
ISO 27001 readiness for iGaming.

Player data, payment integrity, supplier governance, and jurisdiction-sensitive compliance. AFEND treats UKGC, MGA, Curaçao, and Kahnawake not as footnotes but as first-class overlays that shape what evidence your SoA actually needs.

Jurisdictions with ready overlays
UKGC · MGA · Curaçao · Kahnawake

Pick your licences at setup; the obligations register opens with jurisdiction-specific evidence requirements and retention rules instead of a blank sheet.

Licence obligations mapped per workspace
Annex A cross-walk

Every licence obligation (RTS, MGA directives, Curaçao conditions) is pre-mapped to the Annex A controls it touches. Nothing falls through the cracks at audit.

Player-risk control scaffolding
Fraud + RG + KYC

Self-exclusion testing, withdrawal freeze runbooks, KYC retention schedules - drafted in the templates, linked to the controls they prove.

Focus areas pre-loaded for this profile

  • Player PII and deposit history protection
  • Payment fraud and bonus abuse monitoring
  • Platform provider and studio governance
  • KYC, AML, and responsible gambling obligations
  • Jurisdiction compliance (UKGC, MGA, Curaçao)

Why it’s hard

The friction iGaming teams hit before AFEND.

  1. Licensing regimes that don't agree on wording: UKGC, MGA, Curaçao, and Kahnawake each ask overlapping but not identical questions, and most auditors ask you to reconcile them.
  2. Payment fraud and bonus abuse are live operational problems - your fraud team's controls are real controls, but they're rarely written up in auditor-friendly form.
  3. Responsible-gambling obligations (self-exclusion, deposit limits, affordability checks) are both a regulatory obligation and an ISO 27001 'interested party' requirement.
  4. Platform vendors and studios with privileged access to player data are often the largest single sub-processor and the thinnest contractual evidence.
  5. KYC, AML, and sanctions screening use the most sensitive PII you hold - classification and retention rules need to work across all three.

What auditors ask

The questions an external auditor opens with.

Not the Annex A wording. The real questions your auditor puts in the Stage 1 interview - and that AFEND makes answerable by construction.

  • Q1: How do you demonstrate that a self-excluded player cannot re-register under a new email, end to end?
  • Q2: Your fraud-team playbook: how a suspect withdrawal is flagged, frozen, investigated, and documented.
  • Q3: The platform provider's SOC 2 or ISO attestation, plus your own contractual security clauses.
  • Q4: How player financial data is separated from marketing analytics (spoiler: it usually isn't).
  • Q5: Evidence of KYC document retention and destruction matching your licence's minimum and maximum schedule.

Scrutinised controls

Annex A controls the auditor will press on for iGaming.

All 93 Annex A controls go through the Statement of Applicability. These six get disproportionate scrutiny in iGaming engagements - AFEND surfaces them on the SoA dashboard so you approve them first.

A.5.34

Privacy and protection of PII

Player PII mixed with deposit history mixed with behavioural data - the data-flow diagram is the artefact. If it doesn't exist in one picture, you're not ready.

A.5.20

Addressing information security within supplier agreements

Platform providers and game studios hold keys to player identities and balances. Contract clauses that reference ISO 27001 specifically are the evidence.

A.5.31

Legal, statutory, regulatory and contractual requirements

Map every licence obligation to a control in the SoA. UKGC RTS, MGA directive 3/2018, Curaçao control conditions - each gets a row.

A.8.15

Logging

Financial action logging is a licence obligation, not just an ISO control. Retention is jurisdiction-sensitive. Tamper-evident is the bar.

A.8.25

Secure development life cycle

Game vendors integrate via RGS/SDKs. Your SDLC evidence has to cover third-party integrations, not just code your team wrote.

A.5.26

Response to information security incidents

An incident that affects player funds is often a licence-reportable event on a tight clock. The playbook has to name the regulator, not just the internal ticket.

Evidence you need

Artefacts the readiness pack must contain.

Mapped to the Annex A controls above. AFEND’s evidence room accepts file uploads, external-system links, and review cycles; the auditor export bundles them in the expected structure.

  • Data-flow diagram covering KYC → wallet → withdrawal with classification labels
  • Platform-provider compliance attestations + contractual security clauses
  • Fraud-detection runbook with recent dated investigations
  • Responsible-gambling control test record (self-exclusion end-to-end)
  • Player data retention schedule mapped per licence jurisdiction
  • Incident register with regulator-reportable events flagged
  • Access control to player financial data separated from marketing analytics

Common pitfalls

Mistakes we see every iGaming team repeat.

Anti-pattern

Treating platform provider attestations as enough for your own SoA.

Fix

Their certificate proves their controls. Yours has to prove the configuration, integration, and monitoring you operate on top. Document it.

Anti-pattern

Responsible-gambling written into marketing but not into engineering tickets.

Fix

Each RG obligation (self-exclusion, deposit limit, reality check) maps to a concrete code path. Link the ticket to the control in the SoA.

Anti-pattern

KYC documents retained indefinitely 'just in case'.

Fix

Retention schedule per licence, plus a legal basis per document type. Auditors prefer short, deliberate retention and a written destruction record over a 'we keep everything' posture.

Anti-pattern

Fraud team's controls unwritten because 'everyone knows what to do'.

Fix

A shadow-and-draft exercise makes the real control visible. That runbook is the audit evidence.

FAQ

Questions iGaming buyers ask us.

We're licensed in multiple jurisdictions - does AFEND handle that?

Yes. Each licence is an 'obligation' in the register with its own evidence requirements and retention schedule. The SoA cross-maps Annex A controls to each obligation, so one implementation covers them all and the differences are explicit.

Our RGS / game provider already has ISO 27001. Do we still need it?

Yes. Their certificate covers their controls. Your certificate covers how you integrate with them, handle player data on top, and operate the wallet and withdrawal flows. Regulators increasingly require both.

How does ISO 27001 help with AML / KYC obligations?

It doesn't replace them, but it formalises how the PII you collect for KYC is protected, retained, and destroyed. The auditor will ask for your retention schedule per document type - AFEND's obligations register keeps it with the legal basis.

Does an ISO 27001 certificate help with regulator reputational reviews?

In practice, yes. UKGC's fitness assessments and MGA's periodic reviews both cite information security maturity. A current ISO 27001 certificate doesn't automate the review but it shortens the evidence trail.

Ready for iGaming

Open a workspace with the iGaming overlay already loaded.

14-day trial, no credit card. The iGaming risk library, the six core controls, and the evidence scaffolding above are pre-seeded the moment you choose this industry at setup.
