The hidden fragility of sportsbook security assurances
Independent security reviews show you how secure your sportsbook really is, not just how secure it looks on paper between certification cycles. For high‑velocity betting and casino platforms, your risk profile can change faster than your traditional audits, leaving serious gaps in the places that matter most. If you lead security or compliance for a gaming brand, treating A.5.35 as a living control – rather than a clause to quote in policy documents – is one of the most direct ways to expose and close those gaps before regulators, partners or attackers find them. This information is general in nature and is not legal or regulatory advice; you should consult qualified advisers before making decisions on licensing or compliance.
Independent eyes often notice the weak seams that busy teams step over every day.
You already rely on familiar comfort tokens: ISO 27001 certificates, game‑testing reports, payment‑security attestations and penetration‑test summaries. Those artefacts are useful, but they are narrow snapshots taken at specific moments and often against tightly defined scopes. Between those moments, your products, integrations and third‑party ecosystem continue to evolve at betting speed, while the assumptions behind earlier audits drift quietly out of date.
Independent security reviews under ISO 27001 A.5.35 are designed to challenge that drift. They focus on whether your overall approach to information security is still adequate and effective for the risks in your sportsbook and casino, not just whether historic controls once met a checklist. For CISOs, compliance leads and licence‑holders, the uncomfortable truth is that familiar badges can coexist with untested exposure around customer funds, game integrity and licence conditions.
Why traditional audits miss real sportsbook risk
Traditional audits and assessments focus on narrow slices of your environment, so they often miss how risk appears in a live betting platform where markets, prices and integrations are constantly changing. On paper you may see a reassuring mix of certifications and test reports, yet in practice large parts of your real‑world attack surface remain unexamined.
Most operators hold a combination of ISO 27001 certification, game‑testing reports, payment‑security attestations and periodic penetration tests. Each activity has a narrow remit, happens at a fixed point in time and follows a sampling approach that rarely keeps up with the pace of change in your stack. Certification audits confirm that an information security management system (ISMS) exists and sample selected processes, but they will not deep‑dive every odds engine, feed integration or bonus configuration.
Game‑testing laboratories focus on fairness and randomness, not on day‑to‑day change control or access management in your back office, while payment assessments concentrate on cardholder data rather than the integrity of bet‑settlement flows or wallet logic. Even well‑run penetration tests are usually scoped around specific applications or network segments and cannot realistically cover every path that matters in a 24/7 sportsbook.
The result is that major weaknesses often live in the seams between those scopes: where trading tools connect to feeds, where bonus logic interacts with wallets, where marketing systems talk to player‑data platforms and where fraud and AML controls touch security processes. Without a deliberate, independent review of your overall approach to security, those seams remain largely unchallenged and invisible from the vantage point of any single audit report.
Where assurance gaps actually live in a modern betting platform
Assurance gaps are easiest to see when you map your platform as a simple player journey and then layer your existing audits over that picture. When you do this honestly, you often find that critical steps are barely touched by any form of independent challenge, even though they carry obvious customer, financial or licence risk.
If you sketch your platform as a player journey – registration, deposit, navigation, bet placement, in‑play changes, settlement and withdrawal – several high‑risk points usually stand out:
- Onboarding steps that collect identity and payment data.
- Promotions that increase traffic and incentives for abuse.
- In‑play markets where odds change rapidly based on external feeds.
- Settlement and withdrawal logic where money leaves your platform.
Now layer existing audits and reviews over that journey. You will usually find that some steps are heavily scrutinised by several parties, while others are barely touched. A typical pattern is:
- Strong coverage around core account management and simple deposits.
- Patchy coverage around complex promotions, special markets and new bet types.
- Minimal independent challenge on day‑to‑day configuration of trading tools and risk limits.
- Fragmented understanding of how fraud, AML and security controls interact across systems.
When nobody owns the big picture, each function assumes someone else has it covered. Independent reviews under A.5.35 are intended to confront that assumption by forcing an objective look at how security is managed end to end, not just at the pieces that happen to have their own audit regimes. For practitioners who spend their days chasing evidence and responding to incidents, this kind of mapping can be a powerful way to show senior leaders where help is really needed.
Visual: Player journey from registration to withdrawal with audit and review coverage overlaid to reveal untested seams.
From formal audits to continuous assurance in high‑risk gaming
Independent review under ISO 27001 A.5.35 gives you a way to move from calendar‑driven audits to risk‑driven, continuous assurance that matches the tempo of your sportsbook. For a 24/7 betting and gaming operation, that shift is essential if you want real assurance rather than a dated certificate that no longer reflects how you trade today.
