ISO 22002-100:2025 Transition Plan: How to Get Your PRPs Ready for the Audit

Stop treating PRPs as a checkbox.

ISO 22002-100:2025 rewrites the ground rules for how food chain companies build and prove their prerequisite programmes. Not a name swap, not a cosmetic revision. The document sets a single baseline for general PRP requirements across the whole series, and that changes the conversation you'll have with auditors, with buyers, and inside your own management meetings.

Why does timing matter? We had a dairy exporter client last year who figured they'd wait for "official deadlines." The auditor opened with exactly one question: show me your transition plan. There was no plan. The audit turned into a three-hour interrogation about change management, and they left with four nonconformities they could have avoided entirely. If your company works with retail chains, exports, or contract manufacturing, that story probably sounds familiar.

The teams that handle this well do something simple. They start early, while the pressure is still low, and build the transition plan before anyone asks for it. Nonconformity risk at the next audit drops. People get trained without an all-hands-on-deck panic. And buyers notice. A documented, in-progress transition tells them more about how you run things than a slide deck ever could.

Think of it as a split into layers.

ISO 22002-100 now holds the common requirements framework. The sector-specific parts of the series handle the details for manufacturing, packaging, transport and storage, feed, retail. If you run multiple sites or business lines, the upside is real: one unified PRP baseline instead of copy-pasting requirements across every unit with slight variations that nobody can track.

The downside? Modularity forces precision. Your team has to map exactly where general PRP controls apply, where sector-specific layers add on top, and how you record proof for each. We worked with a meat processing group that had three sites and assumed their existing PRP documents already covered the new structure. The gap analysis showed 17 open points they hadn't even noticed, mostly around monitoring frequency and record-keeping for allergen controls. The gap between written procedures and shop-floor reality was wider than anyone expected.

So don't start by editing templates. Start by walking the process from incoming raw materials to dispatch. The picture that comes back will tell you where the real gaps live, and you'll save your team weeks of pointless document reshuffling.

Most companies we talk to know about clause 6.3. Few treat it like what it actually is.

ISO 22000:2018 doesn't suggest you plan changes. It requires it. The language is direct: when your management system needs to change, the change must be planned, resourced, and controlled. A transition to updated PRP requirements falls squarely into that box. "We'll get to it" is not a plan.

Auditors already ask about this. The typical pattern we see: the auditor knows ISO 22002-100:2025 has been published, the company knows it too, but nobody wrote anything down. No owner, no timeline, no risk assessment. Ten minutes into the opening meeting, the auditor raises it. Now you're explaining why a known standard change has no documented response. That's a change management gap, and it lands in the report.

But forget the audit for a second. A documented transition plan does something more useful: it gives your management team a shared picture of costs, timing, and risk. It gives the production floor a sequence of steps instead of a fog of "new requirements coming sometime." And it gives customers proof that you manage your system, not just maintain it. Clause 6.3 is boring on paper. In practice, it's the difference between a controlled transition and a fire drill.

Keep it simple. Seriously.

A transition plan that nobody reads is worse than no plan at all, because it creates a false sense of progress. The job of this document is to answer a handful of questions in plain language: what are we changing, why, what goes wrong if we skip it, who owns each piece, when is the deadline, and how do we check that the change actually works in operations.

We usually build the list by process, not by standard clause. Sanitation PRP update. Pest control requirements revision. Temperature monitoring gaps. Traceability in logistics. Supplier evaluation criteria. Each item gets a one-line reason tied to the specific new requirement it addresses. One client told us this list alone was worth the project, because it was the first time the management team could see every open point on a single page.

Then comes the question that most plans skip: what's the risk of doing nothing? Or doing it halfway? That's what drives prioritization. If postponing a sanitation update means your next audit hits a food safety gap, that goes to the top. If reformatting a document template has zero operational impact, it waits.

The last block is verification. Not "did we update the document" but "is the change working on the floor." Shift records, audit findings, incident trends. That's what closes the loop.

In short, a transition plan needs:

• a list of changes with priorities and deadlines;
• assigned roles and resources for each stage;
• verification criteria that confirm changes are working on the ground.

Below is a compact structure that works for both internal management and audit demonstration.

