AROVELA
AROVELA
Back to Blog

ISO 22000, HACCP, GMP Explained: What B2B Buyers Must Verify Before Their First Order

April 17, 2026Arovela Team
ISO 22000, HACCP, GMP Explained: What B2B Buyers Must Verify Before Their First Order

Why certifications matter for B2B procurement

Certifications are the language B2B buyers use to compress trust into a single line on a quotation. ISO 22000, HACCP, and GMP each prove that a supplier operates a documented, audited system to control specific risks — food safety hazards, process deviations, contamination. For a buyer placing a six-figure order with a manufacturer they have never visited, those certificates are the closest available proxy for on-site due diligence. But only if the buyer reads them carefully — because not every certificate proves what its holder implies.

ISO 22000 — what it actually proves (and what it doesn't)

ISO 22000:2018 is a Food Safety Management System (FSMS) standard published by the International Organization for Standardization. A certified facility has demonstrated, to a third-party accredited certification body, that it operates a system covering:

  • Food safety policy and management commitment
  • Hazard analysis (built on HACCP principles)
  • Prerequisite programs (PRPs): cleaning, pest control, personnel hygiene, building integrity
  • Operational PRPs and critical control points (CCPs)
  • Traceability and recall procedures
  • Internal audit and continual improvement

What ISO 22000 does prove: a working management system exists, has been audited, and has not failed a recertification (typically every three years with annual surveillance).

What ISO 22000 does not prove: that any specific batch you receive is safe. The certificate says the system is in place; it says nothing about whether the system was followed on the day your container was packed. That gap is closed by batch CoA, retained sample, and audit trail — not by the certificate itself.

HACCP — process vs certification

Hazard Analysis and Critical Control Points (HACCP) is a method, not a single certificate. It originated with NASA in the 1960s for astronaut food safety and is now embedded in food law across the EU, US, and most major markets.

The core idea is simple: identify the steps in your process where a biological, chemical, or physical hazard could enter; define a critical control point (CCP) at each; set a measurable limit; monitor it; document it; respond when limits drift.

Where buyers get confused:

  • HACCP plan — every food business in regulated markets is legally required to have one
  • HACCP certification — voluntary, issued by a certification body against a specific scheme (often Codex Alimentarius HACCP, or a country-specific scheme)

A "HACCP certificate" hung in a factory office is meaningful only if you check the scheme name and certification body. A self-declared HACCP plan is not a certificate. ISO 22000 wraps HACCP inside a wider FSMS — for most buyers, asking for ISO 22000 is the cleaner request.

GMP variants: cGMP, EU-GMP, WHO-GMP — which applies when

Good Manufacturing Practice is a regulated framework, not a single document. Which version applies depends on where your finished product will be sold and how it is regulated.

  • cGMP (US 21 CFR 117 / 21 CFR 111) — current GMP for food and dietary supplements in the United States. FDA-enforceable.
  • EU-GMP (EudraLex Volume 4) — for human and veterinary medicinal products marketed in the EU. Inspected by national competent authorities.
  • WHO-GMP — World Health Organization GMP, often required for emerging-market pharmaceutical procurement and as a baseline for tenders.
  • Cosmetic GMP (ISO 22716) — the global GMP standard for cosmetics. Effectively mandatory for any cosmetic ingredient or finished product placed on the EU market.
  • Food supplement GMP — typically national interpretations layered on top of ISO 22000 + HACCP.

If you are sourcing a botanical extract for a US dietary supplement, ask about cGMP per 21 CFR 111. If it's going into an EU cosmetic, ask about ISO 22716. If a supplier waves a generic "GMP certificate," ask which standard, which scope, which certification body. The honest ones give straight answers in one email.

Certificate authenticity: 3 verification methods

Counterfeit certificates exist. Verify before you wire a deposit:

  1. Direct certification-body lookup. Every legitimate certification body (SGS, Bureau Veritas, TÜV SÜD, DNV, Intertek, BSI, and accredited national bodies) maintains a public register of currently certified clients. Search the company name. If the certificate is genuine, it appears with the same scope, expiry date, and certificate number as on the document the supplier sent you.
  2. Accreditation chain. A certificate is only as good as the body that issued it, and that body's accreditor. Look for the IAF MLA mark (International Accreditation Forum). Cross-check the certification body in the IAF or the local accreditation register (e.g. UKAS, DAkkS, ANAB, TÜRKAK).
  3. Scope check. Read the scope statement on the certificate. "ISO 22000:2018 — production of dried herbs and essential oils" is verifiable. "ISO 22000 — quality management" with no scope and no version is a warning sign. If the scope on the certificate doesn't match what the supplier is actually selling you, the certificate is irrelevant for your purposes.

