Updated RTS Audit Requirements

June 14th, 2024 Posted in ISO 27001

RTS audit requirements to align with ISO 27001:2022

The Gambling Commission has released information regarding the transition of RTS Security Audits from the requirements of ISO 27001:2013 to those of ISO 27001:2022. The Gambling Commission is planning to align itself with the requirements of ISO 27001:2022; this change will replace the current requirements outlined in ISO 27001:2013. As of the 31st of October 2024, organisations undergoing RTS Security Audits will be required to audit against a selection of controls from the ISO 27001:2022 standard. This blog aims to highlight the key additions and changes.

What are the new RTS Requirements?

There is only one new requirement identified from this transition. This requirement has been established due to the increasing popularity of Cloud Service Providers, with the aim of ensuring that organisations consider information security in their use of cloud services. The new control is detailed below:

A.5.23 – Information Security for use of Cloud Services

Organisations will need to ensure that they include their Cloud Service Provider(s) within their current Supplier Management Process if not done so already. This includes establishing processes for the acquisition, use, management and exit from Cloud Services in line with your organisation’s information security requirements.

What are the changed RTS Requirements?

There have been slight changes within some requirements of RTS Security Audits. These relate to a change of terminology or a slight addition to processes and procedures. The changes are detailed in the table below:

2013 Control (old): A.9.4.3 Password management system
2022 Control (new): A.5.17 Authentication information
Change: This requirement no longer specifically calls out organisations to utilise a Password Management System when managing and securing authentication information.

2013 Control (old): A.14.2.6 Secure development environment
2022 Control (new): A.8.31 Separation of development, test and production environments
Change: This requirement now specifies that development, test and production environments will need to be segregated and secure.

2013 Control (old): A.16.1.3 Reporting information security weaknesses
2022 Control (new): A.6.8 Information security event reporting
Change: This requirement no longer considers Information Security Weaknesses. The emphasis is on reporting observed or suspected Information Security Events.

Important Note

The UK Gambling Commission has always established the requirement for an RTS Security Audit to be conducted on-site by a qualified auditor. In the past, this requirement has been relaxed and many auditors have been able to conduct remote RTS Security Audits. Recently, we have witnessed that this requirement is being more diligently enforced, whereby licensees must provide a business justification as to why the audit is not conducted on-site.

What does this mean for your organisation?

The most significant change will involve the layout of the requirements, also known as controls. Several controls from ISO 27001:2013 have been consolidated into single requirements, as illustrated in the ISO 27001:2022 controls.

These changes will not have a detrimental impact on the way organisations that currently undergo RTS Security Audits operate. As described above, there is only one new requirement, regarding Supplier Management, that may require a development of current processes, and three revised requirements involving a change in terminology or a slight addition to current processes and procedures.

Organisations conducting gambling and lottery activities will still be required to undergo annual RTS Security Audits as defined by the Gambling Commission to ensure their Information Security is appropriately controlled and protected. We strongly suggest that licensees make arrangements for their annual audits to be conducted onsite rather than remotely.

Further Information on RTS

We encourage all organisations who are unsure of the requirements of the Gambling Commission to refer to the Gambling Commission website linked below for further detail:

Remote gambling and software technical standards (RTS) – 4 – Remote gambling and software technical standards (RTS) security requirements (gamblingcommission.gov.uk).

Need help with RTS security compliance? 

Before your RTS security requirements audit, our team of expert ISO 27001 consultants can help you prepare. We can support you with all levels of readiness activities, including document creation, process review and pre-audit assessments to ensure that you have everything you need for a smooth audit experience. 

Our team here at Evalian also includes certified ISO 27001 Lead Auditors with experience in conducting RTS security requirements audits. Whether you're a charity lottery or the next big online casino, speak to one of our friendly sales team now to see how we can help.


Written by Jamie Saunders

Prior to joining Evalian, Jamie completed a BSc (Hons) in Computer Science at the University of Winchester in 2023. Jamie has joined the team as an ISO Advisor, bringing experience in Computer Science from university and, before that, from working within Thames Valley Police as a Police Community Support Officer, advising on and dealing with minor and major crime when needed.