这是用户在 2024-6-11 11:06 为 https://app.immersivetranslate.com/word/ 保存的双语快照页面,由 沉浸式翻译 提供双语支持。了解如何保存?

GSMA

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology

Security Accreditation Scheme for UICC Production - Methodology
UICC生产安全认可计划 - 方法论

Version 10.1
版本 10.1

12 April 2023
二零二三年四月十二日

Security Classification: Non-confidential
安全分类:非机密

Access to and distribution of this document is restricted to the persons permitted by the security classification. This document is subject to
本文件的访问和分发仅限于安全分类允许的人员。本文档受制于

copyright protection. This document is to be used only for the purposes for which it has been supplied and information contained in it must not be disclosed or in any other way made available, in whole or in part, to persons other than those permitted under the security classification without
版权保护。本文件仅用于提供本文件的目的,其中所含信息不得全部或部分披露或以任何其他方式提供给安全分类所允许的人以外的人,除非

the prior written approval of the Association.
协会事先书面批准。

Copyright Notice
版权声明

Copyright © 2023 GSM Association
版权所有 © 2023 GSM 协会

Disclaimer
免責聲明

The GSM Association (“Association”) makes no representation, warranty or undertaking (express or implied) with respect to and does not accept any responsibility for, and hereby disclaims liability for the accuracy or completeness or timeliness of the information contained in this document. The information contained in this document may be subject to change without prior notice.
GSM协会(“协会”)对本文档所含信息的准确性、完整性或及时性不作任何陈述、保证或承诺(明示或暗示),也不承担任何责任,特此声明不承担任何责任。本文件所载资料如有更改,恕不另行通知。

Compliance Notice
合规通知

The information contain herein is in full compliance with the GSM Association’s antitrust compliance policy.
此处包含的信息完全符合GSM协会的反垄断合规政策。

This Permanent Reference Document is classified by GSMA as an Industry Specification, as such it has been developed and is maintained by GSMA in accordance with the provisions set out in GSMA AA.35 - Procedures for Industry Specifications.
本永久参考文件被GSMA归类为行业规范,因此由GSMA根据GSMA AA.35 - 行业规范程序中的规定制定和维护。

V10.1 Page 1 of 63

GSMA
GSMA公司

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

Table of Contents
目录

1 Introduction 5
1 引言 5

1.1 Overview 5
1.1 概述 5

1.2 Scope 5
1.2 范围 5

1.3 Intended Audience 5
1.3 目标受众 5

1.4 Language 5
1.4 语言 5

1.5 Definitions 6
1.5 定义 6

1.6 Abbreviations 8
1.6 缩略语 8

1.7 References 8
1.7 参考资料 8

2 Participants 9
2 参与者 9

2.1 Auditee 9
2.1 被审计方 9

2.2 Audit Team 9
2.2 审计组 9

2.2.1 Observing Auditor 9
2.2.1 旁听审计师 9

2.3 SAS Group 10
2.3 SAS 组 10

2.4 Audit Management 11
2.4 审计管理 11

2.5 Participant Relationships 11
2.5 参与者关系 11

3 Audit Process 13
3 审计流程 13

3.1 Audit Setup 13
3.1 审计设置 13

3.1.1 Audit Request 13
3.1.1 审计请求 13

3.1.2 Confirmation of Audit Date 13
3.1.2 确认审计日期 13

3.1.3 Contract 13
3.1.3 合同 13

3.2 Audit Preparation (off-site) 13
3.2 审核准备(场外) 13

3.2.1 Audit Agenda 13
3.2.1 审计议程 13

3.2.2 Audit Pre-requisites 14
3.2.2 审计先决条件 14

3.3 Audit Process (on-site) 14
3.3 审核流程(现场) 14

3.3.1 Presentation and Documentation for the Audit Team 14
3.3.1 审计组的列报和文件编制 14

3.3.2 Information collection 14
3.3.2 信息收集 14

3.3.3 Assessment of compliance 14
3.3.3 遵守情况评估 14

3.3.4 Preparation of the Audit Report 15
3.3.4 审计报告的编制 15

3.3.5 Presentation of the Audit Results 15
3.3.5 审计结果的列报 15

3.4 Distribution of the Audit Report 15
3.4 审计报告的分发 15

3.5 Certification 16
3.5 认证 16

3.6 Appeal 16
3.6 上诉 16

3.7 Notification and Publication of Certification 16
3.7 认证的通知和公布 16

4 Certification Process 17
4 认证流程 17

4.1 Certification Process 17
4.1 认证流程 17

4.2 Certification Period 17
4.2 认证期限 17

4.3 Duration of Certification 18
4.3 认证期限 18

4.3.1 Standard durations 18
4.3.1 标准工期 18

4.3.2 Exceptions 19
4.3.2 例外 19

4.3.3 Minimum period of certification 19
4.3.3 最短认证期限 19

4.3.4 Extension of the period of certification 19
4.3.4 延长认证期限 19

5 Scope of certification 20
5 认证范围 20

V10.1 Page 2 of 63
V10.1 第 2 页,共 63 页

GSMA
GSMA公司

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

5.1 Provisional Certification 20
5.1 临时认证 20

5.1.1 Provisional Certification Process 20
5.1.1 临时认证流程 20

5.1.2 Provisional Certification Period 21
5.1.2 暂定认证期 21

5.1.3 Duration of Provisional Certification 21
5.1.3 临时核证期限 21

5.1.4 Duration of Provisional Certification Audits 22
5.1.4 临时认证审核的期限 22

5.2 Auditing and Certification of Supporting Sites 22
5.2 支持站点的审核和认证 22

5.2.1 Definition 22
5.2.1 定义 22

5.2.2 Auditing and Certification Approach 23
5.2.2 审核和认证方法 23

Centralised or Outsourced IT Services 23
集中或外包的IT服务 23

5.3 Management of PKI Certificates 24
5.3 PKI证书的管理 24

6 Audit Report Scoring and Assessment 26
6 审计报告评分与评估 26

6.1 Audit Result 26
6.1 审计结果 26

7 Maintaining SAS Compliance 28
7 维护 SAS 合规性 28

7.1 Notifiable Events for PKI certificate management 28
7.1 PKI 证书管理的通报事件 28

7.2 Examples of other Notifiable Events 28
7.2 其他须予通报的事件例子 28

7.2.1 What should be Notified 29
7.2.1 应通知的内容 29

7.2.2 What Would not Normally Require Notification: 29
7.2.2 通常不需要通知的内容: 29

8 Costs 30
8 费用 30

8.1 First Audit or Renewal Audit 30
8.1 首次审计或续期审计 30

8.2 Audit of Small and Large Sites, and Sites with Limited Scope 31
8.2 小型和大型站点以及范围有限的站点的审核 31

8.3 Audit of Central / Corporate Functions 31
8.3 中央/公司职能的审计 31

8.4 Repeat Audit 31
8.4 重复审计 31

8.5 Off-Site Review of Improvements 32
8.5 改进的场外审查 32

8.6 Cancellation Policy 33
8.6 取消政策 33

8.7 Appeals 33
8.7 上诉 33

Annex A Sample audit agenda 34
附件A 审计议程样本 34

Annex B Audit modules 35
附件B 审计单元 35

B.1 Audit modules 35
B.1 审计单元 35

Annex C Sample required documents list 47
附件 C 所需文件清单样本 47

C.1 Document List 47
C.1 文件清单 47

C.1.1 Security Management System (modules B, C) 47
C.1.1 安全管理系统(B、C单元) 47

C.1.2 Key Management (modules J, K) 47
C.1.2 密钥管理(模块 J、K) 47

C.1.3 Production (modules O, P) 47
C.1.3 生产(模块O、P) 47

C.1.4 Human Resources (module D) 47
C.1.4 人力资源(D单元) 47

C.1.5 Security Internal Audit System (module U) 48
C.1.5 安全内部审计系统(模块U) 48

Annex D Collection of information 49
附件D 资料收集 49

Information 49
信息 49

Annex E Assessment of compliance 52
附件 E 遵约评估 52

E.1 Audit assessment and compliance 52
E.1 审计评估和遵守情况 52

Annex F Final Audit Report Structure 56
附件F 最终审计报告结构 56

F.1 First Page: 56
F.1 首页: 56

F.2 Following Pages: 56
F.2 以下页数:56

Annex G Data Processing Audit 59
附件 G 数据处理审计 59

G.1 Before the Audit 59
G.1 审计前 59

V10.1 Page 3 of 63
V10.1 第 3 页,共 63 页

G.1.1 Preparation 59
G.1.1 准备工作 59

G.1.2 Key Exchange 59
G.1.2 密钥交换 59

G.1.3 Input File Exchange 60
G.1.3 输入文件交换 60

G.1.4 Processing of Input File 1 60
G.1.4 输入文件的处理 1 60

G.1.5 Output File Exchange 60
G.1.5 输出文件交换 60

G.1.6 Timescales 60
G.1.6 时间表 60

G.2 During the Audit 60
G.2 审计期间 60

G.2.1 Review of Key Exchange 60
G.2.1 密钥交换审查 60

G.2.2 Review of Input File 1 Processing 60
G.2.2 输入文件审查 1 处理 60

G.2.3 Demonstration of Input File 2 Processing 61
G.2.3 输入文件 2 处理演示 61

G.3 After the Audit 61
G.3 审计后 61

Annex H Document Management 62
附件 H 文件管理 62

H.1 Document History 62
H.1 文件历史 62

H.2 Other Information 63
H.2 其他信息 63

V10.1 Page 4 of 63
V10.1 第 4 页,共 63 页

GSMA
GSMA公司

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

1 Introduction
1 引言

1.1 Overview
1.1 概述

The GSMA Security Accreditation Scheme (SAS) for UICC Production (SAS-UP) is a
GSMAUICC生产安全认证计划(SAS)是一个

scheme through which UICC suppliers subject their production Sites to an Audit. The
UICC供应商对其生产基地进行审核的方案。这

purpose of the Audit is to ensure that UICC suppliers have implemented adequate security measures to protect the interests of mobile network operators (MNOs).
审计的目的是确保UICC供应商已实施足够的安全措施,以保护移动网络运营商(MNO)的利益。

