The 25 Most Common FSSC 22000 Non-Conformances – and How to Avoid Them

by
FSSC 22000 V7 · Audit Findings · Authority Guide

The 25 Most Common FSSC 22000 V7 Non-Conformances — and How to Avoid Them

An evidence-based playbook drawn from real FSSC 22000 Version 7 (May 2026) transition gap audits, mock audits and post-CB-audit reviews — clause by clause, with severity grading, root cause analysis and the corrective action that closes each finding cleanly.

By Mthokozisi Nkosi, Food Safety Specialist & SAATCA Lead Auditor · Reviewed by senior FSSC 22000 lead auditors with IRCA · Exemplar Global · SAATCA credentials · Published 9 May 2026

25Non-conformances
covered
7Thematic groups
for prevention
3Auditor credentials
IRCA · Exemplar · SAATCA
18V7 Additional
Requirements

Methodology

This guide is compiled from FSSC 22000 V7 audit observations across multiple sectors and geographies. The 25 non-conformances listed represent the highest-frequency findings observed by ASC Food Safety Consultants' IRCA-, Exemplar Global- and SAATCA-credentialed lead auditors during V7 transition gap audits, mock audits and post-CB-audit reviews. They are presented in thematic order, not frequency order, to support systematic prevention planning. Severity grading reflects typical CB practice; individual auditors may grade specific findings up or down based on the evidence. Clause references are to the FSSC 22000 Scheme V7.0 (May 2026), Foundation FSSC.

GROUP 1 — DOCUMENTATION & REFERENCES (NCs 1–5)

Five of the most common V7 findings occur because legacy V6 documentation was carried into the V7 audit without a comprehensive reference refresh. Auditors notice fast.

NC 1 — PRP procedures still reference old ISO/TS 22002-x prefixes

Major · Clause: Appendix 2 (Normative References) · Sector: all

What the auditor sees: the PRP manual, individual PRP procedure headers, training material and internal audit checklists still reference "ISO/TS 22002-1:2009" instead of "ISO 22002-1:2025". The manual lists the 2009 edition in its bibliography. Procedures cite clauses that no longer exist in the 2025 edition.

Root cause: the V6→V7 transition was treated as a scope statement update only. Find-and-replace was not extended to all linked documents.

The fix: run a comprehensive document register search for "ISO/TS 22002", "PAS 221" and "TS 22002". Update every header, footer, bibliography, training slide and audit checklist. Re-validate any clause-specific cross-references that may have moved between editions.

→ ASC's FSSC 22000 V7 Document Toolkit already references the new ISO 22002-x:2025 series throughout.

NC 2 — Food fraud plan does not reference ISO 22002-100:2025 clause 16.3

Major · Clause: 2.5.4 · Sector: all

What the auditor sees: a vulnerability assessment built using a pre-V7 methodology (often the Foundation FSSC V6 guidance), with no reference anywhere to ISO 22002-100:2025 clause 16.3. The plan looks competent in isolation, but doesn't anchor to the V7 normative reference.

Root cause: the existing V6 plan was renamed to "V7" without rebuilding it from the new clause.

The fix: re-run the vulnerability assessment using ISO 22002-100:2025 clause 16.3 as the methodology. Document mitigation measures for each "vulnerable" raw material category. Schedule annual review with documented outcomes.

→ Build competence with ASC's Food Fraud and Food Defence course.

NC 3 — Food defence plan does not reference ISO 22002-100:2025 clause 16.2

Major · Clause: 2.5.3 · Sector: all (FII has additional supplier expectation)

What the auditor sees: a threat assessment that follows the "TACCP" methodology familiar from V6 but without clause 16.2 anchoring. For Category FII (brokering / trading / e-commerce) the auditor additionally expects the organisation to verify suppliers' food defence plans — and that verification record is missing.

Root cause: same as NC 2 — V6 plan renamed rather than rebuilt.

The fix: rebuild the threat assessment from clause 16.2; expand scope to include cyber, insider, supply-chain and tampering threat categories; for FII, build a supplier food-defence-verification register.

