After you are done implementing Instant 27001, you are ready for certification by an accredited certification body (sometimes called a registrar).
Finding a certification body
On the web site of the International Accreditation Forum (IAF), you can find your local accreditation organization. They should be able to help you further, often by publishing a list of the certification bodies that hold their accreditation.
For our most active markets, the accreditation organizations are listed here:
|Country|Accreditation organization|
|---|---|
|Netherlands|Raad voor Accreditatie (RvA)|
|Belgium|Belgische Accreditatie Instelling (BELAC)|
|Germany|Deutsche Akkreditierungsstelle (DAkkS)|
|Switzerland|Swiss Accreditation Service (SAS)|
|Spain|Entidad Nacional de Acreditacion (ENAC)|
|United Kingdom|United Kingdom Accreditation Service (UKAS)|
|United States|ANSI National Accreditation Board (ANAB)|
|United States (2)|International Accreditation Service (IAS)|
|Canada|Canadian International Accreditation Services (CIAS-BAR)|
|Canada (2)|Standards Council of Canada (SCC)|
|Australia and New Zealand|Joint Accreditation System of Australia and New Zealand (JAS-ANZ)|
As you will see, most countries have dozens of certification bodies to choose from, so there will always be one that you feel comfortable with.
The certification process
Once you have contracted a certification body, they will assign you an auditor or audit team and plan the audit days.
An initial certification audit consists of two parts, conveniently named stage 1 and stage 2.
Stage 1 is also dubbed the documentation review: the auditor takes a look at the documentation (risk analysis, policies and procedures) to estimate whether you are ready to undergo the second part.
Stage 2 is sometimes called an implementation audit. It consists of a series of interviews with representatives of the different departments (management, HR, IT, development, operations, …) to make sure they understand their responsibilities when it comes to information security.