Returning customers: To access ISO tools that you have previously purchased, click here to login.
|
User Login
Login to access CASRO
product downloads
|
|
FAQs
Frequently Asked Questions about Certifying to ISO 20252 and 26362:
ABOUT ISO STANDARDS:
How often is the ISO Standard updated and changed?
|
The ISO Standard [and clauses] is currently (2010 and 2011) under review. Once a Standard is released it is usually reviewed within the first 3 years and again each subsequent 3 years. Changes are usually minimal although the changes to this current review may be more extensive as it will reference the ISO 26362 Standard [Access Panel Management].The review process itself usually takes 18 months to 2 years and then there is a lag time before the revised standard is published - consider the whole process at least 2 - 2.5 years from time of commencement which brings it closer to 5 + years in all. The ISO wheels grind slowly.
|
TYPES OF CERTIFICATION:
PREPARING FOR CERTIFICATION:
What is the difference between processes, procedures, documents and records?
| A RECORD is either a document or data that cannot be changed, it represents a finite point, and it is permanent and historical. e.g. a training record, a completed questionnaire, a completed and closed off contract, a completed project, a paid invoice, etc. PROCESSES, PROCEDURES and DOCUMENTS are information that is changing and/or changeable while remaining under a control mechanism that allows for traceability; e.g. A documented process or procedure can be changed and updated as necessary but should have a form of document control such as date or revision status that shows the changes that have occurred. A contract is a live document until the contract is completed. While the contract is ongoing it can be amended as long as the amendments are traceable. Once it is completed and signed it becomes a Record. A blank template is a document and is in effect the master. Once it has information in it, it becomes a document until such time as the form (or template) is completed and then it becomes a record.
|
How do I start the self-assessment?
It is a lot of work but this document forms the basis on which the company's pre-assessment to the ISO Standard is judged by CIRQ so it is important to get it right.
Take a systematic approach to the document:
- Go through the standard and read it before opening the self assessment tool
- Highlight the following words in varying colors (for reference) in the copy of your ISO Standard: "shall", "procedure", "record", "document"
- The Self Assessment tool mirrors the ISO Standard. Now, refer back to the marked up ISO Standard for each clause to explain what is needed in that section.
- Leave Section 3 of the ISO Standard and equivalent Self Assessment Section until last as it is the most complex.
- Complete Section 4 first and then follow with all other sections. Identify what you have in relation to the requirement and type it into the space/box available. Self assessment comments can be and should be brief.
- A good approach is to disseminate the appropriate sections to the relevant department and request them to complete the information.
- Lastly the Quality Manager should review and fine tune the responses and complete Section 3.
|
What if I can't answer some of the questions in the self-assessment form?
You must do so to the best of your ability according to your scope. Try to not leave sections blank as the document will be returned to you for completion. If you have difficulties, there are various support services available via CASRO and CIRQ. Check the CASRO and CIRQ websites for:
- List of consultants that can provide one on one support
- CASRO ISO Implementation tools including templates and forms
- Webinars and Workshops offered by CASRO or CIRQ
- One-on-one sessions with a CIRQ representative to review where you stand
- How to Schedule an on-site Gap Assessment
- List of consultants that can provide one on one support
Note: If the scope of your system does not include some section of the Standard, simply write "Not Applicable". However, do not write "Not Applicable" simply because you are not following a process that is addressed within the ISO Standard.
Note: Section 3 of the ISO standard is by far the most difficult to complete so you may wish to leave this section to complete last. You may want to consider involving senior management and/or your HR people in completing Section 3. Also note that in Section 3, the only clause that may be "Not Applicable" is the clause referring to Subcontracting and outsourcing - all other clauses of this section are always applicable.
|
If I Find the Self-Assessment to be difficult, what are my options?
|
You may find it helpful to follow up your work on the Self-Assessment with a CIRQ Gap Assessment which can indicate what is still required to achieve certification. You would still need to complete as much of the Self-Assessment as possible, involving appropriate departments and then schedule this Gap Assessment with CIRQ. This Gap Assessment essentially is an on-site Pre-Assessment (the next step in the certification process) and is completed by a CIRQ auditor(s). The cost of this will be more than the standard Pre-Assessment since it is done on-site and therefore will take longer and have travel expense associated with it. You may also find it useful to hire a consultant to support you at the Self-Assessment stage and provide guidance on how to fill the gaps. You should also use the expertise of in house staff where practical. For instance, the person in the company who manages the computers and software issues could complete the sections relating to back-ups, data security, etc.
