ISO 9001:2026 Revision to be Released Fall of 2026: Most Notable Changes

By Carrie Hayden
Based on an interview with George Cipolla

Looking back to 1987, it’s difficult to imagine that ISO 9001 certification would not only be relevant but also a mandatory supplier requirement in 2026. Some early naysayers didn’t think the standard would stick, that it would become another flash-in-the-pan quality program. Quite the opposite, the global standard continues to grow in terms of certifications, and according to a recent survey, there are more than 1.3 million organizations certified across 170 countries*.

Initially, the standard was to be revised every seven years. The initial version was released in 1987, revised in subsequent years, 1994, 2000, and 2015, with 2000 being the year with the most significant changes.

The 2026 standard is still in draft form due for release in the fall of this year. In conversations with our Consulting Manager and Lead Assessor, George Cipolla, the most notable emphasis is on the term ‘opportunity’ and its context when it is coupled with and/or differentiated from ‘risk’.

George goes on to explain, “In ISO 9000, the term ‘opportunity’ is not defined. However, it is commonly understood as a positive effect of risk, arising when an organization identifies and manages risks effectively.

“ISO 9001:2015 emphasizes the importance of recognizing opportunities as part of risk management, indicating that opportunities can present new changes for improvement and growth, even if they may also carry risks.”

“Risk,” however, is defined as “the effect of uncertainty” in the draft of the new standard.

Examples are as follows:

Example 1 Risk – Missing a delivery date

Example 1 Opportunity – automate scheduling for supervisors/leads so they don’t waste time parsing out their pieces of a massive shipping schedule

Example 2 Risk – accept the NC product at the receiving dock (too many receipts coupled with the human factor).

Example 2 Opportunity – streamline receiving inspection and implement a low-risk “Dock to Stock” process.

The takeaway is that we need to understand the subtle differences and similarities between risk and opportunity.

There is a note in the draft in Clause 6 Planning stating “Actions to address opportunities can include new practices, launching new products, creating new partnerships, leveraging new technologies, implementing new initiatives, and other actions to address current and changing needs and expectations of its customers and other relevant interested parties.

Some of the other changes:

• Incorporation of the 2024 climate change amendment into the main text (clauses 4.1 and 4.2)
• New wording on leadership, emphasizing quality culture and ethical behavior
• Strengthened links between the quality policy, organizational context, and strategic direction
• Broader recognition of interested parties, and extended awareness requirements

If all of this sounds like a new language, you’re not alone. Requirements can be interpreted differently. PJC certification consultants have been simplifying the language of ISO into easy-to-understand systems for over 30 years. Let us assist you in implementing the new requirements with ease through our transition programs.

For updates on this topic and others, follow us on LinkedIn.

You can also opt in on our website www.pjcinc.com

*ISO Survey https://www.the-iso-survey.html

Data Theft and Ransomware Continue to be a Threat to Businesses

Ransomware attacks increased globally by 32%, with some 7,419 attacks recorded. Many go unreported, as some pay hefty ransoms to recover their data. According to Exabeam’s 2025/Industrial Cyber report, manufacturing companies were the most targeted sector, with smaller companies being the most vulnerable.

The good news is that you can add another layer of protection by obtaining ISO 27001 certification for your organization. Most manufacturers are certified to ISO 9001, or one of its derivatives. Integrating this Information Security Management System into your current ISO system is not complicated with the right partner. Perry Johnson has been the company of choice since the late 1980’s, successfully helping thousands of organizations achieve certification.

Don’t wait until the bad thing happens – contact us today for a free consultation or download a free executive overview on ISO 27001 at our website.

The System Must Work When No One’s Watching

Why This Matters

Food safety isn’t about passing audits. It’s about protecting people. And the single most important truth auditors carry—whether spoken or not—is this:

Your system must work when no one’s watching.

That’s the difference between compliance and culture. Between a binder and a behavior. Between a company that survives a recall and one that never needs one.

What Auditors See That Signals System Strength

• Unscripted execution: Can staff explain and perform tasks without coaching or cue cards?
• Evidence of ownership: Do operators take initiative when something’s off—or wait for a manager?
• System resilience: Does the process hold up during turnover, stress, or change?

Auditors don’t just look for records. They look for reality. They want to see your system breathing on its own.

Common Weaknesses That Break Under Pressure

• SOPs that are too vague, too long, or too theoretical.
• Training that ends with a signature, not a skill.
• Label control that relies on memory or manual edits.
• Allergen programs that assume perfect behavior.
• Sanitation programs that skip verification.

These systems might look good on paper—but they collapse when the lights go off.

How to Build a System That Works in the Dark

• Technician-proof SOPs: Clear, visual, and built for execution—not just approval.
• Competence-based training: Use verbal checks, “show me” drills, and mock audits.
• Automated label control: Link labels to approved formulations and lock down edits.
• Mock recalls and traceability drills: Test your system under stress, not just in theory.
• Culture visibility: Build systems that show ownership, not just obedience.

Final Thought

Auditors know: the best systems don’t need supervision. They’re built to work when no one’s watching. That’s not just food safety—it’s food integrity.

Food Safety Trends for 2025 and Beyond

By: M.R. Trace

Why This Matters

Food safety isn’t static—it’s evolving. And while most companies focus on today’s compliance, auditors are already scanning the horizon. In 2025, several regulatory and cultural shifts are reshaping how food systems will be built, verified, and defended.

What’s Coming: Key Regulatory Changes

1. FSMA Updates: Water, Traceability, and Produce Safety

• Pre-Harvest Agricultural Water Requirements: Farms must now conduct annual water assessments and reassess after any significant change. Compliance dates vary by farm size, starting April 7, 2025.
• Food Traceability Final Rule: Enhanced recordkeeping for foods on the FDA’s Traceability List. All affected entities must comply by January 20, 2026.
• Produce Safety Rule: Continued rollout of science-based standards for growing, harvesting, and holding produce.

2. Ingredient Bans and State-Level Action

• Brominated Vegetable Oil (BVO): Banned by the FDA in 2024 due to health risks.
• Red Dye No. 3 and Others: California and other states are pushing bans on additives, signaling a shift toward state-driven food safety.

3. Allergen Complexity

• Sesame: Now a major allergen, creating labeling and formulation challenges. Expect more scrutiny and possible expansion of the allergen list.
• Coconut: Per the new FDA guidelines, Coconut is no longer an allergen!

4. Food Defense Enforcement

• The FDA is now fully enforcing the Food Defense rule, moving from spot checks to formal audits.

5. FDA Reorganization Removed as an allergen

• The Human Foods program is undergoing a major restructure to improve regulatory efficiency. Expect new guidance and inspection protocols.

Systemic Trends Auditors Are Watching

• Traceability as a System, Not a Spreadsheet: Companies will need to show real-time traceability across ingredients, equipment, and personnel—not just paper trails.
• State vs. Federal Divergence: With states like California leading on additive bans, companies must prepare for patchwork compliance.
• Cultural Maturity: Auditors will increasingly assess not just systems, but the culture behind them—how well teams understand, own, and execute food safety.
• Digital Verification: Expect a rise in digital logs, automated label control, and AI-assisted traceability. Manual systems will face more scrutiny.

How to Future-Proof Your System

• Mock audits for traceability: Test your ability to trace allergens, ingredients, and packaging by lot and shift.
• Water assessment protocols: Build technician-proof SOPs for water source evaluation and hazard mapping.
• Label control automation: Reduce manual edits and link labels to approved formulations.
• Cultural visibility: Train for competence, not just compliance. Use verbal checks and scenario drills.
• State-level monitoring: Track emerging state regulations and build flexibility into your compliance strategy.

Final Thought

Auditors don’t just look at what’s in place—they look at what’s coming. The best systems aren’t just compliant—they’re resilient, adaptive, and built to evolve.

Would you like this version adapted for black-background training slides or turned into a “2025 Food Safety Readiness Checklist”? I can also build a companion piece on “Traceability That Works” or “Water Assessments Made Technician-Proof.”

Allergen Control: Beyond the Label

Why This Matters

Undeclared allergens are the leading cause of food recalls in the U.S., accounting for nearly half of all recall events in 2024. Of those label-related recalls, a staggering 83.85% stemmed from undeclared allergens. The average cost of a single recall? $10 million, not including lawsuits, reputational damage, or lost sales.

What Auditors See That You Might Miss

Auditors don’t just look at your label—they trace allergen risk through your entire system. Here’s where undeclared allergens often hide:

• Shared tools: Scoops, slicers, or utensils used across allergen and non-allergen products.
• Rework: Reintroducing product into the system without allergen traceability.
• Label printing: Manual label entry or outdated templates that miss allergens.
• Ingredient swaps: Last-minute substitutions not reflected in the label.
• Sanitation gaps: Incomplete cleaning between allergen runs, especially in dry environments.

How to Build Auditor-Visible Allergen Control

• Labeling: Automate label control and link it to approved formulations. Use mock audits to verify label accuracy.
• Separation: Create visual zoning, color-coded tools, and time-based scheduling to isolate allergens.
• Spill Clean-Up: Develop a technician-proof SOP with allergen-specific response steps and disposal protocols.
• Cleaning Validation: Use swabbing, ATP testing, or visual checks to confirm allergen removal—especially in dry clean areas.
• Create an allergen flow map: Show where allergens enter, move, and exit your system.
• Train for competence, not just compliance: Use verbal checks, not just sign-offs.
• Audit your sanitation program: Validate allergen removal with swabbing or visual checks.

