by seanhunter
653 days ago
I don't know, but search for "SaaS vendor due diligence" and you should find a bunch of stuff. Every big corp where I've been in the approval seat has had a different process, so it's not standardized for sure, but generally the basic process is: the vendor sends out the questionnaire as an Excel sheet and provides a Box folder or something to dump the evidence in, and then there are a couple of Zoom calls to talk through any questions or concerns. There are certification-type things like ISO 27001 and ISAE 3402[1], and although they make this process easier, because you rip the bandaid off and take all the pain in one hit, I wouldn't recommend a startup go for those right away[2].

[1] https://isae3402.co.uk/isae-3402-and-iso-27001

[2] Going for them will suck up a lot of energy, focus and time, and you can't really tell which ones your clients are going to ask for, in what order, so there is the danger that you get the priorities wrong, which would be a bad mistake in the early stage of a SaaS startup. So what I would recommend is you read through those, and whatever NIST guidelines and stuff like that, and bear them in mind as you build your product. Then start researching who you will get to do your ISAE/ISO 27001/SOC 1/SOC 2 audit when you need one. Then, when the first client says "have you got ISAE 3402?" (or whichever other one), you say "we're working towards it" (which is true), and as soon as you get off the call with your client, call your preferred audit vendor and start the process. "We're working towards it" is an acceptable answer for most big corps because they know the process is slow (IIRC it takes a minimum of 6 months for any of those, because you have to demonstrate the process over time) and they are slow anyway, so they don't mind it taking a minute for you to get it done. Then, once you have one, the next time a client asks you for that one you have it, and if they ask you for a different one you say "we have <x> already and are working towards <y>", and rinse and repeat.
It's going to be easier this time because you'll be able to repurpose some of the stuff you produced for the first one for the second, and so on.