*Plenty of successful firms don't have SOC2s. If you're losing sales where SOC2 is a factor, you didn't have those sales to begin with.*
We do have ISO27k1, and we had a "customer/prospect for more" who has a person that requires us to be "DORA compliant". It is just an excuse, I know, because we don't fall under DORA (they might be clueless about how it works; that's the other explanation). They do fall under DORA, so they need to make sure they check that their suppliers basically have ISO27k1 and are following what we wrote in the ISO27k1 documentation.
We got away with not having ISO27k1 for years (filling in forms and proving we are doing good to people that care; I did have to go and talk with CISOs so they trust that I care about stuff), but not since 2025 in Europe. I firmly believe that if we hadn't done ISO27k1 last year, people would just stop talking to us, based on feedback I got from business people (excluding the pure "let's make an excuse" case I wrote about above).
This said, I am not arguing against what tptacek wrote, as he is way more experienced than I am; I'm just stating my experience, which is also a decade in SaaS. I am working for a company that has between 20 and 30 employees, so it also makes sense to be ISO27k certified. We deliver B2B to big companies.