Audits are conducted by specialist Auditing Companies over a number of days, typically in a single Site visit. The Auditors will check compliance against the GSMA SAS-UP Standard[1]
审核由专业审核公司在几天内进行,通常在一次现场访问中进行。审核员将检查是否符合GSMA SAS-UP标准[1]

and the requirements specified in[3]by various methods such as document review
以及[3]中规定的要求,通过各种方法,如文件审查
,

interviews and tests in specific areas. Sites that demonstrate compliance with the SAS-UP Standard are certified by the GSMA.
特定领域的面试和测试。符合SAS-UP标准的网站将获得GSMA认证。

NOTE: All references to UICCs and UICC suppliers in this document apply equally
注意:本文档中对 UICC 和 UICC 供应商的所有引用均适用

to eUICCs and eUICC suppliers unless specifically stated otherwise.
除非另有特别说明,否则向 eUICC 和 eUICC 供应商提供。

1.2 Scope
1.2 范围

This scope of this document covers:
本文档的范围包括:

• SAS-UP participating stakeholders and their roles
• SAS-UP参与的利益攸关方及其作用

• Processes for arrangement and conduct of an SAS-UP Audit
• SAS-UP审计的安排和实施流程

Audit scoring and Audit Report structure
• 审计评分和审计报告结构

• Certification and Provisional Certification Processes
• 认证和临时认证程序

SAS-UP costs
• SAS-UP成本

1.3 Intended Audience
1.3 目标受众

• Security professionals and others within UICC supplier organisations seeking to obtain accreditation for Sites under SAS-UP.
• UICC供应商组织内寻求获得SAS-UP站点认证的安全专业人员和其他人员。

• Security professionals and others within organisations seeking to procure UICCs
• 寻求采购 UICC 的安全专业人员和组织内的其他人

SAS Group members
• SAS集团成员

Auditors
•核 数 师

1.4 Language
1.4 语言

The language of the scheme is English.
该计划的语言是英语。

The language of the scheme will be used for the management and administration of the scheme itself, and for the Audit Process.
该计划的语言将用于计划本身的管理和行政,以及审计过程。

The Audit will, in all cases, be conducted in the language of the scheme. The Auditee is responsible to ensure that documents are available in the language of the scheme, as described inAnnex C. .Other documents may be in a language other than English but translation facilities should be available during the conduct of the Audit.
在所有情况下,审计都将以该计划的语言进行。被审计方有责任确保文件以计划的语言提供,如附件C所述。其他文件可能使用英语以外的语言,但在进行审计期间应提供翻译设施。

Where it is likely to be difficult to conduct Audit discussions with personnel in English,
如果可能难以用英语与人员进行审计讨论,

Auditees should arrange for one or more translators with knowledge of the business and subject matter to be available to the Audit Team.
被审计方应安排一名或多名具有业务和主题知识的翻译人员提供给审计组。

V10.1 Page 5 of 63
V10.1 第 5 页,共 63 页

GSMA
GSMA公司

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

1.5 Definitions
1.5 定义

Term
术语

Description
描述

Appeals Board
上诉委员会

Two Auditors, one each from different GSMA selected Auditing
两名审核员,分别来自不同的GSMA审核员

Companies who consider and rule on appealed Audit Results. Auditors for the SAS-UP Appeals Board will be drawn from the SAS-SM Auditing Companies and vice versa.
考虑并裁定上诉审计结果的公司。SAS-UP上诉委员会的审计员将从SAS-SM审计公司中选出,反之亦然。

Audit
审计

The SAS audit carried out by the Audit Team at the Auditee’s Site.
审计小组在被审计人现场进行的SAS审计。

Audit Management
审计管理

A GSMA team, as described in2.4, which:
GSMA团队,如2.4所述,其中:

• Manages the scheme documentation.
• 管理计划文档。

Appoints the Auditing Companies
• 任命审计公司

Administers SAS-UP
• 管理 SAS-UP

• Monitors and assures the quality and consistency of the Audit Process and Audit Team
• 监督并确保审计流程和审计团队的质量和一致性

• Issues Certificates to those Sites that the Audit Team assesses as compliant with the requirements.
• 向审核小组评估为符合要求的站点颁发证书。

Audit Process
审核流程

The overall process followed by the Audit Management and Audit Team to deliver the Audit, as defined in section3.
审计管理层和审计团队执行审计的整个过程,如第 3 节所定义。

Audit Report, Audit
审计报告,审计

Result, Audit Summary and Auditors’
结果、审计摘要和审计师

Comments
评论

As defined inAnnex A.
定义见附件A。

Audit Team
审计团队

Two Auditors, one each from different GSMA selected Auditing
两名审核员,分别来自不同的GSMA审核员

Companies, jointly carrying out the Audit on behalf of the GSMA, as described in2.1.
代表GSMA共同进行审核的公司,如2.1所述。

Auditee
被审计方

An entity involved in the production of UICCs that is seeking SAS-UP certification of its Sites, as described in2.1.
参与生产 UICC 的实体,正在寻求对其站点进行 SAS-UP 认证,如 2.1 所述。

Auditing Companies
审计公司

Companies appointed by the GSMA to provide Auditors.
由GSMA任命的公司提供审计师。

Auditor
审计员

A person qualified to perform SAS-UP audits.
有资格执行SAS-UP审核的人员。

Certificate
证书

Certificate issued by the GSMA to the Auditee following demonstration of compliance by the Site with the SAS requirements specified in[3].
GSMA在证明网站符合[3]中规定的SAS要求后,向被审核方颁发的证书。

Certification Process,
认证流程,

Certification Period and Duration of Certification
认证期限和认证期限

As defined in section4.
如第 4 节中所定义。

Dry Audit, and Wet Audit
干式审计和湿式审计

As defined in section5.
如第 5 节中所定义。

eUICC
eUICC公司

A removable or non-removable UICC which enables the remote and/or local management of Profiles in a secure way.
可移动或不可移动的 UICC,可以安全的方式远程和/或本地管理配置文件。

Note: The term originates from “embedded UICC”
注意:该术语源自“嵌入式 UICC”
.

Full Certification
全面认证

SAS certification of Site controls in live operation.
现场控制在实时操作中的SAS认证。

PKI Certificate Management
PKI 证书管理

The process of:
流程:

• Securely generating a key pair and certificate signing request and submitting this to a recognised certificate authority / issuer
• 安全地生成密钥对和证书签名请求,并将其提交给公认的证书颁发机构/颁发者

• Securely storing the key pair and certificate and making them available under appropriate control for the generation of eUICC certificates.
• 安全地存储密钥对和证书,并在适当的控制下使它们可用于生成 eUICC 证书。

V10.1 Page 6 of 63
V10.1 第 6 页,共 63 页

Term
术语

Description
描述

The definition refers only to the management of the key pair and certificate. The process of generating individual eUICC device
该定义仅涉及密钥对和证书的管理。生成单个 eUICC 设备的过程

certificates is included within the definition of “Generation of Data for Personalisation” for eUICCs.
证书包含在 eUICC 的“生成个性化数据”的定义中。

Primary Site
主站点

See Site
请参阅“网站”
.

Profile
轮廓

A combination of data and applications to be provisioned on an eUICC for the purpose of providing services.
在eUICC上配置的数据和应用程序的组合,以提供服务。

Provisional
临时

Certification,
认证

Provisional Certification Process, Provisional
临时认证程序,临时

Certification Period and Duration of Provisional Certification
核证期限及临时核证期限

As defined in section5.
如第 5 节中所定义。

Renewal Audit
续订审核

Audit performed towards the end of a period of SAS certification to check continued compliance by the Site with the SAS requirements and provide the basis for a decision to award further SAS certification.
在SAS认证期结束时进行审核,以检查站点是否持续遵守SAS要求,并为决定授予进一步的SAS认证提供依据。

Re-audit
重新审核

Audit performed to confirm that updated controls implemented by the
执行审核以确认更新的控制措施由

Auditee following non-compliances found at an earlier Audit are sufficient to satisfy the SAS requirements.
在先前的审核中发现的不合规行为的被审核方足以满足SAS的要求。

SAS Group
SAS集团

A group of GSMA members and staff (including the Audit Management) that, together with the SAS Auditors, is responsible for maintenance and development of the SAS Standards, Methodologies, Consolidated
由GSMA成员和员工(包括审核管理层)组成的小组,与SAS审核员一起负责维护和制定SAS标准、方法、综合

Security Requirements and Guidelines.
安全要求和准则。

See also2.3.
另见2.3。

Scope Extension
范围扩展

Extension of the scope of certification of a Site that already holds some SAS-UP certification.
扩展已持有某些 SAS-UP 认证的站点的认证范围。

Secondary Site
辅助站点

See Site
请参阅“网站”
.

Site
网站

Auditee’s physical facility and its relevant controls that are subject to the Audit. May be a
Auditee 的物理设施及其受审计的相关控制可能是
:

Primary Site
主站点

Supporting Site
支持站点

Secondary Site
辅助站点

The main audit site for which the SAS-UP certificate will be issued.
将为其颁发 SAS-UP 证书的主要审核站点。

Any independent locations that are subject to
任何受

separate certification audits. Audit findings will be documented separately in another SAS-UP audit report. Dependence of the Primary Site on the
单独的认证审核。审计结果将单独记录在另一份SAS-UP审计报告中。主站点对

Supporting Site(s) will be noted as part of the certification of the primary site.
支持站点将作为主站点认证的一部分进行说明。

Any location directly supporting the activities of a Primary Site and included as part of the same
直接支持主站点活动并作为主站点的一部分包含在主站点中的任何位置

audit process and audit report. Secondary Sites
审核流程和审核报告。辅助站点

will not be issued with SAS-UP certificates, but will be noted as part of the certification of the Primary Site
不会颁发 SAS-UP 证书,但会作为主站点认证的一部分注明
.

