这是用户在 2024-6-11 16:30 为 https://app.immersivetranslate.com/word/ 保存的双语快照页面,由 沉浸式翻译 提供双语支持。了解如何保存?


Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology

Security Accreditation Scheme for UICC Production - Methodology
UICC生产安全认可计划 - 方法论

Version 10.1
版本 10.1

12 April 2023

Security Classification: Non-confidential

Access to and distribution of this document is restricted to the persons permitted by the security classification. This document is subject to

copyright protection. This document is to be used only for the purposes for which it has been supplied and information contained in it must not be disclosed or in any other way made available, in whole or in part, to persons other than those permitted under the security classification without

the prior written approval of the Association.

Copyright Notice

Copyright © 2023 GSM Association
版权所有 © 2023 GSM 协会


The GSM Association (“Association”) makes no representation, warranty or undertaking (express or implied) with respect to and does not accept any responsibility for, and hereby disclaims liability for the accuracy or completeness or timeliness of the information contained in this document. The information contained in this document may be subject to change without prior notice.

Compliance Notice

The information contain herein is in full compliance with the GSM Association’s antitrust compliance policy.

This Permanent Reference Document is classified by GSMA as an Industry Specification, as such it has been developed and is maintained by GSMA in accordance with the provisions set out in GSMA AA.35 - Procedures for Industry Specifications.
本永久参考文件被GSMA归类为行业规范,因此由GSMA根据GSMA AA.35 - 行业规范程序中的规定制定和维护。

