How to Document Your ISO 22000 System

Why ISO 22000 Documentation Is Different From Other Standards

If you have already worked with ISO 9001 or ISO 14001, you might assume that documenting your ISO 22000 Food Safety Management System follows a similar pattern. In some ways it does, but ISO 22000 has a layer of technical complexity that catches a lot of businesses off guard. The standard sits at the intersection of management system requirements and food science, which means your documentation needs to satisfy both a certification auditor and the practical realities of food safety control.

The core challenge is that ISO 22000 requires you to document not just your processes and policies, but also the scientific reasoning behind your food safety decisions. Your Hazard Analysis and Critical Control Points plan, your prerequisite programmes, your monitoring procedures, these all need to be written in a way that demonstrates genuine understanding, not just box ticking. An auditor who knows food safety will see straight through documentation that has been copied from a template without being adapted to your actual operation.

This guide walks you through exactly what documentation ISO 22000 requires, how to build it properly, and the common mistakes that cause businesses to fail their certification audit on document-related findings.

What ISO 22000 Actually Requires You to Document

The standard distinguishes between two types of documented information: documents that define how things should be done, and records that prove things were actually done. Both are essential, and confusing the two is one of the most common errors in early-stage food safety management systems.

Mandatory Documents Under ISO 22000

ISO 22000:2018 specifies a number of documents that must exist in your system. These are not optional. If any of these are missing during your Stage 1 audit, you will almost certainly receive a major non-conformity that delays your certification.

• Food Safety Policy: A clear, signed statement from top management that sets the direction of your food safety commitments. It needs to be appropriate to your organisation, not a generic statement copied from the internet.
• Food Safety Objectives: Measurable targets that link directly to your food safety policy. These need to be documented and communicated across the organisation.
• Scope of the Food Safety Management System: A written definition of which products, processes, sites and supply chain steps are covered by your system.
• Prerequisite Programmes (PRPs): Documented programmes covering areas like cleaning and sanitation, pest control, personal hygiene, allergen management, supplier controls and facility maintenance. These are the foundation of your system.
• Hazard Analysis: A documented process for identifying all potential biological, chemical, physical and allergen hazards associated with your products and processes.
• HACCP Plan: The output of your hazard analysis, identifying Critical Control Points, critical limits, monitoring procedures, corrective actions and verification activities.
• Operational Prerequisite Programmes (OPRPs): Documented controls for hazards that are significant but managed outside the HACCP plan.
• Traceability System: A documented procedure that allows you to trace raw materials forward through production and finished products back to their source.
• Emergency Preparedness and Response: Documented plans for potential emergency situations that could affect food safety.
• Internal Audit Programme: A documented schedule and procedure for conducting internal audits of your food safety management system.
• Management Review Records: Evidence that top management regularly reviews the performance of the food safety system.

Beyond these mandatory items, the standard also requires documented information wherever it is necessary to ensure effective operation of your processes. That is a judgement call, and it is one you need to make thoughtfully based on your specific operation.

Records You Must Maintain

Records are the evidence that your system is working in practice. They need to be legible, retrievable and retained for appropriate periods. Key records include monitoring results for CCPs and OPRPs, calibration records for measurement equipment, corrective action records, supplier evaluation records, training records, internal audit findings and management review minutes.

One thing worth noting: the standard does not prescribe specific retention periods for most records. You need to define these yourself, taking into account legal requirements, customer requirements and the shelf life of your products. For a business producing shelf-stable products with a two-year shelf life, retaining records for only twelve months would be inadequate and would likely be raised as a non-conformity.

Building Your Documentation From the Ground Up

The most practical approach is to build your documentation in a logical sequence that mirrors how the standard itself is structured. Trying to write everything at once leads to inconsistencies and gaps. Here is a sequence that works well in practice.

