1. Is there an ISO certification we should look at?
Please note that ISO certifications are not mandatory by themselves, although some countries have established laws and regulations that are easier to fulfill by adopting them, and an increasing number of customers prefer ISO-certified organizations as suppliers because they consider such organizations more capable of helping them.
Considering that, you need to evaluate your legal environment and customers’ profile to see if an ISO certification is interesting to you.
Broadly speaking, IT Managed Service Providers should consider the following certifications:
ISO 20000: related to the management of IT services
ISO 27001: related to the management of information security
ISO 9001: related to quality management
These standards share many common requirements, so you can implement them in an integrated way.
These articles will provide you with further explanation of ISO standards:
2. What would be involved to get certified and what sort of costs would we expect?
After the implementation of the documents and controls required by the specific standard, you need to make sure that everyone in the company is complying with the documents, i.e., performing all the activities prescribed there. After that, you can work on selecting your certification body.
Regarding costs, without detailed information about the certification scope it is not possible to give you a precise answer, but broadly speaking, what I can tell you is that these are some cost issues you should consider: