Gambling Commission Compliance – Security Requirements

The Gambling Commission regulates gambling in the UK. All licensed remote gambling operators and gambling software operators must comply with specific licensing requirements, including technical standards, and provide annual security audit reports.

Newly licensed remote gambling operators must also submit a security audit within six months of being granted a licence, irrespective of whether they are trading.

Get in touch with one of our experts today for more information about the Gambling Commission, or for a free, no obligation security audit quote.

Request a quote

The Gambling Commission’s Remote gambling and software technical standards (RTS) detail the specific technical standards and the security requirements that licensed remote gambling operators and gambling software operators need to meet.

Under section 4 of the RTS, remote gambling operators must complete a third-party annual security audit against specific sections of the ISO 27001 standard and submit an audit report to the Commission.

Gambling operators that obtain certification to the full Standard must be audited against ISO/IEC 27001:2022.

The scope of the security audit needs to cover the following critical systems:

• Electronic systems that record, store, process, share, transmit or retrieve sensitive customer information, e.g. credit/debit card details, authentication information, customer account balances.
• Electronic systems that generate, transmit or process random numbers used to determine the outcomes of games or virtual events.
• Electronic systems that store results or the current state of a customer’s gambling history.
• Points of entry to and exit from the above systems (other systems that are able to communicate directly with core critical systems).
• Communication networks that transmit sensitive customer information.

While the Commission does not approve security audit firms to perform the security audit, it highlights that “Licensees must satisfy themselves that the third party security auditor they intend to use is reputable, is suitably qualified to test compliance with BS ISO/IEC 27001 and that the auditor is independent from the licensee.”

The auditor must be one of the following:

• ISO 27001 Lead Auditor
• Certified Information Systems Auditor (CISA)
• Certified Information Security Manager (CISM)
• Certified Information Systems Security Professional (CISSP)

GRC Solutions has a team of ISO 27001 Lead Auditors, many of whom also hold CISA, CISM or CISSP certificates and are qualified to carry out independent information security audits as required by the Gambling Commission. Talk to us about our Gambling Commission Security Audit service for more details.

GRC Solutions can also assist you in preparing to meet the Gambling Commission security audit requirements and passing the audit.

As a PCI QSA company, we can help operators that process payment cards comply with the Payment Card Industry Data Security Standard (PCI DSS).

The PCI DSS imposes strict information security control requirements on all merchants that process payment cards, and these security requirements overlap and intersect with the controls identified under the Gambling Commission’s technical requirements.

Ensure your web applications are secure

As a CREST-accredited company we can also provide penetration testing services to help you determine whether your web applications are protected from fraudulent activity and unauthorised disclosure.

• We have many years’ experience of performing Gambling Commission security audits as well as over 20 years’ experience implementing ISO 17799/ISO 27001.
• We have fully qualified and experienced ISO 27001 auditors, many of whom also hold CISA®, CISM® or CISSP® certificates.
• We offer comprehensive implementation and remediation support so we can help you address any nonconformities and prepare you to pass your security audit successfully.
• We offer an integrated service, which means that we can also provide penetration testing, as well as Data Protection Act (DPA) and PCI DSS compliance support.
• You will be supported throughout by a dedicated account manager.
• Our transparent pricing enables you to control all your costs.