You may already feel weighed down by external audits and certifications and be tempted to say, “We already do enough.” A.5.35 is not about adding yet another ceremony; it is about using independent review deliberately so that the assurance work you already fund is sequenced, targeted and capable of keeping up with the way your products, partners and threats actually evolve. Many operators find that when they treat this clause as the organising idea for assurance, rather than an extra test, the overall burden becomes more manageable.
For CISOs and senior security leaders, this is also the bridge between a compliance story and a resilience story. Instead of telling your board that you “passed the audit”, you can show how independent reviews are timed and focused to protect the parts of your sportsbook that create the highest potential harm for customers, regulators and revenue.
Turning “planned intervals” into a risk‑based review cadence
A.5.35 requires your organisation to review how it manages information security at planned intervals and whenever significant changes occur. The standard deliberately avoids a fixed frequency because different environments carry different levels of inherent risk, and your betting platforms move far faster than static policy documents or annual audit timetables.
In practice, most regulated operators settle on a pattern such as:
- An ISMS‑wide independent review at least annually, often aligned with your internal audit programme.
- More frequent, focused reviews on domains with high inherent risk, such as payments, player‑data handling, trading and odds management.
- Specific reviews when significant changes occur, such as a major platform migration, entry into a new jurisdiction, a new product vertical or a serious incident.
A sensible cadence comes from asking, “Where could things go badly wrong, and how quickly?” Transaction volumes, peak event calendars, jurisdictional obligations and potential customer harm should all influence how often you commission independent eyes on a given area. Whatever cadence you choose, it should complement rather than replace your legal and regulatory obligations and fit coherently alongside your existing certification and testing cycles, including any structured ISMS platform you already use.
If you are responsible for security or internal audit in a gaming group, one of the most practical next steps is to map your current audits, tests, reviews and regulator visits across the year, then deliberately place A.5.35 reviews where they add insight rather than noise.
Distinguishing operational monitoring from independent review
Operational teams understandably point to the vast amount of monitoring already in place and ask whether that does not already satisfy A.5.35. It is important to clarify the difference between first‑line monitoring and independent review so that neither is diluted or described inaccurately.
Security operations and fraud teams already monitor a large array of signals: security‑event alerts, fraud rules, AML scenarios, performance dashboards and health checks in your observability stack. These first‑line controls answer the question, “Are we spotting and handling issues in real time?” They are essential, but they are not designed to step back and question the design of the control environment itself.
Independent review addresses a different question: “Is the way we manage security across people, process and technology still adequate and effective for the risks we face?” That means stepping back from the console and, on a planned basis, having people who do not operate the controls review:
- Whether your policies and risk assessments still match the realities of your technology, jurisdictions and business model.
- Whether first‑line controls are complete, sensibly designed and used as intended, not just switched on by default.
- Whether incidents and near‑misses are being analysed and fed back into improvement rather than simply closed in ticketing tools.
Many operators find it helpful to visualise this as three layers: day‑to‑day monitoring, periodic independent review and external oversight from regulators, payment partners and certification bodies. A.5.35 formalises the middle layer and makes it part of your ISMS rather than an informal, ad‑hoc activity. If you are an operations lead, this clarity lets you show that your team’s monitoring is necessary but not sufficient on its own.
Visual: Three‑layer assurance model showing operational monitoring, independent review and external oversight stacked above the sportsbook.
What ISO 27001:2022 A.5.35 really asks you to do
For a gaming or sportsbook operator, A.5.35 boils down to three linked duties: define how you manage security, arrange independent review of that approach and act on what those reviews find. When you do that consistently, the control turns from a paper requirement into a protective habit woven into your normal governance and licensing conversations.
At a high level, you are being asked to replace comfortable assumptions about “how we do security” with periodic, structured challenge. That is particularly important where your risk profile, technology stack or regulatory landscape is changing faster than traditional assurance cycles can keep up. The goal is not to chase every new threat headline, but to make sure your underlying security management remains appropriate for the way you actually run betting and gaming today.
If you are just beginning to align your ISMS with ISO 27001:2022, an early win is to translate this clause into a short, plain‑English internal statement and connect it directly to your review, internal‑audit and management‑review procedures. That anchoring makes it clear to teams that A.5.35 is about how you manage security, not just about another test.
Understanding the control in plain language
In straightforward terms, A.5.35 expects your organisation to make independent security review part of how you run your ISMS, not an occasional reaction to an incident or regulator request. The control focuses on your approach to managing security, not just on individual technical tests.
