Guide to Certification
for the WLA Security Control Standard
Foreword
The World Lottery Association (WLA) is an international, member-based organization of state-authorized lotteries, sports betting operators, and suppliers to the global gaming industry. According to WLA By-Laws, member gaming operators must be licensed or authorized to conduct games by the jurisdiction within which their gaming products are sold.
The WLA Security and Risk Management Committee (SRMC) comprises security specialists from the gaming sector, as well as other gaming professionals from around the world. SRMC members are duly appointed by the WLA Executive Committee. The WLA SRMC is authorized to oversee the selection process of certification auditors, and to advise the WLA and its members on security and risk management issues.
For more than two decades, the WLA SRMC has developed and maintained an internationally recognized security standard for the gaming sector known as the WLA Security Control Standard (WLA-SCS). The WLA-SCS is developed through a cooperative and consensus approach and is available only to WLA members pursuant to the WLA By-Laws. Thus the WLA-SCS applies to regulated games, gaming operators, and suppliers only. For more information on the WLA-SCS, please refer to the WLA website.
The Guide to Certification for the WLA Security Control Standard (GtC) was written by the WLA and approved by the SRMC. It contains the regulations and procedures for the WLA-SCS certification process and includes the requirements for becoming a WLA affiliated Assessment Service Entity (ASE) and the requirements for becoming a WLA recognized auditor. The GtC presupposes familiarity with the WLA-SCS standard documentation.
The GtC is intended for:
- WLA members seeking WLA-SCS certification.
- ASEs and qualified professionals seeking to provide services within the WLA-SCS framework.
- WLA recognized auditors seeking to undertake WLA-SCS assessments.
The GtC consists of the following parts:
- Part A: The certification process. Detailed description of the WLA-SCS certification process.
- Part B: Assessment Service Entities and auditors. Guidance for ASEs and auditors seeking WLA approval to conduct WLA-SCS assessments.
- Annex A: Assessment resources estimation. Provides assistance in determining the time needed to perform WLA-SCS assessments.
- Annex B: Declaration of Assessment Form (DoAF). Provides an example of the DoAF and the instructions for completing it.
- Annex C: Assessment Form (AF). Provides an example of the AF and the instructions for completing it.
- Annex D: WLA-SCS certificate. Shows a sample of the WLA-SCS certificate.
- Annex E: Certificate Request Form (CRF). Provides an example of the CRF.
- Annex F: Remote Assessment Request Form (RAR). Provides an example of the RAR.
Introduction
The security and integrity of gaming activities play a critical role in maintaining the public’s confidence and trust in the gaming sector. It is therefore vital that gaming operators in general develop and maintain a visible and documented security and integrity environment in order to achieve and sustain public confidence in their operations.
In October 2024, the WLA SRMC released the eighth iteration of the Standard, known as the WLA-SCS:2024. The previous version of the standard, the WLA-SCS:2020, introduced the Framework 2020 and streamlined the norms and procedures for ASEs and auditors contained in this document. The accompanying Code of Practice has since been updated for conformity with the new version of the WLA-SCS:2024.
WLA-SCS:2024
The WLA-SCS:2024 specifies the minimum requirements necessary for the effective management of security for gaming operators. The latest edition of the WLA-SCS is distinguished from previous issues by the year of its approval, 2024 (WLA-SCS:2024). It replaces the WLA-SCS:2020 and all other versions released prior to the 2020 edition.
The WLA-SCS:2024 provides clearer guidance in relation to cloud security controls and security for suppliers, and for managed services, be it in hosted data centers, or in the cloud.
Some controls have been reorganized to simplify the standard, for instance, moving those applicable to all game offerings to the general section. New sections have been created for eSports and horse race betting, and for online games so as to cover virtual betting. As well, another section has been created for Random Number Generators, since they are at the heart of all lottery game operations.
For the development of the WLA-SCS:2024, the SRMC favored a generic, as opposed to a detailed, approach, the aim being to provide a comprehensive yet flexible set of controls, readily adaptable to the varying needs of WLA members internationally. Additionally, the new controls incorporated in the WLA-SCS:2024 bring it into line with our evolving industry and technology advances.
Certification framework
The Certification Framework was introduced alongside the previous version of the standard, the WLA-SCS:2020, to establish two levels of certification, WLA-SCS:2020 Level 1 and WLA-SCS:2020 Level 2. The Certification Framework has been retained unchanged in the present version of the standard, the WLA-SCS:2024. The two levels of certification are now known as WLA-SCS:2024 Level 1 and WLA-SCS:2024 Level 2.
WLA-SCS:2024 Level 1 offers a ground-level entry to the WLA-SCS for gaming operators who may need a more graded approach to certification. For Level 1 certification, WLA Regular Members (gaming operators) must satisfy all applicable controls of WLA-SCS:2024 but ISO/IEC 27001 certification is not a prerequisite. Level 1 certification is not open to WLA Associate Members (suppliers to the gaming industry).
WLA-SCS:2024 Level 2 offers a comprehensive path to certification for WLA Regular Members and WLA Associate Members ready to meet the full scope of certification requirements laid out by the WLA SRMC; these include, among others, satisfying the requirements of the ISO/IEC 27001 certification for information security management.
Code of Practice for the WLA-SCS (CoP)
The CoP provides guidelines for a better understanding and application of the WLA-SCS controls. It is designed to support WLA members who are organizing their Information Security Management Systems in preparation for a WLA-SCS assessment, and auditors executing WLA-SCS assessments of WLA members.
Guide to Certification for the WLA Security Control Standard
The rules for ASEs and auditors remain unchanged from the previous edition of the Guide to Certification. All data and information are regularly monitored via the yearly reports that all ASEs are required to send to the WLA.
