You don't even need to bother with the encryption and sensitivity levels (your data classification policy can be just that, a policy). The ace move is to roll a set of SOC2 policies that just captures what modern dev teams do anyway; that was the idea behind https://latacora.micro.blog/2020/03/12/the-soc-starting.html.
The right way to think about SOC2 is that it's a ~$15k outlay that will come up when a major customer proposes a P.O. that justifies it, and little else.