Spend twenty minutes on this on the front end. It is the single highest-ROI action in B2B sourcing diligence.

Beyond certs: audit trail, batch records, lab capability

A certificate is a snapshot. What you actually buy with each container is a moment of execution. Ask for:

  • Recent third-party audit reports — even a redacted summary tells you whether the auditor found minor or major findings, and whether they were closed
  • Sample batch records — the actual production paperwork for a recent lot in the product category you are buying. Look for completeness, legibility, and signed/dated entries
  • Lab capability statement — in-house or contracted, with which methods, accredited or not (ISO/IEC 17025 if accredited)
  • Retained sample policy — how long, under what conditions, and whether you can request release of a retained sample if a dispute arises
  • Recall and complaint history — twelve-month summary, anonymised. Suppliers who claim "zero" without context are either lying or do not investigate complaints

A supplier with ISO 22000 + ISO 22716 + a clean recent audit + readable batch records + a lab they can describe in detail is the operational profile worth committing to. See our certifications page for the full Arovela documentation set.

7 red flags that should kill the deal

  1. Certificate scan with no certification number — or one that doesn't show up on the issuer's register.
  2. A "GMP certificate" with no scheme name (cGMP? EU-GMP? Cosmetic GMP?). Vagueness here is the most common form of misrepresentation.
  3. Refusal to share batch GC-MS, CoA, or microbiology test results for a recent lot before you buy.
  4. Reluctance to host a virtual or in-person audit of the production facility. Reputable manufacturers expect this — it's normal.
  5. Pricing dramatically below market, with vague answers about how it's possible. The two real explanations — undeclared adulteration or non-compliant raw material — are both your problem after delivery.
  6. No clarity on sub-contracted operations. If part of the process happens at a third site, that site's certifications and audits matter to you, and the supplier should disclose them up-front.
  7. Push-back on documentation requests as the order moves from sample to pilot to production. Legitimate suppliers invest more documentation effort as commitment grows; problem suppliers do the opposite.

FAQ

My customer asks for "FDA approval" — does that exist for ingredients? The FDA does not approve food ingredients in the way it approves drugs. For most botanicals and dried foods, what exists is GRAS status, FDA facility registration, and FSMA compliance. A supplier "FDA-registered" simply means they have filed under the Bioterrorism Act — it is not an endorsement of product quality.

Is BRCGS or IFS Food a substitute for ISO 22000? For European retail buyers, BRCGS and IFS Food are usually preferred or required. They are GFSI-recognised schemes — broader and more retail-focused than ISO 22000. A supplier with BRCGS at AA grade is in strong shape for EU retail private label.

How often should certificates be renewed? ISO 22000 typically runs on a three-year certification cycle with annual surveillance audits. BRCGS and IFS are annual. Always check the expiry date on the document the supplier sends, not just the issue date.

Can a small supplier be properly certified? Yes. Certification scales to operation size. A small, focused operation with ISO 22000 + a relevant cosmetic or organic certificate can be a stronger partner than a huge operation with messy paperwork.

What if the supplier is in a country I can't easily visit? Use a third-party audit firm. SGS, Bureau Veritas, Intertek and several smaller specialists offer country-specific audit services for reasonable cost (typically USD 1,500–4,000 per audit day plus travel). Build it into your supplier-onboarding budget.

Ready to verify, then buy?

Trust is built one document at a time. Review the Arovela certifications page, browse the product catalogue, or contact our compliance team with the specific certificates and audit evidence you need to greenlight a first order. We expect — and welcome — the questions on this page.

Back to Blog

Get a Quote for Your Project

Contact us for wholesale supply, private label manufacturing or contract farming.

Get In Touch
Get a quote on WhatsApp