Supporting Site
支持站点

See Site
请参阅“网站”
.

UICC

The platform, specified by ETSI, which can be used to run multiple
该平台,由 ETSI 指定,可用于运行多个

V10.1 Page 7 of 63
V10.1 第 7 页,共 63 页

Term
术语

Description
描述

security applications. These applications include the SIM for 2G
安全应用程序。这些应用包括用于 2G 的 SIM 卡

networks, USIM for 3G, 4G and 5G networks, CSIM for CDMA, and ISIM (not to be confused with integrated SIM) for IP multimedia services.
networksUSIM用于3G、4G和5G网络,CSIM用于CDMA,ISIM(不要与集成SIM卡混淆)用于IP多媒体服务。

UICC is neither an abbreviation nor an acronym.
UICC既不是缩写也不是首字母缩写词。

See section2for more detailed explanations of SAS-UP roles
有关SAS-UP角色的更详细说明,请参见第2节
.

1.6 Abbreviations
1.6 缩略语

Term
术语

Description
描述

CSRG

Consolidated Security Requirements and Guidelines
综合安全要求和准则

eUICC
eUICC公司

Embedded UICC
嵌入式UICC

GSMA

GSM Association
GSM协会

MNO

Mobile Network Operator
移动网络运营商

SAS

Security Accreditation Scheme
保安认可计划

SAS-UP

Security Accreditation Scheme for UICC Production
UICC生产安全认可计划

SAS-SM

Security Accreditation Scheme for Subscription Management
订阅管理安全认可计划

SGP.nn
SGP.nn(英语:SGP.nn)

Prefix identifier for official documents belonging to the GSMA SIM Group
属于 GSMA SIM 组的官方文件的前缀标识符

SP

Sensitive Process
敏感过程

1.7 References
1.7 参考资料

Ref

Doc Number
文档编号

Title
标题

[1]

PRD FS.04
珠三角 FS.04

GSMA SAS-UP Standard, latest version available at
GSMA SAS-UP 标准,最新版本可在

www.gsma.com/sas

[2]

N/A

GSMA SAS-UP Standard Agreement, available from sas@gsma.com
GSMA SAS-UP标准协议,可从 sas@gsma.com 获得

[3]

PRD FS.18
珠三角 FS.18

GSMA SAS Consolidated Security Requirements and Guidelines, available atwww.gsma.com/sas
GSMA SAS综合安全要求和指南,atwww.gsma.com/sas 提供

V10.1 Page 8 of 63
V10.1 第 8 页,共 63 页

GSMA
GSMA公司

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

2 Participants
2 参与者

The following section describes the roles of the participants during the standard Audit
以下部分介绍参与者在标准审核期间的角色

Process. The role of the Appeals Board is not considered here (see section3.6for details instead).
过程。这里不考虑上诉委员会的作用(详见第3.6节)。

2.1 Auditee
2.1 被审计单位

The Auditee is the participant in the UICC supply chain that is to be subject to Audit. The Auditee is responsible for:
被审核方是UICC供应链中要接受审核的参与者。被审计方负责:

• Providing all necessary information during the Audit to enable the Audit Team to perform its assessment of compliance with SAS-UP requirements for activities within the scope of certification.
• 在审核期间提供所有必要的信息,使审核小组能够对认证范围内的活动是否符合 SAS-UP 要求进行评估。

• Ensuring that all key individuals are present when required.
• 确保所有关键人员在需要时都在场。

• Delivering a short presentation at the beginning of the Audit describing how it believes that it is compliant with the Standard [1], and the relevant documentation that will be made available to the Audit Team during the Audit.
• 在审核开始时做一个简短的介绍,描述它如何认为它符合标准[1],以及在审核期间将提供给审计小组的相关文件。

• Disclosing to the Audit Team all areas of the Site where assets related to UICC production may be created, stored or processed. The Auditee may be required by the Audit Team to demonstrate that other areas of the Site are not being used to create, store or process relevant assets, and should honour any reasonable request to validate this
• 向审计小组披露网站中可能创建、存储或处理与UICC生产相关的资产的所有区域。审计团队可能会要求被审计方证明网站的其他区域未用于创建、存储或处理相关资产,并应遵守任何合理的请求以验证这一点
.

2.2 Audit Team
2.2 审计小组

The Audit Team consists of two independent Auditors, one from each of the Auditing
审计组由两名独立审计员组成,每个审计组各一名

Companies selected by the GSMA following a competitive tender for the supply of SAS auditing services and in accordance with selection criteria defined by the GSMA.
GSMA根据GSMA定义的遴选标准,通过竞争性招标选出提供SAS审核服务的公司。

The Audit Team conducts the Audit by reviewing documentation, conducting interviews with key individuals and carrying out tests in key areas. After the Audit is conducted, the Audit
审计小组通过审查文件、与关键人物进行访谈和在关键领域进行测试来进行审计。审计完成后,审计

Team writes a report (see3.3.4)
团队编写报告(见3.3.4)
.

The independence of the Audit Team is of paramount importance to the integrity of the
审计小组的独立性对审计组的诚信至关重要

scheme. It is recognised that the chosen Auditing Companies are professional in the conduct of their business. Where the Auditing Companies previously supplied consultancy services
方案。我们认可所选择的审计公司在开展业务方面是专业的。审计公司以前提供咨询服务的地方

to an Auditee, the GSMA should be informed of this fact prior to commencement of the Audit, and the Auditors performing the Audit should be different individuals to those who have provided the consultancy services.
对于被审计者,GSMA应在审计开始前被告知这一事实,并且执行审计的审计师应与提供咨询服务的审计师是不同的个人。

2.2.1 Observing Auditor
2.2.1 观察审计员

On some audits, an additional observing SAS Auditor may accompany the Audit Team, in order to:
在一些审计中,审计团队可能会有一名额外的观察员陪同审计小组,以便:

• Support the development of a common understanding of SAS-UP between the Auditing Companies
• 支持审计公司之间就SAS-UP达成共识

• Ensure consistency in standards and the Audit Process
• 确保标准和审核流程的一致性

V10.1 Page 9 of 63
V10.1 第 9 页,共 63 页

GSMA
GSMA公司

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

• Facilitate sharing of best practice in the Audit approach
• 促进分享审计方法中的最佳做法

Audit observation will be carried out at no additional cost to the Auditee, and subject to the following guidelines:
审计观察将不向被审计者收取额外费用,并遵守以下准则:

A maximum of one observer will be present on any one Audit, except by the prior agreement with the Auditee. Auditees will be under no obligation to agree to any requests for participation of more than one observer.
• 任何一次审计最多有一名观察员在场,除非事先与被审计人达成协议。被审计方没有义务同意任何要求一名以上观察员参加的请求。

The observer will comply with all requirements of the Auditee
• 观察员将遵守被审计方的所有要求
:

• Prior to the Audit (e.g. signing NDAs, providing personal information for visitor authorisation).
• 在审核之前(例如签署保密协议,为访客授权提供个人信息)。

• On-site (e.g. behaviour and supervision).
• 现场(例如行为和监督)。

• The role of the observer is to observe. The observation process should not interfere with the conduct of the Audit. Specifically, the observing Auditor should:
• 观察者的作用是观察。观察过程不应干扰审计的进行。具体而言,观察审计师应:

• Not normally engage directly with the Auditee during the Audit Process to ask Audit questions
• 在审计过程中,通常不会直接与被审计者接触以询问审计问题
.

• Only engage in discussion with the Auditee about the observer’s own SAS scheme when such discussion will not interfere with the Audit Process.
• 只有在不干扰审计过程的情况下,才与被审计者就观察员自己的SAS计划进行讨论。

• Not present or participate in any discussions during the closing meeting.
• 在闭幕会议期间不出席或参与任何讨论。

• Not contribute to the preparation of the Audit Report.
• 不参与编制审计报告。

To maximise the benefits of the observation process the observer and Audit Team are expected to discuss elements of the Audit Process and approach. Such discussions:
为了最大限度地发挥观察过程的好处,观察员和审计小组应讨论审计过程的要素和方法。这样的讨论:

• Should only take place outside of the Audit Process, and not in the presence of the Auditee.
• 只能在审计程序之外进行,不得在被审计者在场的情况下进行。

• Should include an opportunity for the observer to read the Audit Report.
• 应包括观察员阅读审计报告的机会。

• May include a post-Audit discussion, either on- or off-site to discuss any questions or observations. The post-Audit discussion may be extended to include other Auditors if appropriate.
• 可能包括审计后讨论,在现场或场外讨论任何问题或意见。审计后的讨论可酌情扩大到包括其他审计师。

Members of the Audit Management may also seek to attend and observe audits from time to time. They guidelines above will also apply to them.
审计管理层成员亦可不时出席及旁听审计工作。上述准则也适用于他们。

2.3 SAS Group
2.3 SAS集团

The SAS Group is a committee comprised of GSMA staff (including the Audit Management)
SAS集团是一个由GSMA员工(包括审计管理层)组成的委员会

and members, and representatives of the Auditing Companies. It is responsible for maintenance of the following SAS-UP documentation:
以及审计公司的成员和代表。它负责维护以下 SAS-UP 文档:

The Standard[1]which contains the security objectives for SAS-UP
• 标准[1],其中包含SAS-UP的安全目标
.

