I've seen a small company do a SOC2 where the "CEO" seems to be the only actual employee..

Its a lot of paperwork but it is supposed to scale for company size so you could dismiss with a lot of the separation if the CEO accepts risks and perhaps relies on a fair amount of external systems that are already certified and has some contractors for specific tasks etc.