Expert Advice Community


Question about ISO 27001 and ISO 22301

Guest user. Created: Feb 01, 2022. Last commented: Feb 01, 2022.

Hope you are keeping well. I have a question about how we approach ISO 27001 and 22301 in relation to our (potential) customers. As you may recall, we are a start-up company with no contractual arrangements with our current clients. Currently we have a number of customers using our AI product in Proof of Concept projects. The aim is, once they are happy with the PoC, to move on to a large project(s) where we will formalize the relationship by selling our products and services to the customers. Now to ISO ... As we have no contracts with customers currently, the plan for both ISO 27001 and 22301 is to cover just our company’s Security standards and Business Continuity needs, so that we obtain certification for ourselves. As and when we sign a Customer, we will then modify all relevant ISO processes to include the Customer’s security and Service availability requirements, and so on. Is this the correct approach? Or do we need a customer? And if so, why?

Expert
Rhand Leal Feb 01, 2022

Implementing ISO 27001 and ISO 22301 considering only internal needs is acceptable for certification purposes. In this case, the “customers” can be some of the organization’s own internal departments (e.g., Projects department as a customer of IT department, Accounting department as a customer of the Sales department, etc.).

Later, when and if you identify the need, you can expand the certification scope to cover the organization’s Customer’s security and Service availability requirements.

These articles will provide you with further explanation about the scope definition and interested parties:
