveness of the
traceability system.
NOTE: Where appropriate, the verification of the system is expected to

include the reconciliation of quantities of end products with the quantity of
ingredients as evidence of effectiveness.
8.4 EMERGENCY PREPAREDNESS AND RESPONSE
8.4.1 GENERAL
Top management shall ensure procedures are in place to respond to

potential emergency situations or incidents that can have an impact on
food safety which are relevant to the role of the organization in the food
chain.
Documented information shall be established and maintained to

manage these situations and incidents.
8.4.2 HANDLING OF EMERGENCIES AND INCIDENTS
The organization shall:
a) respond to actual emergency situations and incidents by:
1. ensuring applicable statutory and regulatory requirements are

identified;
2. communicating internally;
3. communicating externally (e.g. suppliers, customers,

appropriate authorities, media);
b) take action to reduce the consequences of the emergency situation,

appropriate to the magnitude of the emergency or incident and the
potential food safety impact;
c) periodically test procedures where practical;
P a g e | 47

LG 07-11-2018
SESSION ONE
8.4.2 HANDLING OF EMERGENCIES AND INCIDENTS, CONTINUED
d) review and, where necessary, update the documented information

after the occurrence of any incident, emergency situation or tests.
NOTE: Examples of emergency situations that can affect food safety

and/or production are natural disasters, environmental accidents,
bioterrorism, workplace accidents, public health emergencies and other
accidents, e.g. interruption of essential services such as water,
electricity or refrigeration supply.
8.5 HAZARD CONTROL
8.5.1 PRELIMINARY STEPS TO ENABLE HAZARD ANALYSIS
8.5.1.1 GENERAL
To carry out the hazard analysis, preliminary documented information

shall be collected, maintained and updated by the food safety team.
This shall include, but not be limited to:
a) applicable statutory, regulatory and customer requirements;
b) the organization’s products, processes and equipment;
c) food safety hazards relevant to the FSMS.
8.5.1.2 CHARACTERISTICS OF RAW MATERIALS, INGREDIENTS

AND PRODUCT CONTACT MATERIALS
The organization shall ensure that all applicable statutory and regulatory
food safety requirements are identified for all raw materials, ingredients
and product contact materials.
The organization shall maintain documented information concerning all

raw materials, ingredients and product contact materials to the extent
needed to conduct the hazard analysis (see 8.5.2), including the
following, as appropriate:
a) biological, chemical and physical characteristics;
b) composition of formulated ingredients, including additives and

processing aids;
P a g e | 48

LG 07-11-2018
SESSION ONE
8.5.1.2 CHARACTERISTICS OF RAW MATERIALS, INGREDIENTS

AND PRODUCT CONTACT MATERIALS, CONTINUED
c) source (e.g. animal, mineral or vegetable);
d) place of origin (provenance);
e) method of production;
f) method of packaging and delivery;
g) storage conditions and shelf life;
h) preparation and/or handling before use or processing;
i) acceptance criteria related to food safety or specifications of

purchased materials and ingredients appropriate to their intended
use.
8.5.1.3 CHARACTERISTICS OF END PRODUCTS
The organization shall ensure that all applicable statutory and regulatory
food safety requirements are identified for all the end products intended
to be produced. The organization shall maintain documented
information concerning the characteristics of end products to the extent
needed to conduct the hazard analysis (see 8.5.2), including information
on the following, as appropriate:
a) product name or similar identification;
b) composition;
c) biological, chemical and physical characteristics relevant for food

safety;
d) intended shelf life and storage conditions;
e) packaging;
f) labelling relating to food safety and/or instructions for handling,

preparation and intended use;
g) method(s) of distribution and delivery.
P a g e | 49

LG 07-11-2018
SESSION ONE
8.5.1.4 INTENDED USE
The intended use, including reasonably expected handling of the end

product and any unintended use but reasonably expected mishandling
and misuse of the end product, shall be considered and shall be
maintained as documented information to the extent needed to conduct
the hazard analysis (see 8.5.2).
Where appropriate, groups of consumers/users shall be identified for

each product. Groups of consumers/users known to be especially
vulnerable to specific food safety hazards shall be identified.
8.5.1.5 FLOW DIAGRAMS AND DESCRIPTION OF PROCESSES
8.5.1.5.1 PREPARATION OF THE FLOW DIAGRAMS
The food safety team shall establish, maintain and update flow
diagrams as documented information for the products or product
categories and the processes covered by the FSMS.
Flow diagrams provide a graphic representation of the process. Flow

diagrams shall be used when conducting the hazard analysis as a basis
for evaluating the possible occurrence, increase, decrease or
introduction of food safety hazards.
Flow diagrams shall be clear, accurate and sufficiently detailed to the

extent needed to conduct the hazard analysis. Flow diagrams shall, as
appropriate, include the following:
a) the sequence and interaction of the steps in the operation;
b) any outsourced processes;
c) where raw materials, ingredients, processing aids, packaging

materials, utilities and intermediate products enter the flow;
d) where reworking and recycling take place;
e) where end products, intermediate products, by-products and

waste are released or removed.
P a g e | 50

LG 07-11-2018
SESSION ONE
8.5.1.5.2 ON-SITE CONFIRMATION OF FLOW DIAGRAMS
The food safety team shall confirm on-site the accuracy of the flow
diagrams, update the flow diagrams where appropriate and retain as
documented information.
8.5.1.5.3 DESCRIPTION OF PROCESSES AND PROCESS

ENVIRONMENT
The food safety team shall describe, to the extent needed to conduct
the hazard analysis:
a) the layout of premises, including food and non-food handling

areas;
b) processing equipment and contact materials, processing aids and

flow of materials;
c) existing PRPs, process parameters, control measures (if any)

and/or the strictness with which they are applied, or procedures
that can influence food safety;
d) external requirements (e.g. from statutory and regulatory

authorities or customers) that can impact the choice and the
strictness of the control measures. The variations resulting from
expected seasonal changes or shift patterns shall be included as
appropriate. The descriptions shall be updated as appropriate and
maintained as documented information.
8.5.2 HAZARD ANALYSIS
8.5.2.1 GENERAL
The food safety team shall conduct a hazard analysis, based on the
preliminary information, to determine the hazards that need to be
controlled.
The degree of control shall ensure food safety and, where appropriate,
a combination of control measures shall be used.
P a g e | 51

LG 07-11-2018
SESSION ONE
8.5.2.2 HAZARD IDENTIFICATION AND DETERMINATION OF

ACCEPTABLE LEVELS
8.5.2.2.1: The organization shall identify and document all food safety
hazards that are reasonably expected to occur in relation to the type of
product, type of process and process environment. The identification
shall be based on:
a) the preliminary information and data collected in accordance with

8.5.1;
b) experience;
c) internal and external information including, to the extent possible,

epidemiological, scientific and other historical data;
d) information from the food chain on food safety hazards related to

the safety of the end products, intermediate products and the food
at the time of consumption;
e) statutory, regulatory and customer requirements.
NOTE 1 Experience can include information from staff and external

experts who are familiar with the product and/or processes in other
facilities.
NOTE 2 Statutory and regulatory requirements can include food safety

objectives (FSOs). The Codex Alimentarius Commission defines FSOs
as “The maximum frequency and/or concentration of a hazard in a food
at the time of consumption that provides or contributes to the
appropriate level of protection (ALOP)”. Hazards should be considered
in sufficient detail to enable hazard assessment and the selection of
appropriate control measures.
8.5.2.2.2: The organization shall identify step(s) (e.g. receiving raw

materials, processing, distribution and delivery) at which each food
safety hazard can be present, be introduced, increase or persist. When
identifying hazards, the organization shall consider:
a) the stages preceding and following in the food chain;
b) all steps in the flow diagram;
c) the process equipment, utilities/services, process environment

and persons.
P a g e | 52

LG 07-11-2018
SESSION ONE
8.5.2.2 HAZARD IDENTIFICATION AND DETERMINATION OF

ACCEPTABLE LEVELS, CONTINUED
8.5.2.2.3: The organization shall determine the acceptable level in the

end product of each food safety hazard identified, whenever possible.
When determining acceptable levels, the organization shall:
a) ensure that applicable statutory, regulatory and customer

requirements are identified;
b) consider the intended use of end products;
c) consider any other relevant information. The organization shall

maintain documented information concerning the determination of
acceptable levels and the justification for the acceptable levels.
8.5.2.3 HAZARD ASSESSMENT
The organization shall conduct, for each identified food safety hazard, a
hazard assessment to determine whether its prevention or reduction to
an acceptable level is essential. The organization shall evaluate each
food safety hazard with regard to:
a) the likelihood of its occurrence in the end product prior to

application of control measures;
b) the severity of its adverse health effects in relation to the intended

use (see 8.5.1.4).
The organization shall identify any significant food safety hazards. The
methodology used shall be described, and the result of the hazard
assessment shall be maintained as documented information.
8.5.2.4 SELECTION AND CATEGORIZATION OF CONTROL

MEASURE(S)
8.5.2.4.1: Based on the hazard assessment, the organization shall

select an appropriate control measure or combination of control
measures that will be capable of preventing or reducing the identified
significant food safety hazards to defined acceptable levels. The
organization shall categorize the selected identified control measure(s)
to be managed as OPRP(s) (see 3.30) or at CCPs (see 3.11).
P a g e | 53

LG 07-11-2018
SESSION ONE
8.5.2.4 SELECTION AND CATEGORIZATION OF CONTROL

MEASURE(S), CONTINUED
The categorization shall be carried out using a systematic approach. For

each of the control measures selected, there shall be an assessment of
the following:
a) the likelihood of failure of its functioning;
b) the severity of the consequence in the case of failure of its

functioning; this assessment shall include:
1. the effect on identified significant food safety hazards;
2. the location in relation to other control measure(s);
3. whether it is specifically established and applied to reduce

the hazards to an acceptable level;
4. whether it is a single measure or is part of combination of

control measure(s).
8.5.2.4.2: In addition, for each control measure, the systematic

approach shall include an assessment of the feasibility of:
a) establishing measurable critical limits and/or measurable/

observable action criteria;
b) monitoring to detect any failure to remain within critical limit and/or

measurable/observable action criteria;
c) applying timely corrections in case of failure. The decision-making

process and results of the selection and categorization of the
control measures shall be maintained as documented information.
External requirements (e.g. statutory, regulatory and customer
requirements) that can impact the choice and the strictness of the
control measures shall also be maintained as documented
information.
P a g e | 54

LG 07-11-2018
SESSION ONE
8.5.3 VALIDATION OF CONTROL MEASURE(S) AND COMBINATIONS OF

CONTROL MEASURES
The food safety team shall validate that the selected control measures
are capable of achieving the intended control of the significant food
safety hazard(s). This validation shall be done prior to implementation of
control measure(s) and combinations of control measures to be
included in the hazard control plan (see 8.5.4) and after any change
therein (see 7.4.2, 7.4.3, 10.2 and 10.3). When the result of validation
shows that the control measures(s) is (are) not capable of achieving the
intended control, the food safety team shall modify and re-assess the
control measure(s) and/or combination(s) of control measure(s).
The food safety team shall maintain the validation methodology and
evidence of capability of the control measure(s) to achieve the intended
control as documented information.
Note: Modification can include changes in control measure(s) (i.e.

process parameters, rigour and/or their combination) and/or change(s)
in the manufacturing technologies for raw materials, end product
characteristics, methods of distribution and intended use of the end
products.
8.5.4 HAZARD CONTROL PLAN (HACCP/OPRP PLAN)
8.5.4.1 GENERAL
The organization shall establish, implement and maintain a hazard

control plan. The hazard control plan shall be maintained as
documented information and shall include the following information for
each control measure at each CCP or OPRP:
a) food safety hazard(s) to be controlled at the CCP or by the OPRP;
b) critical limit(s) at CCP or action criteria for OPRP;
c) monitoring procedure(s);
d correction(s) to be made if critical limits or action criteria are not

met;
e) responsibilities and authorities;
f) records of monitoring.
P a g e | 55

LG 07-11-2018
SESSION ONE
8.5.4.2 DETERMINATION OF CRITICAL LIMITS AND ACTION

CRITERIA
Critical limits at CCPs and action criteria for OPRPs shall be specified.
The rationale for their determination shall be maintained as documented
information. Critical limits at CCPs shall be measurable. Conformance
with critical limits shall ensure that the acceptable level is not exceeded.
Action criteria for OPRPs shall be measurable or observable.

