The New PRP Foundation: What ISO 22002-100:2025 Means for the Food Industry

Why did industry publications call ISO 22002-100:2025 a "new foundation" back in September 2025? Because it is one. Not a cosmetic revision. Not a reshuffled clause list. The standard rewires how prerequisite programs get built, how they talk to each other across food, feed, and packaging sectors, and what auditors will hold you to starting from your next assessment.

Picture what most companies were running before. Separate sector documents. Same requirements, different phrasing. Systems bloated with copy-paste duplicates. Audit outcomes that swung on whether one auditor read one sentence the way your quality manager intended. That era is over. ISO 22002-100:2025 drops a shared PRP framework underneath everything: one logic, one vocabulary, sector-specific layers only where operations genuinely differ.

In one project last year we found a mid-size dairy exporter maintaining three overlapping sets of hygiene SOPs because each had been written against a different part of the old series. Three documents, doing roughly the same job, confusing the floor staff who had to follow all of them. The new structure would have prevented that from day one.

At Ekontrol, we treat the transition as a foundation repair, not a reference swap. Two outcomes matter: a stronger position at audit and tighter daily discipline where it counts.

The supply chain outgrew the old documents. That is the short version. Climate shocks destabilizing raw material quality. Sourcing routes stretching across more borders and more intermediaries than anyone planned for five years ago. Packaging formats multiplying. Buyers asking for traceability data that the previous document structure could not support without awkward workarounds.

So in July 2025, ISO 22002 got a full architectural overhaul. One base document, ISO 22002-100, with synchronized sector parts layered on top. Build from the shared core. Add specifics only where your operation actually needs them. No more guessing which clause in which part covers your situation.

The gap most companies miss is this: the transition timeline printed in a scheme bulletin is not the only deadline that matters. Clients and auditors are already forming opinions. Ask your commercial team whether any buyer has asked about your adaptation plan in the last six months. If the answer is yes, you already know the stakes. If the answer is no, start asking yourself why they haven't, because they will.

One module. Written once. Hygiene, allergen controls, traceability principles, all sitting in a shared PRP framework instead of being copied and slightly reworded across every sector document. That is the structural idea behind the update, and it is simpler than people expect.

Where does this land hardest in daily operations? Training. We ran a pilot rollout at a packaging-and-food group last autumn, and the training lead told us something that stuck: "For the first time, production and warehouse teams are learning from the same base material, and I am not fielding questions about why their SOPs contradict each other." New hires picked up foundational requirements faster. Handover errors between shifts dropped. Differences between departments only showed up in specialized blocks tied to specific operation types, which is exactly where they belong.

Audit dynamics shift too. When your system runs from a shared core, the auditor can follow one line of control logic from receiving through dispatch without bouncing between documents that say slightly different things about the same hazard. Less explaining. Fewer findings rooted in paperwork contradictions. More time spent on the substance of your controls, which is what a good audit should focus on anyway.

Boundaries. That is what the new ISO 22002 structure finally gives sectors. Manufacturing owns technical process stability and condition control. Logistics and warehousing own handover points, product state, and traceability. Retail and wholesale get a requirement profile shaped around their actual reality, the last links before the consumer.

Multi-channel operators need to pay special attention here. Running each department as its own island, with its own documentation silo, breaks down fast under the new logic. What works is a single process-and-risk matrix. You look at it and immediately see which PRPs are shared, which need sector add-ons, and whose name sits next to each responsibility. In one transition we ran for a company doing both manufacturing and wholesale distribution, the lack of this matrix cost them almost four months of circular debates about who owned temperature monitoring at the handover point between production and dispatch. Four months. For something a matrix would have settled in an afternoon.

The commercial payoff is blunt: when clients see transparent control over every link, they stop piling on extra inspections. Contracts move faster.

We built this matrix at Ekontrol for transition kickoffs and internal audits. Pin it somewhere visible. It shows, at a glance, what actually shifts in daily work.

Here is a question worth asking at your next management review: when was the last time you updated your PRP risk profile to reflect what actually threatens the raw material supply right now? Not three years ago. Right now.

