What ISO Certification Can and Cannot Do for your Organization
by Juliana Wood - Juliana is Managing Director of CIRQ (the Certification Institute for Research Quality), a subsidiary of the Insights Association that provides audit and certification services to market research firms seeking certification to ISO 20252 and ISO 27001.
Over the years, I have received countless calls and emails from CEOs, COOs, quality and compliance managers, and generally interested industry professionals who all ask a version of the same question, “What can an ISO certification do for my company?” Inherent in that question is another, but one that doesn’t get asked as often, “Is there something that certification to an ISO standard cannot do for my company?”
Before I share the answers to these two burning questions, a bit of background... The global market research standard, ISO 20252, has been around for almost 30 years, and grew out of a need for the insights and data analytics industry to have a body of accepted best practices specific to the research process. It has been developed by industry professionals and stakeholders – researchers, academics, association professionals, audit and certification representatives, and provider-side companies – who all work together on an ISO technical committee (TC 225) to manage the standard’s updates and engagement across the globe.
In concert with the market research-specific work addressed in ISO 20252, data privacy has become of critical importance to the industry, especially with the publication of the GDPR and other regulations like the CCPA, as well as the growing list of country and state-level privacy laws. Clients want to be assured that their data subjects’ information is protected to the highest degree, and with that, ISO 27001 has gained wide popularity. The standard itself is agnostic of industry, meaning it focuses on a risk-based approach to data privacy and is not specific to market research.
With that, here’s what an ISO certification CAN do for your organization:
Build credibility and trust. Certification to these two specific ISO standards signals to customers, partners, and regulators that your organization meets internationally recognized standards. It's a third-party endorsement of your processes.
Remember this fun fact! ISO does not certify. ISO convenes experts for standards development. Certification bodies certify, so make sure to look for those that are accredited by their national standards body – like CIRQ!
Improve internal processes. The certification process forces organizations to document, standardize, and review workflows, which often surfaces inefficiencies and gaps that weren't visible before. Formal processes create transparency and trust, and fraud or breaches are much less likely to occur when transparency is present.
“ISO 20252 certification has many benefits, but I would especially call out the visibility and credibility it gives us with prospective clients, the discipline it brings to project execution, and the role it plays in helping ensure consistent quality from our data collection partners,” said Sanjeev Dixit, Vice President, Reason Research. “Many of our clients ask us to complete quality and IT/cybersecurity questionnaires, and I rely heavily on our research process management documents to answer these questions much more efficiently than I could have without them. It also makes a strong statement to be able to say “yes” when asked whether we carry an independent, third-party quality certification.”
Open market access. Many industries, governments, and large corporations require certification to an ISO standard as a prerequisite to doing business. It can be a literal door-opener for contracts and provide a competitive edge when seeking new business.
Reduce errors and risk. ISO 20252 and ISO 27001 create systematic controls that reduce the likelihood of mistakes, breaches, or failures. Through the implementation of requirements, these standards help create a transparency of processes so that when failure happens, mitigation and remediation can be traced to a direct source and corrected.
“ISO 27001 certification mattered to us because it formalized how we protect critical information and gave our clients added confidence in our controls,” said Matt Benard, VP Governance, Risk, & Compliance at Escalent. “It aligned the whole organization around security, accountability, and continuous improvement.”
Support continuous improvement. These two specific standards include built-in cycles of review and corrective action through the internal audit process, pushing organizations to improve over time rather than stall and wait for an annual external audit.
Provide a common language. Across global supply chains, ISO standards give partners and suppliers a shared framework for quality, safety, and compatibility expectations.
Here’s what an ISO certification CANNOT do for your organization:
Guarantee product or service quality. Certification means your processes conform to a standard — not that your client report or project or other output is actually good. A company can be ISO 20252 or ISO 27001 certified and still produce mediocre products if those processes aren’t developed or matured or consistently followed.
“As a Chief Compliance Officer with experience across multiple segments of the research supply chain — agency, sponsor, analytics, and panel — the questions I encounter most consistently are: 'How good is good enough?' 'How can I trust my partners and vendors?' and 'How do we demonstrate our credibility to clients?'” says Jessica Santos, PhD, AIGP, Chief Compliance & Privacy Officer at Konovo. “The answer to all three? ISO certification. ISO standards are not a legal requirement, nor do they offer absolute guarantees — but they represent a rigorous, globally recognized industry benchmark backed by independent, third-party verification. For any organization serious about quality and accountability, the value is undeniable.”
Replace competence or good judgment. No certification substitutes for skilled people making sound decisions. Documentation and audits don't make up for a poorly trained or mismanaged workforce.
Prevent all failures or incidents. ISO 20252 doesn’t provide 100% data quality, and ISO 27001 doesn't make your company unhackable. The goal is a notable reduction in fraud and/or data breaches so that the best practices and requirements of the standard(s) become second nature within the organization.
Said David Rothstein, CEO, RTi Research, “We pursued ISO 27001 certification because we believed it was important to provide our employees, clients, and research participants with confidence that information security and data protection are embedded in how we operate. Of course, certification doesn’t eliminate every risk, but it does provide a disciplined framework that helps us strengthen processes, foster accountability, and continuously improve. Ultimately, it reinforces the trust that is essential to successful research partnerships with both clients and participants.”
Automatically satisfy legal or regulatory compliance. Certification to these ISO standards and legal requirements can often overlap, but certification to a standard is not the same as legal compliance. You will likely need both to comply with your state/country/regional requirements to do business.
Sustain itself without ongoing commitment. Don’t "get the certificate" and then let the real practices slip! Certification becomes hollow without genuine, ongoing engagement with the standard, continual process improvement, and ongoing annual internal and external audits.
Cure organizational culture problems. If leadership doesn't genuinely support the standard's principles, the certification becomes a paper exercise. Leadership support and buy-in are critical to ongoing success because adoption of an ISO standard is effectively a cultural shift for an organization. Adoption of the best practices contained in an ISO standard becomes core to the organization’s success.
Apply uniformly across all contexts. Standards are generic by design. They require interpretation and adaptation, and both ISO 20252 and ISO 27001 can be scaled to fit anything from a two-person research firm to a global and diverse full-service organization.
Remember…
Certifications to industry-relevant standards like ISO 20252 and ISO 27001 are tools. Implemented thoughtfully and adopted seriously, they can drive real improvements and open doors to new opportunities and new business.
I’m happy to answer specific questions you may have and detail the steps required to obtain ISO certification – please reach out!
Juliana Wood is the Managing Director of CIRQ, the Certification Institute for Research Quality, where she oversees a team of auditors and technical experts, and an ever-expanding list of certified global clients representing the market research, data analytics, finance and software development industries. She also manages CIRQ’s dual ANAB accreditations, successfully achieved ANSI membership for the Insights Association in early 2026, which allows for U.S. voting representation for matters pertaining to ISO 20252, and serves as the Secretariat for the U.S. Technical Advisory Group for the ISO TC 225.