Typically this is your B2B infosec audit evolution:
1. No audits/certifications. Stay here until you're losing deals with big-ish companies to the point where it's worth investing $10-20k and ~200 hours into solving this.
2. SOC 2 Type 1. Takes about $10-20k/yr and 200 hours in my experience. If you use a platform like Drata it'll be a bit more money but less effort. This report satisfies a lot of security teams, and you have to get it once per year. The 2nd/3rd time is way less time investment than the first. Stay here until you're losing deals over not having SOC 2 Type 2 / ISO27001.
3. SOC 2 Type 2. Takes about $15-30k/yr. If you've done SOC 2 Type 1 it should only take 80 hours or so to get. Again, platforms like Drata cost more but make this easier.
4. ISO27001. If SOC 2 Type 2 isn't enough for your big enterprise customers to buy, this is the next step. There's a lot of overlap between SOC 2 Type 2 and ISO27001, but ISO27001 definitely introduces some new controls. Drata can help with this as well, but pricing might go up to something more like $50k/yr for SOC 2 Type 2 + ISO27001.
If your company's very first sales will be enterprise deals, you may need to get SOC 2 Type 1/2 from the beginning. If you're starting out with SMB and eventually moving upstream, you could probably wait a few years before getting SOC 2 Type 1/2.
If a customer is asking "do you have ISO27001 certification?", saying "no" to that isn't (necessarily) damning. It might just mean they want you to fill out their security questionnaire. These can be time-consuming, so you can even get around this by filling out a VSA Core once (a standardized questionnaire) and trying to send them that instead of filling out each customer's custom questionnaire.