Consultation response
Summer 2023 consultation – Proposed changes to LCCP and RTS: Consultation Response
This response sets out our position in relation to the consultation on the proposed changes to LCCP and Remote Gambling and Software Technical Standards.
Contents
- Executive summary
- Summary of topics
- Topic 1 - Improving customer choice on direct marketing: Consultation Response
- Topic 2 - Strengthening age verification in premises: Consultation Response
- Topic 3 - Game design: Consultation Response
- Topic 4 - Financial vulnerability checks: Consultation Response and Financial risk assessments pilot: Consultation Response
- Topic 5 - Personal Management Licence: Consultation Response
- Topic 6 - Changes to Regulatory Panels: Consultation Response
- Evaluating the impact of relevant changes
- Annex
Proposal 7: Information security standards
Proposals
We identified one of the new controls in International Organization for Standardization (ISO)27001:2022 as particularly pertinent to remote gambling and proposed to include it in the remote gambling and software technical standards (RTS) as a control for future security audits:
5.23 Information security for use of cloud services
Consultation questions
To what extent do you agree with the proposal to introduce one new section of the ISO27001 2022 standard as a requirement in RTS security audits? Do you think any of the other new controls from the ISO 27001 2022 update should be included in the security audit requirements?
Respondents’ views
The views from respondents were:
- a couple of responses highlighted the existing transitional arrangements between the 2013 and 2022 ISO27001 standards
- clarity was sought on the go-live date for audits against the 2022 standard so licensees would not require re-auditing against the updated standard
- there was a small number of suggestions that the Gambling Commission consider whether controls 8.12 (‘Data leaking protection’) and 8.28 (‘Secure coding’) are appropriate to include within the security audit requirements.
Our position
We have reconsidered the addition of controls 8.12 and 8.28.
Secure coding is a control aimed at instilling secure coding principles into software development. Our remote testing strategy already sets out good practice for in-house development, testing and release of software, which is based on the controls already included from ISO27001. The inclusion of this control does not appear to add much beyond what is already expected. We are not adding this control to the security audit requirements at this point in time.
Data leaking protection is aimed at mitigating the loss of sensitive data, a process that is already covered by data protection laws and standards such as the Payment Card Industry Data Security Standard (PCI DSS)1. Other areas of ISO27001 already mitigate similar risks by requiring that access to data be controlled and that cryptography be implemented where appropriate. We are not requiring the addition of this control to the security audit requirements at this point in time.
We have reviewed the new sections of the 2022 standard again and are proceeding as indicated in the consultation. We had not intended to introduce this update ahead of the end of the transitional window. We had received several queries from licensees about which standard they should be getting an audit against, so it was important to consult on updating the RTS to give stakeholders sufficient notice on changes.
We are aware that organisations that are fully certified against the ISO27001:2013 standard have until 31 October 2025 to transition to the 2022 standard.
Our security audit requirements are a bespoke and more limited set of the ISO27001 controls and are required to be completed on an annual basis. As an annual requirement, the last date for any licensee to complete a security audit against the 2013 standard will be 31 October 2024. All security audits conducted after 1 November 2024 must be conducted against the controls listed in the updated RTS, which aligns with the 2022 standard. This means that by 31 October 2025 all relevant licensees will have completed a security audit based on the 2022 standard.
For clarity, any security audit up to 31 October 2024 can be against either the 2013 or 2022 standard.
This extended period will give all relevant licensees time to prepare and ensure they are audited correctly.
Final wording
These changes will come into effect on 31 October 2024. This means any annual security audit conducted after 1 November 2024 must be to the updated 2022 standard.
The final wording of the new security audit requirements can be found in section 4 of the RTS. This section lists the relevant controls of the 2013 standard transposed to the numbering of the 2022 standard with the addition of the control we consulted on, 5.23 ‘Information security for use of cloud services’.
References
1. The Payment Card Industry Data Security Standard is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.
Last updated: 1 May 2024
Updates to this content: implementation date updated in the final wording section.