Technical standards: Security requirements
Our testing strategy requires a third party annual security audit against particular sections of ISO/IEC 27001:2013.
You must ensure that the security audit report provided by the security auditor meets the guidance provided in the security audit advice.
Remote technical standards: section 5
A full copy of ISO/IEC 27001:2013 can be obtained from BSI Customer Services (firstname.lastname@example.org).
The security requirements detail information security standards with the aim of ensuring that you have appropriate controls in place so that customers are not exposed to unnecessary risks when choosing to participate in remote gambling.
The requirements apply to:
- electronic systems that record, store, process, share, transmit or retrieve sensitive customer information, for example credit/debit card details, authentication information, customer account balances
- electronic systems that generate, transmit, or process random numbers used to determine the outcome of games or virtual events
- electronic systems that store results or the current state of a customer’s gamble
- points of entry to and exit from the above systems (other systems that are able to communicate directly with core critical systems)
- communication networks that transmit sensitive customer information.
Breaches of information security may constitute a key event which you must report to us. We have produced guidance to assist you in determining when to report such breaches and what information to include in the report.
Whilst we don’t require operators to become fully certified with the ISO 27001:2013 standard many have opted to do so. For these operators we allow them to supply existing information, rather than having to duplicate effort. Existing information would include:
- Accreditation certificate (ensuring that the entities and business functions covered by the accreditation are clearly defined);
- Statement of Applicability (SOA, ensuring it covers all RTS security elements);
- Copy of last audit report (including management response and action plan for any findings); and
- A forward schedule of future audit focus (or some other way of demonstrating that all RTS security elements will be reviewed at least every three years).