by tptacek 1695 days ago
I think for a lot of startups this is mostly not true at all, and that you can get a pretty long way without doing SOC2. I think for most startups there's basically no sales value to 27001 at all, and I would be wary of anyone giving advice suggesting anyone should do a 27001 preemptively, rather than to close a 7 figure pilot or something where the deal will pay for the cert drama.
1 comment

You are correct; in many ways, even SOC2 is not a desirable investment for young companies. You can do 5-figure deals with Fortune 500 companies without it, but the process of closing that deal will require a lot more work. Maybe a good time to start investing in SOC2 or ISO certification is when you have multiple large deals with enterprises in your sales pipe. Before that, running a small security program (annual pentest, security awareness training) and communicating that via security questionnaires will get you your first deals.