Hi Damien. I’ve done this a few times in both large and small enterprises, in heavily regulated environments and not. ISO 27k1 (as an example) can be a massive problem to comply with - but actually, in many ways, the bootstrapper has the advantage here.
First, is it reasonable to expect any business to comply with this stuff? I would personally say, absolutely yes, for a few reasons. Mainly, if you don’t “bake in” security from the start, it’s difficult or impossible to add later - you have to build the discipline in from the start. But also, even at a small scale, you can do massive damage to your customers, and on an individual basis it doesn’t matter what scale the org is - if a customer has their identity stolen, that’s a problem.
On to the solutions. I said earlier bootstrappers have an advantage, and I genuinely think this is true. It’s difficult to be a security expert for sure, but it’s very easy to buy into solutions which have excellent security, and so long as you stick to best practice you’re likely doing better than the big orgs. If you use AWS, for example, the standard of compliance is extremely high. Yes, to do ISO 27k1 you have to have a security process, and a lot of compliance, but if your systems are good that’s actually not hard to do. Auditing is costly, relatively.
There are smaller-scale versions of this. In the UK, we have “Cyber Essentials” or IASME - lighter-weight programmes that still have lots of good stuff in them, plus if you get the accreditation you potentially save on your business insurance etc. If you’re allowing credit card payment for anything, you need to be PCI-DSS compliant (although your compliance requirement here is likely to be very low), and that’s also a lower but useful bar.
It’s difficult to get an outsider in to give you good advice, sadly, but I would definitely take it seriously. I’m happy to help out with any more specific questions.