Climate volatility is warping harvest patterns and cold chain assumptions in ways that nobody budgeted for in 2020. Fraud risk scales with every intermediary added to the chain. Digital monitoring tools exist that could cut your response time in half, but most companies have not built the data discipline to use them properly. Paper logs still dominate where electronic records should have taken over years ago.

When PRPs ignore these shifts, decline does not announce itself. It creeps. More deviations per quarter. Root cause investigations that take weeks instead of days. Conversations with clients that feel slightly harder each round. Then an auditor walks in and everything that was quietly slipping becomes a formal finding.

Treat the ISO 22002-100 transition as a modernization trigger, not a document replacement exercise. Where can you tighten traceability? Where are supplier controls still built for a simpler chain than the one you actually operate? Which records still get filled in by hand when automation is sitting right there? That is where this transition pays for itself.

Waiting is the most expensive option. If you already hold ISO 22000 or operate inside FSSC 22000, a staged transition started now will cost less and hurt less than a rushed one six weeks before your next assessment.

Step one is a formal management decision to begin adapting. Write it down. Date it. Step two: run a gap analysis against the new structure to locate where the real pressure points are. Step three: approve a roadmap with names attached to every action, deadlines that people actually agreed to, and review checkpoints along the way.

Parallel to that, update reference bases in your internal documents. Revisit training programs. Rework internal audit checklists. Confirm that supplier requirements still match. None of this requires stopping a production line. It requires planning the work in waves so no single team gets buried.

We used this staged model with a frozen foods exporter last year. They had eight months before their surveillance audit. By month five, 80% of the documentation changes were live, the floor staff had already been through scenario-based training, and the internal audit using new checklists had been completed. No crunch. No surprises on audit day. The model is unglamorous, but it delivers.

Concrete starting point:

• Get the change plan formally approved at management level;
• Update the requirements matrix and internal audit checklists;
• Run short, role-based training for people in the most exposed functions.

Most gap analyses we have reviewed from other consultancies follow the same pattern: clause number on the left, procedure title on the right, green-yellow-red traffic light in the middle. Looks thorough. Tells you almost nothing about where the system actually loses grip during a live shift.

A gap analysis that works goes deeper. Documents, yes. But also records. Floor observations. Five-minute conversations with the person who owns the process, not the person who wrote the SOP two years ago and never touched it since. You are looking for the moment where what the document says and what the operator does diverge. That is your real gap.

Then triage. Everything touching food safety or traceability is a critical gap. Anything affecting whether a control repeats reliably across shifts is an important gap. Nice-to-have speed or convenience improvements go in a supporting tier. Without this sorting step, teams scatter energy everywhere and close nothing on time.

The output should be a prioritized action plan short enough to fit on two pages. Not a 200-row spreadsheet that nobody opens after the first week.

Nobody ever stalled a transition because the requirements were too hard to understand. The work stalls because it is poorly organized. Too many tasks open at once. No clear sequence. Everyone waiting on everyone else.

Short sprints break the deadlock. First sprint: the highest-risk PRP blocks and the roles most exposed to those risks. Second sprint: adjacent processes. Each sprint ends with verification, corrective actions where needed, and sign-off before moving on.

The team stays focused because each sprint is small enough to finish. Management gets concrete progress reports instead of the dreaded "we are still working on it." Production keeps running because changes fold into the existing rhythm rather than fighting against it.

One addition we have made at Ekontrol over the past year that shifted how our transition projects run: a short communication block after every sprint. Three things only. What changed. Why it matters to your role specifically. What becomes mandatory starting on this date. People resist what they do not understand. Give them those three data points and resistance drops sharply.

If management cannot see the transition's progress in under five minutes, something is wrong with your metrics. Keep the KPI set tight: share of critical changes closed, percentage of staff with confirmed training, speed of corrective action resolution, trend line on recurring nonconformities, and pass rate on client or external inspections.

Budget needs the same discipline. Split it into four categories: methodology and documentation, training, internal reviews, external assessment. When one category starts eating more than planned, you catch it early enough to redirect money before the overrun compounds.