Practically, that means you should:
- Set out how you manage information security through an ISMS that covers people, processes and technology.
- Arrange for that approach and its implementation to be reviewed by people who are not responsible for designing or operating the controls they assess.
- Do this on a planned schedule and whenever major changes occur that could affect risk or control design.
- Use the results to improve the ISMS and its controls rather than simply filing reports.
This is different from running a penetration test or hosting a certification audit. Penetration tests are highly valuable but usually focused on specific environments, and certification audits are performed by external bodies working to their own sampling plans and timelines. A.5.35 is about you deliberately arranging independent scrutiny of how your overall security management actually works for your sportsbook, against the risks you face, not only against a generic checklist.
What independence really means in a sportsbook environment
Independence in A.5.35 is meant to be practical and functional. It does not require that only external parties ever review your ISMS, but it does require reviewers to be free from conflicts of interest with the controls they examine and able to report candidly to senior decision‑makers.
Common patterns that satisfy independence include:
- Internal audit teams that do not design or operate sportsbook controls and report functionally to the board or audit committee.
- Group‑level internal audit or risk functions reviewing regulated entities, where local management cannot suppress or alter findings.
- External assurance providers engaged to assess the design and operation of specific control domains where specialist skills are needed.
By contrast, having your head of trading write, implement and “review” their own risk limits, or your platform‑engineering team sign off its own change‑management arrangements, does not meet the spirit or letter of A.5.35. Segregation of duties, clear charters and documented reporting lines are how you demonstrate that independence exists and that reviewers can say difficult things without fear of retaliation.
When you explain your model to auditors or regulators, make clear that these are examples of how independence can be achieved, not the only acceptable structures, and that you have aligned your approach with applicable corporate‑governance and regulatory requirements in each jurisdiction where you hold a licence.
Translating A.5.35 into an iGaming and sportsbook review scope
Designing an independent review that really works for gaming begins with scope. You cannot evaluate what you have not clearly included, and for a modern sportsbook or casino the relevant scope is wider than many teams initially assume. If you are the practitioner who has to assemble evidence when auditors ask questions, a well‑defined scope can be the difference between a controlled exercise and a scramble.
Your goal is to build a review universe that reflects how your platform actually works: which channels customers use, where bets are created and settled, which systems hold sensitive data and how third parties plug into that ecosystem. Once that universe exists, you can plan reviews that focus on real risk rather than on tidy organisational charts or narrow system lists that ignore key attack paths.
Many operators find it easiest to start from their existing ISO 27001 scope statement and then expand it with a clear map of the player and transaction lifecycle. This approach keeps the review recognisably linked to your ISMS while surfacing sportsbook‑specific risk that generic scopes often miss.
Building a sportsbook‑specific review universe
A good starting point is to combine your ISMS scope statement with a map of the player and transaction lifecycle. For most operators, an A.5.35 review universe will include:
- Customer‑facing channels: web and mobile betting sites, native apps, mobile web and kiosks.
- Core betting logic: odds‑calculation engines, risk and trading tools, bet‑settlement processes.
- Game and RNG systems: remote game servers, table games, slots and live‑dealer platforms.
- Player lifecycle systems: registration, know‑your‑customer tools, account management and safer‑gambling mechanisms.
- Financial systems: payment gateways, alternative payment methods, wallets and reconciliation tools.
- Fraud and AML systems: transaction‑monitoring engines, case‑management platforms and sanctions‑screening tools.
- Data platforms: data warehouses, reporting tools, marketing databases and customer‑service platforms.
- Supporting infrastructure: cloud accounts, container platforms, identity providers and remote‑access tools.
- Third parties: game studios, feed providers, identity‑verification vendors, payment processors and hosting partners.
Your independent review plan should state explicitly which of these domains are in scope for each cycle and why. For high‑risk domains such as in‑play betting, VIP programmes or payment processing, you would normally expect more frequent or deeper review. The exact pattern should reflect your own risk assessments and regulatory duties and can be much easier to maintain if you use an ISMS platform, such as ISMS.online, to anchor scopes, owners and review dates in one place.
Taken together, these domains give reviewers a realistic picture of how your platform makes and settles money, how it protects players and where third parties create additional dependencies.
Using risk scenarios to define what reviewers test
Once you know which systems and processes to include, you can go a level deeper and define review objectives using realistic scenarios rather than abstract headings. This keeps reviewers focused on events that would genuinely damage customers, markets or your licence, rather than simply confirming that documentation exists.