V10.1 Page 1 of 63


Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

Table of Contents

1 Introduction 5
1 引言 5

1.1 Overview 5
1.1 概述 5

1.2 Scope 5
1.2 范围 5

1.3 Intended Audience 5
1.3 目标受众 5

1.4 Language 5
1.4 语言 5

1.5 Definitions 6
1.5 定义 6

1.6 Abbreviations 8
1.6 缩略语 8

1.7 References 8
1.7 参考资料 8

2 Participants 9
2 参与者 9

2.1 Auditee 9
2.1 被审计方 9

2.2 Audit Team 9
2.2 审计组 9

2.2.1 Observing Auditor 9
2.2.1 旁听审计师 9

2.3 SAS Group 10
2.3 SAS 组 10

2.4 Audit Management 11
2.4 审计管理 11

2.5 Participant Relationships 11
2.5 参与者关系 11

3 Audit Process 13
3 审计流程 13

3.1 Audit Setup 13
3.1 审计设置 13

3.1.1 Audit Request 13
3.1.1 审计请求 13

3.1.2 Confirmation of Audit Date 13
3.1.2 确认审计日期 13

3.1.3 Contract 13
3.1.3 合同 13

3.2 Audit Preparation (off-site) 13
3.2 审核准备(场外) 13

3.2.1 Audit Agenda 13
3.2.1 审计议程 13

3.2.2 Audit Pre-requisites 14
3.2.2 审计先决条件 14

3.3 Audit Process (on-site) 14
3.3 审核流程(现场) 14

3.3.1 Presentation and Documentation for the Audit Team 14
3.3.1 审计组的列报和文件编制 14

3.3.2 Information collection 14
3.3.2 信息收集 14

3.3.3 Assessment of compliance 14
3.3.3 遵守情况评估 14

3.3.4 Preparation of the Audit Report 15
3.3.4 审计报告的编制 15

3.3.5 Presentation of the Audit Results 15
3.3.5 审计结果的列报 15

3.4 Distribution of the Audit Report 15
3.4 审计报告的分发 15

3.5 Certification 16
3.5 认证 16

3.6 Appeal 16
3.6 上诉 16

3.7 Notification and Publication of Certification 16
3.7 认证的通知和公布 16

4 Certification Process 17
4 认证流程 17

4.1 Certification Process 17
4.1 认证流程 17

4.2 Certification Period 17
4.2 认证期限 17

4.3 Duration of Certification 18
4.3 认证期限 18

4.3.1 Standard durations 18
4.3.1 标准工期 18

4.3.2 Exceptions 19
4.3.2 例外 19

4.3.3 Minimum period of certification 19
4.3.3 最短认证期限 19

4.3.4 Extension of the period of certification 19
4.3.4 延长认证期限 19

5 Scope of certification 20
5 认证范围 20

V10.1 Page 2 of 63
V10.1 第 2 页,共 63 页


Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

5.1 Provisional Certification 20
5.1 临时认证 20

5.1.1 Provisional Certification Process 20
5.1.1 临时认证流程 20

5.1.2 Provisional Certification Period 21
5.1.2 暂定认证期 21

5.1.3 Duration of Provisional Certification 21
5.1.3 临时核证期限 21

5.1.4 Duration of Provisional Certification Audits 22
5.1.4 临时认证审核的期限 22

5.2 Auditing and Certification of Supporting Sites 22
5.2 支持站点的审核和认证 22

5.2.1 Definition 22
5.2.1 定义 22

5.2.2 Auditing and Certification Approach 23
5.2.2 审核和认证方法 23

Centralised or Outsourced IT Services 23
集中或外包的IT服务 23

5.3 Management of PKI Certificates 24
5.3 PKI证书的管理 24

6 Audit Report Scoring and Assessment 26
6 审计报告评分与评估 26

6.1 Audit Result 26
6.1 审计结果 26

7 Maintaining SAS Compliance 28
7 维护 SAS 合规性 28

7.1 Notifiable Events for PKI certificate management 28
7.1 PKI 证书管理的通报事件 28

7.2 Examples of other Notifiable Events 28
7.2 其他须予通报的事件例子 28

7.2.1 What should be Notified 29
7.2.1 应通知的内容 29

7.2.2 What Would not Normally Require Notification: 29
7.2.2 通常不需要通知的内容: 29

8 Costs 30
8 费用 30

8.1 First Audit or Renewal Audit 30
8.1 首次审计或续期审计 30

8.2 Audit of Small and Large Sites, and Sites with Limited Scope 31
8.2 小型和大型站点以及范围有限的站点的审核 31

8.3 Audit of Central / Corporate Functions 31
8.3 中央/公司职能的审计 31

8.4 Repeat Audit 31
8.4 重复审计 31

8.5 Off-Site Review of Improvements 32
8.5 改进的场外审查 32

8.6 Cancellation Policy 33
8.6 取消政策 33

8.7 Appeals 33
8.7 上诉 33

Annex A Sample audit agenda 34
附件A 审计议程样本 34

Annex B Audit modules 35
附件B 审计单元 35

B.1 Audit modules 35
B.1 审计单元 35

Annex C Sample required documents list 47
附件 C 所需文件清单样本 47

C.1 Document List 47
C.1 文件清单 47

C.1.1 Security Management System (modules B, C) 47
C.1.1 安全管理系统(B、C单元) 47

C.1.2 Key Management (modules J, K) 47
C.1.2 密钥管理(模块 J、K) 47

C.1.3 Production (modules O, P) 47
C.1.3 生产(模块O、P) 47

C.1.4 Human Resources (module D) 47
C.1.4 人力资源(D单元) 47

C.1.5 Security Internal Audit System (module U) 48
C.1.5 安全内部审计系统(模块U) 48

Annex D Collection of information 49
附件D 资料收集 49

Information 49
信息 49

Annex E Assessment of compliance 52
附件 E 遵约评估 52

E.1 Audit assessment and compliance 52
E.1 审计评估和遵守情况 52

Annex F Final Audit Report Structure 56
附件F 最终审计报告结构 56

F.1 First Page: 56
F.1 首页: 56

F.2 Following Pages: 56
F.2 以下页数:56

Annex G Data Processing Audit 59
附件 G 数据处理审计 59

G.1 Before the Audit 59
G.1 审计前 59

V10.1 Page 3 of 63
V10.1 第 3 页,共 63 页

G.1.1 Preparation 59
G.1.1 准备工作 59

G.1.2 Key Exchange 59
G.1.2 密钥交换 59

G.1.3 Input File Exchange 60
G.1.3 输入文件交换 60

G.1.4 Processing of Input File 1 60
G.1.4 输入文件的处理 1 60

G.1.5 Output File Exchange 60
G.1.5 输出文件交换 60

G.1.6 Timescales 60
G.1.6 时间表 60

G.2 During the Audit 60
G.2 审计期间 60

G.2.1 Review of Key Exchange 60
G.2.1 密钥交换审查 60

G.2.2 Review of Input File 1 Processing 60
G.2.2 输入文件审查 1 处理 60

G.2.3 Demonstration of Input File 2 Processing 61
G.2.3 输入文件 2 处理演示 61

G.3 After the Audit 61
G.3 审计后 61

Annex H Document Management 62
附件 H 文件管理 62

H.1 Document History 62
H.1 文件历史 62

H.2 Other Information 63
H.2 其他信息 63

V10.1 Page 4 of 63
V10.1 第 4 页,共 63 页


Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

1 Introduction
1 引言

1.1 Overview
1.1 概述

The GSMA Security Accreditation Scheme (SAS) for UICC Production (SAS-UP) is a

scheme through which UICC suppliers subject their production Sites to an Audit. The

purpose of the Audit is to ensure that UICC suppliers have implemented adequate security measures to protect the interests of mobile network operators (MNOs).

Audits are conducted by specialist Auditing Companies over a number of days, typically in a single Site visit. The Auditors will check compliance against the GSMA SAS-UP Standard[1]
审核由专业审核公司在几天内进行,通常在一次现场访问中进行。审核员将检查是否符合GSMA SAS-UP标准[1]

and the requirements specified in[3]by various methods such as document review

interviews and tests in specific areas. Sites that demonstrate compliance with the SAS-UP Standard are certified by the GSMA.

NOTE: All references to UICCs and UICC suppliers in this document apply equally
注意:本文档中对 UICC 和 UICC 供应商的所有引用均适用

to eUICCs and eUICC suppliers unless specifically stated otherwise.
除非另有特别说明,否则向 eUICC 和 eUICC 供应商提供。

1.2 Scope
1.2 范围

This scope of this document covers:

• SAS-UP participating stakeholders and their roles
• SAS-UP参与的利益攸关方及其作用

• Processes for arrangement and conduct of an SAS-UP Audit
• SAS-UP审计的安排和实施流程

Audit scoring and Audit Report structure
• 审计评分和审计报告结构

• Certification and Provisional Certification Processes
• 认证和临时认证程序

SAS-UP costs
• SAS-UP成本

1.3 Intended Audience
1.3 目标受众

• Security professionals and others within UICC supplier organisations seeking to obtain accreditation for Sites under SAS-UP.
• UICC供应商组织内寻求获得SAS-UP站点认证的安全专业人员和其他人员。

• Security professionals and others within organisations seeking to procure UICCs
• 寻求采购 UICC 的安全专业人员和组织内的其他人

SAS Group members
• SAS集团成员

•核 数 师

1.4 Language
1.4 语言

The language of the scheme is English.

The language of the scheme will be used for the management and administration of the scheme itself, and for the Audit Process.

The Audit will, in all cases, be conducted in the language of the scheme. The Auditee is responsible to ensure that documents are available in the language of the scheme, as described inAnnex C. .Other documents may be in a language other than English but translation facilities should be available during the conduct of the Audit.

Where it is likely to be difficult to conduct Audit discussions with personnel in English,

Auditees should arrange for one or more translators with knowledge of the business and subject matter to be available to the Audit Team.

V10.1 Page 5 of 63
V10.1 第 5 页,共 63 页


Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

1.5 Definitions
1.5 定义



Appeals Board

Two Auditors, one each from different GSMA selected Auditing

Companies who consider and rule on appealed Audit Results. Auditors for the SAS-UP Appeals Board will be drawn from the SAS-SM Auditing Companies and vice versa.


The SAS audit carried out by the Audit Team at the Auditee’s Site.

Audit Management

A GSMA team, as described in2.4, which:

• Manages the scheme documentation.
• 管理计划文档。

Appoints the Auditing Companies
• 任命审计公司

Administers SAS-UP
• 管理 SAS-UP

• Monitors and assures the quality and consistency of the Audit Process and Audit Team
• 监督并确保审计流程和审计团队的质量和一致性

• Issues Certificates to those Sites that the Audit Team assesses as compliant with the requirements.
• 向审核小组评估为符合要求的站点颁发证书。

Audit Process

The overall process followed by the Audit Management and Audit Team to deliver the Audit, as defined in section3.
审计管理层和审计团队执行审计的整个过程,如第 3 节所定义。

Audit Report, Audit

Result, Audit Summary and Auditors’


As defined inAnnex A.

Audit Team

Two Auditors, one each from different GSMA selected Auditing

Companies, jointly carrying out the Audit on behalf of the GSMA, as described in2.1.


