
Technical standards: Security requirements

Our testing strategy requires an annual third-party security audit against particular sections of ISO/IEC 27001:2013.

You must ensure that the security audit report provided by the security auditor meets the guidance provided in the security audit advice.  

Remote technical standards: section 5

A full copy of ISO/IEC 27001:2013 can be obtained from BSI Customer Services (cservices@bsigroup.com).

The security requirements detail information security standards with the aim of ensuring that you have appropriate controls in place so that customers are not exposed to unnecessary risks when choosing to participate in remote gambling.

The requirements apply to:

  • electronic systems that record, store, process, share, transmit or retrieve sensitive customer information, for example credit/debit card details, authentication information, customer account balances
  • electronic systems that generate, transmit, or process random numbers used to determine the outcome of games or virtual events
  • electronic systems that store results or the current state of a customer’s gamble
  • points of entry to and exit from the above systems (other systems that are able to communicate directly with core critical systems)
  • communication networks that transmit sensitive customer information. 

Breaches of information security may constitute a key event which you must report to us. We have produced guidance to assist you in determining when to report such breaches and what information to include in the report.

Whilst we don’t require operators to become fully certified to the ISO 27001:2013 standard, many have opted to do so. We allow these operators to supply existing information rather than duplicate effort. Existing information would include:

  • Accreditation certificate (ensuring that the entities and business functions covered by the accreditation are clearly defined);
  • Statement of Applicability (SOA, ensuring it covers all RTS security elements);
  • Copy of last audit report (including management response and action plan for any findings); and
  • A forward schedule of future audit focus (or some other way of demonstrating that all RTS security elements will be reviewed at least every three years).