Completion of RTS security audit

Request

I would like to request the following information regarding organisations that fall under the Gambling Commission’s remit and that are required to complete an annual third-party security audit under the remote gambling and software technical standards (RTS).

This request is for security audit submissions for the 2023 calendar year.

1. What is the total number of organisations that are required to complete a yearly remote gambling and software technical standards (RTS) security audit?
2. How many organisations have completed and provided to the Gambling Commission a report that demonstrates that they have successfully met the requirements as outlined under the RTS?

Response

Thank you for your request which has been processed under the Freedom of Information Act 2000 (FOIA).

In your email you have requested: I would like to request the following information regarding organisations that fall under the Gambling Commission's remit and that are required to complete an annual third-party security audit under the remote gambling and software technical standards (RTS).

This request is for security audit submissions for the 2023 calendar year.

1. What is the total number of organisations that are required to complete a yearly remote gambling and software technical standards (RTS) security audit?
2. How many organisations have completed and provided to the Gambling Commission a report that demonstrates that they have successfully met the requirements as outlined under the RTS?

In order to be of assistance, the Gambling Commission can confirm the following:

1. 550 operators hold licenced products that would require completion of a security audit.
2. 217 operators have provided security audits that demonstrates that they have successfully met the requirements. In addition, 82 operators have provided assurance that requirements have been met.

Please note, operators only have to provide a copy of the audit report if requested by the Commission or if major non-conformities were identified. The Compliance Team conducts a review of security audits based on a sample selection of operators on a yearly basis. However, some operators still submit the reports (based on a previous process, pre-April 2021) even if the Commission hasn’t requested them. All of the audits received have been reviewed.

Therefore, the operators where we have not been provided with a security audit report were not part of the sample for 2023 and therefore were not requested by the Commission, however, these operators should still have had a security audit report.

Review of the decision

If you are unhappy with the service you have received in relation to your Freedom of Information request you are entitled to an internal review of our decision. You should write to FOI Team, Gambling Commission, 4th floor, Victoria Square House, Victoria Square, Birmingham, B2 4BP or by reply to this email.

Please note, internal review requests should be made within 40 working days of the initial response. Requests made outside this timeframe will not be processed.

If you are not content with the outcome of our review, you may then apply directly to the Information Commissioner (ICO) for a decision. Generally, the ICO cannot make a decision unless you have already exhausted the review procedure provided by the Gambling Commission.

The ICO can be contacted at: The Information Commissioner’s Office (opens in a new tab), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

Information Management Team
Gambling Commission
Victoria Square House
Victoria Square
Birmingham B2 4BP