SAS-SM (Security Accreditation Scheme – Subscription Management)

What is SAS-SM (Security Accreditation Scheme — Subscription Management)?

SAS-SM (Subscription Management) is the part of the GSMA’s Security Accreditation Scheme (SAS) that applies to entities involved in subscription management, i.e. the platforms and services that generate, deliver, and manage operator profiles for eUICC / eSIM under Remote SIM Provisioning (RSP).

It ensures that SM-DP, SM-DP+, SM-SR, and SM-DS operators adhere to rigorous security standards in their infrastructure, processes, and operations. 

The SAS-SM audit covers everything from physical security, personnel policies, system access, and key/certificate management, to data protection, IT operations, and supply chain controls — essentially all aspects critical to protecting subscriber profiles and preventing misuse or data breaches.

Why SAS-SM Matters (and What It Guarantees)

  • Trust & assurance: Mobile Network Operators (MNOs) and OEMs rely on SAS-SM certification to trust that profile management is handled securely and reliably. 
  • Standardised security: SAS provides a universal audit framework so subscription management providers are evaluated against common criteria, reducing inconsistent supplier audits. 
  • Barrier mitigation: It helps reduce risks that might come from third-party integration, key leakage, insider threats, or misconfiguration across the remote provisioning ecosystem.
  • Regulatory alignment: Many regulators, operators, or procurement teams demand such certification as part of supply chain risk and compliance assessments.

Kigen’s SAS-SM Certification Example

Kigen has achieved full GSMA SAS-SM accreditation for its Dublin subscription management site, including for its eIM (eSIM IoT Manager) functions, audited under the SAS-SM standard version 4.1. 

This means that our service environment for subscription management is certified for Data Preparation, Secure Routing, and core eIM operations under live conditions. 

This accreditation supports our ability to provision profiles securely at scale for IoT devices, including devices using the GSMA SGP.32 IoT eSIM standard. 

Important Technical Details & Scope

  • SAS-SM audits cover the subscription management roles: SM-DP, SM-DP+, SM-SR, and SM-DS, ensuring that each sensitive process is controlled.
  • The standard addresses sensitive assets such as cryptographic keys, profile data, certificate management, secure interfaces and audit trails.