Remote gambling and software technical standards (RTS)

Remote gambling and software technical standards under section 89 and section 97 of the Gambling Act 2005.

4 - Remote gambling and software technical standards (RTS) security requirements

The following new section 4 will replace this section after 31 October 2024.

4.1 This section sets out a summary of the RTS security requirements that licence holders must meet. The Commission has based the security requirements on the relevant sections of Annex A to the ISO/IEC 27001:2013 standard.

4.2 This 2013 standard replaces ISO/IEC 27001:2005.

4.3 The Commission’s aim in setting out the security standards is to ensure customers are not exposed to unnecessary security risks by choosing to participate in remote gambling. The Commission has highlighted those systems that are most critical to achieving the Commission’s aims and the security standards apply to these critical systems:

  • electronic systems that record, store, process, share, transmit or retrieve sensitive customer information, for example, credit/debit card details, authentication information, customer account balances
  • electronic systems that generate, transmit, or process random numbers used to determine the outcome of games or virtual events
  • electronic systems that store results or the current state of a customer’s gamble
  • points of entry to and exit from the above systems (other systems that are able to communicate directly with core critical systems)
  • communication networks that transmit sensitive customer information.

Security requirements summary

Standard – A.5 Information security policies

Objective A.5.1 Information security policy
Requirement A.5.1.1 Policies for information security
Requirement A.5.1.2 Review of the information security policy

Standard – A.6 Organisation of information security

Objective A.6.2 Mobile devices and teleworking
Requirement A.6.2.1 Mobile device policy
Requirement A.6.2.2 Teleworking

Standard – A.7 Human resources security

Objective A.7.2 During employment
Requirement A.7.2.2 Information security awareness, education and training
Objective A.7.3 Termination or change of employment
Requirement A.7.3.1 Termination or change of employment responsibilities

Standard – A.8 Asset management

Objective A.8.2 Information classification
Requirement A.8.2.3 Handling of assets
Objective A.8.3 Media Handling
Requirement A.8.3.1 Management of removable media
Requirement A.8.3.2 Disposal of media

Standard – A.9 Access Control

Objective A.9.1 Business requirements of access control
Requirement A.9.1.1 Access control policy
Requirement A.9.1.2 Access to network and network services
Objective A.9.2 User access management
Requirement A.9.2.1 User registration and de-registration
Requirement A.9.2.2 User access provisioning
Requirement A.9.2.3 Management of privileged access rights
Requirement A.9.2.4 Management of secret authentication information of users
Requirement A.9.2.5 Review of user access rights
Requirement A.9.2.6 Removal or adjustment of access rights
Objective A.9.3 User responsibilities
Requirement A.9.3.1 Use of secret authentication information
Objective A.9.4 System and application access control
Requirement A.9.4.1 Information access restriction
Requirement A.9.4.2 Secure log-on procedure
Requirement A.9.4.3 Password management system
Requirement A.9.4.4 Use of privileged utility programmes

Standard – A.10 Cryptography

Objective A.10.1 Cryptographic controls
Requirement A.10.1.1 Policy on use of cryptographic controls
Requirement A.10.1.2 Key management

Standard – A.11 Physical and Environmental Security

Objective A.11.2 Equipment
Requirement A.11.2.1 Equipment siting and protection
Requirement A.11.2.7 Secure disposal or re-use of equipment
Requirement A.11.2.8 Unattended user equipment

Standard – A.12 Operations Security

Objective A.12.1 Operational procedures and responsibilities
Requirement A.12.1.4 Separation of development, testing and operational environments
Objective A.12.2 Protection from malware
Requirement A.12.2.1 Controls against malware
Objective A.12.3 Protect against loss of data
Requirement A.12.3.1 Information backup
Objective A.12.4 Logging and monitoring
Requirement A.12.4.1 Event logging
Requirement A.12.4.2 Protection of log information
Requirement A.12.4.3 Administrator and operator logs
Requirement A.12.4.4 Clock synchronisation

Standard – A.13 Communications Security

Objective A.13.1 Network security management
Requirement A.13.1.1 Network controls
Requirement A.13.1.2 Security of network services
Requirement A.13.1.3 Segregation in networks

