About CIRQ

Certification Institute for Research Quality

“As our clients are increasingly concerned about their quality and tightening up on compliance, certification to ISO 20252 gives us an advantage…After investigating a number of certification bodies, I chose CIRQ because of its reputation and global certification approach, which suits us perfectly.”
Dr. Jessica Santos
Global Compliance and Quality Director, Oracle Cerner Enviza

CIRQ (Certification Institute for Research Quality), a subsidiary of the Insights Association, was established in 2009 to provide audit and certification services to market research, insights and data analytics firms seeking certification to ISO 20252:2019 Market, opinion and social research, including insights and data analytics. CIRQ also offers audit and certification services for ISO 27001 Information technology – Security techniques – Information security management systems.

A 501(c)(6) non-profit entity, CIRQ complies with ISO the standards for requirements for certification bodies and is managed with oversight from an independent Board of Directors and an annual review by external authorities on ISO requirements.

CIRQ is accredited by the ANSI National Accreditation Board (ANAB) for the following:

  1. ISO/IEC 17065:2012 Standard for Conformity assessment Requirements for bodies certifying products, processes and services.
  2. ISO/IEC 17021:2015-1 Standard for Conformity assessment Requirements for bodies providing audit and certification of management systems
  3. ISO/IEC 27006:2015-AMD 1:2020 Standard for Security techniques – Requirements for bodies providing audit and certification of information security management systems

CIRQ complies with the following:

  1. Accreditation requirements for organisations providing certification services to ISO 20252:2019 Market, opinion and social research including insights and data analytics within the territorial jurisdictions of Australia, UK and USA, 2020.

In addition, CIRQ is audited annually by an independent auditor to insure that CIRQ maintains conformance to the above in the conduct of its auditing and certification practices. CIRQ is independently operated and managed by the Managing Director of Certifications who reports to the Insights Association Board.

CIRQ staff and contractors are prohibited from engaging in any conduct, activity, practice, or act which conflicts with, or appears to conflict with, the interests of CIRQ, including any conduct which is directly or indirectly unethical, dishonest, disloyal, disruptive, competitive or damaging to CIRQ’s interests.



CIRQ is committed to providing timely, thorough, and impartial assessments of its customers’ research process management or information security management systems. Clients who have achieved ISO 20252:2019 and ISO 27001:2013/ISO 27001:2022 are listed below. Please click on a company logo to view the clients scope and date of certification(s).



International Recognition

The International Organization for Standardization (ISO) is recognized worldwide as the authority on quality management. The ISO Research Standard is accepted and in some cases required globally. An accredited certification bearing the ISO brand is understood to be a mark of quality around the world.

Global Management

Provides a tool for managing global offices, multiple project teams, and outsourced suppliers to a level of quality consistent with company protocol.

Risk Mitigation

An aligned and documented ISO quality system manages variables and delivers “proof” of adequate controls including data protection and security addressing US safe harbor, EU and other requirements and client concerns.

Increased Revenue

Studies have shown that companies certified to ISO 20252 experience increased productivity and improved financial performance, compared to uncertified companies. This is due to less re-work, improved employee production and greater client satisfaction leading to repeat business, especially in industries partial to standardized processes and quality controls.

Increased Efficiency

Companies that go through the implementation of ISO 20252:2019 create a Research Process (Quality) Management System and have given a lot of thought to their processes and how to maximize quality and efficiency. Once certified, the processes are established and guidelines in place for anyone to follow easily, making training, transitions, and trouble-shooting easier.

Employee Morale and Training

Defined roles and responsibilities, accountability of management, established training systems and a clear picture of how their roles affect quality and the overall success of the company, all contribute to more satisfied and motivated staff and ease of training new recruits.

Supplier Relationships and Control

As more processes are outsourced for efficiency and to access data in global markets, supplier relationships and quality control are increasingly critical to producing accurate and actionable data. Certification to ISO 20252 requires a company to have procedures in place to ensure that a supplier understands the requirements of the global market research standard as it relates to the work provided. There must be established agreements and methods for evaluating suppliers. Mutually beneficial supplier relationships are one of the key attractions to certification.


