Technical standards: security requirements
Our testing strategy requires a third party annual security audit against particular sections of ISO/IEC 27001:2013.
You must ensure that the security audit report provided by the security auditor meets our advice. Read our security audit advice.
A copy of the audit report must be submitted to the Gambling Commission by the licensee annually, within 7 days, if requested by the Commission or if any major non-conformities were identified.
Reports containing major non-conformities should be submitted to:
Requested reports should be submitted according to the process set out in the request.
Remote technical standards: section 4
You can obtain a full copy of ISO/IEC 27001:2013 from BSI Customer Services.
The security requirements detail information security standards with the aim of ensuring that you have appropriate controls in place so that customers are not exposed to unnecessary risks when choosing to participate in remote gambling.
The requirements apply to:
- electronic systems that record, store, process, share, transmit or retrieve sensitive customer information, for example credit/debit card details, authentication information, customer account balances
- electronic systems that generate, transmit, or process random numbers used to determine the outcome of games or virtual events
- electronic systems that store results or the current state of a customer’s gamble
- points of entry to and exit from the above systems (other systems that are able to communicate directly with core critical systems)
- communication networks that transmit sensitive customer information.
Breaches of information security may constitute a key event which you must report to us. We have produced guidance to help you in determining when to report security breaches and what information to include in the report.
Whilst we do not require operators to become fully certified against the ISO/IEC 27001:2013 standard, many have chosen to. We allow these operators to supply existing information rather than having to duplicate effort.
Existing information would include:
- accreditation certificate - ensuring that the entities and business functions covered by the accreditation are clearly defined
- Statement of Applicability (SOA) - ensuring it covers all RTS security elements
- copy of last audit report - including management response and an action plan for any findings
- a forward schedule of future audit focus - or some other way of demonstrating that all RTS security elements will be reviewed at least every three years.