For example, you might model scenarios such as:
- A coordinated bonus‑abuse ring creates hundreds of accounts and rapidly withdraws winnings.
- A third‑party data feed is manipulated, causing mispriced odds ahead of a major event.
- A vulnerability in a mobile app leads to account takeover of high‑value players.
- A new jurisdiction is launched quickly with local payment methods and bespoke integrations.
For each scenario, an independent reviewer can then ask:
- Do the documented controls and processes across security, fraud, AML and trading address this scenario in a realistic way?
- Are the controls implemented as described in live systems and day‑to‑day operations?
- Are incidents or near‑misses in this area being captured, investigated and fed back into design?
By anchoring reviews in risk scenarios, you avoid turning A.5.35 into a policy recital exercise and instead test the real ability of your controls to protect customers, markets and regulatory relationships. You should still align the scope and scenarios with any specific expectations from your regulators or corporate‑governance framework, but this approach gives practitioners a much clearer sense of why particular questions are being asked.
Designing genuinely independent review governance
Scope tells you what to look at; governance determines who looks, under what authority and how results are handled. In a regulated gaming group, governance around A.5.35 is often where auditors and regulators focus first because it reveals whether independent reviews can genuinely surface uncomfortable truths and trigger change.
If your governance is weak, reviews risk becoming another box‑ticking exercise or a shelf of reports that nobody reads. If your governance is strong, independent findings become a credible route for improving security, compliance and business resilience, and for giving your board a defensible view of risk across brands and licences.
For CISOs, heads of risk and internal audit, this is also where you can demonstrate that you are not “marking your own homework”. Clear roles, charters and reporting lines are often the deciding factor in whether regulators accept your “independent” review model.
Clarifying roles and reporting lines
Many organisations use a “three lines” concept as a simple way to describe responsibilities:
- First line (operations and technology) owns and operates controls.
- Second line (risk, compliance, security oversight) guides, challenges and monitors the first line.
- Third line (internal audit, sometimes supplemented by external reviewers) provides independent assurance to the board and senior management.
For A.5.35, you should be able to show that:
- Specific functions are authorised to perform independent reviews and have clear scopes.
- These functions do not design or operate the controls they review.
- They have a documented route to escalate findings to senior management and the board without undue interference.
- Their mandate, scope and independence are defined in charters, policies or committee terms of reference.
If you are part of a group with multiple brands and jurisdictions, you will also need to explain how group‑level review functions interact with local management. For example, you might allow group internal audit to review a licence‑holding entity’s ISMS while requiring local management to participate in scoping and to respond formally to findings. The right balance will depend on your structure and on any jurisdiction‑specific governance expectations, but it should always be clear who can challenge whom, and on what basis.
Ensuring competence and avoiding common independence pitfalls
Independence without competence is risky. Reviewers must understand both information‑security management and the specific features of gaming risk: fraud patterns, AML expectations, game and odds integrity, responsible‑gambling obligations and the realities of platform engineering and operations.
Common pitfalls include:
- Group security teams that design standard controls and then “independently” review their own designs without third‑line involvement.
- Internal audit functions that provide detailed project‑assurance support and are later asked to provide independent assurance over the same implementations.
- Over‑reliance on a single individual with deep platform knowledge who informally signs off design, implementation and review.
To avoid these, many operators:
- Define competence criteria for anyone performing A.5.35 reviews, including sector knowledge and technical understanding.
- Limit the advisory role of internal audit in major transformation projects and, where necessary, bring in separate reviewers for post‑implementation assurance.
- Use a mix of internal and external reviewers, especially for highly technical domains such as complex trading algorithms or bespoke integrations.
When you describe your governance model to regulators or certification auditors, make clear that it is one defensible way of meeting the control’s intent and that you remain responsible for aligning it with applicable laws, licensing conditions and corporate‑governance codes. If you are responsible for internal audit or risk in a gaming group, tightening these points can significantly improve how seriously your independent reviews are taken.
A.5.35 audit checklist for gaming platforms, payments and trading
At operational level, teams need more than principles; they need a repeatable way to run independent reviews that makes sense to auditors and regulators. A structured checklist tied to A.5.35 gives reviewers a starting point and helps ensure that critical domains are not overlooked, especially when time is tight and multiple brands and licences are in play. A good checklist turns the broad ideas of independence and scope into concrete review questions, evidence requests and follow‑up actions. It should be tailored to your platform, but it can follow a common structure across gaming brands and jurisdictions so that reviewers and owners recognise the pattern quickly.
If you manage application security, payments or trading for a sportsbook, a clear checklist also makes it easier to explain what “good” looks like and to show progress over time, rather than re‑arguing the basics with each new review.
