ISO 22002:2025 Updates Explained – What Certified Sites Need to Know
In July 2025, the ISO 22002 series was revised, introducing significant structural and content updates to the prerequisite programme (PRP) requirements that support ISO 22000 and FSSC 22000 certified food safety management systems.
While PRPs are often seen as “basic hygiene requirements,” the 2025 revision makes one thing clear: PRPs are no longer static background controls. They are risk-based, structured, and audit-critical.
Here is what has changed — and what it means for certified sites.
1. Introduction of ISO 22002-100: A Common PRP Baseline
The most important structural change is the introduction of ISO 22002-100:2025.
This new standard establishes a common PRP foundation across all sectors of the food chain. Sector-specific standards (such as food manufacturing, packaging, farming, catering, transport, retail and feed production) now build on this shared baseline.
What this means for you:
- Greater harmonisation across sectors
- Less duplication between standards
- More consistent audit expectations
- Clearer alignment with ISO 22000:2018 and FSSC 22000 Version 6
However, it also means organisations must review their PRP structure carefully to ensure it aligns with the new clause numbering and content.
2. Stronger Risk-Based Thinking Across PRPs
One of the most noticeable shifts is the emphasis on risk-based implementation — not just documented procedures.
Examples include:
- Formal risk-based zoning of facilities
- Utility specifications defined according to intended use
- Supplier categorisation based on risk level
- Cleaning frequencies determined through risk assessment
- Food defence and food fraud vulnerability assessments
Auditors will increasingly expect justification of decisions, not simply evidence of existence.
3. Zoning Becomes More Structured and Documented
Facility zoning is now a formal, documented requirement rather than an implied good practice.
Sites must demonstrate:
- Defined hygiene zones (e.g. raw, high-care, low-risk)
- Controlled personnel and material flow
- Managed air movement where applicable
- Clear segregation plans
Zoning must now link directly to contamination prevention, allergen control and cleaning programmes.
For many sites, this will require updating layout drawings and revisiting risk assessments.
4. Cleaning and Verification Are Elevated
Cleaning is no longer just about having a schedule.
The updated requirements emphasise:
- Risk-based cleaning frequencies
- Clearly assigned responsibilities
- Objective verification (e.g. ATP, microbiological testing)
- Stronger chemical control
- Post-maintenance cleaning verification
This signals a move from routine cleaning to controlled, measurable hygiene management.
5. Supplier Risk Management Is Strengthened
The new requirements reinforce that supplier approval must be proportionate to risk.
Expect to see:
- Risk-based supplier categorisation
- Increased scrutiny of high-risk suppliers
- Active performance monitoring
- Review of audit findings — not just collection of certificates
Sites that rely heavily on third-party certification without evaluating supplier performance trends may need to strengthen their controls.
6. Utilities and Environmental Controls Are More Defined
Utilities such as water, air and gases now require:
- Clear quality specifications
- Differentiation between potable and non-potable systems
- Defined monitoring programmes
- Preventive maintenance records
There is also stronger focus on drainage design and environmental contamination prevention.
Utilities can no longer be treated as background infrastructure — they are audited as active risk controls.
7. Food Loss and Waste (FLW) Now Included
Aligned with sustainability expectations and FSSC 22000 Version 6, food loss and waste management is explicitly addressed.
Sites must show:
- Controlled waste handling
- Systems capable of handling peak volumes
- Prevention of cross-contamination
- Consideration of sustainability impacts
This is particularly relevant for high-volume production environments.
8. Food Defence and Food Fraud Remain Critical
The updated structure reinforces the requirement for:
- A documented Food Defence Threat Assessment (TACCP)
- A documented Food Fraud Vulnerability Assessment (VACCP)
- Defined mitigation measures
- Regular review of risks
These are no longer “add-ons” — they are core expectations.
9. Rework Clarified (Manufacturing Sector)
For food manufacturing sites, rework controls remain essential.
Requirements include:
- Full traceability of rework
- Clear rules on quantity and application
- Segregation and identification
- Risk-based decision-making
Production pressure is not an acceptable justification for uncontrolled rework.
What Does This Mean for FSSC 22000 Sites?
Although FSSC 22000 Version 7 has not yet been released, history shows that scheme updates closely follow ISO revisions.
Certified organisations should:
- Conduct a structured gap analysis
- Review PRP documentation against ISO 22002-100
- Update zoning and contamination control documentation
- Strengthen cleaning verification records
- Reassess supplier risk categorisation
- Review TACCP and VACCP documentation
Waiting until your next surveillance audit is not a strategy.
Final Thoughts
The 2025 revision of ISO 22002 does not introduce radically new concepts — but it does raise the bar on implementation, justification and verification.
The shift is clear:
From documented procedures
To risk-based, demonstrable control
Sites that prepare early will find transition straightforward. Sites that delay may experience preventable audit findings.
If you would like a practical ISO 22002:2025 Gap Analysis Checklist to assess your site readiness, contact Food Safety Excel.
Preparation should be proactive — not reactive.
