Once all the requirements of ISO/IEC 27001 have been met, you can apply for an external audit. This should be carried out by a third party, an accredited certification body. In the UK, the body should be accredited by UKAS (look for the 'crown and tick' logo).
The chosen certification body will firstly review relevant documentation. This should include the declared policy, scope of the ISMS, documents covering the risk assessment, risk treatment plan, Statement of Applicability and documented security procedures. The auditors will also be checking that you have identified and implemented the controls that are appropriate to your size and type of business. This process is normally carried out at your premises, as this is the best option for both parties.
This is followed at a later date by a full on-site audit to ensure that working practices observe these procedures and stated objectives, and that appropriate records are kept.
After a successful audit, a certificate of registration to ISO/IEC 27001 will be issued. There will then be surveillance visits (usually once or twice a year) to ensure that the system continues to work.
