The Gambling Commission requires that all license holders comply with the Remote Gambling and Software Technical Standards (RTS) and that annual security audits are carried out by an independent, qualified security specialist.
In May 2024, the Gambling Commission updated its Remote Gambling and Software Technical Standards (RTS) to align with ISO 27001:2022. The key changes which came into effect on 31 October 2024 were:
- References to ISO/IEC 27001:2013 have been amended to ISO/IEC 27001:2022.
- One new control has been added to the RTS security audit requirements:
  - 5.23 Information security for use of cloud services
- The transition timeline for the new standard was as follows:
  - Until October 31, 2024, security audits could be conducted against either the 2013 or 2022 version of the standard.
  - From November 1, 2024, all security audits had to be conducted against the controls listed in the updated RTS, which aligns with the 2022 version of the standard.
  - By October 31, 2025, all relevant licensees must have completed a security audit based on the 2022 version of the standard.
- Remote inspection techniques can now be used to verify relevant controls, although the Commission still does not consider that a good audit can be conducted remotely based only on documentation.
- The Commission has clarified reporting requirements for operators who obtain full ISO 27001 accreditation.
These changes are designed to ensure that gambling operators maintain up-to-date information security standards, particularly addressing the growing use of cloud services in the industry.
Shown below are the updated controls, with the corresponding 2013 control numbers shown in brackets.
Organisational controls
5.1 Policies for information security (2013 5.1.1, 5.1.2)
5.10 Acceptable use of information and other associated assets (2013 8.1.3, 8.2.3)
5.15 Access control (2013 9.1.1, 9.1.2)
5.16 Identity management (2013 9.2.1)
5.17 Authentication information (2013 9.2.4, 9.3.1, 9.4.3)
5.18 Access rights (2013 9.2.2, 9.2.5, 9.2.6)
5.19 Information security in supplier relationships (2013 15.1.1)
5.20 Addressing information security within supplier agreements (2013 15.1.2)
5.21 Managing information security in the ICT supply chain (2013 15.1.3)
5.22 Monitoring, review and change management of supplier services (2013 15.2.1, 15.2.2)
5.23 Information security for use of cloud services (New)
5.24 Information security incident management planning and preparation (2013 16.1.1)
5.25 Assessment and decision on information security events (2013 16.1.4)
5.26 Response to information security incidents (2013 16.1.5)
5.28 Collection of evidence (2013 16.1.7)
5.35 Independent review of information security (2013 18.2.1)
People controls
6.3 Information security awareness, education, and training (2013 7.2.2)
6.5 Responsibilities after termination or change of employment (2013 7.3.1)
6.7 Remote working (2013 6.2.2)
6.8 Information security event reporting (2013 16.1.2, 16.1.3)
Physical controls
7.8 Equipment siting and protection (2013 11.2.1)
7.10 Storage media (2013 8.3.1, 8.3.2, 8.3.3, 11.2.5)
7.14 Secure disposal or re-use of equipment (2013 11.2.7)
Technological controls
8.1 User endpoint devices (2013 6.2.1, 11.2.8)
8.2 Privileged access rights (2013 9.2.3)
8.3 Information access restriction (2013 9.4.1)
8.5 Secure authentication (2013 9.4.2)
8.7 Protection against malware (2013 12.2.1)
8.13 Information backup (2013 12.3.1)
8.15 Logging (2013 12.4.1, 12.4.2, 12.4.3)
8.17 Clock synchronisation (2013 12.4.4)
8.18 Use of privileged utility programs (2013 9.4.4)
8.20 Networks security (2013 13.1.1)
8.21 Security of network services (2013 13.1.2)
8.22 Segregation of networks (2013 13.1.3)
8.24 Use of cryptography (2013 10.1.1, 10.1.2)
8.25 Secure development life cycle (2013 14.2.1)
8.26 Application security requirements (2013 14.1.2, 14.1.3)
8.27 Secure system architecture and engineering principles (2013 14.2.5)
8.29 Security testing in development and acceptance (2013 14.2.8, 14.2.9)
8.30 Outsourced development (2013 14.2.7)
8.31 Separation of development, test and production environments (2013 12.1.4, 14.2.6)
8.32 Change management (2013 12.1.2, 14.2.2, 14.2.3, 14.2.4)
8.33 Test information (2013 14.3.1)
How can Dionach help?
Gap Assessment
Dionach’s consultants will review your current policies, procedures and practices against the controls listed in the RTS and produce a detailed Gap Analysis Report which outlines your current compliance levels and highlights any areas that need to be addressed.
UK Gambling Commission ISO 27001 Audit
Our highly experienced team of auditors will conduct a full evaluation against the controls listed in the RTS and produce a detailed report outlining areas of non-conformance and suggesting corrective actions.