An entity involved in the production of UICCs that is seeking SAS-UP certification of its Sites, as described in2.1.
参与生产 UICC 的实体,正在寻求对其站点进行 SAS-UP 认证,如 2.1 所述。

Auditing Companies

Companies appointed by the GSMA to provide Auditors.


A person qualified to perform SAS-UP audits.


Certificate issued by the GSMA to the Auditee following demonstration of compliance by the Site with the SAS requirements specified in[3].

Certification Process,

Certification Period and Duration of Certification

As defined in section4.
如第 4 节中所定义。

Dry Audit, and Wet Audit

As defined in section5.
如第 5 节中所定义。


A removable or non-removable UICC which enables the remote and/or local management of Profiles in a secure way.
可移动或不可移动的 UICC,可以安全的方式远程和/或本地管理配置文件。

Note: The term originates from “embedded UICC”
注意:该术语源自“嵌入式 UICC”

Full Certification

SAS certification of Site controls in live operation.

PKI Certificate Management
PKI 证书管理

The process of:

• Securely generating a key pair and certificate signing request and submitting this to a recognised certificate authority / issuer
• 安全地生成密钥对和证书签名请求,并将其提交给公认的证书颁发机构/颁发者

• Securely storing the key pair and certificate and making them available under appropriate control for the generation of eUICC certificates.
• 安全地存储密钥对和证书,并在适当的控制下使它们可用于生成 eUICC 证书。

V10.1 Page 6 of 63
V10.1 第 6 页,共 63 页



The definition refers only to the management of the key pair and certificate. The process of generating individual eUICC device
该定义仅涉及密钥对和证书的管理。生成单个 eUICC 设备的过程

certificates is included within the definition of “Generation of Data for Personalisation” for eUICCs.
证书包含在 eUICC 的“生成个性化数据”的定义中。

Primary Site

See Site


A combination of data and applications to be provisioned on an eUICC for the purpose of providing services.



Provisional Certification Process, Provisional

Certification Period and Duration of Provisional Certification

As defined in section5.
如第 5 节中所定义。

Renewal Audit

Audit performed towards the end of a period of SAS certification to check continued compliance by the Site with the SAS requirements and provide the basis for a decision to award further SAS certification.


Audit performed to confirm that updated controls implemented by the

Auditee following non-compliances found at an earlier Audit are sufficient to satisfy the SAS requirements.

SAS Group

A group of GSMA members and staff (including the Audit Management) that, together with the SAS Auditors, is responsible for maintenance and development of the SAS Standards, Methodologies, Consolidated

Security Requirements and Guidelines.

See also2.3.

Scope Extension

Extension of the scope of certification of a Site that already holds some SAS-UP certification.
扩展已持有某些 SAS-UP 认证的站点的认证范围。

Secondary Site

See Site


Auditee’s physical facility and its relevant controls that are subject to the Audit. May be a
Auditee 的物理设施及其受审计的相关控制可能是

Primary Site

Supporting Site

Secondary Site

The main audit site for which the SAS-UP certificate will be issued.
将为其颁发 SAS-UP 证书的主要审核站点。

Any independent locations that are subject to

separate certification audits. Audit findings will be documented separately in another SAS-UP audit report. Dependence of the Primary Site on the

Supporting Site(s) will be noted as part of the certification of the primary site.

Any location directly supporting the activities of a Primary Site and included as part of the same

audit process and audit report. Secondary Sites

will not be issued with SAS-UP certificates, but will be noted as part of the certification of the Primary Site
不会颁发 SAS-UP 证书,但会作为主站点认证的一部分注明

Supporting Site

See Site


The platform, specified by ETSI, which can be used to run multiple
该平台,由 ETSI 指定,可用于运行多个

V10.1 Page 7 of 63
V10.1 第 7 页,共 63 页



security applications. These applications include the SIM for 2G
安全应用程序。这些应用包括用于 2G 的 SIM 卡

networks, USIM for 3G, 4G and 5G networks, CSIM for CDMA, and ISIM (not to be confused with integrated SIM) for IP multimedia services.

UICC is neither an abbreviation nor an acronym.

See section2for more detailed explanations of SAS-UP roles

1.6 Abbreviations
1.6 缩略语




Consolidated Security Requirements and Guidelines


Embedded UICC


GSM Association


Mobile Network Operator


Security Accreditation Scheme


Security Accreditation Scheme for UICC Production


Security Accreditation Scheme for Subscription Management


Prefix identifier for official documents belonging to the GSMA SIM Group
属于 GSMA SIM 组的官方文件的前缀标识符


Sensitive Process

1.7 References
1.7 参考资料


Doc Number



珠三角 FS.04

GSMA SAS-UP Standard, latest version available at
GSMA SAS-UP 标准,最新版本可在




GSMA SAS-UP Standard Agreement, available from sas@gsma.com
GSMA SAS-UP标准协议,可从 sas@gsma.com 获得


珠三角 FS.18

GSMA SAS Consolidated Security Requirements and Guidelines, available atwww.gsma.com/sas
GSMA SAS综合安全要求和指南,atwww.gsma.com/sas 提供

V10.1 Page 8 of 63
V10.1 第 8 页,共 63 页


Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

2 Participants
2 参与者

The following section describes the roles of the participants during the standard Audit

Process. The role of the Appeals Board is not considered here (see section3.6for details instead).

2.1 Auditee
2.1 被审计单位

The Auditee is the participant in the UICC supply chain that is to be subject to Audit. The Auditee is responsible for:

• Providing all necessary information during the Audit to enable the Audit Team to perform its assessment of compliance with SAS-UP requirements for activities within the scope of certification.
• 在审核期间提供所有必要的信息,使审核小组能够对认证范围内的活动是否符合 SAS-UP 要求进行评估。

• Ensuring that all key individuals are present when required.
• 确保所有关键人员在需要时都在场。

• Delivering a short presentation at the beginning of the Audit describing how it believes that it is compliant with the Standard [1], and the relevant documentation that will be made available to the Audit Team during the Audit.
• 在审核开始时做一个简短的介绍,描述它如何认为它符合标准[1],以及在审核期间将提供给审计小组的相关文件。

• Disclosing to the Audit Team all areas of the Site where assets related to UICC production may be created, stored or processed. The Auditee may be required by the Audit Team to demonstrate that other areas of the Site are not being used to create, store or process relevant assets, and should honour any reasonable request to validate this
• 向审计小组披露网站中可能创建、存储或处理与UICC生产相关的资产的所有区域。审计团队可能会要求被审计方证明网站的其他区域未用于创建、存储或处理相关资产,并应遵守任何合理的请求以验证这一点

2.2 Audit Team
2.2 审计小组

The Audit Team consists of two independent Auditors, one from each of the Auditing

Companies selected by the GSMA following a competitive tender for the supply of SAS auditing services and in accordance with selection criteria defined by the GSMA.

