[pschneidr]

ISO 27001 and SOC2 are both very valuable ways to communicate your security posture to external partners and customers. Like others have mentioned this will allow you to close deals quicker and prevent a more costly outcome by navigating security reviews more quickly. Source of info: friends at https://pentestiq.com and https://vanta.com that handle security/compliance for many startups.

[tptacek]

I think for a lot of startups this is mostly not true at all, and that you can get a pretty long way without doing SOC2. I think for most startups there's basically no sales value to 27001 at all, and I would be wary of anyone giving advice suggesting anyone should do a 27001 preemptively, rather than to close a 7 figure pilot or something where the deal will pay for the cert drama.

[pschneidr]

You are correct, in many ways even SOC2 is not a desirable investment for young companies. You can do 5 figure deals with fortune 500 companies without it but the process of closing that deal will require a lot more work. Maybe a good time to start investing in SOC2 or ISO certification is when you have multiple large deals with enterprises in your sales pipe. Before that, running a small security program (annual pentest, security awareness training) and communicating that via security questionnaires will get you first deals.