Gambling Compliance

Gambling commission advice and audit


Gambling Commission Compliance

The Gambling Commission regulates gambling in the UK. All licensed remote gambling operators and gambling software operators must comply with specific licensing requirements, including technical standards, and provide annual security audit reports.

Newly licensed remote gambling operators have to submit a security audit within six months of being granted a licence, irrespective of whether they are trading.

Remote gambling and software technical standards

The Gambling Commission’s Remote gambling and software technical standards (RTS) detail the specific technical standards and the security requirements that licensed remote gambling operators and gambling software operators need to meet.

Under section 5 of the RTS, remote gambling operators must complete a third-party annual security audit against specific sections of the ISO/IEC 27001:2013 standard and submit an audit report to the Commission.

Gambling operators that obtain certification to the full standard must be audited against ISO/IEC 27001:2013.

Scope of the security audit

The scope of the “security audit” needs to cover the following “critical” systems:

  • electronic systems that record, store, process, share, transmit or retrieve sensitive customer information, e.g. credit/debit card details, authentication information, customer account balances;
  • electronic systems that generate, transmit or process random numbers used to determine the outcomes of games or virtual events;
  • electronic systems that store results or the current state of a customer’s gambling history;
  • points of entry to and exit from the above systems (other systems that are able to communicate directly with core critical systems);
  • communication networks that transmit sensitive customer information.

Scheduling your security audit

While the Commission does not approve security audit firms to perform the security audit, it highlights that “Licensees must satisfy themselves that the third party security auditor they intend to use is reputable, is suitably qualified to test compliance with BS ISO/IEC 27001 and that the auditor is independent from the licensee.”

The auditor must be one of the following:

  • ISO 27001 Lead Auditor
  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • Certified Information Systems Security Professional (CISSP)

Minatio security consultants are fully qualified to carry out independent information security audits as required by the Gambling Commission.

Minatio can also assist you in preparing to meet the Gambling Commission security audit requirements and passing the audit.

Gambling Commission Preparation

The Gambling Commission requires all remote gambling operator licensees to complete an annual third-party security audit against particular sections of ISO 27001, and to submit a report to the Commission as evidence of compliance.

Minatio security consultants are fully qualified and in a superb position to help remote gambling operators comply with the applicable ISO 27001 clauses, as set out under section 5 of the Remote gambling and software standards (RTS).

What we can do for you

Minatio will perform a gap analysis against the selected ISO 27001 controls and provide you with a detailed project plan enabling you to perform remediation on the highlighted gaps. We will guide you through the process of complying with the security requirements with one of our expert security consultants.

As part of our full preparation service we will cover the following selected ISO 27001 controls as mandated by the Gambling Commission:

  • A.5 Information security policies
  • A.6 Organisation of information security
  • A.7 Human resources security
  • A.8 Asset management
  • A.9 Access control
  • A.10 Cryptography
  • A.11 Physical and environmental security
  • A.12 Operations security
  • A.13 Communications security
  • A.14 System acquisition, development and maintenance
  • A.15 Supplier relationships
  • A.18 Compliance

Gambling Commission Audit

The Gambling Commission requires all remote gambling operator licensees to complete a third-party annual security audit against particular sections of ISO 27001, and to submit a report to the Commission as evidence of compliance.

Minatio are suitably qualified to assess licensed remote gambling providers against the applicable ISO 27001 clauses as set out under Section 5 of the Remote gambling and software standards (RTS).

We will perform an audit against the selected ISO 27001 security controls that apply to the following “critical” systems as defined by the Gambling Commission:

  • electronic systems that record, store, process, share, transmit or retrieve sensitive customer information, e.g. credit/debit card details, authentication information, customer account balances
  • electronic systems that generate, transmit, or process random numbers used to determine the outcome of games or virtual events
  • electronic systems that store results or the current state of a customer’s gambling history
  • points of entry to and exit from the above systems (other systems that are able to communicate directly with core critical systems)
  • communication networks that transmit sensitive customer information

On completion of the annual security audit we will provide you with a report that is suitable for submission to the Gambling Commission.

What does the security audit include?

In line with the requirements of the Gambling Commission, we will deliver the following as part of the security audit:

  • Determine the scope of testing.
  • Review relevant policies, procedures and documents.
  • Review IT systems.
  • Assess the effectiveness of security controls.
  • Conduct interviews with key stakeholders and staff members.
  • Gather evidence from specific areas, including network security settings, user control access and training records.
  • Develop a management plan to resolve issues that were identified.
  • Provide an executive summary including the key audit findings.
  • Produce a security audit report that meets the requirements of the Gambling Commission.