ISO 20252 certification requires documentation of all processes and any changes, errors and discrepancies. This ensures consistency throughout production and accountability of all staff. This also guarantees traceable records are available in case of errors or omissions or to repeat a study. This is also helpful if staff changes occur on a project.


All processes from cost quotation or proposal to client deliverables are defined, outlined and documented, minimizing error. Change management is also documented, ensuring that efficiency is maximized.


Certification to the ISO global market research standard provides third party proof of your quality commitment. Your company will be differentiated in the marketplace with this unique and respected global credential. Link here to read more: Celebrate your certification



Gather Information
  • Visit the the Insights Association support pages for ISO 20252 and ISO 27001 for educational content and a general overview of the processes.
  • Visit the CIRQ website for the step-by-step certification process.
  • View the CIRQ Quality Manual for detailed information on CIRQ’s accredited certification programs.
Purchase the Standard(s) from ANSI
  • ISO 20252:2019* International Standard for Market, Opinion and Social Research, including Insights and Web Analytics
  • ISO/IEC 27001:2022 International Standard for Information Security Management Systems

*this revises ISO 20252:2012 and ISO 26362:2009

Understand the Standard(s)

Read the standard(s) and using four colored highlighters, look for the following words and highlight them in different colors:

  • “shall” means you must do this – this is a requirement of the standard
  • “procedure” tells  you what documented procedures you need to have in place
  • “record” means you need to be able to show a record (i.e. evidence) of performing this task or function
  • “document” means the event, occurrence or process must be written down (i.e. documented)
  • Completing this task will help provide an understanding of the standard’s requirements
Establish Staff Support
  • Appoint a Quality Manager or Team (Note: Quality Manager is usually NOT a full time position)
  • Consider the best practice from the revised ISO 20252:2019, and identify an “Annex owner”, a person responsible for maintaining the procedures specific to Annexes identified in your Statement of Applicability
  • Garner top-level support (CEO)
Determine Statement of Applicability
  • A description of the total services you provide to a client
  • The geographic area of those services
  • Any exclusions that may apply

This Statement of Applicability will be included on the CIRQ Registry once the company achieves certification and will also be listed on the Certificate of Compliance.

Request Quote
  • Client receives self-assessment from CIRQ
  • Client completes CIRQ self-assessment form indicating compliance with each applicable section of the ISO 20252:2019
  • CIRQ evaluates client self-assessment against the components of the standard and prepares a pre-assessment report that indicates the client’s readiness to be audited.
  • For ISO 27001 certification, upon approval of the application and estimated fees, a Stage 1 and Stage 2 audit will be scheduled.
Audit Plan

CIRQ and client communicate regarding the schedule of the initial onsite or remote via web-conferencing (ICT) audit, sites to visit, fees, etc.

Onsite Audit

CIRQ auditor(s) conduct the onsite or remote audit, beginning with the client headquarters and following with the agreed upon additional locations, if any.

Audit Report

Results of the audit are documented by the Lead Auditor and an Audit Report is submitted to CIRQ and subsequently to the client.

  • Upon successful completion of the audit, review of documentation, and based on audit conclusions, CIRQ will make a decision to grant certification if there is sufficient evidence of conformity, or not to grant certification if there is insufficient evidence of conformity.
  • The Final Audit Report in PDF format is submitted to the client
  • The certificate of compliance is issued and final invoice is sent to the client
  • The CIRQ Certification Process for ISO 20252 and ISO 27001 is described in the CIRQ Quality Manual.
Client Feedback

Client is sent the FC 8001 1.5 CIRQ Client Feedback Form for scoring and comments on audit planning and auditor performance. A formalized client interview via phone can also be requested after the client audit to discuss the audit management process.

1st Surveillance Audit

Planning of the 1st surveillance audit begins 3 months prior to the 1st surveillance and will be completed 12 months from the last audit.

2nd Surveillance Audit

Planning of the 2nd surveillance audit begins 9 months following the 1st surveillance audit and will be completed 12 months from the last audit.


Scheduling of the re-certification audit begins 9 months following the 2nd surveillance audit and will be completed 3 years from the first initial audit.