Who owns this?

If you can't answer that question in five seconds, the transition is already in trouble. The number one reason these projects stall is diffused responsibility. Management tells "the team" to handle it. The team assumes somebody else is leading. Three months later, nothing has moved.

Appoint one person. Not a committee, not "the quality department." One named owner for the ISO 22002-100 transition project, with a written mandate from top management. Then spell out every function's piece: quality handles methodology and document control; production translates new requirements into shift-level actions; warehouse and logistics own their process areas; procurement and legal review supplier contracts; HR runs training.

We saw this play out at a bakery group last spring. They had five sites and no project owner. Each quality manager assumed the head office was coordinating. The head office assumed each site was self-managing. The auditor asked one question: "Who is leading your transition?" Nobody could answer it. That single gap triggered a nonconformity and a follow-up audit three months later.

When every person can explain their role without checking a document, the auditor picks up on it fast. The transition stops being one specialist's side project and becomes visible across the management team. That's a different conversation entirely.

You cannot fix everything at once. Don't even try.

A PRP gap analysis has one purpose: separate the urgent from the eventual. We use three tiers. Tier one: anything that directly touches product safety or traceability. If it fails, you have a food safety incident or a recall scenario. Tier two: systemic weaknesses that cause the same nonconformities to repeat cycle after cycle. Tier three: document formatting, template alignment, process labels that have zero operational impact.

The mistake we see over and over is a company that tries to close all gaps in one push. A food packaging client tried this. They launched 23 changes simultaneously. Within six weeks, the quality team was drowning, line managers stopped attending progress meetings, and most of the "fixes" were copy-paste procedure updates that nobody on the floor had read. The ISO 22000 audit found the same problems the gap analysis had found four months earlier.

Short waves work. Pick the top five tier-one gaps. Close them. Verify they hold. Move to the next batch. Operations keep running, people don't burn out, and management can actually see movement.

One rule we use at Ekontrol: every change must end with a checkable result. Updated procedure plus signed training record. Completed traceability test. Closed internal audit finding. If you can't point to a concrete outcome, the change isn't done.

Paper doesn't produce safe food. People do.

If a line operator doesn't know what changed in the sanitation PRP, the new procedure might as well not exist. Same for warehouse staff, logistics shifts, cleaning crews. Training has to be short, role-specific, and concrete. Not a two-hour lecture on "what ISO 22002-100 means" but a fifteen-minute walkthrough: here's what changed on your line, here's what you do differently starting Monday, here's why it matters for the product.

We ran a training session at a frozen foods plant where the biggest "aha" moment wasn't about the standard at all. It was a line supervisor who realized the new temperature monitoring frequency actually explained three unexplained quality complaints from the previous quarter. That's when buy-in happens, when people see the connection between the requirement and their daily problems.

Suppliers are the other half of this. A partner running a critical operation that sits outside your ISO 22002:2025 transition plan is a ticking audit finding. Review selection criteria, contract language, evaluation schedules, and how you handle deviations. One weak supplier can cost you a nonconformity and, frankly, a customer.

The commercial angle here gets overlooked. Stable supplier relationships lower complaint rates, reduce returns, and give you leverage when negotiating with retail buyers. When you can show chain control across your partners, buyers see predictability. That often tips the decision more than a price discount would.

Auditors think in layers. Four of them, usually.

Layer one: did management make a decision to transition? Layer two: are the changes documented? Layer three: did those changes actually happen on the floor? Layer four: has someone verified the results? An auditor who finds all four will move on quickly. An auditor who finds a hole in any one of them will dig, and that's where time-consuming findings start.

So what goes into the evidence base? The approved transition plan itself. A change matrix showing each PRP block, the risk, the timeline, and the current status. Updated procedures. Training records with dates and names. Internal audit results from after the changes went live. Corrective actions and proof those corrective actions actually worked, not just that someone opened a form.

One thing we've learned to always recommend: prepare a two-page management summary of the transition progress. Hand it to the auditor in the opening meeting. It takes them maybe ten minutes to read, and it frames the whole audit. Instead of the auditor piecing the story together from scattered documents, they get the narrative upfront. The rest of the audit becomes confirmation, not discovery.

