Solutions The best route to security compliance
Platform A powerful suite of ISMS features
Resources Everything you need to know
Knowledge Base Learn more about infosec
Company Security and customers first
Back to Knowledge & Insights

Step-By-Step Guide: ISO 27001 For The Gambling Sector

Information security in the gambling sector

The gambling sector is a highly regulated landscape, with organisations responsible for safely handling the personal information of hundreds of thousands of customers.

Gambling organisations are also required to retain customer data for a long period of time. In line with requirements for investigations into customer money laundering, the Gambling Commission states that licensees should ensure that data which relates in any way to regulatory compliance should be available for a minimum period of five years after the end of a relationship with a customer.

Securing data is therefore a significant, and ongoing, priority for the sector. Failing to prevent or appropriately respond to security incidents like data breaches can cause severe reputational damage. Having a framework in place to prevent and respond to breaches is key. An information security management system (ISMS) and achieving certifications like ISO 27001 can be crucial to protecting customer information and enhancing your organisation’s reputation.

What is ISO 27001?

ISO 27001 is a globally-recognised information security standard developed by the International Organisation for Standardisation (ISO). The ISO 27001 framework enables you to:

  • Establish
  • Implement
  • Operate
  • Monitor
  • Review
  • Maintain
  • Continually improve


When certified to the ISO 27001, your ISMS ensures your data and information assets’ confidentiality, integrity and availability. In essence, ISO 27001 certification proves that your organisation is efficiently managing the security and confidentiality of information you hold, enabling you to build existing customer trust and engage potential new customers.

As well as reputational benefits, ISO 27001 certification also ensures that your business is more resilient. Cyber attacks are a significant threat to the sector and data breaches can be costly, so it’s important that your organisation has a plan in place to reduce potential damage and cost were a breach successful.

Being ISO 27001 certified also helps your organisation to comply with other industry-wide pieces of legislation, like the EU General Data Protection Regulation (GDPR).

How does ISO 27001 certification help gambling companies comply with the Gambling Commission remote gambling and software technical standards (RTS)?

The Gambling Commission RTS are based on relevant sections of ISO 27001. While being certified to ISO 27001 isn’t required, license holders must meet the RTS requirements including ISO 27001:2013 annex A, outlined below.

A.5 Information security policies

This section is dedicated to providing guidance and support to manage information security. All actions must apply to the scope of the business and comply with any laws governing the company’s jurisdiction.

A.6 Organisation of information security

Annex A.6 states the importance of top management in the implementation and control of your organisation’s ISMS. There must be some form of order and structure in the system operations and the assuring of its effectiveness.

A.7 Human resources security

This section requires that specific measures be taken before, during and after a person’s employment at your organisation.

A.8 Asset management

Annex A.8 aims to identify relevant organisational assets and assign roles to manage their security. The designated person must know how to handle these assets based on predefined guidelines.

A.9 Access Control

This section requires that your organisation restricts employees to view only the information relevant to their role. This reduces the chance of data reaching unauthorised hands and risking leakage.

A.10 Cryptography

The controls in annex A.10 aim to ensure the efficient use of cryptography to promote data confidentiality and integrity.

A.11 Physical and Environmental Security

Annex A.11 controls aim to restrict unauthorised access to physical boundaries and to protect equipment from the effects of human and environmental or natural occurrences.

A.12 Operations Security

Controls in annex A.12 ensure that your information processing operations are well controlled and well managed.

A.13 Communications Security

Annex A.13 controls address issues with network security management and involving matters concerning data transfers, to ensure that conditions that preserve data confidentiality, integrity and availability are in place.

A.14 System acquisition, development and maintenance

This section aims to maintain information security as the foundation of all development processes within your organisation.

A.15 Supplier relationships

The controls in annex A.15 aim to protect your company and its assets within third party agreements with suppliers.

A.16 Information security incident management

This section of the annexure requires your organisation to implement a process to manage security incidents effectively.

A.18 Compliance

Annex A.18 enforces that your organisation identifies relevant laws and regulations that apply to its scope.

If your organisation has already achieved ISO 27001, you may supply existing information to show you comply with the RTS rather than having to duplicate your efforts.

Is ISO 27001 right for your gambling organisation?

Is your team stuck doing important information security tasks using Word, Excel and files that aren’t easy to link up or align?

Are your policies and procedures difficult to keep up to date – or are you unable to confirm they’ve been reviewed by the relevant members of staff?

Are you struggling to log your information assets and the risks associated with them, or are you finding it difficult to collect evidence of your security measures?

Building your ISMS in line with ISO 27001 could be the solution your gambling organisation needs.

What does the ISO 27001 certification process look like?

At Hicomply, we break down the ISO 27001 certification process into six steps.

Step 1: ISMS scoping

You should define the scope of your ISMS to ensure that your ISMS suits your organisation and its needs.

Your ISMS scope process should account for:

  • Business size
  • Complexity
  • Any legal and regulatory requirements
  • Any external and internal issues.

Step 2: Asset register creation

Your asset register’s purpose is to record and manage your organisation’s assets. Those assets include your organisation’s:

  • Hardware
  • Software
  • Information
  • Infrastructure.

Step 3: Risk assessment and treatment

The risk assessment and treatment process shows that you understand the risks that could impact your organisation, how they could impact and that your organisation has a plan in place to mitigate them.

Step 4: Policy and procedure documentation

It’s crucial to document the policies and procedures your organisation uses to protect your data. The number of policies required for ISO 27001 certification varies depending on the size of your business, your industry and the regulations or laws you must comply with.

Step 5: Statement of applicability (SoA)

To create your statement of applicability, your organisation must indicate each clause, control ID, evidence supporting your decision to include or exclude each control in the scope of your ISMS, the process owner, and any further information such as risks identified and mitigated.

Step 6: Internal audit

Your organisation’s internal audit is key to making sure that your ISMS meets the requirements for the ISO 27001 standard. Undertaking an internal audit will put you in the best position for success when it’s time to bring in an external auditor. You can find out more in-depth internal audit information in our ISO 27001 internal audit checklist.

Once you’ve completed your internal audit and addressed any issues raised, you’re ready to run your external audit and achieve certification.

Learn more about our six steps to ISO 27001 certification.

How long does it take to get ISO 27001 certified?

The traditional route to ISO 27001 certification involves hundreds of spreadsheets and documents for evidence. This process can take organisations up to a year. However, businesses using Hicomply can be audit-ready in two to three months using our ISMS scoping tool, automated asset register, task management tool, policy and procedure library and third-party integrations.

Final thought

Team Hicomply has helped hundreds of users on the journey to ISO 27001 compliance. Ready to learn more? Discover the cost of ISO 27001 or book a demo to find out more about how your organisation can achieve ISO 27001 quickly and easily.

More Insights

How to solve a problem like third-party vendors
Spread your ISMS audit over three years
Understanding e-commerce requirements for PCI DSS

Information security made simple

Start your journey to ISO 27001 certification