Frequently Asked Questions about Certifying to ISO 20252:2019 and ISO 27001:2022

Can I have the same auditor?2022-11-29T20:40:51+00:00

It is CIRQ’s policy to try and maintain the same audit team with a client for a period of at least 3 years until re-certification is due and then, where practical, a new audit team is appointed. From time to time this may not be possible and in these circumstances, you will be informed of changes in advance and the reasons for those changes.

Can I pick my auditor?2019-01-15T20:28:07+00:00

There is no objection to you choosing your own auditor amongst the certified CIRQ auditors, however, there are rules relating to auditors’ access to companies where there may be a conflict of interest and also auditor availability and experience. Generally, Auditors are assigned based on experience and availability factors, location, costs, and conflict of interest, etc. If you would like to discuss this matter, please contact CIRQ and your query will be directed to the Managing Director for response.

Can the ISO 20252:2019 Statement of Applicability change?2021-05-05T15:32:34+00:00

As a requirement of ISO 20252:2019, certification clients will be drafting and submitting their Statement of Applicability annually before the scheduled date of the Initial, Surveillance or Re-Certification Audit for review by the assigned CIRQ Auditor. The services that an organization provides can and often does change. When it does, CIRQ must be notified via email and CIRQ shall validate the revised SoA during the following years’ audit. The scope may change when:

  • A company merges with another company
  • New offices are opened (or existing offices closed)
  • New services are provided
  • The business expands overseas
  • Additional expertise is acquired within the business

Note: CIRQ must be informed in writing (email is accepted) if you wish to change the SoA or if the structure of your organization changes. This may impact your audit process and the audit program may need to be adjusted. It is always in the best interest of a company to keep their SoA current and to keep it as full a statement as possible. Therefore, always inform CIRQ as soon as you believe the SoA of your certification could or should change.

Can we certify to ISO 9001 with our ISO 20252 system?2022-11-29T20:49:13+00:00

No. ISO 9001 and ISO 20252 are different standards, and while a company can pursue ISO 9001, CIRQ is not accredited to certify to this standard. Our management system and processes are not aligned to the requirements of ISO 9001. CIRQ is accredited by ANAB to ISO 17021 and ISO 17065, the two standards applicable to certification bodies certifying management systems and processes.

Do we have to include all of our services in the ISO 20252:2019 Statement of Applicability?2021-05-05T15:34:01+00:00

The ISO 20252:2019 Statement of Applicability (Clause 4.1.1) replaces the old Scope Statement from ISO 20252:2012/ISO 26362:2009. Basically the answer is YES; however, consider an 80/20% rule. If 80% of your business consists of certain services provided to your client groups, then this is the general scope of your business. Within the revised ISO 20252, subcontracted services are considered within each Annex and are included in the Statement of Applicability. The 20% of your business remaining may include specific project related work for a particular client or clients that are not your normal market research standard operating methodology. These jobs can be left out of the scope of works as long as they do not grow to represent more than approximately 20% of your business. Additionally, some market research companies provide other services such as strategic planning that do not have a direct market research function. This work does not fit within the bounds of ISO 20252:2019 and therefore should not be included in the scope of work.

From the time I submit my application, when will I be able to schedule the company’s audit?2022-11-29T19:27:43+00:00

That really depends on the scope of your certification, how prepared you are for the audit and how you progress the documentation throughout the certification journey. We have seen companies be audit ready in 6 months.

How do I dispute or appeal the findings? / What if I have a complaint?2024-06-06T15:36:11+00:00

This rarely occurs but when it does the matter is addressed according to a documented process. As a CIRQ client, the Complaint & Appeal Process is outlined in the CIRQ Standard Certification Agreement. For a description of the Complaint/Dispute/Appeal process, please access the link for the CIRQ Complaint Appeal Dispute form. Once completed, please submit to juliana.wood@cirq.org. You can also access the CIRQ Quality Manual which details this process.