The Consolidated Security Requirements and Guidelines (CSRG)[3]which
• 综合安全要求和准则 (CSRG)[3]其中
:

• Provides requirements for all sensitive processes (SPs) within the scope of the different SAS schemes. Many of the requirements are common across all schemes, however some requirements are specific to individual SPs, including UICC production. The requirements that apply to UICC production indicated in
• 为不同 SAS 方案范围内的所有敏感进程 (SP) 提供要求。许多要求在所有方案中都是通用的,但有些要求特定于单个 SP,包括 UICC 生产。适用于UICC生产的要求

V10.1 Page 10 of 63
V10.1 第 10 页,共 63 页

GSMA
GSMA公司

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

that document. These are the requirements that the UICC supplier must satisfy in order to be certified.
该文件。这些是UICC供应商必须满足的要求才能获得认证。

• Provides guidelines to guide interpretation and operational application of the requirements
• 提供指导要求的解释和操作应用的准则

The Methodology (this document)
• 方法论(本文件)

Updates will normally arise from an annual review meeting of the SAS Group. Where acute issues are identified ad hoc meetings may be convened to discuss updates to the SAS-UP documentation.
更新通常由SAS集团的年度审查会议提供。如果发现严重问题,可以召开特别会议来讨论对SAS-UP文档的更新。

The SAS Group also contributes to the development of Auditing Company selection criteria when the GSMA is procuring SAS auditing services from time to time. Operator members of the SAS Group that do not offer any products or services within the scope of SAS will be
当GSMA不时采购SAS审计服务时,SAS集团还为审计公司选择标准的制定做出了贡献。SAS集团的运营商成员如果不在SAS范围内提供任何产品或服务,则将

invited by the GSMA to participate in the review of tender responses and the selection of Auditing Companies.
受GSMA邀请参与投标响应的审查和审计公司的遴选。

2.4 Audit Management
2.4 审计管理

The Audit Management comprises a team of GSMA staff members responsible for administering the scheme, including:
审计管理层由负责管理该计划的GSMA工作人员组成,包括:

• Selecting suitably qualified Auditing Companies to carry out the audits, in conjunction with the SAS Group as indicated in section2.3, and ensuring that they provide a high- quality service
• 如第2.3节所述,选择具有适当资格的审计公司与SAS集团一起进行审计,并确保他们提供高质量的服务
.

• Ensuring that audits are conducted in accordance with the SAS-UP Methodology and that Audit Reports meet GSMA quality requirements.
• 确保审核按照SAS-UP方法进行,并确保审核报告符合GSMA的质量要求。

• Managing Audit lifecycle tasks, pre and post Audit, for example maintenance of the Audit logs and list of certified and provisionally certified Sites
• 管理审计前后的审计生命周期任务,例如维护审计日志以及认证和临时认证站点列表

• Contract and financial management between the GSMA and Auditees and the GSMA and Auditing Companies
• GSMA与被审计单位以及GSMA与审计公司之间的合同和财务管理

• Distribution of SAS-UP documentation (this document, the Standard [1], the Consolidated Security Requirements and Guidelines [3], and other supporting documents to Auditees and Auditors.
• 向被审计方和审计师分发SAS-UP文件(本文件、标准[1]、综合安全要求和指南[3]以及其他支持文件)。

Handling general queries for example, via sas@gsma.com.
• 处理一般查询,例如,通过sas@gsmacom

2.5 Participant Relationships
2.5 参与者关系

The relationships between SAS-UP participants are indicated inFigure 1.
SAS-UP参与者之间的关系如图1所示。

V10.1 Page 11 of 63
V10.1 第 11 页,共 63 页

GSMA
GSMA公司

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

Figure 1: SAS-UP Participant Relationships
图 1:SAS-UP 参与者关系

V10.1 Page 12 of 63
V10.1 第 12 页,共 63 页

GSMA
GSMA公司

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

3 Audit Process
3 审核流程

The Audit Process is described below.
审计流程如下所述。

3.1 Audit Setup
3.1 审计设置

3.1.1 Audit Request
3.1.1 审计请求

If an entity involved in the UICC production chain wishes to be SAS-UP certified, the entity should present itself to the Audit Management as a potential participant in the scheme.
如果参与UICC生产链的实体希望获得SAS-UP认证,则该实体应向审计管理层表明自己是该计划的潜在参与者。

Prior to contacting the Audit Management, the potential participant should have familiarised itself with the current published scheme documentation.
在联系审计管理部门之前,潜在参与者应熟悉当前发布的计划文件。

The potential participant should contact the Audit Management to obtain a copy of the Audit Application Form and supporting guidance notes. The completed Audit Application Form
潜在参与者应联系审计管理部门,以获取审计申请表和支持性指导说明的副本。填妥的审核申请表

should be formally submitted to the Audit Management to request a certification audit. On receipt of the request the Audit Management will log the details of the request.
应正式提交给审核管理层,以请求认证审核。收到请求后,审计管理部门将记录请求的详细信息。

Audit applications should be submitted to the GSMA several months in advance to increase the likelihood of the SAS Audit Teams being available to conduct an Audit on or near the
审核申请应提前几个月提交给GSMA,以增加SAS审核团队在

dates requested by the Auditee. As a guide:
被审员要求的日期。作为指南:

If SAS Audit application is submitted
如果提交了SAS审核申请...

3 months before
3个月前

requested Audit dates,
请求的审计日期,

then GSMA will try to schedule Audit within
然后GSMA将尝试在...

4 weeks of requested dates
4 周的请求日期

2 months before
2个月前

requested Audit dates
请求的审核日期

6 weeks of requested dates
6 周的请求日期

1 month before
1个月前

requested Audit dates
请求的审核日期

8 weeks of requested dates
8 周的请求日期

Table 1 - Audit Scheduling Guidance
表 1 - 审核计划指南

It always remains the responsibility of the Auditee to ensure that certification is in place to meet the requirements of any specific contract, customer or bid.
被审核方始终有责任确保认证到位,以满足任何特定合同、客户或投标的要求。

3.1.2 Confirmation of Audit Date
3.1.2 审核日期的确认

After logging the details of the Audit request, the information is sent to the Audit Team. The Audit Team will contact the Auditee to agree Audit dates.
记录审核请求的详细信息后,信息将发送给审核团队。审计小组将与被审计方联系,商定审计日期。

3.1.3 Contract
3.1.3 合同

The Auditee enters into a standard agreement[2]with the GSMA and pays the GSMA in advance for the Audit.
被审计方与GSMA签订标准协议[2],并提前向GSMA支付审计费用。

3.2 Audit Preparation (off-site)
3.2 审核准备(场外)

After Audit dates have been agreed, the Audit Team and Auditee will liaise to agree arrangements for the Audit.
在商定审计日期后,审计团队和被审计方将联络以商定审计安排。

3.2.1 Audit Agenda
3.2.1 审计议程

A provisional agenda will normally be agreed at least one week before the Audit Team travels to the Site to be audited.
一般在审计组前往现场接受审计之前至少一周,将商定一个临时议程。

V10.1 Page 13 of 63
V10.1 第 13 页,共 63 页

GSMA
GSMA公司

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

A sample agenda is included in Annex A. The sample agenda includes guidance for Auditees on information that should be prepared for each element of the Audit.
议程样本载于附件A。议程样本包括为被审计单位提供的关于应为审计的每个要素准备的信息的指南。

Changes to the agenda may need to be made during the Audit itself, as agreed between the Audit Team and Auditee.
根据审计组和被审计人之间的商定,可能需要在审计期间对议程进行更改。

3.2.2 Audit Pre-requisites
3.2.2 审核先决条件

To assist in the process of auditing the data generation process (for Sites where this is part of the audit or certification scope), the Audit Team may request that a test/demonstration of the Site’s data processing operations is carried out. The process may include advance
为了协助审核数据生成过程(对于属于审核或认证范围的站点),审核小组可能会要求对站点的数据处理操作进行测试/演示。该过程可能包括提前

arrangements with the Auditee to:
与被审计方的安排:

• Exchange transport keys
• 交换传输密钥

• Submit test input files to the Auditee
• 向被审核方提交测试输入文件

• Perform data generation for the specified test input file(s)
• 为指定的测试输入文件执行数据生成

• Return the corresponding output file(s) to the Audit Team
• 将相应的输出文件返回给审计小组

The Auditee will be expected to make appropriate arrangements within its systems to enable a test/demonstration of the data processing to take place.
被审计方应在其系统内做出适当的安排,以便对数据处理进行测试/演示。

The Audit Team will liaise with the Auditee to ensure that pre-requisites are in place.
审计小组将与被审计方联络,以确保先决条件到位。

A more detailed guide to this process for Auditees is included inAnnex G.
附件G中为被审计方提供了更详细的流程指南

3.3 Audit Process (on-site)
3.3 审核流程(现场)

The process of conducting the audit follows a number of defined phases.
进行审计的过程遵循若干规定的阶段。

3.3.1 Presentation and Documentation for the Audit Team
3.3.1 审计小组的演示和文件

During the first half day of the Audit the Auditee introduces the Site’s activities and security management system, and presents to the Audit Team the information and documentation specified in the Audit agenda.
在审核的前半天,被审核方介绍网站的活动和安全管理系统,并向审核小组提交审核议程中指定的信息和文件。

A list of the required documentation is included inAnnex C. Documentation must be available to the Audit Team in English.
所需文件清单载于附件C。文件必须以英文提供给审计组。

Based on the Audit agenda, presentation and documentation, the Audit Team agrees the key individuals to be interviewed during the Audit. It is the responsibility of the Auditee to ensure the availability of these key individuals.
根据审计议程、演示文稿和文件,审计小组同意在审计期间与关键人物进行面谈。被审计方有责任确保这些关键人员的可用性。

3.3.2 Information collection
3.3.2 信息收集

The Audit Team collects information according to the agreed agenda to form the basis of the assessment of compliance.
审计组根据商定的议程收集信息,以形成对遵守情况的评估。

The approach to collection of information is described in more detail in Annex D.
附件D更详细地描述了收集信息的方法。

3.3.3 Assessment of compliance
3.3.3 合规评估

Based on the information collected during the Audit, the Audit Team assesses the compliance of the Auditee’s controls with the SAS requirements.
根据审计期间收集的信息,审计小组评估被审计方的控制措施是否符合SAS的要求。

V10.1 Page 14 of 63
V10.1 第 14 页,共 63 页

GSMA
GSMA公司

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

The assessment of compliance with the SAS requirements is described in more detail in Annex E.
附件E更详细地描述了对SAS要求的遵守情况的评估。