Key domains and sample review questions
One practical way to structure a checklist is by domain, with clear review focuses and example questions. This keeps reviewers aligned on what matters most in each part of your platform and makes it easier for control owners to understand what will be examined and why.
Here is an example pattern for key domains and questions:
| Domain | Review focus | Example independent review question |
|---|---|---|
| Application security | Secure development and change management | Are high‑risk changes to betting apps approved and tested against defined criteria before release? |
| Player data and privacy | Protection of identity, KYC and behavioural data | Do access controls and logging around player data match stated policies and regulatory expectations? |
| Payments and wallets | Integrity of deposits, transfers and withdrawals | Are reconciliation, limits and exception handling independently validated for all payment methods? |
| Odds and trading | Accuracy and integrity of pricing and trading decisions | Are trading tools, limits and overrides reviewed against defined risk appetite and segregation‑of‑duties rules? |
| Fraud and AML | Prevention and detection of abuse and money laundering | Are AML and fraud‑monitoring rules regularly tested for effectiveness and adjusted when patterns change? |
| Infrastructure and operations | Resilience, access and monitoring across platforms | Are privileged‑access paths and changes to critical infrastructure subject to independent review? |
A full checklist would expand each line into concrete tests, required evidence and sampling guidance. For example, an application‑security section might include sampling change requests, confirming code review and security testing, and checking that emergency changes follow controlled processes with post‑implementation reviews.
Step 1 – Define domains
Confirm which domains apply to your sportsbook or casino, based on your ISMS scope and risk assessment, and assign clear owners for each.
Step 2 – Select representative samples
Select realistic samples in each domain, such as recent releases, incidents or high‑risk products, rather than only “happy‑path” examples that make controls look better than they are.
Step 3 – Capture evidence and findings
Capture evidence in a consistent format and record findings with risk ratings, owners and due dates in a single register that is visible to all relevant stakeholders.
Step 4 – Review and refine the checklist
Refine questions and tests after each review so the checklist reflects current technology, regulations and risk, and retire items that no longer add value to keep the exercise focused.
Adopting this kind of structure turns A.5.35 from a vague requirement into a practical tool that reviewers, owners and regulators can understand and discuss. It also gives internal teams a defensible framework when they push back on ad‑hoc requests that fall outside agreed review scope.
Making findings traceable and actionable
Independent reviews only add value if their findings lead to change. A.5.35 implicitly expects that you not only perform reviews but also track and close the resulting actions in a way that stands up to external scrutiny over time.
In practice, that means:
- Each finding has a named owner, a risk rating, a due date and agreed remediation steps.
- There is a single register where findings from all independent reviews – internal audit, external assessments and regulator‑mandated audits – are recorded.
- Progress is reviewed at appropriate governance forums, such as security committees, risk committees and management meetings.
- Closure is verified, either by the original reviewer or by another independent function, and evidence of effective remediation is retained.
Many operators struggle here, relying on local spreadsheets and informal follow‑up. Centralising this information in a system of record, such as an ISMS platform, reduces manual coordination and strengthens the story you can tell auditors and regulators. ISMS.online, for example, is used by organisations to bring findings, risks and actions into one place so that independent reviews and follow‑up are visibly connected rather than scattered across teams.
Within the next quarter, you can usually make measurable progress by defining a single findings register, assigning ownership for existing actions and testing whether governance forums genuinely review and challenge open items rather than merely noting them. For practitioners, this makes reviews feel less like random inspections and more like part of a predictable improvement rhythm.
Coordinating A.5.35 with audits, testing and gambling regulators
Most regulated operators already carry a heavy assurance load: regulator security audits, technical‑standards testing, ISO or similar certifications, payment‑security assessments, penetration tests and third‑party risk reviews. If A.5.35 is implemented carelessly, it can feel like “yet another audit” rather than the backbone that makes the rest of your assurance activities easier to explain and justify.
Treating A.5.35 as the organising principle for assurance helps you reduce duplication, coordinate calendars and present a coherent story to regulators and partners. Used well, it becomes the frame that explains how your different checks relate to each other and where you intentionally go deeper for sportsbook‑specific risk.
If you are a CISO, CRO or head of internal audit, this is also how you move from separate audit reports towards a single, joined‑up view of assurance that your board can understand and challenge.
Turning A.5.35 into the backbone of your assurance map
The most effective organisations treat A.5.35 as the map that ties multiple assurance activities together rather than as an extra layer. In that model:
- Regulator‑mandated security audits are recognised as one form of independent review and planned and recorded as such.
