What to expect on the path to GSMA eSIM certification

When you make the shift from SIM card to eSIM, you’re expanding design and connectivity possibilities in your cellular-enabled devices without sacrificing interoperability and security. With security built in, you can focus your efforts on innovative ways IoT applications can diversify core businesses.

But first, your device must adhere to the strict eSIM compliance scheme the GSMA established. This thorough assessment validates the selected eSIM product and makes it possible for it to securely receive operator subscription data through encrypted connections, with data protection and system reliability.

Here’s what to expect as the GSMA ensures eSIM trust.

Prepare for a multi-layered compliance process with GSMA

The GSMA covers functional and security certifications and documents assurance requirements for the machine-to-machine (M2M) solution in the SGP.16 M2M Compliance Process.

The compliance scheme evaluates components and associated processes and then subjects them to assessment and testing to determine eligibility for trust tokens confirming compliance with relevant GSMA standards.

Outcome: SGP.16 Declaration and PKI Digital Certificate

1. Functional interoperability testing

Purpose: The functional compliance tests at this early stage are considered essential to compliance.

They include black box testing that checks for integrity and interoperability. Qualified labs perform the testing on behalf of the GSMA. Importantly, eUICC vendors can prepare in advance using self-testing and validation with qualified test tools.

Outcome: Confirmation that the product complies with the SGP.01 and SGP.02 specifications.

2. Security by design evaluation

Purpose: This step confirms that the designed security features are properly implemented.

Penetration testing at both the hardware and software levels evaluates security by design of the eSIM and considers a range of first and second level threats. Essentially, requirements documents detail the target for the assessment, methodology, and the Common Criteria security assurance level and consider off-card actors or on-card application threat agents. Only a qualified security laboratory can perform these tests.

Outcome: An eUICC must reach an assurance level of EAL4+ to qualify for certification. Penetration testing is conducted in line with the SGP.05 protection profile.

3. Production-phase testing

Purpose: To identify and assess the production sites where the eSIM will be personalized so the audit can evaluate security at those points.

Identification and assessment of the systems and processes at the sites where eSIM personalization occurs focuses on handling sensitive data during eUICC production. Importantly, GSMA issues certifications on a site-by-site basis after security confirmation.

Outcome: Specific sites receive certifications. Every processing stage at that site is considered within the scope of a SAS-UP audit. A SAS-UP certificate is issued for a defined period, typically one year. Renewal certificates for already-certified production sites generally last two years.

4. Subscription management server security testing

Purpose: Ensure the remote profile management is secure and protected.

Finally, the GSMA requires eSIM service suppliers to subject their operational sites to a comprehensive network security audit. The focus on RSP server deployment, including implementation, processes, and system architecture, ensures end-to-end server compliance to reduce the risk of subscriber and network security breaches. The audits evaluate each service to assess the server's profile management, including:

  • Handling of profile data loaded onto and held within the servers.
  • Profile introduction into an eUICC.
  • Profile management over the lifecycle.

Outcome: The SAS-SM audit is performed against FS.08 and covers Subscription Manager-Secure Routing (SM-SR) and Subscription Manager-Data Preparation (SM-DP).

Learn more about compliance requirements and specifications

Kigen’s eSIM and iSIM solutions make it easier to integrate SIM technologies and cellular IoT connectivity across devices and platforms to create new business models.

In conclusion, GSMA certification gives you confidence that any potential innovations remain secure at every stage of the user experience.

Download the white paper An Essential Guide to GSMA eSIM Certification to learn more.