HACCP, ISO 22000 and Food Safety Compliance: Document Management Guide for Australian Businesses

Food safety compliance in Australia requires documented evidence at every stage of production and supply: hazard analyses, critical control point records, supplier certificates, traceability logs and corrective action reports. Australian food businesses must satisfy at least three overlapping documentary regimes simultaneously — statutory obligations under the Australia New Zealand Food Standards Code (ANZFSC) enforced by state and territory food authorities, the requirements of their chosen food safety management standard (HACCP, ISO 22000 or a GFSI-benchmarked scheme), and the commercial audit criteria imposed by major retailers such as Woolworths and Coles. A gap in any layer — an unrecorded CCP deviation, a missing Certificate of Analysis, or an outdated Prerequisite Programme review — can result in a failed state authority inspection, a suspended retail supplier listing or a product recall carrying penalties of up to $550,000 for corporations under the NSW Food Act 2003.

Document fraud in food supply chains is accelerating. Our platform has processed over 2.4 million verified documents with a fraud detection recall rate of 94.8%, and internal analysis shows a 23% year-on-year increase (2024–2025) in fraudulent food safety certificates — including fabricated BRCGS certificates, doctored Certificates of Analysis and forged supplier audit reports. Automated document verification is therefore a control measure in its own right, not merely an administrative convenience.

This guide explains what each documentary layer demands under Australian law, how the main certification schemes compare, and how food businesses are cutting audit preparation time by up to 83% across enterprise deployments of document management platforms.

This article is provided for informational purposes only and does not constitute legal, financial or regulatory advice. Consult a qualified professional for questions relating to your specific situation.

HACCP Programs Under Standard 3.2.1: Who Needs Them and What to Document

HACCP (Hazard Analysis and Critical Control Points) operates in Australia under a risk-tiered model. Standard 3.2.2 of the Australia New Zealand Food Standards Code requires all food businesses to implement food safety practices proportionate to their risk, but Standard 3.2.1 (Food Safety Programs) imposes a formal, documented HACCP-based food safety program on specific higher-risk sectors. Standard 3.2.2A introduced mandatory food safety supervisor requirements and training documentation obligations for most food service and retail businesses from 8 December 2023.

The NSW Food Authority and equivalent state bodies enforce these obligations. Businesses in scope for Standard 3.2.1 include: food service to vulnerable persons (hospitals, aged care, childcare); processors of ready-to-eat and raw seafood; and manufacturers and processors of meat and poultry. For these businesses, the documented food safety program must be maintained, reviewed following any process or product change, and made available on request during a food authority inspection.

Prerequisite Programmes (PRPs) — cleaning and sanitation schedules, pest control contracts, maintenance logs, allergen management plans, supplier approval records — are required alongside the HACCP plan and are equally subject to inspection. The Safe Food Australia guidance publication issued by FSANZ provides the authoritative interpretation of these requirements for Australian operators.

State and territory food authorities carry out scheduled and unannounced inspections. Victoria's PrimeSafe and the Department of Health Human Services, Queensland Health, and equivalent bodies in South Australia, Western Australia and other states each publish their own inspection checklists, all grounded in the ANZFSC requirements.

ISO 22000:2018 and GFSI Certifications in the Australian Market

ISO 22000:2018 integrates HACCP with a full management system framework aligned to the ISO High Level Structure, making it compatible with ISO 9001 and ISO 14001. In Australia, certification bodies issuing ISO 22000 certificates must be accredited by JAS-ANZ (Joint Accreditation System of Australia and New Zealand), the peak accreditation body for both countries. JAS-ANZ accreditation is the recognised mark of credibility for food safety certification in the Australian and New Zealand markets.

Key documentary requirements specific to ISO 22000:2018 include:

• Scope statement (clause 4.3): a documented description of the products, processes and sites covered by the food safety management system.
• Hazard control plan (clause 8.5.4): the output of the hazard analysis, specifying control measures categorised as CCPs or Operational PRPs, with associated monitoring procedures and corrective action triggers.
• Traceability system (clause 8.3): documented procedures demonstrating one-step-back/one-step-forward traceability for raw materials, ingredients, packaging and finished products.
• Management review records (clause 9.3): minutes and action logs from at least one annual review by top management.
• Internal audit programme (clause 9.2): a risk-based schedule of internal audits, audit reports and evidence that non-conformities were addressed within defined timeframes.
• Competence records (clause 7.2): training matrices, certificates and records of on-the-job assessment for all personnel affecting food safety.

GFSI-benchmarked schemes — FSSC 22000, BRCGS Food Safety and SQF — are widely used by Australian food manufacturers and are required by major domestic retailers and export customers. FSSC 22000 v6 builds directly on an ISO 22000 foundation and adds FSSC-specific additional requirements (PRPs and food fraud prevention). JAS-ANZ accredits the certification bodies that audit and issue certificates under these schemes.

See our vendor compliance certificate verification guide for practical steps on collecting and verifying ISO 22000 and GFSI certificates from Australian and international suppliers.

