Compliance, updated Jun 2026

What Is ISO 27001 in iGaming?

The information-security management certification used as a baseline B2B procurement signal

In short:

ISO 27001 (formally ISO/IEC 27001) is the international standard for information-security management systems. It defines the requirements for establishing, maintaining, and continually improving an ISMS, and is widely used in iGaming as a baseline procurement signal for operators and B2B vendors.

What ISO 27001 covers

ISO 27001 specifies the requirements for an information-security management system: a documented framework of policies, controls, risk assessments, and continual-improvement processes covering the confidentiality, integrity, and availability of information. The standard is paired with ISO 27002, which provides the catalogue of control objectives and recommended controls. The most recent revision (ISO/IEC 27001:2022) restructured the controls in Annex A into four themes: organisational, people, physical, and technological.

Certification is conferred by accredited third-party auditors (UKAS-accredited bodies in the UK, equivalent national accreditation bodies elsewhere). The process follows a Stage 1 documentation review and a Stage 2 implementation audit, with annual surveillance audits and a full recertification audit every three years.

Scope, risk assessment, and control selection

The ISMS scope is defined by the certified organisation, not the standard. A vendor might certify its production-platform operations, its hosted-service operations, or its corporate infrastructure. The certified scope is documented in the Statement of Applicability and shown in the certificate. Operators procuring services pay close attention to scope: a certificate covering corporate IT only is far weaker than one covering the production platform serving customer data.

Risk-based control selection is central. The organisation assesses information-security risks within the defined scope, selects applicable controls from Annex A (and supplementary controls where needed), implements them, and documents residual risk. The selection is reviewed regularly, with documented justification for excluded controls.

ISO 27001 in iGaming B2B procurement

For operators, holding ISO 27001 certification provides a defensible baseline against UKGC, MGA, and other regulator expectations on information security. It also reduces the friction of demonstrating security maturity to customers, regulators, and counterparties. For B2B vendors, ISO 27001 is increasingly a procurement entry ticket. Platform providers, KYC vendors, payment processors, and game studios that hold the certification clear vendor due diligence more easily than peers that do not.

ISO 27001 sits alongside SOC 2 Type 2 in many vendor stacks. Some operators prefer one, some both. PCI DSS sits alongside both for payment-card handling. Together they form the standard set of evidenced security signals expected during procurement, and Gamblers Connect editorial coverage of B2B vendors notes the certifications held.

Frequently asked questions about ISO 27001 in iGaming

How long does ISO 27001 certification take?

Initial certification typically takes 6 to 12 months: 3 to 6 months to design and implement the ISMS, then Stage 1 and Stage 2 audits. Maintenance involves annual surveillance audits and a full recertification audit every three years.

Is ISO 27001 the same as SOC 2?

They overlap but are not equivalent. ISO 27001 certifies the existence and operation of an ISMS. SOC 2 attests to controls against a defined set of Trust Services Criteria. Many iGaming vendors hold both. Operators procuring services may require one, the other, or both.

How much does ISO 27001 certification cost?

Costs vary by organisation size and scope. Direct certification fees often run from low five to mid six figures for the initial certification, with annual surveillance costs lower. Internal implementation cost (policy, process, controls, staff time) typically exceeds the audit cost.

Does ISO 27001 certification satisfy GDPR?

Holding ISO 27001 alone does not satisfy GDPR. GDPR has specific requirements around personal data that go beyond information-security management generally. However, ISO 27001 provides a strong foundation, and ISO/IEC 27701 (the privacy extension to 27001) maps directly to GDPR requirements.

Editorial reference, not financial advice. Glossary entries are explanatory content produced by Gamblers Connect editorial. They are not advice on whether to gamble, where to gamble, or how to allocate your funds. Online wagering is restricted to people aged 18 or 21 or over where applicable.