Gambling Commission Compliance
The Gambling Commission regulates gambling in the UK. All licensed remote gambling operators and gambling software operators must comply with specific licensing requirements, including technical standards, and provide annual security audit reports.
Newly licensed remote gambling operators have to submit a security audit within six months of being granted a licence, irrespective of whether they are trading.
Remote gambling and software technical standards
The Gambling Commission’s Remote gambling and software technical standards (RTS) detail the specific technical standards and the security requirements that licensed remote gambling operators and gambling software operators need to meet.
Under section 5 of the RTS, remote gambling operators must complete a third-party annual security audit against specific sections of the ISO/IEC 27001:2013 standard and submit an audit report to the Commission.
Gambling operators that obtain certification to the full Standard must be audited against ISO/IEC 27001:2013.
Scope of the security audit
The scope of the “security audit” needs to cover the following “critical” systems:
- electronic systems that record, store, process, share, transmit or retrieve sensitive customer information, e.g. credit/debit card details, authentication information, customer account balances;
- electronic systems that generate, transmit or process random numbers used to determine the outcomes of games or virtual events;
- electronic systems that store results or the current state of a customer’s gambling history;
- points of entry to and exit from the above systems (other systems that are able to communicate directly with core critical systems);
- communication networks that transmit sensitive customer information.
Scheduling your security audit
While the Commission does not approve security audit firms to perform the security audit, it highlights that “Licensees must satisfy themselves that the third party security auditor they intend to use is reputable, is suitably qualified to test compliance with BS ISO/IEC 27001 and that the auditor is independent from the licensee.”
The auditor must be one of the following:
- ISO 27001 Lead Auditor
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified Information Systems Security Professional (CISSP)
Minatio security consultants are fully qualified to carry out independent information security audits as required by the Gambling Commission.
Minatio can also assist you in preparing to meet the Gambling Commission security audit requirements and passing the audit.