Transition rules
Transition rules from WLA-SCS:2020 to WLA-SCS:2024
With the adoption of the WLA-SCS:2024 by the WLA General Assembly in October 2024, the WLA SRMC established the following transition periods.
Initial certifications
For initial certifications, the WLA SRMC established a transition period of six months, which extends until April 30, 2025. During this period, WLA members that request to be WLA-SCS certified can choose to certify to either the WLA-SCS:2020 or the WLA-SCS:2024. Initial certifications completed after April 30, 2025 must be to the WLA-SCS:2024.
Recertifications and annual review assessments
For recertifications and annual review assessments, the WLA SRMC established a transition period of two years, which extends until October 31, 2026. During this period, WLA members can choose to perform recertifications or annual review assessments based on either the WLA-SCS:2020 or the WLA-SCS:2024. Recertifications and annual review assessments completed after October 31, 2026 must be to the WLA-SCS:2024.
Member organizations that maintain a valid WLA-SCS:2020 certification may choose to recertify to the WLA-SCS:2024 before their WLA-SCS:2020 certification expires.
If a WLA-SCS:2020 certified member chooses to recertify to the WLA-SCS:2024 within the framework of an annual review assessment, all the new controls of the WLA-SCS:2024 must be assessed in addition to the controls originally scheduled for the annual review assessment.
Definitions
For the purposes of this document, the following terms and definitions apply.
1 Agreement (for ASEs)
Refers to a non-commercial agreement entered into force between the WLA and an ASE for the provision of WLA-SCS assessment services to WLA members. More details can be found in Part B, Section 2.2 of this guide.
2 Annual assessment
Refers to a mandatory annual control assessment to ensure that the certified WLA member remains compliant to the WLA-SCS during the three-year period between certification and recertification.
3 Assessment report
Refers to the document issued by an authorized WLA ASE to the WLA member describing the evaluation performed and the results obtained during the certification or recertification process. This document is property of the WLA member and will be regarded as strictly confidential.
4 Assessment Form (AF)
Refers to a document issued by the assessment service entity describing the elements that were audited, describing the elements that were not applicable, and the recommendation regarding certification or recertification. More details can be found in Annex C of this guide.
5 Associate Member (supplier)
Refers to an entity that supplies goods or services to the gaming sector duly approved as a WLA member in accordance with the WLA By-Laws.
6 Assessment Service Entity (ASE)
Refers to the third-party establishments, approved by the WLA, offering assessment services to WLA members. Individual auditors working as independent contractors are considered in effect Assessment Service Entities as well.
7 WLA-SCS certified
Refers to a WLA member that has been subjected to an assessment process and found to be, at that moment in time, compliant with the WLA-SCS requirements.
8 WLA-SCS certificate
Refers to the document confirming that a WLA member is in conformity with the WLA-SCS requirements.
9 Certification auditor
Refers to an auditor selected to perform WLA-SCS assessments.
10 Certification authority/Certification body
Refers to the WLA.
11 Certification process
Refers to the evaluation and assessment process performed by a WLA accredited auditor to determine compliance to the WLA-SCS.
12 Declaration of Assessment Form (DoAF)
Refers to a document issued by the auditor advising the WLA of its intent to undertake the assessment of a WLA member for compliance to the WLA-SCS. More details can be found in Annex B of this guide.
13 Pre-assessment services
Refers to a simplified assessment by an ASE where the compliance of a WLA member is evaluated against the WLA-SCS, without extensive verification of implementation.
14 Recertification assessment
Refers to a complete evaluation and assessment process performed by a WLA-SCS auditor for a certified WLA member before the expiry of the three-year term of validity of the previous certificate, in order to confirm compliance with the WLA-SCS.
15 Regular Member
Refers to a state-authorized lottery organization, state-licensed sports betting operator, or other gaming operator duly approved as a WLA member in accordance with the WLA By-Laws.
16 Remote assessment
A remote assessment is an assessment that is conducted off site, either in whole or in part. The remote assessment is mainly based on the use of Information and Communication Technology (ICT) to gather information and evidence for the verification of compliance to specific controls of a standard.
17 WLA Member
Refers to both a Regular Member (lottery or sports betting operator) and an Associate Member (supplier) duly approved as a WLA member in accordance with the WLA By-Laws.
18 WLA-SCS
Refers to the WLA Security Control Standard, a comprehensive set of lottery- and gaming-specific security standards and integrity requirements.
19 WLA SRMC
Refers to the WLA Security and Risk Management Committee, a committee of technical and security professionals employed by WLA Regular Members.
Part A
The certification process
Part A of the GtC contains principles, requirements, and procedures that are involved in the WLA-SCS certification process. It is meant to support WLA members seeking WLA-SCS certification, auditors that have been selected to perform the WLA-SCS assessment, and for the ASEs that employ the selected auditor.
WLA-SCS certification
The GtC presupposes familiarity with the WLA-SCS.
WLA-SCS certification is open to WLA members pursuant to the WLA By-Laws. The WLA-SCS certification is also open to WLA Associate Members and approved subsidiaries.
The WLA-SCS certificates are valid for a three-year period.
WLA-SCS certification specifies the essential requirements necessary for the effective management of security in lottery and sports betting operations. Compliance with the WLA-SCS enables WLA members to ensure the integrity, availability, and confidentiality of information vital to their secure operation.
WLA-SCS certification attests only to the existence of a set of security and integrity procedures that, at the time of certification, correspond to the objective of managing the inherent risks associated with the operations of gaming operators.
WLA-SCS certification does not guarantee in any manner the results obtained in the matters that they deal with.
WLA-SCS certification programs
There are two different approaches to WLA-SCS certification that WLA Regular Members can choose to follow according to their needs: WLA-SCS Level 1 certification and WLA-SCS Level 2 certification.
WLA Associate Members can only be certified under the WLA-SCS Level 2 scheme.
