SOC 2 vs ISO 27001 for iGaming: Which Certification Does Your Operator Actually Need?
Fast Track CRM held a current SOC 2 Type 2 report when it was breached in 2025, exposing player data from over 100 iGaming operators. That single fact should reshape how every iGaming operator thinks about security certifications, and about which ones actually matter for regulatory compliance.
What Each Standard Actually Covers
ISO 27001 is an international information security management standard recognised by the major gambling regulators, including the MGA and UKGC. It requires an organisation-wide ISMS: a risk assessment, a risk treatment plan, a Statement of Applicability recording which Annex A controls are in scope and why, internal audit and management review, and evidence that the selected controls are operating. Certification is issued by an accredited body after a two-stage audit and runs on a three-year cycle with annual surveillance audits in between. The MGA and UKGC explicitly accept ISO 27001 certificates as audit evidence.

SOC 2 is an attestation framework developed by the AICPA and used primarily by US-market service organisations; it produces an auditor's report rather than a certificate. The report evaluates controls against the five Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy). Only Security is mandatory, the service organisation chooses which of the others to include, and it also defines the controls the auditor tests. A Type 1 report covers control design at a point in time; a Type 2 report covers operating effectiveness over a review period, typically six to twelve months. SOC 2 is widely used by SaaS vendors and platform providers, but it is not accepted by the MGA or UKGC as a substitute for ISO 27001 or an RTS audit.
The Fast Track Lesson: Certification Isn't Security
The Fast Track breach demonstrated something critical: a SOC 2 Type 2 report issued months before the breach provided no protection against the attack that followed. An attestation tells you that the controls the company itself selected were operating during the audit's review period. It does not tell you those controls hold up against novel attack techniques, supply chain compromise, or zero-day vulnerabilities, and it says nothing about what changed after the review period ended. Continuous security testing, not periodic audits, is what actually reduces risk.
Which to Pursue for MGA/UKGC Compliance
For MGA and UKGC compliance: ISO 27001. It is the standard the regulators recognise and accept. For vendor assessments of your third-party providers, ask for both: ISO 27001 for the overall security programme and a SOC 2 Type 2 report for evidence that operational controls worked over the review period. Read the scope as well as the document: check the Statement of Applicability on an ISO 27001 certificate, and the system description and exceptions listed in a SOC 2 report, because a certificate that excludes the platform handling your player data proves little. Then use a continuous monitoring service such as Panorays, because a certificate describes an environment at audit time and that environment starts changing the day the auditor leaves.
Frequently Asked Questions
Does the MGA accept SOC 2 instead of ISO 27001?
No. The MGA requires an ISMS aligned with ISO 27001. SOC 2 is not accepted as an equivalent for MGA security audit obligations.
Should we require our vendors to hold ISO 27001?
Require ISO 27001 where you can. A SOC 2 Type 2 report is acceptable for US-based vendors that do not hold it. More importantly, write ongoing monitoring and audit rights into the contract rather than relying on a point-in-time certificate.
Assess your vendors continuously — not just at contract time
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
Ready to secure your iGaming operation? Get in touch.