Certification for services

Answer:

ISO 27001 cannot be used to certify products and services, but to certify the processes that support them (e.g. e-mail administration and operation processes).

After getting support for your project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control, the steps for ISO 27001 implementation you should consider are:
1) defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
2) development of risk assessment and treatment methodology;
3) perform risk assessment and define the risk treatment plan;
4) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
5) people training and awareness;
6) controls operation;
7) performance monitoring and measurement;
8) perform internal audit;
9) perform management critical review; and
10) address nonconformities, corrective actions and opport unities for improvement.

During this process you can select and hire the certification body to perform the certification audit.

These articles will provide you further explanation about ISMS implementation and certification:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
- ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/