ISO/IEC 17020

ISO/IEC 17020:2026 Requirements Explained, Clause by Clause

Published on June 23, 2026
12 min read
By Levy M.

Last Updated on June 24, 2026 by Hafsa J.

ISO/IEC 17020:2026 Requirements Explained, Clause by Clause

If you run or quality-manage an inspection body, ISO/IEC 17020:2026 is the document an assessor will hold you to. The requirements live in five blocks, Clauses 4 through 8, plus a normative Annex A that decides your independence type. This guide walks each clause in the order the standard sets them, and flags exactly what the 2026 third edition changed from the 2012 edition you were last accredited against.

One framing point first, because most articles get it wrong: inspection bodies are accredited against ISO/IEC 17020, not certified to it. The standard is a requirements document for accreditation, peer assessment or other assessments. So when you read a requirement below, read it as something you will have to show evidence for when an assessor visits, not a box you self-declare.

The 2026 edition was published on 27 March 2026 and replaces ISO/IEC 17020:2012. Bodies have until 27 March 2029 to transition under the ILAC resolution. The structure below is the fastest way to map your current system against the new text and find the gaps.

The shape of the standard, and why it matters

ISO/IEC 17020 governs inspection, which the standard defines as examination of an item and determination of its conformity with detailed requirements, or, on the basis of professional judgement, with general requirements. That last phrase is the whole reason inspection has its own standard: inspectors exercise judgement, so the requirements are built around competence, impartiality and consistent operation rather than around a fixed test method.

Inspection is also a large field in its own right. It sits at roughly a third of the global testing, inspection and certification market, which puts the activities governed by this one standard in the order of a hundred billion dollars of annual revenue.

WHERE INSPECTION SITS IN THE WIDER MARKET
Inspection is about a third of the global TIC market
Testing, Inspection and Certification revenue split, 2025.
Global TIC
2025
Testing, about 42%
The largest segment. Laboratory and field testing of products and materials.
Inspection, about 35%
The activity governed by ISO/IEC 17020. On a 2025 TIC market of roughly USD 260 to 420 billion, that is an inspection segment in the order of USD 90 to 150 billion.
Certification, about 23%
Management system and product certification (ISO/IEC 17021, 17065).

Segment shares vary by analyst definition; one breakdown gives Testing 42 percent, Inspection 35 percent, Certification 23 percent, while others define testing more broadly. The USD range reflects differing 2025 TIC market estimates across firms. Sources: Grand View Research; MarketsandMarkets (2025).

 

The 2026 edition also added two definitions that thread through every clause: item (the object of inspection, which can be a product, process, service, material, location, facility, installation or its design) and client (the person or organization requesting inspection, who can be different from the provider of the item). Wherever the old edition said “object,” the new one says “item,” and several requirements now name the client explicitly.

Clause 4: General requirements (impartiality and confidentiality)

Clause 4 holds the two principles every other requirement protects. Impartiality (4.1) requires that inspection activities are undertaken impartially and that the body does not allow commercial, financial or other pressures to compromise that. The clause that changed most is 4.1.3: the body shall monitor its activities and relationships to identify threats to impartiality on an ongoing basis, and that monitoring shall include the relationships of its personnel. The note lists the kinds of relationship that can create a threat, from ownership and governance to shared resources, contracts, marketing and sales commissions for referrals.

Let me be direct about why this matters. The 2012 habit was a once-a-year impartiality risk assessment filed and forgotten. The 2026 wording is “on an ongoing basis.” If a threat is identified (4.1.4), its effect shall be eliminated or minimized, and you shall be able to demonstrate how. Clause 4.1.7 adds that personnel involved in inspection shall not be remunerated in a way that influences the results, so a bonus tied to “pass” rates is now a direct nonconformity waiting to be found.

Confidentiality (4.2) requires legally enforceable commitments covering all information obtained or created during inspection, with advance notice to the client of anything you intend to place in the public domain. The 2026 text is explicit that the confidentiality obligation reaches committee members, contractors and any person acting on the body’s behalf (4.2.4), and that information about the client obtained from other sources, a complainant or a regulator for example, is treated as confidential unless the source agrees otherwise (4.2.3).