The Audit Team conducts the Audit by reviewing documentation, conducting interviews with key individuals and carrying out tests in key areas. After the Audit is conducted, the Audit

Team writes a report (see3.3.4)

The independence of the Audit Team is of paramount importance to the integrity of the

scheme. It is recognised that the chosen Auditing Companies are professional in the conduct of their business. Where the Auditing Companies previously supplied consultancy services

to an Auditee, the GSMA should be informed of this fact prior to commencement of the Audit, and the Auditors performing the Audit should be different individuals to those who have provided the consultancy services.

2.2.1 Observing Auditor
2.2.1 观察审计员

On some audits, an additional observing SAS Auditor may accompany the Audit Team, in order to:

• Support the development of a common understanding of SAS-UP between the Auditing Companies
• 支持审计公司之间就SAS-UP达成共识

• Ensure consistency in standards and the Audit Process
• 确保标准和审核流程的一致性

V10.1 Page 9 of 63
V10.1 第 9 页,共 63 页


Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

• Facilitate sharing of best practice in the Audit approach
• 促进分享审计方法中的最佳做法

Audit observation will be carried out at no additional cost to the Auditee, and subject to the following guidelines:

A maximum of one observer will be present on any one Audit, except by the prior agreement with the Auditee. Auditees will be under no obligation to agree to any requests for participation of more than one observer.
• 任何一次审计最多有一名观察员在场,除非事先与被审计人达成协议。被审计方没有义务同意任何要求一名以上观察员参加的请求。

The observer will comply with all requirements of the Auditee
• 观察员将遵守被审计方的所有要求

• Prior to the Audit (e.g. signing NDAs, providing personal information for visitor authorisation).
• 在审核之前(例如签署保密协议,为访客授权提供个人信息)。

• On-site (e.g. behaviour and supervision).
• 现场(例如行为和监督)。

• The role of the observer is to observe. The observation process should not interfere with the conduct of the Audit. Specifically, the observing Auditor should:
• 观察者的作用是观察。观察过程不应干扰审计的进行。具体而言,观察审计师应:

• Not normally engage directly with the Auditee during the Audit Process to ask Audit questions
• 在审计过程中,通常不会直接与被审计者接触以询问审计问题

• Only engage in discussion with the Auditee about the observer’s own SAS scheme when such discussion will not interfere with the Audit Process.
• 只有在不干扰审计过程的情况下,才与被审计者就观察员自己的SAS计划进行讨论。

• Not present or participate in any discussions during the closing meeting.
• 在闭幕会议期间不出席或参与任何讨论。

• Not contribute to the preparation of the Audit Report.
• 不参与编制审计报告。

To maximise the benefits of the observation process the observer and Audit Team are expected to discuss elements of the Audit Process and approach. Such discussions:

• Should only take place outside of the Audit Process, and not in the presence of the Auditee.
• 只能在审计程序之外进行,不得在被审计者在场的情况下进行。

• Should include an opportunity for the observer to read the Audit Report.
• 应包括观察员阅读审计报告的机会。

• May include a post-Audit discussion, either on- or off-site to discuss any questions or observations. The post-Audit discussion may be extended to include other Auditors if appropriate.
• 可能包括审计后讨论,在现场或场外讨论任何问题或意见。审计后的讨论可酌情扩大到包括其他审计师。

Members of the Audit Management may also seek to attend and observe audits from time to time. They guidelines above will also apply to them.

2.3 SAS Group
2.3 SAS集团

The SAS Group is a committee comprised of GSMA staff (including the Audit Management)

and members, and representatives of the Auditing Companies. It is responsible for maintenance of the following SAS-UP documentation:
以及审计公司的成员和代表。它负责维护以下 SAS-UP 文档:

The Standard[1]which contains the security objectives for SAS-UP
• 标准[1],其中包含SAS-UP的安全目标

The Consolidated Security Requirements and Guidelines (CSRG)[3]which
• 综合安全要求和准则 (CSRG)[3]其中

• Provides requirements for all sensitive processes (SPs) within the scope of the different SAS schemes. Many of the requirements are common across all schemes, however some requirements are specific to individual SPs, including UICC production. The requirements that apply to UICC production indicated in
• 为不同 SAS 方案范围内的所有敏感进程 (SP) 提供要求。许多要求在所有方案中都是通用的,但有些要求特定于单个 SP,包括 UICC 生产。适用于UICC生产的要求

V10.1 Page 10 of 63
V10.1 第 10 页,共 63 页


Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

that document. These are the requirements that the UICC supplier must satisfy in order to be certified.

• Provides guidelines to guide interpretation and operational application of the requirements
• 提供指导要求的解释和操作应用的准则

The Methodology (this document)
• 方法论(本文件)

Updates will normally arise from an annual review meeting of the SAS Group. Where acute issues are identified ad hoc meetings may be convened to discuss updates to the SAS-UP documentation.

The SAS Group also contributes to the development of Auditing Company selection criteria when the GSMA is procuring SAS auditing services from time to time. Operator members of the SAS Group that do not offer any products or services within the scope of SAS will be

invited by the GSMA to participate in the review of tender responses and the selection of Auditing Companies.

2.4 Audit Management
2.4 审计管理

The Audit Management comprises a team of GSMA staff members responsible for administering the scheme, including:

• Selecting suitably qualified Auditing Companies to carry out the audits, in conjunction with the SAS Group as indicated in section2.3, and ensuring that they provide a high- quality service
• 如第2.3节所述,选择具有适当资格的审计公司与SAS集团一起进行审计,并确保他们提供高质量的服务

• Ensuring that audits are conducted in accordance with the SAS-UP Methodology and that Audit Reports meet GSMA quality requirements.
• 确保审核按照SAS-UP方法进行,并确保审核报告符合GSMA的质量要求。

• Managing Audit lifecycle tasks, pre and post Audit, for example maintenance of the Audit logs and list of certified and provisionally certified Sites
• 管理审计前后的审计生命周期任务,例如维护审计日志以及认证和临时认证站点列表

• Contract and financial management between the GSMA and Auditees and the GSMA and Auditing Companies
• GSMA与被审计单位以及GSMA与审计公司之间的合同和财务管理

• Distribution of SAS-UP documentation (this document, the Standard [1], the Consolidated Security Requirements and Guidelines [3], and other supporting documents to Auditees and Auditors.
• 向被审计方和审计师分发SAS-UP文件(本文件、标准[1]、综合安全要求和指南[3]以及其他支持文件)。

Handling general queries for example, via sas@gsma.com.
• 处理一般查询,例如,通过sas@gsmacom

2.5 Participant Relationships
2.5 参与者关系

The relationships between SAS-UP participants are indicated inFigure 1.

