HACCP, ISO 22000, FSSC 22000, BRCGS, IFS — the food safety standards landscape has more options than most adjacent industries, and the relationships between them are unintuitive. Organisations new to formal food safety management often start by trying to pick the right one, when in reality the standards layer rather than compete. Understanding the layers makes the choice much clearer.
HACCP: The Methodology
Hazard Analysis and Critical Control Points (HACCP) is a methodology for identifying and controlling food safety hazards through seven defined principles: conduct hazard analysis, identify critical control points, establish critical limits, monitor those limits, define corrective action, verify the system works, and maintain documentation. HACCP is referenced or required in food safety regulation in most countries. It is a methodology, not a management system, and there is no certification body that issues a "HACCP certificate" the way certification bodies issue ISO 22000 certificates.
ISO 22000: The Management System
ISO 22000 is a food safety management system standard. It incorporates HACCP principles within a broader management system framework — context, leadership, planning, support, operation, performance evaluation, improvement — using the High-Level Structure shared with other ISO management standards. ISO 22000 adds prerequisite programmes (PRPs and operational PRPs), management commitment requirements, internal audit programmes, and the systematic improvement loop that pure HACCP does not require.
In practice, an organisation implementing ISO 22000 inherently implements HACCP — the standard requires it. The reverse is not true. Many organisations operate HACCP-based programmes that satisfy regulatory requirements but do not constitute an ISO 22000-aligned management system.
FSSC 22000: The Certification Scheme
FSSC 22000 is a certification scheme built on ISO 22000 plus sector-specific prerequisite programme requirements (typically ISO/TS 22002-1 for food manufacturing) plus additional FSSC requirements covering things like food defence, food fraud prevention, and management of services. Crucially, FSSC 22000 is recognised by the Global Food Safety Initiative (GFSI), which means certification under FSSC 22000 is accepted by major retailers and food service operators that require GFSI-recognised certification.
A common confusion: an organisation gets ISO 22000 certified, then loses a major customer who requires GFSI-recognised certification. ISO 22000 alone is not GFSI-recognised. FSSC 22000 is. If your customer base includes major international retailers or food service brands, FSSC 22000 (or another GFSI-recognised scheme like BRCGS or IFS) is usually the right target rather than plain ISO 22000.
How to Choose
- Regulatory baseline only — implement HACCP rigorously; you do not need certification
- Internal management system maturity — ISO 22000 gives you the structure without GFSI overhead
- Major retailer or food service customers — FSSC 22000 (or BRCGS/IFS depending on the customer)
- Multi-site operations needing harmonised audits — FSSC 22000 with the multi-site option
- Already have ISO 9001 or ISO 14001 — ISO 22000 integrates cleanly via the shared HLS
Practical Implementation Notes
Whichever target you pick, the implementation work is similar in shape. Establish prerequisite programmes that match your sector. Conduct rigorous hazard analysis with documented decisions. Identify CCPs and the critical limits at each. Build the monitoring procedures into operations rather than overlaying them. Maintain records that demonstrate the system runs as documented. Run internal audits that genuinely test the system rather than just checking the documentation. The certification audit then becomes a verification exercise rather than a discovery exercise.
The food safety standards work, but only when treated as operational systems rather than documentation projects. The organisations that get value from them are the ones whose food safety practice does not change visibly when the auditor leaves the building.