How do I know if my company is ready for the audit?2019-01-15T20:07:29+00:00

First your quality system must be completely documented and have been in place for at least 3 months so that you have RECORDS or EVIDENCE to demonstrate your compliance with the ISO standard to which you wish to be certified. At least some of these RECORDS or EVIDENCE must be available for closed projects. Then when you have completed all sections of the self-assessment form you should submit it to CIRQ for a pre-assessment evaluation and report conducted by a CIRQ auditor. Before you submit the self-assessment, go through it and ensure you have or are creating RECORDS or EVIDENCE for every statement you have made in the assessment. This is your true indication of whether you are ready for a certification audit. A CIRQ auditor will conduct a pre-assessment review against your self-assessment and inform you if it is determined that you are not ready for an audit.

How do I start the Client Self-Assessment ISO 20252:2019 workbook?2021-05-05T15:31:12+00:00

Before qualifying to go to audit, companies undertaking ISO 20252:2019 implementation will be required to complete the Client Self-Assessment workbook. There are cases where this step *may* be waived, and CIRQ’s Managing Director will make that determination with the client lead/Quality Manager.

To get started, take a systematic approach to the document:

  • Go through the standard and read it before opening the self-assessment tool
  • Highlight the following words in varying colors (for reference) in the copy of your ISO Standard: “shall”, “procedure or “document”, “record”, “training” or “competence”
  • These words will indicate actions you need to take to comply with the standard. For example, anytime there is a “shall” this is a requirement of the standard.
  • The Self-Assessment tool mirrors the ISO Standard. Now, refer back to the marked-up ISO Standard for Clause 4 – Core Requirements and each applicable Annex, as stated in your organization’s Statement of Applicability, to explain what is needed in that section.
  • Complete Clause 4 – Core Requirements first and then follow with a draft Statement of Applicability (4.1.1). Identify what you have in relation to the requirements from Clause 4 and applicable Annexes and type responses into the space/box available. Self-assessment comments can be and should be brief.
  • It is suggested to assign an “Annex owner” to each Annex that is stated in the SoA to disseminate the appropriate sections to the relevant department and request them to complete the information.

Lastly the Quality Manager should review and fine tune the responses and complete Clause 4 – Core Requirements, as this is mandatory for all certification clients.

How does CIRQ ensure impartiality of its personnel, audits and certifications?2023-08-14T14:03:42+00:00

CIRQ is committed to impartiality in the audit and certification services it provides. This Quality Policy outlines that CIRQ understands the importance of impartiality in carrying out its management system certification activities, manages conflict of interest, and ensures the objectivity of its management system certification activities.

CIRQ’s Board of Directors, personnel, external auditors and technical advisors are committed to ensure that all Management System Certification activities are undertaken in an impartial and unbiased manner.

CIRQ has established an Impartiality Committee, comprised of representatives from the market research and insights community, to undertake annual evaluations of areas of potential and unforeseen risk.

CIRQ is currently accredited to both ISO/IEC 17021-1:2015 and ISO 17065:2012 by the ANSI National Accreditation Board (ANAB) and complies with all requirements of these two framework standards for certification bodies to ensures impartiality for all its personnel related to all certification activities.

CIRQ has established processes to identify, analyze, evaluate, treat, monitor, and document risks related to conflict of interests arising from provision of certification including any conflicts arising from its relationships on an ongoing basis. In case of threats to impartiality, CIRQ documents and demonstrates elimination or minimization of such threats and documents residual risk. In cases of residual risk, each instance is then reviewed to determine if it is within the level of acceptable risk. The demonstration covers all potential threats that are identified whether they arise from within the certification body or from activities of other persons, bodies or organizations. Whenever a relationship poses an unacceptable threat to impartiality then certification will not be provided.

To ensure above CIRQ has established an impartiality committee of interested parties that include clients, representatives of industry associations, and customer organizations.

To demonstrate effective implementation of this Impartiality policy:

  • CIRQ will not certify another certification body for its Research and/or Information Security Management System.
  • CIRQ will not provide Management Consultancy services for realization, continuity and sustenance of certification.
  • CIRQ will not conduct internal audits of its certified clients.
  • CIRQ will not provide its services either marketed or offered as linked with organization providing management consultancy.
  • CIRQ will not outsource audits to any management system consultancy organization nor allow any auditor, who was responsible for providing management system consultancy towards the client to be involved in audits.
  • CIRQ will not state or imply that certification would be simpler, easier, faster or less expensive.
  • CIRQ will take action to respond to any threats to its impartiality arising from the actions of other persons, bodies or organization.

