SAS certification (SAS-UP and SAS-SM)
The GSMA operate a Security Accreditation Scheme (SAS).
Companies wishing to manufacture eUICCs must get their site accredited to SAS-UP (SAS for UICC Production), while those wishing to program eUICCs must get their site accredited to SAS-SM.
The schemes are in place mainly to ensure that the highly sensitive Profiles from the MNOs are secure. They have components of ISO 27001 to ensure that an ISMS (Information Security Management System) and BCP (Business Continuity Plan) are in place. In addition, they require that all of these procedures are operated in a High Security Area (HSA), over a secure network, by trained personnel who comply with strict HR policies.
The GSMA currently use two outside companies to conduct the audits for SAS-UP: FML and ChaseWaterford.
For SAS-SM they use NCC Group and SRC Security Research & Consulting GmbH.
The audit usually takes about a week and is performed by both auditors.
A provisional approval is given once the site is able to demonstrate that it has all of the processes in place to meet the requirements but is not yet operating with real customers. This is sometimes called a ‘dry audit’. Another audit is conducted up to 9 months after provisional approval to finalise the certification. This is sometimes called a ‘wet audit’.
A list of SAS accredited sites is available on the GSMA website.