GSMA SAS

Compliance

GSMA Security Accreditation Scheme -- a certification program for SIM card manufacturers, eSIM platform operators, and personalization bureaus. SAS-UP covers UICC production security and SAS-SM covers subscription management platform security, ensuring the integrity of telecom credentials throughout the supply chain.

Also known as: SAS-UP, SAS-SM, Security Accreditation Scheme

GSMA SAS -- Security Accreditation for SIM/eSIM Manufacturing

The GSMA Security Accreditation Scheme (SAS) is a certification program that audits and accredits organizations involved in the production and management of SIM cards, eSIM/eUICC platforms, and telecom credentials. SAS ensures the integrity and confidentiality of sensitive subscriber data -- including cryptographic keys (Ki, OPc), IMSI values, and operator profiles -- throughout the manufacturing and provisioning supply chain.

Accreditation Tracks

GSMA SAS operates two primary accreditation tracks. SAS-UP (UICC Production) covers the physical manufacturing, electrical personalization, and graphical personalization of SIM cards, evaluating physical site security, personnel vetting, key management procedures, production line integrity, and data handling controls. SAS-SM (Subscription Management) covers SM-DP+ and SM-SR platform operators, evaluating the security of remote profile generation, storage, and delivery for eSIM devices. Both tracks require annual surveillance audits and full re-accreditation every three years.

Audit Scope

A SAS audit examines multiple security domains. Physical security includes perimeter protection, access control, CCTV, and secure destruction of waste materials containing sensitive data. Logical security covers HSM management, key ceremony procedures, key diversification algorithms, and network segmentation between production and corporate systems. Personnel security includes background checks, security awareness training, and separation-of-duties enforcement. Data handling covers the encryption of personalization data files in transit and at rest, chain-of-custody for finished cards, and audit trail completeness.

Industry Significance

Mobile network operators typically require their SIM suppliers to maintain GSMA SAS accreditation as a contractual condition. Without SAS certification, a personalization bureau cannot receive operator key material and therefore cannot produce SIM cards for that operator. For eSIM ecosystems, SAS-SM accreditation of the SM-DP+ platform is required before operators will entrust their profile packages to the platform. Major accredited facilities include Thales, IDEMIA, Giesecke+Devrient, and Valid -- the same vendors that dominate the global SIM and eSIM manufacturing market.

Frequently Asked Questions

The smart card glossary is a comprehensive reference of technical terms, acronyms, and concepts used in smart card technology. It covers protocols (APDU, T=0, T=1), security (Common Criteria, EAL, HSM), hardware (SE, EEPROM, contact pad), and applications (EMV, ePassport, eSIM). It serves developers, product managers, and engineers.

Yes. SmartCardFYI provides glossary definitions in 15 languages including English, Korean, Japanese, Chinese, Spanish, Portuguese, Hindi, Arabic, French, Russian, German, Turkish, Vietnamese, Indonesian, and Thai.