I actually looked into those certifications as someone who's considering one day starting a small one-person SaaS company. It seems like both ISO 27001 and SOC 2 can easily cost more than $10,000 to get, even for very small organizations.
That is a dealbreaker. There is precisely 0 value for anyone working at such a small scale in pursuing those certifications: their costs will not only take up a lot of their time, but will probably also exceed their revenue. That said, at that scale it's likely that doing enterprise sales will simply not be possible either, given the long purchase cycles and ample bureaucracy.
It should probably only be a concern at 20 employees or more, when targeting enterprises. Until then, there might as well be fully automated purchasing funnels with no way to "contact sales", and the "enterprise plans" can simply be self-hosted offerings: if any potential clients want to ensure compliance, they can simply buy the source code and a license for X number of cores/instances/whatever, put it on their own fully compliant servers, do code audits, make their own customizations, etc.
Of course, if you don't jump through enough of the bureaucratic hoops put in place by the enterprises, then it's likely that they won't even purchase your code.