Clause 5: Structural requirements

Clause 5.1 points you to Annex A for independence (covered below). Clause 5.2 sets the legal basis: the body shall be a legal entity or a defined, identifiable part of one, legally responsible for all its inspection activities, and shall define and document the inspection activities for which it conforms to the standard, with the field, range and stage of inspection and the applicable schemes or specifications (5.2.3).

Watch 5.2.4. It now requires adequate provisions to cover liabilities, and it spells out a method: analyse the risks arising from inspection activities, assess the potential liabilities associated with them, and assure that the level of provisions (insurance or reserves) is consistent with those liabilities. An insurance certificate alone no longer demonstrates the requirement; the assessor will want the analysis behind it. Clause 5.3 requires a defined organization and management structure, named technical management with overall authority for the inspection activities (5.3.2), and documented duties and authorities for each function (5.3.5).

Clause 6: Resource requirements

Clause 6.1 (personnel) requires a single documented process for managing competence covering six elements: determining competence requirements including for professional judgement, selection, initial training, authorization, monitoring of competence, and continual training (6.1.2). The body shall hold documented information demonstrating each person’s competence.

Clause 6.2 (facilities and equipment) carries the single most consequential addition in the edition, 6.2.9. Where the body uses technology in connection with inspections, and the standard names computers, automated equipment, data processing, artificial intelligence, augmented reality and remote inspection techniques, it shall ensure the technology is suitable and adequate for use (validated before use, revalidated periodically and after changes, software updated as required), that procedures protect the integrity and security of data, and that hardware and software are maintained. This is the clause that finally writes drone, remote and AI inspection into the requirements, and it has its own dedicated guide; see the AI and remote inspection deep-dive linked at the end.

Clause 6.3 broadens “subcontracting” into externally provided products and services: a procedure for defining, approving, evaluating, selecting, monitoring and re-evaluating providers, applied to everything from calibration and testing services to IT and inspection services. The body shall normally perform the inspections it contracts; using externally provided inspection activities is reserved for exceptional circumstances, the client must be informed and given the chance to object in advance, and responsibility for the results stays with the body (6.3.3 to 6.3.5).

Clause 7: Process requirements

Clause 7 is the operational core, from contract review through to the report. Review of requests, tenders and contracts (7.1) ensures the inspection and item are clearly defined and that you have the capability and methods to deliver. Inspection methods and procedures (7.2) require standard methods where they exist and documented, validated non-standard methods where they do not. The expanded 7.2.5 lists what methods shall address, and two items are new in spirit: activities where the inspector’s judgement may rely on the use of technology (7.2.5 b), and inspection results from artificial intelligence or digital developments (7.2.5 f). Clause 7.2.6 requires validation of non-standard methods including when technology is used, with records retained.

Handling of items (7.3) requires unique identification and a check that the item is in a ready state before inspection. Inspection records (7.4) require timely recording, identification of equipment with significant influence including the date of use, and traceable amendments where both the original and amended data are retained with the date.

Clause 7.5, control of data and information, is a new standalone subclause. Systems used to collect, process, record, report, store or retrieve inspection data shall be validated, and any change, including configuration changes or modifications to commercial off-the-shelf software, shall be authorized, documented and validated before implementation. Technical data and records shall be safeguarded against unauthorized access, tampering and loss, maintained for integrity and security, and shall log system failures with the corrective actions taken. The inspection report or certificate (7.6) keeps its mandatory content list, with one addition worth noting, the facility name or location of inspection when relevant. Appeals (7.7) and complaints (7.8) are now two separate clauses, each with a publicly available process and decisions taken by people not involved in the matter under review.

Clause 8: Management system requirements

Clause 8 lets you run either a standalone management system meeting 8.2 to 8.7 or a quality management system in line with ISO 9001 that demonstrably supports the standard’s requirements (8.1.3). The change to flag is 8.4, actions to address risks and opportunities, which is now a mandatory part of the management system rather than an optional extra. The body shall consider risks and opportunities associated with its inspection activities, plan actions, integrate them into the system and evaluate their effectiveness, with actions proportional to the potential impact on the validity of results. The standard is careful to add that no formal risk management process or documented methodology is required, so you can keep this proportionate.

