Working in the product compliance team at Oryx Gaming means playing a crucial part in ensuring the company can operate in its chosen markets. In 2020, on top of everyday tasks, our team worked on an important project to get Oryx ISO 27001 certified. Everyone who participated had to use their whole skill set to juggle their regular workload with this big project in order to meet the deadline. It’s safe to say that all of us picked up new skills in the process. We learned a lot and really enjoyed being part of such an exciting project – one of many that working at Oryx allows you to be involved in.
iGaming is a specific industry where regulations have changed dramatically in the last few years. We work in a heavily regulated field where every country, and sometimes even every state or province, adapts and enforces its own iGaming regulations. As a result, we need to constantly adapt our products to comply with the rules of each target jurisdiction.
A certified lab checks whether the products (games, RNG, aggregator, iGaming platform), processes, systems and information security are in line with local requirements. Final products are tested before the first launch and after any major change. Audits are usually done periodically, often once a year, although in some regions they occur every two years. Some requirements, such as change management, can be monitored quarterly.
There is a major advantage to being checked for compliance regularly. When jurisdictions write regulations, they often base them on an established standard. If a supplier already holds that standard, there is no need to examine its processes further. Some countries, like Switzerland, go a step further and demand an ISO 27001 certificate.
Compliance is an ongoing process, so our compliance team governs our compliance policies consistently and accurately over time.
Modern iGaming regulation places a strong emphasis on the detailed and precise definition of Information Security and Change Management, which results in direct or indirect periodic, usually annual, compliance checks and security tests.
To manage Information Security and Change Management appropriately, Oryx started the journey to acquire the ISO/IEC 27001:2013 certificate last year and was awarded it in June 2020.
The project team developed Oryx’s Information Security Management System (ISMS), including several policies and documented procedures that help us maintain the security of our information systems. The aim of the system is to help Oryx make the information assets we hold more secure.
ISO/IEC 27001 is an international standard on how to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 and then revised in 2013. It details requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).
ISO 27001 certification covers information security management policies and procedures in the software development process. It focuses on:
• Information security policies
• Organization of information security
• Human resource security
• Asset management
• Access control
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development and maintenance
• Supplier relationships
• Information security incident management
• Information security aspects of business continuity management
This certification is an industry standard; it makes it easier for the company to win new clients and can also demonstrate compliance with jurisdiction and licence requirements.
The ISO 27001 standard demonstrates the maturity of the processes and development practices that Oryx follows. Our strategy is focused on usability, not just on fulfilling bureaucratic demands.
Acquiring the ISO 27001 certificate was a big project, and we proved to be extremely efficient, gaining the certificate in record-breaking time. It was amazing to see how effective the team was in preparing tons of wiki pages of documentation in such a short time. We were glad to see that most of the procedures were already in place; we just needed to define them.
In taking Oryx to the next level of compliance, it was obvious that we were already there, which was confirmed by the positive response from SIQ. I am proud to say I was a part of this team, along with Peter Lavrič, Peter Zorin, Simon Tomažič, Anja Rožac, Samo Jamnik and Peter Žagar!