V10.1 Page 11 of 63
V10.1 第 11 页,共 63 页


Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

Figure 1: SAS-UP Participant Relationships
图 1:SAS-UP 参与者关系

V10.1 Page 12 of 63
V10.1 第 12 页,共 63 页


Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

3 Audit Process
3 审核流程

The Audit Process is described below.

3.1 Audit Setup
3.1 审计设置

3.1.1 Audit Request
3.1.1 审计请求

If an entity involved in the UICC production chain wishes to be SAS-UP certified, the entity should present itself to the Audit Management as a potential participant in the scheme.

Prior to contacting the Audit Management, the potential participant should have familiarised itself with the current published scheme documentation.

The potential participant should contact the Audit Management to obtain a copy of the Audit Application Form and supporting guidance notes. The completed Audit Application Form

should be formally submitted to the Audit Management to request a certification audit. On receipt of the request the Audit Management will log the details of the request.

Audit applications should be submitted to the GSMA several months in advance to increase the likelihood of the SAS Audit Teams being available to conduct an Audit on or near the

dates requested by the Auditee. As a guide:

If SAS Audit application is submitted

3 months before

requested Audit dates,

then GSMA will try to schedule Audit within

4 weeks of requested dates
4 周的请求日期

2 months before

requested Audit dates

6 weeks of requested dates
6 周的请求日期

1 month before

requested Audit dates

8 weeks of requested dates
8 周的请求日期

Table 1 - Audit Scheduling Guidance
表 1 - 审核计划指南

It always remains the responsibility of the Auditee to ensure that certification is in place to meet the requirements of any specific contract, customer or bid.

3.1.2 Confirmation of Audit Date
3.1.2 审核日期的确认

After logging the details of the Audit request, the information is sent to the Audit Team. The Audit Team will contact the Auditee to agree Audit dates.

3.1.3 Contract
3.1.3 合同

The Auditee enters into a standard agreement[2]with the GSMA and pays the GSMA in advance for the Audit.

3.2 Audit Preparation (off-site)
3.2 审核准备(场外)

After Audit dates have been agreed, the Audit Team and Auditee will liaise to agree arrangements for the Audit.

3.2.1 Audit Agenda
3.2.1 审计议程

A provisional agenda will normally be agreed at least one week before the Audit Team travels to the Site to be audited.

V10.1 Page 13 of 63
V10.1 第 13 页,共 63 页


Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

A sample agenda is included in Annex A. The sample agenda includes guidance for Auditees on information that should be prepared for each element of the Audit.

Changes to the agenda may need to be made during the Audit itself, as agreed between the Audit Team and Auditee.

3.2.2 Audit Pre-requisites
3.2.2 审核先决条件

To assist in the process of auditing the data generation process (for Sites where this is part of the audit or certification scope), the Audit Team may request that a test/demonstration of the Site’s data processing operations is carried out. The process may include advance

arrangements with the Auditee to:

• Exchange transport keys
• 交换传输密钥

• Submit test input files to the Auditee
• 向被审核方提交测试输入文件

• Perform data generation for the specified test input file(s)
• 为指定的测试输入文件执行数据生成

• Return the corresponding output file(s) to the Audit Team
• 将相应的输出文件返回给审计小组

The Auditee will be expected to make appropriate arrangements within its systems to enable a test/demonstration of the data processing to take place.

The Audit Team will liaise with the Auditee to ensure that pre-requisites are in place.

A more detailed guide to this process for Auditees is included inAnnex G.

3.3 Audit Process (on-site)
3.3 审核流程(现场)

The process of conducting the audit follows a number of defined phases.

3.3.1 Presentation and Documentation for the Audit Team
3.3.1 审计小组的演示和文件

During the first half day of the Audit the Auditee introduces the Site’s activities and security management system, and presents to the Audit Team the information and documentation specified in the Audit agenda.

A list of the required documentation is included inAnnex C. Documentation must be available to the Audit Team in English.

Based on the Audit agenda, presentation and documentation, the Audit Team agrees the key individuals to be interviewed during the Audit. It is the responsibility of the Auditee to ensure the availability of these key individuals.

3.3.2 Information collection
3.3.2 信息收集

The Audit Team collects information according to the agreed agenda to form the basis of the assessment of compliance.

The approach to collection of information is described in more detail in Annex D.

3.3.3 Assessment of compliance
3.3.3 合规评估

Based on the information collected during the Audit, the Audit Team assesses the compliance of the Auditee’s controls with the SAS requirements.

V10.1 Page 14 of 63
V10.1 第 14 页,共 63 页


Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

The assessment of compliance with the SAS requirements is described in more detail in Annex E.

3.3.4 Preparation of the Audit Report
3.3.4 编制审计报告

The Audit Team summarises the findings of the Audit in a report that follows a fixed structure, as described in Annex F, that comprises

Audit summary and overall assessment
• 审计总结和总体评估

Summary of certification
• 认证摘要

• 审计员的意见

Actions required
• 需要采取的行动

• Detailed results
• 详细结果

Detailed results are provided in an annex to the Audit Report, following the structure of the SAS requirements.

3.3.5 Presentation of the Audit Results
3.3.5 审计结果的列报

The Audit Report is normally completed during the Audit and delivered to the Auditee on completion of the closing meeting.

During the final half day of the Audit, the Audit Team will normally finalise the Audit Report. The Audit Team will present the Audit Results to the Auditee, focussing on the key points identified in the Audit Report.

The Audit Result includes the Audit Team’s decision on certification of the Site, which is passed to the Audit Management.

It is not deemed necessary to have a slide presentation, or to undertake a detailed review of the Audit Report, as part of the presentation of the Audit Results.