Conformance with action criteria shall contribute to the assurance that
the acceptable level is not exceeded.
8.5.4.3 MONITORING SYSTEMS AT CCPS AND FOR OPRPS
At each CCP, a monitoring system shall be established for each control

measure or combination of control measure(s) to detect any failure to
remain within the critical limits. The system shall include all scheduled
measurements relative to the critical limit(s).
For each OPRP, a monitoring system shall be established for the

control measure or combination of control measure(s) to detect failure to
meet the action criterion. The monitoring system, at each CCP and for
each OPRP, shall consist of documented information, including:
a) measurements or observations that provide results within an

adequate time frame;
b) monitoring methods or devices used;
c) applicable calibration methods or, for OPRPs, equivalent methods

for verification of reliable measurements or observations (see 8.7);
d) monitoring frequency;
e) monitoring results;
f) responsibility and authority related to monitoring;
g) responsibility and authority related to evaluation of monitoring

results.
At each CCP, the monitoring method and frequency shall be capable of

timely detection of any failure to remain within critical limits, to allow
timely isolation and evaluation of the product (see 8.9.4).
P a g e | 56

LG 07-11-2018
SESSION ONE
8.5.4.3 MONITORING SYSTEMS AT CCPS AND FOR OPRPS,

CONTINUED
For each OPRP, the monitoring method and frequency shall be

proportionate to the likelihood of failure and the severity of
consequences. When monitoring an OPRP is based on subjective data
from observations (e.g. visual inspection), the method shall be
supported by instructions or specifications.
8.5.4.4 ACTIONS WHEN CRITICAL LIMITS OR ACTION CRITERIA

ARE NOT MET
The organization shall specify corrections (see 8.9.2) and corrective

actions (see 8.9.3) to be taken when critical limits or action criterion are
not met and shall ensure that:
a) the potentially unsafe products are not released (see 8.9.4);
b) the cause of nonconformity is identified;
c) the parameter(s) controlled at the CCP or by the OPRP is (are)

returned within the critical limits or action criteria;
d) recurrence is prevented.
The organization shall make corrections in accordance with 8.9.2 and

corrective actions in accordance with 8.9.3. 8.5.4.5 Implementation of
the hazard control plan. The organization shall implement and maintain
the hazard control plan, and retain evidence of the implementation as
8.6 UPDATING THE INFORMATION SPECIFYING THE PRPS AND THE

HAZARD CONTROL PLAN
Following the establishment of the hazard control plan, the organization shall
update the following information, if necessary:
a) characteristics of raw materials, ingredients and product-contact

materials;
b) characteristics of end products;
c) intended use;
d) flow diagrams and descriptions of processes and process environment.
P a g e | 57

LG 07-11-2018
SESSION ONE
8.6 UPDATING THE INFORMATION SPECIFYING THE PRPS AND THE

HAZARD CONTROL PLAN, CONTINUED
The organization shall ensure that the hazard control plan and/or the PRP(s)
are up to date.
8.7 CONTROL OF MONITORING AND MEASURING
The organization shall provide evidence that the specified monitoring and
measuring methods and equipment in use are adequate for the monitoring
and measuring activities related to the PRP(s) and the hazard control plan.
The monitoring and measuring equipment used shall be:
a) calibrated or verified at specified intervals prior to use;
b) adjusted or re-adjusted as necessary;
c) identified to enable the calibration status to be determined;
d) safeguarded from adjustments that would invalidate the measurement

results;
e) protected from damage and deterioration.
The results of calibration and verification shall be retained as documented

information. The calibration of all the equipment shall be traceable to
international or national measurement standards; where no standards exist,
the basis used for calibration or verification shall be retained as documented
information.
The organization shall assess the validity of the previous measurement

results when the equipment or process environment is found not to conform to
requirements.
The organization shall take appropriate action in relation to the equipment or

process environment and any product affected by the nonconformance. The
assessment and resulting action shall be maintained as documented
information.
Software used in monitoring and measuring within the FSMS shall be

validated by the organization, software supplier or third party prior to use.
Documented information on validation activities shall be maintained by the
organization and the software shall be updated in a timely manner.
P a g e | 58

LG 07-11-2018
SESSION ONE
8.7 CONTROL OF MONITORING AND MEASURING, CONTINUED
Whenever there are changes, including software configuration/modifications

to commercial off-the-shelf software, they shall be authorized, documented
and validated before implementation.
Note: Commercial off-the-shelf software in general use within its designed

application range can be considered to be sufficiently validated.
8.8 VERIFICATION RELATED TO PRPS AND THE HAZARD CONTROL PLAN
8.8.1 VERIFICATION
The organization shall establish, implement and maintain verification

activities. The verification planning shall define purpose, methods,
frequencies and responsibilities for the verification activities. The
verification activities shall confirm that:
a) the PRP(s) are implemented and effective;
b) the hazard control plan is implemented and effective;
c) hazard levels are within identified acceptable levels;
d) input to the hazard analysis is updated;
e) other actions determined by the organization are implemented and

effective.
The organization shall ensure that verification activities are not carried
out by the person responsible for monitoring the same activities.
Verification results shall be retained as documented information and
shall be communicated.
Where verification is based on testing of end product samples or direct

process samples and where such test samples show nonconformity with
the acceptable level of the food safety hazard (see 8.5.2.2), the
organization shall handle the affected lot(s) of product as potentially
unsafe (see 8.9.4.3) and apply corrective actions in accordance with
8.9.3.
P a g e | 59

LG 07-11-2018
SESSION ONE
8.8.2 ANALYSIS OF RESULTS OF VERIFICATION ACTIVITIES
The food safety team shall conduct an analysis of the results of

verification that shall be used as an input to the performance evaluation
of the FSMS (see 9.1.2).
8.9 CONTROL OF PRODUCT AND PROCESS NONCONFORMITIES
8.9.1 GENERAL
The organization shall ensure that data derived from the monitoring of
OPRPs and at CCPs are evaluated by designated persons who are
competent and have the authority to initiate corrections and corrective
actions.
8.9.2 CORRECTIONS
8.9.2.1: The organization shall ensure that when critical limits at CCP(s)
and/or action criteria for OPRPs are not met, the products affected are
identified and controlled with regard to their use and release. The
organization shall establish, maintain and update documented
information that includes:
a) a method of identification, assessment and correction for affected

products to ensure their proper handling;
b) arrangements for review of the corrections carried out.
8.9.2.2: When critical limits at CCPs are not met, affected products shall
be identified and handled as potentially unsafe products (see 8.9.4).
8.9.2.3: Where action criteria for an OPRP are not met, the following
shall be carried out:
a) determination of the consequences of that failure with respect to

food safety;
b) determination of the cause(s) of failure;
c) identification of the affected products and handling in accordance

with 8.9.4.
P a g e | 60

LG 07-11-2018
SESSION ONE
8.9.2 CORRECTIONS, CONTINUED
The organization shall retain results of the evaluation as documented

information.
8.9.2.4: Documented information shall be retained to describe

corrections made on nonconforming products and processes, including
the:
a) nature of the nonconformity;
b) cause(s) of the failure;
c) consequences as a result of the nonconformity.
8.9.3 CORRECTIVE ACTIONS
The need for corrective actions shall be evaluated when critical limits at
CCP(s) and/or action criteria for OPRPs are not met.
The organization shall establish and maintain documented information

that specifies appropriate actions to identify and eliminate the cause of
detected nonconformities, to prevent recurrence, and to return the
process to control after a nonconformity is identified.
These actions shall include:
a) reviewing nonconformities identified by customer and/or consumer

complaints and/or regulatory inspection reports;
b) reviewing trends in monitoring results that can indicate loss of

control;
c) determining the cause(s) of nonconformities;
d) determining and implementing actions to ensure that

nonconformities do not recur;
e) documenting the results of corrective actions taken;
f) verifying corrective actions taken to ensure that they are effective.

The organization shall retain documented information on all
corrective actions.
P a g e | 61

LG 07-11-2018
SESSION ONE
8.9.4 HANDLING OF POTENTIALLY UNSAFE PRODUCTS
8.9.4.1 GENERAL
The organization shall take action(s) to prevent potentially unsafe

products from entering the food chain, unless it can demonstrate that:
a) the food safety hazard(s) of concern is (are) reduced to the

defined acceptable levels;
b) the food safety hazard(s) of concern will be reduced to identified

acceptable levels prior to entering the food chain; or
c) the product still meets the defined acceptable level(s) of the food
safety hazard(s) of concern despite the nonconformity.
The organization shall retain products that have been identified as

potentially unsafe under its control until the products have been
evaluated and the disposition has been determined. If products that
have left the control of the organization are subsequently determined to
be unsafe, the organization shall notify relevant interested parties and
initiate a withdrawal/recall (see 8.9.5).
The controls and related responses from relevant interested parties and
authorization for dealing with potentially unsafe products shall be
retained as documented information.
8.9.4.2 EVALUATION FOR RELEASE
Each lot of products affected by the nonconformity shall be evaluated.

Products affected by failure to remain within critical limits at CCPs shall
not be released, but shall be handled in accordance with 8.9.4.3.
Products affected by failure to meet action criterion for OPRPs shall

only be released as safe when any of the following conditions apply:
a) evidence other than the monitoring system demonstrates that the

control measures have been effective;
b) evidence shows that the combined effect of the control measures

for that particular product conforms to the performance intended
(i.e. identified acceptable levels);
P a g e | 62

LG 07-11-2018
SESSION ONE
8.9.4.2 EVALUATION FOR RELEASE, CONTINUED
c) the results of sampling, analysis and/or other verification activities

demonstrate that the affected products conform to the identified
acceptable levels for the food safety hazard(s) concerned.
Results of evaluation for release of products shall be retained as