To be granted the WLA-SCS Level 1 certificate, the WLA Regular Member must successfully pass the assessment against the applicable controls of the WLA-SCS. For a period of three years, extending until October 31, 2026, MUSL lotteries certified to MUSL Rule 2 automatically qualify for WLA-SCS:2024 Level 1 certification.
To be granted the WLA-SCS Level 2 certificate, a WLA Member must successfully pass assessment against the applicable controls of the WLA-SCS and hold a current and valid ISO/IEC 27001 certificate with a global scope including the ISMS related requirements.
WLA Members that hold a WLA-SCS:2020 certificate are considered to be at Level 2. Transition to WLA-SCS:2024 Level 2 certification can occur during an annual review or recertification assessment.
WLA Member’s responsibilities
The WLA Member recognizes the WLA-SCS and the GtC as written at the time of certification or recertification.
The WLA Member is solely responsible for the choice of procedures and methods used to render the WLA-SCS operational.
The WLA Member recognizes that the WLA, the WLA affiliated ASE, and the selected auditor are in no way responsible for any claim/s or damage/s in regard to Part A, Section 3.2.
The WLA member is responsible for making all pertinent information and any changes to the supplied information available to the WLA affiliated ASE and the selected auditor in a timely manner.
The WLA member will provide all the required assistance to the WLA affiliated ASE and the selected auditor.
WLA-SCS certification is open solely to WLA Members in good standing pursuant to the WLA By-Laws and can only be used in conformity with the WLA Code of Conduct and other WLA directives.
Preparation for WLA-SCS certification
Gap analysis and pre-assessment
Prior to the certification audit, the WLA member seeking to obtain the WLA-SCS certification may conduct a gap analysis or a pre-assessment of their security, integrity, and risk management systems, to identify any discrepancies between their current security and integrity arrangements and the requirements of the WLA-SCS and ISO/IEC 27001.
Typically, the gap analysis or a pre-assessment is carried out by the internal staff or consultants.
The gap analysis or a pre-assessment is not mandatory, but it can help in evaluating the organization’s readiness for an external assessment.
Selection of the ASE and the auditor
In accordance with Part B, Section 1.1, the WLA member must select an auditor that is an employee, agent, or subcontractor of an ASE affiliated to the WLA.
The official list of affiliated ASEs is published on the WLA website or can be obtained by contacting the WLA office.
In accordance with Part B, Section 1.3, it is advised that the WLA member makes sure the ASE selected is affiliated with the WLA.
In accordance with Part B, Section 3, the WLA member must make sure the auditor selected, or designated by the ASE to conduct the WLA-SCS assessment, has valid and current credentials.
Certification assessment procedures
Principles
ASEs and auditors must act in a fair and objective way, guaranteeing impartiality.
ASEs and auditors must demonstrate competence and knowledge of the WLA-SCS documents.
The procedures followed by ASEs and the auditors conducting WLA-SCS assessments must be clear and openly available.
All information and documents that are not covered by confidentiality must be made available by ASEs and the auditors.
Certification (basic procedures)
The WLA-SCS certification foresees three different types of assessments: initial certification, annual review, and recertification – where not specified, collectively referred to as “certification assessment” or “assessment”.
The WLA member must identify the type of WLA-SCS certification program, according to Part A, Section 2 of this guide.
The assessment is conducted by the selected auditor employed by an ASE affiliated with the WLA, or by an independent contractor affiliated with the WLA (collectively referred to as “auditor”).
As soon as any type of certification assessment is scheduled, and in any case before it starts, the selected auditor must complete the Declaration of Assessment Form (hereinafter DoAF), and send it to the WLA, notifying the intention to conduct a WLA-SCS certification assessment of a WLA member. An example of the DoAF and the instructions on how to fill it out can be found in Annex B of this guide.
The duration of the assessment depends on the type of assessment and the size of the WLA member. While the ASE bears full responsibility for establishing the needed resources and for defining the timeframe for adequately conducting a WLA-SCS assessment, the WLA SRMC provides some guidance on the expected number of days required to complete the assessment (see Annex A of this guide).
On completion of the certification audit, the auditor selected completes a detailed certification assessment report, the Assessment Form (hereinafter AF), and any other documents deemed useful for clarifying the outcome of the assessment.
The assessment report serves to document the certification assessment and its outcome. Given its confidentiality, it should be sent directly to the concerned WLA member and not to the WLA or any other third party. The content and the format of the report are at the discretion of the auditor.
The AF contains:
• All the applicable controls and the sites that have been audited;
• The auditor’s recommendations;
• References to the ISO/IEC 27001 certificate held by the WLA member (only for WLA-SCS Level 2).
The completed AF must be sent to the WLA. An example of the AF and instructions on how to fill it out can be found in Annex C of this guide.
Upon completion of the assessment, the auditor must send the WLA the AF and, if required by the WLA-SCS certification program selected, a valid copy of the ISO/IEC 27001 certificate held by the WLA member audited, and any other relevant document related to the certification process.
Any major non-conformity found during the assessment must be communicated to the WLA in the recommendation field of the AF and resolved within six months. Until the major non-conformity is resolved, the issuing or validation of the certificate remains pending.
Multiple sites assessments
If during the same WLA-SCS certification process different premises are audited against different controls, the auditor must clearly state in the recommendations field of the AF which controls have been audited for each premises.
In complying with Part A, Section 5.3.1, a separate document can be prepared by the auditor and attached to the AF, if necessary. In such cases, reference to the additional document must be included in the recommendations field of the AF. The format of the additional document is at the discretion of the auditor.
If during the same WLA-SCS assessment different premises are audited by different auditors, each auditor must complete one AF, specifying in the recommendation field that the AF is partial and providing the name of the other auditor/s involved in the same WLA-SCS audit.
