Second consultation concerning an update of the Danish Gambling Authority’s certification programme

21, Dec 2021

In connection with the consultation of the Danish Gambling Authority’s certification programme earlier this year, the Danish Gambling Authority has received consultation responses which have given rise to further changes of the certification programme. Interested parties are welcome to comment on the update.  

Second consultation on certification programme 2021

The Danish Gambling Authority must receive the comments no later than Monday the 10th of January 2022. Please submit the comments via the contact form and select the category “Certification”.  

Submit your comments via the contact form

The Danish Gambling Authority expects the updated certification programme to enter into force on 1 January 2023 to allow time for both licence holders and testing houses to become compliant with the updated requirements. 

The new changes primarily concern the requirements for the testing houses, who must oversee testing and inspection etc. of the licence holders’ games and business systems. The changes made in this area can be illustrated in the following way: 

Current requirements 

  • Testing standards: ISO 17020 or ISO 17025
  • Inspection standards: ISO 17020 or ISO 17025
  • Information security management system: ISO 17020 or ISO 17025
  • Penetration testing: ISO 17020 or ISO 17025 + PCI/ASV-approval
  • Vulnerability scanning: ISO 17020 or ISO 17025 + PCI/ASV-approval
  • Change management programme: ISO 17020 or ISO 17025

Future requirements

  • Testing standards: ISO 17025 or ISO 17065
  • Inspection standards: ISO 17020 or ISO 17065
  • Information security management system: ISO 17021-1 or ISO 17065
  • Penetration testing: ISO 17025, ISO 17065 or PCI/ASV-approval
  • Vulnerability scanning: PCI/ASV-approval
  • Change management programme: ISO 17021-1 or ISO 17065

Explanation of ISO accreditation 

  • ISO 17020: Requirements for the operation of various types of bodies performing inspection.
  • ISO 17021-1: Requirements for bodies providing audit and certification of management systems.
  • ISO 17025: General requirements for the competence of testing and calibration laboratories.
  • ISO 17065: Requirements for bodies certifying products, processes and services.

The Danish Gambling Authority considers it necessary to make the above changes so that in the future, ISO accreditations targeted the individual areas are used. Among other things, this means that ISO-17020 and ISO-17025 accreditations targeted inspection bodies and testing laboratories, respectively, and which have been used for all areas up until now, in the future only will be used in the areas targeted by the ISO accreditation.

Neither ISO 17020 nor ISO 17025 targets the assessment of management systems, which is why none of them are optimal to use in the areas “Information security management system” and “Change management programme”.  

In the area of vulnerability scanning, the Danish Gambling Authority has chosen to maintain the first draft and require an ASV-approval, since this is considered the leading standard within vulnerability scannings. 

In the area of penetration testing, there is not only one standard. The quality in this area is highly dependent on personal qualities. However, the Danish Gambling Authority will not let the requirements for the testing organisations be based on personal qualifications alone. We see a need for the testing organisations to document that they as a business comply with certain standards. Consequently, the Danish Gambling Authority suggests that testing houses must have an ISO-17025, an ISO-17065 or an ASV-approval to be able to conduct penetration testings. 

The Danish Gambling Authority notes that the new ISO accreditations brought into play in the update of the certification programme should not be unknown to testing organisations operating in the gambling industry since they are already in use in other jurisdictions.