ISO 22002:2025 Series Update: What Changed in PRP and How to Get Your Business Ready

Most teams hear "ISO 22002:2025 update" and think it means swapping references in a few documents. It doesn't.

The whole logic behind managing prerequisite programs (PRP) got rebuilt. What used to be a collection of separate ISO/TS technical specifications is now a set of full international ISO standards wired together through a modular architecture. Manufacturing, catering, packaging, logistics, feed, retail: all of these segments share a common base module instead of each having its own overlapping document. For any company that touches more than one segment, building a single coherent PRP framework just got far less painful.

We've watched teams treat this as a paperwork exercise and regret it within weeks. Companies that actually benefit from the update run it like a management project from day one: mapping how PRPs work on the shop floor, who owns verification, whether records match reality, and how leadership stays in the loop on compliance. That's the difference between an audit story you can defend and one you can't.

In July 2025 ISO published ISO 22002-1:2025, ISO 22002-2:2025, ISO 22002-4:2025, ISO 22002-5:2025, ISO 22002-6:2025, ISO 22002-7:2025 and ISO 22002-100:2025. The old ISO/TS versions were withdrawn. That single word, withdrawn, is what matters most. PRP requirements are no longer treated as supplementary guidance. They're a permanent normative layer inside food safety management systems.

What does your team need to do right away? Three things. Rebuild the applicability matrix against the new part numbers. Walk through training programmes to strip out dead ISO/TS references. Update every internal audit template that points to the old documents.

There's a commercial side too. Retailers and importers notice. The auditor's first question is usually whether your normative base is current, and a company that can show a structured adaptation reads as a supplier that manages its system actively, not one coasting on yesterday's paperwork.

This is the working map most companies are missing. Every sector part of the series with its old version, its 2025 release, the headline changes, and who it applies to. Pin it on the wall above the food safety manager's desk.

Three things stand out when you sit with the table for ten minutes.

First, the dates spread across more than a decade. ISO 22002-1 sat untouched from 2009. ISO 22002-5 was last revised in 2019. So depending on which sector part you've been using, the gap between your current PRPs and the new requirements ranges from minor refresh (Part 5 users) to substantial rework (Part 1 users). Don't assume your timeline mirrors a peer in another segment.

Second, ISO 22002-7 is genuinely new. There was no dedicated PRP standard for retail and wholesale before. Operators in those segments were stitching together ISO 22000 clauses with internal QA frameworks or scheme-specific add-ons. The 2025 release closes that gap, and certification bodies will be looking for evidence that retail-specific controls are documented, not improvised.

Third, ISO 22002-4 absorbs PAS 222. If your packaging operation still references PAS 222 anywhere (procedures, audit checklists, supplier specifications), that reference is dead. Migrate to ISO 22002-4:2025 as a priority, because FSSC 22000 won't accept PAS 222 after the transition window. Sources like the GFSI benchmarking documents and individual scheme bulletins are the authoritative place to confirm dates for your specific scope.

Already certified to ISO 22000? Preparing for FSSC 22000? The series update hits your evidence base directly.

The food safety management system logic stays the same. What shifts is how you prove that baseline prerequisite programs match the current normative documents. References in your manual, training slides, internal audit checklists, supplier qualification files: all of these now point to withdrawn ISO/TS numbers unless you've already updated them. If your company outsources packaging, storage, or transport, the supplier requirements section of your contracts needs a fresh look too.

FSSC 22000 V7 references the new series as the PRP basis for certified sites. So if you hold an FSSC certificate, your scheme transition and your ISO 22002:2025 update are the same project. Procurement teams from large retailers have started asking suppliers for V7 readiness statements, and "we'll start when the deadline is closer" is already costing contracts in some categories.

During a certification body assessment or a client audit, the question about whether your normative base is current usually comes in the first fifteen minutes, not the last. A company with a documented transition plan moves through that conversation fast. A company without one spends the rest of the audit explaining why.

One practical point worth flagging. ISO 22000:2018 clause 6.3 (planning of changes) gives auditors a direct hook to write a finding if your transition is undocumented. The clause requires that changes to the FSMS are carried out in a planned manner, with consideration for purpose, system integrity, resources, and reallocation of authorities. A series update of this size is exactly the kind of change clause 6.3 was written for. No documented response equals an automatic finding under change management, regardless of how much else is in order.

Three things kill transitions, and the standard's complexity isn't one of them. Documents, people, and suppliers.

Documents go wrong first, and quietly. A company renames the referenced standards in the header, updates the revision date, and calls it done. The procedure logic underneath hasn't changed. The document still says "monitoring required" without defining who checks, how often, and what triggers escalation. On paper the system looks complete. Walk the floor and it falls apart. The fix is a cascading review: policies and main procedures first, then work instructions at specific areas, then record forms, checklists, logs, electronic templates. At every level ask one question. Does this document help someone manage a specific risk right now, today? If you can't answer clearly, rewrite it.

