Testing strategy for compliance with remote gambling and software technical standards
Table 1 sets out that an annual security audit must be carried out to assess compliance against the security requirements of the RTS. The following categories of licence require the full security audit by an independent auditor: remote general betting (standard) (virtual events), remote betting host (virtual events), remote pool betting, remote betting intermediary, remote bingo operating, remote bingo (host), remote casino, remote casino (game host) and remote lottery licences (entries greater than £250,000 per year). The security requirements are based on relevant sections of ISO/IEC 27001:2013 and are listed in Section 5 of the RTS. The Commission does not intend to approve security audit firms to perform the security audit, as many licensees already have arrangements with appropriate security auditors.
Licensees must satisfy themselves that the third party security auditor is reputable, is suitably qualified to test compliance with ISO/IEC 27001:2013 and that the auditor is independent from the licensee.
Licensees must provide to the Commission copies of the full report produced by the security auditor, along with management responses for any identified issues, on completion of their audit.
The security audit reports should be uploaded via the eServices portal.
The security auditor’s report must comply with our Security audit advice.
The Commission is aware that many licensees are also subject to PCI DSS (Payment Card Industry Data Security Standard) and are audited for those purposes. The Commission considers its security standards to be sufficiently broad that audits conducted against other standards may meet some of the Commission’s requirements. Licensees will need to ensure that their audits cover the scope of the security requirements as set out in Section 5 of the RTS.
The Commission has highlighted those systems that are most critical to achieving the Commission’s aims and the security standards will apply to these critical systems:
- electronic systems that record, store, process, share, transmit or retrieve sensitive consumer information, eg credit/debit card details, authentication information, consumer account balances
- electronic systems that generate, transmit, or process random numbers used to determine the outcome of games or virtual events
- electronic systems that store results or the current state of a consumer’s gamble
- points of entry to and exit from the above systems (other systems that are able to communicate directly with core critical systems)
- communication networks that transmit sensitive consumer information.