I would repeat user Aaronstotle's comment that smaller teams are likely not the right audience for these levels of compliance.
When it does become a concern, I think this post [0] put out by Latacora (no affiliation) is a great starting guide, although it is bent towards SOC 2 compliance. All of the items they mention are concrete wins for the business from a compliance/security perspective. The process of implementing just a few can help you better realize if your business is going to be able to muster the time and effort needed to continually work towards these standards, or if the business value isn't there yet.
When it does become a concern, I think this post [0] put out by Latacora (no affiliation) is a great starting guide, although it is bent towards SOC 2 compliance. All of the items they mention are concrete wins for the business from a compliance/security perspective. The process of implementing just a few can help you better realize if your business is going to be able to muster the time and effort needed to continually work towards these standards, or if the business value isn't there yet.
[0] https://latacora.micro.blog/2020/03/12/the-soc-starting.html