8.9.4.3 DISPOSITION OF NONCONFORMING PRODUCTS
Products that are not acceptable for release shall be:
a) reprocessed or further processed within or outside the

organization to ensure that the food safety hazard is reduced to
acceptable levels; or
b) redirected for other use as long as food safety in the food chain is
not affected; or
c) destroyed and/or disposed as waste. Documented information on

the disposition of nonconforming products, including the
identification of the person(s) with approving authority shall be
retained.
8.9.5 WITHDRAWAL/RECALL
The organization shall be able to ensure the timely withdrawal/recall of

lots of end products that have been identified as potentially unsafe, by
appointing competent person(s) having the authority to initiate and carry
out the withdrawal/recall.
The organization shall establish and maintain documented information

for:
a) notifying relevant interested parties (e.g. statutory and regulatory

authorities, customers and/or consumers);
b) handling withdrawn/recalled products as well as products still in

stock;
c) performing the sequence of actions to be taken.
P a g e | 63

LG 07-11-2018
SESSION ONE
8.9.5 WITHDRAWAL/RECALL, CONTINUED
Withdrawn/recalled products and end products still in stock shall be

secured or held under the control of the organization until they are
managed in accordance with 8.9.4.3.
The cause, extent and result of a withdrawal/recall shall be retained as

documented information and reported to the top management as input
for the management review (see 9.3).
The organization shall verify the implementation and effectiveness of

withdrawals/recalls through the use of appropriate techniques (e.g.
mock withdrawal/recall or practice withdrawal/recall) and retain
11. CLAUSE 9: PERFORMANCE EVALUATION
9.1 MONITORIONG, MEASUREMENT, ANALYSIS AND EVALUATION
9.1.1 GENERAL
The organization shall determine:
a) what needs to be monitored and measured;
b) the methods for monitoring, measurement, analysis and

evaluation, as applicable, to ensure valid results;
c) when the monitoring and measuring shall be performed;
d) when the results from monitoring and measurement shall be

analysed and evaluated;
e) who shall analyse and evaluate the results from monitoring and
measurement. The organization shall retain appropriate
documented information as evidence of the results.
The organization shall evaluate the performance and the effectiveness

of the FSMS.
P a g e | 64

LG 07-11-2018
SESSION ONE
9.1.2 ANALYSIS AND EVALUATION
The organization shall analyse and evaluate appropriate data and

information arising from monitoring and measurement, including the
results of verification activities related to PRPs and the hazard control
plan (see 8.8 and 8.5.4), the internal audits (see 9.2) and external
audits.
The analysis shall be carried out:
a) to confirm that the overall performance of the system meets the

planned arrangements and the FSMS requirements established
by the organization;
b) to identify the need for updating or improving the FSMS;
c) to identify trends which indicate a higher incidence of potentially

unsafe products or process failures;
d) to establish information for planning of the internal audit

programme related to the status and importance of areas to be
audited;
e) to provide evidence that corrections and corrective actions are

effective.
The results of the analysis and the resulting activities shall be retained
as documented information. The results shall be reported to top
management and used as input to the management review (see 9.3)
and the updating of the FSMS (see 10.3).
Note: Methods to analyse data can include statistical techniques.
9.2 INTERNAL AUDIT
The organisation must conduct internal audits at planned intervals to provide

information on whether the FSMS conforms to requirements of ISO
22000:2018 and is effectively implemented and maintained.
The application of internal audits is critical to the maintenance of the FSMS

and to demonstrate that requirement and objectives are being met, and that
the organisation is continually improvement is performance.
P a g e | 65

LG 07-11-2018
SESSION ONE
9.2 INTERNAL AUDIT, CONTINUED
This means the establishment of an audit programme taking into

consideration the FSMS objectives, the risk associated with activities and
opportunities and changes which impact on the organisation and the results of
previous audits. Audits must be objective and impartial and the means by
which auditors are selected must ensure that this objectivity is maintained.
The management responsible for the area being audited must ensure that any
necessary corrections and corrective actions are taken and within an agreed
time-fame. Follow up activities will include the verification of the actions taken
and the reporting of verification results.
Third-party certification auditors will need to ensure that these requirements

are being met fully and effectively.
9.3 MANAGEMENT REVIEW
The organisation’s top management is to review its FSMS at planned intervals

to ensure the continuing suitability, adequacy and effectiveness.
Typically, management review activities comprise a meeting to review data

and issues, though a “meeting” is not required by the organisation.
Auditors can learn a great deal about top management involvement and
commitment by examining the results and actions emanating from the
management review process.
Furthermore, because management review is a standalone, integral part of

the “Plan-Do-Check-Act” loop, accreditation criteria and certification bodies
place great importance on this process and its results, including the
completion of at least one management review prior to an initial certification
audit.
ISO 22000:2018 gives a good idea of the minimum agenda points which a
management review should cover – see Clause 9.3.2 itself.
P a g e | 66

LG 07-11-2018
SESSION ONE
12. CLAUSE 10: IMPROVEMENT
10.1 NONCONCORMITY AND CORRECTIVR ACTION
This clause addresses the final part of the P-D-C-A cycle.
The general requirement is that the organisation needs to determine

opportunities for improvement and implement any necessary actions resulting.
The standard starts with the premise of addressing incidents and non-
conformities and implementing corrective action.
Through the use of corrective actions to address nonconformity, the

organisation is able to improve the effectiveness of the FSMS.
Where nonconformities have occurred, the auditor must ensure that that
corrective action taken should have been the result of an investigation into the
root cause or causes of the nonconformity or incident. The corrective action
should not permit any recurrence of the problem or cause other similar FSMS
problems to arise.
The investigations into incidents and NCRs, together with the corrective
actions taken and along with outputs from the analysis and evaluation of
processes and outputs from the management review, should add impetus to
continual improvement in the suitability, adequacy or effectiveness of the
FSMS and enhance food management performance (Clauses 10.2 and 10.3).
10.2 CONTINUAL IMPROVEMENT
ISO 22000:2018 uses the almost standard Annex SL requirement to

“continually improve the suitability, adequacy and effectiveness of the FSMS”.
ISO 22000:2018 does, however, introduce FSMS specific points such as

promoting worker participation in improvement activities.
P a g e | 67

LG 07-11-2018
SESSION ONE
10.3 UPDATE OF THE FSMS
Top management shall ensure that the FSMS is continually updated. To

achieve this, the food safety team shall evaluate the FSMS at planned
intervals.
The team shall consider whether it is necessary to review the hazard analysis
(see 8.5.2), the established hazard control plan (see 8.5.4) and the
established PRPs (see 8.2). The updating activities shall be based on:
a) input from communication, external as well as internal (see 7.4);
b) input from other information concerning the suitability, adequacy and

effectiveness of the FSMS;
c) output from the analysis of results of verification activities (see 9.1.2);
d) output from management review (see 9.3).
System updating activities shall be retained as documented information and

reported as input to the management review.
P a g e | 68

LG 07-11-2018
SESSION ONE
ACTIVITY 1: AUDIT EVIDENCE RELATED TO ISO 22000:2018

CLAUSES
PURPOSE
 To understand how:
 to evaluate and understand an organisation’s context;
 an organisation identifies and evaluates the views of interested parties;
 this would apply to different types of organisations.
TASK
 In your teams:
 Consider what audit evidence / documented information you would expect to

see or gather when evaluating and verifying an organisation with reference to
the following clauses (your tutor will allocate different clauses to different
teams):
 4.1, understanding the organisation and its context;
 4.2, understanding the needs and expectations of interested parties;
 5.1, leadership and commitment;
 7.1.1 – 7.1.6, resources;
 8.5.1, hazard analysis and control’
 9.1, monitoring and measurement.
OUTPUT
 Present your conclusions for discussion by the whole class.
TIME ALLOWED
 Reading and preparation of findings: 30 minutes.
 Feedback: 30 minutes.
P a g e | 69

LG 07-11-2018
SESSION ONE
P a g e | 70

LG 07-11-2018
SESSION TWO
Session Two
Project Management Principles

and their Application
P a g e | 71

LG 07-11-2018
SESSION TWO
PROJECT MANAGEMENT PRINCIPLES AND THEIR APPLICATION

OBJECTIVES
 understand project management objectives, stages, planning, control and

organisation;
 understand the importance of people, training and motivation;
 understand project management tools and techniques.
KEY POINTS
 Project management.
 Project stages.
 Project planning.
 Project control.
 Project organisation.
 Planning.
 Estimating.
 Cost estimating.
P a g e | 72

LG 07-11-2018
SESSION TWO
PROJECT MANAGEMENT PRINCIPLES AND THEIR APPLICATION

1. INTRODUCTION
This is a general guide to the principles of project management. Any project which
requires monitoring and control may be guided by the principles laid out here. The
use of the information here is not dedicated to ISO 22000:2018 and may be applied
to other different projects.
The management style of any organisation is key to the introduction of any change.
The traditional and dictatorial styles which no management will admit to but which is
all too prevalent in the organisations is a major stumbling block to committed
change on the part of the work force. One of the most important initial steps in
assessing how to introduce a FSMS is to establish how much work needs to be
done with the senior people in the organisation before introducing new ideas to the
main body of the work force.
Unless the work-force believe that senior management are committed to the
introduction of FSMS and are willing to provide adequate resources for its
implementation, the project will either flounder very early or take an inordinate length
of time to achieve results which will be less than ideal. This means that the senior
people have to be given in-depth awareness training on the philosophy and
practicality of a FSMS along with clear guidance as to the commitment of resources
needed for full and effective working.
It is not easy to demonstrate or predict the benefits of introducing a FSMS - and

certainly not in financial terms. This means that management may find it less than
easy to convince a work force of the need for any change and formalisation
associated with FSMS.
An open management style where senior staff find it possible to discuss their
intentions with junior personnel is of considerable assistance when introducing any
form of change - and there will be changes when a FSMS is introduced. If a secretive
management style or tendency is perceived, the senior management will have to
think very seriously about redirecting their day to day management control to that of a
more open style.
If the work force is well established and is used to very little support from
management, any changes, however small, will be subject to some form of
resistance. Unless behaviour changes, nothing else will change. Everyone has to be
convinced that there will be some small benefit at least for them before any change
may be attempted.
P a g e | 73

LG 07-11-2018
SESSION TWO
2. PROJECT MANAGEMENT
2.1 INTRODUCTION
A project is a unique and essentially non-repetitive task which uses resources

such as labour, materials and money over a limited timescale to achieve
specific objectives.
This definition will fit many different activities and in each particular case the
organisation and procedures for control need to be designed specifically to
suit the complexity of the project and the number and range of participants
involved. Although company routines can be established they should always
be re-examined for every new project to ensure that they are applicable and
to consider if any elements can be altered in order to enhance the
achievement of particular objectives.
The non-repetitive element in the definition of a project is necessary because

of the difference in approach to a project and to normal operations when
determining the controlling factors of time and cost. In production, the
repetitive nature of the work enables time and cost elements to be calculated
from known data or actual measurement of identical activities. In
consequence, the time and cost elements used in project work are less
accurate because of the non-repetitive nature of project activities.
2.2 OBJECTIVES
The function of project management is to achieve specified objectives within

the limits of:
 FSMS – achievement of specified objectives;
 time – achievement of these results to an agreed and co-ordinated

timetable of start, duration, key event dates and completion;
 cost – conduct of the work within prescribed cost parameters of

cashflow, capital expenditure or revenue implications;
 resources – the personnel seconded either part time or full time to the
work; the money available; and the materiel available.
For successful projects it is imperative that the above parameters are agreed
at an early stage and are subsequently maintained. Clients must be made
aware that any change in project objectives or scope of work will affect one or
more of the FSMS, time and cost parameters.
P a g e | 74

LG 07-11-2018
SESSION TWO
2.2 OBJECTIVES, CONTINUED
Achieving the goals also requires:
 a defined organisation with clear responsibilities;
 control systems to monitor and report on progress;
 adequate resources (staff, time, money).
2.3 PROJECT STAGES
Projects are usually broken down into finite steps or stages to make them
more manageable. The number of stages, the terminology and the detail can
vary for each particular type of project, but there are three essential stages:
 planning stage – during which the feasibility of the project is assessed,

objectives agreed alternative solutions formulated and evaluated and an
execution programme prepared for the preferred solution;
 execution stage – in which the selected solution is implemented in

accordance with the prepared plans;
 commissioning or acceptance stage – when the completed project is put

into operation and proved against the functional and operational
specification requirements.
These three basic stages are then usually broken down into smaller steps
which vary according to the nature of the project.
For control purposes there should be an assessment at the end of each stage
by the consultant and Project Steering Committee of the organisation to
confirm that the work of the previous stage has been completed and that the
project should proceed to the next stage. A formal approval process should be
established so that those involved in the project continue to demonstrate their
commitment to its direction and objectives.
2.4 PROJECT PLANNING
A realistic and achievable plan is an essential requirement for any project and
frequently insufficient time is devoted to this stage. Depending on the
complexity of the project, plans will have to be prepared at different levels of
detail.
P a g e | 75