3.3.4 Preparation of the Audit Report
3.3.4 编制审计报告

The Audit Team summarises the findings of the Audit in a report that follows a fixed structure, as described in Annex F, that comprises
审计组在一份报告中总结了审计结果,该报告遵循附件F所述的固定结构,其中包括
:

Audit summary and overall assessment
• 审计总结和总体评估

Summary of certification
• 认证摘要

Auditorscomments
• 审计员的意见

Actions required
• 需要采取的行动

• Detailed results
• 详细结果

Detailed results are provided in an annex to the Audit Report, following the structure of the SAS requirements.
详细结果见审计报告的附件,按照SAS要求的结构提供。

3.3.5 Presentation of the Audit Results
3.3.5 审计结果的列报

The Audit Report is normally completed during the Audit and delivered to the Auditee on completion of the closing meeting.
审计报告通常在审计期间完成,并在闭幕会议结束后交付给被审计方。

During the final half day of the Audit, the Audit Team will normally finalise the Audit Report. The Audit Team will present the Audit Results to the Auditee, focussing on the key points identified in the Audit Report.
在审计的最后半天,审计组通常会完成审计报告。审计组将向被审计人提交审计结果,重点关注审计报告中确定的要点。

The Audit Result includes the Audit Team’s decision on certification of the Site, which is passed to the Audit Management.
审核结果包括审核小组对网站认证的决定,该决定将传递给审核管理层。

It is not deemed necessary to have a slide presentation, or to undertake a detailed review of the Audit Report, as part of the presentation of the Audit Results.
作为审计结果介绍的一部分,认为没有必要进行幻灯片演示或对审计报告进行详细审查。

3.4 Distribution of the Audit Report
3.4 审计报告的分发

On completion, the Audit Team will distribute the Audit Report to:
完成后,审计小组将把审计报告分发给:

The Auditee for the purpose of internal review and formulation of action plan(s).
• 被审计方进行内部审查和制定行动计划。

The Audit Management for the purpose of quality control and certification.
• 以质量控制和认证为目的的审核管理。

Neither the Auditee nor Audit Management will distribute the report to any other party as part of the Audit Process, except:
作为审计过程的一部分,被审计方和审计管理层都不会将报告分发给任何其他方,但以下情况除外:

• In case of an appeal (see below), the Audit Report will also be provided to the Appeals Board.
• 如有上诉(见下文),审计报告也将提供给上诉委员会。

• For the purpose of Auditor training and SAS quality management, the Audit Report may be provided by the Audit Management to other SAS-UP and SAS-SM Auditors.
• 出于审核员培训和SAS质量管理的目的,审核管理层可能会向其他SAS-UP和SAS-SM审核员提供审核报告。

The Auditee is free to distribute the report to its customers, but is responsible to ensure that neither the Audit Findings, Audit Result or status of Certification are misrepresented.
被审核方可以自由地将报告分发给其客户,但有责任确保审核结果、审核结果或认证状态均未被歪曲。

V10.1 Page 15 of 63
V10.1 第 15 页,共 63 页

GSMA
GSMA公司

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

3.5 Certification
3.5 认证

The Audit Management checks the report to confirm that the Audit has been carried out in accordance with this Methodology document and that the report meets GSMA quality
审核管理层会检查报告,以确认审核已按照本方法文件进行,并且报告符合GSMA质量

requirements.
要求。

In the event of a successful Audit the Audit Management issues a Certificate to the Auditee within fifteen (15) business days of completion of the Audit.
如果审核成功,审核管理层将在审核完成后十五 (15) 个工作日内向被审核方颁发证书。

3.6 Appeal
3.6 上诉

In the event that the certification decision and/or duration of certification are in dispute the Auditee may lodge a submission with the Audit Management within twenty (20) business
如果认证决定和/或认证期限有争议,被审核方可以在二十 (20) 项业务中向审核管理层提交意见

days of completion of the Audit. The Audit Management will refer the appeal to the Appeals Board.
审计完成后的天数。审计管理部门将把上诉转交上诉委员会。

The Appeals Board is comprised of two Auditors, one each from different GSMA selected Auditing Companies and separate from the Auditing Companies that performed the Audit that is the subject of the appeal. For SAS-UP, the Appeals Board is comprised of
上诉委员会由两名审计师组成,分别来自不同的GSMA选定的审计公司,并且与执行上诉标的审计的审计公司分开。对于SAS-UP,上诉委员会由以下人员组成

representatives of the SAS-SM Auditing Companies, and vice versa. The individual Auditors from each Auditing Company that serve on the Appeals Board may be assigned by those
SAS-SM审计公司的代表,反之亦然。在上诉委员会任职的各审计公司的个人审计师可由以下人员指派

Auditing Companies from a pool of suitably experienced Auditors pre-approved by the GSMA, and may change per appeal.
从GSMA预先批准的具有适当经验的审计师库中选出的审计公司,并可能因上诉而改变。

The Appeals Board will consider and rule on appealed Audit Results. The process to be followed by the Appeals Board will include:
上诉委员会将考虑并裁定被上诉的审计结果。上诉委员会应遵循的程序将包括:

• Review of the Audit Report, focussing on the appealed assessment(s)
• 审查审计报告,重点关注被上诉的评估

• Discussion with the Audit Team and the Auditee The Appeals Board should not need to visit the Site.
• 与审计小组和被审计方的讨论 上诉委员会不应访问该网站。

The Auditee may request the members of the Appeals Board to sign an NDA prior to receiving a copy of the Audit Report and other information about the Site.
被审计方可以要求上诉委员会成员在收到审计报告副本和有关本网站的其他信息之前签署保密协议。

The Appeals Board will seek to rule on appeals within twenty (20) business days of
上诉委员会将寻求在二十 (20) 个工作日内对上诉作出裁决

lodgement of the appeal, subject to the availability of the Audit Team and the Auditee and the prompt provision of any information requested from either party.
提出上诉,但须视审计组和被审计方的出席情况以及任何一方要求提供的任何资料而定。

The Auditee and the Audit Team agree to accept the decision of the Appeals Board as final.
被审计方和审计小组同意接受上诉委员会的决定为最终决定。

A description of the costs associated with the appeals process is included in section0.
第0节中包括了与上诉程序相关的费用说明。

3.7 Notification and Publication of Certification
3.7 认证的通知和公布

The GSMA will list certified Sites on theSAS website. The listing will include
GSMA将在SAS网站上列出经过认证的网站,该列表将包括
:

The Auditee name and the address of the certified Site.
• 被审核机构名称和认证站点的地址。

The scope of certification, including whether the certification is full or provisional.
• 认证范围,包括认证是全面认证还是临时认证。

The expiry date of the certification
• 认证的有效期
.

• Details of any exceptions or specific comments that apply to the Site’s certificates.
• 适用于本网站证书的任何例外情况或特定评论的详细信息。

V10.1 Page 16 of 63
V10.1 第 16 页,共 63 页

GSMA
GSMA公司

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

4 Certification Process
4 认证流程

The Certification Process is described below.
认证过程如下所述。

4.1 Certification Process
4.1 认证流程

The Certification Process begins with the first full Audit, first Dry Audit (provisional certification) or Renewal Audit at a Site.
认证过程从现场的第一次全面审核、第一次干审核(临时认证)或更新审核开始。

The Certification Process ends when:
认证过程在以下情况下结束:

A Certificate is issued based on the decision of the Audit Team.
• 根据审核小组的决定颁发证书。

or

The Site withdraws from the Certification Process by either:
• 本网站通过以下任一方式退出认证流程:

• Indicating that it does not intend to continue with the Certification Process.
• 表明不打算继续进行认证程序。

or

• Not complying with the Audit Team’s requirements for continuing with the Certification Process following a non-compliant Audit Result (Typically, the Audit Team requires the Site to arrange a Repeat Audit, or to provide appropriate evidence of improvement within agreed periods).
• 在审核结果不合规后,不遵守审核小组的要求,继续进行认证流程(通常,审核小组要求现场安排重复审核,或在约定的期限内提供适当的改进证据)。

For an existing certified Site the Certification Process can begin up to 3 months before the expiry of the current Certificate.
对于现有的认证站点,认证过程可以在当前证书到期前 3 个月开始。

4.2 Certification Period
4.2 认证期限

The Certification Period begins when a Certificate is issued based on the decision of the Audit Team
认证期从根据审核小组的决定颁发证书时开始
.