3.4 Distribution of the Audit Report
3.4 审计报告的分发

On completion, the Audit Team will distribute the Audit Report to:

The Auditee for the purpose of internal review and formulation of action plan(s).
• 被审计方进行内部审查和制定行动计划。

The Audit Management for the purpose of quality control and certification.
• 以质量控制和认证为目的的审核管理。

Neither the Auditee nor Audit Management will distribute the report to any other party as part of the Audit Process, except:

• In case of an appeal (see below), the Audit Report will also be provided to the Appeals Board.
• 如有上诉(见下文),审计报告也将提供给上诉委员会。

• For the purpose of Auditor training and SAS quality management, the Audit Report may be provided by the Audit Management to other SAS-UP and SAS-SM Auditors.
• 出于审核员培训和SAS质量管理的目的,审核管理层可能会向其他SAS-UP和SAS-SM审核员提供审核报告。

The Auditee is free to distribute the report to its customers, but is responsible to ensure that neither the Audit Findings, Audit Result or status of Certification are misrepresented.

V10.1 Page 15 of 63
V10.1 第 15 页,共 63 页


Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

3.5 Certification
3.5 认证

The Audit Management checks the report to confirm that the Audit has been carried out in accordance with this Methodology document and that the report meets GSMA quality


In the event of a successful Audit the Audit Management issues a Certificate to the Auditee within fifteen (15) business days of completion of the Audit.
如果审核成功,审核管理层将在审核完成后十五 (15) 个工作日内向被审核方颁发证书。

3.6 Appeal
3.6 上诉

In the event that the certification decision and/or duration of certification are in dispute the Auditee may lodge a submission with the Audit Management within twenty (20) business
如果认证决定和/或认证期限有争议,被审核方可以在二十 (20) 项业务中向审核管理层提交意见

days of completion of the Audit. The Audit Management will refer the appeal to the Appeals Board.

The Appeals Board is comprised of two Auditors, one each from different GSMA selected Auditing Companies and separate from the Auditing Companies that performed the Audit that is the subject of the appeal. For SAS-UP, the Appeals Board is comprised of

representatives of the SAS-SM Auditing Companies, and vice versa. The individual Auditors from each Auditing Company that serve on the Appeals Board may be assigned by those

Auditing Companies from a pool of suitably experienced Auditors pre-approved by the GSMA, and may change per appeal.

The Appeals Board will consider and rule on appealed Audit Results. The process to be followed by the Appeals Board will include:

• Review of the Audit Report, focussing on the appealed assessment(s)
• 审查审计报告,重点关注被上诉的评估

• Discussion with the Audit Team and the Auditee The Appeals Board should not need to visit the Site.
• 与审计小组和被审计方的讨论 上诉委员会不应访问该网站。

The Auditee may request the members of the Appeals Board to sign an NDA prior to receiving a copy of the Audit Report and other information about the Site.

The Appeals Board will seek to rule on appeals within twenty (20) business days of
上诉委员会将寻求在二十 (20) 个工作日内对上诉作出裁决

lodgement of the appeal, subject to the availability of the Audit Team and the Auditee and the prompt provision of any information requested from either party.

The Auditee and the Audit Team agree to accept the decision of the Appeals Board as final.

A description of the costs associated with the appeals process is included in section0.

3.7 Notification and Publication of Certification
3.7 认证的通知和公布

The GSMA will list certified Sites on theSAS website. The listing will include

The Auditee name and the address of the certified Site.
• 被审核机构名称和认证站点的地址。

The scope of certification, including whether the certification is full or provisional.
• 认证范围,包括认证是全面认证还是临时认证。

The expiry date of the certification
• 认证的有效期

• Details of any exceptions or specific comments that apply to the Site’s certificates.
• 适用于本网站证书的任何例外情况或特定评论的详细信息。

V10.1 Page 16 of 63
V10.1 第 16 页,共 63 页


Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

4 Certification Process
4 认证流程

The Certification Process is described below.

4.1 Certification Process
4.1 认证流程

The Certification Process begins with the first full Audit, first Dry Audit (provisional certification) or Renewal Audit at a Site.

The Certification Process ends when:

A Certificate is issued based on the decision of the Audit Team.
• 根据审核小组的决定颁发证书。


The Site withdraws from the Certification Process by either:
• 本网站通过以下任一方式退出认证流程:

• Indicating that it does not intend to continue with the Certification Process.
• 表明不打算继续进行认证程序。


• Not complying with the Audit Team’s requirements for continuing with the Certification Process following a non-compliant Audit Result (Typically, the Audit Team requires the Site to arrange a Repeat Audit, or to provide appropriate evidence of improvement within agreed periods).
• 在审核结果不合规后,不遵守审核小组的要求,继续进行认证流程(通常,审核小组要求现场安排重复审核,或在约定的期限内提供适当的改进证据)。

For an existing certified Site the Certification Process can begin up to 3 months before the expiry of the current Certificate.
对于现有的认证站点,认证过程可以在当前证书到期前 3 个月开始。

4.2 Certification Period
4.2 认证期限

The Certification Period begins when a Certificate is issued based on the decision of the Audit Team

The Certification Period ends at the date specified on the Site’s SAS Certificate.

The Certification Period will be determined by the Audit Team based on the following criteria:

• For Sites with an existing valid Certificate:
• 对于具有现有有效证书的站点:

• If the Certification Process begins up to 3 months before the expiry of the existing Certificate
• 如果认证过程在现有证书到期前 3 个月开始


• the certification is awarded before the expiry of the existing Certificate
• 该证书是在现有证书到期之前颁发的


• the Certification Period will begin at the expiry of the existing Certificate
• 认证期将从现有证书到期时开始

In all other cases the Certification Period will begin at the time that the Certificate is issued.

V10.1 Page 17 of 63
V10.1 第 17 页,共 63 页


Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

V10.1 Page 18 of 63
V10.1 第 18 页,共 63 页




Certification of sites with existing certificates

Existing certification





Duration of certification

Certification period


3 months



Figure 2 - Certification of Sites with existing Certificates
图2 - 具有现有证书的站点认证

• For Sites without an existing valid Certificate (new Sites, Sites where certification has lapsed):
• 对于没有现有有效证书的站点(新站点、认证已失效的站点):

• the Certification Period will begin at the time that the Certificate is issued.
• 认证期将从证书颁发之时开始。

Certification of new

First audit

Certification process


Re- audit

Duration of certification


Certification period

Certificate expiry

Figure 3 - Certification of new Sites
图3 - 新站点的认证

Under the terms of their contract with the GSMA, all Sites must be aware of their obligations relating to notification of significant changes at certified Sites within the Certification Period, as specified in section7.

