Gambling Commission Compliance - Security Requirements
The Gambling Commission regulates gambling in the UK. All licensed remote gambling operators and gambling software operators must comply with specific licensing requirements, including technical standards, and provide annual security audit reports.
Newly licensed remote gambling operators have to submit a security audit within six months of being granted a licence, irrespective of whether they are trading.
Remote gambling and software technical standards
The Gambling Commission’s Remote gambling and software technical standards (RTS) detail the specific technical standards and the security requirements that licensed remote gambling operators and gambling software operators need to meet.
Under section 5 of the RTS, remote gambling operators must complete a third-party annual security audit against specific sections of the ISO/IEC 27001:2013 standard and submit an audit report to the Commission.
Gambling operators that obtain certification to the full Standard must be audited against ISO/IEC 27001:2013.
Scope of the security audit
The scope of the “security audit” needs to cover the following “critical” systems:
electronic systems that record, store, process, share, transmit or retrieve sensitive customer information, e.g. credit/debit card details, authentication information, customer account balances;
electronic systems that generate, transmit or process random numbers used to determine the outcomes of games or virtual events;
electronic systems that store results or the current state of a customer’s gambling history;
points of entry to and exit from the above systems (other systems that are able to communicate directly with core critical systems);
communication networks that transmit sensitive customer information.
Who can conduct the security audit?
While the Commission does not approve security audit firms to perform the security audit, it highlights that “Licensees must satisfy themselves that the third party security auditor they intend to use is reputable, is suitably qualified to test compliance with BS ISO/IEC 27001 and that the auditor is independent from the licensee.”
The auditor must hold one of the following qualifications:
ISO 27001 Lead Auditor
Certified Information Systems Auditor (CISA)
Certified Information Security Manager (CISM)
Certified Information Systems Security Professional (CISSP)
IT Governance has a team of ISO 27001 Lead Auditors, many of whom also hold CISA, CISM or CISSP certificates and are qualified to carry out independent information security audits as required by the Gambling Commission. See our Gambling Commission Security Audit service for more details.
IT Governance can also assist you in preparing to meet the Gambling Commission security audit requirements and passing the audit. See our Gambling Commission Security Requirements Consultancy service for more details.
Why choose IT Governance?
We have over 15 years’ experience implementing ISO 17799/ISO 27001.
We have fully qualified and experienced ISO 27001 auditors.
We have experience in Gambling Commission security audits.
We offer comprehensive implementation and remediation support – i.e. we can help you address any nonconformities and prepare you to pass your security audit successfully.
We offer an integrated service, which means that we can also provide penetration testing, as well as Data Protection Act (DPA) and PCI DSS compliance support.
Our transparent pricing enables you to control all your costs.
PCI DSS compliance for remote gambling operators
As a PCI QSA company, we can help operators that process payment cards comply with the Payment Card Industry Data Security Standard (PCI DSS).
The PCI DSS imposes strict information security control requirements on all merchants that process payment cards, and these requirements overlap substantially with the controls identified under the Gambling Commission's technical requirements.
Please email us or telephone +44 (0)845 070 1750 to see how we can help you meet these complex requirements.
Ensure your web applications are secure
As a CREST-accredited company we can also provide penetration testing services to help you determine whether your web applications are protected from fraudulent activity and unauthorised disclosure.