
Why PSPs and odds providers are your real attack surface

PSPs and odds providers are your real attack surface because they sit between your players and the money, data and outcomes you are trusted to protect. You often find that your highest security risks sit in these payment and odds services, not just in your own code. When those services fail, are breached or behave unpredictably, customers and regulators still see your logo, not your supplier’s, so your governance and technical controls have to treat key partners as if they sit inside your own environment.

Why PSPs and odds providers sit inside your security boundary

PSPs and odds providers sit inside your security boundary because their systems directly shape player journeys, money flows and game integrity, even when they run on someone else’s infrastructure. If those services are compromised or unstable, the impact lands on your customers, your regulators and your licence, so you must govern them as tightly as the systems you build yourself.

In most game studios and iGaming operators, the experiences players see depend on a chain of external services. PSPs handle deposits and withdrawals. Odds and data providers drive pricing, settlement and integrity. KYC and AML tools screen customers. Hosting and content‑delivery networks keep everything reachable. If any of these falter, customers see your brand, not the logo of an upstream supplier.

You should therefore treat key suppliers as extensions of your own environment, even if they sit on separate networks and in different jurisdictions. Attackers and regulators already think this way. Supply‑chain compromise is attractive because one successful intrusion can open doors into dozens of operators at once. A single PSP breach can expose payment tokens, account identifiers and behavioural data across multiple brands, while a manipulated odds feed can skew prices, corrupt settlement and mask suspicious patterns until it is too late.

Clear sight of who really runs your systems turns vague third‑party risk into concrete, fixable exposure.

It is also unusual for you to deal with a single, neatly bounded supplier. PSPs rely on their own processors, fraud engines and infrastructure providers. Odds companies source data from leagues, scouts and upstream feeds, then distribute it through aggregators. Each link in that chain introduces extra attack surface. If you only think about the brand on your contract, you miss much of the true dependency map that attackers and regulators care about.

A practical starting point is to create a single supplier‑dependency register for anything that touches player data, money flows or game integrity. That usually means capturing, in one owned place:

  • Every PSP, odds or data provider, KYC/AML tool, hosting platform and key SaaS that touch critical data or processes.
  • What each one does, which systems they connect to and which products or markets depend on them.
  • Who is accountable for keeping this view accurate and regularly reviewed.

Together, these details give you a realistic picture of where your real attack surface lies. Many operators choose to keep this register in an ISMS platform such as ISMS.online so that records, risks and controls stay linked instead of disappearing into static spreadsheets.

Finally, remember this is not just a security‑architecture exercise. Fraud, game‑integrity and AML teams often understand supplier failure modes better than anyone. Bringing them into the conversation early helps you frame risks in terms of disputes, investigations and licence conditions, not just technical exploits. That shared view is exactly what you need when you start implementing ISO 27001 control A.5.19 in a serious, structured way.

How attackers exploit PSP and odds‑provider weaknesses

Attackers exploit PSP and odds‑provider weaknesses by abusing the trust and automation you have placed in their integrations, not only by stealing raw data. They look for weak endpoints, loose authentication and poorly monitored changes that let them alter behaviour or syphon value while staying below your normal alert thresholds.

Common patterns include tampering with callback URLs or API credentials so that payment confirmations are forged, exploiting weak authentication on management portals, or abusing test environments that are loosely protected but still wired to production workflows. On the odds side, attackers focus on manipulating prices, delays and error‑handling logic, knowing that automated trading engines may react blindly under time pressure.

You reduce these attack paths by combining supplier governance with technical safeguards. That means validating which endpoints suppliers can talk to, applying least‑privilege access, logging and monitoring integrations and insisting on change notifications when PSPs or odds providers alter their systems. A.5.19 gives you the governance umbrella for this work; your security architecture brings it to life in code and configuration. You should always adapt these measures to your specific regulatory, contractual and technical context and seek specialist advice where needed.
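One way to close the forged-confirmation path described above, given here as an added example rather than code from the article or from any PSP: an operator-side verifier that checks a hypothetical PSP's HMAC-signed callback, enforces a replay window, accepts only transactions the operator itself created and logs every decision. The signing scheme, header names, secret and sample events are assumptions constructed for this example.

```python
"""Verifying a PSP payment-confirmation callback (added example).

Assumes a hypothetical PSP that signs each callback as
HMAC-SHA256(secret, "<timestamp>.<raw body>") and sends the hex digest in an
X-Signature header alongside an X-Timestamp header. The scheme, header names,
secret and sample events are constructed for this example, not a real PSP's API.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Shared secret agreed with the PSP at onboarding (constructed placeholder value).
CALLBACK_SECRET = b"example-shared-secret-rotate-me"
# Widest clock skew tolerated before a callback is treated as a replay.
MAX_SKEW_SECONDS = 300


def sign_callback(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC over timestamp and raw body, so neither can be swapped independently."""
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()


@dataclass
class CallbackVerifier:
    secret: bytes
    known_transactions: Set[str]                          # transaction ids we initiated
    seen_events: Set[str] = field(default_factory=set)    # replay protection
    audit_log: List[str] = field(default_factory=list)    # every decision, with reason

    def verify(self, headers: Dict[str, str], body: bytes, now: float) -> Tuple[bool, str]:
        """Return (accepted, reason). Rejections are logged, never silently dropped."""
        ts = headers.get("X-Timestamp")
        sig = headers.get("X-Signature", "")
        if ts is None or not sig:
            return self._reject("missing signature headers")
        try:
            skew = abs(now - int(ts))
        except ValueError:
            return self._reject("malformed timestamp")
        if skew > MAX_SKEW_SECONDS:
            return self._reject("timestamp outside replay window")
        # Check the signature before parsing anything: unauthenticated input
        # should not reach the JSON parser or the payment business logic.
        if not hmac.compare_digest(sign_callback(self.secret, ts, body), sig):
            return self._reject("bad signature")
        try:
            event = json.loads(body)
        except ValueError:
            return self._reject("malformed body")
        event_id = str(event.get("event_id"))
        tx_id = str(event.get("transaction_id"))
        if event_id in self.seen_events:
            return self._reject(f"replayed event {event_id}")
        # A valid signature only proves the PSP sent it; the transaction must
        # also be one this operator actually created.
        if tx_id not in self.known_transactions:
            return self._reject(f"unknown transaction {tx_id}")
        self.seen_events.add(event_id)
        self.audit_log.append(f"ACCEPT event={event_id} tx={tx_id}")
        return True, "ok"

    def _reject(self, reason: str) -> Tuple[bool, str]:
        self.audit_log.append(f"REJECT {reason}")
        return False, reason


def build_sample_callback(secret: bytes, timestamp: int, event: dict) -> Tuple[Dict[str, str], bytes]:
    """Construct a signed callback as the hypothetical PSP would send it (test fixture)."""
    body = json.dumps(event, separators=(",", ":")).encode()
    headers = {"X-Timestamp": str(timestamp),
               "X-Signature": sign_callback(secret, str(timestamp), body)}
    return headers, body


if __name__ == "__main__":
    now = 1_700_000_000
    verifier = CallbackVerifier(CALLBACK_SECRET, known_transactions={"tx-1001"})
    headers, body = build_sample_callback(
        CALLBACK_SECRET, now, {"event_id": "ev-1", "transaction_id": "tx-1001", "status": "paid"})
    print(verifier.verify(headers, body, now))          # genuine confirmation accepted
    print(verifier.verify(headers, body, now))          # same event again is a replay
    tampered = body.replace(b'"status":"paid"', b'"status":"refunded"')
    print(verifier.verify(headers, tampered, now))      # edited body fails the signature
    print("\n".join(verifier.audit_log))
```

The audit log is what you hand to fraud and AML teams when a dispute arrives: it records why a confirmation was trusted or refused, not only that a request was seen.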



What ISO 27001 A.5.19 actually expects from you

ISO 27001 A.5.19 expects you to manage supplier security as a continuous, risk‑based lifecycle from selection and onboarding through day‑to‑day operation, change and exit. It is not enough to send one questionnaire; you need an ongoing process you can explain and evidence to auditors, gaming regulators and payment schemes whenever they ask.

In practice, that means treating PSPs, odds providers and other key vendors as part of your own information‑security programme. Decisions about them should be documented, risk‑based and repeatable, not just stored in individual inboxes. Auditors increasingly look for proof that you have made conscious trade‑offs rather than simply trusting every supplier with a certificate.

The lifecycle ISO 27001 A.5.19 expects you to run

The lifecycle ISO 27001 A.5.19 expects you to run starts with identifying in‑scope suppliers and ends with secure termination, with risk‑based checks at every stage. Auditors typically look for clear ownership, consistent criteria and evidence that you actually follow the process, especially for high‑impact relationships such as PSPs and odds providers.

Because the official text of ISO/IEC 27001:2022 and ISO/IEC 27002:2022 is paywalled, you should always refer directly to the standards for exact wording. In plain language, Annex A control A.5.19 (“Information security in supplier relationships”) asks you to define and operate a process for managing the information‑security risks that arise when you rely on suppliers’ products and services. That process must cover selection, onboarding, operation, change and termination, not just the sales cycle.

For a game studio or iGaming operator, that turns into five concrete responsibilities:

  • Maintain a clear inventory of in‑scope suppliers: capture PSPs, odds providers, data partners, KYC tools, hosting platforms and other vendors that could affect your services.
  • Classify supplier risk in a structured, documented way: separate genuinely critical suppliers from lower‑impact tools and treat them differently.
  • Carry out proportionate due diligence before and during the relationship: scale the depth of checking with risk, rather than applying a one‑size‑fits‑all questionnaire.
  • Embed information‑security requirements into agreements: keep security obligations in contracts and service levels, not just in emails or slide decks.
  • Monitor suppliers and their changes over time: assume risk will change and track performance, incidents and service changes so you can respond quickly.

These are the elements auditors and regulators expect to see operating in your environment. If you can show how suppliers move through this lifecycle, who owns each step and what evidence it produces, you are a long way towards satisfying A.5.19.

How A.5.19 links to A.5.20–A.5.22 and privacy law

A.5.19 links closely to A.5.20–A.5.22 and to data‑protection law because together they describe how you must control supplier behaviour from contract through daily operation. They define the governance, contractual and technical expectations that regulators and auditors use when they decide whether your third‑party risk management is credible.

A.5.19 is not the only supplier‑related control in ISO 27001. It sits alongside three close companions that are particularly important for PSPs and odds providers:

  • A.5.20 – Addressing information security within supplier agreements: focuses on what your contracts, service‑level agreements and security schedules must say.
  • A.5.21 – Managing information security in the ICT supply chain: zooms in on technical and development relationships such as cloud infrastructure, remote gaming servers and core SaaS platforms.
  • A.5.22 – Monitoring, review and change management of supplier services: covers how you keep oversight as services and risks evolve.

Together they form a coherent framework: A.5.19 defines the overall governance and process; A.5.20 makes it contractual; A.5.21 applies it specifically to the ICT supply chain; and A.5.22 ensures everything stays current.

You also need to reconcile A.5.19 with privacy and data‑protection concepts. Under laws such as the GDPR, you may act as a controller. PSPs, odds providers and analytics vendors may be processors, joint controllers or separate controllers. ISO 27001 does not override those roles. Instead, A.5.19 gives you a structured way to ensure appropriate technical and organisational measures appear in how you choose, contract with and monitor those parties, so your legal positions are backed by operational reality.

Many teams fall into the trap of thinking, “Our PSP is certified, so this is covered.” A certification or attestation can be useful evidence, but A.5.19 is about your own governance: your risk decisions, your records and your monitoring. If you cannot show why you judged a PSP acceptable, what conditions you set and how you have kept that judgement under review, you have not really implemented the control. For regulated gaming, that matters twice over, because gambling regulators increasingly hold licence holders responsible for supplier behaviour, even when those suppliers are also regulated elsewhere.








Translating A.5.19 into the gaming and gambling value chain

A.5.19 becomes practical when you map its supplier language onto your real gaming journeys, markets and regulatory obligations. When colleagues can see exactly which PSPs, odds providers and platforms support each player step, they are much more willing to help you assess and control the risk.

Rather than starting from a generic list of controls, you make more progress by starting from what players see and regulators scrutinise. That means identifying the key journeys in your games and betting products, the suppliers that power each step and the specific harms that would occur if any of those suppliers failed or were compromised.

Mapping A.5.19 onto your gaming supplier ecosystem

Mapping A.5.19 onto your gaming supplier ecosystem means starting from the journeys your players follow and the services that support them, rather than from an abstract controls list. Auditors respond best when you can show exactly which suppliers are involved at each stage and what would happen if any of them failed.

Start with your own ecosystem rather than a template. In a typical operator or content provider, in‑scope suppliers often include:

  • PSPs and gateways handling card payments, wallets, open banking and alternative methods.
  • Odds and sports‑data providers whose feeds drive markets and settlement.
  • KYC and AML vendors providing identity verification, sanctions screening and transaction monitoring.
  • Cloud and hosting providers, content‑delivery networks and managed service partners.
  • Remote gaming servers, platform providers and back‑office tools.
  • CRM, marketing automation and communications tools that handle player data.
  • Affiliates and performance‑marketing partners that receive tracking or audience data.
  • Outsourced customer support, fraud operations or technical‑support teams.

Together, these suppliers form the core of your in‑scope ecosystem for A.5.19.

Once you have this catalogue, map it onto the journeys and processes that matter most. One useful technique is to lay out the full bet lifecycle: registration, deposit, game or bet selection, in‑play changes, settlement, cash‑out or withdrawal and account closure. At each step, ask which suppliers are involved, what data moves where and what a failure would do to players and regulatory obligations.

Visual: end‑to‑end bet lifecycle showing supplier touchpoints at each step.

You can repeat this for other journeys such as content updates, risk and trading operations or major incident response. This exercise helps everyone see that PSPs and odds providers are not abstract boxes; they are embedded inside the experiences players care about and the controls regulators expect you to operate.

Using journeys and regulators to focus your supplier effort

Using journeys and regulators to focus your supplier effort means tagging each vendor by the processes it supports and the authorities that care most about its behaviour. This helps you prioritise due diligence and monitoring where failures would have the largest commercial, regulatory or player‑trust impact.

Alongside journeys, look outward at your regulatory landscape. For each supplier type, identify which external bodies care most:

  • Gambling regulators, who focus on fairness, player protection, anti‑money laundering and systems integrity.
  • Financial regulators and payment schemes, who focus on payment security, fraud reduction and sanctions.
  • Data‑protection authorities, who care about lawful processing, security of personal data and cross‑border transfers.

Tagging suppliers in your register with their primary regulatory touchpoints helps you focus due diligence and evidence collection where it matters. For example, a PSP used in a high‑risk market may warrant deeper AML and sanctions checks than a KYC vendor used only for age verification in one jurisdiction.

You should also confront concentration risk. Some suppliers are much harder to replace than others. A niche analytics tool can often be swapped out with limited impact. A PSP that processes half of your deposits, or an odds provider that underpins your most popular leagues, may take months to migrate. Your A.5.19 documentation should reflect these realities. High‑dependency relationships belong at the top of your risk list and deserve the strongest controls and most frequent reviews.

By grounding the control in concrete value‑chain mapping and regulatory focus, you prepare the ground for the next steps: performing a deep risk analysis for PSPs and odds providers, designing a fit‑for‑purpose classification scheme and building proportionate due diligence and contracts around it.




Risk deep dive: PSPs vs odds providers

A risk deep dive on PSPs and odds providers shows that both are critical but for different reasons: PSPs concentrate payment and fraud exposure, while odds providers drive fairness, settlement and betting integrity. PSPs sit at the intersection of gambling, payments and financial regulation, while odds providers sit at the intersection of sport, trading engines and fairness obligations. Explaining these differences in simple terms helps senior leaders understand why you apply slightly different control strategies to each group and tune A.5.19 to those realities instead of applying a single generic approach.

The distinctive risk profile of PSPs

The distinctive risk profile of PSPs comes from their position at the junction of gambling, payments and financial regulation, where outages or compromises quickly become visible to players, banks and supervisors. When PSP flows fail, your fraud, AML and behavioural controls can break quietly behind the scenes as well as loudly at the customer interface.

PSPs often handle sensitive financial and behavioural data, even when you offload most cardholder information to them. You still share tokens, identifiers and logs that can be misused. A compromised PSP integration can lead to account takeover, fraudulent withdrawals, abuse of stored payment instruments or credential‑stuffing attempts against your own login flows.

Beyond confidentiality, PSPs are subject to payment‑security standards and strong customer‑authentication rules intended to reduce fraud. They may also face national restrictions on processing certain gambling transactions. If a PSP misclassifies your traffic, blocks legitimate customers or allows prohibited flows, you will carry part of the blame with regulators and schemes.

Operationally, PSP downtime has an immediate, visible effect. If deposits or withdrawals fail, complaints, chargebacks and social‑media criticism spike quickly. Repeated PSP instability can also distort your fraud, AML and behavioural models if events arrive late or not at all. In many operators, PSP‑driven incidents are among the first that regulators hear about directly from players.

The distinctive risk profile of odds and sports‑data providers

The distinctive risk profile of odds and sports‑data providers lies in their impact on fairness, integrity and the perception of a level playing field. When their feeds are delayed, corrupted or manipulated, you can misprice markets, mis‑settle bets and miss signs of suspicious activity that gambling regulators and sports bodies expect you to catch.

Odds and sports‑data providers primarily influence integrity and fairness, though the financial impact can be just as large. Their role is to deliver timely, accurate and tamper‑resistant information about events, prices and results. If feeds are delayed, in‑play markets may close unexpectedly or hang at stale prices. If feeds are manipulated (through compromise, insider fraud or upstream match‑fixing), you may offer unfair odds, settle bets incorrectly or miss suspicious betting patterns that regulators and sports‑integrity teams expect you to detect.

Because odds feeds often drive automatic trading decisions, errors can compound within seconds and affect thousands of bets. Regulators increasingly expect you to demonstrate how you assure feed integrity, how quickly you can detect anomalies and what you do when issues arise. That means combining supplier oversight, internal monitoring and clear incident‑response plans.
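The feed‑integrity monitoring described above, as an added example that is not part of the original article: a monitor that applies sequence, price‑plausibility and staleness checks to a constructed sample feed and suspends the affected markets rather than letting a trading engine react blindly to a delayed or manipulated update. The message format, thresholds and sample messages are assumptions made for this example, not any real provider's feed.

```python
"""Odds-feed integrity checks over a constructed sample feed (added example).

The message format (feed-wide sequence number, market id, timestamp, decimal
price) and the thresholds are invented for illustration, not a real provider's
format. The monitor fails closed: replays are dropped, and a sequence gap,
implausible price or silent in-play market suspends trading until a trader resumes it.
"""
from dataclasses import dataclass
from typing import Dict, List

STALE_AFTER_SECONDS = 30.0   # an in-play market with no update for this long is stale
MAX_RELATIVE_MOVE = 0.40     # a >40% price change in a single update is implausible
MIN_DECIMAL_PRICE = 1.01     # decimal odds below this cannot be a genuine price


@dataclass
class FeedMessage:
    seq: int          # feed-wide sequence number, expected to increase by exactly one
    market_id: str
    ts: float         # provider timestamp, seconds
    price: float      # decimal odds


@dataclass
class MarketState:
    last_ts: float
    last_price: float
    suspended: bool = False


class FeedMonitor:
    def __init__(self) -> None:
        self.last_seq = 0
        self.markets: Dict[str, MarketState] = {}
        self.alerts: List[str] = []

    def ingest(self, msg: FeedMessage) -> List[str]:
        """Apply one message and return the alerts it raised (empty if none)."""
        raised: List[str] = []

        def alert(reason: str) -> None:
            text = f"{msg.market_id} seq={msg.seq}: {reason}"
            raised.append(text)
            self.alerts.append(text)

        # 1. Sequence integrity: a replay is dropped without touching state; a gap
        #    means updates were lost for unknown markets, so every market is suspended.
        if msg.seq <= self.last_seq:
            alert("replayed or out-of-order message dropped")
            return raised
        if msg.seq != self.last_seq + 1:
            alert(f"sequence gap {self.last_seq} -> {msg.seq}; all markets suspended")
            for state in self.markets.values():
                state.suspended = True
        self.last_seq = msg.seq

        # 2. Price plausibility for this market.
        state = self.markets.get(msg.market_id)
        if msg.price < MIN_DECIMAL_PRICE:
            alert(f"impossible decimal price {msg.price}")
        elif state is not None:
            move = abs(msg.price - state.last_price) / state.last_price
            if move > MAX_RELATIVE_MOVE:
                alert(f"price moved {move:.0%} in one update ({state.last_price} -> {msg.price})")
        if state is None:
            state = self.markets[msg.market_id] = MarketState(msg.ts, msg.price)
        state.last_ts, state.last_price = msg.ts, msg.price
        if raised:
            state.suspended = True    # fail closed until a trader resumes the market
        return raised

    def check_staleness(self, now: float) -> List[str]:
        """Suspend open markets the feed has gone quiet on; return their ids."""
        stale: List[str] = []
        for market_id, state in self.markets.items():
            if not state.suspended and now - state.last_ts > STALE_AFTER_SECONDS:
                state.suspended = True
                self.alerts.append(f"{market_id}: no update for {now - state.last_ts:.0f}s; suspended")
                stale.append(market_id)
        return stale

    def is_tradable(self, market_id: str) -> bool:
        state = self.markets.get(market_id)
        return state is not None and not state.suspended

    def resume(self, market_id: str) -> None:
        """A trader re-opens a market after reconciling prices with the provider."""
        self.markets[market_id].suspended = False


# Constructed sample feed: one replay, one implausible move and one sequence gap.
SAMPLE_FEED = [
    FeedMessage(1, "m-1", 1000.0, 2.10),
    FeedMessage(2, "m-2", 1000.0, 1.80),
    FeedMessage(3, "m-1", 1005.0, 2.05),   # ordinary move
    FeedMessage(3, "m-1", 1005.0, 2.05),   # duplicate of seq 3
    FeedMessage(4, "m-2", 1006.0, 1.05),   # 1.80 -> 1.05 is a 42% drop
    FeedMessage(6, "m-1", 1012.0, 2.00),   # seq 5 never arrived
]


def run_sample() -> FeedMonitor:
    monitor = FeedMonitor()
    for msg in SAMPLE_FEED:
        monitor.ingest(msg)
    return monitor
```

Running run_sample() produces three alerts (the replay, the 42% drop on m‑2 and the gap before seq 6) and leaves both markets suspended; check_staleness(now) is what a scheduler would call between messages to catch a feed that simply stops.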

A simple comparison can help you explain these differences to stakeholders:

  • Primary impact – PSPs (payments): cash flow, fraud, chargebacks. Odds providers (pricing/data): fairness, settlement accuracy, betting integrity.
  • Data sensitivity – PSPs: financial identifiers, transaction histories. Odds providers: event data, prices, results, potentially player trends.
  • Key regulators – PSPs: financial supervisors, payment schemes, AML bodies. Odds providers: gambling regulators, sports‑integrity bodies.
  • Typical failure mode – PSPs: authorisation drops, outages, misclassified traffic. Odds providers: delays, stale data, incorrect or manipulated prices.
  • Main control focus – PSPs: payment security, AML coverage, resilience, reporting. Odds providers: data integrity, anomaly detection, contingency feeds.

This table is not exhaustive, but it anchors a richer risk discussion in concrete dimensions everyone recognises.

You should also examine how these risks interact. For example, if a PSP and an odds provider both experience problems during a major event, you could face payment disputes and betting complaints at the same time. Combined scenarios like that are where your incident and resilience planning really gets tested. Documenting these interactions in your risk assessments makes it easier to justify stronger controls for some suppliers and to explain your decisions to auditors and regulators.








Designing a supplier risk classification for PSPs and odds feeds

Designing a supplier risk classification for PSPs and odds feeds means turning a messy set of impressions into a simple tiering model that anyone can apply. The aim is not perfect scoring, but consistent, transparent decisions that you can defend to auditors, regulators and internal stakeholders when incidents or changes occur.

A good classification model turns a complex supplier landscape into clear, repeatable tiers that non‑specialists can use. The goal is not a mathematically perfect score. It is to align how much harm a supplier could cause with how much effort you invest in controlling that risk, and to do so in a way your teams can explain to regulators.

Choosing practical risk criteria for PSPs and odds feeds

Choosing practical risk criteria for PSPs and odds feeds means selecting a handful of business‑relevant measures and applying them consistently, rather than chasing an elaborate scoring system. When security, risk, product and commercial teams all classify suppliers the same way, regulators see a mature, well‑governed approach.

For most game studios and iGaming operators, four tiers work well: critical, high, medium and low. Rather than vague labels like “strategic supplier” or “high spend”, define tiers using concrete criteria that matter to your business, such as:

  • Transaction volume and value: how much money moves through this supplier, directly or indirectly?
  • Licence impact: could a failure or breach here trigger regulator interest or threaten licence conditions?
  • Data sensitivity: what types of personal, financial or behavioural data does the supplier handle or see?
  • Technical coupling: how tightly is the supplier woven into your core systems, and how hard would it be to replace them?
  • Availability dependence: what happens to players and to other controls if this supplier is down or unreliable?

PSPs and odds providers will usually score highly on several of these axes, so many will justifiably land in the critical tier. That is not a flaw; it reflects reality. The important step is to write down what each tier means in practice so teams across security, risk, procurement and product can make consistent decisions.

To avoid subjective judgements, encode your classification logic into simple questions or scoring matrices. Different teams should be able to apply the same criteria to a supplier and land on the same tier most of the time. Where they do not, treat that as a signal that your criteria need refinement, not as an argument about personalities or budgets.

Clear risk tiers turn heated arguments about individual suppliers into structured conversations about agreed rules.

Turning risk tiers into concrete treatment plans

Turning risk tiers into concrete treatment plans means linking each classification to a defined minimum set of checks, contract terms and monitoring activities. This gives your teams a playbook to follow for PSPs and odds providers instead of reinventing the approach with every new deal or incident.

Once you have agreed tiers, link each one to a baseline treatment plan. For example, you might decide that critical suppliers must:

  • Undergo enhanced due diligence, including security and resilience assessments beyond basic questionnaires.
  • Receive executive‑level visibility for onboarding, renewal and any major changes.
  • Accept stronger contract terms covering security, continuity, audit rights and incident response.
  • Be monitored more frequently, with regular reporting and review meetings.

High‑risk suppliers might receive a slightly lighter version of this baseline. Medium‑risk suppliers could face basic due diligence and standard contractual clauses. Low‑risk suppliers may only require simple checks to confirm they do not unexpectedly handle sensitive data or critical processes.

To keep this model relevant, treat it as a living artefact. New products, new regulatory expectations and changing threat patterns can shift which suppliers are truly critical. Nominate an owner, often the CISO or head of risk, and schedule a regular classification review with technical, business and compliance stakeholders. Adjust criteria, tiers and baselines as needed and make sure changes are reflected wherever you store supplier records, such as an ISMS platform like ISMS.online.

With this in place, A.5.19 stops being an abstract expectation to “manage supplier risk” and becomes a practical engine that drives who you scrutinise, how rigorously you do it and how often you revisit earlier decisions.




Due diligence, onboarding and contracting that really holds up

Due diligence, onboarding and contracting only hold up under pressure when they reflect your risk tiers and produce evidence you can reuse across audits, regulators and internal reviews. For PSPs and odds providers, that means asking focused questions, capturing answers in a structured way and turning agreements into enforceable obligations rather than vague promises.

Risk classification tells you where to focus. Due diligence and contracts are where you convert that focus into expectations that can withstand regulator questions, player complaints and difficult incidents. Generic questionnaires and soft wording in contracts rarely stand up when money has been lost or fairness is questioned.

Building a due‑diligence pack that actually gets used

Building a due‑diligence pack that actually gets used means designing short, standard question sets by risk tier and wiring them into procurement, rather than sending ad‑hoc spreadsheets. When busy product or commercial teams see due diligence as part of the normal deal flow, they are far more likely to complete it properly.

For each PSP and odds provider, you should design a standard due‑diligence pack that answers the same core questions every time. The aim is to be consistent and proportionate, not to drown suppliers in paperwork. Typical elements include:

  • Corporate details and ownership, so you understand who ultimately controls the supplier.
  • Regulatory permissions and licences for relevant financial and gambling activities.
  • A summary of information‑security governance, policies and key controls.
  • Evidence of secure development and change‑management practices for relevant systems.
  • Business‑continuity and disaster‑recovery capabilities, including expected recovery times.
  • A high‑level incident history and how similar events were handled.

For critical suppliers, you might add deeper technical reviews, architectural diagrams, penetration‑test summaries or the right to speak to key security personnel. For medium‑ and low‑risk suppliers, a lighter questionnaire and public statements may be sufficient. The essential point is that the depth of checking reflects the risk tier and that you store outputs where auditors and regulators can see them.

A pragmatic way to embed this is to integrate due‑diligence packs into procurement and vendor‑management workflows. If security questions and evidence capture live in a separate, manual process, they will be skipped under time pressure. If they are part of standard approval flows in your ISMS or vendor‑management tool, they become routine rather than exceptional.

Step 1 – Decide your minimum questions per risk tier

Define the essential topics you will always ask critical, high, medium and low‑risk suppliers to cover.

Step 2 – Build reusable templates and owner roles

Create simple templates for each tier and assign clear owners for sending, chasing and reviewing them.

Step 3 – Embed those templates into procurement and onboarding flows

Connect templates to existing purchasing and contracting steps so they are triggered automatically.

Step 4 – Store and link outputs to supplier records and risk assessments

Keep completed packs linked to supplier profiles, risk ratings and contracts in one trusted place.

These simple steps move due diligence from ad‑hoc requests into a repeatable, auditable activity that gaming regulators and auditors recognise as robust.

Putting enforceable security and continuity terms into contracts

Putting enforceable security and continuity terms into contracts means working with Legal to create clear, reusable security schedules aligned to your risk tiers. Regulators and auditors care less about elegant wording and more about whether clauses are specific enough to be tested and used when incidents or disputes occur.

ISO 27001 A.5.20 expects you to put information‑security requirements into supplier agreements in a way that is clear and enforceable. That usually means working with Legal to develop security schedules or addenda that you can attach to master service agreements and data‑processing agreements.

For PSPs and odds providers, those schedules should cover, in proportionate detail:

  • Which standards, laws and internal policies the supplier is expected to support.
  • Minimum technical and organisational controls, such as encryption, access control, logging, monitoring and environment segregation.
  • Timelines and formats for reporting incidents that affect your players or operations.
  • Rights to obtain independent assurance, request clarifications or conduct audits within reasonable bounds.
  • Rules for appointing and changing sub‑processors, and obligations to keep you informed.
  • Business‑continuity and disaster‑recovery commitments, including recovery objectives.
  • Clear procedures for secure termination, including data return or deletion and transition assistance.

To keep negotiations manageable, many organisations create internal “bands” of contractual terms by risk tier. Critical suppliers must accept a defined set of security and continuity commitments, while medium‑risk suppliers may be offered a simplified version. Agreeing these bands early between Commercial, Legal and Security prevents each deal from becoming a fresh argument about baseline expectations.

You also need to think ahead to the end of the relationship. Exiting a PSP or odds provider under pressure (after an incident, dispute or regulatory issue) is rarely clean. Building explicit termination and transition clauses into contracts, and rehearsing what they mean in realistic scenarios, can stop a difficult situation from becoming a full‑blown security or compliance crisis.








Living with the risk: monitoring, incidents and change

Living with supplier risk under A.5.19 means proving that oversight continues long after contracts are signed, through routine monitoring, clear incident playbooks and structured change‑management. Gaming regulators and auditors often judge your maturity less by policies and more by how you behave when PSPs and odds providers stumble or change direction.

Once a PSP or odds provider is live, the real test of your A.5.19 implementation is how you manage the relationship over time. Monitoring, incident handling and change management are where theory either becomes daily practice or quietly fails, especially under pressure from major sporting events or seasonal peaks.

What proportionate, ongoing supplier monitoring looks like

Proportionate, ongoing supplier monitoring combines scheduled checks and event‑driven reviews so critical PSPs and odds providers receive more attention than low‑impact tools. Auditors typically expect to see a calendar of reviews, clear owners and a record of what you did when performance, incidents or scope changed.

Monitoring should combine routine checks with event‑driven responses. For each risk tier, define what “ongoing oversight” actually means. For critical and high‑risk suppliers, that might include:

  • Regular performance and availability reports, especially around major events.
  • Periodic security statements or updated assurance reports.
  • Refreshing due‑diligence questionnaires at agreed intervals.
  • Scheduled review meetings to discuss incidents, changes and upcoming plans.

For medium‑ and low‑risk suppliers, lighter‑touch approaches may be enough, such as annual check‑ins or simple confirmations that nothing material has changed. The important thing is that the depth and frequency of monitoring are proportionate to risk, clearly documented and demonstrably happening.

An integrated ISMS platform such as ISMS.online can help you keep these activities consistent by linking supplier records, risks, actions and review tasks. Instead of hunting through mailbox folders for old performance reports, your team can see a single timeline of oversight activity for each PSP or odds provider.

Responding to incidents and supplier changes without chaos

Responding to incidents and supplier changes without chaos depends on agreeing playbooks in advance and wiring supplier notifications into your own processes. When PSPs or odds providers experience problems, regulators look for evidence that you already knew who would lead, who would inform them and how you would protect players while the issue is resolved.

Incident handling deserves particular attention. When a PSP or odds provider experiences a security event, you may learn about it at the same time as other customers, or later. To avoid confusion and finger‑pointing at the worst moment, agree incident playbooks with key suppliers in advance.

Those playbooks should make clear:

  • What kinds of events must be reported to you, and within what timeframes.
  • Points of contact on both sides, including alternates.
  • How you will share logs and forensic information, within legal and contractual limits.
  • Who is responsible for communication with regulators, payment schemes, partners and players.
  • How you will coordinate recovery steps and post‑incident reviews.

Visual: simple swimlane diagram linking supplier incidents to your security, compliance, product and customer‑support roles.

Tabletop exercises around realistic scenarios (a compromised PSP tokenisation service, a corrupted odds feed during a high‑profile match) can reveal gaps before real crises do. They also help senior leaders understand their roles and prepare for external scrutiny.

Change management is the other half of “living with the risk.” Suppliers rarely stand still: they add services, open new data centres, adopt new sub‑processors, merge with other firms or pivot business models. Many of these changes alter your risk profile. A mature A.5.19 process ensures significant supplier changes trigger reassessment, not just a technical integration ticket.

You can achieve this by requiring suppliers to notify you of material changes, wiring those notifications into your own change‑ and risk‑assessment processes and updating classifications, due‑diligence records and contracts where appropriate. Involving security, compliance, product and commercial stakeholders in these decisions reduces the chance that someone accepts a change that others would have challenged.

Bringing everything together, many organisations create a single “supplier‑governance” operating model that connects A.5.19, A.5.20, A.5.21 and A.5.22. In practice, that often means:

  • A central register containing suppliers, risk classifications, key contacts and regulatory tags.
  • Linked records for risk assessments, due‑diligence outputs, contracts, incidents and reviews.
  • Workflows that guide onboarding, monitoring, change handling and termination.
  • Dashboards that give leadership a structured view of supplier risk and oversight.

Running this model consistently is demanding if you rely on emails and standalone documents. An ISMS platform like ISMS.online can give you the structure, prompts and evidence linking to make supplier governance sustainable rather than heroic.




Book a Demo With ISMS.online Today

ISMS.online helps you turn ISO 27001 A.5.19 into a manageable, everyday discipline by giving you one place to control, evidence and improve supplier security for PSPs, odds providers and other high‑risk partners. That turns A.5.19 from a once‑a‑year scramble into a normal part of how you run your games and betting products. When supplier governance lives in one structured environment and teams can see the same picture and follow the same workflows, you reduce audit panic, increase confidence with regulators and internal stakeholders, and free people to focus on building great experiences while still demonstrating control.

How ISMS.online turns A.5.19 from paperwork into daily practice

ISMS.online turns A.5.19 from paperwork into daily practice by linking your suppliers, risks, contracts, controls and actions in a single ISMS. Instead of hunting through email threads and drives, you see a joined‑up history of decisions, reviews and incidents that auditors and regulators can follow without confusion.

A dedicated ISMS platform is one of the most effective ways to keep your supplier‑security lifecycle running without burning out your people. ISMS.online is built around ISO 27001 and related standards, so it already understands the relationships between A.5.19, A.5.20, A.5.21 and A.5.22. Instead of forcing you to assemble a patchwork of spreadsheets and shared folders, it provides a single environment where:

  • Supplier records, risk classifications, contracts and evidence all live in one place, linked to your wider ISMS.
  • Workflows guide teams through onboarding, assessment, approval, monitoring, change and termination.
  • Controls and policies aligned to Annex A.5.19–A.5.22 can be adopted, adapted and assigned without starting from scratch.
  • Actions, decisions and exceptions are tracked with clear ownership and history for audit and regulatory review.

For game studios and iGaming operators, this makes it much easier to treat PSPs, odds providers and other high‑risk suppliers as first‑class citizens in your security and compliance programme. Security, compliance, legal, product and commercial stakeholders can all see the same picture and understand their roles.

A practical way to explore the value is to start with one or two real relationships, for example a core PSP and a major odds provider. Load their details, contracts, risk ratings and known incidents into ISMS.online and map them to the workflows the platform provides. You will quickly see where you already have strong evidence, where processes are informal and where there are gaps. Early wins such as cleaner licence responses, faster due diligence and fewer repeated audit questions help build internal support.

Deciding whether now is the right time to invest

Deciding whether now is the right time to invest in an ISMS platform comes down to how painful it feels to keep everything aligned with your current tools. If supplier governance already strains spreadsheets, manual trackers and inboxes, a structured environment usually pays for itself in reduced stress, clearer evidence and smoother audits.

If you are still testing your approach, you can start by applying these ideas with your current tools: build a supplier register, define risk tiers, standardise due diligence and tighten contracts. As those practices mature, you will probably find that keeping everything aligned across teams and jurisdictions becomes the real challenge. That is the point at which an ISMS platform stops being a nice‑to‑have and becomes the natural next step.

When you are ready, booking a demo with ISMS.online lets you see how your world would look with a structured backbone for supplier governance. You can bring your own PSP and odds‑provider examples to the conversation, explore how the workflows map to your reality and decide whether the platform is the right fit for your size, markets and regulatory pressures.

Choose ISMS.online if you want ISO 27001 A.5.19 to feel like part of how you build and run secure, trusted games rather than a tense rush before each audit or regulator visit.

This information is for general guidance only and does not constitute legal or regulatory advice. You should always seek advice from qualified professionals who understand your specific regulatory and contractual obligations.




Frequently Asked Questions

How should ISO 27001 A.5.19 change the way you treat PSPs and odds providers?

ISO 27001 A.5.19 should push you to treat PSPs and odds providers as extensions of your own ISMS and licence risk, not as distant integrations you only look at during onboarding. If their failure can touch money, markets, player data or regulators, they sit firmly inside your control environment.

What lifecycle does A.5.19 really expect in an iGaming context?

A usable lifecycle for A.5.19 in gaming and betting usually covers five linked stages:

Scoping and registration

You maintain a single, owned register of third parties that can influence:

  • player data (identity, KYC/AML outcomes, behavioural data, account history)
  • payment flows (deposits, withdrawals, chargebacks, wallet balances, bonus credit)
  • bet and game integrity (odds, settlement logic, risk models, market availability)

That register is updated when:

  • a new PSP, odds feed or trading partner is proposed
  • an existing supplier changes scope, geography or product mix
  • a relationship is downgraded, replaced or terminated

Risk classification and tiering

You apply simple, published criteria, for example:

  • revenue and transaction dependency
  • impact on licence obligations, schemes and card brands
  • personal and financial data sensitivity
  • technical coupling and ease of replacement
  • exposure during peaks (major sporting events, jackpots, promos)

Those answers place suppliers into critical / high / medium / low tiers that visibly drive:

  • due‑diligence depth
  • contract strength
  • monitoring cadence and escalation

Proportionate due diligence and onboarding

Higher tiers receive:

  • structured questionnaires and evidence requests
  • architecture and data‑flow reviews
  • assurance artefacts (for example, ISO 27001, PCI DSS, SOC 2 where relevant)
  • explicit sign‑off before first production traffic

Lower tiers follow a lighter pattern so you don’t drown in low‑impact checks.

Named ownership and ongoing reviews

You assign clear owners for:

  • keeping the register and risk ratings accurate
  • updating due‑diligence records and controls when services change
  • running periodic reviews and signing off residual risks

Those reviews are time‑boxed and evidence‑based, not “we looked at it and it seemed fine”.

Exit and learning

You plan how you will leave before you go live:

  • data return or verified deletion
  • key and credential revocation
  • decommissioned endpoints or rules
  • changes to risk posture and resilience assumptions

Each exit adds “what we’d do differently next time” into your model, so strengths and gaps compound over time.

If you centralise this lifecycle in ISMS.online (supplier register, risk logic, due‑diligence outputs, contracts, monitoring notes and exits), you can show auditors that A.5.19 isn’t a policy paragraph; it is how you treat PSPs and odds providers every day.


Which suppliers really fall under A.5.19 in an iGaming or betting ISMS?

A.5.19 covers any external party whose failure or compromise could materially damage confidentiality, integrity, availability, compliance or player trust. In gaming and betting that quickly extends beyond traditional “IT vendors”.

How can you systematically decide who belongs in scope?

A practical way to avoid blind spots is to walk through the real journeys your players and teams experience, then layer suppliers on top.

Map the real journeys

Cover two tracks:

  • Player and transaction journey:

Registration → verification → deposit → gameplay or bet placement → in‑play updates → settlement → withdrawal → dispute handling → account closure.

  • Internal operating journey:

Risk and trading decisions, odds and content updates, marketing campaigns, fraud and AML handling, incident management, licence reporting and audits.

At each step, list every third party that touches data, decisions or funds, for example:

  • PSPs and gateways
  • sports‑data and odds providers
  • managed trading desks and risk advisors
  • KYC/AML/fraud platforms
  • hosting, CDN, DDoS and logging providers
  • outsourced development or operations teams with production access

Ask three grounding questions for each supplier

For every name on that map:

  • If this supplier fails or is compromised, what does the player experience first? (blocked deposits, missing markets, wrong odds, delayed settlements, frozen withdrawals)
  • Which regulators or schemes would demand answers, and which obligations would you immediately struggle to meet? (licence conditions, AML reporting, PSD2/SCA, GDPR, card‑scheme rules)
  • How hard is it to replace them, technically, commercially and from a licence perspective?

If any answer points to blocked funds, incorrect bets or results, missed reporting, visible game integrity issues or obvious loss of trust, that supplier belongs inside your A.5.19 scope.

Recording these decisions in one ISMS.online workspace helps you:

  • avoid over‑controlling low‑impact SaaS tools that never see player data or money
  • stop missing “non‑IT” dependencies, such as advisory firms or outsourced trading teams, that regulators still see as part of your control environment

Over time, that map becomes a strong story for auditors: “Here is exactly who we rely on, why they matter, and how A.5.19 shapes how we manage them.”


How can you risk‑classify PSPs and odds providers so your controls stay proportionate?

Risk classification is useful when anyone involved in onboarding can apply it quickly and get to the same tier, and when those tiers drive different actions. Over‑engineered models almost always end up ignored under deadline pressure.

What does a simple but effective classification model look like?

Start with a short set of concrete questions that can be answered in normal language during onboarding:

1. Business and revenue dependency

  • What share of deposits, withdrawals, trading volume or active markets depends on this supplier?
  • Would a failure here directly block or distort major revenue streams or flagship events?

2. Regulatory and licence impact

  • Would a significant incident almost certainly trigger scrutiny from your gambling regulator, card schemes, AML authority or data‑protection regulator?
  • Does this supplier operate in markets or regimes that increase your regulatory exposure?

3. Data sensitivity and role

  • Does the supplier handle identity documents, payment data, KYC results, behavioural data, device fingerprints or trading algorithms?
  • Are they acting as a data processor, joint controller or independent controller for any of that information?

4. Technical coupling and resilience

  • Is this supplier effectively a single point of failure for payments, odds, settlement or reporting?
  • Do you have realistic alternatives, dual‑sourcing or manual fallbacks?

5. Change pace and transparency

  • How often do they change interfaces, file formats, limits or logic in ways that affect your controls or reports?
  • How early and clearly do you learn about those changes?

You can translate the answers into a tier table, for example 1–4 scores per question that roll up to critical, high, medium or low. The important part is what each tier unlocks:

  • Critical (most of your volume or licence exposure): enhanced due diligence, strong clauses, regular reviews, explicit incident playbooks, and dual‑sourcing where realistic.
  • High (important but not existential): focused due diligence, targeted clauses, annual formal reviews plus trigger‑based checks.
  • Medium/Low: sensible checks and simpler terms that reflect their modest impact.
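To make the roll‑up concrete, here is an added worked example in Python. It is an illustration written for this page, not ISMS.online code or an ISO 27001 requirement. It assumes each of the five questions above is scored 1 to 4, that the scores are summed, and that the tier thresholds are illustrative; it also adds one assumed rule the text does not state: a score of 4 on business dependency or regulatory impact floors the supplier at the high tier, so a single existential dimension cannot be averaged away by low scores elsewhere. The resulting tier resolves to the control set described above, which is the record you would attach to the supplier entry in your register.

```python
"""Supplier risk tiering: an added worked example, not ISMS.online code.

Assumptions (not taken from the article): each of the five questions scores
1-4, the scores are summed to 5-20, the tier thresholds are illustrative, and
a 4 on business dependency or regulatory impact floors the tier at "high" so
one existential dimension cannot be averaged away by low scores elsewhere.
"""
from dataclasses import dataclass
from typing import Dict, List

QUESTIONS = (
    "business_dependency",   # 1. business and revenue dependency
    "regulatory_impact",     # 2. regulatory and licence impact
    "data_sensitivity",      # 3. data sensitivity and role
    "technical_coupling",    # 4. technical coupling and resilience
    "change_pace",           # 5. change pace and transparency
)

TIER_ORDER = ("low", "medium", "high", "critical")

# Assumed roll-up: minimum summed score for each tier, checked highest first.
TIER_THRESHOLDS = ((17, "critical"), (13, "high"), (9, "medium"), (5, "low"))

# What each tier unlocks, following the tier descriptions in the article.
TIER_CONTROLS: Dict[str, List[str]] = {
    "critical": ["enhanced due diligence", "strong contract clauses",
                 "regular reviews", "explicit incident playbook",
                 "dual-sourcing where realistic"],
    "high": ["focused due diligence", "targeted clauses",
             "annual formal review", "trigger-based checks"],
    "medium": ["sensible checks", "simpler terms"],
    "low": ["sensible checks", "simpler terms"],
}


@dataclass(frozen=True)
class SupplierAssessment:
    name: str
    scores: Dict[str, int]
    total: int
    tier: str
    controls: List[str]


def validate_scores(scores: Dict[str, int]) -> None:
    """Reject incomplete answers or scores outside 1-4 before tiering."""
    missing = [q for q in QUESTIONS if q not in scores]
    if missing:
        raise ValueError(f"missing answers: {missing}")
    bad = {q: v for q, v in scores.items()
           if q not in QUESTIONS or not isinstance(v, int) or not 1 <= v <= 4}
    if bad:
        raise ValueError(f"scores must be integers 1-4 for known questions: {bad}")


def is_valid(scores: Dict[str, int]) -> bool:
    """Convenience wrapper so onboarding forms can check answers up front."""
    try:
        validate_scores(scores)
        return True
    except ValueError:
        return False


def tier_for(scores: Dict[str, int]) -> str:
    """Sum the answers, map to a tier, then apply the assumed floor rule."""
    total = sum(scores[q] for q in QUESTIONS)
    tier = next(t for minimum, t in TIER_THRESHOLDS if total >= minimum)
    existential = scores["business_dependency"] == 4 or scores["regulatory_impact"] == 4
    if existential and TIER_ORDER.index(tier) < TIER_ORDER.index("high"):
        tier = "high"
    return tier


def classify(name: str, scores: Dict[str, int]) -> SupplierAssessment:
    """Produce the record you would attach to the supplier entry in the register."""
    validate_scores(scores)
    tier = tier_for(scores)
    return SupplierAssessment(
        name=name,
        scores=dict(scores),
        total=sum(scores[q] for q in QUESTIONS),
        tier=tier,
        controls=list(TIER_CONTROLS[tier]),
    )


# Constructed sample answers (not real suppliers).
SAMPLE_SUPPLIERS = {
    "Core card PSP": dict(business_dependency=4, regulatory_impact=4,
                          data_sensitivity=4, technical_coupling=4, change_pace=2),
    "Primary odds feed": dict(business_dependency=4, regulatory_impact=2,
                              data_sensitivity=2, technical_coupling=2, change_pace=2),
    "Marketing email tool": dict(business_dependency=1, regulatory_impact=1,
                                 data_sensitivity=1, technical_coupling=1, change_pace=1),
}

if __name__ == "__main__":
    for name, answers in SAMPLE_SUPPLIERS.items():
        a = classify(name, answers)
        print(f"{a.name}: total={a.total} tier={a.tier} -> {', '.join(a.controls)}")
```

The odds feed sample is the instructive case: its summed score lands in the medium band, but because the business‑dependency answer is 4 the floor rule lifts it to high. If your own model has no such rule, check that a single maximum‑impact answer cannot be diluted by four low ones.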

Embedding this logic into supplier records in ISMS.online turns classification into a normal step in the workflow rather than a separate spreadsheet. You can then show auditors not just that you scored suppliers, but that risk tier consistently drives the way you select, contract and monitor PSPs and odds providers.


What should robust due diligence and onboarding look like for higher‑risk PSPs and odds providers?

For critical and high‑risk suppliers, A.5.19 expects a due‑diligence approach that is repeatable, evidence‑backed and aligned to your risk tiers, not a bespoke questionnaire invented by whichever team shouted loudest that week.

Which checks are worth standardising for higher‑risk suppliers?

For your top tiers, most operators converge on a core pack with five focus areas.

Corporate profile and regulatory posture

  • ownership and control (including ultimate beneficial owners and key jurisdictions)
  • history in regulated sectors, including relevant enforcement actions you can verify
  • licences they depend on to operate (payments, data processing, gambling, financial services)

Security governance and ISMS maturity

  • named security and continuity roles with contact routes you can use under pressure
  • evidence that they manage risk, incidents and changes systematically, not ad hoc
  • recognised frameworks or certifications where they fit the service, for example:
      • ISO 27001 for broader information security controls
      • PCI DSS for card‑processing PSPs
      • SOC 2 reports for service organisations with wide access

Technical architecture and integration

  • clear data‑flow diagrams or descriptions covering collection, processing, storage and transmission
  • authentication patterns, access segregation, encryption practices, logging and monitoring
  • development and deployment process, especially around changes that affect odds, settlement or reporting

Continuity and performance under stress

  • documented recovery time and data‑loss tolerances, compared with your own appetite
  • approach to peak events and campaigns, including how they plan, test and expand capacity
  • evidence of recent failover or continuity tests and outcomes

Independent assurance and alignment with your obligations

  • relevant external reports or attestations, checked for scope and recency
  • clarity on how their controls help you meet your licence conditions, AML duties, GDPR and other local obligations

The supplier handling most of your card volume or your primary sports‑data feed will naturally warrant more depth here than a low‑volume enrichment service.

If those checks, findings, documents and approvals sit together in one ISMS.online record, you can:

  • reuse that work for ISO 27001 audits, licence renewals and security questionnaires
  • show a straight line from “identified as critical” to “due diligence completed and acted on”
  • avoid last‑minute scrambles when regulators or partners ask, “What did you actually check before you went live with this PSP or odds provider?”


How can you turn expectations for PSP and odds‑provider controls into contracts that actually protect you?

Contract language gives you leverage when it turns your risk model into specific, measurable obligations. General phrases about “best practice” rarely help when funds are stuck or odds were wrong during a major event.

How do you build clause sets that track supplier risk and stay maintainable?

A practical pattern is to maintain reusable clause libraries aligned to your risk tiers, so legal and commercial teams can move quickly without reinventing from scratch.

For critical PSPs and odds providers, contracts will usually cover:

Named standards and control baselines

You explicitly call out the frameworks or obligations that matter most, for example:

  • PCI DSS for card‑processing PSPs
  • ISO 27001‑aligned controls for data processors
  • relevant local technical standards from gambling regulators or schemes

Technical and organisational measures

You make expectations specific, such as:

  • encryption requirements (in transit and at rest)
  • multi‑factor and role‑based access
  • patching and vulnerability management windows
  • change‑control discipline for changes that affect markets, odds, settlement or reporting
  • minimum logging and monitoring coverage for your transactions and data

Incident notification and cooperation

You define:

  • what qualifies as a notifiable incident
  • timeframes for initial notification and ongoing updates
  • evidence and support you expect for investigations and regulatory engagement

Sub‑processors and critical subcontractors

You require:

  • approval or notification for material sub‑processors
  • minimum controls they must meet
  • visibility at least into the chain that touches your players or funds

Continuity and exit

You set:

  • recovery objectives that reflect your event calendar and risk appetite
  • expectations for continuity testing and sharing of results
  • concrete timelines and formats for data return or deletion
  • practical support for migrating to another provider, especially around data, keys and interfaces

For high and medium‑risk suppliers, you usually simplify scope and proof but reuse the same themes. For low‑risk tools, you focus on confidentiality and straightforward data‑handling commitments.

Storing standard clause sets, any agreed deviations and the signed agreements alongside supplier records in ISMS.online gives you a clear story for auditors: “Here’s what we learned in due diligence, and here’s exactly how that influenced the contract we rely on in production.”


What ongoing monitoring and incident handling does A.5.19 imply once PSPs and odds providers are live?

A.5.19 does not stop at contract signature. Once suppliers are live, ISO 27001 expects you to demonstrate active oversight, especially where player funds, game integrity or regulatory reporting are concerned. That connects naturally with A.5.22 and your incident‑management and continuity controls.

How can you structure monitoring and incident handling so you can explain it under audit?

For your higher‑impact PSPs and odds providers, it helps to make three areas explicit and repeatable.

Monitoring cadence and assurance refresh

You define:

  • which service KPIs you track (for example, authorisation rates, latency, feed timeliness, settlement accuracy)
  • how often you review performance formally
  • how frequently you refresh assurance material: updated certificates, audit reports, posture summaries, incident statistics

Those reviews are logged with dates, decisions and follow‑up actions, not just discussed informally.

Triggers for deeper review or re‑rating

You agree in advance which events should trigger a fresh look at risk and controls, for example:

  • incidents or outages during peak trading or flagship events
  • new territories, licences or products that change your regulatory footprint
  • major changes to architecture, hosting regions, encryption strategy or data‑processing locations
  • mergers or acquisitions that alter ownership and control

When those triggers occur, you can show what you did: extra checks, tightened clauses, revised tiers or alternative routes.
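To show what logging those KPIs and triggers can look like in practice, here is an added example in Python. It is an illustration written for this page, not ISMS.online code. The tolerances, the two sample review periods and the change notices are all constructed; a real programme would take the tolerances from the contract SLA and your own risk appetite. It checks each period's KPIs (authorisation rate, feed timeliness, settlement accuracy, incidents during peak events) and the supplier's change notices against the trigger list above, and returns the entries that belong in the review record together with whether the next review should be routine or a re‑rating.

```python
"""Supplier monitoring triggers: an added worked example, not ISMS.online code.

Tolerances, KPI samples and change notices are constructed for illustration;
in practice the tolerances come from the contract SLA and your risk appetite.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed tolerances (illustrative).
AUTH_RATE_MIN = 0.93             # card authorisation success rate
FEED_LAG_MAX_S = 5.0             # odds feed timeliness, seconds behind source
SETTLEMENT_ACCURACY_MIN = 0.999  # share of settlements matching official results

# Change-notice categories the article lists as reasons for a fresh look.
MATERIAL_CHANGE_CATEGORIES = {
    "new_territory", "new_licence", "new_product",
    "architecture", "hosting_region", "encryption", "data_location",
    "merger", "acquisition",
}


@dataclass(frozen=True)
class KpiSample:
    period: str                 # review period label
    auth_rate: float
    feed_lag_s: float
    settlement_accuracy: float
    incidents: int              # supplier incidents or outages in the period
    peak_event: bool            # did the period include a flagship event?


@dataclass(frozen=True)
class ChangeNotice:
    received: str
    category: str
    summary: str


def kpi_triggers(sample: KpiSample) -> List[str]:
    """Triggers raised by one period's KPIs; an empty list means routine."""
    found = []
    if sample.incidents > 0 and sample.peak_event:
        found.append(f"{sample.period}: {sample.incidents} incident(s) during a peak event")
    if sample.auth_rate < AUTH_RATE_MIN:
        found.append(f"{sample.period}: authorisation rate {sample.auth_rate:.1%} "
                     f"below {AUTH_RATE_MIN:.0%}")
    if sample.feed_lag_s > FEED_LAG_MAX_S:
        found.append(f"{sample.period}: feed lag {sample.feed_lag_s:.1f}s "
                     f"above {FEED_LAG_MAX_S:.0f}s")
    if sample.settlement_accuracy < SETTLEMENT_ACCURACY_MIN:
        found.append(f"{sample.period}: settlement accuracy "
                     f"{sample.settlement_accuracy:.3%} below {SETTLEMENT_ACCURACY_MIN:.1%}")
    return found


def change_triggers(notices: List[ChangeNotice]) -> List[str]:
    """Only material categories re-open the risk assessment."""
    return [f"{n.received}: material change ({n.category}): {n.summary}"
            for n in notices if n.category in MATERIAL_CHANGE_CATEGORIES]


def review_supplier(samples: List[KpiSample],
                    notices: List[ChangeNotice]) -> Dict[str, object]:
    """Collect all triggers and decide whether the next review is routine."""
    triggers: List[str] = []
    for s in samples:
        triggers.extend(kpi_triggers(s))
    triggers.extend(change_triggers(notices))
    action = "re-rate and deepen review" if triggers else "routine review only"
    return {"triggers": triggers, "action": action}


# Constructed sample data for one PSP over two review periods.
SAMPLE_KPIS = [
    KpiSample("2025-W14", auth_rate=0.88, feed_lag_s=2.0,
              settlement_accuracy=0.9995, incidents=1, peak_event=True),
    KpiSample("2025-W15", auth_rate=0.96, feed_lag_s=1.5,
              settlement_accuracy=0.9999, incidents=0, peak_event=False),
]
SAMPLE_NOTICES = [
    ChangeNotice("2025-04-02", "hosting_region", "primary processing moves to a new region"),
    ChangeNotice("2025-04-03", "portal_theme", "merchant portal redesign"),
]

if __name__ == "__main__":
    result = review_supplier(SAMPLE_KPIS, SAMPLE_NOTICES)
    for t in result["triggers"]:
        print("TRIGGER:", t)
    print("Action:", result["action"])
```

The point of separating `kpi_triggers` from `change_triggers` is that the two arrive through different channels (performance reports versus supplier notifications), and both need to land in the same review record so an auditor can see what you did when each one fired.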

Incident playbooks and joint response

You maintain playbooks that assume suppliers are part of your response team, not innocent bystanders:

  • shared understanding of what constitutes a reportable incident
  • agreed contact points and escalation routes on both sides
  • expectations around data capture, root‑cause analysis, interim containment and long‑term fixes
  • aligned messaging and timelines for communications with regulators, schemes, banks and, where appropriate, players

Occasional tabletop simulations (for example, primary PSP failure on a tournament weekend, or corrupted odds across multiple markets) are an effective way to prove that those plans are more than words.

When you keep risk ratings, monitoring notes, assurance updates, incidents, actions and re‑assessments together for each supplier in ISMS.online, you can answer pointed questions such as, “Show us how you manage this PSP or odds provider end‑to‑end under A.5.19,” without having to reconstruct the story from scattered emails and files. That level of visibility gives regulators and auditors confidence that supplier risk is part of how you run the business, not an afterthought.



Mark Sharron

Mark Sharron leads Search & Generative AI Strategy at ISMS.online. His focus is communicating how ISO 27001, ISO 42001 and SOC 2 work in practice, tying risk to controls, policies and evidence with audit-ready traceability. Mark partners with product and customer teams so this logic is embedded in workflows and web content, helping organisations understand and prove security, privacy and AI governance with confidence.