LG 07-11-2018
SESSION TWO
2.4 PROJECT PLANNING, CONTINUED
At the highest level, a master plan is required showing principal activities and
their timescale and especially key event dates. These plans may be in either
network or bar-chart form according to the complexity of the project.
At the lowest level, individual project team members require their own bar-
chart or even task sheets specifying exactly what they have to achieve on
each activity together with the elapsed timescale and the resource input
required.
On large projects, intermediate levels may be required covering say a specific

stage or expanding for control purposes a complex activity from the master
plan.
In addition to the activity plan, resource plans are required to demonstrate that
the activity plan is achievable with the resources available. They also serve to
inform and gain commitment from those providing resources to the project.
An example of a bar-chart plan is given in Document D06: ISO 22000:2018

Implementation Plan.
2.5 PROJECT CONTROL
Control is the process by which we ensure that the work is being done
according to the plan, thus achieving the end objectives within time and cost.
The steps in the control loop are to:
 measure actual progress;
 compare with planned progress;
 quantify and report deviations;
 re-programme to achieve original plan.
The basic requirement for control is a sound plan at a level of detail that
allows a shortfall in progress to be identified and quantified very quickly in
relation to the stage of the project.
Control is normally exercised through regular reports to the 'project manager'

and these should include any suggestions for correcting any deviation.
Remedial action can be discussed and agreed at routine progress meetings
held by the project manager.
P a g e | 76

LG 07-11-2018
SESSION TWO
2.5 PROJECT CONTROL, CONTINUED
More formal assessments are made less frequently at meetings between the
project manager and the organisation, typically at the end of a project stage or
a key event. Any requirement for revised objectives or changes to the FSMS,
time or cost parameters would be discussed at these meetings.
2.6 PROJECT ORGANISATION
At the start of any project an organisation structure should be established

which defines for all parties involved their roles, responsibilities and the
reporting structure.
The method of organising a project will depend upon the nature of the project
and the company organisation structure. However, the key to successful
project management lies in the way in which a project involving a number of
different disciplines or specialisations is managed through all its stages.
There is rarely one end user of a project and an essential part of the
organisation is a board or steering group representing all end users and
having financial authority and responsibility for the direction of the project.
This group meeting from time to time is for decision making and top level
progression.
The project manager reporting directly to this committee is responsible for the
day to day running of the project, managing the project team. Depending upon
the scale of the project, the manager may have no technical input to activities
producing the end result.
An essential function is monitoring and reporting progress to all parties,

forcing decisions where necessary so that specified objectives can be
achieved on time and within budget.
P a g e | 77

LG 07-11-2018
SESSION TWO
2.7 SUMMARY
Project Management has many similarities with business management in the

basic concepts of:
 planning;
 operating;
 controlling.
There is a need for increased emphasis during the project definition stage so
that clear objectives are agreed with an identified steering committee. The
non-repetitive nature of the work means that estimates of time and cost are
less reliable than with routine activities, thus requiring much greater attention
to planning in the early stages and control throughout the life of the project.
The non-repetitive element demands increased communication between

participants together with the coordination of activities and disciplines not
used to working together.
The management of these activities involves an understanding of some of the

basic project management tools such as:
 planning;
 estimating;
 costing;
 work packages;
 contract management (e.g. of trainers or consultants);
 progressing;
 monitoring/recording.
P a g e | 78

LG 07-11-2018
SESSION TWO
3. PROJECT MANAGEMENT TOOLS ANDTECHNIQUES
3.1 PLANNING
We need to be able to identify key activities and arrange them in sequence in

which we wish to carry them out. Almost always, it is required to run certain
activities in parallel. It is not intended that these notes contain a justification of
the need to plan a project such as the introduction of ISO 22000:2018.
To embark on a FSMS project without a clear vision of the goals and activities
along the way is simply asking for trouble: much repeated work and delays
would be inevitable without a plan.
It is most helpful to display plans in diagrammatic form and many techniques

have been developed over the years to do this. The common forms of
schematic plan are:
 bar charts;
 precedence networks; and
 arrow diagrams.
For ISO 22000:2018 implementation projects it is not normally an advantage

to expend the extra time required in formulating precedence or network plans
as compared with simple bar charts.
Typically, two bar charts are used in the implementation of an ISO

22000:2018 project: the first shows a general outline plan of the project
leader's activities up to the point where all documentation is produced; and
the second shows a general plan of activities required from commencement of
implementation up to the point of certification.
Before drawing up plans, it is recommended that specific activities involved in

the introduction of ISO 22000:2018 be listed. It may be helpful to start with a
general list of items covering a number of activities each. Then these may be
broken down into more specific tasks if necessary.
Once this list is available, the activities should be drawn up on paper in such a
way as to identify the approximate sequence. It is recommended that parallel
or overlapping activities be written onto the paper level with each other (rather
than under or over each other) so that the final result may appear somewhat
less than perfectly neat.
P a g e | 79

LG 07-11-2018
SESSION TWO
3.1 PLANNING, CONTINUED
Once this 'sequence' is established, a diagrammatic plan may be drawn up. It

then remains to put timescales and resources onto this framework.
With all diagrammatic plans, it must be remembered that there is a difference

between elapsed time and time spent on the activity/work. In other words, bar-
charts, for example, do not show clearly the actual amount of time which will
be spent on an activity: they will show the starting time and estimated finish
date. The actual time has to be noted in a separate column on a bar-chart or
listed separately.
It is recognised that it will be an out-of-the-ordinary activity for most personnel

managing an ISO 22000:2018 project to make time estimates for such work
as procedure writing and training. Nevertheless, this must be done. Targets
are needed. That these may well need adjustment in the future does not
invalidate the need for them. The issue here is that staff must feel that they
are contributing to an integrated effort. Without any target dates, work simply
does not get done.
3.2 ESTIMATING
This is used in connection with COST, TIMESCALES AND RESOURCES.

Estimating these factors is not usually easy. It is recognised that precision in
this area is rarely achieved. However, it is still most important to set target
dates by which work should be accomplished. The imposition of targets on
other members of staff should be avoided: they must be involved in the
process of setting dates for their own contributions.
Most effort is often put into the estimation of dates for completion of
documentation on ISO 22000:2018 projects, whereas the real problem area is
that of implementation: trial runs with new work instructions, new work
practices and changes for staff to cope with. It is recommended that more
than adequate time be given to allow for procedures to be tried out and
modified in conjunction with the users.
It is important to remember that it is not possible to introduce everything at

once: this is especially significant from the point of view of the project leader
who cannot be everywhere at the same time. Furthermore, existing work has
to be handled by the organisation. Normal output cannot be suspended for the
whole of the ISO 22000:2018 implementation period! The implementation plan
must not overload the project leader or the organisation.
Estimating is largely about confidence and experience. Experience of such a

narrow topic is not readily available.
P a g e | 80

LG 07-11-2018
SESSION TWO
3.2 ESTIMATING, CONTINUED
Formal estimating techniques are many and varied and include:
 definitive;
 curves;
 factoring.
Almost all rely on historical data.
Estimates often include 'estimates' of their degree of uncertainty. Estimators

will include either percentage variation comments or maximum and minimum
figures.
However, as it is unlikely that a very similar ISO 22000:2018 implementation

exercise will have been undertaken before, at least by the staff responsible,
the only technique of any value to us here, is the 'so-called' definitive
technique.
Definitive estimates are the most useful and accurate, but are time consuming
to prepare. Definitive estimation involves the analysis of all activities and the
working out of time and labour factors.
Whilst senior management may be interested in cost, once the decision to go

for ISO 22000:2018 implementation has been made, the time frame is often
the critical factor. This then dictates the labour requirement and thus cost.
This is really the only practicable technique for ISO 22000:2018 projects.
Nevertheless, it must be accepted that estimating activities which have not

been tackled before will inevitably introduce a high degree of uncertainty.
Typically, such estimates will be no better than plus or minus 30%.
Curves require considerable historical data and rely heavily on good labour
estimates. They are not normally a practical technique with ISO 22000:2018
implementation projects and the same comment as above applies: it is very
difficult to draw conclusions from ‘previous’ similar projects as they may well
have been none.
Factoring is usually associated with projects where hardware is concerned:

previous costings are simply adjusted for inflation. This technique is
unsuitable for ISO project purposes.
P a g e | 81

LG 07-11-2018
SESSION TWO
3.3 COST ESTIMATING
This will be needed more and more as the profit centre ethos pervades. It is
important to explain that with project work; complete accuracy is not a
reasonable proposition.
It is not common to make accurate cost estimates when embarking on ISO

22000:2018 implementation projects, but there will be increased pressure for
this in future: hence the inclusion of this section. It is time-consuming to do
and may be very inaccurate as a result of inexperience in estimating the type
of activity involved in ISO 22000:2018 project work.
All good estimates whether involving cost or not should contain a

'contingency' factor. Contingency is usually taken to mean the possibility of an
uncertain event occurring. When producing definitive estimates, it is usual for
contingency factors of 10 to 30% to be included in every calculation. In very
formal work this may be stated on the cost/time/resource sheet.
Estimating accuracy and contingency can be done in various ways. The usual
method is as follows:
 high estimate (unlikely to be exceeded);
 most likely estimate;
 low estimate (unlikely to under-run).
If there is time it is possible to produce three estimated values for each

activity. The three values must reflect a well-defined basis and be clearly
related to available information.
With ISO 22000:2018 implementation projects, concentration is normally

levied on time rather than cost estimates.
Time overruns may cause a number of difficulties not the least being
increased expenditure. Additionally, depending upon the reason for
embarking on ISO 22000:2018 it may well be that market requirements are
not met (customer deadlines not met) or that safety and Food and Safety
policy targets are not met. Time overruns need to be considered. Besides
miss-estimation, other causes of delay may include:
 organisational changes;
 change in management style;
 industrial relations;
 market condition variations.
P a g e | 82

LG 07-11-2018
SESSION TWO
3.3 COST ESTIMATING, CONTINUED
Contingency may form the largest item in any estimate and forecasting has to
be based on experience. It is important to give individual estimates (e.g. using
cost/time/resource sheets) for each activity so that rescheduling or re-phasing
in the event of any problems does not have a major effect on the total
programme.
Work packages are a very useful way of delegating specific project activities
to individuals other than the project leader. This technique lends itself
particularly well to the early phases of an ISO 22000:2018 implementation
project. This is a very simple technique which relies on a very clear
description of a discreet piece of work being given to the 'doer'. For example,
if someone is being asked to produce a work instruction, the work package
may consist of:
 the scope of the work instruction;
 the timescale for its production;
 the timescale for its review;
 the committee to review it;
 format for producing the work instruction;
 request for report on total time expended.
Monitoring / progressing project implementation will mean that the project

leader has to review all work packages at regular intervals to see where
bottlenecks occur and where help and support is needed. In the event of
problems / difficulties it may well be that authority is needed to place a higher
priority on ISO 22000:2018 work. Alternatively, in extremis, extra resourcing
may need to be sought to maintain programme.
The “STEPS” referred to in the project plans (see attachment D09) lend
themselves to being described as work packages. See Session 3 for details.
For ISO 22000:2018 projects, shading in bars on bar charts is a better way of
monitoring progress. There are various graphical techniques which may be
used for measuring actual results against planned progress.
Typically, the first 90% of any activity occupies 90% of the planned time and
the final 10% of the activity takes up another 90% of the planned time. It is not
recommended that S-curve techniques be used for ISO 22000:2018
implementation projects. Nevertheless, the project leader has to have an
overall feel for actual versus planned progress.
P a g e | 83

LG 07-11-2018
SESSION TWO
3.3 COST ESTIMATING, CONTINUED
It is very important to identify potential problem areas so that action may be

taken ahead of time to prevent any effects on the overall project timescales.
The project leader will need to have an overall picture of progress on all
activities and packages at any one time and this should be related to the bar
chart which was suggested it would be advisable.
Typically, methods of assessing progress and recording that progress would

result in a simple technique such as that of shading in the bars on a planning
chart to indicate percentage achievement of any particular activity.
P a g e | 84