CIRQ personnel, or committees, who could influence certification activities will not allow any commercial, financial or other pressures to compromise impartiality are required to sign and submit a No Conflict Statement. CIRQ personnel will not accept assignments in which they may have (1) a vested interest in the assigned client, (2) been employed by the client in some capacity within the past three years, currently, or will agree to be employed by the client in some capacity in the next year (3) provided consulting services to the client within the past two years or will provide consulting to the client in the next year, or (4) provided specific and tailored training services to the client within the past two years.

CIRQ requires the revealing and recording of any situation of conflict of interest from its personnel prior to or during the course of an assignment. If  a situation in which CIRQ personnel believe the impartiality of the audit can be/has been compromised, they will notify the CIRQ Managing Director immediately.

How long does a company have to follow the standard prior to audit?2019-01-15T20:07:04+00:00

At least the core processes should be proven and available for audit prior to undertaking a certification audit. An auditor requires evidence; a documented process that has not been fully enacted cannot be audited and therefore, you would not be ready for certification. However, a process that is only just recently changed but 80% of the process history remains would be considered sufficient to continue to audit. All core processes, such as proposal, report, body of the job, i.e., data collection, coding, analysis, must have a minimum of 3 months history with several projects having worked through the system from proposal to reporting for a system to be ready for audit.

How much will the audit cost?2023-06-14T16:14:30+00:00

Depending upon which of the two standards a company may be pursuing for audit and certification, please refer to the following documents. Both documents, when completed, will provide CIRQ the data necessary to provide a reliable cost estimate for an initial ISO 20252 or ISO 27001 audit.

Return the completed forms to Juliana Wood, CIRQ’s Managing Director.

If a company is merged/acquired, etc., does the certification still stand?2021-05-05T15:52:11+00:00

Yes, it will if CIRQ is notified either prior to or at the time the change occurs. CIRQ will request that you submit a management plan, detailing who is now responsible for the quality system, how the scope of certification will change and how the new structure will absorb the quality system sufficiently to maintain certification standards. Refer to the Core Requirements of ISO 20252:2019. Submit to CIRQ the plan for merging the two company’s quality systems so that your company and CIRQ can prepare for an interim audit (if necessary) or for the next surveillance audit [depending on timeframes]. The Plan should be submitted early within the timeframe of change and allow a 6-month transition period prior to the next CIRQ audit in order to confirm compliance. The earlier the notification to CIRQ, the more lead time CIRQ can provide you for any changes necessary in your overall audit schedule. Within 6 months of the change having occurred CIRQ will need to audit the change management functions and random processes to ensure certification continues.

If a company operates in several countries, can they be certified in just one country?2019-01-15T20:04:52+00:00

Yes, as long as they cover all of the core processes covered by the scope of business within that country. For instance, if the only data collection function you have is in China, you will need to include China in the scope of services. If you have data collection functions in the US, then you could geographically leave out China in your scope statement.

Is CIRQ an accredited certification body?2024-06-06T20:54:30+00:00

Yes, CIRQ holds two accreditations through the American National Standards Institute National Accreditation Board.

FOR CIRQ’s ISO 20252:2019 audit and certification program, ANAB has awarded certification to ISO/IEC 17065 Conformity assessment — Requirements for bodies certifying products, processes and services. CIRQ achieved this accreditation in 2019, and maintains this certification through annual ANAB assessments and witness audits. CIRQ will undergo a recertification every two years.



For CIRQ’s ISO/IEC 27001:2022 audit and certification program, ANAB has awarded certification to ISO/IEC 17021-1:2015 Conformity assessment — Requirements for bodies providing audit and certification of management systems. CIRQ achieved this accreditation in 2021 maintains certification through annual ANAB assessments and witness audits. CIRQ will undergo a recertification in 2026 for its ISO/IEC 17021-1:2015 and ISO/IEC 27006:2015 accreditation.


