There is no single agreed definition of what a Security Operations Centre (SOC) is. A SOC or internal CSIRT monitors, protects, defends and, more generally, manages the cybersecurity risks to an organisation's business activities. A SOC typically provides routine services including incident detection and analysis, and the monitoring and maintenance of security response systems. The centre is managed by a chief security officer (CSO) or a chief information security officer (CISO).
In building a SOC, an organisation should start small and grow in a controlled manner towards a fully fledged SOC. At the beginning, the emphasis should be on gaining experience in monitoring log data from a select number of infrastructure or middleware components, registering incidents using the right tools, generating periodic reports and recording lessons learned. Staff should participate in the relevant meetings within the organisation. An information security policy approved by management is essential for the operation of a SOC.
Compliance with, or certification against, the ISO/IEC 27001 standard demonstrates the quality and effectiveness of the organisation's information security policies, procedures and controls. This standard can be used to support the functioning of the SOC.