Supplier management is consistently one of the highest-scoring areas for non-conformances in ISO and GFSI audits globally. It is also one of the most commonly misunderstood — because organisations often treat supplier management as a one-time approval exercise rather than an ongoing, systematic control.
Whether you are certified to ISO 9001, ISO 22000, BRCGS Food Safety, FSSC 22000 Version 7, or SQF Edition 10, the expectations for supplier management under ISO and GFSI schemes are stricter in 2026 than they have ever been. Supply chain disruptions, food fraud incidents, and increased regulatory scrutiny have driven every major standard to tighten supplier control requirements.
This guide covers everything auditors check in your supplier management system — from initial approval to ongoing monitoring, incoming inspection, food fraud controls, and traceability requirements.
⚠️ Supplier management non-conformances are one of the top five most common findings in BRCGS and FSSC 22000 audits globally. The most frequent gap: organisations approve suppliers once and never review them again.
WHY SUPPLIER MANAGEMENT FOR ISO AND GFSI COMPLIANCE MATTERS MORE IN 2026
Three major trends have elevated supplier management from a compliance checkbox to a strategic risk control:
📌 Supply chain complexity — global supply chains are longer, more opaque, and more vulnerable. A single ingredient may pass through four to six countries before reaching your production line.
📌 Food fraud and adulteration — economically motivated food fraud is a growing global problem. Horsemeat in beef products, olive oil adulterated with cheaper oils, and allergen substitutions have resulted in major recalls and prosecutions.
📌 Regulatory pressure — EU Food Safety Authority, FDA FSMA, and local GCC regulatory bodies are all increasing scrutiny of supply chain controls. GFSI Benchmarking 2024 has tightened supplier requirements across all recognised schemes.
WHAT ISO AND GFSI AUDITORS CHECK IN SUPPLIER MANAGEMENT
Every auditor — regardless of which standard they are auditing against — works through four core supplier management areas.
- SUPPLIER APPROVAL AND QUALIFICATION
The first question every auditor asks: how do you approve a new supplier before you start purchasing from them?
What auditors check:
✅ Is there a documented supplier approval procedure?
✅ Is your approval process risk-based, with higher-risk suppliers requiring more rigorous approval?
✅ Is there a current, maintained approved supplier list?
✅ For food suppliers — do they hold a GFSI-recognised certificate (BRCGS, FSSC 22000, SQF)?
✅ If no GFSI certificate — what alternative approval was used? Second-party audit? Questionnaire with risk justification?
✅ Are BRCGS certificates verified through the BRCGS Directory — not just accepted at face value?
⚠️ BRCGS-specific: for direct food contact materials and high-risk ingredients, a valid GFSI-recognised certificate is required. Where no certificate is held, a supplier audit by a competent auditor must be conducted. A questionnaire alone is not acceptable for these categories.
- ONGOING SUPPLIER PERFORMANCE MONITORING
Approving a supplier once is not enough. Every major standard requires ongoing monitoring — and auditors always check whether monitoring is actually happening.
What auditors check:
✅ Is there a supplier re-evaluation schedule — and is it being followed?
✅ Are there defined performance KPIs — delivery reliability, quality conformance, complaint rate?
✅ Is supplier performance reviewed at management review?
✅ How do you respond when supplier performance falls below requirements?
✅ Are supplier non-conformances raised and tracked through your CAPA system?
✅ Are certificate expiry dates monitored and re-verification confirmed?
Monitoring frequency requirements:
→ Annual minimum: scheduled re-evaluation of all approved suppliers (all standards)
→ After each non-conformance: performance-triggered review (all standards)
→ After food safety incident: immediate review of supplier controls (BRCGS, FSSC V7, SQF Edition 10)
→ Certificate expiry: before certificate lapses — re-verify and update approved supplier list
→ After supplier change of ownership or significant process change: immediate re-assessment
- SPECIFICATIONS AND INCOMING INSPECTION
Every material you purchase must have a documented specification — and there must be a process for verifying that what you receive matches that specification.
