4 minute read
ISO 22716
By Robert Low, Lead Management System Specialist
ISO 22716:2007 is the international standard for Good Manufacturing Practice in cosmetics. If you manufacture, pack, or hold cosmetic products and sell into markets that expect GMP certification — which is most of them now — this is the standard your auditor will be working from.
The standard itself is structured around the product lifecycle: personnel, premises, equipment, raw materials and packaging, production, finished products, quality control, and the management systems that hold it all together. Here is what each section actually asks for, without the standard’s own formal language getting in the way.
This section is about training, hygiene, and clear responsibility. Auditors want to see that staff working in production understand why hygiene matters, not just that they signed a form once. Training records need to show ongoing competence, not a single induction date three years ago.
The standard expects manufacturing areas to be designed and maintained to prevent contamination and mix-ups. This covers everything from layout and ventilation to cleaning schedules for equipment. The documentation burden here is mostly about proving a maintenance and cleaning regime exists and is followed — not just that it is written down somewhere.
This is where supplier management becomes central to GMP compliance. ISO 22716 requires that incoming materials are checked against specification before use, and that suppliers are evaluated and approved through a defined process. An auditor will ask to trace a specific batch of raw material back to its supplier’s certificate of analysis — if that trail does not exist or takes twenty minutes to find, that is a finding.
Production requirements cover batch records, in-process controls, and the prevention of cross-contamination between products. Every batch needs a record showing what was made, when, by whom, and what checks were performed along the way. This is the area where production control software earns its place — manual batch records are workable at small scale and increasingly painful as volume grows.
Finished product requirements are about quarantine, release, and storage. A product cannot leave the building until it has been checked against specification and formally released by someone authorised to do so. The standard wants evidence that this release decision happened, who made it, and on what basis.
If you operate any in-house testing, the standard expects equipment calibration records, defined test methods, and traceability of results back to specific batches. Outsourced testing needs the same rigour applied to the lab you are using as a supplier.
This is essentially nonconformance management under a different name. The standard wants a defined process for what happens when something does not meet specification — investigation, disposition decision, and a record of what was ultimately done with the affected product.
Often overlooked, but the standard does expect a defined approach to handling waste materials safely and in line with relevant regulations.
ISO 22716 expects you to audit your own system periodically, not just wait for an external certification visit. This is meant to catch problems before an external auditor does.
Underpinning all of the above is a documentation requirement: procedures need to be controlled, version-tracked, and accessible to the people who need them. This is the section that most exposes a spreadsheet-based system — document control that relies on shared drives and trust tends to fail exactly here.
Every section of ISO 22716 follows the same underlying logic: define the process, follow the process, and prove you followed it. The standard does not particularly care whether that proof comes from a binder or a database — but in practice, the manufacturers who struggle at audit are almost always the ones trying to assemble that proof manually, under time pressure, the week before the auditor arrives.