That framing matters. When evidence is scattered and you're digging through folders during the audit, it looks like the system happened by accident. When it's organized before the auditor walks in, it looks like management.

We've seen every version of this go wrong.

The wait-and-see trap. Company knows the standard changed, decides to "wait for official timelines," shows up to the ISO 22000 audit with nothing. No transition plan, no PRP gap analysis results, no evidence. The auditor writes it up in twenty minutes.

The rename trap. Someone goes through every document and replaces "ISO/TS 22002-1" with "ISO 22002-100." References updated, procedures unchanged, shop floor untouched. Auditor pulls one process record, sees the old monitoring frequency, and the house of cards falls over.

The supplier blind spot. Internal PRPs get updated, but nobody tells the external warehouse operator or the contract cleaning company. The auditor asks about supplier alignment. Silence.

And then there's the slow drift. No monthly check-ins, no progress reviews. Small delays compound. By the time someone notices, there are eight open items and the audit is in six weeks.

The fix isn't complicated. Start before you have to. Name one owner. Prioritize the changes that touch safety first. Build evidence as you go, not the week before the auditor arrives. The hard part, honestly, is just not putting it off.

If management can't see the numbers, the project dies quietly.

The ISO 22002-100:2025 transition belongs in operational management, not parked inside the quality department as a side task everyone politely ignores. Pick three or four KPIs at the start. Not twenty. Just the ones that answer the question: are we actually moving, or are we producing activity reports?

Here's what we track in our projects. First, the percentage of closed changes in high-risk PRP blocks. That's the number that matters most, because it tells you whether the points touching safety and production stability are handled. Second, the share of staff who finished role-specific training and can demonstrate they understood it (not just signed an attendance sheet). Third, internal audit results after the changes: are the same nonconformities coming back, how fast do corrective actions close, what's happening with shift-level incidents?

Then look at the commercial side. How many customer audits did you pass clean? Are new contracts getting approved faster or slower? Are buyers asking for extra PRP evidence less often? One confectionery manufacturer we worked with tracked this and found their contract approval time dropped from 14 weeks to 9 after the transition was 60% complete. That's the kind of number that gets a CEO's attention.

Timelines have two failure modes. Too aggressive: the team misses early milestones, loses motivation, starts treating the plan as fiction. Too loose: no urgency, no accountability, the project drifts into next year. A staged model with control gates works. Stage one: gap analysis, scope approval. Stage two: high-risk PRP changes and training. Stage three: stabilization, internal audit, corrective actions. Stage four: evidence base assembly, readiness check for the external audit. You move between stages by meeting pre-set criteria, not by looking at the calendar.

Budget is the same idea. Don't lump everything into "certification costs." Split it: methodology and document updates; training; internal audits and corrective actions; external audit or customer assessment. When you see where overruns happen, you can fix them before they cascade.

Keep a contingency reserve. Always. Cross-functional dependencies appear out of nowhere during transitions. A logistics procedure change ripples into labeling requirements, which ripples into warehouse records, which means retraining adjacent teams. Ten to fifteen percent of budget and a two-week time buffer handles most of these surprises without blowing the schedule.

We close each month with a short management meeting. Thirty minutes, no longer. KPI status, schedule deviations, root causes, decisions, owners, date of the next check. That rhythm keeps the transition visible and gives the team clear priorities instead of a vague sense that "something is happening with ISO."

This isn't about paperwork. It never was.

The transition to ISO 22002-100:2025 either strengthens how your company operates or it sits in a binder. The difference comes down to whether management treats it as a change management exercise under ISO 22000:2018 (clause 6.3) or as a documentation refresh. Companies that do the former get fewer audit findings, tighter operations, and a stronger hand when negotiating with retail buyers. Companies that do the latter get a binder.

Buyers notice. When two suppliers offer comparable products and one can show a structured, in-progress transition plan with evidence of real execution, that supplier wins the contract more often than not.

If you need a transition plan that works without shutting down production, the Ekontrol team can build the roadmap, run the PRP gap analysis, update your procedures, train your people, and assemble the evidence base for the audit. What you get is not a certificate on the wall but a system your business can actually grow on.