LG 07-11-2018
SESSION TWO
ACTIVITY 2: PROJECT RESPONSIBILITIES FOR INVOLVED STAFF

PURPOSE
 To allow you the opportunity to determine project responsibilities.
TASK
 In your teams, determine the project responsibilities for each of the following
individuals or groups involved in an ISO 22000:2018 implementation project:
 project leader;
 internal auditors;
 senior management;
 steering committee member;
 all staff.
OUTPUT
 Feedback of your findings to the class.
TIME ALLOWED
P a g e | 85

LG 07-11-2018
SESSION TWO
P a g e | 86

LG 07-11-2018
SESSION TWO
ACTIVITY 3: PLANNING KEY IMPLEMENTATION PROJECT

ACTIVITIES
PURPOSE
 To allow you the opportunity to develop sequential activities for the implementation
of ISO 22000:2018 in a medium sized company.
TASK
 In your teams, without recourse to the material discussed in the learner guide or
attached documents, devise a list of sequential activities which you believe would
take a medium sized organisation through a project to implement ISO 22000:2018.
OUTPUT
TIME ALLOWED
P a g e | 87

LG 07-11-2018
SESSION TWO
P a g e | 88

LG 07-11-2018
SESSION THREE
Session Three
Project Steps involved in ISO

22000:2018 Implementation
P a g e | 89

LG 07-11-2018
SESSION THREE
PROJECT STEPS INVOLVED IN ISO 22000:2018 IMPLEMENTATION

OBJECTIVES
 understand and explain the steps of a possible plan for implementing ISO
22000:2018 FSMS.
KEY POINTS
 Project implementation steps.
 FSMS risks.
 Food safety legislation.
 Significant risks.
 Risk and legislation registers.
 Gap analysis.
 Gap analysis results.
 Food safety issue responsibilities.
 Steering group.
 FSMS manual.
 Procedures and work instructions.
 Implementation and monitoring.
 Internal audit programme.
 Certifying body.
 Management review.
 Final assessment.
P a g e | 90

LG 07-11-2018
SESSION THREE
PROJECT STEPS INVOLVED IN ISO 22000:2018 IMPLEMENTATION

1. INTRODUCTION
This session shows a plan of steps involved in implementing a FSMS. The plan is
also tabulated in the handouts, Document D06: ISO 22000:2018 Implementation
Plan and outlined at the end of Session 7.
2. A POSSIBLE PLAN FOR IMPLEMENTATION
2.1 STEP 1: ESTABLISHING AND LISTING FSMS RISKS
Focusing on individual processes, an organisation’s activities can be

represented by a box diagram showing:
 inputs(raw materials, and energy);
 activities;
 controls;
 outputs (products, intermediaries or services).
There is no substitute for walking around premises, especially externally

looking for actual and potential hazards to food safety.
2.2 STEP 2: DETERMINING AND LISTING APPLICABLE FOOD SAFETY

LEGISLATION
Managers must ensure that their organisation is operating within regulatory

guidelines. (Operating within legal requirements is also a minimum
requirement which will be needed to achieve certification to ISO 22000:2018.)
An organisation should initially review its activities / operations with respect to

food safety risks. Only after establishing which processes are significant is it
necessary to consider the regulatory register.
The register of food and safety regulations must be relevant to the

organisation, and should be drawn up by someone with knowledge of the
processes and operations involved, the relevant regulations and the
requirements governing them.
P a g e | 91

LG 07-11-2018
SESSION THREE
2.2 STEP 2: DETERMINING AND LISTING APPLICABLE FOOD SAFETY

LEGISLATION, CONTINUED
The sources of information are varied and include, among other things:
 company/organisation codes of practice;
 government consultation papers;
 government circulars;
 government guidance papers;
 government approved codes of practice;
 industry sector codes of practice;
 international conventions;
 regulators’ guidance notes;
 trade bodies and journals;
 municipal authorities (e.g., environmental health and trading standards

in the UK);
 the internet.
2.3 STEP 3: ESTABLISHING THE SIGNIFICANCE OF RISKS
The principal indication as to whether environmental effects are significant, is

if the effects are subject to food safety regulations. However, there are other
issues.
For details on establishing the significance of risks, see document D03 –

Assessing the Significance and Risk of Food Safety Issues.
P a g e | 92

LG 07-11-2018
SESSION THREE
2.4 STEP 4: FINALISING REGISTERS OF HAZARDS/RISKS AND

LEGISLATION AND PRODUCING A PLAN OF ACTION TO ADDRESS
ISSUES
Again, reference should be made to documents DO2 and DO3 – Assessing

the Significance and Risk of Food Safety issues.
2.5 STEP 5: PRODUCING PROCEDURES TO CONTROL, MAINTAIN AND

UPDATE THE REGISTERS OF RISKS AND LEGISLATION.
Those familiar with quality management systems will understand the need to
implement document control to maintain up to date information in the
business.
Formal document control procedures will be necessary to ensure that the

registers of effects and legislation are so maintained. If the organisation/
business has formal document control procedures, these may be adapted to
cover food safety issues.
2.6 STEP 6: GAP ANALYSIS OF CURRENT SYSTEMS
Document D05: ISO 22000:2018 Gap Analysis in the handouts contains a gap
analysis questionnaire. It is recommended that this is used to determine what
is needed to continue towards ISO 22000:2018 certification.
Note: the sections in the gap analysis on hazards/risks (section 6.1 in ISO
22000:2018) and legislation should NOT need to be covered as this work will
have been done during Phase 1, Steps 1 to 5 above.
2.7 STEPS 7, 8 AND 9: REVIEW OF GAP ANALYSIS RESULTS;

ESTABLISHMENT OF FOOD SAFETY ISSUE RESPONSIBILITIES; AND
PRODUCTION OF PLAN TO ACHIEVE ISO 22000:2018 CERTIFICATION
A consultant or internal project leader (or both) should analyse the results of
the gap analysis questionnaire and explain to the organisation’s management
exactly what is required to continue with the project to achieve ISO
22000:2018 certification.
At this stage, the consultant or internal project leader needs to ensure that
responsibilities for all food and safety issues are allocated to appropriate staff
and that arrangements are put in hand to inform junior staff of their
responsibilities too.
P a g e | 93

LG 07-11-2018
SESSION THREE
2.7 STEPS 7, 8 AND 9: REVIEW OF GAP ANALYSIS RESULTS;

ESTABLISHMENT OF FOOD SAFETY ISSUE RESPONSIBILITIES; AND
PRODUCTION OF PLAN TO ACHIEVE ISO 22000:2018 CERTIFICATION,
CONTINUED
The consultant or internal project leader can then plan in some detail all the
subsequent steps necessary to achieve certification. The plan needs to
specify the workload split between the various involved parties.
2.8 STEP 10: APPOINTMENT OF STEERING GROUP
As with a quality or environmental system implementation project, in the case

of larger organisations, a ‘steering’ committee of senior managers needs to be
set up to monitor the project's progress and authorise resource allocation to
the project.
Resourcing is a matter of money and personnel. The project plan should give
a very clear idea of resourcing required at each stage of the project.
The responsibility of the steering committee is to agree and monitor progress.

In a small organisation, the steering committee may be the project leader
alone.
However, it is vital that the most senior people in the organisation meet
regularly to support the project leader and ensure that work delegated to staff
is completed on time.
2.9 STEP 11: DETERMINE POLICIES AND PRODUCE A FSMS MANUAL
Most organisations work from a hierarchy of documented management

controls. At the top of the pyramid are set out the policies. Immediately below
these are procedures describing processes and their controls.
A FSMS manual is the vehicle usually used to set out all relevant detailed
policy matters affecting food management issues. The detailed policies on
each clause of ISO 22000:2018 are additional to the overall and general
FSMS policy statement (refer to Session 1 and ISO 22000:2018, clause 4.3).
Although there is no requirement in ISO 22000:2018 to have a ‘top level’

manual, it is found in practice to be very useful in setting the framework for the
FSMS.
P a g e | 94

LG 07-11-2018
SESSION THREE
2.9 STEP 11: DETERMINE POLICIES AND PRODUCE A FSMS MANUAL,

CONTINUED
There are various ways of structuring such a manual:
 following the index or structure of the relevant part of ISO 22000:2018.

This may not be functionally convenient, but ensures that all
requirements are covered;
 utilising an existing quality or environmental systems manual and

‘grafting’ onto it the policies and procedure references necessary to
address issues unique to environmental matters. Now that the Annex
SL clause structure of management system standards is very much the
same, we can assimilate food management requirements into an
existing manual relatively easily.
There are no rules concerning the content or structure of management system

manuals (as, indeed, there is no requirement to have one). Nevertheless,
there are now expectations and conventions surrounding manuals. In most
cases the manual is the vehicle used solely for the exposition of detailed
management policies.
However, in some smaller organisations it has proven highly successful to

include some procedures and even work instructions in this key document.
The purposes of a FSMS manual are to:
 interpret ISO 22000:2018 terminology in terms which local staff will

understand;
 inform certification bodies and auditors of their intents and policies.
An example of a food and safety policy manual is provided in the handouts.
P a g e | 95

LG 07-11-2018
SESSION THREE
2.10 STEP 12: CATALOGUING EXISTING MATERIAL AND LISTING

ADDITIONAL PROCEDURES AND WORK INSTRUCTIONS
Once the policies have been established and captured in a manual, it is

advisable to collect all existing documents, format sheets and forms in current
usage and which relate to food safety matters.
It is not to be expected that there will be very much. Nevertheless, this

exercise can avoid the effort of writing procedures on blank sheets of paper
and the unnecessary re-invention of wheels.
All useful material must be collected and catalogued. It should then be

possible to use this material as is, or use it to re-write procedures or additional
risk assessments and hazard analysis.
It is important to compare existing working practices with existing documents

and with the practices which management need implemented at this stage.
Again, any changes needed should be noted.
2.11 STEP 13: PLANNING THE TRAINING PROGRAMMES
Document D08: Training Package Specifications in the handouts details the

training necessary for staff at all levels. Nevertheless, some guidance is given
here.
 Senior staff training needs to include what the:
 philosophy of ISO 22000:2018 is (i.e., prevention of accidents);
 benefits of ISO 22000:2018 are and that these must be spelled

out to junior staff.
 Junior staff training needs to include simple, initial awareness training

concerned with the fact that it will be policy to introduce ISO
22000:2018, explaining in relatively little detail at this stage what it
means.
As junior staff become involved in procedure writing or review, it may be

necessary to give them more training in this area.
P a g e | 96

LG 07-11-2018
SESSION THREE
2.11 STEP 13: PLANNING THE TRAINING PROGRAMMES
 Summary:
 It is likely that the following training steps will need to be

addressed:
 ISO 22000:2018 awareness training for senior staff;
 procedure writing training for those involved;
 internal audit training for staff who will do this;
 short seminars at the beginning of the implementation

project to allay the fears of junior staff;
 on the job briefing/training for staff with new procedures/

work instructions to follow.
The timing of the training above is vital. Much of this training needs to take
place at quite an early stage of the project, if not the start. The consultant will
need to advise on this.
2.12 STEP 14: IMPLEMENT THE PLANNED TRAINING PROGRAMMES ABOVE
2.13 STEP 15: WRITING ALL NECESSARY PROCEDURES AND WORK

INSTRUCTIONS (ORGANISATION STAFF SHOULD DO MOST OF THIS)
Procedures must concentrate on key process activities and controls which

can cause damage to persons or cause ill-health. ISO 22000:2018 requires
objectives to be set for food and safety improvement and so ideally,
measurements need to be made where possible or statistics collected.
There are three common ways of presenting procedures and work

instructions:
 written words;
 photographs/diagrams/cartoons;
 flowcharts or similar.
P a g e | 97

LG 07-11-2018
SESSION THREE

INSTRUCTIONS (ORGANISATION STAFF SHOULD DO MOST OF THIS),
CONTINUED
Unless few written words are presented, it is often the case that personnel do
not read and thoroughly take on board the requirements specified. The result
of this is that what management think should happen does not. It is vital to
present written procedures and instructions in as digestible a form as
possible.
Photographs etc. are very useful where simple activities need to be described
(e.g. where people cannot read) or where physical work is concerned and the
safe use of tools, equipment and actions are difficult to explain otherwise.
Flowcharts often give the best picture where a sequence needs to be

described. The best procedures and instructions often combine these
methods.
A contents' list for a procedure may typically contain:
 purpose/introduction;
 scope;
 responsibilities;
 references and definitions;
 prerequisites;
 outline of the work
 how the job should be done in detail (instruction)
 records
 figures / proformae / tables / illustrations etc.;
 quality controls (or reference thereto).
The purpose will identify the objective(s) of the procedure (or work
instruction). The scope (what you 'look at') will itemise what activities and
work areas are covered. The references will include such items as company
documents, drawings etc., and national and international standards.
P a g e | 98

LG 07-11-2018
SESSION THREE

INSTRUCTIONS (ORGANISATION STAFF SHOULD DO MOST OF THIS),
CONTINUED
Records should be kept to 'demonstrate achievement of good performance'.