What are the criteria for an auditor selection?2022-11-29T20:39:42+00:00

We have a list of criteria for auditors when scheduling audits that address:

  • Research experience and match to the client’s services
  • Completion of formal auditor training based on ISO 19011
  • Contractual commitment to CIRQ according CIRQ procedures
  • Geographical proximity
  • No conflict of interest with the company
What are the guidelines for use of certification mark [CIRQ Logo] and how does it relate to the scope of certification?2024-06-06T15:34:31+00:00

There are strict regulatory controls around the terms of use of the Certification Mark [CIRQ Logo] once a decision to certify is granted and a company is certified to an ISO Standard. Please access the link for the CIRQ Standard Certification Agreement which provides full details about these requirements. Briefly, the rules are as follows:

  • Certification approval to use the Logo is limited to the scope of audit validated by CIRQ – that is, only those services and sites certified can show any claim through the use of the Logo regarding ISO certification status. This means that divisions, parents, subsidiaries, sister companies and other affiliated companies are not permitted to use the CIRQ Certification Mark [CIRQ Logo] unless they have individually received certification by CIRQ to one or both of the Standards.
  • Certification and subsequent permission to use the CIRQ certification Logo does NOT mean that companies who are NOT members of the Insights Association can use the Insights Association Logo. Insights Association membership and associated rules of use of the Insights Association Logo are quite separate from that of CIRQ and the CIRQ Logo.
  • The CIRQ name and Certification Mark may not be used in any way to suggest product approval, as they apply only to a certification of the certified company’s systems.
  • The use of the CIRQ Certification Mark is subject to annual review based on the successful result of the initial certification, subsequent annual surveillance audits, and a re-certification audit.
  • CIRQ reserves the right to suspend or withdraw a company’s certification if the rules of use are violated in any way.
What are the Terms and Conditions for the Audit and Certification Process?2024-06-06T13:04:52+00:00

Please access the CIRQ Standard Certification Agreement to view the Terms and Conditions for the Audit and Certification Process.

What Audit facilities are necessary on the day of audit?2023-06-14T15:13:25+00:00

On the day of audit, an auditor will need to have sufficient resources to get their job done with as little disruption to the company as possible but also in an efficient and effective manner:

  • Please review the audit schedule and plan as much as possible to have relevant staff available. Where a person cannot be available please nominate a second person where practical. If staff representatives are not available on the day of audit this sometimes extends an audit length as the scope of the audit must be covered in order for the audit to be completed.
  • If your system has electronically held records and processes are managed electronically, the auditor will need to have access to your electronic systems therefore access, including passwords as necessary, may need to be organized.
  • When the audit is performed via web conferencing tools (ICT) like Zoom, Teams, Webex, etc., it is the client’s responsibility to provide login credentials to the CIRQ auditor (and any approved observer/witness) in advance of the audit. For new clients, a test session will be scheduled to ensure that all audio, video, and screensharing capabilities are in good working order for the auditor to perform an effective audit.
  • For onsite audits, ff there is a spare office or desk, it would be useful to provide this working space to the auditor. Also, please ensure auditors are made aware of the personal facilities such as restrooms and administrative facilities such as photocopier, internet access, etc.
What does Statement of Applicability mean?2019-05-14T18:00:00+00:00

The Statement of Applicability (ISO 20252:2019, Clause 4.1.1) replaces the old scope of certification from ISO 20252:2012 and ISO 26362:2009. The Statement of Applicability, or SoA, is the attestation of the service (or product) capabilities provided by your company to the client and reflects the services to which you will be audited against. As ISO 20252:2019 is considered product or industry standard, a company cannot exclude part of the services they provide simply because they do not wish to certify the quality controls of that part of their business. For instance, a company cannot exclude the data collection processes if they provide those processes as part of their client services. Equally, a company must declare the geographies of their services but in this instance can exclude some geographic locations.

The SoA must include:

  • A description of the total services you provide to a client
  • The geographic area of those services
  • The Annexes in which your organization provides services
  • Any exclusions that may apply

Scope Statement

You need to write a Statement of Applicability that reflects the certification you are applying for.

