SOC vs Security Operations: Key Differences for UK Financial Services
SOC vs Security Operations: Understanding the Distinction Under FCA PS21/3
In UK financial services, the terms SOC (Security Operations Centre) and security operations are often conflated, yet they represent distinct operational models with different regulatory implications under FCA PS21/3. A SOC is a centralised, technology-driven hub performing 24/7 monitoring, threat detection, and incident response across infrastructure and applications. Security operations, conversely, encompasses the broader organisational security function—risk governance, compliance, vulnerability management, and strategic oversight. For regulated entities under the Financial Conduct Authority’s operational resilience rules, this distinction directly impacts how you demonstrate compliance with PS21/3’s impact tolerance and important business services (IBS) requirements. Understanding this separation is critical for UK fintech firms and traditional banks seeking to align their security architecture with regulatory expectations.
What is a SOC? Structure, Capabilities, and FCA Relevance
A SOC functions as the operational nerve centre for cybersecurity. It combines people, processes, and technology to detect, investigate, and respond to security incidents in real time.
- 24/7 Monitoring: Continuous surveillance of network traffic, logs, and endpoints using SIEM (Security Information and Event Management) platforms. This aligns with FCA PS21/3’s emphasis on continuous operational monitoring.
- Threat Detection: Deployment of intrusion detection systems (IDS), endpoint detection and response (EDR), and behavioural analytics to identify anomalies or attacks.
- Incident Response: Rapid containment, eradication, and recovery protocols, with documented timelines that satisfy breach notification requirements under UK GDPR and FCA/PRA expectations.
- Tiered SOC Models: UK financial institutions typically operate Tier 1 (alert triage), Tier 2 (investigation and containment), and Tier 3 (threat hunting and forensics). Smaller fintechs may outsource to managed security service providers (MSSPs), which must be contractually aligned to FCA PS21/3 third-party risk obligations.
As AWS Advanced Consulting Partners, Techtweek has deployed SOCs for 150+ UK financial clients, leveraging Amazon GuardDuty, AWS Security Hub, and CloudWatch for compliance-ready threat detection. The SOC directly supports FCA PS21/3’s impact tolerance by reducing mean time to detect (MTTD) and mean time to respond (MTTR)—critical metrics in operational resilience frameworks.
Security Operations: The Broader Governance and Compliance Framework
Security operations extends beyond the SOC. It encompasses the full spectrum of security governance, risk management, and strategic resilience.
- Risk and Compliance: Mapping threats to regulatory obligations (NCSC Cyber Essentials, ICO GDPR principles, FCA PS21/3 important business services). This includes vulnerability assessments, penetration testing, and control effectiveness audits.
- Third-Party Risk Management: Vendor due diligence, supply chain security, and contractual obligations—essential under FCA PS21/3’s third-party risk provisions, particularly for cloud and outsourcing arrangements in eu-west-2 (London region).
- Incident Governance: Escalation pathways, board reporting, regulatory notifications (ICO within 72 hours for data breaches), and PRA/FCA reporting under operational resilience frameworks.
- Resilience Planning: Business continuity, disaster recovery, and crisis communication—directly tied to FCA PS21/3’s definition of important business services and recovery time objectives (RTO).
- Security Policy and Standards: Development of security policies, baselines aligned to NCSC Cyber Essentials, and internal audit functions.
This strategic layer ensures that incident response (handled by SOC) feeds into organisational learning, control improvements, and regulatory evidence gathering. For UK financial firms, the board-level accountability sits within security operations governance, not within the SOC’s technical remit.
Regulatory Alignment: FCA PS21/3, NCSC Cyber Essentials, and the Role of Each Function
FCA PS21/3 (effective 31 March 2024) mandates that all authorised firms identify, document, and manage impact tolerances for important business services. Both the SOC and security operations play complementary roles:
- SOC Contribution: Real-time detection and response reduce the duration of system unavailability (a key impact tolerance metric). Incident logs and MTTR metrics feed directly into operational resilience dashboards required by PS21/3.
- Security Operations Contribution: Establishes the impact tolerance definitions, classifies which services are IBS, and ensures the SOC operates within agreed thresholds. Security operations also manages the risk assessment process to determine whether a third-party SOC provider (common among smaller UK banks and fintechs) introduces concentration risk or unacceptable dependencies.
- NCSC Cyber Essentials Alignment: NCSC recommends security monitoring as a foundational control. A SOC directly implements this; security operations ensures monitoring targets align with organisational IBS definitions and regulatory obligations.
- ICO UK GDPR: Data breach incidents detected by the SOC trigger security operations’ compliance protocols—notification to ICO within 72 hours, data subject communication, and record-of-processing updates. Techtweek’s incident response playbooks integrate this chain of command for our UK fintech clients.
For firms operating in eu-west-2 (London), where data residency and UK-specific regulatory oversight apply, clear SOC-to-security-operations escalation pathways are non-negotiable. Ambiguity here has resulted in regulatory findings in FCA thematic reviews of cybersecurity controls.
Choosing the Right Model for Your UK Financial Institution
The decision to build an in-house SOC versus outsource to an MSSP, and how to structure the broader security operations function, depends on your firm’s size, complexity, and regulatory obligations:
- Large Banks and Building Societies: Typically maintain in-house SOCs with dedicated teams, supplemented by specialist MSSPs for threat hunting or deep forensics. Security operations remains in-house, often reporting to the Chief Information Security Officer (CISO) or the Chief Risk Officer (CRO), depending on governance structure.
- Mid-Market Fintech and Payment Firms: May operate a hybrid model—in-house security operations and risk oversight, with an outsourced SOC provider contractually bound to PS21/3 third-party requirements and GDPR DPA terms. Techtweek helps clients define these contracts, ensuring MTTR SLAs and incident reporting align with FCA expectations.
- Early-Stage Fintechs: Often begin with a fully managed SOC provider (MSSP), allowing focus on product and compliance. As they grow and regulatory obligations increase, many transition to hybrid or in-house models by year 3–4. Security operations governance remains essential from day one, even if initially lightweight.
Regardless of model, both functions must integrate seamlessly. A SOC without clear escalation to security operations risks missing strategic insights; security operations without tactical incident response visibility may overestimate or underestimate organisational risk.
E-E-A-T: Why Techtweek Leads on This Topic
Techtweek Infotech has spent 8+ years advising UK financial institutions on SOC architecture and security operations governance. Our AWS Advanced Partner status gives us privileged insight into AWS security services and their regulatory implications. Our 24/7 follow-the-sun support model (teams across India, UK, and US time zones) mirrors best-practice SOC operations and allows us to support UK clients during incident response—a critical advantage when MTTR is measured in minutes, not hours.
We’ve authored regulatory correspondence for FCA thematic reviews, built NCSC Cyber Essentials-aligned control frameworks, and helped 40+ UK fintechs navigate PS21/3 implementation. This experience is reflected in every SOC and security operations design we deliver.
Frequently Asked Questions
Does FCA PS21/3 require a dedicated SOC?
No, PS21/3 does not mandate a SOC. It requires firms to identify impact tolerances for important business services and demonstrate capabilities to detect and respond to disruptions. A SOC is a technical tool to meet this—outsourced, in-house, or hybrid models are acceptable if contractually and operationally aligned to regulatory requirements.
Can a single team manage both SOC and security operations?
In early-stage fintechs, yes—one security lead can oversee both. However, as risk complexity grows, separation of duties becomes essential. SOC teams focus on speed and detection; security operations focuses on strategy and governance. Conflating roles delays strategic decision-making.
How does FCA PS21/3 affect SOC outsourcing to non-UK MSSPs?
PS21/3 treats outsourced SOCs as third-party risks. You must assess concentration risk, ensure contractual MTTR/SLA alignment, and maintain oversight of incident response. Data residency in eu-west-2 (London) is preferred but not mandated; however, ICO GDPR principles still apply regardless of MSSP location.
What metrics should security operations track for FCA compliance?
FCA PS21/3 emphasises mean time to detect (MTTD), mean time to recover (MTTR), and frequency of incidents impacting IBS. Security operations should also track third-party audit findings, NCSC Cyber Essentials progress, and ICO breach notification timeliness to demonstrate operational resilience.
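As an added illustration (not from the original article or Techtweek's own tooling), this is the calculation security operations would run over SOC incident records to produce the per-service MTTD/MTTR figures mentioned above and to flag IBS incidents whose disruption exceeded the agreed impact tolerance. Service names, timestamps and tolerance values are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Constructed incident records of the kind a SOC case-management export carries.
# Service names, timestamps and tolerances are invented for illustration.
@dataclass
class Incident:
    case_id: str
    service: str            # business service affected
    occurred_at: datetime   # start of disruption (first evidence of attack/outage)
    detected_at: datetime   # SOC alert raised
    recovered_at: datetime  # service restored to normal operation

# Impact tolerances (minutes of disruption) are set by security operations, not
# the SOC; only services classified as important business services have one.
IMPACT_TOLERANCE_MIN = {"payments": 120, "online-banking": 240}

_ts = datetime.fromisoformat

INCIDENTS = [
    Incident("INC-001", "payments", _ts("2024-04-01T09:00"), _ts("2024-04-01T09:20"), _ts("2024-04-01T10:30")),
    Incident("INC-002", "payments", _ts("2024-04-03T14:00"), _ts("2024-04-03T14:10"), _ts("2024-04-03T17:00")),
    Incident("INC-003", "online-banking", _ts("2024-04-05T02:00"), _ts("2024-04-05T02:30"), _ts("2024-04-05T05:00")),
    Incident("INC-004", "internal-wiki", _ts("2024-04-06T11:00"), _ts("2024-04-06T12:00"), _ts("2024-04-06T13:00")),
]

def _minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60

def resilience_metrics(incidents, tolerances):
    """Per-service MTTD, MTTR and the count of IBS incidents whose disruption
    exceeded the agreed impact tolerance (the condition PS21/3 reporting tracks)."""
    per_service = {}
    for inc in incidents:
        m = per_service.setdefault(inc.service, {"ttd": [], "ttr": [], "breaches": 0})
        m["ttd"].append(_minutes(inc.occurred_at, inc.detected_at))
        disruption = _minutes(inc.occurred_at, inc.recovered_at)
        m["ttr"].append(disruption)
        # Tolerance is judged on total disruption, measured from occurrence rather
        # than detection, so slow detection counts against the IBS as well.
        if inc.service in tolerances and disruption > tolerances[inc.service]:
            m["breaches"] += 1
    return {
        svc: {"is_ibs": svc in tolerances, "incidents": len(m["ttd"]),
              "mttd_min": round(mean(m["ttd"]), 1), "mttr_min": round(mean(m["ttr"]), 1),
              "tolerance_breaches": m["breaches"]}
        for svc, m in per_service.items()
    }
```

Non-IBS services still get MTTD/MTTR figures for SOC performance tracking, but only IBS services are tested against a tolerance, which is the distinction the two functions' reporting hinges on.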
How is a SOC incident different from a security operations incident?
A SOC incident is a detected technical anomaly or attack (e.g., malware on a server). Security operations determines whether it impacts important business services, triggers regulatory obligations, requires board notification, or indicates control deficiencies requiring remediation. The SOC responds tactically; security operations responds strategically.