The Certification Period ends at the date specified on the Site’s SAS Certificate.
认证期在网站SAS证书上指定的日期结束。

The Certification Period will be determined by the Audit Team based on the following criteria:
认证期限将由审核小组根据以下标准确定:

• For Sites with an existing valid Certificate:
• 对于具有现有有效证书的站点:

• If the Certification Process begins up to 3 months before the expiry of the existing Certificate
• 如果认证过程在现有证书到期前 3 个月开始

and

• the certification is awarded before the expiry of the existing Certificate
• 该证书是在现有证书到期之前颁发的

then
然后

• the Certification Period will begin at the expiry of the existing Certificate
• 认证期将从现有证书到期时开始

In all other cases the Certification Period will begin at the time that the Certificate is issued.
在所有其他情况下,认证期将从证书颁发时开始。

V10.1 Page 17 of 63
V10.1 第 17 页,共 63 页

GSMA
GSMA公司

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

V10.1 Page 18 of 63
V10.1 第 18 页,共 63 页

Existing
现存

Certificate
证书

expiry
满期

Certification of sites with existing certificates
对具有现有证书的站点进行认证

Existing certification
现有认证

Certification
认证

process
过程

Renewal
更新
Certification
认证

audit

Duration of certification
认证期限

Certification period
认证期限

Renewal
更新

3 months

Certificate
证书

expiry
满期

Figure 2 - Certification of Sites with existing Certificates
图2 - 具有现有证书的站点认证

• For Sites without an existing valid Certificate (new Sites, Sites where certification has lapsed):
• 对于没有现有有效证书的站点(新站点、认证已失效的站点):

• the Certification Period will begin at the time that the Certificate is issued.
• 认证期将从证书颁发之时开始。

Certification of new
新认证
sites
网站

First audit
第一次审核

Certification process
认证流程

Certifi
证书

Re- audit
重新审核

Duration of certification

cation
阳离子

Certification period
认证期限

Certificate expiry
证书到期

Figure 3 - Certification of new Sites
图3 - 新站点的认证

Under the terms of their contract with the GSMA, all Sites must be aware of their obligations relating to notification of significant changes at certified Sites within the Certification Period, as specified in section7.
根据其与GSMA签订的合同条款,所有站点必须了解其在认证期内通知认证站点重大变更的义务,如第7节所述。

4.3 Duration of Certification
4.3 认证期限

4.3.1 Standard durations
4.3.1 标准持续时间

The duration of certification is determined by the Audit Team based on a standard framework:
认证期限由审核小组根据标准框架确定:

Type of certificate
证书类型

Standard duration of certification
认证的标准期限

First full certification
首次全面认证

1 year
1年

Renewal full certification
续展全面认证

2 years
2年

First provisional certification
第一个临时认证

9 months
9个月

Table 2 - Standard Durations of Certification
表 2 - 认证的标准期限

GSMA
GSMA公司

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

These durations will be applied in most cases.
在大多数情况下,这些持续时间将适用。

4.3.2 Exceptions
4.3.2 例外

The Audit Team may, at its discretion, decide that certification should be for a shorter duration, for reasons including:
审核组可自行决定认证期限应缩短,原因包括:

• Significant changes planned at the Site related to security-critical processes or facilities
• 现场计划进行与安全关键流程或设施相关的重大变更

A significant reliance on very recently introduced processes or systems where there is little or no history of successful operation of similar or equivalent controls
• 严重依赖最近引入的流程或系统,而这些流程或系统很少或根本没有成功运行类似或同等控制措施的历史

A repeated failure to maintain security controls at an appropriate level for the entire Certification Period (as evidenced by significant failure to meet the requirements of the standard[1]at the initial Renewal Audit).
• 在整个认证期间多次未能将安全控制保持在适当的水平(如在初始更新审核中严重未能满足标准[1]的要求)。

The Audit Team may also, at its discretion, decide that certification should be for two years for Sites without an existing valid Certificate that perform exceptionally well at the first Audit.
审核小组还可以自行决定,对于没有现有有效证书且在第一次审核中表现异常出色的站点,认证期限为两年。

The Audit Management will review decisions made on exceptional circumstances as part of its control of scheme quality and consistency.
审计管理部门将审查在特殊情况下做出的决定,作为其控制计划质量和一致性的一部分。

4.3.3 Minimum period of certification
4.3.3 最短认证期限

Sites without an existing valid Certificate shall, in all cases, be granted certification for a minimum of seven months from the month during which a Certificate is issued. This
在任何情况下,没有现有有效证书的站点应从颁发证书的月份起至少七个月获得认证。这

allowance reduces the likelihood that the next Renewal Audit at the Site resulting in 2-year certification is influenced by the most recent Repeat Audit rather than being an assessment of steady-state controls in operation at the Site.
余地降低了导致 2 年认证的现场下一次更新审核受最近一次重复审核影响的可能性,而不是对现场运行的稳态控制的评估。

4.3.4 Extension of the period of certification
4.3.4 认证期限的延长

The SAS-UP Methodology does not normally allow the GSMA to extend a Site’s duration of certification. Sites with an existing Certificate that are planning or making major changes in advance of a Renewal Audit, which could affect the ability to demonstrate the necessary
SAS-UP方法通常不允许GSMA延长站点的认证期限。拥有现有证书的站点在续订审核之前正在计划或进行重大更改,这可能会影响证明必要内容的能力

period of evidence, may be eligible for a temporary extension of certification based on the TEA process described in the GSMA SAS remote auditing and certification policy.
证据期限内,可能有资格根据 GSMA SAS 远程审核和认证政策中描述的 TEA 流程获得临时延期认证。

Sites wishing to be considered for a temporary extension are encouraged to contact the GSMA as early as possible.
我们鼓励希望考虑临时延期的工厂尽早联系GSMA。

V10.1 Page 19 of 63
V10.1 第 19 页,共 63 页

GSMA
GSMA公司

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

5 Scope of certification
5 认证范围

As part of the application process, the Auditee will be required to specify the scope of activities for which it is applying for certification.
作为申请过程的一部分,被审核方将被要求指定其申请认证的活动范围。

The possible scope items for certification are defined as part of the Audit Application Form.
认证的可能范围项目定义为审核申请表的一部分。

In most cases, Audits take place of Primary Sites leading to Full Certification, however SAS- UP also offers the ability for Audits to take place:
在大多数情况下,审核会对主站点进行审核,从而获得全面认证,但 SAS-UP 还提供进行审核的功能:

• For Sites that are not yet operating; under the provisional certification scheme.
• 对于尚未运营的网站;根据临时证书计划。

• Of Supporting Sites that perform specific functions or activities in support of activities at one or more Primary Sites.
• 执行特定功能或活动以支持一个或多个主要站点的活动的支持站点。

SAS-UP certification is also a pre-requisite for Sites wishing to apply for an EUM PKI
SAS-UP认证也是希望申请EUM PKI的站点的先决条件

certificate from one of the GSMA’s root CIs. Sites wishing to obtain such PKI certificates will be required to demonstrate compliance with the specific requirements for:
来自 GSMA 根 CI 之一的证书。希望获得此类 PKI 证书的站点将被要求证明符合以下特定要求:

• PKI certification management.
• PKI认证管理。

These certification scopes are described in more detail below.
下面将更详细地介绍这些认证范围。

5.1 Provisional Certification
5.1 临时认证

SAS-UP is open to both established and new UICC supplier Sites.
SAS-UP对已建立的和新的UICC供应商站点开放。

To help newly-established Sites to achieve certification, two options are offered:
为了帮助新成立的网站获得认证,提供了两种选择:

• Undergo a Full Certification Audit once sufficient production is in place at the Site to provide evidence of controls in operation.
• 一旦工厂有足够的生产,就进行全面的认证审核,以提供运行中控制的证据。

• The Full Certification process requires that reasonable evidence exists of continued operation of controls (the Guidelines [3] suggest 4-6 weeks of continuous operation).
• 全面认证过程要求存在持续运行控制的合理证据(指南 [3] 建议连续运行 4-6 周)。

• Undergo a two-stage Provisional Certification Process specifically designed for new Sites that do not have sufficient production volumes to submit to a Full Certification Audit. This Provisional Certification Process will initially lead to Provisional Certification
• 经过两个阶段的临时认证流程,专门为生产量不足的新工厂设计,无法提交全面认证审核。此临时认证流程最初将导致临时认证
.

The Auditee will be responsible for choosing its preferred approach.
被审计方将负责选择其首选方法。

5.1.1 Provisional Certification Process
5.1.1 临时认证流程

The Provisional Certification Process requires two audits at the production Site.
临时认证流程需要在生产现场进行两次审核。

The first, which is referred to as a Dry Audit, takes place before live production commences at the Site. For a Dry Audit to take place, the Site must have a complete set of operational
第一种称为干审核,在现场开始现场生产之前进行。为了进行干审核,站点必须具有一套完整的操作

systems, processes and controls in place in all areas of the SAS-UP Standard. The Site
在SAS-UP标准的所有领域都有系统、流程和控制。网站

should be in a position to begin production for a customer immediately when an order is
当订单

received, although it is not necessary to have processed live customer orders before or
已收到,但不必在

during the Audit. The Auditors will expect to see that at least one test or live production batch of a reasonable size has been processed prior to the Audit, exercising all aspects of the
在审计期间。审核员希望看到在审核之前至少处理了一次合理规模的测试或现场生产批次,行使了

V10.1 Page 20 of 63
V10.1 第 20 页,共 63 页

GSMA
GSMA公司

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

production data flow and asset control mechanism. The Auditee should be able to process at
生产数据流和资产控制机制。被审计者应能够在

least one further batch of a reasonable size during the Audit if requested. A batch of a
如果要求,在审计期间至少再增加一批合理规模的批次。一批

reasonable sizewill normally be expected to demonstrate controls consistent with those for the typical size of a customer order (as a guide, in a mass production environment, batches of 1’s, 10’s or 100’s of devices would be unlikely to be considered representative, but 1000’s of devices would).
通常,“合理尺寸”将展示与客户订单典型规模一致的控制措施(作为指导,在大规模生产环境中,1、10 或 100 批设备不太可能被视为具有代表性,但 1000 件设备会)。

If the Site demonstrates compliance with the Standard[1], a Provisional Certification is
如果网站证明符合标准[1],则临时认证是

granted that remains valid for a period of nine months. A non-compliant result at a Dry Audit requires the UICC supplier to remedy identified non-compliances within three months.
授予,有效期为九个月。在干审核中出现不合规结果,要求UICC供应商在三个月内纠正已发现的不合规行为。

Successful certification will be valid from the date of the repeat Dry Audit.
成功的认证将从重复干审核之日起生效。

A follow up Wet Audit is required to upgrade the Provisional Certification to Full Certification. This Audit can only be undertaken if the Site has been in continuous live production for a
需要进行后续湿审核才能将临时认证升级为全面认证。只有当网站已经连续进行现场生产时,才能进行此审核

minimum period of six weeks and it must be undertaken within nine months of the successful Dry Audit.
至少六周的时间,并且必须在成功进行干审核后的九个月内进行。

Successful completion of a Wet Audit leads to Full Certification. The period of this
成功完成湿审核后将获得全面认证。这个时期

certification runs from the date of the successful Dry Audit. Provisional Certification will be withdrawn if:
认证从干审核成功之日起计算。如果出现以下情况,临时认证将被撤销:

• The Wet Audit is not conducted within nine months of the conduct of the initial Dry Audit
• 湿式审核不会在初次干式审核后九个月内进行

• The Wet Audit result is non-compliant, and a successful Repeat Audit is not completed within three months
• 湿审核结果不合规,三个月内未成功完成重复审核

• Live production for a continuous period of six weeks cannot be demonstrated within nine months of the initial Dry Audit
• 在初次干审核后的九个月内,无法证明连续六周的现场生产

The UICC supplier chooses to withdraw from the Certification Process
• UICC供应商选择退出认证流程

5.1.2 Provisional Certification Period
5.1.2 暂定认证期

The nine-month Provisional Certification Period begins when the Site is first certified.
为期九个月的临时认证期从网站首次获得认证时开始。

NOTE: The Provisional Certification Period extends from the date of the successful
注意:临时认证期从成功之日起延伸

completion of a Dry Audit whether that Audit is an initial or repeat Dry Audit. This differs from the normal Certification Process, which backdates
完成干审核,无论该审核是初始审核还是重复审核。这与正常的认证过程不同,后者会追溯

certification to the initial Audit. An exception has been made in the case of
初始审核的认证。例外情况是:

Provisional Certification because the three month period required to make improvements that may be necessary after an initial Dry Audit would
临时认证,因为在初始干审核后可能需要进行必要的改进所需的三个月时间将

significantly reduce the window of opportunity within the nine month Provisional Certification Period to ramp-up production.
在九个月的临时认证期内大幅缩短机会窗口,以提高产量。

The Provisional Certification Period ends at the date specified on the Site’s SAS Provisional
临时认证期在网站SAS临时认证中指定的日期结束

Certificate of compliance or when the Site is fully certified following the successful completion of a Wet Audit.
合规证书,或在成功完成湿审核后对站点进行全面认证时。

5.1.3 Duration of Provisional Certification
5.1.3 临时认证期限

The Duration of Provisional Certification is fixed at nine months and it is the responsibility of
临时认证的期限固定为九个月,由以下机构负责

the participating UICC supplier to ensure the necessary Wet Audit to achieve Full Certification is undertaken within the nine month Provisional Certification Period.
参与的UICC供应商确保在九个月的临时认证期内进行必要的湿审核以获得全面认证。

V10.1 Page 21 of 63
V10.1 第 21 页,共 63 页

GSMA
GSMA公司

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

If a Provisionally-Certified Site receives a non-compliant result at a Wet Audit, its Provisional Certification will not be immediately withdrawn and it will retain its Provisional Certification
如果临时认证站点在湿审核中收到不合规结果,则其临时认证不会立即撤销,并将保留其临时认证

status until the end of the nine month Provisional Certification Period.
在九个月的临时认证期结束前的状态。

Full Certification will normally run for one year, in accordance with the provisions set out at
根据以下规定,全面认证通常为一年

4.3 above for Sites not holding an existing valid Certificate, and this will be back dated to the date on which the first Wet Audit was concluded. If the Wet Audit extends the scope of
4.3 对于未持有现有有效证书的站点,该证书的日期将追溯到第一次湿审核结束的日期。如果湿审计扩展了

existing Full Certification for a Site, and there is significant overlap in controls between the
站点的现有完整认证,并且

existing and new scope elements, the Audit Team may extend the Full Certification expiry
现有和新的范围要素,审核小组可以延长完整认证的到期时间

date for the new scope element to match the expiry date of the existing certification (if later).
新范围元素与现有证书的到期日期相匹配的日期(如果较晚)。

5.1.4 Duration of Provisional Certification Audits
5.1.4 临时认证审核的持续时间

The initial Dry Audit is conducted over a four day period and all controls will be audited.
最初的干式审核为期四天,所有控制措施都将进行审核。

Production processes will also be examined but in the absence of live production it will not be possible to sample test controls. The duration of a repeat Dry Audit will depend on the areas to be re-audited and will be agreed with the supplier in accordance with section 8.4 below.
还将检查生产过程,但由于没有现场生产,将无法对测试控制进行抽样。重复干审核的持续时间将取决于要重新审核的领域,并将根据下文第 8.4 节与供应商达成一致。

The Wet Audit is normally conducted over a two day period to review the controls in
湿审计通常在两天内进行,以审查

operation. If the Wet Audit is conducted together with a Renewal Audit for other fully certified scope elements, some time savings on the total Audit duration may be possible.
操作。如果湿审核与其他完全认证的范围要素的续展审核一起进行,则可以节省一些时间。

5.2 Auditing and Certification of Supporting Sites
5.2 支持站点的审核和认证

SAS provides auditing and certification on a Site-by-Site basis. However, Sites that
SAS提供逐个站点的审核和认证。但是,网站

participate in the scheme may use additional physical Sites owned and operated by
参与该计划可以使用其他实体网站

themselves or by third party subcontractors to provide some supporting infrastructure or services within the scope of certification. This section specifies how Supporting Sites are formally handled within the scheme.
自行或由第三方分包商在认证范围内提供某些配套基础设施或服务。本部分指定如何在方案中正式处理支持站点。

5.2.1 Definition
5.2.1 定义

A Supporting Site is one that meets all of the following criteria:
支持站点是满足以下所有条件的站点:

• Provides supporting infrastructure and/or services within the scope of SAS certification to the Primary Site seeking certification.
• 在SAS认证范围内向寻求认证的主站点提供支持基础设施和/或服务。

• Does not wish to hold its own SAS certification, or is not eligible to do so.
• 不希望持有自己的SAS认证,或者没有资格持有SAS认证。

To be eligible for SAS-UP certification as a Primary Site, a Site must operate, or be planning to operate, live and primary (not just backup) production or services that fulfil at least one of the primary SAS-UP scope elements.
• 要获得 SAS-UP 认证作为主站点的资格,站点必须运行或计划运营至少满足一个主要 SAS-UP 范围要素的主要和主要(而不仅仅是备份)生产或服务。

• Exceptional applications for SAS certification by Sites that do not meet these criteria will be considered by the GSMA on a case-by-case basis.
• 不符合这些标准的站点的特殊SAS认证申请将由GSMA根据具体情况予以考虑。

In most cases the Supporting Site is primarily accountable (via internal or contractual
在大多数情况下,支持站点主要负责(通过内部或合同

agreements) to the Primary Site rather than to the GSMA for its compliance with the SAS requirements. However, a Supporting Site must still be subject to the terms of SAS
协议)给主站点,而不是GSMA,以使其符合SAS要求。但是,支持站点仍必须遵守 SAS 的条款

participation, and therefore must be named on an SAS agreement signed by the Primary Site or the Primary Site’s parent company.
参与,因此必须在主站点或主站点的母公司签署的 SAS 协议上命名。

V10.1 Page 22 of 63
V10.1 第 22 页,共 63 页

GSMA
GSMA公司

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

A Secondary Site is a Supporting Site that is included as part of the same Audit Process and Audit Report as the Primary Site.
辅助站点是作为与主站点相同的审核流程和审核报告的一部分包含在内的支持站点。

5.2.2 Auditing and Certification Approach
5.2.2 审核和认证方法

The auditing and Certification Process to be followed is slightly different depending on the type of Supporting Site. To date, a single type of Supporting Site has been encountered
根据支持站点的类型,要遵循的审核和认证流程略有不同。迄今为止,只遇到过单一类型的支持站点

within SAS-UP, as follows:
在 SAS-UP 中,如下所示:

Centralised or Outsourced IT Services
集中式或外包式 IT 服务

Item
项目

Description
描述

Examples
例子

Centralised IT administration, network operations centre, server farm, firewall management
集中式 IT 管理、网络运营中心、服务器场、防火墙管理

Application form
申请表

The application form provides space to provide Supporting Site details and to outline the Site activities.
申请表提供了空间,以提供支持站点的详细信息并概述站点活动。

Audit scheduling and duration
审计计划和持续时间

Supporting Sites providing centralised or outsourced IT services may host initial audits scheduled back-to-back or closely scheduled with
提供集中式或外包 IT 服务的支持站点可以连续或密切安排

Primary Site audits. Audits of additional Primary Sites that depend on the Supporting Site’s certification are scheduled independently.
主站点审核。对依赖于支持站点认证的其他主站点的审核是独立安排的。

The Audit duration depends on the Supporting Site activities, and
审核持续时间取决于支持站点的活动,以及

should be agreed on a case-by-case basis with the Audit Team. For
应根据具体情况与审计小组达成一致。为

back-to-back audits, transfer time between Sites should also be agreed.
还应商定背靠背审核,站点之间的转移时间。

SAS agreement and invoicing
SAS 协议和发票

The Supporting Site (whether owned by the Primary Site applicant or a third-party subcontractor) must be subject to the terms of the SAS
支持站点(无论是由主站点申请人还是第三方分包商拥有)必须受 SAS 条款的约束

participation agreement. The Site should be specified in the Primary
参与协议。应在主站点中指定站点

Site’s agreement. If the Supporting Site Audit request is received after the Primary Site’s agreement has already been executed, then another instance of the agreement specifying the Supporting Site will need to be signed.
网站的协议。如果在主站点的协议已执行后收到支持站点审核请求,则需要签署指定支持站点的协议的另一个实例。

The Primary Site applicant or its parent company is invoiced for the Audit.
主站点申请人或其母公司已开具审核发票。

Audit Report
审计报告

Only the sections of the Audit Report relevant to the activities performed by the Site need to be completed by the Audit Team. Relevant
审计小组只需要完成审计报告中与网站所执行活动相关的部分。相关

contextual information about the Supporting Site Audit should be
有关支持性现场审核的上下文信息应为

provided within all Audit Reports. The information provided should
在所有审计报告中提供。所提供的信息应

include Site location(s), dates and duration, Audit type and approach,
包括站点位置、日期和持续时间、审核类型和方法、

summary of activities performed at each Site, any relevant Audit history, and explanatory notes in relation to how the report has been prepared
每个站点所开展活动的摘要、任何相关的审计历史以及与报告编制方式相关的解释性说明

and any deviations from standard Audit practice if necessary.
如有必要,以及任何偏离标准审计实践的情况。

