While SOC covers some aspects of reactive security, it is primarily a proactive cybersecurity unit, aimed at threat detection and early prevention, rather than remediation post-attack.

Respectively, you need to understand where your company stands security-wise before working out the optimal contingency plan. This entails conducting an in-depth IT architecture assessment and formalizing:

Which critical IT infrastructure protection scenario should be implemented?
What baseline event monitoring and logging practices have to be in place?
How should a reactive cybersecurity response plan be executed?
What threat detection, prevention, and monitoring capabilities do you require?
Additionally, as per ETSI recommendations, it is worth separately determining:

Target of Measurement (TOM) — the minimum part of infrastructure that should be continuously monitored to ensure operational security.
Security Assurance View (SAV) — a detailed representation of the measurement results (i.e., how the information on operational security assurance will be reported).
These two metrics should help you create common ground for confidence among all security teams and standardize reporting and communication on security incidents.

Create a List of Requirements for SOC Operations
Having identified the security jobs to be done, you need to translate these into specific functions your SOC team will take on.

More info: cts certification