→ ASC's Food Fraud and Food Defence course covers V7 methodology in full.

NC 4 — FSMS scope statement still references "V6"

Minor · Clause: ISO 22000:2018 § 4.3 · Sector: all

What the auditor sees: the formal FSMS scope of the management system still says "FSSC 22000 V6". The certificate scope therefore appears inconsistent with the documented system, raising additional questions in the audit closing meeting.

Root cause: the scope statement was updated mentally but not in the controlled document.

The fix: update the FSMS scope statement, the FSMS manual cover, the management review pack header, the internal audit pack and any communication-of-scope documents. Coordinate with the CB to update certificate scope wording at next reissue.

→ Use the V7-aligned scope template included in the FSSC 22000 V7 Document Toolkit.

NC 5 — Country of intended sale not reflected in label control procedure

Major · Clause: 2.5.2(a) · Sector: all manufacturers

What the auditor sees: the label control procedure references "country of manufacture" rules only. International products are released without a country-of-intended-sale label review. For exporters, the auditor will sample finished products and trace the label-approval audit trail back — and find it missing.

Root cause: the V6 procedure was country-of-manufacture based; V7 explicitly inverts the requirement.

The fix: update the label control procedure to require country-of-intended-sale review for every export market. Build a market-by-market label requirements register (allergens, claims language, languages, weight/measure units, safety symbols). Train design and QA teams.

→ ASC implementation consulting includes label procedure refresh and market-specific label review training.

GROUP 2 — ALLERGEN MANAGEMENT (NCs 6–9)

V7 clause 2.5.6 is one of the most heavily inspected Additional Requirements. Allergen-related findings drive recalls and brand damage in the real world, so auditors hunt them aggressively.

NC 6 — Precautionary "may contain" labels used as substitute for allergen control

Major · Clause: 2.5.6 · Sector: all manufacturers

What the auditor sees: finished products carry "may contain" warnings, but the underlying allergen risk assessment is thin and there is no validation evidence that the warnings are necessary or that other controls (cleaning validation, scheduling, line dedication) have been considered.

Root cause: a precautionary label is treated as a control. Under V7 it is explicitly NOT — labels do not exempt the organisation from controls.

The fix: rebuild the allergen risk assessment; validate cleaning between products with shared allergens; verify with risk-based testing (swabs, finished-product tests); only retain "may contain" wording where validated as necessary; document the decision logic.

→ The V7 Toolkit includes a complete allergen risk assessment and validation pack.

NC 7 — Allergen list covers raw materials only, not finished products

Major · Clause: 2.5.6 · Sector: all manufacturers

What the auditor sees: the allergen master list shows allergens by raw material but does not cumulate them into a finished-product allergen profile. When the auditor asks "which finished products contain X allergen" the QA team has to derive it manually.

Root cause: the allergen system was built bottom-up from BOMs and never consolidated upward to product level.

The fix: rebuild the allergen list to cover both raw materials AND finished products, including cross-contact pathways. Cross-reference label declarations. Verify the entire register annually.

→ ASC's implementation consulting rebuilds allergen registers as a discrete deliverable.

NC 8 — Allergen risk-based verification testing programme missing

Major · Clause: 2.5.6 · Sector: sites where multiple products with different allergen profiles share a production area

What the auditor sees: the site shares a line between products with different allergen profiles. There is no documented swab or finished-product testing programme to verify allergen control between changeovers.

Root cause: testing is done ad-hoc when something goes wrong, not as a planned verification.

The fix: design a risk-based verification programme — swab points, frequency, action limits, escalation. Validate cleaning. Document trending. Review annually.

→ Build allergen verification competence with ASC's Advanced HACCP System Implementation course.

NC 9 — Allergen training not evidenced for all personnel

Minor (escalates to Major if production operators show poor knowledge) · Clause: 2.5.6 · Sector: all

What the auditor sees: training records exist for the QA team and HACCP team. Production operator records are missing or out of date. Random operator interviews reveal patchy allergen knowledge.

Root cause: allergen training was treated as a QA discipline rather than an organisational expectation under V7.

The fix: run an organisation-wide allergen training refresh. Capture in the training matrix. Schedule annual recurrence. Use random verbal verification at internal audits.

→ Use ASC's online Basic Food Safety for Food Handlers alongside in-house allergen-specific induction.

GROUP 3 — FOOD SAFETY CULTURE (NCs 10–12)

Clause 2.5.8 is the single most underestimated V7 finding. Auditors interview frontline operators — and culture findings cluster fast when documentation is strong but operators don't know.

NC 10 — Food culture plan unknown to production operators

Major · Clause: 2.5.8 · Sector: all

What the auditor sees: a comprehensive food safety culture plan signed by the Managing Director. When the auditor interviews production operators, supervisors and line leaders, they cannot describe the culture commitment in their own words.

Root cause: the plan was written for the audit, not for the workforce. Communication was a single email.

The fix: communicate the plan operationally — toolbox talks, shift huddles, visible commitments at line level, recognition programmes. Schedule quarterly culture pulse checks. Track changes in operator awareness over time.

→ ASC's Food Safety and Quality Culture course embeds culture across the organisation, not just in the QA office.

NC 11 — Food culture plan has no measurable objectives

Major · Clause: 2.5.8 · Sector: all

What the auditor sees: the plan is a policy statement only — values and intent without metrics, baselines or targets. Senior management cannot show evidence of measuring progress.

Root cause: the requirement to measure culture is new to V7 and was not understood as a hard expectation.

The fix: define measurable culture objectives covering communication, training, employee feedback, engagement and performance. Set baselines. Track quarterly. Discuss in management review.

→ Speak to an ASC consultant for a culture programme design built to V7 measurability standards.

NC 12 — Employee feedback mechanism documented but not used

Minor · Clause: 2.5.8 · Sector: all

What the auditor sees: a feedback channel exists on paper — a culture mailbox, a digital form, a dedicated email — but no records of input, no records of management response, and no integration into management review.

Root cause: the feedback mechanism was set up for the audit and never operationalised.

The fix: establish a quarterly review of feedback inputs. Document each input and the management response. Include a summary in management review.

→ ASC's consulting team can embed culture feedback into your existing management review cadence.

GROUP 4 — FOOD FRAUD & FOOD DEFENCE (NCs 13–15)

Beyond the missing-clause-reference findings (NCs 2 and 3), three further fraud/defence findings recur repeatedly.

NC 13 — Food fraud vulnerability assessment uses pre-V7 methodology

Major · Clause: 2.5.4 · Sector: all

What the auditor sees: the assessment uses an older Foundation FSSC template or an ad-hoc methodology with no anchoring to ISO 22002-100:2025 clause 16.3. Mitigation measures don't address all "vulnerable" raw material categories.

Root cause: see NC 2.

The fix: rebuild from clause 16.3; rerun across all raw material categories; document mitigation per vulnerable input; annual review.

ASC's Food Fraud and Food Defence course.

NC 14 — Food defence threat assessment scope too narrow

Minor · Clause: 2.5.3 · Sector: all

What the auditor sees: the assessment covers physical site security only — perimeter fencing, access control, CCTV. Cyber, insider, supply-chain and intentional adulteration threats are not addressed.

Root cause: the V6 plan was a narrow physical-security exercise; V7's clause 16.2 expects broader threat coverage.

The fix: expand the threat assessment scope to all 22002-100:2025 clause 16.2 categories. Validate mitigation measures.

Food Fraud and Food Defence course covers full V7 threat scope.

NC 15 — Annual review of food fraud and food defence missing

Minor · Clauses: 2.5.3, 2.5.4 · Sector: all

What the auditor sees: last review date on either plan is more than 12 months old. No documented outcomes, no triggers for change.

Root cause: annual review was not scheduled into the management calendar.

The fix: schedule an annual review for both plans into the management review cadence. Document inputs (industry incidents, supplier changes, new product launches, regulatory changes) and outcomes.

→ Embed the review schedule with help from an ASC virtual consultation.

GROUP 5 — SUPPLIER & PURCHASING (NCs 16–18)

V7 strengthens supplier-related expectations across allergens, food fraud, food defence and recycled-input criteria. Three findings recur frequently.