4.3 Duration of Certification
4.3 认证期限

4.3.1 Standard durations
4.3.1 标准持续时间

The duration of certification is determined by the Audit Team based on a standard framework:

Type of certificate

Standard duration of certification

First full certification

1 year

Renewal full certification

2 years

First provisional certification

9 months

Table 2 - Standard Durations of Certification
表 2 - 认证的标准期限


Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

These durations will be applied in most cases.

4.3.2 Exceptions
4.3.2 例外

The Audit Team may, at its discretion, decide that certification should be for a shorter duration, for reasons including:

• Significant changes planned at the Site related to security-critical processes or facilities
• 现场计划进行与安全关键流程或设施相关的重大变更

A significant reliance on very recently introduced processes or systems where there is little or no history of successful operation of similar or equivalent controls
• 严重依赖最近引入的流程或系统,而这些流程或系统很少或根本没有成功运行类似或同等控制措施的历史

A repeated failure to maintain security controls at an appropriate level for the entire Certification Period (as evidenced by significant failure to meet the requirements of the standard[1]at the initial Renewal Audit).
• 在整个认证期间多次未能将安全控制保持在适当的水平(如在初始更新审核中严重未能满足标准[1]的要求)。

The Audit Team may also, at its discretion, decide that certification should be for two years for Sites without an existing valid Certificate that perform exceptionally well at the first Audit.

The Audit Management will review decisions made on exceptional circumstances as part of its control of scheme quality and consistency.

4.3.3 Minimum period of certification
4.3.3 最短认证期限

Sites without an existing valid Certificate shall, in all cases, be granted certification for a minimum of seven months from the month during which a Certificate is issued. This

allowance reduces the likelihood that the next Renewal Audit at the Site resulting in 2-year certification is influenced by the most recent Repeat Audit rather than being an assessment of steady-state controls in operation at the Site.
余地降低了导致 2 年认证的现场下一次更新审核受最近一次重复审核影响的可能性,而不是对现场运行的稳态控制的评估。

4.3.4 Extension of the period of certification
4.3.4 认证期限的延长

The SAS-UP Methodology does not normally allow the GSMA to extend a Site’s duration of certification. Sites with an existing Certificate that are planning or making major changes in advance of a Renewal Audit, which could affect the ability to demonstrate the necessary

period of evidence, may be eligible for a temporary extension of certification based on the TEA process described in the GSMA SAS remote auditing and certification policy.
证据期限内,可能有资格根据 GSMA SAS 远程审核和认证政策中描述的 TEA 流程获得临时延期认证。

Sites wishing to be considered for a temporary extension are encouraged to contact the GSMA as early as possible.

V10.1 Page 19 of 63
V10.1 第 19 页,共 63 页


Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

5 Scope of certification
5 认证范围

As part of the application process, the Auditee will be required to specify the scope of activities for which it is applying for certification.

The possible scope items for certification are defined as part of the Audit Application Form.

In most cases, Audits take place of Primary Sites leading to Full Certification, however SAS- UP also offers the ability for Audits to take place:
在大多数情况下,审核会对主站点进行审核,从而获得全面认证,但 SAS-UP 还提供进行审核的功能:

• For Sites that are not yet operating; under the provisional certification scheme.
• 对于尚未运营的网站;根据临时证书计划。

• Of Supporting Sites that perform specific functions or activities in support of activities at one or more Primary Sites.
• 执行特定功能或活动以支持一个或多个主要站点的活动的支持站点。

SAS-UP certification is also a pre-requisite for Sites wishing to apply for an EUM PKI
SAS-UP认证也是希望申请EUM PKI的站点的先决条件

certificate from one of the GSMA’s root CIs. Sites wishing to obtain such PKI certificates will be required to demonstrate compliance with the specific requirements for:
来自 GSMA 根 CI 之一的证书。希望获得此类 PKI 证书的站点将被要求证明符合以下特定要求:

• PKI certification management.
• PKI认证管理。

These certification scopes are described in more detail below.

5.1 Provisional Certification
5.1 临时认证

SAS-UP is open to both established and new UICC supplier Sites.

To help newly-established Sites to achieve certification, two options are offered:

• Undergo a Full Certification Audit once sufficient production is in place at the Site to provide evidence of controls in operation.
• 一旦工厂有足够的生产,就进行全面的认证审核,以提供运行中控制的证据。

• The Full Certification process requires that reasonable evidence exists of continued operation of controls (the Guidelines [3] suggest 4-6 weeks of continuous operation).
• 全面认证过程要求存在持续运行控制的合理证据(指南 [3] 建议连续运行 4-6 周)。

• Undergo a two-stage Provisional Certification Process specifically designed for new Sites that do not have sufficient production volumes to submit to a Full Certification Audit. This Provisional Certification Process will initially lead to Provisional Certification
• 经过两个阶段的临时认证流程,专门为生产量不足的新工厂设计,无法提交全面认证审核。此临时认证流程最初将导致临时认证

The Auditee will be responsible for choosing its preferred approach.

5.1.1 Provisional Certification Process
5.1.1 临时认证流程

The Provisional Certification Process requires two audits at the production Site.

The first, which is referred to as a Dry Audit, takes place before live production commences at the Site. For a Dry Audit to take place, the Site must have a complete set of operational

systems, processes and controls in place in all areas of the SAS-UP Standard. The Site

should be in a position to begin production for a customer immediately when an order is

received, although it is not necessary to have processed live customer orders before or

during the Audit. The Auditors will expect to see that at least one test or live production batch of a reasonable size has been processed prior to the Audit, exercising all aspects of the

V10.1 Page 20 of 63
V10.1 第 20 页,共 63 页


Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

production data flow and asset control mechanism. The Auditee should be able to process at

least one further batch of a reasonable size during the Audit if requested. A batch of a

reasonable sizewill normally be expected to demonstrate controls consistent with those for the typical size of a customer order (as a guide, in a mass production environment, batches of 1’s, 10’s or 100’s of devices would be unlikely to be considered representative, but 1000’s of devices would).
通常,“合理尺寸”将展示与客户订单典型规模一致的控制措施(作为指导,在大规模生产环境中,1、10 或 100 批设备不太可能被视为具有代表性,但 1000 件设备会)。

If the Site demonstrates compliance with the Standard[1], a Provisional Certification is

granted that remains valid for a period of nine months. A non-compliant result at a Dry Audit requires the UICC supplier to remedy identified non-compliances within three months.