Step 1: Establish Your Context and Scope

Before you write a single procedure, you need to define the boundaries of your system. This means documenting what products you make, what processes are involved, which sites are included, and where your supply chain responsibilities begin and end. Your scope document should also reference the relevant regulatory requirements that apply to your operation, whether that is the Australia New Zealand Food Standards Code, state-based food safety legislation, or export requirements for specific markets.

This is also the point at which you document your understanding of the organisation and its context, including the internal and external factors that affect your ability to deliver safe food. Think about things like your supply chain complexity, the vulnerability of your customer base, your facility age and condition, and any regulatory changes on the horizon.

Step 2: Develop Your Food Safety Policy and Objectives

Your food safety policy is a short, clear document, typically one page, that states your commitment to producing safe food, meeting customer and regulatory requirements, and continually improving your system. It must be signed by the most senior person in the organisation. A policy that is signed by a quality manager but not the CEO or Managing Director will be questioned by an auditor.

Your food safety objectives need to be specific and measurable. Vague objectives like “improve food safety” are not acceptable. Instead, write objectives like “reduce customer complaints related to foreign matter by 30% within twelve months” or “achieve 100% completion of scheduled CCP monitoring checks each month.” These objectives should be tracked and reviewed at management review.

Step 3: Document Your Prerequisite Programmes

PRPs are the hygiene and operational controls that create the foundation for your HACCP system. They are often underestimated in terms of documentation effort. Each PRP needs to describe what the control is, who is responsible, how it is implemented, how it is monitored, and what records are kept.

Common PRPs that need individual documented programmes include cleaning and disinfection, pest management, personal hygiene and health requirements, allergen management, supplier approval and monitoring, maintenance of equipment and facilities, waste management, water quality, and storage and transport controls. For a food manufacturer, you might be looking at ten to fifteen separate PRP documents, each with associated records templates.

Do not try to cover everything in a single document. Auditors find it much easier to evaluate your system when each PRP is a standalone document with a clear owner and a clear monitoring mechanism.

Step 4: Conduct and Document Your Hazard Analysis

This is the technical heart of your ISO 22000 system and the area where documentation quality matters most. Your hazard analysis must be documented in enough detail that someone reading it can understand the reasoning behind every decision you made.

Start with a documented description of each product, including its intended use, target consumer group, and any vulnerable populations who might consume it. Then document your process flow diagrams, which map every step from raw material receipt through to dispatch. These flow diagrams need to be verified on the factory floor, and that verification needs to be recorded.

For each process step, document every potential hazard, the likelihood and severity of that hazard occurring, the control measures available, and whether the hazard is controlled by a PRP, an OPRP, or a CCP. The Codex Alimentarius HACCP principles, which underpin ISO 22000, provide the framework for this analysis. Your documentation should reference this framework explicitly.

Step 5: Write Your HACCP Plan

The HACCP plan is a summary document that captures the output of your hazard analysis for each CCP. For each CCP, the plan must document the hazard being controlled, the critical limits, the monitoring method, the monitoring frequency, who is responsible for monitoring, what corrective action is taken when a critical limit is breached, and how monitoring is verified.

Critical limits must be based on scientific evidence, regulatory requirements, or validated industry standards. If you set a critical limit of 75 degrees Celsius for a cooking step, you need to be able to demonstrate that this limit is sufficient to control the relevant pathogen to an acceptable level. That scientific justification needs to be documented, either in the HACCP plan itself or in a referenced supporting document.

One of the most common audit findings in food businesses is HACCP plans that list critical limits without any documented justification. Do not let this happen to you. If you are unsure about the scientific basis for a critical limit, speak to a food technologist or reference peer-reviewed guidance from a recognised food safety authority.

Step 6: Develop Your Monitoring and Verification Records

Every CCP and OPRP needs a monitoring record. These are typically forms or electronic templates that operators complete during production. The design of these records matters. A poorly designed monitoring form leads to incomplete data, which in turn creates gaps in your evidence during an audit.

A good monitoring record includes the date and time of the check, the name of the person conducting the check, the result of the check, a comparison against the critical limit or action limit, a space for corrective action if required, and a supervisor sign-off field. Pre-printed forms with clear prompts reduce the likelihood of incomplete entries.

