Security Accreditation Scheme (SAS)

Thursday 25 Jul 2019 | Build |

The GSMA’s Security Accreditation Scheme (SAS) enables mobile operators, regardless of their resources or experience, to assess the security of their UICC and eUICC suppliers, and of their eUICC subscription management service providers. Two schemes operate under SAS:

  • SAS for UICC Production (SAS-UP): This is a well-established scheme through which UICC and eUICC manufacturers subject their production sites and processes to a comprehensive security audit. Successful sites are awarded security accreditation for a period of one year, extending to two further years upon each successful renewal. This scheme has accredited some of the industry’s largest suppliers. GSMA also provides advice to its members on how to benefit from SAS-UP.
  • SAS for Subscription Management (SAS-SM): To ensure industry confidence in the security of remote provisioning for eUICCs, a related security auditing and accreditation scheme exists for the providers of eUICC subscription management services.

Audience: Technical security practitioner, Risk practitioner, Auditor

Resource technology specifics: Host virtualisation, Generic, Enterprise network, UICC/eUICC/iUICC

Resource type: Process or procedure

Resource enforcement: Voluntary

Resource certification type: Third-party audit

Advantage Disadvantage

  • Demonstrates commitment to security and reduces risks for customers
  • Leads to fewer individual operator inspections
  • Provides certification from the world’s leading wireless industry representative body
  • Delivers a world-class security review of operations
  • Offers a uniform approach to security audits
  • Part of GSMA remote SIM provisioning compliance scheme for eUICC production and subscription management


  • No need to spend money and time conducting individual audits
  • Audits are conducted by highly-qualified individuals at no cost to the operator
  • The scheme sets a rigorous security standard requiring a high-level of supplier commitment
  • Offers peace of mind that suppliers have implemented appropriate security measures

  • Up-front and ongoing cost of investment in compliant security controls and certification


  • Visibility of certification status only; no first-hand view of security controls
  • SAS requirements may not provide coverage of bespoke operator requirements.
Read more about SAS