Final Thought

Allergen control isn’t just about avoiding recalls—it’s about protecting lives. Auditors see beyond the label. So should you.

When “Corrective Action” Is Just Damage Control And What Corrective Action Is Not

Most facilities treat corrective action like a fire extinguisher—grab it when things go wrong, spray the problem and file the report. But clause-backed corrective action isn’t about optics or containment. It’s about systemic recalibration.

• Damage control is reactive.
• Corrective action is architectural.

Start with the Right Problem

A corrective action plan begins with a precise problem statement—not a solution, or a justification.

• Define the issue without solving it.
• Let clause cues guide your lens:
1. “Systemic” → not isolated
2. “Repeat finding” → ineffective past action
3. “Gap in control” → architectural flaw

If the finding reads like déjà vu, your system isn’t learning—it’s looping.

🔌 Corrective Action Is a Switch

Think of corrective action like a switch:

• Insert it → the problem disappears
• Remove it → the problem returns

If the issue persists with post-correction, you didn’t find the root—you found a symptom.

• Root cause analysis isn’t about blame.
• It’s about solving correcting the system that created the problem

🛠️ Correction vs. Corrective Action

Correction: An immediate fix to contain or resolve the issue (e.g. Re-cleaning a contaminated surface)

Corrective Action: Systemic change to prevent recurrence, based on root cause analysis (e.g. Revising sanitation SOP and retraining)

🎯 Match the Action to the Cause

If your root cause is “lack of training,” your corrective action isn’t “update the SOP.” The action must directly neutralize the root cause.

✅ Verification Isn’t a Checkbox

Verification must evaluate effectiveness, not just confirm completion.

Ask:

• Did the problem reoccur?
• Did the system behave differently post-action?
• Can we prove the fix worked under stress?

🌐 Preventive Action—The Look Across

Preventive action isn’t a bonus—it’s a systems mindset.

Use the root cause to scan adjacent systems:

• If one SOP was flawed, are others built on the same logic?
• If one operator misunderstood, is the training model flawed?

Corrective action closes the loop. Preventive action expands the lens.

🧭 Closing Thought

Corrective action isn’t a form. It’s a philosophy. When done right, it’s the difference between a facility that survives audits—and one that evolves through them.

Legacy isn’t built on fixes. It’s built

HACCP Without Blind Spots

By: M.R. Trace

Hazard Analysis and Critical Control Points (HACCP) is the backbone of food safety systems. It’s clause-backed, globally recognized, and mandatory in regulated environments. But here’s the uncomfortable truth:

Many HACCP plans look complete—until you audit them.

WHAT I SEE AS AN AUDITOR

I’ve reviewed hundreds of HACCP plans. Some are robust. Most are performative. Here are recurring gaps that compromise safety, traceability, and credibility:

• No mention of rework – Product re-entering the process isn’t addressed. Risk is recycled, not mitigated.
• Waste streams ignored – Disposal logic is missing. What leaves the system isn’t tracked.
• Customer returns excluded – Returned product is outside the hazard lens. That’s a blind spot.
• Flow chart not verified by HACCP Coordinator – No signature, no ownership. Just a diagram.
• Flow chart doesn’t match hazard analysis – Steps are skipped, merged, or mislabeled. The map doesn’t match the terrain.
• High-risk steps identified but not mitigated – Hazards are acknowledged, then left hanging. No CCP. No control.
• No clause-backed justification for exclusions – “Not applicable” is used like white-out, not like logic.

If a step is excluded, it must be evaluated and justified—per clause, not convenience.

METAL DETECTOR ≠ HACCP PLAN

One of the most common missteps I see:
Facilities treat the metal detector as their only Critical Control Point
It’s installed, calibrated, and documented—so they assume the job is done.

But here’s the clause-backed reality:

• Metal detection addresses one hazard type metal fragments.
• It does not mitigate biological, chemical, or other physical hazards (e.g., brittle plastic, glass, bone).
• It’s a last-line defense, not a comprehensive control strategy.

If your HACCP plan has one CCP — and its metal detection—you better have clause-backed justification for every other hazard being controlled upstream.

Otherwise, you’re not managing risk. You’re outsourcing it to a machine.

WHAT A CLAUSE-BACKED HACCP PLAN LOOKS LIKE

• Every process step is mapped, verified, and owned
• Rework, waste, and returns are addressed with hazard logic
• High-risk steps trigger mitigation — not just acknowledgment
• Flow chart and hazard analysis are synchronized and clause-referenced
• HACCP Coordinator signs off — not just in theory, but in practice
• Not applicable is justified with clause-backed rationale, not convenience
• CCPs are validated — not assumed

FINAL THOUGHT

HACCP plans don’t fail because the hazards are invisible. They fail because the system pretends not to see them. If your flow chart is decorative, your hazard analysis is incomplete, your CCPs are unvalidated, and your exclusions are unexamined— you don’t have a HACCP plan. You have a liability.