SAS Certificate and website listing
SAS证书和网站列表

The Supporting Site name and address are mentioned on the SAS
SAS 上提到了支持站点的名称和地址

Certificate of the Primary Site(s) to which they provide support.
他们提供支持的主站点的证书。

If the certification expiry dates of a Primary Site and a supporting
如果主站点和支持站点的认证到期日期

backup Site are different, the GSMA will include both expiry dates on the Certificate. This approach will trigger reissue of Certificates to
备份站点不同,GSMA将在证书上包含两个到期日期。此方法将触发向以下人员重新颁发证书

Primary Site(s) by the GSMA each time a Supporting Site with a different certification expiry date renews certification.
GSMA的主站点,每次具有不同认证到期日期的支持站点更新认证时。

If the certification of a Supporting Site lapses, the GSMA may withdraw the SAS certification of the associated Primary Site(s).
如果支持站点的认证失效,GSMA可能会撤销相关主站点的SAS认证。

V10.1 Page 23 of 63
V10.1 第 23 页,共 63 页

GSMA
GSMA公司

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

5.3 Management of PKI Certificates
5.3 PKI证书的管理

Certification for management of PKI certificates is slightly different to other elements of SAS- UP Audit scope.
PKI证书管理的认证与SAS-UP审核范围的其他要素略有不同。

SAS-UP certified Sites may make use of eUICC Manufacturer (EUM) PKI test or live
SAS-UP认证站点可以使用eUICC制造商(EUM)PKI测试或实时

certificates that are issued as part of the GSMA ecosystem, or other, non-GSMA PKIs (e.g. national, supplier or product-specific PKIs). Controls are likely to be the same, or very
作为GSMA生态系统的一部分颁发的证书,或其他非GSMA PKI(例如国家、供应商或特定产品的PKI)。控件可能相同,或者非常

similar, in all cases; however, SAS-UP certification for PKI certificate management focusses specifically on a Site’s compliance with the requirements for use of live PKI certificates as
在所有情况下都相似;但是,用于 PKI 证书管理的 SAS-UP 认证特别关注站点是否符合使用实时 PKI 证书的要求,例如

part of the GSMA PKI ecosystem.
GSMA PKI生态系统的一部分。

SAS-UP certification with this scope is one pre-requisite for a Site to apply for a GSMA EUM PKI certificate from a GSMA-appointed Certificate Issuer.
此范围的SAS-UP认证是站点向GSMA指定的证书颁发者申请GSMA EUM PKI证书的先决条件之一。

Any Site that demonstrates an appropriate level of compliance with the relevant
任何证明适当程度遵守相关

requirements during an SAS-UP audit may be certified with PKI certificate management within scope, however certification will distinguish between those Sites that have:
SAS-UP审核期间的要求可能会在范围内通过PKI证书管理进行认证,但认证将区分那些具有以下特征的站点:

• Demonstrated SAS-UP compliance without GSMA PKI live certificates in use (i.e. either via test/self-signed PKI certificates or via non-GSMA PKI certificates).
• 在未使用 GSMA PKI 实时证书的情况下证明符合 SAS-UP 标准(即通过测试/自签名 PKI 证书或通过非 GSMA PKI 证书)。

• Demonstrated SAS-UP compliance with GSMA PKI certificates in use. SAS-UP certification will be indicated as shown inTable 3.
• 证明SAS-UP符合正在使用的GSMA PKI证书。SAS-UP认证如表3所示。

Value
价值

Symbol
象征

Criteria
标准

GSMA PKI Ready
GSMA PKI 就绪

Site has demonstrated compliant controls for PKI certificate management, either via
站点已演示了 PKI 证书管理的合规控制,通过

a) test/self-signed PKI certificates (controls audited dry’, i.e. no live operations) or
a) 测试/自签名 PKI 证书(控制审核干,即无实时操作)或

b) certificates used in live operations issued by non- GSMA CAs.
b) 由非 GSMA CA 颁发的用于实时运营的证书。

GSMA PKI Live
GSMA PKI 直播

Site has demonstrated compliant controls with GSMA PKI live certificate(s) in use
Site已证明使用GSMA PKI实时证书的合规控制措施
.

Table 3 – Possible values forManagement of PKI Certificates
表3 – “PKI证书管理”的可能值

In all cases, a Site must first be certified as “GSMA PKI Ready” before being issued with a GSMA PKI live certificate to act as an eUICC manufacturer. Once the first GSMA PKI EUM live certificate has been issued, the Site’s SAS-UP certification can be updated to “GSMA PKI Live” following a further successful audit of activities.
在所有情况下,网站必须首先获得“GSMA PKI Ready”认证,然后才能获得GSMA PKI实时证书,以充当eUICC制造商。一旦颁发了第一个GSMA PKI EUM实时证书,在对活动进行进一步成功的审核后,站点的SAS-UP认证可以更新为“GSMA PKI Live”。

SAS-UP certification with “GSMA PKI Ready” or “GSMA PKI Live” certification will be awarded as shown inTable 4.
如表4所示,将获得“GSMA PKI Ready”或“GSMA PKI Live”认证的SAS-UP认证。

V10.1 Page 24 of 63
V10.1 第 24 页,共 63 页

GSMA
GSMA公司

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

PKI Certificate(s) held at time of audit
审核时持有的PKI证书

SAS-UP status on
SAS-UP 状态开启

successful completion of
成功完成

audit
审计

Audit type
审核类型

Test/self-signed
测试/自签名

only

(no live
(没有直播

operations)
操作)

GSMA PKI live certificate
GSMA PKI 实时证书

Non-GSMA PKI used in live
直播中使用的非GSMA PKI

operations
操作

Certification Status
认证状态

Certification duration
认证期限

1

Initial(i)
首字母(i)

X

Not available
不可用

(ii)
(二)

2

N/A

X

(iii)
(三)

3

Wet

N/A

X

(iii)
(三)

4

X

5

X

X

6

Renewal
更新

N/A

X

(iii)
(三)

7

X

8

X

X

(i)

Initial audit of PKI certificate management, carried out as part of a first audit for a new Site or as a renewal or scope extension audit for an existing SAS-UP certified Site.
PKI 证书管理的初始审核,作为新站点首次审核的一部分,或作为现有 SAS-UP 认证站点的续订或范围扩展审核的一部分进行。

The duration of certification will be dictated by whether this is a new activity (equivalent to a dry
认证的持续时间将取决于这是否是一项新活动(相当于干

audit under the provisional certification scheme) or an existing activity (equivalent to full certification).
根据临时认证计划进行审核)或现有活动(相当于全面认证)。

(ii)
(二)

Certification is valid until provisional certification expiry date of other scope elements audited during dry audit (typically 9 months)
认证有效期至干审核期间审核的其他范围要素的临时认证到期日(通常为 9 个月)

(iii)
(三)

Certification is valid until certification expiry date of other full certified scope elements (1 year following first full or wet audit, 2 years following renewal audit)
认证有效期至其他完整认证范围要素的认证到期日(第一次全面或湿审核后 1 年,续期审核后 2 年)

Table 4 - SAS-UP PKI certification lifecycle
表 4 - SAS-UP PKI 认证生命周期

V10.1 Page 25 of 63
V10.1 第 25 页,共 63 页

GSMA
GSMA公司

Official Document FS.05 - Security Accreditation Scheme for UICC Production - Methodology
正式文件FS.05 - UICC生产安全认证计划-方法

6 Audit Report Scoring and Assessment
6 审计报告评分和评估

The Audit Report (see section3.3.4) contains detailed Audit Results. An indexed matrix of requirements is used as a means to structure and standardise recording of compliance.
审计报告(见第3.3.4节)包含详细的审计结果。索引需求矩阵被用作构建和标准化合规性记录的一种手段。

Possible assessments are described in Table 5.
表5描述了可能的评估。

Compliant (C)
合规 (C)

indicates that the Auditors’ assessment of the Site has found that a
表明审计员对网站的评估发现

satisfactory level of compliance with the requirements of the standard has been demonstrated during the Audit.
在审核期间,已经证明了对标准要求的合规程度令人满意。

To assist Auditees in assessing their Audit performance, and to plan
协助被审计方评估其审计表现,并制定计划

improvements, the Auditors may, at their discretion, indicate the level of compliance as follows:
改进,审计师可自行决定以下合规水平:

Compliant (C):
合规 (C):

in the Auditors’ assessment the Auditee has met the standard to an acceptable level.
在核数师的评估中,被核数师已达到可接受的标准。

Comments for further improvement may be offered by Auditors.
审计师可能会提出进一步改进的意见。

Substantially compliant (C-):
基本符合 (C-):

in the Auditors’ assessment the Auditee has just met the standard, but additional
在审计师的评估中,被审计者刚刚达到了标准,但额外的

improvement is thought appropriate to bring
改进被认为是适当的

the Auditee to a level at which compliance can easily be maintained. An assessment of C-
被审计者达到可以轻松保持合规性的水平。An assessment of C-

will be qualified with comments indicating the improvements required. Future audits will
将通过指示所需改进的评论进行限定。未来的审计将

expect to see improvement in areas marked as C-.
预计在标记为 C- 的领域会有所改善。

Non-compliant (NC)
不合规 (NC)

In the Auditors’ assessment, the Auditee has not achieved an acceptable level of compliance with the standard due to one or more issues identified. The
在审核员的评估中,由于发现的一个或多个问题,被审核方没有达到可接受的标准合规水平。这

issues identified require remedial action to be taken to ensure that an
发现的问题需要采取补救措施,以确保

acceptable level of compliance is achieved. Remedial action is compulsory to ensure continued certification.
达到可接受的合规水平。必须采取补救措施,以确保持续认证。

Table 5 - Assessments possible<