GLI-GSF · Security Audit 15 min read May 31, 2026

GLI-GSF-1 v1.1: The Common Controls Audit Every Gaming Enterprise Must Pass

GLI-GSF-1 v1.1 defines the GISMS common controls audit for every gaming operator, supplier, and vendor. Master the GIG tiers, audit phases, and what auditors actually test.

By Matt Denney, Founder, gamingcompliance.io · 15 yrs in iGaming compliance

Published May 31, 2026 · Filed GLI Certification

GLI-GSF-1 v1.1, published by Gaming Laboratories International (GLI) under copyright 2025, is the foundational common controls module of the GLI Gaming Security Framework (GLI-GSF). Every Gaming Enterprise seeking a GIS Controls Audit, regardless of whether it operates land-based, online, or hybrid gaming, must satisfy the requirements in this document before any sector-specific module applies. For compliance teams preparing for certification or for regulators evaluating a framework adoption, GLI-GSF-1 is the baseline that cannot be bypassed.

What GLI-GSF-1 Is and Why It Exists

The GLI Gaming Security Framework was created in response to what GLI describes as an “overwhelming industry request for a comprehensive gaming security framework covering online gaming security.” The framework draws on three and a half decades of gaming industry experience and a review of global best practices in information security. GLI-GSF-1 is the cross-cutting module that defines the Gaming Information Security Management System (GISMS) common controls applicable to all forms of gaming.

A GISMS, as defined in the standard, is “a structured framework and set of processes designed to safeguard a Gaming Enterprise’s sensitive data, assets, and Critical System Components within its GPE against unauthorized access, disclosure, alteration, or destruction.” It encompasses policies, procedures, controls, and risk management practices specifically tailored to the unique challenges and regulatory requirements of the gaming industry.

Scope: GLI-GSF-1 applies to all forms of gaming, including casinos, lotteries, event wagering operations, and interactive gaming operations. It defines the common controls that every Gaming Enterprise must meet before sector-specific modules (GLI-GSF-3 through GLI-GSF-5) layer on additional requirements.

GLI-GSF replaces the technical security tests previously established in GLI-27 for land-based gaming operations. GLI also confirms that, as further modules are released, the framework will replace the technical security controls established in Appendix B of GLI-19 and GLI-33 for interactive gaming and event wagering respectively. Compliance professionals relying on those legacy appendices should treat the GLI-GSF transition as an active planning item.

Source: Gaming Laboratories International, GLI Gaming Security Framework Overview and GLI-GSF-1 Gaming Information Security Controls Audit v1.1, Copyright 2025.

Who the Standard Applies To

GLI-GSF-1 defines the “Gaming Enterprise” broadly. It covers the operator and any suppliers, manufacturers, vendors, service providers, and other entities who have a role in overseeing the operation of a Gaming Production Environment (GPE), or who provide services integral to its function, including the management of sensitive data.

Security within a GPE is treated as a collective responsibility across all of these entities. Each plays a role in maintaining the confidentiality, integrity, availability, and accountability of the environment, particularly where sensitive data is involved. That sensitive data includes, at minimum: audit logs and system databases recording information used to determine outcome, payment, redemption, and patron tracking; accounting and significant event information related to Critical System Components; RNG seeds and any information affecting game outcomes; encryption keys where transmission is required; and validation numbers associated with patron accounts and wagering instruments.

Suppliers and vendors are not passive recipients of the framework. GLI-GSF-3 (Gaming Information Security Vendors Audit v1.0) builds directly on GLI-GSF-1, requiring vendors who integrate business applications into a Gaming Enterprise’s GPE to satisfy all GIG1 common controls from this module. In practice, a payment platform provider, a CRM supplier, or a bonus engine vendor embedded in an operator’s GPE must each demonstrate GISMS compliance aligned with GLI-GSF-1’s baseline requirements.

What Is a Gaming Production Environment?

The GPE is the unit of analysis throughout the audit. The standard defines it as “the operational setting where gaming activities and related services are conducted, managed, and delivered to patrons in a live or real-time manner.” It encompasses the physical and virtual infrastructure, gaming systems, software, and processes required to facilitate gaming, including backend systems, business applications, and infrastructure that interacts with regulated gaming components.

The GPE concept is deliberately expansive. An operator’s cloud-hosted game servers, on-premises data centres, network perimeter, administrative access controls, and incident response procedures all fall within GPE scope. Compliance teams should resist scoping the GISMS to a narrow cluster of gaming-specific servers, because the standard requires a full-envelope view of the environment in which gaming activity occurs. For guidance on how ISO 27001 scoping errors surface in practice across UKGC and MGA-regulated environments, see our article on ISO/IEC 27001 in iGaming: Why Most Compliance Teams Get It Wrong.

The Three Gaming Implementation Groups

GLI-GSF-1 classifies every Gaming Enterprise into one of three Gaming Implementation Groups (GIGs). Each GIG defines the set of GIS Controls the Gaming Enterprise must implement. GIG2 builds upon GIG1, and GIG3 comprises all GIS Controls.

GIG1 represents the essential gaming security hygiene baseline and “an emerging minimum standard of GIS for all Gaming Enterprises.” It targets entities with limited security expertise dedicated to protecting critical assets, a limited tolerance for downtime, and low-criticality sensitive data principally comprising employee and financial information. GIG1 controls are designed to be implementable with limited gaming security expertise and to thwart general, non-targeted attacks.

GIG2 extends GIG1 to help security teams cope with increased attacker sophistication. GIG2 Gaming Enterprises manage sensitive data or functions subject to some regulatory and compliance oversight, and the controls selected for this group assist with managing a more complex asset inventory.

GIG3 is the highest tier and requires the full set of GIS Controls. GIG3 enterprises hold critical assets containing sensitive data or functions subject to regulatory and compliance oversight, must address availability and accountability of services, and must protect the integrity and confidentiality of sensitive data. Successful attacks at this level can cause significant harm to Personally Identifiable Information (PII), and GIG3 controls are selected to abate targeted attacks from sophisticated adversaries and reduce the impact of zero-day attacks.

“All Gaming Enterprises running online gaming operations (e.g. interactive gaming, online event wagering, etc.) are to be treated as GIG3 Gaming Enterprises, unless otherwise specified by the Regulatory Body.”, GLI-GSF-1 v1.1

The default GIG3 designation for all online operations is significant. Any iGaming operator, online sportsbook, or interactive lottery platform must satisfy the complete GIS Controls catalogue unless a specific Regulatory Body has made a contrary determination in its adoption of the framework. There is no opt-in to a lower tier based on self-assessed risk.

The GIS Controls Catalogue: CIS Critical Security Controls and Additional Requirements

GLI-GSF-1’s control architecture has two layers. The first adopts the Center for Internet Security (CIS) Critical Security Controls, Version 8.1, by reference. The second layer adds gaming-specific Additional Common GIS Controls that apply across all GPEs.

The CIS controls incorporated into GLI-GSF-1 span 18 control domains, each mapped to a GIG tier. Selected highlights include:

CIS-4 (Secure Configuration of Enterprise Assets and Software): GIG1 requires managing default accounts, while GIG2 extends to configuring trusted DNS servers and enforcing automatic device lockout on portable end-user devices.

CIS-5 (Account Management): GIG1 mandates establishing and maintaining an inventory of accounts, using unique passwords, disabling dormant accounts, and restricting administrator privileges to dedicated administrator accounts. GIG2 adds service account inventories and centralised account management.

CIS-6 (Access Control Management): GIG1 requires formal processes for access granting and revoking, and mandates multi-factor authentication (MFA) for externally-exposed applications, remote network access, and administrative access. Role-based access control (RBAC) definition is a GIG3 requirement under CIS-6.8.

CIS-7 (Continuous Vulnerability Management): GIG1 requires a documented vulnerability management process, a remediation process, and automated operating system and application patch management. Automated internal and external vulnerability scanning, with remediation of the vulnerabilities it detects, is added at GIG2. Patch management is a minimum baseline obligation, not an optional enhancement.

CIS-11 (Data Recovery): GIG1 requires establishing and maintaining a data recovery process and an isolated instance of recovery data. Recovery testing is a GIG2 obligation.

CIS-13 (Network Monitoring and Defense): GIG2 requires centralised security event alerting and deployment of both host-based and network intrusion detection solutions. GIG3 escalates to intrusion prevention systems, port-level access control, and application layer filtering.

CIS-17 (Incident Response Management): GIG1 requires designated personnel for incident handling, established contact information for reporting, and an enterprise-level incident reporting process. GIG2 adds a documented incident response process, key role assignments, and communication mechanisms. GIG3 adds defined security incident thresholds.

CIS-18 (Penetration Testing): GIG2 requires establishing and maintaining a penetration testing programme, performing periodic external penetration tests, and remediating findings. GIG3 adds internal penetration testing and security measure validation.
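The CIS-5 and CIS-6 items above are the ones an ISF will test against the account inventory first, so it is worth running the same checks before the audit. The script below is an added illustration, not code from GLI, CIS or the original article: it walks a constructed account-inventory export and reports each safeguard that fails. The field names, the sample rows and the 45-day dormancy window (the figure in CIS v8.1 Safeguard 5.3) are assumptions; GLI-GSF-1 or the Regulatory Body may set a different threshold.

```python
"""Pre-audit account-inventory checks for the CIS-5 / CIS-6 safeguards that
GLI-GSF-1 adopts by reference. Added illustration only: not GLI, CIS or
article code. Field names, sample rows and the 45-day dormancy window
(the CIS v8.1 Safeguard 5.3 figure) are assumptions."""
from datetime import date

DORMANT_DAYS = 45  # assumption: CIS v8.1 Safeguard 5.3 window

# Constructed sample export: one record per account in the GPE.
ACCOUNTS = [
    {"id": "j.smith", "type": "user", "enabled": True, "admin": False,
     "mfa": True, "remote": False, "last_login": "2026-05-20", "owner": "j.smith"},
    {"id": "j.smith-adm", "type": "admin", "enabled": True, "admin": True,
     "mfa": True, "remote": True, "last_login": "2026-05-28", "owner": "j.smith"},
    # admin rights granted on a daily-use account (CIS-5.4)
    {"id": "a.lee", "type": "user", "enabled": True, "admin": True,
     "mfa": True, "remote": False, "last_login": "2026-05-29", "owner": "a.lee"},
    # dormant, and remote access without MFA (CIS-5.3, CIS-6.4)
    {"id": "vendor-rdp", "type": "user", "enabled": True, "admin": False,
     "mfa": False, "remote": True, "last_login": "2026-02-01", "owner": "p.okafor"},
    # service account with no recorded owner (CIS-5.5, GIG2 and above)
    {"id": "svc-wallet", "type": "service", "enabled": True, "admin": False,
     "mfa": False, "remote": False, "last_login": "2026-05-30", "owner": ""},
    # disabled leaver: no further checks apply
    {"id": "old-contractor", "type": "user", "enabled": False, "admin": False,
     "mfa": False, "remote": False, "last_login": "2025-11-01", "owner": "hr"},
]


def audit_accounts(accounts, today_iso, gig=3):
    """Return (safeguard, account id, detail) tuples for every check that fails.

    GIG1 checks always run; the GIG2 service-account owner check (CIS-5.5)
    only runs when gig >= 2.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    seen = set()
    for a in accounts:
        if a["id"] in seen:
            findings.append(("CIS-5.1", a["id"], "duplicate id in account inventory"))
        seen.add(a["id"])
        if not a["enabled"]:
            continue  # disabled accounts cannot be used; nothing more to check
        idle = (today - date.fromisoformat(a["last_login"])).days
        if a["type"] != "service" and idle > DORMANT_DAYS:
            findings.append(("CIS-5.3", a["id"], f"dormant for {idle} days but still enabled"))
        if a["admin"] and a["type"] != "admin":
            findings.append(("CIS-5.4", a["id"], "administrator privilege on a non-dedicated account"))
        if a["admin"] and not a["mfa"]:
            findings.append(("CIS-6.5", a["id"], "administrative access without MFA"))
        if a["remote"] and not a["mfa"]:
            findings.append(("CIS-6.4", a["id"], "remote network access without MFA"))
        if gig >= 2 and a["type"] == "service" and not a["owner"]:
            findings.append(("CIS-5.5", a["id"], "service account without a recorded owner"))
    return findings


if __name__ == "__main__":
    for safeguard, acct, detail in audit_accounts(ACCOUNTS, "2026-05-31"):
        print(f"{safeguard:8} {acct:15} {detail}")
```

Against the constructed export the script raises four findings at GIG3 and three at GIG1 (the unowned service account only matters once CIS-5.5 applies). Service accounts are exempt from the dormancy test because a correctly scoped service principal may legitimately authenticate without an interactive login; a real export would carry a separate last-use field for them.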

Beyond the CIS controls, the Additional Common GIS Controls in Section B of the standard address gaming-specific obligations. These include the Critical Asset Register (CAR), which must document all assets affecting GPE functionality, including hardware, software, their interdependencies, and each asset’s unique ID, asset owner, physical or logical location, classification, and disposal date. Change management receives detailed treatment: emergency changes must be approved, tested, documented, and monitored under GIS-9.3.7, and any change categorised as critical triggers an additional GIS Controls Audit. Incident response, system monitoring, GPE malfunction procedures, and backup and recovery controls are all addressed with mandatory GIG1 obligations.
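Because the CAR must record each asset's unique ID, owner, location, classification, disposal date and interdependencies, the register can be checked mechanically before the ISF sees it. The script below is an added illustration, not code from GLI-GSF-1 or the original article: it validates a constructed CAR extract for missing fields, duplicate IDs, dependencies on assets that are not registered, and dependencies on assets whose disposal date has already passed, and it computes the set of assets affected when a given asset fails. The field names, the sample rows and the graph checks are assumptions; the standard lists the required attributes but not a file format.

```python
"""Critical Asset Register (CAR) consistency checks for the GLI-GSF-1
documentation review. Added illustration only: not GLI or article code.
The required attributes follow the standard's list; the field names,
sample rows and graph checks are assumptions."""
from datetime import date

# Attributes every asset must carry with a non-empty value.
# disposal_date and depends_on may legitimately be empty.
REQUIRED_NONEMPTY = ("id", "name", "kind", "owner", "location", "classification")

# Constructed sample register of hardware and software affecting GPE function.
CAR = [
    {"id": "GPE-001", "name": "RNG service", "kind": "software", "owner": "platform-sec",
     "location": "eu-west-1/vpc-prod", "classification": "critical",
     "disposal_date": "", "depends_on": ["GPE-003"]},
    {"id": "GPE-002", "name": "Wallet database", "kind": "software", "owner": "dba-team",
     "location": "dc-dublin/rack-12", "classification": "critical",
     "disposal_date": "", "depends_on": ["GPE-004", "GPE-009"]},  # GPE-009 is not registered
    {"id": "GPE-003", "name": "HSM cluster", "kind": "hardware", "owner": "",
     "location": "dc-dublin/cage-2", "classification": "critical",
     "disposal_date": "", "depends_on": []},  # asset owner missing
    {"id": "GPE-004", "name": "DB host", "kind": "hardware", "owner": "infra",
     "location": "dc-dublin/rack-12", "classification": "high",
     "disposal_date": "2026-03-31", "depends_on": []},  # disposed, yet still depended on
    {"id": "GPE-005", "name": "Game server pool", "kind": "software", "owner": "platform",
     "location": "eu-west-1/vpc-prod", "classification": "critical",
     "disposal_date": "", "depends_on": ["GPE-001", "GPE-002"]},
]


def validate_car(car, today_iso):
    """Return (asset id, problem) tuples for every inconsistency in the register."""
    today = date.fromisoformat(today_iso)
    findings = []
    by_id = {}
    for a in car:
        for field in REQUIRED_NONEMPTY:
            if not a.get(field):
                findings.append((a.get("id", "?"), f"missing {field}"))
        if a["id"] in by_id:
            findings.append((a["id"], "duplicate asset id"))
        by_id[a["id"]] = a
    for a in car:
        for dep in a["depends_on"]:
            target = by_id.get(dep)
            if target is None:
                findings.append((a["id"], f"depends on unregistered asset {dep}"))
                continue
            disposed = target["disposal_date"]
            if disposed and date.fromisoformat(disposed) < today:
                findings.append((a["id"], f"depends on {dep}, disposed {disposed}"))
    return findings


def blast_radius(car, asset_id):
    """Sorted ids of every asset that depends, directly or transitively, on asset_id.

    This is the question an ISF asks about interdependencies: if this
    component fails or is compromised, which other GPE assets are affected?
    """
    dependents = {}
    for a in car:
        for dep in a["depends_on"]:
            dependents.setdefault(dep, set()).add(a["id"])
    affected, stack = set(), [asset_id]
    while stack:
        current = stack.pop()
        for d in dependents.get(current, ()):
            if d not in affected:
                affected.add(d)
                stack.append(d)
    return sorted(affected)


if __name__ == "__main__":
    for asset, problem in validate_car(CAR, "2026-05-31"):
        print(f"{asset}: {problem}")
    print("failure of GPE-003 affects:", blast_radius(CAR, "GPE-003"))
```

On the constructed register the validator reports three problems: the HSM cluster has no owner, the wallet database depends on an asset that is not in the register, and it also depends on a host whose disposal date is in the past. The blast-radius walk shows that losing the HSM cluster takes out the RNG service and, through it, the game server pool, which is the kind of interdependency evidence the standard expects the CAR to make visible.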

GIS Policy Requirements (GIG1): Every Gaming Enterprise must define and implement a GIS policy that describes its approach to managing GIS and ensuring risk identification, mitigation, and contingency planning. The policy must be reviewed at least annually or when significant changes occur to the GPE or the Gaming Enterprise’s processes that alter the risk profile. It must be approved by management and communicated to, and acknowledged by, all relevant personnel. A formal disciplinary process must exist for policy breaches.

What the Audit Process Looks Like

The GIS Controls Audit is conducted by an Independent Security Firm (ISF). The audit process follows six distinct phases defined in Section 2 of the standard.

Documentation Review: The ISF collects and reviews all relevant GIS documentation. The standard specifies the minimum documentary evidence, including the GIS policy, GIS risk assessment and treatment plans, access control policy, incident response procedures, asset management policy, change management programme, procedures for monitoring information processing facilities, teleworking policies, cryptographic controls policy, and network diagrams. Compliance teams should prepare a complete evidence pack covering all of these before the audit commences.

Key Personnel Interviews: After the documentary review, the ISF interviews users, administrators, and management to identify undocumented practices and assess user awareness. The ISF gauges whether personnel outside the IT function understand their role in protecting information and critical assets. Gaps between documented policy and actual practice are a common finding at this stage.

Controls Assessment: The technical assessment phase covers system and network architecture, security software, database design and configuration, cryptographic controls, system monitoring, reporting and logging, system development controls, and business continuity and disaster recovery plans.

Physical and Environmental Controls Assessment: The ISF evaluates physical safeguards including location and facility security, perimeter security and monitoring, physical access controls, equipment security, intrusion detection, alarm systems, surveillance systems, HVAC, power systems, fire detection and suppression, and emergency response procedures.

GIS Incident Response Plan Assessment: The ISF tests the effectiveness and adequacy of the incident response plan, identifies weaknesses, and assesses the Gaming Enterprise’s preparedness.

Risk Assessment: A formal risk assessment is conducted as a standalone audit phase, separate from the policy review.

The three core assessment methods used across all phases are: Interview (discussions with individuals or groups to facilitate understanding); Examine (reviewing, observing, and analysing assessment objects); and Test (exercising assessment objects under specified conditions to compare actual with expected behaviour).

Audit Report Requirements and Remediation Obligations

The GIS Controls Audit report must contain a specific minimum structure. The executive summary covers the Gaming Enterprise’s name, business model, gaming activities offered, service providers utilised, location, number of employees, website, certifications, and a high-level IT infrastructure description covering data centres and cloud services. The body of the report details the ISF’s qualifications and contact information, the audit dates from request through to completion, the scope of work including environments reviewed and Critical System Components assessed, the tools and techniques used, and all findings with their classification.

Non-conformities are classified by severity. Major non-conformities require immediate corrective action: remediation begins at once, and the Regulatory Body (and the ISF, where the Regulatory Body requires it) must be notified of the actions taken within thirty days of audit completion, unless the Regulatory Body specifies otherwise. Each non-conformity must be addressed through a documented process that identifies its extent, its root cause, and the corrective actions taken to prevent recurrence.

“Remediation steps to address each identified major non-conformity must be carried out immediately and the Regulatory Body and the ISF, if required by the Regulatory Body, must be notified of the actions taken within thirty days, unless otherwise specified by the Regulatory Body.”, GLI-GSF-1 v1.1, Section 2.6

Critical changes to the GPE trigger an additional cycle. Under GIS-9.3.12, any change categorised as critical will be subjected to additional GIS Controls Audits and Gaming Technical System (GTS) Assessments, potentially focused on the critical change and the Critical System Components affected by it.

Who Conducts the Audit: ISF Qualification Requirements

GLI-GSF-1 specifies that the GIS Controls Audit must be conducted by an ISF whose personnel hold relevant educational backgrounds or otherwise demonstrate qualifications in assessing GPEs. The standard lists certifications that may demonstrate suitability, including ISO/IEC 27001 Lead Auditor, and notes that other nationally or internationally recognised certifications from recognised certification boards are also acceptable. The Regulatory Body may specify additional or alternative requirements.

GLI itself offers ISF services through its GLI Secure practice, which includes ISO/IEC 27001:2022 certification services with accredited Lead Auditors, penetration testing, source code security audits, and PCI DSS compliance services. Operators may engage GLI directly or any qualified ISF accepted by the relevant Regulatory Body. The choice of ISF must be disclosed in the audit report.

Relationship to ISO 27001 and the Broader GLI-GSF

GLI-GSF-1 and ISO/IEC 27001:2022 are complementary, not interchangeable. ISO 27001 defines requirements for an information security management system; GLI-GSF-1 operationalises that concept for the gaming production environment with controls drawn from CIS Critical Security Controls v8.1, supplemented by gaming-specific requirements addressing RNG integrity, audit logs, malfunction response, and regulatory reporting obligations that have no direct ISO 27001 equivalent.

A Gaming Enterprise holding an ISO 27001 certification does not automatically satisfy GLI-GSF-1. The standard’s GISMS definition explicitly incorporates risk management practices “specifically tailored to the unique challenges and regulatory requirements of the gaming industry.” The gaming-specific controls addressing GPE malfunctions, RNG seed protection, critical change triggers, and regulatory incident reporting thresholds have no counterpart in the ISO 27001 Annex A control set. An existing ISO 27001 programme provides a substantial documentation and governance foundation that reduces the gap considerably, and the ISF qualification list names ISO/IEC 27001 Lead Auditor credentials as demonstrating suitability.

The UKGC’s Remote Gambling and Software Technical Standards (RTS) section 4.1 directly references ISO/IEC 27001:2022 Annex A as the basis for its security requirements for remote gambling licensees. MGA technical infrastructure guidance similarly directs cloud service providers to ISO/IEC 27002 for ISMS implementation. Neither regulator has formally adopted GLI-GSF as a mandatory standard at the time of writing. Because the framework’s stated purpose is to replace the GLI-27 security requirements and, in time, the GLI-19 and GLI-33 security appendices, jurisdictions that currently mandate those standards can be expected to move to GLI-GSF as their adoptions are updated; the timing rests with each Regulatory Body. For a full picture of UKGC and MGA licensing obligations alongside their respective security standards requirements, see the UKGC vs MGA licence comparison.

Operators with multi-jurisdictional portfolios spanning markets such as Ontario under the AGCO Registrar’s Standards for Internet Gaming, or Alberta under the AGLC Standards and Requirements for Internet Gaming, should verify whether those regulators have adopted the GLI-GSF alongside their existing GLI-19 requirements. For context on how the ISO 27001 standard interacts with specific UKGC and MGA regulatory obligations, including the most common scoping and implementation errors, see our analysis of ISO/IEC 27001 in iGaming: Why Most Compliance Teams Get It Wrong. For a comparison of GLI certification pathway decisions between GLI-19 and GLI-33, see GLI-19 vs GLI-33: Choosing the Right Standard for Your Certification Path.

The GLI-GSF Module Architecture Beyond GLI-GSF-1

GLI-GSF-1 is the common controls foundation. Additional modules build upon it for specific operational contexts. GLI-GSF-3 (Gaming Information Security Vendors Audit v1.0) targets vendors integrating non-gaming business applications and ancillary solutions that do not directly affect regulated gaming components. GLI-GSF-4 (Gaming Information Security Land-Based Audit v1.0) covers physical gaming venues including casinos, racetracks, and gaming halls. GLI-GSF-5 (Gaming Information Security Online Audit v1.0) targets online operators conducting interactive gaming, iGaming, and online sports wagering via websites or mobile platforms.

Each sector-specific module incorporates GLI-GSF-1 by reference: the Appendix of GLI-GSF-3, GLI-GSF-4, and GLI-GSF-5 each state that the module’s controls apply in addition to the Common GIS Controls from GLI-GSF-1, and users are directed to both appendices to ensure no controls are overlooked. A vendor undergoing a GLI-GSF-3 audit satisfies the GLI-GSF-1 GIG1 baseline controls as part of that process; an online operator undergoing a GLI-GSF-5 audit satisfies all GIG3 common controls from GLI-GSF-1 as the foundation. There is no route to a sector module audit that bypasses the GLI-GSF-1 common controls.

The framework allows adoption in whole or in part by any Regulatory Body and any Gaming Enterprise. Regulatory Bodies may specify additional audit requirements beyond the GLI-GSF minimum, adjust the ISF qualification requirements, modify remediation timelines, or extend GIG classifications based on their jurisdiction-specific risk profile. Operators and compliance teams entering new jurisdictions must verify whether the adopting regulator has imposed any such supplements.

Practical Audit Readiness: What to Prepare

For compliance teams preparing for a GLI-GSF-1 GIS Controls Audit, the documentation review phase defines the minimum pre-audit evidence package. The following items must be ready for ISF review: the GIS policy with evidence of management approval and personnel acknowledgement, the GIS risk assessment and treatment plan, the access control policy covering both physical and logical access, the incident response plan with defined thresholds and escalation paths, the Critical Asset Register (CAR) covering all hardware and software components affecting GPE functionality, the change management programme including emergency change procedures, monitoring procedures for information processing facilities, teleworking policies, cryptographic controls policy, and current network diagrams.

Personnel must be prepared for substantive interviews. The ISF does not limit its inquiry to IT leadership: it assesses whether users outside the IT function understand GIS and their role in protecting information and critical assets. Training records, security awareness programme documentation, and evidence of social engineering training mapped to CIS-14.2 should all be available.

For GIG2 and GIG3 enterprises, additional preparation is required. The GIS forum at management level, meeting at least every six months and maintaining formal minutes, must be evidenced under GIS-2.6.2. The GIS function, which must report to executive level management and must be operationally independent from the line-of-business functions it oversees, must be clearly identifiable in the organisational structure under GIS-2.6.3 to GIS-2.6.6. Penetration testing records, including external test results and remediation evidence, are mandatory for GIG2. Internal penetration testing is required at GIG3.

“The goal is to align GIS in such a way that gaming operations can function as other eCommerce operations to ensure a safe and stable environment with the secure features of operations in parallel industries.”, GLI-GSF-1 v1.1, Section 1.5

The audit will surface gaps not between stated policy and regulatory requirements, but between documented policy and operational reality. The ISF’s interview phase is designed to identify “undocumented practices” and test whether policies are operationally embedded. Compliance teams should treat pre-audit internal readiness assessments as mandatory, not optional. Qualified legal counsel should be engaged for any jurisdiction where specific regulatory adoption of GLI-GSF-1 is uncertain or where regulatory supplements to the standard have been issued.

Key Resources

GLI-GSF-1 Gaming Information Security Controls Audit v1.1, available at no charge at www.gaminglabs.com, published by Gaming Laboratories International, LLC, Copyright 2025.

GLI Gaming Security Framework Overview, framework architecture and module descriptions, Gaming Laboratories International, available at www.gaminglabs.com.

CIS Critical Security Controls, Version 8.1, incorporated by reference into GLI-GSF-1, available at no charge at www.cisecurity.org.

GLI-GSF-3 Gaming Information Security Vendors Audit v1.0, GLI-GSF-4 Gaming Information Security Land-Based Audit v1.0, and GLI-GSF-5 Gaming Information Security Online Audit v1.0, sector-specific modules layered on GLI-GSF-1, all available at www.gaminglabs.com.

Matt Denney · Editorial, gamingcompliance.io

Reads the primary source so you don't have to. Fifteen years inside iGaming compliance: operator, supplier, and crown-corporation lottery.