  • Decide what is included, and what is excluded, from the scope of your system. To do this you will need to review Clause 4 – Core Requirements and each of the six (6) Annexes of the standard and balance this with the activities of the organization that are identified in the standard. This will give you the overall scope. You then need to draft the SoA, which will be reviewed annually before each audit.
  • 80% of normal research activities must be addressed in the scope statement.
  • One off projects for clients that are outside the normal business activities do not need to be included in the scope.
  • Other business services such as strategic or business planning undertaken by the company do not fit into the scope of work.

The SoA cannot be a marketing statement. It must be factual. You cannot use words like ‘best’ ‘most advanced’ or “value added to the client” unless it can be proven and therefore becomes part of your audit.


XYZ Company (legal entity name) is a market and social research organization (insert brief description of organization).

XYZ Company delivers research services to (insert client/industry profiles) throughout (insert general geographical locations).

XYZ Company has elected to include (state research services covered) to be attested to ISO 20252 in accordance with Annexes A, B, C, D, E and F (as appropriate). XYZ Company has elected to exclude (state research services not covered) from attestation.

Details of XYZ Company attested Annexes are described* as follows:

Annex A Sampling including access panels

Annex B Fieldwork
Annex C Physical Observation
Annex D Digital Observation
Annex E Self Completion
Annex F Digital management and processing

*For each Annex, insert a descriptive statement of services provided, including any relevant technical specifications.

What happens if the standard is updated or changed?2023-06-14T15:01:29+00:00

In late 2022, ISO 27001 updated from the 2013 version to the revised ISO/IEC 27001:2022. Current ISO 27001:2013 certified clients are advised to transition to the new standard before September 2025, and CIRQ will work with each client audit representative to determine the timing of the transition audit and the steps required to document a client’s implementation of the effectiveness of the new requirements.

CIRQ will continue to offer new certification clients the option of certifying to the 2013 or 2022 version of the standard from June 2023 through March 2024.

After March 2024, new clients will only be certified to the 2022 version of the standard as the 2013 version. To learn more about the update to the standard and the processes for new and current clients, view our January 2023 webinar, ISO 27001:2022 Updates.

Client communications and transitions are currently in progress and ongoing, and if you have questions specific to your certification, please reach out to juliana.wood@cirq.org.

CIRQ shall give due notice to all certified clients of changes in the standard, as well as any changes CIRQ intends to make in its requirements for certification as a result. The client has up to 18 months to make the advised changes in order to maintain certification.

What if I am not satisfied with the audit or any other process I have experienced?2020-09-21T17:57:41+00:00

The formal process is to lodge a complaint with CIRQ in writing – email is acceptable. Download and complete the FS 2001 Complaint Appeal Dispute form, and when complete, submit to juliana.wood@cirq.org. This complaint will be reviewed and the complaints process followed, as outlined in the CIRQ Quality Manual.

What is key to a successful audit in addition to conforming to the standard?2019-01-15T20:07:55+00:00

Simple compliance to the Standard against your scope of certification is the answer. However, try this Top 10 Key Success Factor checklist as a good indicator of success:

  1. What evidence do you have of top management support of the quality system? Have they been involved; do they understand the system and do they ‘walk the talk’ of the system? On the day of audit, a meeting with the CEO or executive management is essential as part of an audit process.
  2. Is the quality system readily accessible to those who need it?
  3. Have all areas of the business that need to use the quality system been part of its development and have they been appropriately trained in the use of the system from their perspective?
  4. Are records easily traceable? Have all the record requirements of the ISO Standard been addressed?
  5. Have legal and regulatory matters been appropriately addressed in the quality system, and relevant staff trained and aware of their obligations?
  6. Have all the applicable ‘shalls’ in the ISO Standard been addressed?
  7. Have all the ‘procedures’ and ‘documents’ identified as required in the ISO Standard been addressed?
  8. How is the integrity of any software or computer system managed considering the level of risk management required to sustain the quality system and integrity of the service delivery to the clients?
  9. Are responsibilities and authorities clearly delegated throughout the company such that the quality of client service delivery will never be compromised by inexperienced project personnel or lack of cross checking the project work of junior or less experienced staff? What evidence is there?
  10. Is the system audited, reviewed or periodically checked internally to ensure it is working as expected and that it meets the needs of the company? What evidence is there?
What is the CIRQ Self-Assessment tool for ISO 20252:2019 and how is it used?2021-05-05T15:32:05+00:00

