{"id":10171,"date":"2023-09-22T18:04:00","date_gmt":"2023-09-22T17:04:00","guid":{"rendered":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/security\/?post_type=gsma_theme_resources&p=10171"},"modified":"2026-04-09T12:03:50","modified_gmt":"2026-04-09T11:03:50","slug":"guidelines-for-quantum-risk-management-for-telco-pq-02","status":"publish","type":"gsma_theme_resources","link":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/security\/gsma_resources\/guidelines-for-quantum-risk-management-for-telco-pq-02\/","title":{"rendered":"Guidelines for Quantum Risk Management for Telco (PQ.02)"},"content":{"rendered":"\n

Cryptographically Relevant Quantum Computers (CRQC) pose new threats to telecommunication systems and significant new cybersecurity challenges, because they disrupt widely used encryption algorithms and protocols.<\/p>\n\n\n\n

The overall objective is to ensure that key stakeholders and business owners have the information required to make proportionate decisions in Quantum Risk Management (QRM) in the right timeframes. We believe that a Quantum Cryptanalytic Risk Assessment (QCRA) for Telco is a critical methodology that supports Telecommunication Service Providers and the extended Telecommunication supply chain building a multi-year plan to address quantum risk.<\/p>\n\n\n\n

Given the complexity and breadth of the impacts on current cryptography related to both legacy and future cybersecurity capabilities used in Telecommunication environments, an important element of proactive threat management is the ability to identify, evaluate and prioritise risks on an ongoing basis.<\/p>\n\n\n\n

Improving education and awareness about Quantum Computing, building skills and knowledge, are important aspects for all organisations in creating an effective Quantum Risk Management (QRM) capability.<\/p>\n\n\n\n

This document provides an analysis of how some common risk assessment frameworks can be adapted specifically for a Cryptanalytic Risk Assessment for Telco, using telco relevant use cases as examples.<\/p>\n\n\n\n

The recommendation is to consider relevant risk assessment methodologies as part of the overall risk framework.<\/p>\n\n\n\n

\u201cA Methodology for Quantum Risk Assessment\u201d and \u201cCrypto Agility Risk Assessment Framework (CARAF)\u201d are two examples of Quantum Cryptanalytic Risk Assessment (QCRA), while the NIST Risk Management Framework [2] and ISO\/IEC 27000 [1] can be adapted to address quantum risk.<\/p>\n\n\n\n

Common considerations across risk assessment frameworks and a QCRA include: definition of roles and responsibilities, threat identification, asset and cryptographic inventory, impact calculation, and control selection.<\/p>\n\n\n\n

Two attacks should be considered for threat identification:<\/p>\n\n\n\n