|
What is the difference between the Self-Assessment and the Pre-Assessment?
|
They essentially contain the same information; however the Self-Assessment is completed first by the company seeking certification. When that is submitted to CIRQ, CIRQ assigns an auditor who then completes the Pre-Assessment based on a review of the Self-Assessment and on any documents that the company was required to submit along with the Self-Assessment, like their Quality Manual. CIRQ then prepares a Pre-Assessment Report for the client recommending whether or not they appear to be ready for the initial on-site audit.
|
How do I know if my company is ready for the audit?
|
First your quality system must be completely documented and have been in place for at least 3 months so that you have RECORDS or EVIDENCE to demonstrate your compliance with the ISO standard to which you wish to be certified. At least some of these RECORDS or EVIDENCE must be available for closed projects. Then when you have completed all sections of the Self-Assessment form you should submit it to CIRQ for a Pre-Assessment, which CIRQ will conduct. Before you submit the Self-Assessment, review it to ensure you have the required DOCUMENTATION, and the RECORDS or EVIDENCE for every clause where it is required. This is your true indication of whether you are ready for a certification audit. A CIRQ auditor will conduct a Pre-Assessment review against your Self-Assessment and let you know if your company appears to be ready for audit, or not. And if not, the Pre-Assessment report will indicate why.
|
How long do procedures have to be in place and operational before ISO Certification can occur?
|
The answer is 3 months. Usually when you decide to put in place an ISO system, 60 - 70% of required processes are already documented and only need minor changes in order to comply. The minor changes need to be tested for about 3 months. Any new process should also be in place for about 3 months. Should you change or revise processes after that time you need not wait a further 3 months as the bulk [about 95%] of the system is now in place and tested. Take into account though, that over a 3 month span, at least one project, preferably more, should experience the completed ISO system from start to completion so there is a completed project for the Auditor to audit.
|
For how long does a company have to follow the standard prior to audit?
|
At least the company's core processes, which make up their Quality System, should be proven with required evidence available for audit for a 3 month period prior to undertaking a certification audit. All core processes, such as proposal, report, body of the job, i.e., data collection, coding, analysis, should have a 3 month history with several completed projects having worked through the entire system from proposal to reporting for an audit to take place. An auditor requires evidence; a documented process that has not been fully enacted cannot be audited and therefore, you would not be ready for certification. However a process that is only just recently changed but 80% of the process history remains intact, would be considered sufficient to continue to audit.
|
Though the amount of time to become ISO certified will vary drastically from company to company what is the estimate for how long it will usually take to prepare for certification?
There is really no such thing as a typical certification period. Because the amount of existing documentation already in place, compliance with this and the culture of the organization is unknown, estimating time to certification is not possible. However, regardless of how large or small your company is, and the scope of your business, you cannot go from start to finish in under 3 months as you need records of 3 months compliance for certification. At the other end of the scale, a program that achieves certification in no longer than 6 months is ideal. Past the 6 month point the journey is too long and you will experience either complacency or resistance. Once committed to implementing the standard (s), it is ideal to have a goal of completing the process in 6 months.
So in general:
- Understand the minimum requirements of the Standard - then develop the policy manual and procedures (2 months)
- Introduce the processes into the company. Let the processes run for a month or two (1 - 2 months)
- Internally audit the processes to see who has used them, who has ignored them in the hope they will go away [and you with it] and whether the procedures are appropriate and processes compliant (2 weeks)
- Now update processes, deal with those who have not yet started the process, and wait another 2 months - then re-audit.
- Give it another month and you are ready for certification. EASY!
|
SCOPE OF CERTIFICATION:
What does "scope of certification" mean?
