SOC2 and ISO27001 are just the conversations starters. Companies that take security seriously will send you a questionnaire like OPs. It's commonly referred to as a Vendor Security Assessment (VSA).

Source: I worked on compliance management software for a while and VSAs were a major pain point for our customers (small to mid market companies trying to sell to enterprises).