Getting ISO 27001 certification is not necessarily complicated or very expensive. It needs time, effort and the support of senior management. You also need attention to detail and proper documentation and forms.
Senior manager(s) need to be behind the decision for ISO 27000 implementation and support it in each and every step.
The scope of the implementation should be defined, along with its operational and functional boundaries.
Like ISO 9000, ISO 27000 needs comprehensive documentation in order to address all applicable milestones and administrative, technical, and physical controls/safeguards. These documents will be used to check whether or not the organization meets ISO 27000 requirements. They consist of a policy (or set of policies) and its related documented procedures and guidelines, which ensure the business adheres to ISO requirements in an efficient and achievable way. The ISO 27002 standard is a huge help in preparing such documentation, but it is not necessary to select the controls/safeguards from the ISO 27002 text.
At least 15 different documents are required for ISO/IEC 27001:2013:
Auditors will check that the above-mentioned documentation is present, up-to-date and fits the ISMS scope defined in step 1.
By applying gap analysis, a comparison of actual performance with the desired performance and documentation, it is time to make sure that the company is following all procedures and guidelines. It is better to conduct a pre-assessment in order to make sure that the organization is on the right track. A pre-assessment can be conducted using pre-assessment forms, gathering evidence and filling in checklists. Another key to a successful realization step is to communicate with all employees about the processes in place, the need to adopt them fully, and the need to report back on all discrepancies.
An experienced (or certified) internal or external auditor is needed for this step, along with audit tools such as forms and checklists.
ISO itself does not perform certification for ISO 27001. Certification bodies like SGS, TÜV Rheinland or BSI can do the audit and issue the certificate for you. The certificates are usually valid for 3 years.
To keep the ISMS working, the organization should integrate it into daily operations. Continual improvement and change management are the other essential parts of this ongoing step.