The extent of record keeping must be specified very carefully - it is easy to
overstate requirements here. What 'demonstrates achievement of quality' is a
management decision.
Figures etc. may assist with the implementation of the procedure.
Once it has been determined that a specific procedure or work instruction is

necessary, it is vital that the scope of the procedure or work instruction be
written. This will ensure that the procedure/work instruction:
 focuses on food and safety matters;
 does not overlap with other instructions;
 forms part of a coherent set of procedures;
 written by a group of people does not conflict with other procedures.
The importance of defining the scope of the procedure or work instruction at

as early a stage as possible cannot be over-emphasised. There will be
difficulties if this is not done.
The next step is to see if any existing written or verbal procedures are of use.
In the absence of these, current work practice must be carefully evaluated.
It is vital at this point to consult with the people who will use the procedure
and indeed ideal if they themselves can be persuaded to produce this
document:
 find out what exists in written or unwritten form;
 does it need changing?;
 consult the 'doers';
 ensure that procedures focus on environmental matters;
 persuade the 'doers' to document the procedure only if necessary.
P a g e | 99

LG 07-11-2018
SESSION THREE
2.14 STEP 16: IMPLEMENTING AND MONITORING PROCEDURES/WORK

INSTRUCTIONS
Wherever possible, procedures should be tried out in draft form before formal
approval and issue.
Note: If legal requirements dictate, there is no choice as to whether the

procedure has to be implemented or not. In this case, pilots are not ideal. The
whole organisation must implement the required procedure.
Legal requirement or not, implementation of a procedure is not simply a

matter of ‘throwing’ it to staff and expecting them to follow the instructions
implicitly. It may be necessary to follow through a number of activities:
 training;
 instruction; and
 supervision.
If difficulties are encountered with a procedure, it must be amended.

Implementation should not be underestimated – it is a very time-consuming
exercise for managers and supervisors.
The first step in monitoring procedure implementation is to ensure that

adequate records are maintained of the process/operation concerned. In
addition, supervision should be able to determine satisfactory operation.
Where changes are necessary, these should be discussed in detail with all
those concerned as per initial implementation. It should be noted that where
organisations are operating to ISO 22000:2018 and legal dictates, there may
be requirements which staff do not realise they cannot countermand. This
needs to be explained by management.
2.15 STEP 17: IMPLEMENTATION AND ASSISTANCE WITH THE INTERNAL

AUDIT PROGRAMME (EXCLUDES TRAINING OF ORGANISATION
STAFF)
This process will check that the FSMS controls of the organisation are
operating and are effective. This is an essential activity prior to assessment.
Certification bodies often insist on formal training in this area and provision
may have to be made for external training courses.
P a g e | 100

LG 07-11-2018
SESSION THREE
2.16 STEP 18: SELECTION OF CERTIFYING BODY
Negotiations have to be made to ensure that the most appropriate certification

body is chosen to carry out the assessment of the organisation. Many factors
have to be considered, not the least being the perception of the market into
which the organisation will be selling. This may be more significant than cost.
2.17 STEP 19: MANAGEMENT REVIEW
A full management review (ref: ISO 22000:2018, Section 9.3) needs to be

undertaken before final assessment. This is some indication that the food and
safety management system is operating as intended. Records must be
available to prove this, however.
2.18 STEP 20: FINAL ASSESSMENT – BY CHOSEN CERTIFICATION BODY
Planning has allowed for the consultant to attend for only half a day: it is
recommended that the last half day of the assessment is appropriate and then
any resulting issues can be discussed with the organisation management.
P a g e | 101

LG 07-11-2018
SESSION THREE
P a g e | 102

LG 07-11-2018
SESSION FOUR
Session Four
Designing the
Documented FSMS
P a g e | 103

LG 07-11-2018
SESSION FOUR
DESIGNING THE DOCUMENTED FSMS

OBJECTIVES
 understand and explain the primary activities of the overall plan;
 conduct a gap analysis.
KEY POINTS
 Status evaluation.
 System design changes.
 Implementation.
 Internal audits.
 Project close-out.
P a g e | 104

LG 07-11-2018
SESSION FOUR
DESIGNING THE DOCUMENTED FSMS

1. INTRODUCTION
This session gives more detail than the overall plan (Document D06 and Session 3
above) in relation to some key activities. It should be used to assist with
implementation in conjunction with D06 and Session 4. It also briefly mentions
training needs in Session 3.
2. KEY PROJECT ACTIVITIES
The primary activities on the project are as follows:
 A. Status evaluation:
 appointment of the project leader;
 gap analysis;
 discuss gap analysis with senior management.
 B. System design changes:
 changes to or introduction of a FSMS manual (especial focus on

context of the organisation and worker participation);
 determination of additional procedures needed;
 assessing the value of existing procedures and determining any

possible changes needed;
 organisation structural changes if any;
 performance management system design changes and determination

of additional record keeping;
 determination of improvement needs to achieve ISO 22000:2018.
 C. Implementation:
 actual procedure writing;
 implementation and monitoring of procedures;
 record keeping.
P a g e | 105

LG 07-11-2018
SESSION FOUR
2. KEY PROJECT ACTIVITIES, CONTINUED
 D. Internal audits:
 internal audit schedule changes;
 corrective actions.
 E. Project close-out
 enhanced management review;
 certification transition arrangements.
No Activity
 Commencement of Project.
A1
 Appointment of Project Leader.
 Status evaluation.
 Determination of the overall company business and FSMS
objectives.
A2  Meeting with the management to discuss status of internal
awareness.
 Project management training.
 Senior management awareness training.
A3  Plan the initiative in detail, including reviews.
 Changes to / development of FSMS manual.

B1
 include context of the organisation and interested parties.
 Determination of additional procedures / risk assessments needed.

 Assessing the value of existing procedures / risk assessments and
B2
determining any possible changes needed.
 (See Gap Analysis – document D05.)
P a g e | 106

LG 07-11-2018
SESSION FOUR
2. KEY PROJECT ACTIVITIES, CONTINUED
No Activity
 Organisational structural changes if any.

B3  Determination of the organisation chart.
 Determination of basic responsibilities.
 Performance management system design changes and

determination of additional record keeping.
B4  Determination of the FSMS and objectives.
 Determination of monitoring and measurement methods.
 Determination of any new records needed.
B5  Determination of improvement needs to achieve ISO 22000:2018
 Document writing.
C1  Procedure and additional risk assessment writing.
 Writing training?
 Trialling, implementation and monitoring of FSMS documentation in

practice.
C2
 Implementation of “to-be” processes.
 Monitoring and reviewing FSMS document implementation.
C3  Record keeping.
 Internal auditing.
 Internal audit update training.
D1
 Internal audit schedule changes.
 Corrective actions.
E1  Management Review.
 Certification.
E2
 Confirm (transition) arrangements.
P a g e | 107

LG 07-11-2018
SESSION FOUR
3. SUMMARY OF POSSIBLE TRAINING REQUIREMENTS
Phase Training
Preparation Project management (project leader).
System review Project steering group awareness.
Internal audits Internal auditing.
Status evaluation General staff awareness.
Status evaluation Senior management awareness.
Note: External help may combine these training approaches according to the size
and competence of the organisation, especially when the procedure writing group
and project steering group are the same personnel.
P a g e | 108

LG 07-11-2018
SESSION FOUR
ACTIVITY 4: FSMS DOCUMENTATION AND GAP ANALYSIS

PURPOSE
 To allow you the opportunity to identify omissions or errors regarding ISO

22000:2018 requirements and complete a gap analysis.
TASK
 In your teams:
 review the following documentation for Montgomery Scott:
 MF Food Management Manual 18001;
 MF Audit Questionnaire;
 MF Internal Audit Schedule 18001;
 MF Management Review Agenda;
 MF Objectives;
 MF Food Management Policy;
 MF Food Management Procedures;
 MF Organisation Chart;
 MF Safety Procedures SP1.
 identify any omissions or errors regarding ISO 22000:2018 requirements;
 complete the gap analysis in document D05 provided.
OUTPUT
TIME ALLOWED
P a g e | 109

LG 07-11-2018
SESSION FOUR
P a g e | 110

LG 07-11-2018
SESSION FIVE
Session Five
Implementing New Procedures

and Processes
P a g e | 111

LG 07-11-2018
SESSION FIVE
IMPLEMENTING NEW PROCEDURES AND PROCESSES

OBJECTIVES
 identify responsible resources;
 understand and explain the requirements for implementing new procedures and
processes.
KEY POINTS
 Importance of people.
 Initiative.
 Motivation and commitment.
 Change management.
P a g e | 112

LG 07-11-2018
SESSION FIVE
IMPLEMENTING NEW PROCEDURES AND PROCESSES

1. THE IMPORTANCE OF PEOPLE
No FSMS can function properly unless people:
 believe in it;
 are committed to providing a safe environment; and
 are motivated to follow the system.
A documented FSMS cannot cover all areas of an organisation’s functions in depth,

and indeed should not attempt to, as there will be many areas where initiative will
be required.
If staff are not committed to FSMS implementation, then the system will fail. There
are thus two key elements to proper FSMS:
 a flexible, responsive and helpful food and safety system (some of which will
be documented); and
 commitment of all staff to serving customers properly.
One without the other will not function correctly and will not provide safe and
healthy working practices. This session deals with the 'people' aspect of food and
safety, which is so vital for the provision of safe working.
2. INITIATIVE
One of the hardest areas of implementing a FSMS is in deciding what procedures

need to be closely defined and, where necessary, documented, and what can be
left up to individual initiative.
Too much control and staff become de-motivated. They 'follow the book', don't
respond to individual problems and are perceived as unhelpful by customers.
However, food safety must be the driving factor in making this determination.
For example:
"Our procedure is that you have to fill in these three forms in duplicate and get them
signed by someone else. Then go to another office and hand them in."
" But all I wanted was some advice and help. Surely you can do that."
P a g e | 113