Standard – A.14 System acquisition, development and maintenance

Objective A.14.1 Security requirements of information systems
Requirement A.14.1.2 Securing application services on public networks
Requirement A.14.1.3 Protecting application service transactions
Objective A.14.2 Security in development and support processes
Requirement A.14.2.1 Secure development policy
Requirement A.14.2.2 System change control procedures
Requirement A.14.2.3 Technical review of applications after operating platform changes
Requirement A.14.2.4 Restrictions on changes to software packages
Requirement A.14.2.5 Secure system engineering principles
Requirement A.14.2.6 Secure development environment
Requirement A.14.2.7 Outsourced development
Requirement A.14.2.8 System security testing
Requirement A.14.2.9 System acceptance testing
Objective A.14.3 Test data
Requirement A.14.3.1 Protection of test data

Standard – A.15 Supplier Relationships

Objective A.15.1 Information security in supplier relationships
Requirement A.15.1.1 Information security policy for supplier relationships
Requirement A.15.1.2 Addressing security within supplier agreements
Requirement A.15.1.3 Information and communication technology supply chain
Objective A.15.2 Supplier service delivery management
Requirement A.15.2.1 Monitoring and review of supplier services
Requirement A.15.2.2 Managing changes to supplier services

Standard – A.16 Information security incident management

Objective A.16.1 Management of information security incidents and improvements
Requirement A.16.1.1 Responsibilities and procedures
Requirement A.16.1.2 Reporting information security events
Requirement A.16.1.3 Reporting information security weaknesses
Requirement A.16.1.4 Assessment of and decision on information security events
Requirement A.16.1.5 Response to information security incidents
Requirement A.16.1.7 Collection of evidence

Standard – A.18 Compliance

Objective A.18.2 Information security review
Requirement A.18.2.1 Independent review of information security

As an annual requirement, the last date for any licensee to complete a security audit against the 2013 standard will be 31 October 2024. All security audits conducted after 1 November 2024 must be conducted against the 2022 standard. This means by 31 October 2025 all relevant licensees will have completed a security audit based on the 2022 standard.

For clarity, any security audit up to 31 October 2024 can be against either the 2013 or 2022 standard.

The following section contains details of the relevant 2022 requirements, which have been converted from the 2013 standard, along with the addition of 5.23 ‘Information security for use of cloud services’, which was consulted on in summer 2023. The new section will replace the existing section 4 after 31 October 2024.

4 - Remote gambling and software technical standards (RTS) security requirements

Security requirements summary

4.1 This section sets out a summary of the RTS security requirements that licence holders must meet. The Commission has based the security requirements on the relevant sections of Annex A to the ISO/IEC 27001:2022 standard.

4.2 This 2022 standard replaces ISO/IEC 27001:2013.

4.3 The Commission’s aim in setting out the security standards is to ensure customers are not exposed to unnecessary security risks by choosing to participate in remote gambling. The Commission has highlighted those systems that are most critical to achieving the Commission’s aims and the security standards apply to these critical systems:

  • electronic systems that record, store, process, share, transmit or retrieve sensitive customer information, for example, credit/debit card details, authentication information, customer account balances
  • electronic systems that generate, transmit, or process random numbers used to determine the outcome of games or virtual events
  • electronic systems that store results or the current state of a customer’s gamble
  • points of entry to and exit from the above systems (other systems that are able to communicate directly with core critical systems)
  • communication networks that transmit sensitive customer information.

Organisational controls

5.1 Policies for information security
5.10 Acceptable use of information and other associated assets
5.15 Access control
5.16 Identity management
5.17 Authentication information
5.18 Access rights
5.19 Information security in supplier relationships
5.20 Addressing information security within supplier agreements
5.21 Managing information security in the ICT supply chain
5.22 Monitoring, review and change management of supplier services
5.23 Information security for use of cloud services
5.24 Information security incident management planning and preparation
5.25 Assessment and decision on information security events
5.26 Response to information security incidents
5.28 Collection of evidence
5.35 Independent review of information security

People controls

6.3 Information security awareness, education and training
6.5 Responsibilities after termination or change of employment
6.7 Remote working
6.8 Information security event reporting

Physical controls

7.8 Equipment siting and protection
7.10 Storage media
7.14 Secure disposal or re-use of equipment

Technological controls

8.1 User endpoint devices
8.2 Privileged access rights
8.3 Information access restriction
8.5 Secure authentication
8.7 Protection against malware
8.13 Information backup
8.15 Logging
8.17 Clock synchronisation
8.18 Use of privileged utility programs
8.20 Networks security
8.21 Security of network services
8.22 Segregation of networks
8.24 Use of cryptography
8.25 Secure development life cycle
8.26 Application security requirements
8.27 Secure system architecture and engineering principles
8.29 Security testing in development and acceptance
8.30 Outsourced development
8.31 Separation of development, test and production environments
8.32 Change management
8.33 Test information