The scope of certification is a description of the service (or product) provided by your company to your clients. As ISO 20252 and 26362 are considered product or industry standards, a company cannot exclude any part of the services they provide simply because they do not wish to certify that part of their business. For instance, a company cannot exclude the data collection processes if they provide those processes, in house, as part of their client services. This scope must also declare the geographies in which the company produces and provides their services, but in this instance can exclude some (minor) geographic locations. For instance, if a company works primarily in the USA but has a data collection facility in Japan, and does not wish to include the Japanese operations in the scope of certification, then the scope needs to indicate this e.g. ABC Company's certification includes all operations within the USA only. And the scope would also indicate if your company is requesting an exclusion to any clause of the standard, because it does not apply to your company. For example if your company only performs qualitative research, then you might claim an exclusion to the clauses that pertain to the collection and reporting of quantitative research. So in essence, a scope statement must include:
- A description of the total services you provide to a client
- The geographic area in which those services are produced and provided
- Any exclusions that may apply
|
Who develops scope of certification?
The company develops its own scope of certification against the services (or products) the business delivers and CIRQ confirms the scope meets the requirements of the ISO Standard/s against the company profile. Your scope should be developed according to your business structure as they relate to the ISO standard/s. CIRQ shall validate the scope and assist with any clarifications as and if required. Section 3 of ISO 20252 addresses the requirements of the scope. Examples of some typical scope statements follow:
Example 1 - XYZ is a full service market, opinion and social research company headquartered in Chicago. We conduct both quantitative and qualitative research throughout North America and operate our own data collection services in Chicago and New York City, where we also have specialist laboratories for eye tracking projects.
We offer a full array of project management capabilities, which include projects such as product/service optimization, customer satisfaction and performance evaluations, marketing communications evaluations, and brand health and positioning studies.
Our clients include both government and non-government organizations and cover a range of sectors including healthcare, education, social welfare and community services, and transportation.
Example 2 - ABC is a North American data collection provider headquartered in Philadelphia, with offices in New York, Boston, Philadelphia, Toronto and Montreal. We provide qualitative and quantitative data collection services to both domestic and international clients involving both consumer and business-to-business respondents.
- Our Consumer projects include: focus group interviews, in-depth interviews, clinics or central location tests, ethnographic interviews, and in-home use tests.
- Our Business to Business projects include: Face to face interviews, focus groups, and tri - ads
- We survey respondents in a wide range of industries including finance, telecommunications, manufacturing, medical, and pharmaceutical organizations; and from a range of company sizes on the Business-to-Business side(Sizes of organizations range from small businesses to the top 1000 listed corporations.) Respondents are either cold called, contacted from client lists, or from panels we purchase.
|
Do we have to include all of our services in the Scope of Certification?
|
Basically the answer is YES, all services related to the market, opinion and social research product(s) you provide should be included. That said, you can consider an 80/20% rule. If 80% of your business consists of certain services provided to your clients, then this is the general scope of your business. Subcontracted work is considered under another part of the standard and not included in the scope of certification. The 20% of your business remaining may include specific projects for a particular client or clients that are not your normal market research offering.. These projects could be left out of the scope of work as long as they do not grow to represent more than approximately 20% of your business. Additionally, some market research companies provide other services such as strategic planning that do not have a direct market research function. This work does not fit within the bounds of ISO 20252 or 26362 and therefore should not be included in the scope of work.
|
By the 80/20 rule, does this mean that if we survey children rarely/less than 20% of the time, it would not have to be included in the scope?
Unfortunately no. The 80/20 rule is a general determination [rule of thumb] of how to interpret the scope of your quality system and is an indicator of the general nature of research services provided to clients. In using the 80/20 rule focus on methodologies rather than a select group of individuals [sample group]. If you provided various services/methodologies that were undertaken once or twice a year for one or two projects then this could fit within the 80/20 concept.
There would rarely be a situation where interviewing children would constitute the bulk of a business and they are not so much a methodology as a sample group. Given the sensitivity and risks associated with interviewing children this process needs to be included in the scope of work when it is undertaken even if it is seldom.
|
Can the audit Scope of Certification change?
