Compliance and audit certificates
1) Introduction: why certificates are needed
For iGaming platforms, certification is not only a tick in the box for B2B/B2G contracts and payment partners; it is also a systematic way to reduce incidents, speed up sales and simplify entry into new jurisdictions. It is important to understand the difference between certification (an official certificate issued after an audit), an attestation/audit report (e.g. SOC 2), self-declarations and laboratory test reports (GLI, iTech Labs, eCOGRA).
2) Basic standards map (what, why and when)
3) What is really "certified" and what is not
Third party certifications: ISO 27001, 27701, 22301, 37301, 42001, PCI DSS (QSA/ASV), CSA STAR Level 2.
Auditor's reports: SOC 2 Type I/II, SOC 1 Type I/II (ISAE 3402/SSAE 18).
Tests/laboratory certificates: GLI, eCOGRA, iTech Labs (games, RNG, integrations).
Compliance without a "single certificate": GDPR/UK GDPR, ePrivacy - demonstrated by a set of artifacts (processing registry/RoPA, DPIA, policies, DPA, pentests, ISO 27701, external assessments).
4) Correspondence matrix (simplified map of controls)
(For a detailed map, start your own "Control Matrix.xlsx" with owners and evidence.)
5) 12 Month Roadmap (for iGaming platform)
Q1 - Foundation
1. Gap analysis vs. ISO 27001 + SOC 2 (Trust Services Criteria selection).
2. Appointment of the ISMS Lead, DPO, BCM Owner and PCI Lead.
3. Risk register, data classification, system map (CMDB), audit boundaries (scope).
4. Basic policies: ISMS, Access, SDLC, Change, Incident, Vendor, Crypto/Key Mgmt, Privacy, Sanctions/AML (if applicable).
Q2 - Practices and Technical Controls
5. IAM (RBAC/ABAC), MFA everywhere, password/secret rotation, PAM for admins.
6. Logging/EDR/SIEM, alerting for P0/P1 incidents, "chain of custody."
7. Secure SDLC: SAST/DAST/SCA, pull-request rules, production access granted via the change board.
8. DR/BCP: RTO/RPO, backups, restore rehearsal (tabletop + technical test).
Q3 - Evidence base and "observation period"
9. Pentest of the external perimeter and key services (including games and payments).
10. Vendor risk: DPA, SLA, audit rights, partners' SOC/ISO reports, sanctions screening.
11. Evidence factory: tickets, change logs, trainings, exercise protocols, DPIA.
12. Pre-audit (internal audit) and corrective actions (CAPA).
Q4 - External Assessments
13. ISO 27001 Stage 1/2 → certificate (when ready).
14. SOC 2 Type II (observation period ≥ 3-6 months).
15. PCI DSS 4.0 (QSA or SAQ if tokenization/outsourcing reduces scope).
16. GLI/eCOGRA/iTech Labs - on the roadmap of releases and markets.
6) Evidence Factory (what you show the auditor)
Technical controls: SSO/MFA logs, IAM configs, password policies, backups/restores, encryption (KMS/HSM), hardening checklists, SAST/DAST/SCA results, EDR/SIEM reports, pentest reports and remediation.
Processes: Risk Register, SoA (Statement of Applicability), Change tickets, Incident reports (P0-P2), Post-mortems, BC/DR protocols, Vendor due diligence (questionnaires, DPA, SOC/ISO partners), Trainings (phishing simulations, security awareness).
Privacy: Processing registry, DPIA/PIA, DSR procedures (access/erase/export), Privacy by Design in features, Cookie/Consent logs.
iGaming/labs: RNG/provably fair policy, test/certification results, mathematical model descriptions, RTP reports, build change control.
7) PCI DSS 4.0: How to reduce the audit zone
Tokenize as much as possible and move PAN storage to a certified PSP.
Segment the network (CDE is isolated), prohibit "bypass" integrations.
Document and approve the cardholder data flow and the list of in-scope components.
Set up ASV scans and penetration tests; train support to deal with card incidents.
Consider SAQ A/A-EP/D depending on the architecture.
8) SOC 2 Type II: Practical Tips
Select the relevant Trust Services Criteria: Security, plus Availability/Confidentiality/Processing Integrity/Privacy as the business case requires.
Provide an "observation period" with continuous capture of artifacts (at least 3-6 months).
Assign a control owner for each control and run a monthly self-assessment.
Use "evidence automation" (screenshots, log exports) in the ticket system.
9) ISO 27701 and GDPR: bundle
Build the PIMS as an add-on to the ISMS: controller/processor roles, legal basis for processing, retention periods, DPIA.
Write down the DSR (data subject request) processes and the SLA for handling them.
Map 27701 to GDPR articles in your Control Matrix for audit transparency.
10) GLI/eCOGRA/iTech Labs: How to fit into SDLC
Put game mathematics and RTP under version control and record the invariants; change control goes through the release procedure.
Support "provably fair" descriptions (commit-reveal/VRF), public seeds, verification instructions.
Plan laboratory tests in advance for releases and markets; keep a common "Evidence folder" with templates.
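The commit-reveal scheme mentioned above, as an added example that is not part of the original guide: the operator publishes a SHA-256 commitment to a secret server seed before play, the player contributes a client seed, each round's result is derived with HMAC-SHA256 over the seeds and a nonce, and after the server seed is revealed anyone can recompute every result. The seeds, the six-sided die and the HMAC derivation are assumptions made for this illustration, not a description of any lab's or operator's actual procedure.

```python
import hashlib
import hmac

# Constructed example values (hypothetical, not from any real operator)
SERVER_SEED = bytes.fromhex("9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08")
CLIENT_SEED = "player-chosen-seed"
SIDES = 6  # assumed game: a six-sided die, result in [1, 6]


def commit(server_seed: bytes) -> str:
    """Commitment the operator publishes before play: SHA-256 of the secret server seed."""
    return hashlib.sha256(server_seed).hexdigest()


def outcome(server_seed: bytes, client_seed: str, nonce: int, sides: int) -> int:
    """Derive a result in [1, sides] from HMAC-SHA256(server_seed, client_seed:nonce:round).

    Rejection sampling over 4-byte chunks avoids modulo bias. If all eight chunks
    of a digest are rejected (probability about (sides / 2**32) ** 8), the round
    counter is incremented and a fresh digest is derived.
    """
    limit = (2**32 // sides) * sides  # largest multiple of 'sides' not exceeding 2**32
    rnd = 0
    while True:
        msg = f"{client_seed}:{nonce}:{rnd}".encode()
        digest = hmac.new(server_seed, msg, hashlib.sha256).digest()
        for i in range(0, len(digest), 4):
            value = int.from_bytes(digest[i:i + 4], "big")
            if value < limit:
                return value % sides + 1
        rnd += 1


def verify(commitment: str, server_seed: bytes, client_seed: str,
           nonce: int, sides: int, claimed: int) -> bool:
    """Player-side check after the seed is revealed.

    Returns True only if the revealed seed matches the published commitment AND
    the claimed result recomputes from the public inputs.
    """
    if not hmac.compare_digest(commit(server_seed), commitment):
        return False  # operator revealed a different seed than it committed to
    return outcome(server_seed, client_seed, nonce, sides) == claimed


if __name__ == "__main__":
    published = commit(SERVER_SEED)          # shown to the player before the session
    roll = outcome(SERVER_SEED, CLIENT_SEED, 1, SIDES)
    print("commitment:", published)
    print("roll for nonce 1:", roll)
    print("verifies:", verify(published, SERVER_SEED, CLIENT_SEED, 1, SIDES, roll))
    print("tampered seed verifies:", verify(published, b"\x00" * 32, CLIENT_SEED, 1, SIDES, roll))
```

The evidence a lab or auditor would want alongside such code is the published commitment log, the revealed seeds per session and a written verification instruction that reproduces exactly this derivation; keeping the derivation deterministic and free of modulo bias is what makes the "provably fair" claim checkable rather than merely asserted.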
11) Continuous compliance
Compliance dashboard: controls × owners × status × artifacts × deadlines.
Quarterly internal audits and management review.
Automation: asset inventory, IAM drift, config drift, vulnerabilities, change logging.
Policies are "living" documents: PR-merge process, versioning, changelog.
12) Roles and RACI
13) External Audit Readiness Checklist
1. Defined scope + system/process boundaries.
2. Complete set of policies and procedures (current versions).
3. Risk register and SoA, with CAPA completed for past findings.
4. Incident and post mortem reports for the period.
5. Pentests/scans + elimination of critical/high vulnerabilities.
6. Trainings and proof of completion.
7. Contracts/SLAs/DPAs with key suppliers + their SOC/ISO/PCI reports.
8. Evidence of BCP/DR tests.
9. Confirmations of IAM controls (access revisions, offboarding).
10. Prepared interview scripts for teams and session schedule.
14) Frequent mistakes and how to avoid them
"Policies on paper" without implementation → integrate with Jira/ITSM and metrics.
Underestimate vendor risk → demand reports and audit rights, keep a registry.
No "evidence trail" → automate artifact collection.
Scope creep in PCI → tokenization and strict segmentation.
Delaying BCP/DR → do exercises at least once a year.
Ignoring privacy → Privacy by Design and DPIA in the Definition of Done.
15) Artifact templates (recommended to keep in repository)
Control Matrix.xlsx (ISO/SOC/PCI/27701/22301 map).
Statement of Applicability (SoA).
Risk Register + evaluation methodology.
ISMS Policies (Access, Crypto, SDLC, Incident, Vendor, Logging, BYOD, Remote Work, etc.).
Privacy Pack (RoPA/Processing Registry, DPIA, DSR playbook, Cookie/Consent).
BCP/DR Runbooks and exercise protocols.
Pentest Reports + Remediation Plan.
Vendor Due Diligence Kit (questionnaires, DPA, SLA).
Audit Readiness Checklist (from section 13).
Conclusion
Certification is a project to build managed processes, not a one-time check. Assemble a "skeleton" from ISO 27001 and complement it with SOC 2 Type II (for demanding B2B customers), PCI DSS 4.0 (if you handle card payments), ISO 27701 (privacy), ISO 22301 (business continuity), ISO 37301 (general compliance) and GLI/eCOGRA/iTech Labs (gaming specifics). Maintain the "evidence factory," automate the collection of artifacts and conduct regular internal audits - this way external audits become predictable and pass without surprises.