The rest of Clause 8 covers documented information and document control (8.3), corrective actions and nonconformity handling (8.5), internal audits across all fields of inspection and all premises (8.6), and management review (8.7), whose input list now explicitly includes risk identification results, impartiality threat conclusions, the effectiveness of the competence process, and projected workloads.

Annex A: independence, Type A and Type non-A

Annex A is normative, which means it carries requirements, not guidance. The old Type A, B and C model is gone. The 2026 edition recognises two types: Type A, a third party independent of all parties involved, and Type non-A, which absorbs the former Type B and Type C. A Type A body and its legal entity shall not engage in the design, manufacture, supply, installation, purchase, ownership, use or maintenance of the item inspected, and the restriction now extends to similar competitive items, alternatives competing in the market. A Type non-A body provides safeguards inside its legal entity to segregate inspection from other activities, and the same person shall not both produce or maintain and inspect the same item, except where a scheme explicitly allows it.

A body can hold different types for different inspection activities, so reclassification is an activity-by-activity exercise, not a single label. Because that decision sets the documents you have to rewrite, it has its own tool and walkthrough rather than being squeezed in here: work through the Type A vs Type non-A reclassification guide and self-classifier to find your 2026 category and re-documentation list.

What changed from 2012, in one table

If you only have ten minutes before a gap analysis, this is the list of clauses where the 2026 edition added or strengthened a requirement. Each row points at the clause to read in full.

Clause Requirement area What is new or strengthened in 2026
3.7, 3.8 Definitions New definitions of “item” and “client” added and used throughout.
4.1.3 Impartiality Ongoing monitoring of threats and personnel relationships, not a yearly review.
5.2.4 Liabilities Documented liability risk analysis behind insurance or reserves.
6.2.9 Technology Explicit rules for AI, augmented reality, remote techniques and data processing: validate, revalidate, secure.
7.2.5 f Methods Methods must address inspection results from AI or digital developments.
7.5 Control of data New standalone subclause: validate data systems, secure technical data, log failures.
7.7, 7.8 Appeals and complaints Split into two separate clauses, each with a public process.
8.4 Risks and opportunities Now mandatory in the management system, kept proportionate.
Annex A Independence Type A, B, C replaced by Type A and Type non-A; restriction extended to similar competitive items.

Frequently asked questions

Is ISO/IEC 17020 a certification or an accreditation?

Accreditation. Inspection bodies are accredited against ISO/IEC 17020 by an accreditation body such as ANAB, A2LA, IAS, UKAS, NATA or SCC. The standard itself states it can be used as a requirements document for accreditation, peer assessment or other assessments. Calling it a certification is a common error in older guides.

How many clauses does ISO/IEC 17020:2026 have?

The requirements sit in five numbered clauses: Clause 4 general requirements, Clause 5 structural, Clause 6 resource, Clause 7 process, and Clause 8 management system. Clauses 1 to 3 cover scope, normative references and definitions. Annex A (independence) is normative; Annex B (optional report elements) is informative.

Do I have to switch to a documented risk management system?

No. Clause 8.4 requires you to consider and act on risks and opportunities, but a note in the standard states there is no requirement for a formal risk management method or a documented risk management process. You decide how extensive to make it, as long as the actions are proportional to the impact on the validity of your results.

Where to take this next

Reading the clauses is step one. Turning them into accreditation is a separate journey: if you are starting from zero, the ISO/IEC 17020 accreditation guide walks the process, the accreditors and the cost and timeline numbers. The official scope and status of the standard is on the ISO catalogue page for ISO/IEC 17020, and ANAB has published a plain-language summary of the 2026 changes on the ANSI National Accreditation Board blog.

When you move from reading the standard to building the documents it calls for, the ISO/IEC 17020:2026 Documentation Kit gives you the manual, procedures and records already mapped to these clauses, so your gap analysis becomes a fill-in exercise rather than a blank page.

Clause numbers and requirement wording in this article are drawn directly from ISO/IEC 17020:2026. Always work from the official standard for your own compliance decisions; this guide orients you, it does not replace the text.

Share on social media
Take the next step

Prepare your ISO/IEC 17020 certification with the complete kit

The complete documentation package to deploy an ISO/IEC 17020:2026-compliant inspection body management system: ready-to-use document architecture covering the new 2026 requirements, impartiality safeguards, remote inspection, and ICT controls.