Successful certification will be valid from the date of the repeat Dry Audit.

A follow up Wet Audit is required to upgrade the Provisional Certification to Full Certification. This Audit can only be undertaken if the Site has been in continuous live production for a

minimum period of six weeks and it must be undertaken within nine months of the successful Dry Audit.

Successful completion of a Wet Audit leads to Full Certification. The period of this

certification runs from the date of the successful Dry Audit. Provisional Certification will be withdrawn if:

• The Wet Audit is not conducted within nine months of the conduct of the initial Dry Audit
• 湿式审核不会在初次干式审核后九个月内进行

• The Wet Audit result is non-compliant, and a successful Repeat Audit is not completed within three months
• 湿审核结果不合规,三个月内未成功完成重复审核

• Live production for a continuous period of six weeks cannot be demonstrated within nine months of the initial Dry Audit
• 在初次干审核后的九个月内,无法证明连续六周的现场生产

The UICC supplier chooses to withdraw from the Certification Process
• UICC供应商选择退出认证流程

5.1.2 Provisional Certification Period
5.1.2 暂定认证期

The nine-month Provisional Certification Period begins when the Site is first certified.

NOTE: The Provisional Certification Period extends from the date of the successful

completion of a Dry Audit whether that Audit is an initial or repeat Dry Audit. This differs from the normal Certification Process, which backdates

certification to the initial Audit. An exception has been made in the case of

Provisional Certification because the three month period required to make improvements that may be necessary after an initial Dry Audit would

significantly reduce the window of opportunity within the nine month Provisional Certification Period to ramp-up production.

The Provisional Certification Period ends at the date specified on the Site’s SAS Provisional

Certificate of compliance or when the Site is fully certified following the successful completion of a Wet Audit.

5.1.3 Duration of Provisional Certification
5.1.3 临时认证期限

The Duration of Provisional Certification is fixed at nine months and it is the responsibility of

the participating UICC supplier to ensure the necessary Wet Audit to achieve Full Certification is undertaken within the nine month Provisional Certification Period.

V10.1 Page 21 of 63
V10.1 第 21 页,共 63 页


Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

If a Provisionally-Certified Site receives a non-compliant result at a Wet Audit, its Provisional Certification will not be immediately withdrawn and it will retain its Provisional Certification

status until the end of the nine month Provisional Certification Period.

Full Certification will normally run for one year, in accordance with the provisions set out at

4.3 above for Sites not holding an existing valid Certificate, and this will be back dated to the date on which the first Wet Audit was concluded. If the Wet Audit extends the scope of
4.3 对于未持有现有有效证书的站点,该证书的日期将追溯到第一次湿审核结束的日期。如果湿审计扩展了

existing Full Certification for a Site, and there is significant overlap in controls between the

existing and new scope elements, the Audit Team may extend the Full Certification expiry

date for the new scope element to match the expiry date of the existing certification (if later).

5.1.4 Duration of Provisional Certification Audits
5.1.4 临时认证审核的持续时间

The initial Dry Audit is conducted over a four day period and all controls will be audited.

Production processes will also be examined but in the absence of live production it will not be possible to sample test controls. The duration of a repeat Dry Audit will depend on the areas to be re-audited and will be agreed with the supplier in accordance with section 8.4 below.
还将检查生产过程,但由于没有现场生产,将无法对测试控制进行抽样。重复干审核的持续时间将取决于要重新审核的领域,并将根据下文第 8.4 节与供应商达成一致。

The Wet Audit is normally conducted over a two day period to review the controls in

operation. If the Wet Audit is conducted together with a Renewal Audit for other fully certified scope elements, some time savings on the total Audit duration may be possible.

5.2 Auditing and Certification of Supporting Sites
5.2 支持站点的审核和认证

SAS provides auditing and certification on a Site-by-Site basis. However, Sites that

participate in the scheme may use additional physical Sites owned and operated by

themselves or by third party subcontractors to provide some supporting infrastructure or services within the scope of certification. This section specifies how Supporting Sites are formally handled within the scheme.

5.2.1 Definition
5.2.1 定义

A Supporting Site is one that meets all of the following criteria:

• Provides supporting infrastructure and/or services within the scope of SAS certification to the Primary Site seeking certification.
• 在SAS认证范围内向寻求认证的主站点提供支持基础设施和/或服务。

• Does not wish to hold its own SAS certification, or is not eligible to do so.
• 不希望持有自己的SAS认证,或者没有资格持有SAS认证。

To be eligible for SAS-UP certification as a Primary Site, a Site must operate, or be planning to operate, live and primary (not just backup) production or services that fulfil at least one of the primary SAS-UP scope elements.
• 要获得 SAS-UP 认证作为主站点的资格,站点必须运行或计划运营至少满足一个主要 SAS-UP 范围要素的主要和主要(而不仅仅是备份)生产或服务。

• Exceptional applications for SAS certification by Sites that do not meet these criteria will be considered by the GSMA on a case-by-case basis.
• 不符合这些标准的站点的特殊SAS认证申请将由GSMA根据具体情况予以考虑。

In most cases the Supporting Site is primarily accountable (via internal or contractual

agreements) to the Primary Site rather than to the GSMA for its compliance with the SAS requirements. However, a Supporting Site must still be subject to the terms of SAS
协议)给主站点,而不是GSMA,以使其符合SAS要求。但是,支持站点仍必须遵守 SAS 的条款

participation, and therefore must be named on an SAS agreement signed by the Primary Site or the Primary Site’s parent company.
参与,因此必须在主站点或主站点的母公司签署的 SAS 协议上命名。

V10.1 Page 22 of 63
V10.1 第 22 页,共 63 页


Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

A Secondary Site is a Supporting Site that is included as part of the same Audit Process and Audit Report as the Primary Site.

5.2.2 Auditing and Certification Approach
5.2.2 审核和认证方法

The auditing and Certification Process to be followed is slightly different depending on the type of Supporting Site. To date, a single type of Supporting Site has been encountered

within SAS-UP, as follows:
在 SAS-UP 中,如下所示:

Centralised or Outsourced IT Services
集中式或外包式 IT 服务




Centralised IT administration, network operations centre, server farm, firewall management
集中式 IT 管理、网络运营中心、服务器场、防火墙管理

Application form

The application form provides space to provide Supporting Site details and to outline the Site <