Here is what we have learned running these transitions. A 30-minute monthly KPI review, just half an hour, changes the trajectory of the whole project. The team sees what matters this month, not some abstract goal six months out. Management stops debating and starts deciding. Readiness builds in a straight line instead of the classic panic curve where nothing happens for months and then everything happens in the last three weeks.

Three things kill transitions. Not the standard's complexity. Not budget. Documents, people, and suppliers. In most failed projects we have reviewed, the team understood the requirements perfectly well. The requirements just never left the paper they were printed on.

Documents go wrong first and they go wrong quietly. A company renames the referenced standards in the header, updates the revision date, and calls it done. But the procedure logic underneath has not changed. The document says "monitoring required" without defining who checks, how often, and what triggers an escalation. There is a deviation response procedure, but the threshold for what counts as a critical deviation is missing. On paper the system looks complete. Walk the floor and it falls apart.

Fixing this takes a cascading review, and the sequence matters. Policies and main procedures first. Work instructions at specific areas next. Then record forms, checklists, logs, electronic templates. At every level, one question: does this document help someone manage a specific risk right now, today? If you cannot answer that clearly, rewrite it. Do not archive it "just in case."

People are the second fracture point, and often the most painful one to confront. We walked into a meat processing plant during a pre-audit check last spring. Every operator had a signed training record. Every single one. But when we asked a line worker what she would do if the metal detector flagged a product, she froze. She had memorized the term "corrective action" from a slide deck. She did not know the actual steps: isolate, log, escalate, verify. Auditors catch this in minutes.

Role-based, scenario-driven training fixes the disconnect. Line staff practice the specific control actions they will perform during their shift, not abstract principles. Shift supervisors rehearse escalation paths and root cause analysis. Quality teams work through verification logic and effectiveness evaluation. Procurement and logistics focus on holding external partners to contractual requirements. When training maps to what someone actually does from 7 AM to 3 PM, the system stops living in a binder.

Suppliers are the third weak spot. Under ISO 22002-100, you cannot wall off the supply chain as "external territory" anymore. A partner running a critical operation carries risk that is yours, for certification and for reputation. The transition has to include a hard look at evaluation criteria, contract language, inspection frequency, and response speed when something breaks.

Practically: classify suppliers by safety impact. High risk, medium, baseline. High-risk suppliers get stepped-up treatment: more frequent assessments, explicit record-keeping obligations, periodic audits whether on-site or remote, and corrective action verification within defined timeframes. Medium risk operates on a planned monitoring cycle. Baseline gets a simplified model. Cost stays proportional to actual risk.

One more thing people skip: digital discipline. Teams keep records in electronic systems but have no rules for version control, access rights, or data entry accuracy. During an audit, electronic records carry exactly the same weight as paper logs. If the auditor cannot trace a data point back to its source or confirm its integrity, the whole system's reliability comes into question.

At Ekontrol we enforce a simple rule on every project: every document change gets an owner, an effective date, a one-sentence explanation of what changed and why, and a follow-up review two to four weeks later to confirm people are actually using the new version. That single rule kills the classic problem where a revision is formally approved and the floor keeps working from the old template nobody bothered to remove.

When documents, people, and suppliers connect into one operating model, the transition stops being a project you run for the auditor. It becomes the way you work. Deviations get caught faster. Rework drops. Clients negotiate differently when they see that level of control.

ISO 22002-100:2025 is not about checking a compliance box. It resets what a mature PRP system looks like, and companies that start early come out of the transition with something more than a certificate. They get a system that holds under pressure from clients, auditors, and the market itself.

For Ukrainian businesses the timing is especially tight. International supply chains do not slow down because you are mid-transition. Contract competition is intense. Buyers already form opinions based on whether you can show a structured adaptation plan or not. That signal carries weight long before the formal deadline hits.

Our team at Ekontrol takes this from diagnostics and planning through implementation, floor-level training, and building the evidence base your auditor will ask to see. The goal is not an updated system sitting in a folder somewhere. It is a working tool that moves the business forward, measurably and visibly.