Food Traceability in Australia: FSANZ Requirements and Best Practices

Traceability in Australia is governed primarily by Standard 1.2.1 of the ANZFSC, which requires food businesses to be able to identify the immediate supplier of any food and the immediate customer to whom food has been supplied. This one-step-back/one-step-forward obligation must be demonstrable promptly in a food safety emergency, product recall or Food Standards Australia New Zealand investigation.

The ANZFSC traceability obligation applies across the entire food chain: primary producers, manufacturers, importers, distributors and retailers. Food Recall requirements are also set out in the ANZFSC and are administered by FSANZ, which publishes guidance on voluntary and mandatory recall procedures.

The documentary evidence required to demonstrate traceability compliance includes:

• Goods received records: supplier name and address, product name, lot or batch number, quantity, date received — cross-referenced to purchase orders and delivery notes.
• Batch production records: which raw material batches (with lot numbers) were used to produce which finished product batches, on which date, on which line, and by which operator.
• Finished goods dispatch records: which finished product batches were shipped to which customers, on which date, via which carrier, and under which delivery note or invoice number.
• Recall and withdrawal procedures: a documented procedure reviewed and tested at least annually, with mock recall exercise records retained as evidence of system effectiveness.

For export-oriented Australian food businesses — and Australia is a major exporter of beef, lamb, wheat, dairy, wine and seafood — traceability records must also satisfy the importing country's requirements. Exports to the EU must comply with Regulation (EC) 178/2002 traceability standards; exports to the United States must address FDA FSMA Foreign Supplier Verification Program (FSVP) requirements; exports to China must comply with GACC (General Administration of Customs China) registration and traceability obligations. Australian export meat establishments operate under DAFF (Department of Agriculture, Fisheries and Forestry) audit and may require additional National Vendor Declaration and Property Identification Code records.

Australian Retailer Certifications: Woolworths, Coles and Export Requirements

Statutory compliance is the floor, not the ceiling. Securing and maintaining a supplier listing with major Australian retailers requires satisfying scheme-specific audit criteria that substantially exceed the legal minimum. Woolworths Supplier Requirements and Coles Supplier Requirements both mandate GFSI-recognised certification for direct food suppliers, typically BRCGS Food Safety, FSSC 22000 or SQF.

The Australian Meat Industry Council (AMIC) publishes HACCP guidance tailored to the meat industry, and meat processing establishments seeking export licences are audited by DAFF against Australian Standard AS 4696. Seafood businesses may be required to comply with Primary Production and Processing Standards under the ANZFSC, enforced by state authorities including SafeFish.

For export to the EU, BRCGS Issue 9 or FSSC 22000 combined with EU-specific registration is commonly required. For export to the US, SQF or FSSC 22000 combined with FDA FSVP compliance documentation provides the strongest foundation. JAS-ANZ accredits all major certification bodies operating in Australia.

Automating Food Safety Document Management

The two most common operational pain points in Australian food safety management are: collecting Certificates of Analysis from a large and geographically dispersed supplier base within the timeframe required by retailer supplier standards, and producing three to five years of PRP review records, corrective action logs and calibration certificates on short notice during an unannounced state authority inspection.

Both describe the same underlying problem: food safety document management remains, in most Australian food businesses, a manual process built on shared drives, email chains and spreadsheets. The consequences are predictable — documents are unversioned or missing, supplier CoAs are filed by product name rather than lot number, and signed cleaning schedules from three months ago cannot be located during an inspection.

Our platform reduces audit preparation time by 83% for the 85+ enterprise food clients who have deployed it. Every document — supplier certificate, CoA, calibration record, corrective action form — is ingested at source, assigned to the correct supplier, product and lot reference, and verified against expected parameters before it enters the approved document set. The 94.8% fraud detection recall rate means that a forged BRCGS certificate or a CoA with a manipulated microbiological result is flagged at intake rather than discovered during an audit.

Practical capabilities that address common Australian industry pain points:

• Automated CoA collection and matching: suppliers receive a secure upload link triggered at each delivery. The platform matches the CoA to the purchase order, checks that reported values fall within the approved specification, and places a hold on non-compliant or missing CoA lots automatically.
• PRP review scheduling and evidence capture: cleaning records, pest control reports and maintenance logs are collected on a defined schedule with automatic escalation if a record is overdue. The audit trail shows not just whether a record exists but when it was uploaded and who reviewed it.
• Certificate expiry monitoring: supplier ISO 22000, BRCGS and SQF certificates are tracked against expiry dates. Procurement teams receive alerts 90, 60 and 30 days before a certificate lapses, preventing approved supplier lists from going out of date between audits.
• Mock recall support: traceability queries — "show me all finished goods batches that contain ingredient lot X" — are resolved in seconds, enabling effective and well-documented mock recall exercises.

For related guidance on how document compliance works in adjacent supply chain functions, see our article on transport and logistics document compliance and the broader industry verification guide.

The CheckFile platform integrates with existing ERP and quality management systems via API, extending automated document verification to food safety records without replacing existing infrastructure. Security architecture and data handling details are at /securite, and pricing for food sector deployments is at /tarifs.