The ISO 20252:2019 Client Self-Assessment is a unique tool provided by CIRQ to help you do a GAP analysis of your compliance to the standard(s). You simply indicate briefly how your company complies with each clause listed. Your responses will eventually be evaluated by an auditor resulting in a score indicating your company’s readiness to go to the onsite audit. Note: If the scope of your system does not include some section of the audit tool, simply write “Not Applicable”. However, do not write “Not Applicable” simply because you are not following a process that meets the ISO Standard.

What is the difference between processes, procedures, documents and records?2019-01-15T20:06:39+00:00

RECORD is either a document or data that cannot be changed, it represents a finite point, and it is permanent and historical. e.g. a training record, a completed questionnaire, a completed and closed off contract, a completed project, a paid invoice, etc.

PROCESSES, PROCEDURES and DOCUMENTS are information that is changing and/or changeable while remaining under a control mechanism that allows for traceability; e.g. A documented process or procedure can be changed and updated as necessary but should have a form of document control such as date or revision status that shows the changes that have occurred. A contract is a live document until the contract is completed. While the contract is ongoing it can be amended as long as the amendments are traceable. Once it is completed and signed it becomes a Record. A blank template is a document and is in effect the master. Once it has information in it, it becomes a document until such time as the form (or template) is completed and then it becomes a record.

Where do I purchase the standards?2023-06-14T15:19:11+00:00

Access the link(s) below to purchase a copy of the standard(s) from the American National Standards Institute and the ISO Webstore:

Market, opinion and social research, including insights and data analytics — Vocabulary and service requirements

Information technology — Security techniques — Information security management systems — Requirements

Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines


“ISO greatly improved our processes. Going through project records, there’s a clear demarcation in detail and quality between those before and after ISO certification. Having that extra nuance has been super helpful!”
Jeffrey Hiban, Operations Manager at Reason Research
“We are committed to providing our clients with the highest level of information security and privacy, so we are incredibly pleased to be one of just a few market research companies that have been recognized by this global standard. Our clients can rest assured that their information is in the safe and secure hands of our expert teams.”
Allen R. DeCotiis, Ph.D., Chairman and CEO of Phoenix MI
“While we already operated to many of the standard’s requirements, securing the ISO 27001 certification assures our clients that the work we produce is being executed with rigorous quality processes and security controls in place, demonstrating our commitment to information security.”
Scott Spry, Chief Operating Officer of Phoenix MI
“We embarked on this certification process to ensure we had in place the requisite safeguards to protect our data and our client’s information. While we have always made information security a priority, in applying the ISO 27001 standards we have found tangible benefits in formalizing our data protection processes and the less tangible value of a company culture infused with an even greater level of caution and awareness.”
Wayne Marks, President, Hansa|GCR
“We are very proud of our ISO 27001 certification as it reflects Acuant’s mission of creating trusted transactions by showing our dedication to data privacy and protection of personally identifiable information (PII). As a customer-centric company, we look to establish trust and transparency with our partners and view this certification as part of that ongoing commitment.”
Yossi Zekri, President and CEO, Acuant
“Oracle Life Sciences hears very positive reviews on the quality of work performed and it is attributed being ISO certified as the company and all teams follow best practices from ISO 20252 standard.”
Angelina Yatsenko, Quality Manager



    Call Juliana Wood at 202-370-6318 for more information about CIRQ.

    CIRQ is a non-profit entity formed to provide audit and certification services globally to research firms in order to assess their compliance with ISO 20252:2019 and ISO/IEC 27001:2013 / ISO/IEC 27001:2022 and make a determination regarding certification.

    For More Information Contact: 

    Juliana Wood
    Director of Certifications / CIRQ

    Go to Top