With due regard to Part A, Sections 5.4.4, 5.5.5, and 5.6.5, if the scope of a WLA-SCS certification involves multiple sites, and not all sites are physically covered by the present assessment, the reason for exclusion of these sites must be clearly stated in the recommendation field of the AF.
Initial certification
Before the initial certification procedure begins, it is recommended that the WLA member informs the WLA office.
WLA Regular Members and WLA Associate Members that are also lottery operators must be audited against all the controls of Annex A (Organizational controls, known as the G Controls) and all the applicable controls of Annex B (Controls for the operation of games, known as the L Controls), and Annex C (Controls for the development of gaming systems and the provision of gaming services, known as the S Controls).
WLA Associate Members that are not lottery operators must be audited against all the controls of Annex A and any applicable controls of Annex C. Any additional L controls included in the assessment are not mandatory.
During the initial certification all the premises to be covered by the WLA-SCS certificate must be physically visited and assessed against all the applicable controls. If it involves multiple sites that perform the same function, the auditor can decide on how best to gain his own confidence on compliance on the number of premises to be physically assessed.
The certification procedure to follow for the initial certification is contained in Part A, Section 5.2.
Annual review
In order to ensure that the certified WLA member remains compliant with the WLA-SCS throughout the three-year certification period, two annual review assessments must be scheduled and completed.
The annual review assessments are also to focus on any changes that may have occurred within the WLA member since the previous assessment.
The two annual review assessments must be scheduled by the auditor in agreement with the WLA member and be performed in a reasonable time according to the certification period, ideally 12 months after the previous assessment.
During mandatory annual review assessments, the applicable controls shall be sampled. However, for WLA-SCS Level 2 certified members, the current validity of the ISO/IEC 27001 certification and its global scope must be verified at each annual assessment. All applicable controls shall have been audited at least once during the three-year assessment cycle.
All the premises to be covered by the WLA-SCS certificate during a first and/or second annual assessment should be physically visited and assessed against the relevant applicable controls. Remote visits can be conducted in accordance with the policies of the National Accreditation body and ISO/IEC 27001. If there is a scope, process, and/or organizational change, the premises related to those changes must be physically visited and assessed against all applicable controls. If it involves multiple sites that perform the same function, the auditor can decide on how best to gain his/her own confidence on compliance on the number of premises to be physically assessed.
The certification procedure to follow for the annual review assessment is contained in Part A, Section 5.2.
Recertification
The WLA member can maintain its certification valid by repeating the certification process every three years.
To avoid any disruption to the certification, the recertification process should begin prior to the expiration of the WLA-SCS certificate.
When multiple sites are audited for the same WLA-SCS certificate, it is recommended that all the sites are audited not later than four months before the expiry date of the WLA-SCS certificate. In this case, where needed, multiple auditors can be selected to perform the assessment in time.
All the applicable controls shall be covered in the recertification assessment.
During the recertification assessment, all the premises to be covered by the WLA-SCS certificate must be physically visited and assessed against all the applicable controls. If it involves multiple sites that perform the same function, the auditor can decide on how best to gain his own confidence on compliance on the number of premises to be physically assessed.
The certification procedure to follow for the recertification assessment is contained in Part A, Section 5.2.
Certification procedure for MUSL lotteries
MUSL lotteries certified to MUSL Rule 2 automatically qualify for the WLA-SCS:2024 Level 1 certificate until October 31, 2026. From November 1, 2026 onwards, MUSL lotteries that wish to keep their WLA-SCS certificate must refer to the regular certification procedures contained in Part A, Section 5 of this guide.
To receive the WLA-SCS Level 1 certificate, MUSL lotteries must complete the Certificate Request Form and send it to the WLA together with a copy of the MUSL certificate. An example of the Certificate Request Form can be found in Annex E of this guide.
Once the required documents are received and verified, the WLA will issue a WLA-SCS Level 1 certificate with a validity period of three years.
To receive the WLA-SCS Level 2 certificate, MUSL lotteries must follow the regular certification procedure contained in Part A, Section 5 of this guide. Additionally, MUSL lotteries must be audited against Annex D (controls for multi-jurisdictional games, known as the M Controls).
Issue of the WLA-SCS certificate
The WLA is the only entity that can issue WLA-SCS certificates.
The decision to either grant or decline WLA-SCS certification is based on the auditor’s recommendation and all the documents submitted by the auditor (DoAF, AF, copy of the ISO/IEC 27001 certificate, and any other additional documents).
The WLA informs the WLA member and the auditor by email of the WLA-SCS certificate release status.
If approved, the WLA publishes the result on the WLA website and issues the WLA-SCS certificate, by providing the WLA member with the digital version and the WLA-SCS logo.
A sample of the WLA-SCS certificate can be found in Annex D of this guide.
ISO/IEC 27001 certificate conformity
The ISO/IEC 27001 certificate is independent and separate from the WLA-SCS certificate and it follows its specific rules and regulations.
The WLA-SCS assessments and the ISO/IEC 27001 assessments can be performed in different periods or in parallel. The WLA encourages the alignment of the two certification periods.
The WLA-SCS assessment and the ISO/IEC 27001 assessment can be performed by two different auditors or by the same auditor. If the auditor performing the assessments is the same for both certificates, Part A, Section 4.2 of this guide must be taken into consideration.
At the time the AF is being reviewed by the WLA for WLA-SCS Level 2 certification, the WLA member must have a valid and current ISO/IEC 27001 certificate, issued from an entity which is accredited for ISO/IEC 27001 certifications.
Remote assessment
Remote assessments are considered as such when:
a. The auditor never physically visits the auditee premises.
b. The auditor checks only some controls remotely.
c. The auditor is on-site but conducts interviews with employees in smart/home-office, or visits some premises remotely using videocam support.
In each of the preceding cases, the present section applies.
