Aliquora Team

GLP vs GMP vs ISO 17025: What Small Labs Actually Need

Confused by GLP, GMP, and ISO 17025? This guide breaks down each framework so small lab QA managers can pick the right compliance path fast.

Choosing between GLP, GMP, and ISO 17025 is one of the first decisions a small lab's QA manager faces — and picking the wrong framework wastes months of effort. This guide walks you through what each standard actually requires, how to match your lab's work to the right one, and the setup steps to get compliant without over-engineering your QMS.

Before You Start: Prerequisites

Before comparing frameworks, confirm the following:

  • Know your customer. Are you reporting results to a regulatory agency, a manufacturing client, or end consumers?
  • Know your output. Do you produce research data, release testing results, or calibration/test reports for third parties?
  • Know your jurisdiction. FDA-regulated work follows different rules than OECD-recognized GLP studies or accreditation-body-assessed labs.

Without these answers, framework selection becomes guesswork.

Step 1 — Understand What Each Framework Actually Governs

These three standards are often lumped together, but they govern very different activities.

GLP (Good Laboratory Practice)

GLP is a study-integrity framework, not a quality system for routine testing. It was designed by the OECD and adopted by the FDA and EPA to ensure that non-clinical safety studies (toxicology, ecotoxicology, residue studies) are conducted and reported reproducibly.

Key requirements:

  • A designated Study Director who owns the study protocol
  • Master Schedule tracking all ongoing studies
  • Raw data archives retained for the life of the study plus a defined period
  • QA unit that audits studies and inspects facilities independently

Who needs it: Contract research organizations (CROs) running regulatory submission studies. If you run discrete, protocol-driven studies for pesticide or pharmaceutical registration, GLP is mandatory.

GMP (Good Manufacturing Practice)

GMP governs manufacturing processes, including in-process and release testing tied to a product batch. FDA 21 CFR Parts 210/211 (pharma), Part 111 (dietary supplements), and similar regulations require labs embedded in or contracted to manufacturers to follow GMP.

Key requirements:

  • Laboratory controls with written procedures for each test
  • Out-of-specification (OOS) investigation procedures
  • Two-person review of batch records
  • Retention samples and reference standards with defined storage conditions

Who needs it: QC labs testing finished pharmaceutical products, dietary supplements, or medical devices before release.

ISO 17025

ISO 17025 is a technical competence standard for testing and calibration laboratories. It is accreditation-based — a body like A2LA or NVLAP assesses your lab against the standard and grants scope-specific accreditation.

Key requirements:

  • Method validation or verification records for each accredited method
  • Measurement uncertainty estimates for quantitative results
  • Impartiality and confidentiality policies
  • Proficiency testing participation
  • Documented management review

Who needs it: Environmental labs, food safety labs, cannabis testing labs, and any lab that sells testing services to external clients who require accredited results.

Step 2 — Match Your Lab Type to the Right Framework

Use this decision logic:

  1. Do you run non-clinical safety studies for regulatory submissions? → GLP. Stop here.
  2. Are you a QC lab inside or contracted to a manufacturer regulated by FDA or equivalent? → GMP. You may also layer ISO 17025 if you serve external clients.
  3. Do you issue test reports to external clients who need accredited data? → ISO 17025.
  4. Do none of the above apply yet, but you want a defensible QMS? → Start with ISO 17025 as a foundation. Its structure maps cleanly onto GLP and GMP if you scale later.

Concrete example: Meridian Analytical, a 6-person food safety lab in Ohio, was running pesticide residue screens for grocery retailers. Their clients began requiring accredited results. Meridian needed ISO 17025, not GLP — even though both involve pesticide testing. The difference: GLP applies to study-based regulatory submissions; ISO 17025 applies to routine commercial testing. Meridian pursued A2LA accreditation and was assessed within 14 months.

Step 3 — Build Your Documentation Stack

Regardless of which framework you choose, the core documentation requirements overlap significantly. Build these first:

  1. Quality Manual — describes your QMS scope, policy, and organizational structure.
  2. SOPs for each method — written, version-controlled, and reviewed on a defined cycle.
  3. Training records — demonstrate that analysts are qualified before running tests independently.
  4. Instrument calibration and maintenance logs — with pass/fail criteria and corrective action records.
  5. Sample receipt and chain-of-custody records — including condition on arrival and any sample integrity flags.
  6. OOS/OOT investigation procedure — required explicitly under GMP; strongly implied under ISO 17025 and GLP.

A LIMS like Aliquora can automate OOS flagging, maintain audit-ready chain-of-custody records, and generate COAs directly from validated result sets — reducing the manual documentation burden at steps 5 and 6.

Common Mistake #1: Writing SOPs after an audit gap is identified rather than before testing begins. Auditors treat missing documentation as evidence the process was not controlled, even if the actual testing was done correctly.

Common Mistake #2: Treating ISO 17025 accreditation as a one-time project. Accreditation requires annual surveillance assessments and continuous proficiency testing. Budget for ongoing maintenance, not just initial implementation.

Common Mistake #3: Applying GLP requirements to routine commercial testing. GLP's Study Director model and Master Schedule create significant overhead. Imposing it on a high-throughput environmental lab will slow operations without adding compliance value.

Frequently Asked Questions

Can a small lab be compliant with more than one framework at the same time?

Yes, and it is common. A contract pharmaceutical testing lab might maintain GMP compliance for client product release work while holding ISO 17025 accreditation for environmental monitoring methods. The documentation systems overlap enough that a well-structured QMS can satisfy both.

Is ISO 17025 required for cannabis testing labs?

In most U.S. states with regulated cannabis markets, ISO 17025 accreditation — or accreditation to an equivalent standard — is a licensing requirement for third-party testing labs. Check your state's cannabis control authority for the specific accreditation body and scope requirements.

Do GLP labs need ISO 17025 accreditation?

No. GLP and ISO 17025 are parallel, not hierarchical. GLP studies are evaluated through regulatory authority inspections (e.g., FDA or EPA), not through accreditation bodies. Some labs hold both, but there is no requirement to do so.

What is the fastest path to compliance for a startup lab?

Start with a gap assessment against ISO 17025:2017, since its requirements are explicit and auditable. Build your QMS around those clauses, then layer on GMP or GLP requirements only if your client contracts or regulatory obligations demand them. A staged approach prevents over-building on day one.

How long does ISO 17025 accreditation take?

Typically 9–18 months from application to initial accreditation, depending on the number of methods in scope, readiness of documentation, and the accreditation body's assessment schedule. Labs with an existing documented QMS tend to move faster.