NC 16 — Procurement policy for prohibited substances missing

Major · Clause: 2.5.1 · Sector: C0, CI, CIII, CIV

What the auditor sees: the site procures animals, fish, seafood or plant materials potentially exposed to pharmaceuticals, veterinary medicines, heavy metals or pesticides. There is no documented procurement policy controlling supplier expectations on these substances.

Root cause: the V6 supplier programme covered general food safety but not the specific prohibited-substances scope under V7.

The fix: draft a procurement policy explicitly addressing prohibited substances by category. Include in supplier specifications, supplier questionnaires and goods-in inspection criteria.

→ Consider a complete supplier programme refresh through ASC implementation consulting.

NC 17 — Emergency procurement procedure missing

Minor · Clause: 2.5.1 · Sector: BIII, C, D, I, FII, G, K

What the auditor sees: when raw material supply is interrupted (supplier failure, force majeure, transport disruption), the site has no documented procedure for sourcing from non-approved suppliers under controlled conditions.

Root cause: emergency procurement is an exception activity that was never formalised.

The fix: draft an emergency procurement procedure with: trigger criteria, approval workflow, risk assessment template, additional verification testing requirements, retroactive supplier approval timeline.

→ Procedure templates included in the FSSC 22000 V7 Document Toolkit.

NC 18 — Supplier approval programme does not include allergen verification

Major · Clauses: 2.5.1, 2.5.6 · Sector: all manufacturers

What the auditor sees: supplier files do not document allergen status or allergen control commitments. Goods-in inspection does not verify allergen declarations match the spec.

Root cause: allergen status was assumed from the spec but not built into supplier approval and verification processes.

The fix: update the Supplier Assessment Questionnaire (SAQ) to require allergen declaration with documented evidence. Verify at goods-in. Include allergen verification in supplier audits.

→ ASC's Internal and Supplier Auditing course teaches V7-aligned supplier audit practice.

GROUP 6 — OPERATIONS, PRPs & FOREIGN MATTER (NCs 19–22)

NC 19 — Foreign matter risk assessment does not justify presence/absence of detection equipment

Major · Clause: 2.5.11 · Sector: all except FII

What the auditor sees: some lines have metal detectors; others don't. There is no documented risk assessment justifying why detection is or isn't required by line. Breakage management for metal/ceramic/hard plastic is informal.

Root cause: historical equipment decisions were never documented as risk-based justifications.

The fix: run a foreign-matter risk assessment by line. Justify detection equipment presence (or absence). Document breakage management for metal/ceramic/hard plastic. Verify detector challenge tests cover all relevant contaminant types.

V7 Document Toolkit includes foreign-matter risk-assessment templates.

NC 20 — 3-working-day CB notification trigger not embedded in incident procedure

Minor · Clause: 2.5.17 · Sector: all

What the auditor sees: the incident-management procedure does not reference the V7 obligation to notify the Certification Body within 3 working days of FSMS-impacting events, force-majeure, public food safety events, regulatory actions, legal proceedings, fraudulent activities or corruption.

Root cause: the notification obligation is new in V7 and was missed in the procedure refresh.

The fix: add a CB notification step to the incident-management procedure, with clear trigger criteria, designated responsible person, and template notification format.

→ Notification template included in the V7 Toolkit.

NC 21 — Food loss and waste policy missing measurable targets

Minor · Clause: 2.5.16 · Sector: all EXCEPT Category I

What the auditor sees: the site has a sustainability or environmental statement that mentions food loss and waste but no documented policy, no measurable targets, no timelines, and no donation or surplus management procedure.

Root cause: sustainability messaging was treated as marketing rather than as a V7 management requirement.

The fix: draft a food loss and waste policy with measurable targets, baseline, monitoring methodology, timelines, donation controls and surplus management.

→ Speak to an ASC consultant to align the policy with your existing sustainability KPIs.