Requirements for remote assessments
The ASE shall provide evidence to the WLA about the internal procedures and rules its auditors must take into consideration to evaluate, schedule, and perform remote audits.
According to the documentation received from the ASE in relation to Part A, Section 8.1.1, the WLA releases a notice of validity to the ASE. Only after receiving the notice of validity for remote auditing are the ASE and its auditors allowed to schedule and perform WLA-SCS assessments remotely.
The WLA may perform spot checks on the procedures for remote assessments identified by the ASEs and followed by the auditors.
Remote assessments are possible only for auditors employed by ASEs that meet the requirements of Part A, Sections 8.1.1, 8.1.2, and 8.1.3.
Partially remote assessments are considered remote assessments and must be scheduled, and performed, taking into consideration the requirements and procedures included in this guide.
Remote assessments or partially remote assessments differ from on-site assessments only in the means used to perform the audit. All other provisions and principles remain unaltered.
The decision to perform remote assessments must be taken by both the auditor and the WLA member, taking into account the requirements documented in this section.
Remote audits can be performed only by auditors that have already conducted at least one complete on-site assessment of the WLA member. The only exception is that cited in Part A, Section 8.4 (Specific instructions for initial assessments conducted remotely).
Remote audits are not allowed if one or more of the following cases apply:
a. The audit is for an initial certification assessment (see the exception in Part A, Section 8.4).
b. The audit involves a scope extension.
c. Significant changes in products, services, or processes have occurred since the last assessment.
d. Significant changes to the buildings or facilities have occurred since the last assessment.
To perform a remote audit, a suitable Information and Communication Technology (ICT) infrastructure shall be available, allowing access to relevant information required for the assessment and guaranteeing the feasibility and efficacy of the process.
Both the auditor and the WLA member representatives shall have sound competency in the use of the ICT tools and infrastructure.
Both the auditor and the WLA member shall have a clear understanding of, and be in full compliance with, the local legislation and regulations related to confidentiality, security, and data protection.
The ICT availability and the competency of human resources must be assessed by the auditor and the WLA member prior to the decision to schedule a remote assessment.
A documented feasibility and risk analysis shall be prepared by the ASE and the auditor and be made available at the request of the WLA.
Procedure for all remote assessments
The auditor and the WLA member shall explicitly inform the WLA office when a WLA-SCS assessment is going to take place remotely, taking full responsibility for the requirements included in Part A, Section 8.1 of this guide.
The communication to the WLA shall be made through the Remote Assessment Request form (hereinafter RAR). An example of the RAR and instructions on how to complete it can be found in Annex F of this guide.
Before a remote assessment can be performed, the auditor must receive an acceptance notice from the WLA business office. It is therefore strongly recommended that the WLA business office be informed in good time to allow all the necessary checks.
If the auditor is not satisfied with the remote audit findings, the audit shall be suspended, and an on-site assessment shall be organized.
Auditors shall add their comments in the recommendation field of the AF, regarding the extent to which ICT was used, and the effectiveness of its use in achieving the audit objectives. The report should ultimately indicate which processes could not be audited and should have been audited on-site.
Any major non-conformity found during the remote assessment must be communicated to the WLA in the recommendation field of the AF and resolved within six months. The auditor shall evaluate if an on-site visit is necessary to verify the resolution of the non-conformity. Until the non-conformity is resolved, the issuing or validation of the WLA-SCS certificate will remain pending.
Specific instructions for recertification assessments conducted remotely
WLA-SCS recertification can be performed remotely only in cases where a manifestly critical situation would preclude an on-site visit. In this case, the WLA-SCS certification shall only be a provisional certification until an onsite assessment has been performed to satisfaction.
During the three-year certification cycle at least one on-site visit shall be scheduled and performed.
Specific instructions for initial assessments conducted remotely
WLA-SCS initial certifications must be performed on-site. They can be performed remotely only in cases where a manifestly critical situation would preclude an on-site visit (see the “Crisis Management Guidance for the WLA-SCS” for details) and there is a demonstrated urgency to obtain the WLA-SCS certificate. In this case, the WLA-SCS certification shall only be a provisional certification until an onsite assessment has been performed to satisfaction in the 3-year cycle.
Evidence of a critical situation or an urgency in obtaining the WLA-SCS certificate must be provided to the WLA. The WLA will then inform the auditor and the WLA member in writing as to whether the remote assessment of the initial certification is approved or denied.
The first annual review after a remote initial assessment shall be done on-site and the auditor shall audit, without exclusion, all applicable controls. If this condition is not met, the WLA-SCS certification shall remain a provisional certification until an onsite assessment has been performed to satisfaction. The second annual review after a remote initial assessment or a remote first annual review shall be done on-site and the auditor shall audit, without exclusion, all applicable controls. If this condition is not met, the certificate will be suspended.
Part B
Assessment service entities (ASEs) and auditors
Part B of the GtC contains principles and requirements for the entities and auditors providing WLA-SCS assessments.
Generic requirements
Certification of WLA members to the WLA-SCS can be conducted by experienced auditors that are employees, agents, or subcontractors of an ASE affiliated with the WLA.
Independent contractors (hereinafter collectively referred to as ASE) can also perform WLA-SCS assessments.
ASEs seeking to offer WLA-SCS assessment services must follow the rules provided for in Part B, Section 2 and must be affiliated with the WLA on entering into the non-commercial agreement called “Agreement for WLA-SCS Certification Services” (hereinafter Agreement).
ASEs
ASE requirements
An ASE seeking to offer WLA-SCS assessment services must:
a. Be an accredited entity in accordance with the ISO/IEC 17021 or ISO/IEC 27006 standards; or
b. Provide evidence to the WLA, on a case-by-case basis, that the auditors performing WLA-SCS assessments meet all the mandatory requirements specified in Part B, Section 3.1 of this guide.