People are the second fracture point. Sending a PDF and collecting signatures isn't training. We walked into a meat processing plant during a pre-audit check last spring. Every operator had a signed training record. But when we asked a line worker what she'd do if the metal detector flagged a product, she froze. She'd memorised the term "corrective action" from a slide deck. She didn't know the actual steps. Auditors catch this in minutes. Role-based, scenario-driven training fixes the disconnect: line staff practise the specific control actions they'll perform during their shift, supervisors rehearse escalation paths, quality teams work through verification logic.

Suppliers are the third weak spot. Under the new ISO 22002 architecture you can't wall off the supply chain as "external territory." A partner running a critical operation carries risk that's yours, both for certification and reputation. Classify suppliers by safety impact: high, medium, baseline. High-risk suppliers get more frequent assessments, explicit record-keeping obligations, periodic on-site or remote audits, and corrective action verification within defined timeframes. A one-page letter saying "please comply with our food safety requirements" doesn't cut it anymore.

"When is the deadline?" Every second client asks. There's no single answer.

ISO didn't set a standard transition period for these documents. The IAF doesn't apply an automatic timeline the way it does for ISO 9001 or ISO 14001 revisions. Deadlines come from certification scheme owners, from contracts, or from regulatory bodies in your market. So your neighbour in the supply chain might face a completely different cutoff date. We had a client discover this mismatch three weeks before a surveillance audit. Not a pleasant conversation.

What works: keep a living transition map. Three columns. Requirements already in place. In progress, with owners and dates. Waiting on external decisions. Management sees the full picture, resource planning stays sane.

Start with a short gap analysis. Compare what your system says on paper against the new structure, then walk the floor and compare both against what your people actually do. The second comparison is where surprises live. One plant we assessed had a sanitation SOP that described a procedure nobody had followed in over a year, because the team had quietly improvised a better method without documenting it. An auditor would write that up as a nonconformity either way.

Once you have the gaps listed, sort them. Safety and traceability gaps go to the top. Record forms, instruction templates, training materials, service contracts: those follow. Without this ranking the project sprawls and staff burn out before the hard stuff gets done.

Then test. Run the updated requirements through a few normal production days, not a staged rehearsal. Do operators actually fill in the new forms, or do those forms pile up blank next to the old ones? Skip this step and the update stays cosmetic.

The number-one trap is cosmetic editing. References get updated. Control practices don't. On paper the system looks fine. Then an inspector walks the warehouse, asks a line supervisor to explain the new PRP verification frequency, and gets a blank stare. We've seen this exact scenario play out at three different sites in the past year.

Applicability errors come second. A business does manufacturing and retail. The food safety manager updates the manufacturing block because that's "the core." Retail requirements? Untouched. The gap stays invisible right up until a supply chain audit.

Third: hollow training. Sending a PDF isn't training. If operators can't describe what changed and why, the update didn't land. Same with suppliers. If you never revised the quality agreement, your partner has no contractual reason to follow the new PRP conditions. Nonconformities stack up quietly, then surface all at once during a surveillance visit.

Don't try to rewrite everything at once. We learned this the hard way on early projects, and now we never start a transition without a phased plan.

Phase one: management locks down the project scope, assigns owners, and sets target dates. The team runs a gap analysis. A roadmap comes out of that analysis, not before. Phase two: update PRPs, procedures, records, training. Phase three: internal audit, close nonconformities. Phase four: compile the evidence base for an external audit or client inspection.

Introduce changes in waves. High-risk areas first. Lower-priority blocks after. Sounds obvious, but most companies default to alphabetical order or whichever department head complains loudest, and then the critical stuff gets buried. We run short implementation sprints with a documented result after each one. The business keeps its production rhythm. Management sees progress at clear checkpoints instead of getting a vague "we're working on it" for three months.

Name one transition owner with a written mandate from top management, not a committee. The single most common reason these projects stall is diffused responsibility: management asks "the team" to handle it, the team assumes someone else is leading, and three months later nothing has moved. When each function head can describe their part of the transition without checking a document, the auditor picks up on it inside the first hour.

A starting sequence that works in practice:

• identify which sector parts of ISO 22002:2025 apply to your real processes;
• close the PRP gaps that carry actual safety or traceability risk before touching anything secondary;
• update training materials and supplier specifications in parallel, not afterwards;
• run an internal audit against the updated requirements before the external inspector arrives.

Keep a contingency reserve in the budget. Around 10 to 15 percent of cost and a two-week schedule buffer covers the cross-functional dependencies that surface during every transition. A logistics procedure change ripples into labelling, which ripples into warehouse records, which means retraining adjacent teams. Without a buffer, those cascades break the plan.

ISO 22002:2025 rewired the PRP document foundation. A modular structure, with 22002-100 at the base and seven sector parts on top, gives businesses a cleaner way to manage food safety risks across different operations. When the transition is done properly, the payoff goes past audit readiness and shows up in steadier day-to-day results.

Exporters and retail-chain suppliers feel the pressure earliest, because their partners check normative currency as a routine matter. Running a gap analysis now, updating PRPs, and training the team before deadlines close in costs a fraction of what a scramble-before-audit scenario costs.

Need a working transition plan? The Ekontrol team picks up from diagnostics and stays through evidence base preparation for the audit.