- ISO 27001 certification and surveillance audits are viewed as external checks on the ISMS, supplemented by planned A.5.35 reviews that go deeper into sportsbook‑specific risk.
- Payment‑security assessments and game‑testing reports are fed into the same findings log and risk discussions as internal reviews.
- Major penetration tests and red‑team exercises are aligned with, not separate from, the independent‑review schedule.
Doing this well requires a single view of assurance activities across the group. That view should answer simple questions, such as, “For this brand and licence, in the last year, which independent reviews have been performed, what did they find and what changed as a result?” Different regulators and corporate‑governance codes will shape the details, but the underlying idea is the same: you can demonstrate that reviews are coordinated, not random, and that they are focused where gaming‑specific risk is highest.
As your assurance map matures, a dedicated ISMS platform can help you keep this picture current, link it to risks and controls and share it with senior stakeholders without resorting to complex spreadsheets and slide decks.
Smoothing calendars and strengthening external relationships
Assurance work competes with delivery work for scarce time and attention, so coordination in the calendar matters as much as scope. Many operators inadvertently cluster certification audits, regulator reviews, payment assessments and internal projects into the same quarter, creating review fatigue and reducing the quality of engagement from already stretched subject‑matter experts.
By plotting all material assurance activities on a shared calendar and aligning your A.5.35 plan with it, you can:
- Avoid scheduling independent reviews during major sports events or critical release windows.
- Spread the load on key subject‑matter experts across the year, reducing burnout and improving the quality of responses.
- Give regulators, partners and certification bodies a clearer story about how your assurance fabric works and how different activities support each other.
A practical next step is to build a simple assurance map that lists all major audits, assessments and reviews by brand and licence, then identify where A.5.35 reviews can consolidate effort. From there, you can adjust timings to remove peaks, align related work and agree a long‑term pattern that respects both regulatory expectations and operational realities. If you are responsible for those relationships, this coordination often turns difficult audit discussions into more constructive, partnership‑oriented conversations.
Book a Demo With ISMS.online Today
ISMS.online helps you turn independent security reviews from scattered exercises into a living, joined‑up process that your teams, auditors and regulators can all see and understand. When everyone works from the same ISMS, control set and findings register, designing, running and evidencing A.5.35 reviews becomes much easier to manage and to explain.
Turning A.5.35 into a living process rather than a one‑off project
With ISMS.online, you can plan A.5.35 reviews, assign clear owners and due dates and link them directly to the risks, controls and policies in your ISMS. That means:
- CISOs and heads of security can see which parts of the sportsbook have had independent attention and which are queued next.
- Compliance and MLRO teams can tag reviews and findings by licence, jurisdiction or product, making it easier to answer regulator questions quickly and consistently.
- Internal audit and external reviewers can work from shared checklists and evidence collections, with role‑based access and full audit trails to protect their independence.
Instead of scattered files and ad‑hoc trackers, independent reviews become part of a single, living system of record, visible to senior leadership and easy to explain. You retain full responsibility for meeting your legal and regulatory obligations, but you gain a platform that makes it far simpler to demonstrate how you are doing so in practice and how your assurance activities fit together.
Giving reviewers, owners and executives a shared picture
A shared platform also helps you bridge the gaps between teams and functions that must collaborate to make independent review effective and credible:
- Reviewers can request and receive evidence in a structured way, without relying on long email chains or informal messages.
- Control owners in security, trading, engineering and operations can see exactly what is being asked of them, when it is due and why it matters.
- Executives and boards receive consistent, up‑to‑date reporting on the status of independent reviews and the closure of high‑risk findings.
Choose ISMS.online when you want independent security reviews across complex gaming and sportsbook environments to be visible, repeatable and clearly tied to risk reduction and regulatory confidence. If you are ready to move A.5.35 from a minimum obligation to a reliable source of assurance for your board, regulators and players, booking a demo is a straightforward way to see how a dedicated ISMS can support that journey without forcing you to rebuild your entire governance model from scratch.
Frequently Asked Questions
How should a sportsbook operator interpret ISO 27001 A.5.35 in day‑to‑day operations?
You should read A.5.35 as a requirement to regularly challenge whether your whole ISMS still fits the real sportsbook you run, not just prove that controls exist on paper.
What does that mean in practice for a betting and gaming business?
In day‑to‑day terms, A.5.35 expects you to:
- Document how you run information security as a system, not as a control list: governance, risk assessment methods, control design approach, metrics, incident handling and continual‑improvement routines.
