
Strategy

Testing strategy for compliance with remote gambling and software technical standards

Requirements for the timing and procedures for the testing of remote gambling products.

Third party annual security audit

Table 1 sets out that an annual security audit must be carried out [13] to assess compliance against the security requirements of the RTS. The security requirements are based on relevant sections of ISO/IEC 27001:2013 and these are listed in Section 4 of the RTS. The Commission does not intend to approve security audit firms to perform the security audit, as many licensees already have arrangements with appropriate security auditors.

Licensees must satisfy themselves that the third party security auditor is reputable, is suitably qualified to test compliance with ISO/IEC 27001:2013 and that the auditor is independent from the licensee.

Licensees must keep their security audit on file once completed. If requested by the Commission, licensees must make available a copy of the full security audit produced by their auditor within 7 days of the request. It must be submitted in the manner specified in the Security audit advice note, including management responses to any identified issues.

Where major non-conformities are identified during a security audit, the licensee must submit a copy of the security audit to the Commission within 7 days of its receipt, without waiting for a request. The security audit should be supplied in the manner specified in the Security audit advice note, including an explanation of the failings identified and the management responses. Management responses may be provided in a covering letter if not included within the security audit.

The security auditor’s report must comply with our security audit advice.

The Commission is aware that many licensees are also subject to PCI DSS [14] and are audited for those purposes. The Commission considers its security standards to be sufficiently broad that audits conducted against other standards may meet some, but not necessarily all, of the Commission's requirements. Licensees will need to ensure that their audits cover the full scope of the security requirements as set out in Section 4 of the RTS; a PCI DSS audit scoped only to the cardholder data environment will not, on its own, cover systems such as random number generators or game state storage.

The Commission has highlighted the systems that are most critical to achieving the Commission's aims; the security standards apply to these critical systems:

  • electronic systems that record, store, process, share, transmit or retrieve sensitive consumer information, for example credit or debit card details, authentication information and consumer account balances
  • electronic systems that generate, transmit or process random numbers used to determine the outcome of games or virtual events
  • electronic systems that store results or the current state of a consumer's gamble
  • points of entry to and exit from the above systems (other systems that are able to communicate directly with core critical systems)
  • communication networks that transmit sensitive consumer information.

References

[13] The following categories of licences require the full security audit by an independent auditor: remote general betting (standard) (virtual events), remote betting host (virtual events), remote pool betting, remote betting intermediary, remote bingo operating, remote bingo (host), remote casino, remote casino (game host) and remote lottery licences (entries greater than £250,000 per year).

[14] PCI DSS: Payment Card Industry Data Security Standard.