NC 22 — Hygienic-design specification for new equipment missing

Major · Clause: 2.5.15 · Sector: all manufacturers

What the auditor sees: CapEx purchasing of process or food-contact equipment proceeds without a documented hygienic-design specification. Risk-based change management is informal. New equipment is commissioned without documented commissioning evidence.

Root cause: hygienic design has historically lived in engineering's head, not in QA-controlled documentation.

The fix: draft a hygienic-design specification template. Embed in the CapEx approval process. Make commissioning evidence a formal sign-off step.

→ The V7 Document Toolkit includes a hygienic-design specification template.

GROUP 7 — SYSTEM MAINTENANCE (NCs 23–25)

NC 23 — Internal audit plan does not cover all 18 V7 Additional Requirements

Major · Clauses: 2.5.12, ISO 22000:2018 § 9.2 · Sector: all

What the auditor sees: the internal audit programme covers ISO 22000 clauses well but maps incompletely to the 18 V7 Additional Requirements. Several clauses (typically 2.5.8 culture, 2.5.16 food loss and waste, 2.5.14 traceability) appear nowhere in the schedule.

Root cause: the V6 internal audit plan was carried into V7 without remapping.

The fix: rebuild the annual internal audit plan to cover every Part 2 Additional Requirement at least once per year, plus all ISO 22000 clauses. Train internal auditors on V7-specific changes.

→ ASC's Internal and Supplier Auditing course rebuilds internal audit competence to V7 expectations.

NC 24 — Management review missing V7 strategic clauses

Minor · Clauses: 2.5.3, 2.5.4, 2.5.8, 2.5.16, ISO 22000:2018 § 9.3 · Sector: all

What the auditor sees: the management review template still follows the V6 input/output structure. V7 strategic discussion areas — food safety culture metrics, food fraud and defence reviews, food loss and waste targets, SDG contribution — are absent from the review pack and meeting minutes.

Root cause: the management review template was carried unchanged from V6.

The fix: update the management review input/output template to capture all V7 strategic items. Brief senior management on V7 talking points before the next review.

→ ASC implementation consulting includes management review template refresh and senior management briefing.

NC 25 — Multi-site sampling not using new V7 formula

Major · Clause: 2.5.18 · Sector: BIII, E, F, G with multi-site certification

What the auditor sees: sample size for the multi-site programme is calculated from IAF MD 1's table, not from the new V7 formula y = 20 + √(x − 20). The audited sample is too small.

Root cause: the V7 sampling formula change was missed during transition planning.

The fix: recalculate sample size using y = 20 + √(x − 20) for BIII, E, F and G. Update the multi-site governance documentation, central function records, and internal audit programme to reflect the new sampling intensity.

→ Multi-site programmes are complex; engage ASC consulting early to recalculate and resequence the audit programme.

How ASC Food Safety Prevents These Findings — Services and Resources

Every one of the 25 non-conformances above can be prevented. ASC Food Safety Consultants delivers the full prevention stack:

  • V7 gap audit — surface every NC before your CB does. Speak to a consultant →
  • FSSC 22000 V7 Document Toolkits — V7-aligned document set for food manufacturing, packaging, feed and animal food. Browse toolkits →
  • FSSC 22000 V7 Transition Course — three modules: scheme overview, Part 2 audit requirements, Part 3 certification process. Self-enrol →
  • Food Safety and Quality Culture course — embed culture across all personnel, not just QA. Self-enrol →
  • Food Fraud and Food Defence course — rebuild plans against ISO 22002-100:2025 clauses 16.2 and 16.3. Self-enrol →
  • Internal and Supplier Auditing course — rebuild internal audit competence to V7. Self-enrol →
  • Root Cause Analysis course — close findings effectively the first time. Self-enrol →
  • Mock audit / pre-certification review — by IRCA-, Exemplar Global- or SAATCA-credentialed lead auditors. Book a mock audit →
  • Premium virtual consultation — hourly expert input for specialist questions. Book a consultation →

Frequently Asked Questions

What are the most common FSSC 22000 V7 non-conformances?