State Authority Inspections: What Assessors Check

Food safety inspections in Australia are carried out by state and territory food authorities: the NSW Food Authority, PrimeSafe and DHHS in Victoria, Queensland Health, SA Health, the WA Department of Health, and equivalent bodies in Tasmania, the ACT and the Northern Territory. Inspections may be announced or unannounced and are typically risk-rated, with higher-risk businesses inspected more frequently.

During an inspection, food safety assessors will typically examine:

• The food safety program (HACCP plan): Is it documented and current? Has it been reviewed following any change in product, process or premises? Are critical limits scientifically justified? Are monitoring records complete and signed?
• Temperature records: Are refrigeration and cooking temperatures being logged at the required frequency? Are there corrective action records for any out-of-range readings?
• Cleaning and sanitation records: Is there a written schedule? Are signed cleaning records current and complete? Are sanitiser concentrations being verified and recorded?
• Allergen management: Is there a documented allergen management procedure? Are allergen declarations for all ingredients current and cross-referenced to recipes and labels?
• Supplier approval records: Can the business demonstrate that it sources from approved suppliers and that certificates and CoAs are being actively collected and reviewed?
• Training records under Standard 3.2.2A: Can the business show that food handlers have received appropriate food safety training? Is there a current food safety supervisor certificate for the business? Records of training, including dates and competency assessments, must be maintained.
• Calibration records: Are thermometers and other measuring instruments calibrated on a documented schedule with records retained?

A business holding a current BRCGS or FSSC 22000 certificate from a JAS-ANZ accredited certification body will typically have all of the above documentation in place, but certification does not exempt the business from statutory state authority inspection. Assessors inspect against the ANZFSC baseline, and a certified business that has allowed its operational records to deteriorate between certification audits will still receive enforcement notices or corrective action requirements.

The most common documentary failures in Australian food authority inspection data are: incomplete CCP monitoring logs with unexplained gaps; allergen management procedures that have not been updated after recipe changes; and supplier approval records that are not maintained as active documents — the initial questionnaire was completed but CoAs are not being collected or reviewed on an ongoing basis.

Frequently Asked Questions

What businesses in Australia are legally required to have a documented HACCP-based food safety program under Standard 3.2.1?

Standard 3.2.1 of the Australia New Zealand Food Standards Code requires businesses in specific higher-risk categories to have a documented, HACCP-based food safety program. These include: food service to vulnerable persons (hospitals, aged care facilities, childcare centres); businesses that process raw or ready-to-eat seafood; and manufacturers or processors of meat and poultry. All other food businesses must comply with Standard 3.2.2 food safety practices, but are not required to have a fully documented HACCP program unless their state or territory food authority imposes additional requirements or their retail customers mandate it.

Which GFSI certification is most commonly required by Woolworths and Coles in Australia?

Both Woolworths and Coles require GFSI-recognised certification for direct food manufacturing suppliers. BRCGS Food Safety Issue 9 and FSSC 22000 v6 are the most commonly specified schemes. SQF is also accepted by most major Australian retailers, particularly for businesses that primarily export to the United States. The specific scheme accepted for a particular category should always be confirmed in writing with the retailer's supplier quality team, as requirements can vary by product type and supply agreement.

How long must food safety records be kept in Australia?

Record retention requirements vary by state and by certification scheme. The ANZFSC does not prescribe a universal retention period, but three years is the common minimum for operational records across most state food safety regulations. BRCGS Food Safety Issue 9 and FSSC 22000 both specify a minimum of five years for the HACCP plan and associated technical documents, and shelf-life plus one year (or shelf-life plus six months under some state guidance) for product-specific records relating to perishable goods. Businesses should align their retention policy to the most demanding requirement applicable to their market — typically the retailer scheme.

What is the role of JAS-ANZ in Australian food safety certification?

JAS-ANZ (Joint Accreditation System of Australia and New Zealand) is the joint government accreditation body for Australia and New Zealand. It accredits the certification bodies authorised to issue food safety management system certificates under ISO 22000, FSSC 22000, BRCGS and SQF schemes. A certificate issued by a JAS-ANZ accredited certification body carries recognised credibility in the Australian, New Zealand and international markets. Businesses procuring food safety certificates from suppliers should verify that the issuing certification body is listed on the JAS-ANZ register before relying on the certificate.

How can an Australian food manufacturer manage CoA collection from a large supplier base during a BRCGS audit?

The most effective approach is a supplier portal that triggers a secure document upload request at purchase order confirmation or goods receipt. Automated matching against purchase order references and product specifications ensures each CoA is linked to the correct lot and that out-of-specification results generate immediate holds. Analysis of enterprise food clients shows this approach reduces CoA processing time by over 80% compared with manual email-based collection and eliminates the most common source of missing CoA records at BRCGS and FSSC 22000 audits. The CheckFile platform supports this workflow for businesses managing supplier bases from 20 to over 2,000 active suppliers. See /tarifs for Australian deployment options.