It is a huge pain in the ass and I would not do it at your scale. Beyond the money, which is substantial --- even if you're smart about it, you're still going to sink tens of thousands into the stupid report --- it's going to eat months of your brain just to get the process going.
The article does a great job of cutting through all the noise.
Highlighting here because it is relevant: certification is about sales.
I’d only do it once you either:
1) spend much more time filling out questionnaires than the time/investment needed to get certified (note, they’ll still ask you to fill out questionnaires though), or
2) want to go after companies that actually care about this (banking, government). Even then, these will have shortcuts through procurement that will lower requirements (i.e. innovation projects, small ticket items).
"Innovation projects" is how we got past the gatekeeper at our very first client (banking industry). We pitched it as an experimental technology that we wanted to partner with them to build out. No guarantees type of deal made it a lot easier to sell to the board, because we weren't proposing to put any line-of-business on top of it (at first).
Once you have 1 client in your target industry using your product, it is infinitely easier to get a 2nd client (assuming you can use the 1st as a positive reference).
SOC2 seems like an interview-time item if I were to try to put an analogy around it. Once you have a certain reputation and key players trust you, it's a lot easier to navigate around regardless of your specific credentials.