
Comment by rozumbrada

5 hours ago

Not possible in case your clients are not stupid. Any company with SOC2 and <5 people is a red flag.

You might find auditors that would go along but any reasonable client will check your SOC2 report and quality of your auditors.

SOC2 requires tons of paperwork and management and separation of duties with also mandatory roles in your company - never feasible in a one man show.

I've seen a small company do a SOC2 where the "CEO" seems to be the only actual employee.

It's a lot of paperwork, but it is supposed to scale for company size, so you could dispense with a lot of the separation if the CEO accepts risks and perhaps relies on a fair amount of external systems that are already certified and has some contractors for specific tasks etc.

So that means that solo-entrepreneurs can't sell apps to big enterprises due to SOC2 limitations? I think that it is not fair.

  • It’s a disadvantage for sure but not usually a blocker.

    They often have security questionnaires you can complete instead. Or, as part of signing with them, you can promise to get SOC2 by x date (which will hopefully be easier with the funds from an enterprise contract).

    I’d recommend looking online at some example security questionnaires or the types of things SOC2 covers and writing an internal security doc for yourself so you know your position on everything and don’t have to scramble when it comes to it.

  • You can. It just means that the customer has to do the proper analyses and risk evaluation for their own SOC2 (or ISO 27001 or whatever) certification.

    Just focus on providing a good value application and be frank about what you do, why you can't get certification for something like that, but that you can answer any questions they might have for their own certification process.

    If the potential customer makes 'has SOC2' a requirement, then that is not a customer for you, in the same way that 'has more than 20 employees' rules you out.

  • Like it or not, having a bus factor of 1 is a pretty big risk. You are a giant single-point-of-failure, which means that operations-wise you are a far riskier option to your customers than a significantly larger competitor.