- Plan independent reviews of that system at defined intervals and after major change, rather than waiting for certification audits or regulator visits.
- Use reviewers who do not design or operate the controls they are assessing, so they can be honest about weaknesses and structural gaps.
For a sportsbook, “the ISMS” should clearly cover real operational flows, including:
- Odds creation and trading tools, including feeds and limit engines.
- Bonus, promotion and loyalty engines.
- Payment gateways, wallets and withdrawal journeys.
- Player‑data platforms, analytics and CRM tooling.
- Game platforms, RNG services and content aggregators.
- Fraud, AML and safer‑gambling systems.
- Cloud, on‑premise and network infrastructure that underpins all of this.
A practical way to start is to write a short, plain‑language A.5.35 statement that:
- Explains what you mean by “ISMS” in your sportsbook context.
- Describes who can perform independent reviews and how often they will happen.
- Links to your audit and assurance calendar so timing and scope are easy to see.
If you are at an early stage, that statement can be simple and live inside an ISMS platform such as ISMS.online, then grow in detail as your ISMS matures and your regulator expectations increase.
How often should a high‑risk gaming operator schedule independent A.5.35 reviews?
Most high‑risk operators find that an annual ISMS‑wide independent review plus extra reviews around major change is the minimum credible pattern.
How can a sportsbook choose the right frequency and triggers?
ISO 27001 talks about “planned intervals” and “significant changes” rather than dictating a calendar. For a regulated sportsbook, a sensible pattern is:
- At least one ISMS‑wide independent review every 12 months, aligned with your internal‑audit or enterprise‑risk cycle.
- Additional thematic or scope‑limited reviews, triggered by:
- Launch of a new jurisdiction, brand or licence.
- Large tournaments or seasons where in‑play volumes spike dramatically.
- Major platform migrations (trading, wallet, game aggregators, core platforms).
- Significant new payment methods (for example, instant withdrawals) or KYC providers.
- Serious incidents such as data breaches, integrity concerns or large bonus‑abuse cases.
Instead of trying to remember all of this manually, it helps to define the cadence once in an ISMS platform and attach reviews to brands and jurisdictions. In ISMS.online you can:
- Create a review calendar that shows when each brand and licence will be examined.
- Record the scope, evidence and findings for each review.
- Link follow‑up actions to owners and due dates so you can show regulators and auditors that A.5.35 is being handled as a deliberate, risk‑based process, not as a scramble before audits.
How can we design a risk‑based A.5.35 review scope that reflects a modern sportsbook?
You get more value from A.5.35 when you build the scope around real attack and failure paths, not your org chart or static policy indexes.
What is a practical way to build that scope?
A good starting approach is:
- Trace the player and money journey end‑to‑end. Map how a customer:
  - Finds you, registers and completes KYC.
  - Deposits, receives bonuses, places bets and cashes out.
  - Interacts with safer‑gambling, AML and customer‑support processes.
- Identify the systems and teams that support those journeys:
  - Web, mobile and retail front‑ends.
  - Odds and trading engines, feed integrations, limit and risk tools.
  - Wallets, payment systems, bonus and promotion engines.
  - Fraud and AML tooling, case‑management workflows.
  - Data warehouses, reporting and marketing platforms.
  - The hosting, network and identity services that sit underneath.
- Prioritise domains based on risk and change:
  - High‑risk scenarios such as cross‑border liquidity pools, VIP programmes, major events or real‑time payouts should be reviewed more often.
  - Areas with recent material change, incidents or regulator focus should move to the top of the queue.
- Express the scope in scenario language. Instead of “review CRM team,” define scopes like:
  - “Coordinated bonus abuse during a major tournament.”
  - “Integrity risk from corrupted odds feeds.”
  - “Data leakage risk from analytics and marketing tooling.”
Scenario‑based scopes help reviewers test whether your controls would withstand pressure, not just whether documents exist. If you keep this map and the associated review scopes in ISMS.online, you can adjust them as your brands, platforms and suppliers evolve and give certification auditors or regulators a clear, current picture of how A.5.35 is applied in practice.
What does genuine independence look like for A.5.35 inside a multi‑brand gaming group?
Independence under A.5.35 is about who can credibly challenge your ISMS design and operation without conflicted interests, not about outsourcing all assurance to third parties.
How can a sportsbook group structure independent review roles?
In a typical three‑lines‑of‑defence model:
- First line (operations and delivery): sportsbook operations, product, engineering, customer‑operations and first‑line security own and run controls.
