
GSMA

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology

Security Accreditation Scheme for UICC Production - Methodology

Version 10.1

12 April 2023

Security Classification: Non-confidential

Access to and distribution of this document is restricted to the persons permitted by the security classification. This document is subject to copyright protection. This document is to be used only for the purposes for which it has been supplied and information contained in it must not be disclosed or in any other way made available, in whole or in part, to persons other than those permitted under the security classification without the prior written approval of the Association.

Copyright Notice

Copyright © 2023 GSM Association

Disclaimer

The GSM Association (“Association”) makes no representation, warranty or undertaking (express or implied) with respect to and does not accept any responsibility for, and hereby disclaims liability for the accuracy or completeness or timeliness of the information contained in this document. The information contained in this document may be subject to change without prior notice.

Compliance Notice

The information contained herein is in full compliance with the GSM Association’s antitrust compliance policy.

This Permanent Reference Document is classified by GSMA as an Industry Specification; as such, it has been developed and is maintained by GSMA in accordance with the provisions set out in GSMA AA.35 - Procedures for Industry Specifications.

V10.1 Page 1 of 63


Table of Contents

1 Introduction 5
1.1 Overview 5
1.2 Scope 5
1.3 Intended Audience 5
1.4 Language 5
1.5 Definitions 6
1.6 Abbreviations 8
1.7 References 8
2 Participants 9
2.1 Auditee 9
2.2 Audit Team 9
2.2.1 Observing Auditor 9
2.3 SAS Group 10
2.4 Audit Management 11
2.5 Participant Relationships 11
3 Audit Process 13
3.1 Audit Setup 13
3.1.1 Audit Request 13
3.1.2 Confirmation of Audit Date 13
3.1.3 Contract 13
3.2 Audit Preparation (off-site) 13
3.2.1 Audit Agenda 13
3.2.2 Audit Pre-requisites 14
3.3 Audit Process (on-site) 14
3.3.1 Presentation and Documentation for the Audit Team 14
3.3.2 Information collection 14
3.3.3 Assessment of compliance 14
3.3.4 Preparation of the Audit Report 15
3.3.5 Presentation of the Audit Results 15
3.4 Distribution of the Audit Report 15
3.5 Certification 16
3.6 Appeal 16
3.7 Notification and Publication of Certification 16
4 Certification Process 17
4.1 Certification Process 17
4.2 Certification Period 17
4.3 Duration of Certification 18
4.3.1 Standard durations 18
4.3.2 Exceptions 19
4.3.3 Minimum period of certification 19
4.3.4 Extension of the period of certification 19
5 Scope of certification 20
5.1 Provisional Certification 20
5.1.1 Provisional Certification Process 20
5.1.2 Provisional Certification Period 21
5.1.3 Duration of Provisional Certification 21
5.1.4 Duration of Provisional Certification Audits 22
5.2 Auditing and Certification of Supporting Sites 22
5.2.1 Definition 22
5.2.2 Auditing and Certification Approach 23
Centralised or Outsourced IT Services 23
5.3 Management of PKI Certificates 24
6 Audit Report Scoring and Assessment 26
6.1 Audit Result 26
7 Maintaining SAS Compliance 28
7.1 Notifiable Events for PKI certificate management 28
7.2 Examples of other Notifiable Events 28
7.2.1 What should be Notified 29
7.2.2 What Would not Normally Require Notification: 29
8 Costs 30
8.1 First Audit or Renewal Audit 30
8.2 Audit of Small and Large Sites, and Sites with Limited Scope 31
8.3 Audit of Central / Corporate Functions 31
8.4 Repeat Audit 31
8.5 Off-Site Review of Improvements 32
8.6 Cancellation Policy 33
8.7 Appeals 33
Annex A Sample audit agenda 34
Annex B Audit modules 35
B.1 Audit modules 35
Annex C Sample required documents list 47
C.1 Document List 47
C.1.1 Security Management System (modules B, C) 47
C.1.2 Key Management (modules J, K) 47
C.1.3 Production (modules O, P) 47
C.1.4 Human Resources (module D) 47
C.1.5 Security Internal Audit System (module U) 48
Annex D Collection of information 49
Information 49
Annex E Assessment of compliance 52
E.1 Audit assessment and compliance 52
Annex F Final Audit Report Structure 56
F.1 First Page: 56
F.2 Following Pages: 56
Annex G Data Processing Audit 59
G.1 Before the Audit 59
G.1.1 Preparation 59
G.1.2 Key Exchange 59
G.1.3 Input File Exchange 60
G.1.4 Processing of Input File 1 60
G.1.5 Output File Exchange 60
G.1.6 Timescales 60
G.2 During the Audit 60
G.2.1 Review of Key Exchange 60
G.2.2 Review of Input File 1 Processing 60
G.2.3 Demonstration of Input File 2 Processing 61
G.3 After the Audit 61
Annex H Document Management 62
H.1 Document History 62
H.2 Other Information 63

1 Introduction

1.1 Overview

The GSMA Security Accreditation Scheme (SAS) for UICC Production (SAS-UP) is a scheme through which UICC suppliers subject their production Sites to an Audit. The purpose of the Audit is to ensure that UICC suppliers have implemented adequate security measures to protect the interests of mobile network operators (MNOs).

Audits are conducted by specialist Auditing Companies over a number of days, typically in a single Site visit. The Auditors will check compliance against the GSMA SAS-UP Standard [1] and the requirements specified in [3] by various methods such as document review, interviews and tests in specific areas. Sites that demonstrate compliance with the SAS-UP Standard are certified by the GSMA.

NOTE: All references to UICCs and UICC suppliers in this document apply equally to eUICCs and eUICC suppliers unless specifically stated otherwise.

1.2 Scope

The scope of this document covers:

• SAS-UP participating stakeholders and their roles
• Processes for arrangement and conduct of an SAS-UP Audit
• Audit scoring and Audit Report structure
• Certification and Provisional Certification Processes
• SAS-UP costs

1.3 Intended Audience

• Security professionals and others within UICC supplier organisations seeking to obtain accreditation for Sites under SAS-UP.
• Security professionals and others within organisations seeking to procure UICCs
• SAS Group members
• Auditors

1.4 Language

The language of the scheme is English.

The language of the scheme will be used for the management and administration of the scheme itself, and for the Audit Process.

The Audit will, in all cases, be conducted in the language of the scheme. The Auditee is responsible for ensuring that documents are available in the language of the scheme, as described in Annex C. Other documents may be in a language other than English, but translation facilities should be available during the conduct of the Audit.

Where it is likely to be difficult to conduct Audit discussions with personnel in English, Auditees should arrange for one or more translators with knowledge of the business and subject matter to be available to the Audit Team.


1.5 Definitions

Appeals Board
Two Auditors, one each from different GSMA selected Auditing Companies, who consider and rule on appealed Audit Results. Auditors for the SAS-UP Appeals Board will be drawn from the SAS-SM Auditing Companies and vice versa.

Audit
The SAS audit carried out by the Audit Team at the Auditee’s Site.

Audit Management
A GSMA team, as described in 2.4, which:
• Manages the scheme documentation.
• Appoints the Auditing Companies
• Administers SAS-UP
• Monitors and assures the quality and consistency of the Audit Process and Audit Team
• Issues Certificates to those Sites that the Audit Team assesses as compliant with the requirements.

Audit Process
The overall process followed by the Audit Management and Audit Team to deliver the Audit, as defined in section 3.

Audit Report, Audit Result, Audit Summary and Auditors’ Comments
As defined in Annex A.

Audit Team
Two Auditors, one each from different GSMA selected Auditing Companies, jointly carrying out the Audit on behalf of the GSMA, as described in 2.1.

Auditee
An entity involved in the production of UICCs that is seeking SAS-UP certification of its Sites, as described in 2.1.

Auditing Companies
Companies appointed by the GSMA to provide Auditors.

Auditor
A person qualified to perform SAS-UP audits.

Certificate
Certificate issued by the GSMA to the Auditee following demonstration of compliance by the Site with the SAS requirements specified in [3].

Certification Process, Certification Period and Duration of Certification
As defined in section 4.

Dry Audit, and Wet Audit
As defined in section 5.

eUICC
A removable or non-removable UICC which enables the remote and/or local management of Profiles in a secure way.
Note: The term originates from “embedded UICC”.

Full Certification
SAS certification of Site controls in live operation.

PKI Certificate Management
The process of:
• Securely generating a key pair and certificate signing request and submitting this to a recognised certificate authority / issuer
• Securely storing the key pair and certificate and making them available under appropriate control for the generation of eUICC certificates.
The definition refers only to the management of the key pair and certificate. The process of generating individual eUICC device certificates is included within the definition of “Generation of Data for Personalisation” for eUICCs.

Primary Site
See Site.

Profile
A combination of data and applications to be provisioned on an eUICC for the purpose of providing services.

Provisional Certification, Provisional Certification Process, Provisional Certification Period and Duration of Provisional Certification
As defined in section 5.

Renewal Audit
Audit performed towards the end of a period of SAS certification to check continued compliance by the Site with the SAS requirements and provide the basis for a decision to award further SAS certification.

Re-audit
Audit performed to confirm that updated controls implemented by the Auditee following non-compliances found at an earlier Audit are sufficient to satisfy the SAS requirements.

SAS Group
A group of GSMA members and staff (including the Audit Management) that, together with the SAS Auditors, is responsible for maintenance and development of the SAS Standards, Methodologies, Consolidated Security Requirements and Guidelines. See also 2.3.

Scope Extension
Extension of the scope of certification of a Site that already holds some SAS-UP certification.

Secondary Site
See Site.

Site
Auditee’s physical facility and its relevant controls that are subject to the Audit. May be a:
Primary Site: The main audit site for which the SAS-UP certificate will be issued.
Supporting Site: Any independent locations that are subject to separate certification audits. Audit findings will be documented separately in another SAS-UP audit report. Dependence of the Primary Site on the Supporting Site(s) will be noted as part of the certification of the primary site.
Secondary Site: Any location directly supporting the activities of a Primary Site and included as part of the same audit process and audit report. Secondary Sites will not be issued with SAS-UP certificates, but will be noted as part of the certification of the Primary Site.

Supporting Site
See Site.

UICC
The platform, specified by ETSI, which can be used to run multiple security applications. These applications include the SIM for 2G networks, USIM for 3G, 4G and 5G networks, CSIM for CDMA, and ISIM (not to be confused with integrated SIM) for IP multimedia services. UICC is neither an abbreviation nor an acronym.

See section 2 for more detailed explanations of SAS-UP roles.

1.6 Abbreviations

CSRG: Consolidated Security Requirements and Guidelines
eUICC: Embedded UICC
GSMA: GSM Association
MNO: Mobile Network Operator
SAS: Security Accreditation Scheme
SAS-UP: Security Accreditation Scheme for UICC Production
SAS-SM: Security Accreditation Scheme for Subscription Management
SGP.nn: Prefix identifier for official documents belonging to the GSMA SIM Group
SP: Sensitive Process

1.7 References

[1] PRD FS.04: GSMA SAS-UP Standard, latest version available at www.gsma.com/sas
[2] N/A: GSMA SAS-UP Standard Agreement, available from sas@gsma.com
[3] PRD FS.18: GSMA SAS Consolidated Security Requirements and Guidelines, available at www.gsma.com/sas


2 Participants

The following section describes the roles of the participants during the standard Audit Process. The role of the Appeals Board is not considered here (see section 3.6 for details instead).

2.1 Auditee

The Auditee is the participant in the UICC supply chain that is to be subject to Audit. The Auditee is responsible for:

• Providing all necessary information during the Audit to enable the Audit Team to perform its assessment of compliance with SAS-UP requirements for activities within the scope of certification.
• Ensuring that all key individuals are present when required.
• Delivering a short presentation at the beginning of the Audit describing how it believes that it is compliant with the Standard [1], and the relevant documentation that will be made available to the Audit Team during the Audit.
• Disclosing to the Audit Team all areas of the Site where assets related to UICC production may be created, stored or processed. The Auditee may be required by the Audit Team to demonstrate that other areas of the Site are not being used to create, store or process relevant assets, and should honour any reasonable request to validate this.

2.2 Audit Team

The Audit Team consists of two independent Auditors, one from each of the Auditing Companies selected by the GSMA following a competitive tender for the supply of SAS auditing services and in accordance with selection criteria defined by the GSMA.

The Audit Team conducts the Audit by reviewing documentation, conducting interviews with key individuals and carrying out tests in key areas. After the Audit is conducted, the Audit Team writes a report (see 3.3.4).

The independence of the Audit Team is of paramount importance to the integrity of the scheme. It is recognised that the chosen Auditing Companies are professional in the conduct of their business. Where the Auditing Companies previously supplied consultancy services to an Auditee, the GSMA should be informed of this fact prior to commencement of the Audit, and the Auditors performing the Audit should be different individuals to those who have provided the consultancy services.

2.2.1 Observing Auditor

On some audits, an additional observing SAS Auditor may accompany the Audit Team, in order to:

• Support the development of a common understanding of SAS-UP between the Auditing Companies
• Ensure consistency in standards and the Audit Process


• Facilitate sharing of best practice in the Audit approach

Audit observation will be carried out at no additional cost to the Auditee, and subject to the following guidelines:

• A maximum of one observer will be present on any one Audit, except by prior agreement with the Auditee. Auditees will be under no obligation to agree to any requests for participation of more than one observer.
• The observer will comply with all requirements of the Auditee:
  • Prior to the Audit (e.g. signing NDAs, providing personal information for visitor authorisation).
  • On-site (e.g. behaviour and supervision).
• The role of the observer is to observe. The observation process should not interfere with the conduct of the Audit. Specifically, the observing Auditor should:
  • Not normally engage directly with the Auditee during the Audit Process to ask Audit questions.
  • Only engage in discussion with the Auditee about the observer’s own SAS scheme when such discussion will not interfere with the Audit Process.
  • Not be present at or participate in any discussions during the closing meeting.
  • Not contribute to the preparation of the Audit Report.

To maximise the benefits of the observation process, the observer and Audit Team are expected to discuss elements of the Audit Process and approach. Such discussions:

• Should only take place outside of the Audit Process, and not in the presence of the Auditee.
• Should include an opportunity for the observer to read the Audit Report.
• May include a post-Audit discussion, either on- or off-site, to discuss any questions or observations. The post-Audit discussion may be extended to include other Auditors if appropriate.

Members of the Audit Management may also seek to attend and observe audits from time to time. The guidelines above will also apply to them.

2.3 SAS Group

The SAS Group is a committee comprised of GSMA staff (including the Audit Management) and members, and representatives of the Auditing Companies. It is responsible for maintenance of the following SAS-UP documentation:

• The Standard [1], which contains the security objectives for SAS-UP.
• The Consolidated Security Requirements and Guidelines (CSRG) [3], which:
  • Provides requirements for all sensitive processes (SPs) within the scope of the different SAS schemes. Many of the requirements are common across all schemes; however, some requirements are specific to individual SPs, including UICC production. The requirements that apply to UICC production are indicated in that document. These are the requirements that the UICC supplier must satisfy in order to be certified.
  • Provides guidelines to guide interpretation and operational application of the requirements
• The Methodology (this document)

Updates will normally arise from an annual review meeting of the SAS Group. Where acute issues are identified, ad hoc meetings may be convened to discuss updates to the SAS-UP documentation.

The SAS Group also contributes to the development of Auditing Company selection criteria when the GSMA is procuring SAS auditing services from time to time. Operator members of the SAS Group that do not offer any products or services within the scope of SAS will be invited by the GSMA to participate in the review of tender responses and the selection of Auditing Companies.

2.4 Audit Management

The Audit Management comprises a team of GSMA staff members responsible for administering the scheme, including:

• Selecting suitably qualified Auditing Companies to carry out the audits, in conjunction with the SAS Group as indicated in section 2.3, and ensuring that they provide a high-quality service.
• Ensuring that audits are conducted in accordance with the SAS-UP Methodology and that Audit Reports meet GSMA quality requirements.
• Managing Audit lifecycle tasks, pre and post Audit, for example maintenance of the Audit logs and list of certified and provisionally certified Sites
• Contract and financial management between the GSMA and Auditees and the GSMA and Auditing Companies
• Distribution of SAS-UP documentation (this document, the Standard [1], the Consolidated Security Requirements and Guidelines [3], and other supporting documents) to Auditees and Auditors.
• Handling general queries, for example via sas@gsma.com.

2.5 Participant Relationships

The relationships between SAS-UP participants are indicated in Figure 1.

Figure 1: SAS-UP Participant Relationships

3 Audit Process

The Audit Process is described below.

3.1 Audit Setup

3.1.1 Audit Request

If an entity involved in the UICC production chain wishes to be SAS-UP certified, the entity should present itself to the Audit Management as a potential participant in the scheme.

Prior to contacting the Audit Management, the potential participant should have familiarised itself with the current published scheme documentation.

The potential participant should contact the Audit Management to obtain a copy of the Audit Application Form and supporting guidance notes. The completed Audit Application Form should be formally submitted to the Audit Management to request a certification audit. On receipt of the request the Audit Management will log the details of the request.

Audit applications should be submitted to the GSMA several months in advance to increase the likelihood of the SAS Audit Teams being available to conduct an Audit on or near the dates requested by the Auditee. As a guide:

If SAS Audit application is submitted ...      then GSMA will try to schedule Audit within ...
3 months before requested Audit dates          4 weeks of requested dates
2 months before requested Audit dates          6 weeks of requested dates
1 month before requested Audit dates           8 weeks of requested dates

Table 1 - Audit Scheduling Guidance

It always remains the responsibility of the Auditee to ensure that certification is in place to meet the requirements of any specific contract, customer or bid.

3.1.2 Confirmation of Audit Date

After logging the details of the Audit request, the Audit Management sends the information to the Audit Team. The Audit Team will contact the Auditee to agree Audit dates.

3.1.3 Contract

The Auditee enters into a standard agreement [2] with the GSMA and pays the GSMA in advance for the Audit.

3.2 Audit Preparation (off-site)

After Audit dates have been agreed, the Audit Team and Auditee will liaise to agree arrangements for the Audit.

3.2.1 Audit Agenda

A provisional agenda will normally be agreed at least one week before the Audit Team travels to the Site to be audited.


A sample agenda is included in Annex A. The sample agenda includes guidance for Auditees on information that should be prepared for each element of the Audit.

Changes to the agenda may need to be made during the Audit itself, as agreed between the Audit Team and Auditee.

3.2.2 Audit Pre-requisites

To assist in the process of auditing the data generation process (for Sites where this is part of the audit or certification scope), the Audit Team may request that a test/demonstration of the Site’s data processing operations is carried out. The process may include advance arrangements with the Auditee to:

• Exchange transport keys
• Submit test input files to the Auditee
• Perform data generation for the specified test input file(s)
• Return the corresponding output file(s) to the Audit Team

The Auditee will be expected to make appropriate arrangements within its systems to enable a test/demonstration of the data processing to take place.

The Audit Team will liaise with the Auditee to ensure that pre-requisites are in place.

A more detailed guide to this process for Auditees is included in Annex G.

3.3 Audit Process (on-site)

The process of conducting the audit follows a number of defined phases.

3.3.1 Presentation and Documentation for the Audit Team

During the first half day of the Audit the Auditee introduces the Site’s activities and security management system, and presents to the Audit Team the information and documentation specified in the Audit agenda.

A list of the required documentation is included in Annex C. Documentation must be available to the Audit Team in English.

Based on the Audit agenda, presentation and documentation, the Audit Team agrees the key individuals to be interviewed during the Audit. It is the responsibility of the Auditee to ensure the availability of these key individuals.

3.3.2 Information collection

The Audit Team collects information according to the agreed agenda to form the basis of the assessment of compliance.

The approach to collection of information is described in more detail in Annex D.

3.3.3 Assessment of compliance

Based on the information collected during the Audit, the Audit Team assesses the compliance of the Auditee’s controls with the SAS requirements.

V10.1 Page 14 of 63
V10.1 第 14 页,共 63 页

GSMA
GSMA公司

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

The assessment of compliance with the SAS requirements is described in more detail in Annex E.
附件E更详细地描述了对SAS要求的遵守情况的评估。

3.3.4 Preparation of the Audit Report

The Audit Team summarises the findings of the Audit in a report that follows a fixed structure, as described in Annex F, and comprises:

• Audit summary and overall assessment
• Summary of certification
• Auditors' comments
• Actions required
• Detailed results

Detailed results are provided in an annex to the Audit Report, following the structure of the SAS requirements.

3.3.5 Presentation of the Audit Results

The Audit Report is normally completed during the Audit and delivered to the Auditee on completion of the closing meeting.

During the final half day of the Audit, the Audit Team will normally finalise the Audit Report. The Audit Team will present the Audit Results to the Auditee, focussing on the key points identified in the Audit Report.

The Audit Result includes the Audit Team's decision on certification of the Site, which is passed to the Audit Management.

It is not deemed necessary to have a slide presentation, or to undertake a detailed review of the Audit Report, as part of the presentation of the Audit Results.

3.4 Distribution of the Audit Report

On completion, the Audit Team will distribute the Audit Report to:

• The Auditee, for the purpose of internal review and formulation of action plan(s).
• The Audit Management, for the purpose of quality control and certification.

Neither the Auditee nor the Audit Management will distribute the report to any other party as part of the Audit Process, except:

• In case of an appeal (see below), the Audit Report will also be provided to the Appeals Board.
• For the purpose of Auditor training and SAS quality management, the Audit Report may be provided by the Audit Management to other SAS-UP and SAS-SM Auditors.

The Auditee is free to distribute the report to its customers, but is responsible for ensuring that neither the Audit Findings, the Audit Result nor the status of Certification are misrepresented.

3.5 Certification

The Audit Management checks the report to confirm that the Audit has been carried out in accordance with this Methodology document and that the report meets GSMA quality requirements.

In the event of a successful Audit the Audit Management issues a Certificate to the Auditee within fifteen (15) business days of completion of the Audit.

3.6 Appeal

In the event that the certification decision and/or duration of certification are in dispute, the Auditee may lodge a submission with the Audit Management within twenty (20) business days of completion of the Audit. The Audit Management will refer the appeal to the Appeals Board.

The Appeals Board is comprised of two Auditors, one each from different GSMA-selected Auditing Companies, and separate from the Auditing Companies that performed the Audit that is the subject of the appeal. For SAS-UP, the Appeals Board is comprised of representatives of the SAS-SM Auditing Companies, and vice versa. The individual Auditors from each Auditing Company that serve on the Appeals Board may be assigned by those Auditing Companies from a pool of suitably experienced Auditors pre-approved by the GSMA, and may change per appeal.

The Appeals Board will consider and rule on appealed Audit Results. The process to be followed by the Appeals Board will include:

• Review of the Audit Report, focussing on the appealed assessment(s)
• Discussion with the Audit Team and the Auditee

The Appeals Board should not need to visit the Site.

The Auditee may request the members of the Appeals Board to sign an NDA prior to receiving a copy of the Audit Report and other information about the Site.

The Appeals Board will seek to rule on appeals within twenty (20) business days of lodgement of the appeal, subject to the availability of the Audit Team and the Auditee and the prompt provision of any information requested from either party.

The Auditee and the Audit Team agree to accept the decision of the Appeals Board as final.

A description of the costs associated with the appeals process is included in section 0.

3.7 Notification and Publication of Certification

The GSMA will list certified Sites on the SAS website. The listing will include:

• The Auditee name and the address of the certified Site.
• The scope of certification, including whether the certification is full or provisional.
• The expiry date of the certification.
• Details of any exceptions or specific comments that apply to the Site's certificates.

4 Certification Process

The Certification Process is described below.

4.1 Certification Process

The Certification Process begins with the first full Audit, first Dry Audit (provisional certification) or Renewal Audit at a Site.

The Certification Process ends when:

• A Certificate is issued based on the decision of the Audit Team,

or

• The Site withdraws from the Certification Process by either:

  • Indicating that it does not intend to continue with the Certification Process,

  or

  • Not complying with the Audit Team's requirements for continuing with the Certification Process following a non-compliant Audit Result (typically, the Audit Team requires the Site to arrange a Repeat Audit, or to provide appropriate evidence of improvement within agreed periods).

For an existing certified Site the Certification Process can begin up to 3 months before the expiry of the current Certificate.

4.2 Certification Period

The Certification Period begins when a Certificate is issued based on the decision of the Audit Team.

The Certification Period ends at the date specified on the Site's SAS Certificate.

The Certification Period will be determined by the Audit Team based on the following criteria:

• For Sites with an existing valid Certificate:

  • If the Certification Process begins up to 3 months before the expiry of the existing Certificate, and
  • the certification is awarded before the expiry of the existing Certificate,

  then

  • the Certification Period will begin at the expiry of the existing Certificate.

In all other cases the Certification Period will begin at the time that the Certificate is issued.

Figure 2 - Certification of Sites with existing Certificates (timeline figure not reproduced; labels: Existing certification, Existing Certificate expiry, Renewal audit, Certification process, 3 months, Renewal Certification period, Duration of certification, Certificate expiry)

• For Sites without an existing valid Certificate (new Sites, Sites where certification has lapsed):

  • the Certification Period will begin at the time that the Certificate is issued.

Figure 3 - Certification of new Sites (timeline figure not reproduced; labels: First audit, Certification process, Certification, Re-audit, Certification period, Duration of certification, Certificate expiry)

Under the terms of their contract with the GSMA, all Sites must be aware of their obligations relating to notification of significant changes at certified Sites within the Certification Period, as specified in section 7.

4.3 Duration of Certification

4.3.1 Standard durations

The duration of certification is determined by the Audit Team based on a standard framework:

| Type of certificate             | Standard duration of certification |
|---------------------------------|------------------------------------|
| First full certification        | 1 year                             |
| Renewal full certification      | 2 years                            |
| First provisional certification | 9 months                           |

Table 2 - Standard Durations of Certification

These durations will be applied in most cases.

4.3.2 Exceptions

The Audit Team may, at its discretion, decide that certification should be for a shorter duration, for reasons including:

• Significant changes planned at the Site related to security-critical processes or facilities
• A significant reliance on very recently introduced processes or systems where there is little or no history of successful operation of similar or equivalent controls
• A repeated failure to maintain security controls at an appropriate level for the entire Certification Period (as evidenced by significant failure to meet the requirements of the Standard [1] at the initial Renewal Audit).

The Audit Team may also, at its discretion, decide that certification should be for two years for Sites without an existing valid Certificate that perform exceptionally well at the first Audit.

The Audit Management will review decisions made on exceptional circumstances as part of its control of scheme quality and consistency.

4.3.3 Minimum period of certification

Sites without an existing valid Certificate shall, in all cases, be granted certification for a minimum of seven months from the month during which a Certificate is issued. This allowance reduces the likelihood that the next Renewal Audit at the Site, which may result in 2-year certification, is influenced by the most recent Repeat Audit rather than being an assessment of the steady-state controls in operation at the Site.

4.3.4 Extension of the period of certification

The SAS-UP Methodology does not normally allow the GSMA to extend a Site's duration of certification. Sites with an existing Certificate that are planning or making major changes in advance of a Renewal Audit, which could affect their ability to demonstrate the necessary period of evidence, may be eligible for a temporary extension of certification based on the TEA process described in the GSMA SAS remote auditing and certification policy.

Sites wishing to be considered for a temporary extension are encouraged to contact the GSMA as early as possible.

5 Scope of certification

As part of the application process, the Auditee will be required to specify the scope of activities for which it is applying for certification.

The possible scope items for certification are defined as part of the Audit Application Form.

In most cases, Audits take place at Primary Sites leading to Full Certification; however, SAS-UP also offers the ability for Audits to take place:

• For Sites that are not yet operating, under the provisional certification scheme.
• Of Supporting Sites that perform specific functions or activities in support of activities at one or more Primary Sites.

SAS-UP certification is also a pre-requisite for Sites wishing to apply for an EUM PKI certificate from one of the GSMA's root CIs. Sites wishing to obtain such PKI certificates will be required to demonstrate compliance with the specific requirements for:

• PKI certificate management.

These certification scopes are described in more detail below.

5.1 Provisional Certification

SAS-UP is open to both established and new UICC supplier Sites.

To help newly-established Sites to achieve certification, two options are offered:

• Undergo a Full Certification Audit once sufficient production is in place at the Site to provide evidence of controls in operation.
  • The Full Certification process requires that reasonable evidence exists of continued operation of controls (the Guidelines [3] suggest 4-6 weeks of continuous operation).
• Undergo a two-stage Provisional Certification Process specifically designed for new Sites that do not have sufficient production volumes to submit to a Full Certification Audit. This Provisional Certification Process will initially lead to Provisional Certification.

The Auditee will be responsible for choosing its preferred approach.

5.1.1 Provisional Certification Process

The Provisional Certification Process requires two audits at the production Site.

The first, which is referred to as a Dry Audit, takes place before live production commences at the Site. For a Dry Audit to take place, the Site must have a complete set of operational systems, processes and controls in place in all areas of the SAS-UP Standard. The Site should be in a position to begin production for a customer immediately when an order is received, although it is not necessary to have processed live customer orders before or during the Audit. The Auditors will expect to see that at least one test or live production batch of a reasonable size has been processed prior to the Audit, exercising all aspects of the production data flow and asset control mechanism. The Auditee should be able to process at least one further batch of a reasonable size during the Audit if requested. A batch of a "reasonable size" will normally be expected to demonstrate controls consistent with those for the typical size of a customer order (as a guide, in a mass production environment, batches of 1s, 10s or 100s of devices would be unlikely to be considered representative, but 1000s of devices would).

If the Site demonstrates compliance with the Standard [1], a Provisional Certification is granted that remains valid for a period of nine months. A non-compliant result at a Dry Audit requires the UICC supplier to remedy the identified non-compliances within three months.

Successful certification will be valid from the date of the repeat Dry Audit.

A follow-up Wet Audit is required to upgrade the Provisional Certification to Full Certification. This Audit can only be undertaken if the Site has been in continuous live production for a minimum period of six weeks, and it must be undertaken within nine months of the successful Dry Audit.

Successful completion of a Wet Audit leads to Full Certification. The period of this certification runs from the date of the successful Dry Audit. Provisional Certification will be withdrawn if:

• The Wet Audit is not conducted within nine months of the initial Dry Audit
• The Wet Audit result is non-compliant, and a successful Repeat Audit is not completed within three months
• Live production for a continuous period of six weeks cannot be demonstrated within nine months of the initial Dry Audit
• The UICC supplier chooses to withdraw from the Certification Process

5.1.2 Provisional Certification Period

The nine-month Provisional Certification Period begins when the Site is first certified.

NOTE: The Provisional Certification Period extends from the date of the successful completion of a Dry Audit, whether that Audit is an initial or repeat Dry Audit. This differs from the normal Certification Process, which backdates certification to the initial Audit. An exception has been made in the case of Provisional Certification because the three-month period required to make improvements that may be necessary after an initial Dry Audit would significantly reduce the window of opportunity within the nine-month Provisional Certification Period to ramp up production.

The Provisional Certification Period ends at the date specified on the Site's SAS Provisional Certificate of compliance, or when the Site is fully certified following the successful completion of a Wet Audit.

5.1.3 Duration of Provisional Certification

The Duration of Provisional Certification is fixed at nine months, and it is the responsibility of the participating UICC supplier to ensure that the Wet Audit necessary to achieve Full Certification is undertaken within the nine-month Provisional Certification Period.

If a Provisionally-Certified Site receives a non-compliant result at a Wet Audit, its Provisional Certification will not be immediately withdrawn and it will retain its Provisional Certification status until the end of the nine-month Provisional Certification Period.

Full Certification will normally run for one year, in accordance with the provisions set out in 4.3 above for Sites not holding an existing valid Certificate, and this will be backdated to the date on which the first Wet Audit was concluded. If the Wet Audit extends the scope of existing Full Certification for a Site, and there is significant overlap in controls between the existing and new scope elements, the Audit Team may extend the Full Certification expiry date for the new scope element to match the expiry date of the existing certification (if later).

5.1.4 Duration of Provisional Certification Audits

The initial Dry Audit is conducted over a four-day period and all controls will be audited. Production processes will also be examined, but in the absence of live production it will not be possible to sample-test controls. The duration of a repeat Dry Audit will depend on the areas to be re-audited and will be agreed with the supplier in accordance with section 8.4 below.

The Wet Audit is normally conducted over a two-day period to review the controls in operation. If the Wet Audit is conducted together with a Renewal Audit for other fully certified scope elements, some time savings on the total Audit duration may be possible.

5.2 Auditing and Certification of Supporting Sites

SAS provides auditing and certification on a Site-by-Site basis. However, Sites that participate in the scheme may use additional physical Sites, owned and operated by themselves or by third-party subcontractors, to provide some supporting infrastructure or services within the scope of certification. This section specifies how Supporting Sites are formally handled within the scheme.

5.2.1 Definition

A Supporting Site is one that meets all of the following criteria:

• Provides supporting infrastructure and/or services within the scope of SAS certification to the Primary Site seeking certification.
• Does not wish to hold its own SAS certification, or is not eligible to do so.
  • To be eligible for SAS-UP certification as a Primary Site, a Site must operate, or be planning to operate, live and primary (not just backup) production or services that fulfil at least one of the primary SAS-UP scope elements.
  • Exceptional applications for SAS certification by Sites that do not meet these criteria will be considered by the GSMA on a case-by-case basis.

In most cases the Supporting Site is primarily accountable (via internal or contractual agreements) to the Primary Site rather than to the GSMA for its compliance with the SAS requirements. However, a Supporting Site must still be subject to the terms of SAS participation, and therefore must be named on an SAS agreement signed by the Primary Site or the Primary Site's parent company.

A Secondary Site is a Supporting Site that is included as part of the same Audit Process and Audit Report as the Primary Site.

5.2.2 Auditing and Certification Approach

The auditing and Certification Process to be followed is slightly different depending on the type of Supporting Site. To date, a single type of Supporting Site has been encountered within SAS-UP, as follows:

Centralised or Outsourced IT Services

Examples: Centralised IT administration, network operations centre, server farm, firewall management.

Application form: The application form provides space to give Supporting Site details and to outline the Site activities.

Audit scheduling and duration: Supporting Sites providing centralised or outsourced IT services may host initial Audits scheduled back-to-back or closely scheduled with Primary Site Audits. Audits of additional Primary Sites that depend on the Supporting Site's certification are scheduled independently. The Audit duration depends on the Supporting Site activities and should be agreed on a case-by-case basis with the Audit Team. For back-to-back Audits, transfer time between Sites should also be agreed.

SAS agreement and invoicing: The Supporting Site (whether owned by the Primary Site applicant or a third-party subcontractor) must be subject to the terms of the SAS participation agreement. The Site should be specified in the Primary Site's agreement. If the Supporting Site Audit request is received after the Primary Site's agreement has already been executed, then another instance of the agreement specifying the Supporting Site will need to be signed. The Primary Site applicant or its parent company is invoiced for the Audit.

Audit Report: Only the sections of the Audit Report relevant to the activities performed by the Site need to be completed by the Audit Team. Relevant contextual information about the Supporting Site Audit should be provided within all Audit Reports. The information provided should include Site location(s), dates and duration, Audit type and approach, a summary of the activities performed at each Site, any relevant Audit history, explanatory notes on how the report has been prepared and, if necessary, any deviations from standard Audit practice.

SAS Certificate and website listing: The Supporting Site name and address are mentioned on the SAS Certificate of the Primary Site(s) to which they provide support. If the certification expiry dates of a Primary Site and a supporting backup Site are different, the GSMA will include both expiry dates on the Certificate. This approach will trigger reissue of Certificates to the Primary Site(s) by the GSMA each time a Supporting Site with a different certification expiry date renews its certification. If the certification of a Supporting Site lapses, the GSMA may withdraw the SAS certification of the associated Primary Site(s).

5.3 Management of PKI Certificates
5.3 PKI证书的管理

Certification for management of PKI certificates is slightly different to other elements of SAS- UP Audit scope.
PKI证书管理的认证与SAS-UP审核范围的其他要素略有不同。

SAS-UP certified Sites may make use of eUICC Manufacturer (EUM) PKI test or live
SAS-UP认证站点可以使用eUICC制造商(EUM)PKI测试或实时

certificates that are issued as part of the GSMA ecosystem, or other, non-GSMA PKIs (e.g. national, supplier or product-specific PKIs). Controls are likely to be the same, or very
作为GSMA生态系统的一部分颁发的证书,或其他非GSMA PKI(例如国家、供应商或特定产品的PKI)。控件可能相同,或者非常

similar, in all cases; however, SAS-UP certification for PKI certificate management focusses specifically on a Site’s compliance with the requirements for use of live PKI certificates as
在所有情况下都相似;但是,用于 PKI 证书管理的 SAS-UP 认证特别关注站点是否符合使用实时 PKI 证书的要求,例如

part of the GSMA PKI ecosystem.
GSMA PKI生态系统的一部分。

SAS-UP certification with this scope is one pre-requisite for a Site to apply for a GSMA EUM PKI certificate from a GSMA-appointed Certificate Issuer.

Any Site that demonstrates an appropriate level of compliance with the relevant requirements during an SAS-UP audit may be certified with PKI certificate management within scope; however, certification will distinguish between those Sites that have:

• Demonstrated SAS-UP compliance without GSMA PKI live certificates in use (i.e. either via test/self-signed PKI certificates or via non-GSMA PKI certificates).

• Demonstrated SAS-UP compliance with GSMA PKI certificates in use.

SAS-UP certification will be indicated as shown in Table 3.

Value          | Criteria
GSMA PKI Ready | Site has demonstrated compliant controls for PKI certificate management, either via a) test/self-signed PKI certificates (controls audited "dry", i.e. no live operations) or b) certificates used in live operations issued by non-GSMA CAs.
GSMA PKI Live  | Site has demonstrated compliant controls with GSMA PKI live certificate(s) in use.

Table 3 – Possible values for "Management of PKI Certificates"

In all cases, a Site must first be certified as "GSMA PKI Ready" before being issued with a GSMA PKI live certificate to act as an eUICC manufacturer. Once the first GSMA PKI EUM live certificate has been issued, the Site's SAS-UP certification can be updated to "GSMA PKI Live" following a further successful audit of activities.

SAS-UP certification with "GSMA PKI Ready" or "GSMA PKI Live" certification will be awarded as shown in Table 4.


Row | Audit type  | PKI certificate(s) held at time of audit: test/self-signed only (no live operations) | GSMA PKI live certificate | Non-GSMA PKI used in live operations | SAS-UP status on successful completion of audit: certification status (per Table 3) | Certification duration
1   | Initial (i) | X   | Not available | -   | GSMA PKI Ready | (ii)
2   | Initial (i) | N/A | Not available | X   | GSMA PKI Ready | (iii)
3   | Wet         | N/A | -             | X   | GSMA PKI Ready | (iii)
4   | Wet         | N/A | X             | -   | GSMA PKI Live  | (iii)
5   | Wet         | N/A | X             | X   | GSMA PKI Live  | (iii)
6   | Renewal     | N/A | -             | X   | GSMA PKI Ready | (iii)
7   | Renewal     | N/A | X             | -   | GSMA PKI Live  | (iii)
8   | Renewal     | N/A | X             | X   | GSMA PKI Live  | (iii)

(i) Initial audit of PKI certificate management, carried out as part of a first audit for a new Site or as a renewal or scope extension audit for an existing SAS-UP certified Site. The duration of certification will be dictated by whether this is a new activity (equivalent to a dry audit under the provisional certification scheme) or an existing activity (equivalent to full certification).

(ii) Certification is valid until the provisional certification expiry date of the other scope elements audited during the dry audit (typically 9 months).

(iii) Certification is valid until the certification expiry date of the other fully certified scope elements (1 year following the first full or wet audit, 2 years following a renewal audit).

Table 4 - SAS-UP PKI certification lifecycle


6 Audit Report Scoring and Assessment

The Audit Report (see section 3.3.4) contains detailed Audit Results. An indexed matrix of requirements is used as a means to structure and standardise the recording of compliance.

Possible assessments are described in Table 5.

Compliant (C)
Indicates that the Auditors' assessment of the Site has found that a satisfactory level of compliance with the requirements of the standard has been demonstrated during the Audit.
To assist Auditees in assessing their Audit performance, and to plan improvements, the Auditors may, at their discretion, indicate the level of compliance as follows:
• Compliant (C): in the Auditors' assessment the Auditee has met the standard to an acceptable level. Comments for further improvement may be offered by the Auditors.
• Substantially compliant (C-): in the Auditors' assessment the Auditee has just met the standard, but additional improvement is thought appropriate to bring the Auditee to a level at which compliance can easily be maintained. An assessment of C- will be qualified with comments indicating the improvements required. Future audits will expect to see improvement in areas marked as C-.

Non-compliant (NC)
In the Auditors' assessment, the Auditee has not achieved an acceptable level of compliance with the standard due to one or more issues identified. The issues identified require remedial action to be taken to ensure that an acceptable level of compliance is achieved. Remedial action is compulsory to ensure continued certification.

Table 5 - Assessments possible under SAS-UP

Non-compliances and required actions will normally be summarised at the front of the Audit Report, and described further in the detailed findings.

Comments will normally be provided, marked as (+) and (-) in the Auditor remarks to indicate positive and negative comments made based on the Audit findings. Comments with no symbol represent general comments. The number of (+) or (-) comments bears no relation to the section or sub-section score.

6.1 Audit Result

The Audit Result will be determined based on the level of compliance achieved in all sections of the Audit Report.

In the event that no sections of the Audit Report are assessed as non-compliant by the Auditors, then the Audit Report will normally specify that certification will be awarded by the GSMA without further improvement.


In the event that one or more sections of the Audit Report are assessed as non-compliant, then the Auditee will be required to submit to further assessment in those areas. The assessment may be carried out:

• On-site during a Repeat Audit within 3 months of the non-compliant Audit

• Off-site through presentation of evidence of improvement within 3 months of the non-compliant Audit

The re-assessment method will be determined by the number and nature of issues identified and will be indicated in the Audit summary.

Certification will not be awarded where one or more areas of non-compliance are identified.

Once the Auditee has submitted to successful re-assessment of the issues identified, an updated Audit Report will be issued specifying that certification will be awarded.


7 Maintaining SAS Compliance

SAS certification is awarded based on an assessment by the Audit Team that the Site met the requirements of the SAS Standard during the Audit, and that it demonstrated an ability and intent to sustain compliance during the Certification Period. Continued Site compliance with the SAS Standard during the Certification Period, including the implementation of SAS-compliant controls following any changes to the certified environment, is the responsibility of the Site.

Certified Sites are required, under their agreement with the GSMA, to notify the GSMA of any major change planned or proposed within the audited domain at the Site, and to host within three months any audits deemed necessary by the GSMA to verify the continued compliance of the Site with the SAS Standard as a result of such change. Major changes to the Site that require notification include but shall not be limited to significant production, process or relevant policy changes, and sale of the Site.

7.1 Notifiable Events for PKI certificate management

Sites that are SAS-UP certified for PKI certificate management must notify the GSMA of some specific events that are directly related to that activity:

• Revocation of EUM certificate(s)

If any live EUM PKI certificate (whether issued as part of the GSMA or other PKI) is revoked by the relevant certificate issuer, by the Site itself or by another party, this must be notified to the GSMA. Certificates used solely for test purposes that are revoked at end-of-life are excluded from this requirement.

• Security incidents

Any security incident involving personnel, processes, physical locations, systems or sensitive materials related to management of EUM PKI certificates or key pairs must be notified to the GSMA, even if the security incident itself does not relate to certificates or key pairs within the scope of SAS-UP certification.

• Transfer of GSMA PKI EUM certificate private keys

Any activity involving the transfer of GSMA PKI EUM certificate private keys to a new physical location (e.g. transfer between sites or relocation of key management systems or HSMs) or logical transfer or replication to a new key management system or HSM must be notified to the GSMA.

Transfer of GSMA PKI EUM certificate private keys must always be carried out in accordance with the requirements of section 6.6 of [3].

7.2 Examples of other Notifiable Events

The following examples are provided to help Auditees understand what level of change should be notifiable. The list is provided to help guide Auditees only. Auditees are always encouraged to contact the GSMA in the event of any uncertainty about whether an event is notifiable.


7.2.1 What should be Notified

• Revisions to policy or procedure that change controls audited within the scope of the SAS Audit, e.g.:
  • A change from dual control to single control
  • Removal of a procedural count or control of sensitive assets
  • Removal of a security screening step for new employees
  • Reduction in the frequency of a risk assessment process, security awareness training programme or IT vulnerability scan

• Changes to the responsibility for security management at the Site.

• Changes to the physical environment where sensitive processes are located or housed, e.g.:
  • Relocation of sensitive processes to new premises or alternative locations within the existing certified Site
  • Enlargement or other physical change to a room or workshop containing a sensitive process
  • Changes to the physical construction of areas of the Site where sensitive processes are carried out

• Changes to the architecture of the networks used for sensitive processes, or to the security level of networks where sensitive processes take place.

7.2.2 What Would not Normally Require Notification

• Replacement or like-for-like implementation of a data processing, production or infrastructure supporting system, e.g.:
  • Replacing a firewall with a new device implementing an identical policy
  • Implementing a new instance of an existing platform with a configuration that applies the same policies

• Changes to the layout of existing certified areas where CCTV visibility and other controls are maintained at an equivalent standard, e.g. changing the positions of:
  • Systems in a server room
  • Production or counting equipment in a certified production workshop


8 Costs

The costs of an Audit differ depending on whether it is a first Audit, a Renewal Audit, or a Re-Audit following a non-compliant result at a previous Audit. Costs may also depend on the exact scope of activities and the logistics involved in carrying out the Audit, i.e. if more than one Site is included in each visit the presentations, document reviews and Audit performances may take longer than that prescribed in the example outlined in Table 6 below. Quotations for each Audit will be sent by the Audit Management to the Auditee in advance of each Audit.

8.1 First Audit or Renewal Audit

The Audit duration will depend on the logistics involved and the scope of certification but will normally be based on the following.

Scope of activity                        | UICC              | eUICC (2)
Production (1) only (no data generation) | 8 person-days (3) | 8 person-days (3)
Production (1) and data generation       | 8 person-days (3) | 10 person-days (3)
Data generation only                     | 5 person-days (3) | 7 person-days (3)

Table 6 – Influence of Scope on Audit Duration

Note 1: "Production" includes personalisation of the UICC and any value-added fulfilment activities carried out at the Site.

Note 2: Sites requiring certification as an eUICC manufacturer (EUM), where personalisation and/or data generation for eUICC personalisation takes place, will require a longer Audit to consider the processing of data for subscription management.

Note 3: Each Audit is conducted by two Auditors on-site simultaneously; therefore the duration of the Audit will be half the time in person-days (i.e. 8 person-days = 4 Audit-days with 2 Auditors).

It is the Auditee's responsibility to notify the Audit Management of the Audit scope at the time of application for each Audit. A proposed Audit duration will be agreed in advance and detailed costs will be quoted in the GSMA SAS standard agreement [2] which is sent to each Auditee.

Variable costs such as accommodation and travel will be agreed between the Auditors and the Auditee on an individual basis with a view to minimising costs while maintaining reasonable standards (see the agreement [2] for more information). The Auditors or the Auditee may book and pay for travel and accommodation as agreed between the parties on a case-by-case basis. Where audits are conducted at long-haul destinations during consecutive weeks, every effort will be made to minimise costs by conducting several audits during one trip and allocating the travel and accommodation proportionately between multiple Auditees.


8.2 Audit of Small and Large Sites, and Sites with Limited Scope

The size and scope of Sites audited will vary. For very small Sites or where the scope and scale of production is limited, it may be possible to cover all of the Audit areas adequately in a shorter period of time. For very large or complex Sites it may be necessary to increase the Audit duration to ensure that all of the Audit areas can be covered in sufficient detail.

Auditees' perceptions of the size of their Site will vary:

• In all cases, Auditees should notify the Audit Management of the Audit scope at the time of application for the first Audit. A proposed Audit duration will be agreed in advance of the first Audit.

• First audits for Sites will be carried out based on the standard structure as described in section 8.1. Where it is the Auditors' opinion that the duration of future Renewal Audits could be reduced for small Sites, or should be increased for large Sites, the proposed duration will be documented in the Audit Report. Future audits may be carried out with the revised duration until such time as the size or scope of production changes and the Auditors update their recommendation for the length of Renewal Audits at the Site.

• The proposed duration for subsequent Renewal Audits will be documented by the Auditors in the Audit Report.

8.3 Audit of Central / Corporate Functions

Suppliers may be group companies that have a number of GSM UICC manufacturing Sites. In some cases some functions, knowledge or expertise may be centralized, with common solutions deployed on multiple Sites.

Suppliers may request that common solutions are audited in detail centrally against the requirements of SAS. Successful audits will result in approval of such solutions for deployment across SAS-UP certified Sites. Audits will be undertaken by the Audit Team to a scope agreed in advance between the Auditee, Audit Management and Audit Team.

Approval will be granted via an Audit Report prepared by the Audit Team, issued to the Audit Management, and notified in writing to the Auditee. A formal Certificate will not normally be issued.

Subsequent audits at individual Sites will ensure that centrally-approved solutions are deployed appropriately, but will not consider the detail of the solutions themselves.

Certification of all Sites deploying such solutions will become dependent on renewal of approval of the centralized solutions. Renewal will be required every two years.

Audits of centralized functions will be agreed on a case-by-case basis with suppliers. The duration of audits at individual Sites may be reduced where appropriate.

8.4 Repeat Audit

The costs for a Re-Audit will depend on the required duration of the Re-Audit, which in turn depends on the number of areas assessed as non-compliant during the initial Audit. The Repeat Audit duration is agreed between the Audit Team and the Auditee at the end of the preceding Audit, and the fixed cost is the daily rate quoted in the contract between the GSMA and the Auditee, multiplied by the number of Auditor days required to conduct the Repeat Audit.

Re-audits must be conducted within three months of the original non-compliant Audit and the Auditee must certify that no significant changes have taken place to affect the Site security during the time period between the original Audit and the Re-Audit.

8.5 Off-Site Review of Improvements

Where the Auditors' recommendation at an Audit is non-compliant with an off-site reassessment method, it is likely that additional time will be required to review evidence of changes provided by Auditees. Such time may be chargeable to Auditees in addition to the cost of the Audit itself.

Where an off-site reassessment method is recommended by the Auditors, the Audit Report will include an estimate of the time required to review the evidence and update the Audit Report. This estimate will be used as the basis for charging.

The estimate will be based on the following structure:

Total units = Administration + Minor items + Major items

where:

Item           | Units            | Applies to
Administration | 1 unit           | All off-site reassessment. Covers updates to the report and general communication with the Auditee and the GSMA.
Minor items    | 1 unit per item  | Each Audit Report sub-section assessed as NC where the scope of improvement is limited to: • minor changes to individual documents; • changes to individual controls, where the changes can be illustrated by simple photographs, plans or updated documents.
Major items    | 4 units per item | Each Audit Report sub-section assessed as NC where the scope of improvement is: • significant changes to processes (new or existing) with multiple documents or elements to be reviewed; • changes to individual controls, where the changes require detailed review or analysis of multiple documents, photographs, plans or video; • changes to multiple linked controls.

Table 7 - Estimating Auditor Time for Off-Site Review of Improvements

For each Audit, charging will be based on the total applicable units:

• 0-3 units (one or two minor items, plus administration) – no charge

• 4-6 units (three or more minor items or one major item) – half-day charge per Auditor

• >6 units – full-day charge per Auditor.


8.6 Cancellation Policy

An Audit cancellation fee shall be payable by the Auditee where less than fourteen (14) business days' notice of cancellation, from the date that an Audit is due to commence, is given by the Auditee.

The Auditee shall also be liable for certain unavoidable and non-recoverable expenses (e.g. visa application fees) incurred by the Auditors where less than 60 days' notice of cancellation, from the date that an Audit is due to commence, is given by the Auditee, or where the GSMA cancels the Audit as a result of non-compliance by the Auditee with the terms of the SAS-UP standard agreement. Such expenses shall be evidenced by receipts. More details are contained in the SAS-UP standard agreement [2].

8.7 Appeals

Charges for each appeal will be based on the same principles as for estimating charges for off-site review of improvements, as specified in section 8.5.

If an appeal results in a change to the certification decision for a Site, then no fee shall be payable by the Auditee and the Appeals Board cost will be borne by the GSMA. If an appeal results in no change to the certification decision for a Site, then the costs of the appeal shall be payable by the Auditee.


Annex A Sample audit agenda

The following agenda proposes a mapping of audit modules (as described in Annex B) onto audit sessions for standard audits (First and Renewal Audits) as a guide for Auditees. Non-standard audits (re-audits; audits with extended or reduced scope) may have a different duration, and a specific agenda will be agreed.

The agenda is split into sessions which will normally be carried out in the sequence set out below. Auditees should ensure that appropriate information has been prepared to facilitate the Audit Process (see module details in B.1).

For each part of the Audit the Auditors will normally expect to:

• Discuss the controls in place (documentation, processes, systems) with responsible personnel to understand the security management system. Discussions will typically take place within a meeting room environment.

• Review and validate controls on-site where the sensitive processes are carried out.

Audit day | Modules
1 | Q, R: IT policy and networks
2 | L, M, N: Data processing
3 | F, G: Physical security
4 | U: Internal audit; V: Closing meeting

Further modules allocated across the morning and afternoon sessions of the four audit days: A: Introduction; B: Documents; E: Awareness training; S, T: IT systems; J, K: Key management; O, P: Production security; D: HR; H, I: Physical security; C: Risk assessment / BCP.

The Audit agenda may be adjusted based on production schedules or availability of key personnel. The Auditors may also wish to change the amount of time spent on different aspects during the Audit itself.


Annex B Audit modules

The audit agenda will typically comprise a number of audit sessions that will be agreed with each auditee based on the scope of the audit.

During each session, one or more audit modules will be planned. The modules will typically be conducted across the audit sessions to allow the auditor team to build their understanding of controls, then test/validate them. The table below is intended to help auditees understand the contents of each module, how they relate to the requirements, and how the auditee should prepare to simplify the audit process (see also the sample document list in Annex C). A sample mapping of modules onto a typical agenda for a 4-day audit is included in Annex A.

B.1 Audit modules

Each module is described by: the FS.18 requirement section(s) it covers; the outline agenda; the assessment source (ref. Annex E); the Auditee personnel expected to attend; and the suggested Auditee preparation.

Module A
Outline agenda:
• Company / Site introduction and overview.
• Overview of changes to Site and security management system.
• Description of security management system.
Assessment source: Auditee presentation [D, S]
Auditee personnel: Key members of security organisation
Suggested Auditee preparation: Preparation of introductory presentations to include:
• Company/corporate background and overview.
• Site introduction/overview.
• Confirmation of Audit scope and sensitive processes carried out at the Site.
• Security management organisation, responsibility and system.
• IT and information security overview.

Module B
FS.18: 1.1, 2.x, 3.x
Outline agenda:
• Review of security policy and organisation.
• Detailed review of security management system documentation.
Assessment source: Auditee presentation; off-line review by Audit Team; question and answer [D, S, P, L]
Auditee personnel: Key members of security organisation
Suggested Auditee preparation: Preparation of printed copies of security management system documents, as described in Annex C.
Module C
FS.18: 1.2, 1.3
Outline agenda:
• Risk assessment
• Business Continuity Plan
Assessment source: Q+A [D, S, L]
Auditee personnel: Risk assessment responsible representative; BCP responsible representative
Suggested Auditee preparation:
• Preparation of copies of documents for review by the Auditors (see also document list).
• Evidence of the most recent security risk assessment completed.
• Business continuity training and testing records.

Module D
FS.18: 4.x
Outline agenda:
• Human resources
Assessment source: Q+A; presentation of requested samples [D, S, L]
Auditee personnel: HR representative; Security manager
Suggested Auditee preparation: Description of processes for:
• Security screening as part of the on-boarding process.
• Regular re-screening of personnel.
• Defining security responsibilities within job descriptions.
• Security and confidentiality within legal documentation (e.g. employment contracts).
• Security incident reporting and whistleblowing.
• Disciplinary action.
• Off-boarding at end of employment.
• Sample employee files to provide evidence of controls being applied (the Audit Team will specify the requested files for the HR team to present).

Module E
FS.18: 4.3
Outline agenda:
• Security awareness training
Assessment source: Q+A [D, S, P, L]
Auditee personnel: Security manager / HR / training as appropriate
Suggested Auditee preparation:
• Copies of employee security awareness training materials.
• Employee security awareness training records for the past 2 years.

Module F
FS.18: 5.x
Outline agenda: Physical security

For physical security, the scope of the audit will be primarily based around the activities at the site within the scope of SAS-UP certification (UICC/eUICC data generation, personalisation and post-personalisation packaging, and any key and certificate management related to those activities).

The audit will consider all areas involved in:
• The storage and processing of relevant assets:
  • Information (including production data)
  • IT
  • Production
  • Cryptographic keys
• Operational management of systems and components related to activities within the scope of SAS-UP certification.
• The management of logical and physical security controls for activities within the scope of SAS-UP certification.

Specifically, this will include the:
• Overall site perimeter.
• Building perimeter for each building housing activities or assets within the scope of SAS-UP certification.
• Floors or areas within each building housing activities or assets within the scope of SAS-UP certification.
• The areas of normal or potential access between the site perimeter and building perimeter.
• The points of normal or potential access between the building perimeter and relevant floors or areas.
• Activities within areas where site security is managed, monitored or administered, including:
  • Security control rooms.
  • Access / badge administration offices.
  • Security reception desks.

Outline agenda: Physical security concept
Assessment source (ref. Annex E): Q+A [D, S, P, C, T, L, R]
Suggested Auditee preparation:
Detailed plans showing:
• The mapping of security levels onto the site's physical layout.
• The location of all physical security hardware within the environments, including:
  • CCTV cameras.
  • Alarm system sensors.
  • Points of entry / exit (personnel access, vehicle access, materials transfer, emergency exits).
  • Access control hardware (access card readers, biometric sensors etc.).
Documentation of the physical security concept:
• Security levels:
  • Level definitions.
  • Baseline security controls (for access control, CCTV, alarm systems) applied at each security level.
• Presentation of the implementation of the concept for areas within the scope of the SAS-UP audit (as described above).
• Presentation of management controls for physical security elements:
  • CCTV:
    • CCTV layout concept.
    • Recording and retention policies.
    • Operational system checks.
    • Preventative and reactive maintenance.
  • Alarm system:
    • Alarm system concept.
    • Arming and disarming policies.
    • Alarm review and response process.
    • Operational system checks.
    • Preventative and reactive maintenance.
  • Access control:
    • Operational system checks.
    • Preventative and reactive maintenance.
    • Lifecycle management of access for permanent and temporary employees, contractors, visitors etc., to include:
      • Policies for granting access.
      • Processes for application, approval, granting, modification, revocation and removal of access.
      • Management of physical access tokens (access cards / badges).
      • Control of unauthorised use.
      • Processes for periodic review and re-approval of access rights.
    • Monitoring and response for access control events:
      • Forced opening.
      • Denied access.
      • Door open too long.
      • Anti-passback.
Auditee personnel: Security manager, Physical security supervisor and/or technical systems representative

Module G
FS.18: 5.x
Outline agenda: Physical security. External inspection:
• Physical protection at the site boundary.
• Control of authorised and unauthorised access.
• Deployment of physical security systems (CCTV, alarms, access control).
Assessment source (ref. Annex E): Live audit [P, O, C, T, L, R]
Suggested Auditee preparation:
• Plans (as above).
• Preparation of appropriate test equipment to enable physical security system components (e.g. alarm sensors, emergency exits) to be tested during the live audit.
• The ability to simultaneously view video from the live audit location with streams from the alarm console(s) may allow significant time to be saved if this can be achieved reliably.
Auditee personnel: Security manager, Physical security supervisor

Module H
Outline agenda: Internal inspection:
• Physical protection within the areas of the site linked to the scope of SAS-UP certification.
• Control of authorised and unauthorised access.
• Deployment of physical security systems (CCTV, alarms, access control).
Auditee personnel: Security manager, Physical security supervisor

Module I
Outline agenda: Security control room operations:
• Validation of physical security system operation.
• Evaluation of control room operating procedures and discipline of personnel.
Auditee personnel: Security manager, Physical security supervisor

Module J
FS.18: 6.x
Outline agenda: Key management.
• Overview of key storage mechanisms in use for UICC production activities.
• Processes for secure generation and exchange of keys with other entities in the production chain.
• Processes for secure generation and management of keys for internal protection of data.
• Examination of physical storage facilities for keys/key components (key safes or similar).
• Examination of key management system / HSM configuration.
• Review and reconciliation of sample keys.
The Auditors may request completion of a demonstration key ceremony during the Audit using test/dummy keys.
Assessment source (ref. Annex E): Q+A, presentation of samples [D, S, P, C, T, L, R]
Suggested Auditee preparation: Preparation of key management process documentation and supporting evidence, including:
• Process documentation.
• Roles and responsibilities.
• Training records.
• Key management activity records.
• Technical details of key storage mechanisms.
Auditee personnel: Security manager, Key manager, Key administrator(s), Technical system architect / developer representative

Module K
FS.18: 6.x
Outline agenda: Key management.
Assessment source (ref. Annex E): Live audit [P, O, C, T, L]
Suggested Auditee preparation: Sample systems and checks to be agreed during audit.
Auditee personnel: Security manager, Key manager, Key administrator(s), Key custodian(s)

Module L
FS.18: 7.x, 11.x
Outline agenda: Data generation.
• Development and management of data generation profiles.
• Secure exchange of data (input files, output files, production data etc.).
• Generation of sensitive data:
  • Authentication and other keys.
  • Device certificates.
• Protection of sensitive data (encryption and access control).
• Prevention of duplicate production.
• Production audit trails.
Assessment source (ref. Annex E): Q+A [D, S, P, C, T, L, R]
Suggested Auditee preparation: Preparation of detailed data flow diagrams and supporting information to show the end-to-end lifecycle of production data, to include:
• Exchange, with other entities in the production chain, of:
  • Input files / data.
  • Personalisation data.
  • Response / output data.
• Generation / processing of data for:
  • Electrical personalisation.
  • Graphical personalisation.
  • Customer response / output.
• Management of personalisation data and UICC status during and after the personalisation process.
Auditee personnel: Security manager, Data processing team representative, Technical system architect / developer representative

Module M
FS.18: 7.x, 11.x
Outline agenda: Production data management.
• Receipt and transfer of personalisation data into the production network.
• Protection of sensitive data (encryption and access control).
• Control of personalisation.
• Repersonalisation flow.
• Prevention of duplicate production.
• Production audit trails.
Assessment source (ref. Annex E): Q+A [D, S, P, C, T, L, R]
Suggested Auditee preparation:
• The data flow diagrams (see module L) should include a detailed description of the controls in place to preserve the confidentiality, integrity and availability of data throughout the process, and its auditability.
• Preparation of a detailed description of the data generation mechanism used for sensitive personalisation data (e.g. individual subscriber keys).
• Overview of controls in place to prevent duplicate production occurring.
• The Auditors may arrange for exchange of test data files with the Site as part of the Audit preparation (as described in the SAS-UP Methodology).
Auditee personnel: Security manager, Data processing team representative, Production data management representative, Technical system architect / developer representative

Module N
FS.18: 7.x, 11.x
Outline agenda: Production data processing.
Assessment source (ref. Annex E): Live audit [P, O, C, T, L]
Suggested Auditee preparation: Sample systems and checks to be agreed during audit.
Auditee personnel: Data processing team representative, Production data management representative

Module O
FS.18: 9.x
Outline agenda: Production process.
• Storage of materials.
• Asset control within the personalisation process.
• Repersonalisation.
• Post-personalisation packaging.
• Finished goods storage.
• Reject handling and destruction.
Assessment source (ref. Annex E): Q+A [D, S, T, L, R]
Suggested Auditee preparation: Presentation of the production process flow describing controls in place for the personalisation process, including:
• Incoming materials flow for devices prior to personalisation, including storage and stock control.
• Control of the quantity of devices entering the environment where the personalisation process is carried out:
  • Embedded cards or embedded form-factor devices for dedicated personalisation workshops.
  • White or printed card bodies for combined card body / personalisation workshops.
• Control of the quantity of good, reject and unused devices at the end of the personalisation process.
• Control of the quantity of good, reject and unused devices at the end of any post-personalisation packaging process.
• Confirmation of the point of final control and sealing of finished, personalised UICCs.
• Materials flows for:
  • Finished, sealed personalised UICCs.
  • Surplus unused devices from the personalisation process.
  • Rejects from the personalisation and/or post-personalisation packaging processes.
• Remake processes for devices:
  • Rejected during the personalisation process.
  • Rejected after the personalisation process.
Auditee personnel: Logistics manager, Logistics supervisor(s), Production manager, Production supervisor(s)
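The quantity controls and remake flows listed for module O are what the Audit Team reconciles on the live audit (module P) and what the duplicate-production requirements (FS.18 7.5, 11.1) are meant to prevent. The Python below is an added example, not part of FS.05 or of any Auditee's production system: it reconciles constructed batch records (devices issued into the personalisation area must equal good + rejected + unused) and walks the production audit trail for an ICCID finished as good twice, while allowing the remake of a device that was rejected during or after personalisation, which module O lists as a normal flow. The record layout, field names, batch identifiers and ICCID values are assumptions made for the example.

```python
"""Added example, not part of FS.05 or the SAS-UP scheme: a quantity
reconciliation and duplicate-production check of the kind an auditor
samples under modules O/P (FS.18 9.x) and the duplicate-production
requirements (FS.18 7.5, 11.1). The record layout, field names and the
sample batches below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Batch:
    batch_id: str
    issued: int          # devices released into the personalisation area
    good: List[str]      # ICCIDs of finished, sealed UICCs
    rejected: List[str]  # ICCIDs of devices rejected and routed to destruction
    unused: int          # surplus blank devices returned to stock


def reconcile_batch(batch: Batch) -> List[str]:
    """Every device that entered the personalisation area must leave it as
    good, rejected or unused. Returns one finding per discrepancy; an empty
    list means the batch balances."""
    accounted = len(batch.good) + len(batch.rejected) + batch.unused
    if accounted == batch.issued:
        return []
    return [
        f"{batch.batch_id}: issued {batch.issued}, accounted {accounted} "
        f"(good {len(batch.good)}, rejected {len(batch.rejected)}, "
        f"unused {batch.unused}, delta {batch.issued - accounted})"
    ]


def check_duplicate_production(batches: List[Batch]) -> List[str]:
    """Walk the audit trail in production order. An ICCID may be finished
    as good only once, except as a remake of a device that was rejected
    (during or after personalisation) since its previous good instance.
    Rejects in a batch are applied before that batch's good output, so a
    reject-and-remake within one batch is not flagged."""
    findings: List[str] = []
    last_state: Dict[str, str] = {}   # ICCID -> "good" | "rejected"
    for batch in batches:
        for iccid in batch.rejected:
            last_state[iccid] = "rejected"
        for iccid in batch.good:
            if last_state.get(iccid) == "good":
                findings.append(
                    f"{batch.batch_id}: ICCID {iccid} finished as good again "
                    f"without an intervening reject (duplicate production)")
            last_state[iccid] = "good"
    return findings


def audit(batches: List[Batch]) -> List[str]:
    """Combined findings for a sampled set of batches."""
    findings: List[str] = []
    for batch in batches:
        findings.extend(reconcile_batch(batch))
    findings.extend(check_duplicate_production(batches))
    return findings


# Constructed sample audit trail (ICCID values are illustrative, not allocated).
ICCID = [f"89441100000000000{i:02d}" for i in range(1, 8)]
SAMPLE_BATCHES = [
    # Balances: 3 good + 1 reject + 1 unused = 5 issued.
    Batch("B-001", 5, [ICCID[0], ICCID[1], ICCID[2]], [ICCID[3]], 1),
    # Remake of the B-001 reject: allowed, the earlier instance was rejected.
    Batch("B-002", 3, [ICCID[3], ICCID[4]], [], 1),
    # Two findings: one device unaccounted for, and ICCID[1] finished good twice.
    Batch("B-003", 4, [ICCID[1], ICCID[5]], [ICCID[6]], 0),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_BATCHES) or ["all sampled batches reconcile"]:
        print(line)
```

Run stand-alone, the example reports the count shortfall in B-003 and the second good instance of the ICCID already finished in B-001; the remake in B-002 produces no finding. The same two checks, applied to the site's own reconciliation records and personalisation audit trail rather than to constructed batches, are what the live audit samples.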

Module P
FS.18: 9.x
Outline agenda: Production process.
Assessment source (ref. Annex E): Live audit [P, O, T, L]
Suggested Auditee preparation: Sample systems and checks to be agreed during audit.
Auditee personnel: Logistics manager, Logistics supervisor(s), Production manager, Production supervisor(s)

Module Q
FS.18: 10.1, 10.2
Outline agenda: IT security policy
Assessment source (ref. Annex E): Q+A [D, S, P]
Suggested Auditee preparation: Preparation of copies of appropriate documents for review by the Auditors during the Audit, including:
• IT security policy.
Auditee personnel: IT security business owner/representative

Module R
FS.18: 10.5
Outline agenda: IT network security
Assessment source (ref. Annex E): Q+A, presentation of requested samples [D, S, P, C, T, L, R]
Suggested Auditee preparation:
• Overall network layout.
• Production network layout.
• Firewall configuration policy and rules.
• Samples of documentation for a recent firewall rule change.
• Samples of documentation for a recent firewall rule review.
• Penetration test and vulnerability scan results.
Auditee personnel: Network security team representative, System administrator(s)

Module S
FS.18: 10.6, 10.3
Outline agenda: IT systems security
Assessment source (ref. Annex E): Q+A, presentation of requested samples [D, S, P, C, T, L, R]
Suggested Auditee preparation:
• System hardening checklists.
• Patch and virus management records.
• User authorisation / account creation process and example records.
• System backup process and example records.
• Component destruction records.
• System event log review records.
Auditee personnel: Systems security team representative, System administrator(s)

Module T
FS.18: 10.x
Outline agenda: IT security
Assessment source (ref. Annex E): Live audit [P, O, C, T, L]
Suggested Auditee preparation: Sample systems and checks to be agreed during audit.
Auditee personnel: Network security team representative, Systems security team representative, System administrator(s)

Module U
FS.18: 1.4, 5.5, 7.7, 9.7, 10.11
Outline agenda: Internal audit system
Assessment source (ref. Annex E): Q+A, presentation of requested samples [D, S, P, L, I]
Suggested Auditee preparation:
• Overall plan for internal audits/operational controls covering physical security, production, data processing and IT security controls.
• Internal audit checklists used at operational, supervisory and independent audit levels for each area.
• Access to samples of completed checklists and tracking mechanisms for remediation actions, as requested.
Auditee personnel: Internal audit lead, Internal auditors

Module V
Outline agenda: Closing meeting. Audit Team summary presentation of findings.
Auditee personnel: Auditee representatives

Annex C Sample required documents list

The Auditors will normally require access to the documents listed below during the Audit, where such documents are used by the Auditee. Copies of the current version of these documents must be available in the language of the Audit (English) for each Auditor.

Sites should note that failure to provide these printed documents in the language of the Audit may result in:
• Significant delays in the Audit process
• Inability to fully evaluate their content and make an appropriate Audit assessment
• A recommendation to extend the Audit duration of future audits at the Site (at the Auditee's expense)

Additional documentation may be requested by the Auditors during the Audit; where such documents are not available in the language of the Audit, translation facilities must be provided by the Auditee within a reasonable timescale. The Auditors will seek to minimise such requests, whilst still fulfilling the requirements of the Audit.

C.1 Document List

C.1.1 Security Management System (modules B, C)
• Overall security policy
• IT security policy
• Security handbook / manual
• Security management system documentation as provided to all employees
• Information and asset classification system documentation
• Risk assessment process
• Business continuity plan

C.1.2 Key Management (modules J, K)
• Key management processes and supporting documentation
• Records of appointment and training for key management personnel
• Lifecycle management records for HSMs (where used)
• Key management records

C.1.3 Production (modules O, P)
• UICC production reconciliation process
• UICC production tracking / reconciliation documentation

C.1.4 Human Resources (module D)
• Sample job descriptions for all employees with security responsibilities
• Confidentiality agreement for employees
• Standard employment contract
• Employee exit checklists

C.1.5 Security Internal Audit System (module U)
• Overall audit policy and plan
• Audit concept (operational checks, supervisory audits, independent audit)
• Audit checklists for each area (physical security, key management, data processing, production processes, IT) for each level of audit/control (operational checks, supervisory audit, independent audit etc.)

It is accepted that in some cases not all of these documents will be used by Auditees, or that one document may fulfil multiple functions.

All documents shall be used on-site during the Audit only; the Auditors shall not remove documents from the Site during the Audit and shall return all materials at the end of each Audit day.

Annex D Collection of information

The table below provides a detailed mapping of how the Audit Team will normally expect to collect information to assess each applicable SAS requirement. The mapping identifies whether the information is being used to support:

CMP  Compliance: Review of the auditee's defined and implemented policies, procedures and operational controls to confirm that they are compliant with the requirements of SAS-UP.
CSY  Consistency: Review of the understanding and operation of controls by personnel at all levels to confirm that they are consistent with those defined and documented.
CNF  Confidence: Review of evidence to confirm appropriate operation of controls over an extended period and the application of a system of internal audits to ensure the level of effectiveness is maintained.

Assessed through (see explanations in the Audit tools reference, Annex E):
D  Document review
S  Stakeholder interview
P  Operational personnel interview
O  Live observation
C  System configuration review
T  Sampling and testing
L  Logs, reports and records
I  Internal audit reports
R  CCTV recordings

Across the table, the assessment sources map onto the three criteria as in Annex E: document review (D) supports compliance (CMP); stakeholder interview (S) supports compliance and consistency (CMP, CSY); operational personnel interview, live observation, system configuration review and sampling and testing (P, O, C, T) support consistency (CSY); and logs, reports and records, internal audit reports and CCTV recordings (L, I, R) support confidence (CNF).

CSRG sections covered by the mapping:

Policy, Strategy and Documentation
1.1 Policy; 1.2 Strategy; 1.3 Business continuity planning; 1.4 Internal audit and control

Organisation and responsibility
2.1 Organisation; 2.2 Responsibility; 2.3 Incident response and reporting; 2.4 Contracts and liabilities

Information
3.1 Classification; 3.2 Data and media handling

Personnel security
4.1 Security in job description; 4.2 Recruitment screening; 4.3 Acceptance of security rules; 4.4 Incident response and reporting; 4.5 Contract termination

Physical security
5.1 Security plan; 5.2 Physical protection; 5.3 Access control; 5.4 Security staff; 5.5 Internal audit and control

Certificate and key management
6.1 Classification; 6.2 Roles and Responsibilities; 6.3 Cryptographic key specification; 6.4 Cryptographic key management; 6.5 Audit and accountability; 6.6 GSMA PKI Certificates

Sensitive process data management
7.1 Data transfer; 7.2 Sensitive data access, storage, retention; 7.3 Data generation; 7.4 Auditability and accountability; 7.5 Duplicate production; 7.6 Data integrity; 7.7 Internal audit and control

Logistics and production management
9.1 Order management; 9.2 Raw materials; 9.3 Control, audit and monitoring; 9.4 Destruction; 9.5 Storage; 9.6 Packaging and delivery; 9.7 Internal audit and control

Computer and network management
10.1 Policy; 10.2 Segregation of roles and responsibilities; 10.3 Access control; 10.4 Remote access; 10.5 Network security; 10.6 Systems security; 10.7 Audit and monitoring; 10.8 External facilities management; 10.11 Internal audit and control

Two-step personalisation process
11.1 Control of duplicate production; 11.2 Generation of hardware security credentials; 11.3 Personalisation of security credentials (Perso_SC); 11.4 Generation of UICC OS security credentials (Perso_UICC)

GSMA
GSMA公司

Security Accreditation Scheme for UICC Production - Methodology
UICC生产安全认可计划 - 方法论

Annex E Assessment of compliance
附件E 遵约评估

E.1 Audit assessment and compliance
E.1 审计评估和遵守情况

The audit seeks to utilise a number of different sources to allow the auditors to assess compliance, consistency and confidence of the controls in place. As described in section6, the Auditee must receive a C or C- assessment in each section of the audit report for certification to be
审计旨在利用许多不同的来源,使审计师能够评估现有控制措施的合规性、一致性和信心。如第 6 节所述,被审核方必须在审核报告的每个部分获得 C 或 C- 评估才能获得认证

granted - reflecting an appropriate level of conformity across all applicable sections of the FS.18 SAS Consolidated Security Requirements and Guidelines[3].
授予 - 反映了 FS.18 SAS 综合安全要求和指南[3]所有适用部分的适当一致性水平。

Assessment source
评估来源

D

Documentation review
文档审查

O

Live observation of activities/behaviour
实时观察活动/行为

L

Records, logs and reports
记录、日志和报告

S

Stakeholder interview
利益相关者访谈

C

System configuration review
系统配置审查

I

Internal audit reports and findings
内部审计报告和调查结果

P

Operational personnel interview and activity review
业务人员访谈和活动审查

T

Operational sampling and testing
操作取样和测试

R

CCTV recordings
闭路电视录像

For the Audit to demonstrate operation of SAS-UP compliant controls, the Auditee must provide appropriate access to relevant information to
为了使审计证明符合 SAS-UP 的控制措施的运行情况,被审计方必须提供对相关信息的适当访问权限,以便

enable the Audit Team to assess compliance, consistency and confidence. Assessment will normally consider the information sources documented below. For reference, an indication of what might be considered poor conformity (resulting in an NC assessment) and good conformity (resulting in a C assessment) is also included. In general:
使审计团队能够评估合规性、一致性和置信度。评估通常会考虑下面记录的信息来源。作为参考,还包括可能被视为较差的符合性(导致 NC 评估)和良好符合性(导致 C 评估)的指示。通常:

An assessment of C will be made for each section of the audit report where the auditee demonstrates a good level of conformity for compliance, consistency and confidence.
将对审计报告的每个部分进行 C 评估,其中被审计者在合规性、一致性和信心方面表现出良好的一致性水平。

An assessment of NC will be made for each section of the audit report where the auditee demonstrates a poor level of conformity for one or more of compliance, consistency or confidence.
将对审计报告的每个部分进行 NC 评估,其中被审计者在一项或多项合规性、一致性或置信度方面表现出较差的符合性水平。

An assessment of C- will be made, at the Audit Team’s discretion, for any section of the audit report where the auditee demonstrates a level of conformity that is substantially conformant for compliance, consistency and confidence, but where improvements should be considered by the site to achieve a sustainable level of compliance.
审核小组将酌情对审核报告的任何部分进行 C- 评估,如果被审核者表现出的符合性水平基本上符合合规性、一致性和信心,但现场应考虑改进以达到可持续的合规水平。

V10.1 Page 52 of 63
V10.1 第 52 页,共 63 页

GSMA
GSMA公司

Security Accreditation Scheme for UICC Production - Methodology
UICC生产安全认可计划 - 方法论

Assess
评估

Target
目标

Assessed through
评估通过

Poor conformity (NC)
一致性差 (NC)

Good conformity (C)
良好符合性 (C)

Compliance
合规

The Auditee has defined
被审计方已定义

[ D ]

Documentation
文档

Controls appear to be new and/or
控件似乎是新的和/或

Controls are well-established and
控制措施完善且

and implemented
并实施

policy, procedures and operational controls
政策、程序和操作控制

that meet the
满足

requirements of SAS- UP.
SAS-UP的要求。

[ S ]
[ 小号 ]

review.
回顾。

Stakeholder interview.
利益相关者访谈。

untested. Documentation is missing or incomplete, or shows a very high level of inconsistency at the same
未经测试。文档缺失或不完整,或同时显示非常严重的不一致

level (e.g. policies are inconsistent) or across levels (e.g. work instructions
级别(例如政策不一致)或跨级别(例如工作说明)

are not consistent with procedures;
与程序不符;

processes do not comply with policies).
流程不符合策略)。

Controls defined and documented are not consistent with SAS-UP
定义和记录的控制与 SAS-UP 不一致

requirements.
要求。

documented and have been in
记录在案并已在

regular operation for an extended
延长的常规操作

period. Controls documented fulfil
时期。记录在案的控制履行

SAS-UP requirements. There is a high level of stability, with major changes happening infrequently. Where
SAS-UP 要求。稳定性很高,重大变化很少发生。哪里

changes do occur, their introduction is carefully managed through training
变化确实会发生,它们的引入是通过培训精心管理的

and monitoring to ensure effectiveness.
以及监测以确保有效性。

Consistency
一致性

Controls are clearly
控制很清楚

understood by
理解

personnel at all levels and are operated
各级人员和操作

consistent with those
与这些一致

defined and documented.
定义和记录。

[ S ]
[ 小号 ]

[ P ]

Stakeholder interview.
利益相关者访谈。

Operational personnel interview and activity review.
运营人员访谈和活动审查。

Personnel do not appear to clearly understand the controls that should be in place through a lack of training and/or familiarity. General discipline appears poor.
由于缺乏培训和/或熟悉,工作人员似乎不清楚应该采取的控制措施。一般的纪律似乎很差。

Personnel understand the controls and their responsibilities clearly and are able to explain and demonstrate them when asked. The need for
人员清楚地了解控制措施及其职责,并能够在被问到时解释和演示它们。需要

sustained compliance is understood, based on personnel having a clear
持续合规是可以理解的,基于人员具有明确的

recognition of the importance of the controls to the business and
认识到控制对业务的重要性,以及

certification and their personal
认证和他们的个人

accountability for maintaining the appropriate level of control.
保持适当控制水平的问责制。

Personnel are disciplined and
人员纪律严明,并且

demonstrate a clear culture of
展示清晰的文化

security and compliance ascore to their actions. Personnel embrace their individual and collective
安全性和合规性是他们行动的得分。员工拥抱他们的个人和集体

accountability.
问 责。

V10.1 Page 53 of 63
V10.1 第 53 页,共 63 页

Assess: (continued from the previous page)
Assessed through: [O] Live observation of activities and behaviour. [C] System configuration review. [T] Operational sampling and testing.
Poor conformity (NC): Appropriate records are not maintained or cannot be provided. Records that are available are incorrect or incomplete. There is little or no evidence available that live activities are being carried out following the defined processes. Quality, consistency and accuracy of record taking is consistently poor. Samples taken during the audit are often incorrect or unclear, showing a high level of deviations or discrepancies.
Good conformity (C): Complete, comprehensive and accurate records exist. Records are reliable and genuine. Different sources are consistent and can readily be validated through cross-correlation. Sampling checks of live operational activities, inventories, records and system configurations show no significant errors or discrepancies.

Assess: Confidence
Target: Reliable evidence exists of appropriate operation of controls over an extended period, with an effective system of internal audits acting to ensure the level of effectiveness is maintained.
Assessed through: [L] Written records. [L] Notifications and reports. [L] System audit logs and trails. [I] Internal audit reports and findings. [R] CCTV recordings.
Poor conformity (NC): Records are not available to demonstrate that controls have been applied prior to the audit. Where records do exist, they are incomplete or inconsistent, or do not show that controls have been applied consistently with those described or presented. The internal audit system is poorly defined, infrequent and carried out by personnel without a clear understanding of the requirements.
Good conformity (C): Sampling checks of operational activities carried out over an extended period prior to the audit show a sustained level of performance with very few errors or discrepancies. Where errors or deviations have occurred, these have been identified quickly and handled appropriately to resolve them and prevent recurrence. A comprehensive system of internal audits is in place at a number of levels. Clear evidence exists of audits being carried out based on well-defined checklists. Details of samples are recorded. Personnel conducting audits are trained and experienced. Where improvements and non-compliances are identified, these are reported through a clear escalation process to ensure appropriate action is taken to address them quickly and effectively.


GSMA

Security Accreditation Scheme for UICC Production - Methodology

Annex F Final Audit Report Structure

F.1 First Page:

• Headline: GSM Association SAS for UICC Production (SAS-UP) Qualification Report

• Type of Audit:

  • "First Audit" for the first Audit at the Site

  • "Renewal Audit" in the following years after a first Audit

  • "Re-Audit" because the result of the "First Audit" or the "Renewal Audit" was unsatisfactory

  • "Dry Audit" / "Wet Audit", if applicable

• Name of the Auditee and location of the audited Site

• Date of the Audit

• Audit number

• Audit team participants

F.2 Following Pages:

• Audit summary

• Summary of certification

• Auditors' comments

• Actions required

• Annex A – Detailed results

Section | Result of sub-section | Auditor remarks

Policy, Strategy and Documentation | Result |
Policy | C |
Strategy | C |
Business continuity planning | NC | - comment
Internal audit and control | C | + comment

Organisation and Responsibility | Result |
Organisation | C |
Responsibility | NC | comment
Incident response and reporting | C- |
Contracts and liabilities | NC |

Information | Result |
Classification | NC | - comment; - comment
Data and media handling | C- |

Personnel Security | Result |
Security in job description | C | comment
Recruitment screening | C | + comment
Acceptance of security rules | C |
Incident response and reporting | C |
Contract termination | C- |

Physical Security | Result |
Security plan | C |
Physical protection | NC |
Access control | NC | - comment
Security staff | NC |
Internal audit and control | C | + comment

Certificate and Key Management | Result |
Classification | C |
Roles and Responsibilities | C |
Cryptographic key specification | C | - comment
Cryptographic key management | NC |
Audit and accountability | NC | - comment
GSMA PKI Certificates | C- |

Production Data Management | Result |
Data transfer | C |
Sensitive data access, storage and retention | C |
Data generation | C |
Auditability and accountability | C | + comment; - comment
Duplicate production | C | + comment
Data integrity | C |
Internal audit and control | C |

Logistics and Production Management | Result |
Order management | NC |
Raw materials | C | + comment; - comment
Control, audit and monitoring | C |
Destruction | C- |
Storage | C | + comment; - comment
Packaging and delivery | C |
Internal audit and control | C |

Computer and Network Management | Result |
Policy | C |
Segregation of roles and responsibilities | NC | - comment
Access control | C |
Remote access | C- |
Network security | C |
Systems security | NC | - comment
Audit and monitoring | C |
External facilities management | C |
Internal audit and control | C |

Two-step personalisation process | Result |
Control of duplicate production | C |
Generation of hardware security credentials | NC |
Personalisation of security credentials | C |
Generation of UICC OS credentials | C- |
Personalisation of UICC OS credentials | C |

• Annex B – SAS scoring mechanism (that is, a copy of Table 5 of this document)

• Annex C – Document management


Annex G Data Processing Audit

As part of the Audit of the Site's data processing system and supporting processes, it is preferred that Auditees prepare some SAS-specific test data files in advance of the Audit date. This document provides a suggested approach; the Auditee and Audit Team will agree the precise approach for each Audit.

The purpose of these test data files is to allow the Audit to be carried out in a consistent way to consider:

• Data transfer with MNO customers

• Data protection

• Log files

Using test data files created specifically for the Audit avoids any issues with the confidentiality or integrity of live production or customer data.

The tests are intended to be transparent and will not deliberately involve any form of system intrusion.

The tests will focus exclusively on data processing and will not involve any physical production.

G.1 Before the Audit

G.1.1 Preparation

The Auditee should make arrangements to create a customer (or use an existing customer profile) and corresponding orders for the SAS-UP Audit within its systems. The customer and orders may be set up for testing only, or for production (although no physical production will take place), as judged appropriate by the Site.

It is recognised that different configurations will be used for different customers. One should be selected that is representative of the current production of the Site. The Audit will focus on those security processes that are typical and/or recommended by the Auditee to MNO customers. It is the Auditee's responsibility to select appropriate, representative processes.

If more than one production data solution is offered to customers (excluding any customer-specific solutions) then the number of different solutions and the nature of the differences should be confirmed with the Audit Team before setting up the tests.

Product or customer-related profiles and file formats already in use may be chosen by the Auditee for their convenience, e.g. by using/replicating existing customer profiles.

G.1.2 Key Exchange

The Auditee should initiate its recommended process for secure key exchange, to include:

• Exchange of transport keys for encryption of sensitive data in test output files

• Exchange of encryption keys for test input and output files


G.1.3 Input File Exchange

Two input files will normally be submitted to the Auditee in advance of the Audit. The input files will be submitted electronically by the Auditee's nominated mechanism, or by an alternative mechanism if the nominated mechanism would imply set-up cost.

The format of the input files will be agreed between the Auditee and Audit Team, but in most cases could utilise an existing file format used by the Auditee.

G.1.4 Processing of Input File 1

Auditees should carry out data generation for the first input file in advance of the Audit.

NOTE: Input file 2 should not be processed before the Audit.

G.1.5 Output File Exchange

Auditees should return the corresponding output file. The output file should be returned electronically by the Auditee's nominated mechanism, or by an alternative mechanism if the nominated mechanism would imply set-up cost.

The format of the output file will be agreed between the Auditee and Audit Team, but in most cases could utilise an existing file format used by the Auditee.

G.1.6 Timescales

Exact timescales for the process will be agreed between the Audit Team and Auditee, but would typically involve:

Time before Audit | Actions
Week –4 | Opening discussions regarding process
Week –3 | Auditee to conduct internal preparations for data processing exercise
Week –2 | Auditee to communicate requirements for key exchange, file formats and input/output file exchange. Audit team to undertake key exchange.
Week –1 | Audit team to deliver input files. Auditee to process first input file. Auditee to return output file for first input file.

G.2 During the Audit

G.2.1 Review of Key Exchange

The Audit Team will discuss and review the key exchange process with the Auditee, including reference to relevant logs and records.

G.2.2 Review of Input File 1 Processing

The Audit Team will discuss and review the processing of input file 1 with the Auditee, including reference to relevant logs and records.


G.2.3 Demonstration of Input File 2 Processing

The Audit Team may request that Auditees use input file 2 to provide a live demonstration of the data processing flow (receipt, data generation, output file creation etc.).

G.3 After the Audit

Following the Audit, the Audit Team will confirm that data files and records are no longer required and can be removed/archived as appropriate by the Auditee and deleted by the Audit Team (output file).


Annex H Document Management

H.1 Document History

Version | Date | Brief Description of Change | Editor / Company

3.2.0 | 24 Jul 2003 | Stable version in use. | James Moran, GSMA
3.3.0 | 5 Sep 2006 | Updates to reflect role of GSMC & qualified pass classification, new coversheet | David Maxwell, GSMA
3.3.1 | 16 Nov 2006 | Updated evaluation matrix and Audit Report content to match security requirements in SAS Standard v.3.2.2 | David Maxwell, GSMA
3.3.2 | 17 Jul 2007 | Minor changes to reflect GSMC as GSMA subsidiary that undertakes Auditee contracts. | David Maxwell, GSMA
3.4.0 | 13 Sep 2007 | Updated with proposed changes to small Site and corporate function audits and QP charging. Approved at SAS annual review 13 Sep 2007 | James Messham, FML
3.5.0 | 11 Sep 2008 | Added explicit requirement for openness in SAS Methodology, as agreed at SAS annual review 2008. | David Maxwell, GSMA
3.6.0 | 14 Sep 2009 | Added section for Certification Process and comments relating to Audit scheduling. | James Messham, FML
3.7.0 | 01 Mar 2010 | Document updated to cater for the certification of new manufacturing facilities where production may not already be established | James Moran, GSMA
3.8.0 | 01 Oct 2010 | Updated report scoring and assessment scheme (replace pass/fail terminology with compliant/non-compliant) | David Maxwell, GSMA
3.9 | 16 Oct 2012 | Added details of data process Audit, including additional appendix. Minor editorial modifications to update other sections, and application of latest GSMA document template. | James Messham, FML & David Maxwell, GSMA
3.10 | 5 Mar 2013 | Default Certification Period for new Sites reduced to one year. | David Maxwell, GSMA
3.11 | 10 Apr 2013 | Replaced term "smart card" with "UICC" to clarify that non-card form factor (e.g. M2M) products are included in SAS scope. | David Maxwell, GSMA
3.12 | 30 Oct 2013 | Clarified that Sites with limited in-scope activities may qualify for audits shorter than the standard duration. | James Messham, FML
3.13 | 11 Apr 2014 | Correction to maximum timeframe allowed for hosting Re-Audits. | David Maxwell, GSMA

4.0 | 23 Apr 2015 | Extend Certification Period following transition from Provisional Certification. General editorial review & update to reflect creation of SAS for Subscription Management (SAS-SM). | David Maxwell, GSMA
4.1 | 10 May 2016 | Clarify Dry Audit prerequisites. Update to Provisional Certification duration to 9 months. Specify minimum certification duration for new Sites. | David Maxwell, GSMA
5.0 | 27 Jul 2016 | Update to reflect new Consolidated Security Requirements (CSR) and Consolidated Security Guidelines (CSG) PRDs. | David Maxwell, GSMA
6.0 | 31 Mar 2017 | Specify that auditing of processing of data for subscription management requires increased Audit duration. Specify that Certification Period may be extended in exceptional circumstances where Site due for Renewal Audit is completing major changes | David Maxwell, GSMA & James Messham, FML
7.0 | 16 Feb 2018 | Remove Certification Body. Specify that Audit Team makes certification decision. Introduce Appeals Body. Revise cancellation policy. New section on maintaining SAS compliance. | David Maxwell, GSMA
7.1 | 19 Feb 2019 | Clarify Provisional Certification and Wet Audit durations | David Maxwell, GSMA
8.0 | 25 Jul 2019 | Add process for auditing and certification of Supporting Sites | David Maxwell, GSMA
9.0 | 3 Apr 2020 | Updates to standard Audit agenda and document list to reflect current practice. | SAS-UP Auditors
9.1 | 1 Jul 2020 | Editorial changes adding defined terms to support legal framework for SAS-UP. | David Maxwell, GSMA
9.2 | 21 Apr 2021 | Updates to how certification for PKI certificate management is communicated. Added notifiable events for PKI certificate management | David Maxwell, GSMA & James Messham, FML
9.3 | 1 Apr 2022 | Removed references to SAS Consolidated Security Requirements PRD FS.17, allowing withdrawal of that document (content merged into FS.18). | David Maxwell, GSMA
10.0 | 22 Feb 2023 | Integrated information collection and assessment from Covid 19 Methodology Variation. Restructured and updated core document. | James Messham, FML
10.1 | 12 Apr 2023 | Updated GSMA logo | David Maxwell, GSMA

H.2 Other Information

Type | Description
Document Owner | GSMA Fraud and Security Group
Editor / Company | David Maxwell, GSMA

It is our intention to provide a quality product for your use. If you find any errors or omissions, please contact us with your comments. You may notify us at sas@gsma.com. Your comments, suggestions and questions are always welcome.