The Gambling Commission requires that remote gambling licence holders get annual ISO 27001 security audits done. This needs to cover a specific subset of ISO 27001 controls, which are listed in section five of the Remote Gambling and Software Technical Standards document.
The specific subset focuses on access control, communications and operations, and software development, rather than all of the sections; for example, there is no specific requirement for business continuity or compliance.
ISO 27001 as a whole does not specifically state that penetration testing is a requirement for certification, whether it is external, internal or application penetration testing. Penetration testing is stated in the ISO 27002 guidance in 15.2.2 for technical compliance checking, however this is only guidance. You can also consider penetration testing, especially application penetration testing, to meet the requirements of clause A.10.9.1 electronic commerce; a penetration test can certainly help you determine whether a web application is protected from fraudulent activity or unauthorized disclosure.
For a full information security management system based on all of the requirements of ISO 27001, a certification auditor would likely require a penetration test if there were significant network or application assets exposed to the Internet, or if the business was largely based on the provision of online services. Penetration testing may already be required for compliance reasons, such as PCI DSS, which requires annual penetration tests. The risk assessment should determine whether assets that may require testing are significant, and whether there is an unacceptable risk.
For the Gambling Commission specific clauses of ISO 27001, there is no clause A.15.2.2 for technical compliance checking, only A.10.9.1 electronic commerce. Providing online services is a key part of remote gambling, and it is very likely that these web applications would be a target for fraud and unauthorized access to personal information. An ISO 27001 auditor should interview developers, review the application design and sample application code, and should also review a penetration test report that demonstrates that a thorough manual assessment of the web application has been carried out.
In conclusion, a penetration test of the system in scope should be a requirement for the Gambling Commission ISO 27001 annual audit.