To avoid any conflict of interest, the ASE cannot be a WLA associate or collaborating member that provides goods and services to the gaming industry, except in the circumstances where the services offered are restricted solely to IT security consulting and auditing services. ASEs must not provide both WLA-SCS auditing services and other goods and services to the same gaming operator and/or supplier simultaneously. Hence, when applying for approval as an ASE, any potential conflict of interest must be declared. Furthermore, the proposed ASE must demonstrate that it enforces segregation between the audit and the IT departments.
Agreement for WLA-SCS certification services
The Agreement outlines the responsibilities, obligations, and limitations of the ASE in view of their work as an assessment body for the WLA-SCS certification processes.
The Agreement must be signed and sent to the WLA prior to the ASE and/or auditor taking responsibility for performing WLA-SCS assessments of WLA members.
The Agreement must be read in conjunction with the GtC.
A copy of the Agreement can be obtained from the WLA.
ASEs’ duties and responsibilities
ASEs must assure the WLA that the ASE’s requirements specified in Part B, Section 2.1 of this guide are current, valid, and in good standing for the entire duration of the Agreement, or at least for the time that ASE’s auditors are performing WLA-SCS assessments.
ASEs are responsible for ensuring that the WLA-SCS assessments are performed by auditors that meet the requirements specified in Part B, Section 3 of this guide.
ASEs must assure the WLA that all the auditors’ requirements specified in Part B, Section 3 of this guide are current, valid and in good standing for a period sufficient to cover any planned WLA-SCS assessment.
ASEs must promptly inform the WLA of any changes that occur within the ASE, affecting the Agreement and the communication between the WLA and the ASE.
ASEs must promptly inform the WLA about any changes in the employment of their auditors who are assigned to perform WLA-SCS assessments.
ASEs must designate a representative to manage all relations with the WLA (WLA Relations Manager), and provide details of that person (name, surname, job title, email address, and telephone number/s) to the WLA. The ASE must inform the WLA immediately should any changes occur regarding the WLA Relations Manager or their details.
Reporting
ASEs must annually provide the WLA with a detailed WLA-ASE Report that confirms the compliance of the ASE with the agreement and requirements, as well as a list of the employed auditors involved in WLA-SCS assessments.
The report must be submitted by using the corresponding template available for downloading on the WLA website or directly from the WLA.
The report must be signed by the WLA Relations Manager (see Part B, Section 2.3.6 of this guide) and the ASE’s management.
Only auditors listed in the WLA-ASE Report can perform WLA-SCS assessments.
If the ASE wishes to add new auditors to those listed in the latest WLA-ASE Report, the ASE will notify the WLA of its intention, providing the name, surname, contact details, type of employment in the ASE (including territories wherein employed), and data sharing option of the new auditors, taking into consideration the mandatory requirements specified under Part B, Section 3 of this guide.
The reports and communications mentioned in Part B, Section 2.4 of this guide are supervised by the WLA office, with the active support of the WLA SRMC.
Auditors
Mandatory requirements
Auditors must have a minimum of two years’ professional experience as an ISO/IEC 27001 Lead Auditor and at least ten full ISMS audits as a team lead.
Auditors working for ASEs that are not an accredited entity in accordance with ISO/IEC 17021 or ISO/IEC 27006 must:
a. Pass the ISO/IEC 27001 Lead Auditor training.
b. Be certified as ISO/IEC 27001 Lead Auditor from a body recognized by the WLA (the official list of the recognized bodies can be requested from the WLA).
c. Receive SRMC approval as specified in Part B, Section 3.3 of this guide.
The ISO/IEC 27001 Lead Auditor certification must be held by the auditor prior to them assuming responsibility for WLA-SCS assessments.
Auditors must be actively involved in the business of information systems and risk management.
Additional requirement
Auditors who already have professional experience in the gaming sector should be given preference when selecting an auditor to perform WLA-SCS assessments.
Auditors that are designated to perform WLA-SCS assessments in the WLA-ASE Report (Part B, Section 2.4 of this guide) should participate in periodic training events organized by the WLA.
SRMC approval of auditors
Auditors who work for ASEs not accredited to ISO/IEC 17021 or ISO/IEC 27006 must receive prior approval of the SRMC.
SRMC approval must be secured before said auditors can be included in the WLA-ASE Report and conduct WLA-SCS assessments.
Applicants must visit the WLA website or contact the WLA for further information on application procedures.
Before applying, auditors must be sure that all the mandatory requirements listed in Part B, Section 3.1 of this guide are met. Upon application only relevant documents should be submitted.
Applicant submissions are reviewed and evaluated by the SRMC.
The SRMC has the discretion to request and accept on a case-by-case basis alternative evidence demonstrating the fitness of an auditor to conduct WLA-SCS assessments.
The applicant will be informed via email by the WLA about the outcome of the SRMC evaluation.
ASEs must include the name of the SRMC-approved auditors in the WLA-ASE Report (Part B, Section 2.4 of this guide).
Obligations of WLA members seeking certification
WLA members seeking WLA-SCS certification/recertification must ensure that the auditor selected or designated by the ASE to conduct the WLA-SCS assessment has valid and current credentials.
WLA members can contact the WLA to verify if the selected auditor is entitled to conduct WLA-SCS certification assessments.
WLA monitoring activity
The WLA may conduct random inspections (including desktop or remote inspections) to verify compliance with the rules provided in Part B, Sections 1, 2, and 3 of this guide.
During inspections, ASEs and entities being assessed are obliged to fully cooperate with the inspection, including the provision of any and all information requested.
Invalidity clauses
Non-compliance with Part B, Sections 1 and 3.1 of this guide renders any assessments invalid and will delay issuance of the WLA-SCS certificates.
