Many restaurants use only Hazard Analysis Critical Control Points (HACCP)-based procedures to control food safety hazards that can cause foodborne illnesses. However, HACCP alone is insufficient to defend against food safety hazards. Prerequisite programs (PRPs) and national food safety regulations are both critical in reducing and eliminating food safety hazards. PRPs are capable of controlling food safety hazards and lay the groundwork for HACCP-based procedures. 

In addition to food safety, restaurant operators are also concerned about the quality of food and overall service, as well as the risks that can affect the restaurant business. Given these concerns, restaurant operators require a globally recognized and widely adopted Food Safety Management System (FSMS) capable of incorporating all of the aforementioned aspects into a single system. The International Organization for Standardization's ISO 22000:2018 is one such FSMS. Restaurant operators that want to certify their establishment against ISO 22000 must meet the requirements outlined in the standard. This means creating, implementing, and maintaining an FSMS that is compliant with ISO 22000 standards. 

Obtaining ISO 22000 certification benefits restaurants in many ways. Restaurants that are ISO 22000 certified not only have higher customer trust, which leads to stronger customer–brand relationships, but also imparts a lower risk of product liability lawsuits. Implementing an effective FSMS can significantly reduce the risk of foodborne illness, thereby assisting food service establishments in meeting their social responsibility to protect public health. Another advantage of implementing an ISO 22000-compliant FSMS is that it easily enables restaurant operators to incorporate their already existing HACCP-based procedures into the standards. Additionally, the standard assists restaurant operators in meeting national food safety regulations.

Before discussing how to implement an ISO 22000-compliant FSMS, it may be helpful to review some general information about ISO 22000 standards and why effective leadership is required for the standards to be implemented successfully.

The ISO first published its ISO 22000 standards in September 2005. Prior to the implementation of ISO 22000, the foodservice industry relied on ISO 9001 quality management standards. ISO published new standards in 2018 that followed the same structure as the previous version, but incorporated HACCP and ISO 9001 principles with a different approach to risk assessment. The risk assessment principles used by ISO 22000 are the same as those used by all other food safety systems; the only difference is the structure. 

Any stakeholder in the food supply chain, from farmers to foodservice operators, can use ISO 22000 certification, regardless of size, industry, or location. The standard can assist restaurant operators in implementing best practices and establishing an FSMS capable of effectively controlling food safety hazards and reducing the risk of foodborne illnesses. It is important to note that ISO does not certify foodservice establishments; accredited certification bodies do. If a restaurant does not already have an FSMS, then certification bodies can assist it in developing and implementing one. 

The extent to which a restaurant can meet ISO 22000 requirements is determined by a number of factors, including the organization's context and structure, its products/services and processes, as well as the risks involved. Setting up an ISO 22000-compliant FSMS is a relatively simple task, but it requires a thorough understanding of the standard and its requirements, as well as a commitment to implement the standard consistently.

When planning and developing an FSMS that is compliant with the latest version of ISO 22000 (referred to as ISO 22000:2018), restaurant operators must take a risk-based approach, use the Plan-Do-Check-Act (PDCA) method at both the corporate and process levels, and combine it with HACCP. This type of strategic application will provide numerous benefits. The PDCA method will assist the foodservice operator in identifying risks at both the organizational and process levels, while HACCP will assist in identifying, eliminating, or reducing potential food safety hazards, thereby lowering the likelihood of food contamination. The application of this strategy will also help determine how processes interact with one another, whether processes are adequately resourced, how processes can be controlled to reduce or eliminate food safety hazards, and how to measure the safety of the resulting products. Furthermore, people who think in terms of risk are more likely to be proactive rather than reactive, which promotes continuous improvement. It is important to note that processes include steps such as receiving, storing, washing, cooking, holding, and serving. 

ISO 22000 certification cannot be obtained or maintained unless senior management understands and commits to meeting the standard's requirements on a consistent basis. Restaurant operators must implement an ISO 22000-compliant FSMS, which requires buy-in from corporate senior management and business stakeholders for restaurants groups. Developing an FSMS can be difficult if the standard's requirements are not well understood. It is also necessary to develop a food safety policy that is appropriate to the organization's purpose and context, define the policy's objectives, and integrate the policy into restaurant operations. 

It is important to remember that ISO 22000 certification is not a one-time event. The certification is valid for three years from the date of issue, and restaurants must pass a recertification audit every three years to maintain it. To improve understanding of the standard's requirements, senior management should request ISO awareness and implementation training from the certification body and ensure that representatives from senior management attend the trainings. Senior management representatives must also attend the certification and recertification audit to be aware of the conformances and non-conformances discovered during the audits and effectively communicate these findings to department heads for corrective actions. 

Another thing to remember is that the food safety team will require resources to implement and maintain the FSMS. Failure to implement and maintain the FSMS over time endangers not only food safety but also results in failed recertification audits, regulatory noncompliance, and re-audits, all of which require time and effort. Effective leadership is also required to instill a food safety culture in the restaurant. When a restaurant has a food safety culture, all team members are equally involved in ensuring food safety. A few examples of effective leadership are providing employees with sanitary working conditions, enforcing safe food handling behavior and practices as needed, clearly communicating the importance of food safety, and forming an implementation team of employees with technical expertise. 

The senior management team must also set a timeline for obtaining ISO 22000 certification. They must devise a well-planned strategy to identify the tasks to be completed, the people in charge of the tasks, and deadline for completion. The implementation team must make every effort to meet the deadlines established by senior management for implementing an ISO 22000-compliant FSMS. Active collaboration among team members from all relevant departments will ensure that the standards are implemented smoothly and efficiently. 

