RTS Security Compliance

Gambling Commission RTS security compliance

July 1st, 2019 Posted in ISO 27001

To operate a remote gambling product in the UK you need to be licensed by the Gambling Commission. To be licensed you’ll need to meet specific conditions pursuant to the Gambling Act 2005. These conditions are set out in the Gambling Commission’s Licence Conditions and Codes of Practice (LCCP).

LCCP licence condition 2.3.1 requires that licensees providing remote gambling products and services must also meet the Gambling Commission’s Remote Technical Standards, which include very specific security standards based on ISO 27001: 2013.

This condition applies to B2B and B2C operators. B2Bs build and operate technical platforms which are used by customer-facing gambling businesses to deliver their own services. B2Cs are the customer-facing businesses. Some build and operate their own platforms but many use platforms provided by B2Bs. The Remote Technical Standards (or ‘RTS’) shouldn’t apply to intermediaries who are effectively white-labelling a third-party service, but whilst working with one B2B to support their security compliance, we have seen the Gambling Commission suggest that an intermediary who holds customer data should also meet the RTS security standards.

Remote technical standards security

The RTS security requirements utilise specific controls from Annex A of ISO 27001: 2013. Licensees don’t need to be ISO 27001 certified but do need to undergo an independent audit annually. The audit report needs to be provided to the Gambling Commission.

Whilst the number of applicable controls appears extensive at first glance, the list is actually just a little over 50% of the controls that an organisation will need to consider (and more likely apply) if it plans to certify to ISO 27001. The control areas in scope are as follows:

  • 5 Information Security Policies
  • 6 Organisation of Information Security
  • 7 Human Resources Security
  • 8 Asset Management
  • 9 Access Control
  • 10 Cryptography
  • 11 Physical & Environmental Security
  • 12 Operations Security
  • 13 Communications Security
  • 14 Systems Acquisition, Development & Maintenance
  • 15 Supplier Relationships

Clearly, this is the full list of control areas, but of the 114 specific controls covered by these areas in Annex A, only 61 are required to satisfy the RTS security requirements.

RTS security scope

The scope to which the RTS security standards must be applied is set by the Gambling Commission. Specifically, the standards apply to the following systems, which are deemed as ‘critical systems’ in the RTS:

  • Electronic systems that record, store, process, share, transmit or retrieve sensitive customer information, e.g. credit/debit card details, authentication information, customer account balances.
  • Electronic systems that generate, transmit, or process random numbers used to determine the outcome of games or virtual events.
  • Electronic systems that store results or the current state of a customer’s gamble.
  • Points of entry to and exit from the above systems (other systems that are able to communicate directly with core critical systems).
  • Communication networks that transmit sensitive customer information.

Gambling Commission security audits

As covered above, remote gambling licensees must ensure they carry out an annual security audit to assess compliance against the RTS security standards. The auditor must be independent and suitably qualified, and a copy of the audit report must be submitted to the Gambling Commission annually. New licensees must submit their first audit report within six months of commencing trading.

The scope of the audit must cover, at least, the scope of the ‘critical systems’ listed above. The audit provider must be clearly independent from the licensee and the audit report must include enough information to enable the Gambling Commission to verify this. The lead auditor must be either a qualified ISO 27001 Lead Auditor, a CISA, CISM or CISSP and have completed external audits of other organisations.

Like ISO 27001, the audit approach must be evidence-based and include reviews of documents, records, contracts, service level agreements, architecture documents and logs, and discussions with key stakeholders and other staff members.

The audit report must include information on the audit provider, the lead auditor, the operator, the locations audited and an executive summary. It must also include the assessment results for each of the RTS security elements, the scope of the audit, the audit methodology followed, details of the evidence obtained and the results of the audit.

Audit results should be reported as per ISO 27001 audits, with observations, minor non-conformities and major non-conformities all reported. Management plans to address identified issues should also be identified. More details on the audit requirements together with an example audit report are provided in the Gambling Commission’s Security Audit Advice document.

Meeting the Gambling Commission security requirements

If you plan to licence remote gambling products or to retain your licence, you’ll need to demonstrate that you have security controls in place that meet the ISO 27001: 2013 Annex A controls listed above. From our experience it’s clear that the Gambling Commission is also looking more closely at management engagement and will ask for timelines of decisions and steps taken to implement the security requirements if it doubts the security obligations are being met.

Our advice would be to start by meeting the RTS requirements by implementing an information security management system that covers the ‘critical systems’ and the Annex A controls listed by the Gambling Commission.

Thereafter we would recommend increasing the scope of your ISMS to cover your wider business and a ‘statement of applicability’ that addresses all 114 Annex A controls. This will help demonstrate that you take security seriously, will embed a security culture, and help with other regulatory compliance requirements by ensuring ongoing risk management. It will also show credibility to customers and partners.

Need help?

Working alongside a leading law firm, we have assisted remote gambling operators and have experience of the Gambling Commission requirements.

We can help you prepare to meet the RTS standards and are qualified to provide security audits which meet the Gambling Commission RTS security standards. Our legal partner can help you satisfy your broader licensing obligations.

If you would like assistance with the Gambling Commission security requirements, please do contact us.

Written by Sean Huggett

Sean specialises in data protection, information risk and information security consulting. He is a qualified barrister, having been called to the Bar in 1998, and started his career as an in-house lawyer working in intellectual property, data protection and commercial contracts. He later progressed into commercial leadership roles, working in a number of sectors before specialising in governance, risk and compliance with a focus on privacy and security. Sean is also Managing Director at Evalian™. His qualifications include IAPP CIPP-E, CIPT, GDPR Practitioner Certificate, ISO 27001 Lead Implementer, ISO 27001 Lead Auditor and CISMP.