Proposal 7: Information security standards
Proposals
We identified one of the new controls in International Organization for Standardization (ISO)27001:2022 as particularly pertinent to remote gambling and proposed to include it in the remote gambling and software technical standards (RTS) as a control for future security audits:
5.23 Information security for use of cloud services
Consultation questions
To what extent do you agree with the proposal to introduce one new section of the ISO27001:2022 standard as a requirement in RTS security audits? Do you think any of the other new controls from the ISO27001:2022 update should be included in the security audit requirements?
Respondents’ views
The views from respondents were:
- a couple of responses highlighted the existing transitional arrangements between the 2013 and 2022 ISO27001 standards
- clarity was sought on the go-live date for audits against the 2022 standard, so that licensees would not require re-auditing against the updated standard
- there were a small number of suggestions for the Gambling Commission to consider whether controls 8.12 ‘Data leaking protection’ and 8.28 ‘Secure coding’ are appropriate to include within the security audit requirements.
Our position
We have reconsidered the addition of controls 8.12 and 8.28.
Secure coding is a control aimed at instilling secure coding principles into software development. Our remote testing strategy already sets out good practice for in-house development, testing and release of software, based on the controls already included from ISO27001. The inclusion of this control does not appear to add much beyond what is already expected. We are not adding this control to the security audit requirements at this point in time.
Data leaking protection is aimed at mitigating the loss of sensitive data, a process that is already covered by data protection laws and standards such as the Payment Card Industry Data Security Standard (PCI DSS) [1]. Other areas of ISO27001 already mitigate similar risks by requiring that access to data is controlled and that cryptography is implemented where appropriate. We are not requiring the addition of this control to the security audit requirements at this point in time.
We have reviewed the new sections of the 2022 standard again and are proceeding as indicated in the consultation. We had not intended to introduce this update ahead of the end of the transitional window. We had received several queries from licensees about which standard they should be getting an audit against, so it was important to consult on updating the RTS to give stakeholders sufficient notice on changes.
We are aware that organisations that are fully certified against the ISO27001:2013 standard have until 31 October 2025 to transition to the 2022 standard.
Our security audit requirements are a bespoke and more limited set of the ISO27001 controls, and they are required to be completed on an annual basis. As an annual requirement, the last date for any licensee to complete a security audit against the 2013 standard will be 31 October 2024. All security audits conducted after 1 November 2024 must be conducted against the controls listed in the updated RTS, which aligns with the 2022 standard. This means that by 31 October 2025 all relevant licensees will have completed a security audit based on the 2022 standard.
For clarity, any security audit up to 31 October 2024 can be against either the 2013 or 2022 standard.
This extended period will give all relevant licensees time to prepare and ensure they are audited correctly.
Final wording
These changes will come into effect on 31 October 2024. This means any annual security audit conducted after 1 November 2024 must be to the updated 2022 standard.
The final wording of the new security audit requirements can be found in section 4 of the RTS. This section lists the relevant controls of the 2013 standard transposed to the numbering of the 2022 standard with the addition of the control we consulted on, 5.23 ‘Information security for use of cloud services’.
References
[1] The Payment Card Industry Data Security Standard is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.
Last updated: 1 May 2024
Implementation date updated in the final wording section.