LG 07-11-2018
SESSION FIVE
2. INITIATIVE, CONTINUED
"No, I've explained our procedure and we have to follow it."
How many times have you as a manager been faced by that sort of attitude and
there is nothing you can do about it? It is infuriating, and probably not very pleasant,
for the staff, who have to suffer verbal abuse for a system they did not create.
However, go too far the other way without proper support and staff complain that
they do not know what to do, don't know how to proceed, have been left on their
own to face tricky situations etc.
It is up to management to get the whole system right so that everyone feels properly
supported but able to use their initiative when needed, and committed to using their
initiative. This is what good management is all about: getting the best out of staff
and satisfying customers.
The question that must always be asked is - are (documented) procedures or risk
assessments needed here in order to ensure a safe outcome? ISO 22000:2018
deliberately does not define the form of procedures needed and only requires
documentation in a few cases, again without defining the form of documentation.
So, it is very much up to managers to decide what level and form of procedures are
required and when they are required.
It is of course easier to audit against documented procedures but this is no reason

for insisting on them. If a system works without such procedures and staff know
exactly how to respond properly to all situations that arise, then the Food and
Safety system is working.
3. MOTIVATION AND COMMITMENT
ISO 22000:2018 mentions commitment in a number of clauses, especially on the

part of top management. No FSMS can properly work without staff being committed
to it and motivated to follow it.
Unfortunately, it is not possible to measure motivation and commitment simply,

although it is quite easy to spot those organisations that have it and those that do
not. It is also not possible to devise a simple procedure to ensure that staff are
committed.
P a g e | 114

LG 07-11-2018
SESSION FIVE
3. MOTIVATION AND COMMITMENT, CONTINUED
This is again the art of good management of course. A 'food safety' manager will
ensure that her/his staff are committed and will motivate them properly. This means:
 leadership – inspiring by vision, enjoying change, encouraging active

participation by all staff;
 constant improvement in self and others;
 obsession with listening;
 empowering staff to set their own standards and monitor themselves;
 being out and about, listening, watching, encouraging;
 training and retraining.
Managers obtain commitment most of all by being committed themselves and

demonstrating it, and by being consistent – i.e., not demanding one standard of
their staff whilst actually delivering a different standard themselves.
Putting all the above together results in an organisation with the right level of
defined standards and procedures whilst leaving staff the initiative to perform
properly in undefined situations and give customer satisfaction.
4. CHANGE MANAGEMENT
Inevitably, the introduction of ISO 22000:2018 will introduce some changes to

working practices at all levels in the organisation. Change is almost always resisted
particularly where staff involvement in decision making or information dissemination
is low.
We return to the subject of management style: change is more easily accomplished

where an open relationship exists between staff at different levels. A lack of
knowledge of impending changes produces a fear of the unknown, suspicion and a
mistrust of the motives of management in wanting to introduce any change.
P a g e | 115

LG 07-11-2018
SESSION FIVE
4. CHANGE MANAGEMENT, CONTINUED
Staff may perceive change as a threat to their workplace security. Senior staff need
to be told:
 what the philosophy of ISO 22000:2018 is (i.e., improved management control

and producing safe food ‘right first time');
 that managing change resulting from the introduction of ISO 22000:2018 is

hugely demanding of their time;
 what the benefits of ISO 22000:2018 are and that these must be spelled out
to junior staff;
 that the 'quick-fix' mentality is not sufficient to meet ISO 22000:2018

requirements: long term, permanent improvement is needed.
Senior staff need training in ISO 22000:2018 understanding, improvement and

change management.
Junior staff need to be given simple, initial awareness training concerned with the
fact that it will be policy to introduce ISO 22000:2018 and explaining in relatively
little detail at this stage what it means. As junior staff become involved in procedure
writing or review, it may be necessary to give them more training in this area.
Once procedures and work instructions are produced, it will be necessary to expend
more management effort in training and supervising junior staff in new methods and
practices. Simply leaving staff with pieces of paper to follow is wholly inadequate.
It is likely that the following training steps will need to be addressed:
 ISO 22000:2018 awareness training for senior staff;
 procedure writing training for those involved;
 facilitation skills for project implementers;
 short seminars at the beginning of the implementation project to allay the

fears of junior staff;
 on the job training for staff with new procedures/work instructions to follow.
P a g e | 116

LG 07-11-2018
SESSION FIVE
ACTIVITY 5: WRITING NEW PROCEDURES AND RISK

ASSESSMENTS
PURPOSE
 To allow you the opportunity to identify responsible resources for writing new
procedures and reviewing risk assessments.
TASK
 In your teams discuss and list who should be:
 responsible for writing new procedures – it may be different persons for

different procedures;
 involved in reviewing risk assessments for staff and visitors / contractors.
OUTPUT
TIME ALLOWED
P a g e | 117

LG 07-11-2018
SESSION FIVE
P a g e | 118

LG 07-11-2018
SESSION SIX
Session Six
Reviewing and Assessing

Implementation Progress
P a g e | 119

LG 07-11-2018
SESSION SIX
REVIEWING AND ASSESSING IMPLEMENTATION PROGRESS

OBJECTIVES
 understand the extent of the review processes through the life of the project;
 understand and explain the 20 key steps involved in implementing ISO 22000:2018
and the typical deliverables to be expected;
 understand and explain a typical project plan showing elapsed time to end of project
and possible project leader / consultancy input in terms of days;
 develop an internal audit schedule.
KEY POINTS
 Project process reviews.
 Phase 1 and 2 activities.
 Typical deliverables.
 Internal audit schedule.

SESSION SIX
REVIEWING AND ASSESSING IMPLEMENTATION PROGRESS

1. INTRODUCTION
The purpose of this session is to explain what project progress reviews should take
place. To this end, two tables are presented showing:
 firstly, typical deliverables; and
 secondly, approximate timescales from the start of the project as to when

those deliverables should be available for review.
It is important that the review process should involve the so-called ‘steering
committee’ as they have the authority to allocate additional resourcing if project
timescales are slipping. This session finishes with an activity to enable you to
understand the extent of the review processes through the life of the project.
2. THE 20 KEY STEPS INVOLVED IN IMPLEMENTING ISO 22000:2018 AND

THE DELIVERABLES TO BE EXPECTED
Review
Step Activity Typical Deliverables
Responsibility
Activities for Phase 1
Establish and list food
1 Actual list of risks
safety risks
Determine and list Actual list of legislation and
2 applicable food safety other compliance
legislation requirements
Establish significance Calculations and table of
3
of risks risks
Finalise registers of
risks and legislation
Actual registers of risks &
4 and produce plan(s) of
legislation
action to address
issues
Produce procedures to
Document control
5 control, maintain and
procedures
update registers
P a g e | 121

LG 07-11-2018
SESSION SIX

THE DELIVERABLES TO BE EXPECTED, CONTINUED
Review
Responsibility
Gap analysis of current Gap analysis checklist

6
systems Status evaluation report
Status evaluation meeting

Review of gap analysis report (optional)
7
results Plan with agreed
deliverables and training
Establish food and
8 Job descriptions
safety responsibilities
Plan project in more
9 Implementation project plan
detail
10 Appoint steering group -
FSMS manual (or modified

Determine policies and
11 quality manual)
produce FSMS manual
FSMS policy and objectives
List of procedures /
Catalogue existing
additional risk assessments
material and list
12 / PRP and HACCP
additional procedures
documentation requiring to
and work instructions
be written
Plan training
13 Training plan
programme
14 Implement all training
Write all necessary

procedures and work
15 instructions Procedures
(organisation’s staff will
do most of this)
Implement and monitor
16 procedures/work -
instructions
P a g e | 122

LG 07-11-2018
SESSION SIX

THE DELIVERABLES TO BE EXPECTED, CONTINUED
Review
Responsibility
Implement and assist
with internal audit
17 programme (excludes Audit Reports
training of
ORGANISATION staff)
18 Select certifying body -
Hold management
19 Minutes
review
20 Final assessment
The list of deliverables above needs to be checked at the appropriate time. The
plan on the next page will show WHEN the activity generating the deliverable
should be complete. The review should take place at that point.
The responsibility for the review of any given deliverable is the subject of the activity
at the end of this session.
P a g e | 123

LG 07-11-2018
SESSION SIX
3. TYPICAL PROJECT PLAN SHOWING ELAPSED TIME FOR ACTIVITIES UNTIL THE END OF THE PROJECT
Month /
Activities for Phase 1 1 2 3 4 5 6 7 8 9 10 11 12
Step
1 Establish and list food safety risks
2 Determine and list applicable food safety legislation
3 Establish significance of risks
Finalise registers of risks and legislation and produce

4
plan of action to address issues
Produce procedures to control, maintain and update

5
registers
6 Gap analysis of current systems
7 Review of gap analysis results
8 Establish food and safety responsibilities
9 Plan project
10 Appoint steering group
Determine policies and produce food and safety

11
management systems manual
P a g e | 124

LG 07-11-2018
SESSION SIX
3. TYPICAL PROJECT PLAN SHOWING ELAPSED TIME FOR ACTIVITIES UNTIL THE END OF THE PROJECT,
CONTINUED
Month /
Activities for Phase 1 1 2 3 4 5 6 7 8 9 10 11 12
Step
Catalogue existing material and list additional

12 procedures, work instructions, PRP and HACCP
documentation needed
13 Plan training programmes
14 Conduct Training (probably with assistance)
Write all necessary procedures, work instructions / risk

15
assessments (ORGANISATION staff will do most of this)
16 Implement and monitor procedures/risk assessments
Implement and assist with internal audit programme

17
(excludes training of ORGANISATION staff)
18 Select certifying body -
19 Hold Food and Safety Management Review
20 Final assessment
P a g e | 125

LG 07-11-2018
SESSION SIX
ACTIVITY 6: RESOURCES RESPONSIBLE FOR DELIVERABLES

PURPOSE
 To enable you to understand the extent of the review processes through the life of
the project.
TASK
 In your teams discuss the table of activities, identify and list:
 Who should review the deliverables and approve the results?
 How long should be spent assessing each deliverable?
 What should happen if there are deficiencies?
OUTPUT
TIME ALLOWED
P a g e | 126

LG 07-11-2018
SESSION SIX
P a g e | 127

LG 07-11-2018
SESSION SIX
ACTIVITY 7: DEVELOPING AN INTERNAL AUDIT SCHEDULE

PURPOSE
 To enable you to develop an internal audit schedule.
TASK
 In your teams develop an internal audit schedule for the company whose
documentation you reviewed in activity 4.
OUTPUT
TIME ALLOWED
P a g e | 128

LG 07-11-2018
SESSION SIX
P a g e | 129

LG 07-11-2018
SESSION SIX
P a g e | 130

LG 07-11-2018
SESSION SEVEN
Session Seven
The Certification Process and

Preparing for it
P a g e | 131

LG 07-11-2018
SESSION SEVEN
THE CERTIFICATION PROCESS AND PREPARING FOR IT

OBJECTIVES
 understand and explain the sequence of activities involved from securing a

quotation to final audit;
 understand and explain the final activities prior to the certification audit;
 understand and explain how to prepare staff for the certification audit;
 develop a management review agenda.
KEY POINTS
 Stage 2 site certification audit.
 Audit stages.
 Outcomes of an audit.
 Certification cost.
 Key activities prior to a certification audit.
P a g e | 132

LG 07-11-2018
SESSION SEVEN
THE CERTIFICATION PROCESS AND PREPARING FOR IT

1. INTRODUCTION
This session simply explains the process of contracting with an accredited

certification body form the point of requesting a quotation through to arranging a
Stage 1 review and subsequently a final Stage 2 site certification audit.
In addition, it covers some key processes which must be completed before a final
audit can take place and lastly mentions the need to prepare staff for that audit.
2. THE SEQUENCE OF ACTIVITIES INVOLVED FROM SECURING A