Yes, and it often does. But when it does, CIRQ must be notified and CIRQ shall validate the revised scope of certification. The scope may change when:
- A company merges with another company
- New offices are opened (or existing offices closed)
- New services are provided
- The business expands overseas
- Additional expertise is acquired within the business
Note: CIRQ must be informed if you wish to change the scope or if the structure of your organization changes. This may impact your audit process and the audit program may need to be adjusted. It is always in the best interest of a company to keep their scope statement current and to keep it as full a statement as possible. Therefore, always inform CIRQ as soon as you believe the scope of your certification could or should change.
|
If a company operates in several countries, can they be certified in just one country?
|
Yes, as long as they address all of the core processes covered by the scope of business within that country. If for instance the only data collection function you have is in China, you will need to include China in the scope of services. If you have data collection functions in the US, then you could geographically leave out China in your scope statement.
|
What happens if a company does not want to include all of its geographic locations in its certification?
|
First, locations can only be excluded from the scope if they represent a small portion of the company's operations. And if these locations are actually used to produce part of the service from time to time they would need to be treated as a subcontractor and the clauses within the Standard covering subcontracting would apply. Any locations allowed to be excluded would not be listed on the company's certificate of compliance, nor would they be included in the company's description on the CIRQ website's directory of certified companies.
|
QUESTIONS ABOUT YOUR AUDIT AND THE AUDITOR:
How much will the audit cost?
|
This will depend of the scope of certification including the number of employees and sites to be audited. A tighter cost estimate will be provided to you after the pre-assessment report is completed.
|
From the time I submit my application, how long will it take to be audited?
|
That really depends on the scope of your certification, how prepared you are for the audit and how you progress with the required documentation throughout the certification journey. Once you submit your self-assessment and an auditor conducts the pre-assessment you will have a very good idea of when your audit will be scheduled. Completion of the self-assessment and your evaluation of the evidence you have to show an auditor is the largest task in the process.
|
Can we meet the auditor first?
|
Our auditors have limited availability and are paid according to time worked. While we do not object to you meeting the auditor, there is a cost factor related to the auditor's time and travel that would be charged.
|
Can I pick my auditor?
|
There is no objection to you choosing your own auditor amongst the qualified CIRQ auditors, however, there are rules relating to assigning auditors where there may be a conflict of interest and also auditor availability and experience. Generally Auditors are assigned based on experience and availability factors, location (which impacts audit costs) and conflict of interest, etc. If you would like to discuss this matter please contact CIRQ and your query will be directed to the relevant Director for response.
|
Can I have the same auditor?
|
It is CIRQ's policy to try and maintain the same audit team with a client for a period of 3 years until re-certification is due and then, where practical, a new audit team is appointed. From time to time this may not be possible and in these circumstances you will be informed of changes in advance and the reasons for those changes.
|
What are the criteria for an auditor selection?
We have a list of criteria for auditors when scheduling audits that address:
- Research history - experience and match to the client's services
- Successful completion of formal auditor training based on ISO 19011
- Contractual commitment to CIRQ according to CIRQ procedures
- Geographical location
|
Why does the audit take so long?
|
The audit team will need to leave the audit with a level of confidence that your company consistently complies with the ISO standard. Where this is transparent, the audit may take less time than anticipated. Where this is difficult to determine, the audit can take longer than anticipated. Also initial certification audits take longer than surveillance audits.
|
Can we stay later each day and shorten the audit?
|
Yes you can, if agreed by the audit team. You will however be charged for equivalent full days of audit time. There may also be an option to choose to have two auditors attend each day which will decrease the days needed on site, however this does not reduce the cost of the audit.
|
Why do we need two auditors for 26362?
|
Due to the technical nature of the standard, a technical expert is necessary to insure compliance to ISO 26362. Therefore CIRQ requires the auditor be accompanied by a technical advisor so that two party verification of the system is possible. Audit time will not be extended as a result of having a technical expert participating in addition to the auditor.
|
What does the technical expert do?
|
He/she confirms the client's technical compliance to the ISO Standard. He/she confers with the auditor about the various computer based applications used in the delivery of the company's services to their client. This generally only applies to ISO 26362, but may apply to ISO 20252 when the quality system is totally paperless.
|
What is key to a successful audit in addition to conforming to the standard?
Simple compliance to the Standard against your scope of certification is the answer. However, try this Top 10 Key Success Factor checklist as a good indicator of success:
- What evidence (or records) do you have of top management's support of the quality system? Have they been involved, do they understand the system and do they 'walk the talk' of the system? On the day of audit, a meeting with the CEO or executive management is essential as part of an audit process.