Verification records are separate from monitoring records. Verification activities, such as calibration of thermometers, review of monitoring records by a supervisor, or periodic microbiological testing, need their own documented evidence. Do not mix monitoring and verification records in the same document.

Structuring Your Document Control System

Having good documents is only half the job. You also need a system for controlling them. ISO 22000 requires that documented information be properly identified, stored, protected, distributed, retained and disposed of. This is where many businesses create unnecessary complexity for themselves.

Keep Your Document Control Simple

You do not need expensive software to manage document control effectively, especially if you are a small or medium-sized food business. A well-structured shared drive with a clear folder hierarchy, a document register in a spreadsheet, and a simple review and approval workflow is entirely sufficient for most operations.

Every document in your system should have a unique identifier, a version number, an issue date, an approval signature, and a review date. When a document is revised, the old version must be clearly marked as obsolete and either removed from circulation or stored separately with a clear label. Understanding how controlled documents work is fundamental to keeping your system audit-ready at all times.

Linking Documents to Each Other

Your food safety management system will have dozens of documents. Auditors need to be able to follow the thread from your policy through to your hazard analysis, into your HACCP plan, and then into your monitoring records. If these documents are not cross-referenced, an auditor has to do the detective work themselves, which wastes time and creates doubt about whether your system is coherent.

Use a consistent referencing system. When your HACCP plan refers to a monitoring procedure, cite the document number and title. When a procedure refers to a record template, include the form number. This makes your system navigable and demonstrates that it was designed as an integrated whole rather than assembled from disconnected pieces.

Common Documentation Mistakes That Cause Audit Failures

Having reviewed food safety management systems across a wide range of food businesses, the same documentation problems appear repeatedly. Here are the ones most likely to result in a non-conformity during your certification audit.

• Generic templates used without customisation: Downloaded templates that have not been adapted to your specific products, processes and site conditions. Auditors can spot these immediately, and they raise serious questions about whether your team actually understands the content.
• Hazard analysis without documented justification: Concluding that a hazard is not significant without explaining why. Every decision in your hazard analysis needs a rationale.
• Critical limits without scientific basis: Setting limits based on habit or assumption rather than validated evidence.
• Outdated documents in circulation: Old versions of procedures or forms still being used on the factory floor while newer versions exist in the office.
• Monitoring records with gaps or corrections that are not properly managed: Blank fields, correction fluid, or illegible entries undermine the integrity of your records.
• PRPs that describe what should happen but have no monitoring evidence: A cleaning procedure that is well-written but has no completed cleaning records to support it.
• Traceability procedures that have never been tested: ISO 22000 requires you to verify that your traceability system actually works. If you cannot demonstrate a successful traceability exercise, this will be raised as a finding.

If you are preparing for your first certification audit, reviewing the key steps before a Stage 1 readiness audit will help you identify gaps in your documentation before the auditor does.

Maintaining Your Documentation After Certification

Getting certified is one milestone. Keeping your documentation current and relevant is an ongoing responsibility. ISO 22000 requires your food safety management system to be reviewed and updated whenever there are changes to products, processes, ingredients, suppliers, equipment, or relevant legislation.

Build a scheduled review cycle into your system. Most documents should be formally reviewed at least annually, with ad-hoc reviews triggered by changes. Assign clear ownership for each document so that when something changes in the business, the right person knows to update the relevant documentation.

Your internal audit programme is also a key mechanism for catching documentation that has drifted out of date. Running internal audits that genuinely find problems rather than just confirming that everything looks fine is what separates businesses that maintain strong systems from those that scramble before each surveillance audit.

If you are building or rebuilding your ISO 22000 documentation and want expert guidance, CertBetter can connect you with verified food safety consultants who have hands-on experience with ISO 22000 implementation across a range of food industry sectors. Submit one form and receive up to three competing quotes from vetted providers, at no cost to your business.