What auditors check for specifications:
✅ Is there a documented specification for every purchased material — ingredients, packaging, processing aids?
✅ Are specifications formally agreed with suppliers — not just internal documents?
✅ Are specifications reviewed and updated when formulations or requirements change?
✅ Do specifications include relevant food safety requirements — allergen status, microbiological standards, chemical limits?
What auditors check for incoming inspection:
✅ Is there a defined incoming inspection procedure — what is checked, how often, and by whom?
✅ Are Certificates of Analysis (CoA) received, reviewed, and matched against specifications?
✅ Are incoming inspection records maintained — batch numbers, quantities, results, disposition?
✅ Is there a documented rejection and quarantine process for failed deliveries?
- FOOD FRAUD (VACCP) AND SUPPLY CHAIN RISK
Since GFSI Benchmarking 2020, Food Fraud vulnerability assessment has been mandatory across all GFSI-recognised schemes. In 2026, FSSC 22000 Version 7, SQF Edition 10, and the upcoming BRCGS Issue 10 have all strengthened these requirements.
What auditors check in food fraud controls:
✅ Is there a documented VACCP (Vulnerability Assessment and Critical Control Points) process?
✅ Has every ingredient and material been assessed for food fraud vulnerability?
✅ Are fraud risks mapped to specific ingredients — considering geographic origin, processing method, supply chain length, and historical fraud for that commodity?
✅ Are control measures defined for high-vulnerability materials?
✅ Is the VACCP reviewed annually and when supply chain changes occur?
✅ Is country of origin documented and verified for all ingredients?
💡 Most common VACCP failure: organisations complete a vulnerability assessment once at certification and never update it. When a supplier changes or a new ingredient is introduced, the VACCP must be reviewed. Auditors will ask for the date of the last review and evidence of what triggered it.
SUPPLIER MANAGEMENT REQUIREMENTS BY STANDARD
ISO 9001:2026 — Clause 8.4: Control of externally provided processes, products, and services. Risk-based approach.
ISO 22000:2018 — Clause 7.1.6: Control of externally provided processes — PRPs and HACCP must consider supplier controls.
BRCGS Issue 9 — Clause 3.5: Supplier approval, documented specifications, monitoring, GFSI certification for high-risk categories.
FSSC 22000 V7 — Clause 8.4 + ISO 22002-100:2025: Supplier management strengthened — new PRP requirements for qualification.
SQF Edition 10 — Clause 2.4: Approved supplier register, risk-based approval, certificate verification, incoming inspection.
ISO 45001:2018 — Clause 8.1.4: Control of contractors and outsourced activities — OH&S performance of suppliers in scope.
COMMON SUPPLIER MANAGEMENT AUDIT FAILURES
❌ FAILURE 1 — Supplier approved once, never re-evaluated
Fix: Implement a re-evaluation schedule with calendar reminders — annual minimum for all suppliers
❌ FAILURE 2 — No specifications for some materials
Fix: Document specifications for all materials including packaging and processing aids
❌ FAILURE 3 — BRCGS certificates accepted without directory check
Fix: Verify every BRCGS certificate at approval and each renewal through the official BRCGS Directory
❌ FAILURE 4 — VACCP completed at certification, never updated
Fix: Review VACCP annually and whenever a new supplier or ingredient is introduced
❌ FAILURE 5 — Supplier non-conformances not tracked in CAPA
Fix: Raise a CAPA for every supplier non-conformance — link to supplier performance record
❌ FAILURE 6 — Approved supplier list not maintained
Fix: Review and date-stamp the approved supplier list quarterly
THE BOTTOM LINE
Supplier management is not a one-time approval exercise. It is an ongoing, systematic control that must be documented, monitored, reviewed, and improved over time. Auditors reviewing your supplier management system are not looking for a perfect supplier base — they are looking for evidence that you know your suppliers, understand your risks, and have proportionate controls in place.
Start with your approved supplier list. Is it current? Is every supplier re-evaluated annually? Do you have specifications for every material? Is your VACCP plan up to date? Those four questions alone will identify the gaps that most organisations find at audit.