ASEs that fail to comply with the GtC and the signed Agreement may be subject to the cancellation of the Agreement with the WLA, depending on the severity of the non-compliance. The decision is taken by the WLA in conjunction with the SRMC.
Annex A
Assessment resource estimation
Mindful of fair competition within a free market, the WLA SRMC presents this guidance as a means of providing a common level of assurance with regard to available resources for conducting a WLA-SCS assessment, and to ensure a consistent certification scheme. In so doing, the WLA SRMC hopes to maintain member confidence and to create a level playing field among ASEs and auditors.
In that spirit, the table shown here may serve to determine the duration of an assessment at a given lottery or gaming organization. The estimate is based on the size of the WLA member to be audited in terms of the number of the staff it employs.
It should be noted that the present guidance does not exempt ASEs and auditors from the responsibility for establishing the needed resources and for defining the timeframe for adequately conducting WLA-SCS assessments, both on-site and remotely. The present table pertains to on-site assessments only.
Size of the WLA member (full-time staff equivalent, excluding retailer) | Initial Certification Assessment | Annual Review Assessment | Recertification Assessment |
≤ 200 | 2.5 days | 1.5 days | 2.5 days |
200–500 | 3.5 days | 1.5 days | 3.5 days |
≥ 500 | 3.5 days | 2.5 days | 3.5 days |
Annex B
Declaration of Assessment Form (DoAF)
Pursuant to Part A, Section 5.2.4 of this guide, before any type of certification assessment starts, the selected auditors must complete the DoAF notifying the WLA of their intention to conduct a WLA-SCS certification assessment of a WLA member.
The DoAF must be filled out in all its parts and signed by the auditor and by a representative of the WLA member to be audited.
The completed DoAF must be sent by email to the WLA at: security@world-lotteries.org
Delays in sending the DoAF or the submission of incomplete DoAFs will impede the delivery of the WLA-SCS certificate.
Instruction for completion of the DoAF:
- WLA Member: Refers to the complete name of the WLA Member to be assessed.
- Address: Refers to the address of the WLA member’s headquarters. If necessary, all the relevant documents will be delivered to this address. If the delivery address differs from that of the headquarters, please include the delivery address in this field as well.
- Contact person: Refers to the WLA member’s representative responsible for the WLA-SCS certificate. Typically, it is the CIO or CISO of the company or entity.
- Email address: Refers to the email address of the contact person.
- Phone number: Refers to the phone number of the contact person, either office or mobile number.
- WLA-SCS certificate number: Refers to the WLA-SCS certificate serial number. If the WLA member doesn’t have a WLA-SCS certificate yet or if the previous certificate is not identified by a serial number, this space can be left blank.
- WLA-SCS expiry date: Refers to the expiry date of the WLA-SCS certificate. If the WLA member does not yet have a WLA-SCS certificate, this space can be left blank.
- ISO/IEC 27001 certificate number: Refers to the ISO/IEC 27001 certificate serial number. If the WLA member does not yet have an ISO/IEC 27001 certificate, this space can be left blank. For WLA members requesting the WLA-SCS Level 1 certificate, this section should be left blank.
- ISO/IEC 27001 expiry date: Refers to the ISO/IEC 27001 expiry date. If the WLA member does not yet have an ISO/IEC 27001 certificate, this space can be left blank. At any rate, details of the ISO/IEC 27001 certificate must be provided together with the AF in order to finalize the WLA-SCS certificate release.
- ISO/IEC 27001 certifying body: Refers to Assessment Entity in charge of the ISO/IEC 27001 certificate release. If the WLA member does not yet have an ISO/IEC 27001 certificate, this space can be left empty. At any rate, details of the ISO/IEC 27001 certificate must be provided together with the AF in order to finalize the WLA-SCS certificate release.
- ASE: Refers to the name of the ASE employing the auditor selected to perform the WLA-SCS assessment.
- Address: Refers to the address of the ASE’s headquarters.
- Auditor: Refers to the name and surname of the auditor/s in charge of the WLA-SCS assessment.
- Email address: Refers to the email address/es of the auditor/s.
- Telephone number/s: Refers to telephone number/s of the auditor/s.
- Type of assessment: Refers to the type of assessment scheduled. It can be an initial certification, recertification, or annual review assessment. Details can be found in Part A of this guide.
- Type of certificate requested: Refers to the type of certificate requested. For more information please refer to Part A of this guide.
- Standard used: Refers to the version of controls used during the assessment. The version WLA-SCS:2020 will be available until October 2026.
- Intended date/s of the assessment: Refers to the dates on which the WLA-SCS assessment is scheduled to take place.
- Number of premises in the scope: Refers to the total number of premises included in the scope of the WLA-SCS certificate.
- The assessment foresees a physical visit to all the premises: If the WLA-SCS assessment does not foresee a physical visit to all the sites included in the WLA-SCS scope, clarify the reason here.
- Additional notes and communications: This space can be used by the auditor to specify any additional details to be communicated to the WLA.
- Signatures: Refers to the dates and signatures of the auditor in charge of the assessment and the WLA member’s representative.
WLA-SCS Declaration of Assessment Form
Notification of pending assessment
Annex C
Assessment Form (AF)
Pursuant to Part A, Section 5.2.6 of this guide, upon completion of the certification audit, the auditor must fill out the AF providing all the necessary information for the assessment-outcome evaluation and the preparation of the WLA-SCS certificate.
All parts of the AF must be filled out and signed by the auditor. With his/her signature, the auditor assumes all responsibility for what is declared in the AF.
The completed AF must be sent by email to the WLA at: security@world-lotteries.org
Delays in sending the AF or the submission of incomplete AFs will impede the delivery of the WLA-SCS certificate.
Instruction for completion of the AF:
- Type of assessment: Refers to the type of assessment scheduled. It can be an initial certification, recertification, or annual review assessment. Details can be found in Part A of this guide.
