
Guidance to licensing authorities

The Gambling Commission's guidance for licensing authorities.

4 - Remote gambling and software technical standards (RTS) security requirements

Security requirements summary

4.1 This section sets out a summary of the RTS security requirements that licence holders must meet. The Commission has based the security requirements on the relevant sections of Annex A to the ISO/IEC 27001:2022 standard.

4.2 This 2022 standard replaces ISO/IEC 27001:2013.

4.3 The Commission’s aim in setting out the security standards is to ensure that customers who choose to participate in remote gambling are not exposed to unnecessary security risks. The Commission has identified the systems that are most critical to achieving this aim, and the security standards apply to the following critical systems:

  • electronic systems that record, store, process, share, transmit or retrieve sensitive customer information, for example, credit/debit card details, authentication information, customer account balances
  • electronic systems that generate, transmit, or process random numbers used to determine the outcome of games or virtual events
  • electronic systems that store results or the current state of a customer’s gamble
  • points of entry to and exit from the above systems (other systems that are able to communicate directly with core critical systems)
  • communication networks that transmit sensitive customer information.

Organisational controls

5.1 Policies for information security
5.10 Acceptable use of information and other associated assets
5.15 Access control
5.16 Identity management
5.17 Authentication information
5.18 Access rights
5.19 Information security in supplier relationships
5.20 Addressing information security within supplier agreements
5.21 Managing information security in the ICT supply chain
5.22 Monitoring, review and change management of supplier services
5.23 Information security for use of cloud services
5.24 Information security incident management planning and preparation
5.25 Assessment and decision on information security events
5.26 Response to information security incidents
5.28 Collection of evidence
5.35 Independent review of information security

People controls

6.3 Information security awareness, education and training
6.5 Responsibilities after termination or change of employment
6.7 Remote working
6.8 Information security event reporting

Physical controls

7.8 Equipment siting and protection
7.10 Storage media
7.14 Secure disposal or re-use of equipment

Technological controls

8.1 User endpoint devices
8.2 Privileged access rights
8.3 Information access restriction
8.5 Secure authentication
8.7 Protection against malware
8.13 Information backup
8.15 Logging
8.17 Clock synchronisation
8.18 Use of privileged utility programs
8.20 Networks security
8.21 Security of network services
8.22 Segregation of networks
8.24 Use of cryptography
8.25 Secure development life cycle
8.26 Application security requirements
8.27 Secure system architecture and engineering principles
8.29 Security testing in development and acceptance
8.30 Outsourced development
8.31 Separation of development, test and production environments
8.32 Change management
8.33 Test information
