What is SAS-UP (Security Accreditation Scheme – UICC Production)?
SAS-UP is the GSMA’s Security Accreditation Scheme for UICC / eUICC production. It mandates that UICC / eUICC (embedded SIM) manufacturers submit their production facilities, operational processes, and supply chain controls to rigorous security audits. Only manufacturers that meet GSMA’s security standards are awarded accreditation.
SAS-UP covers the secure handling of all production and personalization steps—such as data generation, certificate and key management, personalization (writing credentials into chips), packaging, and post-processing—ensuring that the eUICCs leaving a factory are trustworthy, tamper-resistant, and ready for secure use in the field.
Because the trustworthiness of eSIM / eUICC modules depends heavily on how securely they are manufactured, SAS-UP is an essential credential for any UICC / eUICC manufacturer aiming to operate in the GSMA eSIM ecosystem.
Why SAS-UP Matters
- Baseline security guarantee: SAS-UP certification signals to mobile operators, OEMs, and ecosystem stakeholders that a manufacturer’s production systems adhere to high security standards.
- Ecosystem trust & acceptance: Accredited eUICC modules are accepted within the GSMA Remote SIM Provisioning (RSP) framework, essential for deploying eSIM functionality globally.
- Reduces audit burden: Operators and service providers can rely on SAS-UP certification, rather than conducting individual factory security assessments.
- Protects critical credentials and assets: SAS-UP enforces strict controls over cryptographic keys, profile data, certificate issuance, and secure storage in the production supply chain.
- Defends against supply chain attacks: By auditing every step of the production and personalization process, SAS-UP mitigates risks like insider threats, unauthorized access or leakage of credentials, or tampering.
What the SAS-UP Audit Reviews
During its security audit, SAS-UP examines:
- Physical security & facility controls: Access control, surveillance, shielding, tamper detection
- Personnel and role segregation: Background checks, controlled permissions, separation of sensitive tasks
- Key and certificate management: Secure generation, handling, rotation, and revocation of cryptographic keys and certificates
- Sensitive data handling: How operator profiles, IMSIs, Ki values, and personalization data are managed before and during chip personalization
- IT systems & network security: Firewalls, encrypted channels, intrusion detection, patch management
- Production / personalization processes: Ensuring correct, audited workflows, change management, traceability
- Packaging, post-processing & logistics: Secure handling after personalization to prevent unauthorized access or substitution
- Audit trails & incident response: Immutable logs and processes for detecting, investigating, and responding to security incidents
Only production sites that satisfy all applicable requirements and demonstrate their ability to sustain compliance are granted SAS-UP accreditation.
Kigen & SAS-UP
Kigen’s adherence to SAS-UP helps ensure that eUICCs produced under its oversight meet the stringent security requirements needed for secure remote provisioning and profile management in its RSP services.