- Second line (risk and oversight): risk, compliance and central security‑oversight teams set frameworks, write policies and monitor performance.
- Third line (independent assurance): internal audit or an equivalent function examines the ISMS and reports to the board or audit committee.
For A.5.35 to be credible:
- Reviewers must not design or operate the controls they assess.
- They must be able to report findings without local managers diluting or blocking them.
- Group‑level teams reviewing local brands must have documented mandates and direct reporting lines to senior governance, not just dotted‑line reporting to local management.
You can demonstrate this clearly with an assurance‑responsibility matrix that shows:
- Which functions may review which domains.
- Where conflicts of interest exist and are explicitly excluded.
- How findings escalate to boards or risk committees.
ISMS.online can hold that matrix alongside your control set, so when auditors or regulators ask how independence works, you can show a live model of “who reviews what” and related evidence, rather than reconstructing it from emails or slides.
How do we build a practical A.5.35 review checklist for apps, payments and trading?
A useful A.5.35 review checklist for a sportsbook groups its questions by real operational domains and defines the expected evidence up front, so reviews feel focused rather than theoretical.
What could that checklist look like across core sportsbook areas?
You can structure a checklist around five or six domains, for example:
Web and mobile applications
- How are high‑risk changes assessed, tested, approved and rolled back?
- How is session integrity maintained under high load and across devices?
- What logging and monitoring is in place to detect suspicious activity?
Evidence: Sample change tickets, test records, deployment approvals, log extracts, incident records.
Player data and analytics
- Who can access sensitive personal and behavioural data?
- How do logging, retention and anonymisation support both security and privacy obligations?
- How are access reviews performed and recorded?
Evidence: Access‑control lists, role definitions, access‑review records, data‑retention schedules.
Payments and wallets
- How are reconciliations handled between wallet, payment providers and ledger?
- How are limits, exceptions, refunds and chargebacks controlled and monitored?
- How are suspicious payment patterns escalated?
Evidence: Reconciliation reports, exception logs, refund workflows, AML case records.
Trading and odds
- How are limits set, changed and documented?
- How are manual overrides authorised and logged?
- How are suspicious betting patterns identified and escalated?
Evidence: Configuration exports, change logs, trading policies, alerts and escalation records.
Fraud and AML
- How are detection rules designed, tuned and tested before go‑live?
- How are model and rule changes governed?
- How are edge cases handled and tracked?
Evidence: Rule documentation, test results, governance minutes, case files.
Once the checklist is defined, you can standardise how findings are classified, risk‑rated and tracked. Capturing all of this inside an ISMS platform helps you keep the checklist, evidence and resulting actions tightly connected and visibly progressing, which is exactly what auditors expect to see when they test A.5.35.
How should A.5.35 reviews be coordinated with regulator audits, pen tests and certification work?
You get much more value from A.5.35 when you treat it as the organising layer for all the independent assurance you already have to do, rather than as yet another audit stacked on top.
How can a sportsbook turn A.5.35 into an assurance spine instead of extra bureaucracy?
Most gaming groups already face a dense assurance landscape, for example:
- Regulator‑mandated systems or security audits tied to specific licences.
- ISO 27001 certification and surveillance audits.
- Payment‑security assessments such as PCI DSS.
- Game‑lab testing and certification of platforms and RNGs.
- Regular penetration tests, red‑team exercises and supplier assessments.
A.5.35 reviews should sit above this as an integrator and challenger that asks:
- Do these activities, taken together, give us enough confidence in our ISMS design and operation?
- Where are the gaps by brand, licence, platform or supplier?
- Are we re‑testing low‑risk areas too often while high‑risk seams go unexamined?
- Does our ISMS still fit the business model and regulatory profile we actually have now?
A pragmatic way to make this explainable to internal stakeholders, regulators and auditors is to maintain a simple assurance calendar and coverage map, by brand and licence, that shows:
- What independent activities happen when (audits, tests, reviews).
- Which parts of the environment and which risks they cover.
- Where A.5.35‑driven reviews add extra depth or close gaps.
When you maintain that calendar, the associated scopes and the resulting findings inside ISMS.online, you can:
- Open one workspace and show, per brand or licence, the recent independent work and its conclusions.
- Demonstrate how A.5.35 reviews pull together outputs from regulators, certification bodies and testers into a coherent improvement plan.
- Give senior leadership a clear view of where assurance is strong and where additional focus is planned.
That shifts A.5.35 from a box‑ticking clause into the backbone of a living Information Security Management System that keeps pace with how your sportsbook actually acquires players, takes bets, pays out and stays on the right side of regulators.