- Is the quality system readily accessible to all those who need it?
- Have all areas of the business that need to use the quality system been part of its development and have they been appropriately trained in the use of the system from their perspective?
- Are records easily traceable? Have all the record requirements of the ISO Standard been addressed?
- Have legal and regulatory matters been appropriately addressed in the quality system, and relevant staff trained and aware of their obligations?
- Have all the 'shalls' in the ISO Standard been addressed?
- Have all the 'procedure's' and 'documents' identified as required in the ISO Standard been addressed?
- How is the integrity of any software or computer system managed considering the level of risk management required to sustain the quality system and integrity of the service delivery to the clients?
- Are responsibilities and authorities clearly delegated throughout the company such that the quality of client service delivery will never be compromised by inexperienced project personnel or lack of cross checking the project work of junior or less experienced staff? What evidence is there?
- Is the system audited, reviewed or periodically checked internally to ensure it is working as expected and that it meets the needs of the company. What evidence is there of these internal checks?
|
What facilities/arrangements are necessary on the day of audit?
On the day of audit, an auditor will need to have sufficient resources to get their job done with as little disruption to the company as possible but also in an efficient and effective manner:
- Please review the Audit Schedule that CIRQ will provide in advance as much as possible to have relevant staff available. Where a person cannot be available please nominate a second person where practical. If staff representatives are not available on the day of audit this sometimes extends an audit length as the scope of the audit must be covered in order for the audit to be completed.
- The audit team will need a private work area, with access to a printer, telephone and WiFi
- If your system has electronically held records and processes are managed electronically, the auditor will need to have access to your electronic systems. Therefore access, including passwords as necessary, may need to be organized in advance.
Also please ensure auditors are made aware of personal facilities such as restrooms, breakrooms, lunch rooms, etc.
|
What level of compliance is required to pass the very first audit, or the initial certification audit?
|
There is no single answer to this question since it comes down to interpretation by the auditor, based on their review of sufficient evidence from at least the previous 3 month period. That said it is almost impossible to be 100% compliant to every process. It is expected that the Core processes would be reasonably embedded into the operations of the company and therefore that there would be at least 90% compliance with these. Core processes would be standard data collection and recruiting processes, validation/verification processes, staff training processes, record keeping processes, etc. Non-core processes are those that are likely to change from time to time and have certain built-in variables, often driven by client preferences. These may be processes dealing with proposals, cost quotations, and client reports where an initial compliance level of 75% would be expected.
|
REQUIRED RECORDS (OR EVIDENCE)
If we are programming a survey or report and during the testing we find some bugs that need to be fixed, do we have to retain every version during the programming/testing/de-bugging process?
|
While the ISO standard does refer to keeping all versions of changes this is not always practical when creating electronic documents such as CATI questionnaires or SPSS reports. With hard copy documents, yes you would retain all versions. But with electronic documents it would be more practical to save each version when a hand-off occurs from one person to the next. So for example, the programmer would keep only the version he/she hands off to a project person for their review. If the project person finds changes that need to be made and it goes back to the programmer for these changes that would create a second version to be saved once the changes were made, and so on. Once you have a final questionnaire and it goes live for a short time and then changes are needed, you would have the first final and then a second revised final, and so on.
|
USE OF SUBCONTRACTORS (OR VENDORS):
Since we outsource 100% of our telephone interviewing, how much of 5.2, 5.3, 5.4 are we required to meet? Are we exempt from these?
|
Since you outsource data collection, you primarily need to focus on clause 3.5 regarding subcontracting and outsourcing and meet the requirements of this section. That exempts you from Section 5 Data Collection. Having said that, you are still obliged to see that your suppliers are meeting the requirements of the ISO Standard which are contained in Section 5. The best way to do this is ask them to supply a Job Summary Report or some equivalent document that indicates to you the various quality controls they have in place. Since you outsource 100% of your data collection (and assuming you may use multiple vendors) you may want to consider developing a standard agreement for use with your suppliers that spells out the quality control procedures you require and perhaps a simple checklist they complete and return to you after each project is completed. If you decide to use this agreement and related form, describe this under section 3.5 as this is your quality control for subcontractors/suppliers.
|
PROPOSAL REQUIREMENTS:
What is the right way to handle the client's approval or acceptance of a proposal, which is a requirement of the standard?