- Type of certificate requested: Refers to either the WLA-SCS Level 1 certificate or the WLA-SCS Level 2 certificate. Details can be found in Part A of this guide.
- WLA Member: Refers to the complete name of the WLA Member to be printed on the WLA-SCS certificate.
- Address of premises included in the WLA-SCS scope: Refers to the entire list of premises, and their corresponding addresses, included in the WLA-SCS scope. The list of premises will be printed on the WLA-SCS certificate as written in this field.
- WLA-SCS scope: Refers to the scope of the WLA-SCS certification as it will be stated on the WLA-SCS certificate.
- WLA-SCS reference number: Refers to the serial number of WLA-SCS certificate; a feature introduced as part of the WLA-SCS:2024 release. If the reference number has not been assigned, leave the space blank.
- WLA-SCS initial certification: Refers to the date of the initial release of the WLA-SCS certificate.
- WLA-SCS latest revision: Refers to the latest date of WLA-SCS certificate release.
- WLA-SCS expiry date: Refers to the end of validity of the WLA-SCS certificate.
- ASE: Refers to the name of the ASE employing the auditor that performed the WLA-SCS assessment.
- ASE’s address: Refers to the address of the ASE headquarters.
- ISO/IEC 27001 scope: Refers to the scope of the ISO/IEC 27001 certification as written on the valid ISO/IEC 27001 certificate.
- ISO/IEC 27001 reference number: Refers to the serial number of the ISO/IEC 27001 certificate.
- ISO/IEC 27001 latest revision: Refers to the latest date of ISO/IEC 27001 certificate release.
- ISO/IEC 27001 expiry date: Refers to the end of validity of the ISO/IEC 27001 certificate.
- For each control listed in the AF, specify if it has been “Audited”, “Not Audited” or if it is “Not Applicable”.
- If there are G controls that are not applicable, specify the reasons for non-applicability in the recommendation field.
- Auditor’s recommendations: In the recommendation field the auditor must state the outcome of the WLA-SCS assessment and declare whether WLA-SCS certification should be granted or declined.
If any of the premises in the scope were not physically visited, the auditor must provide the reason for the exclusion in this section, as well as any information about controls that were excluded.
Based on the auditor’s recommendation, the WLA either grants or declines the WLA-SCS certificate.
WLA-SCS:2024
Assessment Form
Annex D
The WLA-SCS:2024 certificate
WLA-SCS:2024 Level 1 certification offers a ground-level entry to the WLA-SCS for WLA Regular Members who may need a more graded approach to certification. For Level 1 certification, WLA Regular Members must satisfy all applicable controls of WLA-SCS:2024 but ISO/IEC 27001 certification is not a prerequisite. Level 1 certification is not open to WLA Associate Members (suppliers to the gaming industry).
WLA-SCS:2024 Level 2 certification is for WLA Regular Members and WLA Associate Members ready to meet the full scope of certification requirements laid out by the WLA Security and Risk Management Committee (SRMC); these include, among others, satisfying the requirements of the ISO/IEC 27001 certification for information security management. The current edition (2022), or the most recent version of the standard applies.
Certificate Request Form*
Annex F
Remote Assessment Request Form (RAR)
Pursuant to Part A, Section 8 of this guide, upon scheduling a WLA-SCS remote assessment, the auditor shall explicitly and immediately inform the WLA office through the Remote Assessment Request form (RAR).
The RAR must be filled out in all its parts and signed by the auditor and by a representative of the WLA member to be audited. With the signature, the auditor and the WLA member representative assume all responsibility for what is declared in the RAR.
The completed RAR must be sent by email to the WLA at: security@world-lotteries.org
Delays in sending the RAR or the submission of incomplete RARs will impede the recognition of the WLA-SCS assessment and the delivery of the WLA-SCS certificate.
Instruction for completion of the RAR:
- WLA Member: Refers to the complete name of the WLA Member to be assessed.
- WLA-SCS certificate number: Refers to the WLA-SCS certificate serial number. If the WLA member doesn’t have a WLA-SCS certificate yet or if the previous certificate is not identified by a serial number, this space can be left blank.
- WLA-SCS expiry date: Refers to the expiry date of the WLA-SCS certificate. If the WLA member does not yet have a WLA-SCS certificate, this space can be left blank.
- Type of assessment: Refers to the type of assessment scheduled. It can be an initial certification, recertification, or annual review assessment. Note that remote audits for initial certifications are available only in cases of demonstrable urgency. Details can be found in Part A, Section 8 of this guide.
- Number of premises in the scope: Refers to the total number of premises included in the scope of the WLA-SCS certificate.
- Address of premises in the scope: Refers to the list of premises, and their corresponding addresses, included in the WLA-SCS scope.
- Intended date/s of the assessment: Refers to the dates on which the WLA-SCS assessment is scheduled to take place.
- Signatories confirm that: Refers to the mandatory requirements contained in this guide, necessary to perform a remote audit. The list is mandatory, and all the boxes shall be selected to validate the remote audit request. If one or more points in the list cannot be selected, the remote audit request is invalid, and the audit cannot be recognized.
- Assessment Service Entity: Refers to the name of the ASE employing the auditor selected to perform the WLA-SCS assessment.
- Signatures: Refers to the dates and signatures of the auditor in charge of the assessment and the WLA member’s representative.
- Auditor: Refers to the name and surname of the auditor/s in charge of the WLA-SCS assessment. The name must be followed by the date and signature of the auditor.
- WLA member’s representative: Refers to the name and surname of the WLA member’s representative responsible for the WLA-SCS certificate. The name must be followed by the date and signature of the representative.
WLA-SCS
Remote Assessment Request Form
Any reproduction of WLA material is strictly prohibited.
Guide to Certification for the WLA Security Control Standard – © WLA 2024 – Publication: October 2024, Version 9.