Choosing a Certification Body and Signing the Contract

Several steps and procedures are involved in obtaining ISO 22000 certification. Restaurants wishing to obtain certification must first select a certification body. Numerous certification bodies are authorized to certify restaurants. When choosing one, however, a number of factors must be considered. Accreditation is the first and most important factor. 

Restaurant operators must obtain certification from a reputable certification body accredited to issue ISO 22000 certification. Accreditation ensures that the chosen certification body follows internationally recognized ISO management systems, employs qualified auditors, and is authorized to issue ISO 22000 certification following the certification audit. Some of the ISO-accredited certification bodies that issue ISO 22000 certification are TÜV SÜD, SGS, Bureau Veritas, BSI, and Intertek.

Another important factor to consider is the cost of the audit, as audit fees vary depending on the certification body. It is advised to request rate quotes from various certification bodies for initial certification and annual inspection costs, as well as other audit expenses, before making a decision.

Other factors to consider are the audit waiting time, the auditor's profile, and any other ISO certifications provided by the certifying body. Some certification bodies require a longer waiting period. To get a sense of who will be auditing the restaurant and how much experience the auditor has, the restaurant operator should inquire about the auditor's background, such as technical expertise and auditing experience. Finally, it is important to check if the certification body offers certification for other ISO management systems, such as ISO 9001:2015, a quality management system preferred by many restaurant operators. The restaurant may seek such certification in the future. 

After selecting a certification body, the restaurant operator can approach it to discuss the certification process and requirements, after which the certification body may submit a proposal. The certification body will discuss the audit scope, the type of certification for which the restaurant will be audited, the sector category into which the restaurant falls, and the products covered by the certification scope. If the restaurant operator accepts the proposal, then both parties sign a contract outlining their respective rights and obligations, as well as liability concerns, confidentiality, and access rights. When it comes to certification costs, a variety of factors can play a role. The number and type of processes, the complexity of the management system, the level of risk involved, employee strength, and the total number of working days and shifts are all factors to consider.

Train Team Members on ISO 22000 Standards

It is understood that implementing ISO 22000 necessitates a thorough understanding of the standard by restaurant operators and employees, which can be accomplished through effective and extensive training. A restaurant may request the certification body to conduct ISO 22000 awareness training for all team members, implementation training for the food safety or implementation team, and internal audit training for the internal audit team. Such trainings must also be attended by senior management representatives. These efforts will assist team members in comprehending the fundamentals and structure of the ISO 22000 standard, as well as how to conduct risk assessments and best practices for internal audits. It is also important to keep a record of the training, as it may be requested during the certification audit.

Forming an Internal Audit Team and Implementation Team

To develop an ISO 22000-compliant FSMS and oversee its implementation, senior management must form a cross-functional food safety team or an implementation team. Since department heads are in charge of safety within their departments, the restaurant manager, kitchen stewarding manager, purchasing officer, and executive chef must all be on the implementation team. Primary responsibilities for the team must include assessing gaps and hazards in the process, comparing current processes and procedures to best practices, documenting processes and procedures, and holding food safety meetings. 

Restaurant operators must request an ISO 22000 implementation training workshop from the certification body to improve the efficiency of the implementation team. This will help team members understand the purpose, structure, and various sections of the standard. It will also assist in understanding how to create an implementation plan, apply key principles, and decide which documents to keep. 

Furthermore, senior management must form an internal audit team. It is advised that the team in charge of implementing the ISO 22000-compliant FSMS does not audit the FSMS. An independent internal audit team with auditing knowledge and skills should be created. If the identified team members lack the necessary experience and skills, then the restaurant operator may request that the certification body train the internal audit team on how to audit the FSMS. All members of the food safety and internal audit teams must attend such trainings.

Conducting Gap Analysis to Review Existing FSMS

Following the signing of the contract between the restaurant and the certification body, the certification body's lead auditors will visit the restaurant and conduct a gap analysis. The auditors will examine the processes, standards, and policies, as well as the restaurant's documentation of these items. The goal of the gap analysis is to identify the gap between the existing FSMS and the requirements of the ISO 22000 standard—i.e. what needs to happen to achieve certification. This will assist the food safety or implementation team in addressing deficiencies in the system, and planning and implementing corrective actions prior to the full certification audit. 

If the restaurant is implementing ISO 22000 for the first time and the implementation team members have no prior experience with the standards, then conducting a gap analysis will be difficult and error-prone. A gap analysis performed with the assistance of an ISO 22000 expert not only saves time and effort while eliminating errors, but also provides the opportunity to learn from an expert. Furthermore, auditors can provide guidance on developing and implementing ISO 22000 standards, making implementation of the standard easier. 

The majority of restaurants have HACCP-based procedures in place. In such situations, restaurant operators could request from the certification body an assessment checklist for use in evaluating the existing FSMS. A gap analysis can then be performed to compare the restaurant's current food safety practices and processes to the ISO 22000 standard. If the restaurant does not have a HACCP plan in place, then ISO 22000 requires developing and implementing one. A thorough analysis of food safety hazards must be performed to identify the likelihood of their occurrence, as well as the severity of harm. 

Once the hazards have been identified and classified, then it is time to determine the appropriate food safety measures to be implemented to reduce the hazard to an acceptable level. Typically, this is achieved through either PRPs or critical control point (CCP). The standard also requires that PRPs, processes, standards, and policies be documented to make them more accessible and easier to verify. Such efforts will raise employee awareness of food safety policies, objectives, and safe food behaviors and practices that must be followed.

Part 2 of this article series, to be published in next week's eDigest, will examine the development, implementation, operation, and measurement of an FSMS, as well as the process for conducting internal and certification audits.