I wouldn’t do it. You’re looking at at least US$12k/year (and potentially a whooooooole lot more, especially in the first year) going to the auditors, plus the “operational drag” of having to have all the policies, and then prove you followed the policies, and then prove that you can prove that you followed the policies… and so on. That US$12k is for an absolute bargain-basement, useless-as-wheels-on-a-tree auditor, that’ll do more harm than good. I hate to think what an actually useful auditor would charge.
If your product is actually valuable, I’ll bet that your client will be able to make an exception for you in their procurement process. It’s been my experience that when big companies say, “oh you need to have SOC2/ISO27001/WunderCert2.0”, and you reply, “well, we don’t, and we’re not going to get it”, whatever senior executive lusts for your product will overrule procurement or IT Security or whoever is pushing for it, and you’ll get in without needing it. “No” is a very powerful word.
Also, don’t believe anyone who says that if you’ve got SOC2, you’ll be able to avoid filling out those dire and useless security questionnaires, either. That was one of the touted benefits of getting SOC2 for a place I know of. Before SOC2, the conversation went:
“Are you SOC2 compliant?”
“No.”
“OK, well fill out our security questionnaire then.”
(Sound of head banging on desk for several hours)
After we got SOC2, the conversation now goes:
“Are you SOC2 compliant?”
“Yes! Here is our paperwork about that.”
“Great, now fill out our security questionnaire.”
(Sound of head banging on desk for several hours)
Another touted benefit of SOC2 is that it would encourage the company to tighten up their security, get important policies in place, etc etc. It didn’t. All the actually useful security stuff was already being done, and in a couple of places the auditors had to be educated about how what was being done was better than what they were telling the company they had to do. The rest was just pointless busy work to tick a box.
You have far, far better things to be doing with your time and money, as a small company, than to chase SOC2 compliance. If the customer walks away as a result, consider yourself lucky. Strictly mandating SOC2 compliance from vendors is highly correlated with the mandating organisation being a complete waste of oxygen. The customer that convinced the company I mentioned above to get SOC2 compliant was a massive pain to work with, and then eventually cancelled the contract before the project even went live. I’d say “bullet dodged”, but management decided to stick with maintaining SOC2, in a spectacular demonstration of the power of the sunk cost fallacy. So I guess it’s half a bullet dodged?