Category: eUICC certification

Describes certification schemes for GSMA-compliant eSIMs.

eUICC and RSP certification

Several bodies are involved in certifying the different elements of GSMA-compliant eUICC applications.

The GSMA operate a scheme called the Security Accreditation Scheme (SAS), which certifies the sites of organisations that provide Remote SIM Provisioning services. Details of the scheme and a list of approved sites are available on their website.

GlobalPlatform tests and lists the actual certified eUICC chips on their website. Select “eUICC” from the drop-down to see the eUICCs that are currently approved.

The Global Certification Forum (GCF) operates a scheme to certify RSP compliance of consumer devices, the details of which are available on their website.

SAS certification (SAS-UP and SAS-SM)

The GSMA operate a Security Accreditation Scheme (SAS).

Companies wishing to manufacture eUICCs must get their site accredited to SAS-UP (SAS for UICC Production), while those wishing to program eUICCs must obtain SAS-SM accreditation for their site.

The schemes are in place mainly to ensure that the highly sensitive Profiles from the MNOs are secure. They include components of ISO 27001 to ensure that an ISMS (Information Security Management System) and a BCP (Business Continuity Plan) are in place. In addition, they require that all of these procedures are operated in a High Security Area (HSA), over a secure network, by trained personnel who comply with strict HR policies.

The GSMA currently use two outside companies to conduct the audits for SAS-UP: FML and ChaseWaterford.

For SAS-SM they use NCC Group and SRC Security Research & Consulting GmbH.

The audit usually takes about a week and is performed by both auditors.

Provisional approval is given once the site is able to demonstrate that it has all of the processes in place to meet the requirements but is not yet operating with real customers. This is sometimes called a ‘dry audit’. Another audit is conducted up to 9 months after provisional approval to finalise the certification. This is sometimes called a ‘wet audit’.

A list of SAS-accredited sites is available on the GSMA website.