When you ask an Indonesian supplier whether they are “certified,” the answer is rarely a simple yes or no. ISO 9001, ISO 22000, HACCP, GMP, BRCGS, and FSSC 22000 are different standards covering different things, issued by different bodies, with different scopes and renewal cycles. A supplier can hold one and not another, or hold a certificate that has lapsed, or hold one that covers a sister facility rather than the line your product runs on. This guide explains what each certification actually covers, how they signal a legitimate and capable supplier, the audit types behind them, and how a buying agent verifies a certificate is genuine and current before you pay.
Why supplier certifications matter to buyers
A certification is a third party’s confirmation that a supplier operates a documented, audited management system to a recognized standard. For an importer who cannot stand on the factory floor, that confirmation is valuable: it narrows the gap between what a supplier claims and what they can demonstrate. Many retail and food-manufacturing buyers also require specific certifications as a condition of purchase, so the question is not only whether a supplier is capable but whether they hold the exact certificate your own customers will accept.
The caution is that a certificate is a snapshot of an audited system tied to a defined scope and validity period. It is not a permanent or universal guarantee, and a logo on a website is not the same as a current, verifiable certificate. This is the same principle that runs through all supplier due diligence on Indonesian exporters.
What each certification covers
The standards fall into two broad groups: general quality management, and food safety management. They overlap but are not interchangeable.
| Certification | What it covers | Typical relevance |
|---|---|---|
| ISO 9001 | General quality management system: consistent processes, traceability, continual improvement | Any product category; signals process discipline |
| ISO 22000 | Food safety management built on HACCP plus prerequisite programs | Food and food-ingredient suppliers |
| HACCP | Systematic identification and control of food safety hazards | Foundation under most food safety schemes |
| GMP | Good Manufacturing Practice: hygiene, facility, and process controls | Food, cosmetics, and supplement manufacturing |
| BRCGS | GFSI-benchmarked retail and brand food safety standard | Suppliers selling to major retailers |
| FSSC 22000 | GFSI-benchmarked scheme combining ISO 22000 and sector prerequisites | Food manufacturers needing GFSI recognition |
ISO 9001
ISO 9001 is the most widely held management standard in the world and applies to any industry. It is not food-specific. It tells you a supplier runs documented processes, controls records, manages non-conformities, and pursues continual improvement. For commodity buyers it is a useful signal of basic operational discipline, but it says nothing on its own about food safety.
ISO 22000
ISO 22000 is the food-safety counterpart. It incorporates HACCP principles and prerequisite programs into a management-system framework, so it covers hazard analysis alongside the documentation and traceability discipline of a quality system. It is common among food-ingredient exporters and is often the baseline a food buyer looks for.
HACCP
HACCP (Hazard Analysis and Critical Control Points) is a method, not a brand. It identifies where biological, chemical, and physical hazards can enter a process and defines control points to manage them. Most food safety schemes, including ISO 22000, BRCGS, and FSSC 22000, are built on HACCP. A supplier may be certified to a HACCP-based standard by an independent body, which is different from simply claiming to “follow HACCP.”
GMP
Good Manufacturing Practice covers the hygiene, facility, equipment, and process conditions under which a product is made. It is central to cosmetics, supplements, and food processing. For categories like virgin coconut oil or essential oils destined for personal-care or food use, GMP signals that the production environment itself is controlled.
BRCGS and FSSC 22000
BRCGS (formerly BRC) and FSSC 22000 are both benchmarked by the Global Food Safety Initiative (GFSI). Large retailers and manufacturers frequently accept either as evidence of a comprehensive food safety system. Which one your buyer requires depends on their own customer chain, so confirm the specific scheme rather than assuming GFSI recognition is enough.
How certificates are issued and audited
None of these certificates are self-declared. They are issued by independent certification bodies that should themselves be accredited by a national accreditation body. The general pattern is consistent across schemes:
- The supplier applies to a certification body and documents its system against the chosen standard.
- The body conducts an audit, which may be a certification (initial) audit, a surveillance audit at recurring intervals, or a recertification audit at the end of a cycle.
- Non-conformities are raised and must be closed before or shortly after certification.
- A certificate is issued with a defined scope, the certified sites, the product categories, and issue and expiry dates.
Audits can be announced or, increasingly under retail schemes, unannounced, which is generally regarded as a stronger signal because the supplier cannot prepare for the visit. Understanding the audit type behind a certificate tells you how much weight it carries.
How to verify a certificate is genuine and current
This is where many buyers stop short, and where problems start. Holding a PDF is not verification. The checks that matter are:
- Issuing body. Identify the certification body named on the certificate and confirm it is accredited to issue against that standard.
- Scope. Read the scope carefully. Confirm it covers the exact product, processing site, and activity you are buying, not a different line or a sister company.
- Validity dates. Confirm the certificate is current and covers your shipment window, not lapsed or pending renewal.
- Certificate number. Where the certification body or scheme operates a public directory, look up the number to confirm it matches the supplier named everywhere else in your file.
- Entity match. Confirm the certified entity is the same company that controls the goods and that you would actually pay, the same cross-check we apply when verifying suppliers on the ground.
A certificate that fails any of these checks is not necessarily fraudulent, but it is not yet usable, and that distinction needs to be settled before money moves.
How a buying agent verifies certifications without issuing them
Karya Commodity does not issue or audit ISO, HACCP, GMP, BRCGS, or FSSC 22000 certificates. Only independent, accredited certification bodies do that. As a buying agent representing the buyer, our role is to identify which certifications your market and customers require, request them from candidate suppliers, and verify what is presented:
- Confirming the issuing body and its accreditation for the standard you need
- Checking the certificate scope against the exact product and site
- Confirming validity dates cover your order
- Cross-checking the certified entity against the supplier and exporter on the rest of the shipping file
- Flagging gaps early, so you can decide before committing rather than after shipment
This sits alongside product-level checks such as sample approval and lab testing, and the broader compliance work described on our quality and compliance page. Where a market requires scheme-specific certifications such as Halal or organic, the same verify-before-you-pay logic applies. You can see where it fits in the wider workflow on our how it works page.
Verify your supplier’s certifications before you commit
If you need an Indonesian supplier’s ISO, HACCP, GMP, BRCGS, or FSSC 22000 certificate checked for issuing body, scope, and validity against what your market requires, we can verify the certificate and the supplier behind it before you pay. Contact us with the product, destination, and certifications you need, and we will confirm what holds up.