There are a number of ways in which this could be handled.
- The client could actually sign a copy of the proposal and return it for your files. This would then be your requred record.
- 1.They could send an email with a clear reference to the particular proposal in question and give their approval to proceed in the email. This email would then be your required record of the approval.
- 1.They could give their approval verbally to the appropriate member of your organization who would then send an email to the client, referencing the particular proposal, confirming their approval and thanking them for the business. It would also be a good idea to state in this email that the project will proceed as outlined in the particular proposal unless they contact you to discuss amendments. This email sent by your organization to the client then becomes the required record
|
VARIOUS ASPECTS OF PROJECT MANAGEMENT:
Section 4.3 says "Any briefing shall be documented". Can you define what is meant by "briefing"? For example, if we call the client to ask for clarity about something in the RFP, is that a briefing?
|
A briefing is an explanation or overview of what is required of that particular person for a particular job or role they are about to undertake - typically done with the project team at the start of a project or with the data collection operations or subcontractors. It also includes briefings of clients in terms of project planning and progress to give them updates which in a sense is then an opportunity for them to comment, or have some form of input. Calling the client and asking for clarity is not a briefing, as it's simply communicating and clarifying an existing issue - it's simply a conversion. If however, you are asking for their permission to do something or give you the 'go ahead' for something within the project, whilst that is also not necessarily a briefing it is something that you would make a note to file as a project change or risk management issue.
|
CHILDREN IN RESEARCH:
FIELDWORKERS OR DATA COLLECTION:
REPORTING REQUIREMENTS:
QUANTITATIVE RESEARCH:
POST-CERTIFICATION MATTERS:
What are the guidelines for use of the certification mark provided by CIRQ and how does it relate to the scope of certification?
There are strict regulatory controls around the terms of use of the Certification Mark provided by CIRQ once a company is certified to an ISO Standard. The Quality Manual available on the CIRQ website provides full details about these requirements. Briefly, the rules are as follows:
- Once certified and in receipt of the Certificate of Compliance, the use the Certification Mark is limited to the scope of the audit validated by CIRQ -that is, only those services and sites certified can show any claim through the use of the Mark regarding ISO certification status. This means that divisions, parents, subsidiaries, sister companies and other affiliated companies are not permitted to use the CIRQ Certification Mark unless they have individually received certification by CIRQ to one or both of the Standards.
- Certification and subsequent permission to use the CIRQ Certification Mark does NOT mean that companies who are NOT members of CASRO can use the CASRO Logo. CASRO membership and associated rules of use of the CASRO Logo are quite separate from that of CIRQ and the CIRQ Certification Mark.
- The CIRQ name and Certification Mark may not be used in any way to suggest product approval, as they apply only to the certification of the certified company's systems.
- The use of the CIRQ Certification Mark is subject to annual review based on the successful result of the initial certification, subsequent annual surveillance audits, and a re-certification audit.
- CIRQ reserves the right to suspend or withdraw a company's certification if the rules of use are violated in any way.
|
If a company is merged/bought out, etc., does the certification still stand?
|
Yes it will if CIRQ is notified either prior to or at the time the change occurs. CIRQ will request that you submit a management plan, detailing who is now responsible for the quality system, how the scope of certification will change and how the new structure will absorb the quality system sufficiently to maintain certification standards. Refer to Section 3.1 of the 20252 standard called Organization and Responsibilities (this also applies to ISO 26362). Submit to CIRQ the plan for merging the two company's quality systems (or deploying the existing system to the acquired company) so that your company and CIRQ can prepare for an interim audit (if necessary) or for the next surveillance audit [depending on timeframes]. The Plan should be submitted early within the timeframe of change and allow a 6 month transition period prior to the next CIRQ audit in order to confirm compliance. The earlier the notification to CIRQ, the more lead time CIRQ can provide you for any changes necessary in your overall audit schedule. Within 6 months of the change having occurred CIRQ will need to audit the change management functions and random processes to ensure certification continues.
|
|