QUOTATION TO FINAL AUDIT
Audits are performed in a number of discrete stages. Prior to any audit, the auditee
organisation must select a suitable certification body: they usually request
questionnaires from a number of bodies and complete these. This gives the
certification body an idea of the number of employees and scope of the quality
system and geographical layout of the organisation.
The certification bodies will then give a quotation to the auditee and the auditee will
choose a body and submit an application for audit. The audit takes place in two
stages where the management system standard has a significant reference to
legislation.
The Stage 1 process consists of the certification body reviewing the proffered
documentation along with a site visit, and, if this is all satisfactory, a date for the
implementation and effectiveness audit 'on the ground' is arranged. This final visit is
Stage 2 of the certification process.
When certification bodies first carry out a detailed appraisal of the organisation's
documented FSMS (Stage 1 audit), omissions and deviations from the
requirements are pointed out and amendments can be made when necessary.
Once the documents are deemed satisfactory and the initial site visit has shown no
problems or omissions, the Stage 2 implementation audit can then be carried out.
The audit of the implementation and effectiveness of the management system

involves an in-depth appraisal of the auditee's activities and arrangements for
compliance with ISO 22000:2018. The organisation is required to demonstrate the
practical application of its documented procedures and risk assessments and
records of FSMS performance.
P a g e | 133

LG 07-11-2018
SESSION SEVEN
2. THE SEQUENCE OF ACTIVITIES INVOLVED FROM SECURING A

QUOTATION TO FINAL AUDIT, CONTINUED
There can be one of three outcomes from the audit:
1. unqualified registration, where there are no nonconformities;
2. qualified or pending registration where there are minor nonconformities which

must be corrected before certificate issuance;
3. non-registration, where there are one or more major nonconformances.
Conformance with the standard is not assessed in black and white terms – the
standard is partially descriptive rather than prescriptive. However, with regard to
ISO 22000:2018, it is recognised that organisations will need to demonstrate full
compliance with the standard.
In the cases of registration, a certificate of registration is issued together with a

schedule defining the scope of registration, the premises it applies to, etc. It is worth
noting that most certified organisations display their certificate prominently but
seldom display the accompanying schedule which contains details of the scope
(coverage / boundaries) of the registration.
Following registration there are regular surveillance visits, usually twice a year.
These involve an examination of just key parts of the organisation's operation on
each visit. Registration can be withdrawn or suspended if major problems are
found.
Some certifying bodies only issue the certificate for a three-year period and require
a re-audit before re-certifying.
3. THE COST OF CERTIFICATION
Certification is a commercial transaction. The organisation pays the certification

body to audit it against the standard.
It is free to go to any certified body it wishes. The time taken for each of the above
stages, the number of people involved and hence the cost, depend on the size of
the organisation and its complexities.
P a g e | 134

LG 07-11-2018
SESSION SEVEN
3. THE COST OF CERTIFICATION, CONTINUED
It is very difficult to provide guidelines on what average certification costs are and
the following is an example only. For a medium sized organisation (200 employees)
operating on a single site, with a typical rate of £800 per auditor day, costs may be
estimated from the following example:
 audit: 4 to 6 auditor days;
 surveillance: 1 to 2 auditor days per visit.
However, it may be much less than this for small organisations and much more for
larger ones.
4. FINAL ACTIVITIES PRIOR TO A CERTIFICATION AUDIT
It is essential to ensure that certain key activities have been completed before a
Stage 1 audit. These include:
 provision of a policy statement;
 provision of FSMS objectives;
 provision of a clear ‘scope of the FSMS system’ showing any parts of the
organisation which may not be covered (usually a separate building or
geographical entity);
 provision of risk assessments for all activities;
 confirmation that all relevant legislation is understood and available.
With regard to Stage 2, the following items, which may not have been available at
Stage 1, must be available:
 internal audit reports covering the overwhelming majority of activities;
 management review minutes;
 records to show that all necessary aspects of ISO 22000:2018 and legislation
are addressed, especially checks to show implementation of compliance
(legislative and other) requirements and HACCP activities;
 training and briefing records (including tool box talks for example).
P a g e | 135

LG 07-11-2018
SESSION SEVEN
5. PREPARING STAFF FOR THE CERTIFICATION AUDIT
Staff need to be briefed about receiving and dealing with external auditors and
should abide by the following principles. Do be:
 honest;
 polite;
 brief and to the point with answers;
 factual.
Do no:
 offer information;
 be obstructive;
 expand on answers given to the auditor – if they want more, they can ask;
 argue;
 offer opinions (even when asked);
 offer an answer if you do not know – do not guess.
It is important that external auditors are accompanied at all times. However, in order
not to intimidate staff, it is advisable to keep the numbers of the “audit party” to a
minimum. It is not unusual to have a guide, an observer, a departmental manager,
the FSMS manager and the external auditor(s). This is generally inadvisable but
may on some occasions be necessary.
Note that dealing with external auditors is different from dealing with internal
auditors. One of the purposes of internal auditing is to find all that you can that
needs improvement before the external auditors spot any deficiencies.
Consequently, it is imperative to have maximum co-operation between staff and

their internal auditor colleagues. Any issues should be found and rectified before
the external persons find any problems.
P a g e | 136

LG 07-11-2018
SESSION SEVEN
ACTIVITY 8: DEVELOPING A MANAGEMENT REVIEW AGENDA

PURPOSE
 To enable you to develop a management review agenda.
TASK
 In your teams, discuss and list the issues that a comprehensive management
review should cover to meet the requirements of ISO 22000:2018.
OUTPUT
TIME ALLOWED
P a g e | 137

LG 07-11-2018
SESSION SEVEN
ACTIVITY 9: INDIVIDUAL ACTION PLAN

PURPOSE
 To enable you to outline an action plan to implement ISO 22000:2018 in your own
organisation.
TASK
 In your teams, discuss and outline an action plan to implement ISO 22000:2018 in
your organisation.
OUTPUT
TIME ALLOWED
P a g e | 138

LG 07-11-2018
SESSION SEVEN
P a g e | 139

LG 07-11-2018
SESSION SEVEN
P a g e | 140

LG 07-11-2018
APPENDICES
Appendices
P a g e | 141

LG 07-11-2018
APPENDICES
CONTENTS PAGE
Appendix 1: Model of a process-based FSMS showing the links to ISO 22000:2018.... 143
Appendix 2: The clauses of ISO 22000:2018 compared with the clauses of ISO
22000:2005 .................................................................................................................. 144
P a g e | 142

LG 07-11-2018
APPENDICES
APPENDIX 1: MODEL OF A PROCESS-BASED FSMS SHOWING

THE LINKS TO ISO 22000:2018
Illustration of the Plan-Do-Check-Act cycle at the two levels
P a g e | 143

LG 07-11-2018
APPENDICES
APPENDIX 2: THE CLAUSES OF ISO 22000:2018 COMPARED WITH

THE CLAUSES OF ISO 22000:2018
Clauses in ISO 22000:2018 ISO 22000:2005
4 Context of the organisation New
4.1 Understanding the organisation and its context New
4.2 Understanding the needs and expectations of interested

New
parties
4.3 Determining the scope of the FSMS New
4.4 FSMS 4.1
5 Leadership
5.1 Leadership and commitment 5.1, 7.4.3
5.2 Policy 5.2
5.3 Organisational roles, responsibilities and 5.4, 5.5, 7.3.2
6 Planning
6.1 Actions to address risks and opportunities New
6.2 Objectives of the FSMS and planning to achieve them 5.3
6.3 Planning of changes 5.3
7 Support
7.1 Resources 1, 4, 6.2, 6.3, 6.4
7.2 Competence 6.2, 7.3.2
7.3 Awareness 6.2.2
7.4 Communication 5.6, 6.2.2
7.5 Documented information 4.2, 5.6.1
8 Operation
8.1 Operational planning and control New
8.2 Prerequisite programmes (PRPs) 7.2
8.3 Traceability system 7.9
P a g e | 144

LG 07-11-2018
APPENDICES
Clauses in ISO 22000:2018 ISO 22000:2005
8.4 Emergency preparedness and response 5.7
8.5 Hazard control 7.3, 7.4, 7.5, 7.6 & New
8.6 Updating the information specifying the PRPs and the

7.7
hazard control plan
8.7 Control of monitoring and measuring 8.3
8.8 Verification related to PRPs and the hazard control plan 7.8, 8.2
8.9 Control of product and process nonconformities 7.10
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation New
9.1.1 General New
9.1.2 Analysis and evaluation 8.4.2, 8.4.3
9.2 Internal audit 8.4.1
9.3 Management review 5.8
10 Improvement
10.1 Nonconformity and corrective action New
10.2 Continual improvement 8.1, 8.5.1
10.3 Update of the FSMS 8.5.2
Annex A (informative) Cross references between the CODEX

New
HACCP and this document
Annex B (informative) Cross references between this

New
document and ISO 22000:2005
P a g e | 145

LG 07-11-2018

Iso 22

Uploaded by

Copyright:

Available Formats

Iso 22

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Iso 22

Uploaded by

Copyright:

Available Formats

ISO 22000:2018 Food Safety

Management Systems (FSMS)

ISO 22000:2018 FSMS ITC

ISO 22000:2018 FSMS ITC

ISO 22000:2018 FSMS ITC

ISO 22000:2018 FSMS ITC

POLICY STATEMENT AND OBJECTIVES

COURSE CRITERIA – OBJECTIVES

Upon completion of this course, learners will be able to:

 plan how to implement ISO 22000:2018 into any organisation.

Learners will need to demonstrate acceptable performance in these areas to complete

ISO 22000:2018 FSMS ITC

Learners will be graded based on full attendance of the course.

Not applicable for this course.

Upon completion of this course, learners will be able to:

 know and understand the requirements of the latest version of ISO

 plan how to implement ISO 22000:2018 into any organisation.

ISO 22000:2018 FSMS ITC

The is no examination as part of this course.

10. APPEALS AND COMPLAINTS

ISO 22000:2018 FSMS ITC

08.45 Course Registration

09.00 Course Introduction

09.30-10.45 Session 1 ISO 22000:2018 Principles and Detail

11.00-12.00 Session 1 ISO 22000:2018 Principles and Detail, continued

12.00-12.30 Activity 1 Audit Evidence related to ISO 22000:2018 Clauses

13.45-14.30 Session 2 Project Management Principles and their

ISO 22000:2018 FSMS ITC

14.30-15.15 Activity 2 Project Responsibilities for Involved Staff

15.30-16.30 Activity 2 Feedback

16.30-17.00 Review of Day 1

17.00 END OF DAY 1

There will be a break of 15 minutes mid-morning and mid-afternoon.

ISO 22000:2018 FSMS ITC

09.30-10.15 Activity 3 Planning Key Implementation Project Activities

11.15-12.45 Session 3 Project Steps involved in ISO 22000:2018

13.30-14.15 Session 4 FSMS Design

14.15-15.15 Activity 4 FSMS Documentation and Gap Analysis

15.30-16.15 Activity 4 FSMS Documentation and Gap Analysis,

ISO 22000:2018 FSMS ITC

16.45-17.30 Session 5 Implementing New Procedures and Processes

17.30-18.00 Review of Day 2

18.00 END OF DAY 2

There will be a break of 15 minutes mid-morning and mid-afternoon.

ISO 22000:2018 FSMS ITC

10.30-11.00 Session 6 Reviewing and Assessing Implementation

11.15-12.00 Activity 6 Resources Responsible for Deliverables

12.45-13.15 Activity 7 Developing an Internal Audit Schedule

14.00-14.30 Activity 7 Feedback

14.30-15.00 Session 7 The Certification Process and Preparing for this

15.00-15.30 Activity 8 Developing a Management Review Agenda

15.45-16.15 Activity 8 Feedback

16.15-17.00 Activity 9 Individual Action Plan

17.30-18.00 Course Review

18.00 END OF COURSE

There will be a break of 15 minutes mid-morning and mid-afternoon.

ISO 22000:2018 FSMS ITC

ISO 22000:2018 FSMS ITC