The most common V7 non-conformances cluster in seven thematic areas: documentation and references not updated to V7, allergen management, food safety culture, food fraud and food defence (alignment to ISO 22002-100:2025 clauses 16.2 and 16.3), supplier and purchasing controls, operational PRPs and foreign-matter management, and system maintenance — internal audit and management review. This guide details the top 25 across these themes.

How are FSSC 22000 audit findings graded?

Audit findings are graded as Minor, Major or Critical. Minor findings indicate a documentation or process gap that does not affect food safety integrity and must be closed within ~90 days. Major findings indicate a significant breakdown that could affect food safety and must be closed within ~28 days with verified evidence. Critical findings cause immediate audit failure — the audit converts to a gap assessment.

What is the most underestimated V7 non-conformance?

Food safety culture findings under clause 2.5.8. V7 explicitly expects demonstrable commitment from all personnel — not just senior management. Auditors interview production operators, supervisors and line leaders. A culture plan that exists only on paper or only in QA's head will fail the test, regardless of how comprehensive the documentation looks.

What changed in V7 traceability requirements?

V7 clause 2.5.14 was repurposed from V6's "Health Status" to a new traceability requirement specifically for Category C0 (animal primary conversion). It requires traceability of all edible parts of the carcass — including blood for human consumption — until the carcass is deemed fit for human consumption. C0 sites that did not previously implement this level of carcass traceability will face a Major finding under V7.

How long do I have to close FSSC 22000 audit findings?

Closure timeframes vary by certification body but typically follow the FSSC scheme requirements: Major findings within 28 days of the audit closing meeting (with verified evidence of root cause analysis, correction and corrective action); Minor findings within 90 days. A Critical finding causes immediate audit failure and the site must remediate fully before re-booking a new initial audit.

Can ASC Food Safety help us close FSSC 22000 V7 non-conformances?

Yes. ASC delivers root cause analysis training, corrective action coaching, document refresh consulting and pre-surveillance mock audits to verify findings have been closed effectively before the certification body returns. Our lead auditors hold IRCA, Exemplar Global and SAATCA credentials and have closed thousands of FSSC 22000 audit findings across food manufacturing, packaging, catering, retail, animal feed and biochemical production sites.

Don't Wait for Your CB to Find These

Every one of these 25 non-conformances is preventable. The cheapest fix is the one made before the auditor sees it. Book a V7 gap audit, enrol in V7 transition training, or download the toolkit — your next audit window is closer than you think.

Book a V7 gap audit   Self-enrol in V7 training   Download a V7 toolkit   Book a virtual consultation

↑ Back to top

About ASC Food Safety Consultants

ASC Food Safety Consultants is an international food safety consultancy and training provider headquartered in South Africa. Our consultants are FSSC 22000 lead auditors with competence registered with IRCA (International Register of Certificated Auditors, UK), Exemplar Global (USA / Australia) and SAATCA (Southern African Auditor and Training Certification Authority). We work across primary production, food manufacturing, packaging, catering, retail, transport and biochemical production — across South Africa, the SADC region, the EU, the UK, the US, the GCC and Australia.

"Leading with Science. Ensuring Food Safety."

Accreditations: SAATCA-registered training provider · FoodBev SETA accredited · IRCA-credentialed lead auditors · Exemplar Global certified auditors · B-BBEE Level 1 (135% procurement recognition).

Branches and contact

Eastern Cape — Head Office: 14 Brickmakers Kloof Road, South End, Gqeberha, 6001 · +27 (0)41 004 0382

Gauteng: Atrium Terraces, 272 Oak Avenue, Ferndale, Randburg, 2194 · +27 (0)10 500 4661

Western Cape: 183 Albion Springs, Rondebosch, Cape Town, 7700 · +27 (0)21 140 1504

Email: info@ascfoodsafety.com · Web: ascfoodsafety.com · Training: ascfoodsafetytraining.com

Related FSSC 22000 V7 articles on ascfoodsafety.com

Published 9 May 2026. Disclaimer: this article is an educational guide based on FSSC 22000 V7 audit experience. The official, binding source for V7 requirements is the English-language version of the Scheme published by Foundation FSSC.

Leave a Comment

I accept the Terms and Conditions and the Privacy Policy