ISO 22000 Internal Audit Checklist
Result Charts
Process Report
Clause Report
ISO 22000 Food Safety Internal Audit — Everything You Need To Know
What Is an ISO 22000 Internal Audit?
An ISO 22000 internal audit is a systematic evaluation of an organisation’s Food Safety Management System (FSMS) against the requirements of ISO 22000:2018. The standard applies to all organisations in the food chain — from primary producers and food manufacturers to transport, storage, retail, food service, and providers of equipment, packaging, and cleaning agents. Internal audits verify that the FSMS effectively controls food safety hazards and produces safe products.
Clause 9.2 of ISO 22000:2018 requires internal audits at planned intervals. The audit programme must consider the importance and performance of processes, changes affecting the organisation, monitoring and measurement results, and findings from previous audits. Given the direct public health implications of food safety failures, the internal audit is one of the most critical verification activities within the FSMS.
ISO 22000 and the HACCP Principles
ISO 22000:2018 integrates the seven principles of HACCP (Hazard Analysis and Critical Control Points) within a broader management system framework. The standard requires organisations to conduct a hazard analysis, determine Critical Control Points (CCPs) and Operational Prerequisite Programmes (OPRPs), establish critical limits, implement monitoring systems, define corrective actions, verify the HACCP plan, and maintain documentation. The internal audit checklist must verify that all seven HACCP principles are effectively implemented and that CCP monitoring records demonstrate ongoing control.
What Should Your ISO 22000 Audit Checklist Cover?
Prerequisite Programmes (PRPs)
PRPs are the fundamental conditions and activities necessary to maintain a hygienic environment throughout the food chain. Audit areas include: facility construction and layout, supply of utilities (water, air, energy), waste and sewage disposal, equipment suitability and maintenance, procurement management, cross-contamination prevention, cleaning and sanitising, pest control, personnel hygiene, and recall procedures. PRPs must be appropriate to the organisation’s position in the food chain and the types of products handled.
Hazard Analysis and Critical Control Points
The core of the audit covers the hazard analysis process and HACCP plan implementation. Verify that: all potential biological, chemical, physical, and allergenic hazards have been identified; hazard assessment considers severity and likelihood; CCPs and OPRPs have been correctly determined using a decision-tree methodology; critical limits are scientifically validated; CCP monitoring is performed at the required frequency with calibrated equipment; deviations trigger defined corrective actions; and verification activities (including internal audit) confirm the system’s ongoing effectiveness.
Management System Requirements (Clauses 4–10)
ISO 22000:2018 follows the ISO High Level Structure, aligning with other management system standards. The audit checklist should cover: organisational context and scope (Clause 4), food safety policy and food safety team leadership (Clause 5), risk and opportunity planning (Clause 6), resource management including competence and communication (Clause 7), operational planning including traceability and emergency preparedness (Clause 8), performance evaluation including monitoring, measurement, analysis, and internal audit (Clause 9), and nonconformity management and continual improvement (Clause 10).
ISO 22000 and Related Standards
FSSC 22000 and ISO 22000
FSSC 22000 (Food Safety System Certification) builds upon ISO 22000 by adding sector-specific Prerequisite Programme requirements (ISO/TS 22002-x series) and additional FSSC scheme requirements. FSSC 22000 is GFSI (Global Food Safety Initiative) recognised, whereas standalone ISO 22000 is not. Organisations targeting GFSI recognition should note that their ISO 22000 internal audit checklist must also cover FSSC additional requirements if pursuing FSSC 22000 certification.
BRCGS and ISO 22000
BRCGS (British Retail Consortium Global Standards) is an alternative GFSI-recognised scheme widely used in UK and European retail supply chains. While structurally different from ISO 22000, many requirements overlap. Organisations holding both certifications can benefit from an integrated audit approach that covers common elements — such as HACCP, traceability, supplier management, and allergen control — through a single checklist.
Planning Your ISO 22000 Internal Audit Programme
The audit programme should ensure complete FSMS coverage within each annual cycle. Frequency should be risk-based, with CCPs, OPRPs, and high-risk processes audited more frequently. Seasonal variations in production, changes in suppliers, and recall or withdrawal incidents should trigger additional audits. Auditors must be competent in food safety principles, HACCP methodology, and the specific processes they audit. Results must be reported to the food safety team leader and top management.
Frequently Asked Questions
What is an ISO 22000 internal audit checklist?
An ISO 22000 internal audit checklist is a structured tool for evaluating a Food Safety Management System against ISO 22000:2018. It covers management system requirements (clauses 4–10), HACCP plan implementation, CCP monitoring, PRPs, and traceability. The checklist guides auditors through each requirement with fields for findings and corrective actions.
How does ISO 22000 relate to HACCP?
ISO 22000:2018 incorporates all seven HACCP principles within a broader management system framework. While HACCP focuses specifically on hazard analysis and critical control points, ISO 22000 adds management system elements including leadership, planning, resource management, and continual improvement. An ISO 22000 audit covers both HACCP-specific and management system requirements.
What is the difference between ISO 22000 and FSSC 22000?
FSSC 22000 builds on ISO 22000 by adding sector-specific Prerequisite Programme requirements and additional scheme requirements. FSSC 22000 is GFSI recognised, making it acceptable to major retailers and food service companies. Standalone ISO 22000 certification is not GFSI recognised.
How often should ISO 22000 internal audits be conducted?
ISO 22000:2018 requires audits at planned intervals. Annual full-cycle audits are standard, with more frequent audits for CCPs, OPRPs, and high-risk processes. Seasonal production changes, supplier changes, and food safety incidents should trigger additional audits.
Can I use an ISO 22000 audit checklist for FSSC 22000?
An ISO 22000 checklist covers the core requirements but must be supplemented with FSSC-specific additional requirements (food safety culture, environmental monitoring, food fraud mitigation, food defence, etc.) for FSSC 22000 certification purposes.