What a Food Safety Team Should Actually Be Doing

By: M.R. Trace

In most facilities, the food safety team gets mentioned in audits, training slides, and org charts—but what does it actually *do*? More importantly, what *should* it be doing?

Let’s strip away the fluff and look at the real work of a food safety team, not the ceremonial stuff. The operational stuff. The kind that keeps systems sharp, risks visible, and decisions grounded.

First, Define the Team

A food safety team isn’t just QA and the plant manager. It’s **cross-functional by design**. That means:

• Production brings process realities
• Sanitation brings frontline insight
• Maintenance brings equipment context
• Purchasing brings supplier and spec awareness
• R&D or Product Development brings formulation foresight
• Quality/Regulatory brings system oversight

When these voices are in the room, the team becomes a **decision-making engine**, not just a compliance checkpoint.

What Should Be on the Agenda?

Here’s what a food safety team should be reviewing regularly—not just when an auditor’s coming:

1. Site Inspection Nonconformances

• Review internal audits, GMP walks, and sanitation inspections
• Trend findings over timeespecially repeat offenders
• Focus on identifying and correcting root causes, not just surface fixes

2. Ingredient, Process, Customer Changes or Product Changes

• Any new ingredient, equipment, or formulation should trigger a review
• Focus especially on new allergens — even trace introductions
• Ask: Has this change been risk-assessed and communicated clearly?

3. HACCP Plan Review

• Revisit hazard analysis when processes shift or new risks emerge
• Don’t just “update the document” — challenge the assumptions
• Ask: Is our plan still relevant to what’s actually happening on the floor?

4. PRP and CCP/Preventive Control Effectiveness

• Review monitoring records and corrective actions
• Look for patterns: missed checks, repeated deviations, vague responses
• Ask: Are our controls working, or are we just checking boxes?

Final Thought

The food safety team isn’t a formality. It’s a forum. A place where operations, quality, and strategy intersect. When it’s functioning well, it doesn’t just protect the brand—it drives continual improvement.

Advantages of Outsourcing your ISO implementation Project

Do you have customers requiring ISO certification and don’t know where to begin?

ISO 9001 and other ISO standards are based on certain requirements. These requirements vary depending on the standard. An organization seeking certification is responsible for establishing, documenting, implementing, and once certified, maintaining the ISO system.

Can an organization’s personnel implement the requirements on their own?

Of course they can! If the organization can expend the time and energy of one of the managers to attend a couple of weeks of training and dedicate a good part of the next several months to documenting and implementing the requirements, then yes. Once the requirements are learned, the challenge can be applying these requirements in their respective operation.

Then Why Engage a Certification Consultant?

Time and money. While there is a cost in hiring a consultant, there is also a cost for a company to utilize internal resources.

The fundamental advantage is that a good consultant will provide common sense explanations in understanding ISO 9001. The standard is full of vague requirements leaving individuals new to ISO with a sense of frustration trying to nail down, “what does this mean?”

Aside from this, a good consultant can help with proven methodologies and supply you with sample forms, etc. Many companies feel that they need to invest in software or otherwise incur other expenses to implement an ISO system. This is not the case.

A good consultant will develop level one and two documents for you and will include the interaction of processes. Your documentation should reflect what your company does. It should also meet the requirements of the standard, leaving you with a manageable system. This is one of the biggest pitfalls…companies choosing to tackle this on their own often over document creating more work for themselves down the road in doc modification.

Consultants can also help with quality objectives, management review, internal audits and corrective action.

Conclusion

Overall, hiring an ISO expert will expedite your ability to achieve certification more quickly, which will in turn, keep your customers happy.

Holiday Greetings from Perry Johnson Consulting, Inc.

We at Perry Johnson Consulting (PJC) want to take a moment to express our heartfelt gratitude to you – our clients, partners, and supporters. Your trust and collaboration have been instrumental to our success this year, and we are truly honored to have been part of your journey.

The holiday season is a time for reflection and celebration, a moment to pause and cherish the company of friends and family. With this in mind, our offices will be closed on December 25th and January 1st, to give our hardworking team the opportunity to enjoy this time with their loved ones.

As we prepare to welcome 2025, we are filled with excitement for the opportunities and growth it will bring. We look forward to continuing to serve you with the same dedication and excellence you’ve come to expect.

From all of us at Perry Johnson Consulting, we wish you a joyful holiday season and a new year filled with health, happiness, and success.

Warmest regards,
The Perry Johnson Consulting Team