As well as the ISO27k standards, there are many other ISO/IEC and non-ISO/IEC standards and methods relating to information security, risk management and similar fields. Here is a selection of some of the most widely known and relevant standards and method.
THIS IS NOT A COMPLETE/COMPREHENSIVE
OR DEFINITIVE LIST!
If you know of other relevant standards, or if we have incorrectly described any here, please let us know.
Security-related ISO standards
ISO 9000 and related SDLC/QA standards
The ISO 9000 family of quality management standards define quality as the features of a product or service which are required by the customer. Quality management is what an organization does to ensure that its products or services satisfy the customers’ quality requirements and comply with applicable regulations.
The following standards cover the application of quality management principles specifically to the Software Development Life Cycle:
ISO/IEC 7498 Open Systems Interconnect (OSI) security model
This multi-partite standard defines the OSI reference model, describing an architecture to secure network communications through security services (access control, authentication, data integrity, data confidentiality and non-repudiation) and security mechanisms (encipherment, digital signature, access control, data integrity, authentication exchange, traffic padding, routing control and notarization).
ISO/IEC 10181 Security frameworks
This eight-part standard addresses the application of security services in an OSI environment with ODP, databases and distributed applications. The eight parts cover:
- Access control;
- Audit; and
- Key Management.
Through core concepts such as security domains, security authorities, security policies, trust and trusted third parties, the standard describes the basic concepts of the specific security service, identifies mechanisms to support the service, defines the management and supporting services and identifies functional requirement for protocols (but without actually specifying the protocols).
ISO TR 13569 Financial services - information security guidelines
ISO TR 13569:2005 guides financial services organizations on the development of an information security programme with advice on policies, organization and structure, plus legal and regulatory compliance. The selection and implementation of security controls necessary to manage information risks are discussed in the context of the business environment, practices and procedures.
ISO/IEC 13888 Non-repudiation
This tripartite standard describes non-repudiation mechanisms based on digital certificates generated using symmetric or asymmetric encryption, used to generate evidence and resolve disputes.
- ISO/IEC 13888-1: General model
- ISO/IEC 13888-2: Mechanisms using symmetric techniques
- ISO/IEC 13888-3: Mechanisms using asymmetric techniques
ISO 15292 Protection profile registration procedures
A Protection Profile is an implementation-independent set of security requirements for a category of IT products or systems, which meet specific consumer needs. ISO 15292 defines the procedures to be applied by a Registration Authority in operating a Register of Protection Profiles and ‘packages’ (reusable sets of functional or assurance components combined together to satisfy a set of identified security objectives) for the purposes of IT security evaluation.
ISO 15408 Common Criteria
ISO 15408:1999 is a multipartite standard describing the Common Criteria for Information Technology Security Evaluation. Products that are evaluated against the Common Criteria (CC) have a defined level of assurance as to their information security capabilities that is recognized in most of the world. Unfortunately, the evaluation process is extremely costly and slow, and is therefore not widely used outside of the government and defense markets. It also impedes product development since patching can invalidate the certified assurance.
- ISO/IEC 15408-1: Introduction and general model defines general concepts and principles of IT security evaluation and presents a general model of evaluation. Part 1 also presents constructs for expressing IT security objectives, for selecting and defining IT security requirements, and for writing high-level specifications for products and systems. In addition, the usefulness of each part of the CC is described in terms of each of the target audiences.
- ISO/IEC 15408-2: Security functional requirements establishes a set of security functional components as a standard way of expressing the security functional requirements for Targets of Evaluation (TOEs). It catalogues the functional components, families and classes.
- ISO/IEC 15408-3: Security assurance requirements establishes a set of assurance components as a standard way of expressing the assurance requirements for TOEs. It catalogues the set of assurance components, families and classes, defines evaluation criteria for Protection Profiles (PPs) and Security Targets (STs), and presents Evaluation Assurance Levels (EALs), the CC’s scale for rating assurance for TOEs. [Sorry about the alphabet soup, it’s an occupational hazard in this field.]
ISO 15408 also provides two useful threat-related definitions:
- Threats are the potential for abuse of protected assets;
- Threat agents may place a value on assets and seek to abuse or damage assets in a manner contradictory to the interests of the asset owner.
ISO 15489 Records management
ISO 15489:2001 is a records management standard in two parts:
- Part 1 describes a “high level framework for recordkeeping and specifically addresses the benefits of records management, regulatory considerations affecting its operation and the importance of assigning of responsibilities for recordkeeping. It also discusses high level records management requirements, the design of recordkeeping systems and actual processes involved in records management, such as record capture, retention, storage, access etc. It concludes with a discussion of records management audit operations and training requirements for all staff of an organisation.”
- Part 2 provides “practical and more detailed guidance about how to implement the framework outlined in Part 1. For example it provides specific detail about the development of records management policy and responsibility statements and outlines the DIRKS process for developing recordkeeping systems. Part 2 also provides practical guidance about the development of records processes and controls and specifically addresses the development of key recordkeeping instruments such as thesauri, disposal authorities and security and access classification schemes. It then discusses the use of these tools to capture, register, classify, store, provide access to and otherwise manage records. Part 2 also provides specific guidance about the establishment of monitoring, auditing and training programs to promote and effectively implement records management within an organisation.”
ISO/IEC 17021 Conformity assessment -- requirements for bodies providing audit and certification of management systems
This standard defines generic requirements for audit and certification bodies in relation to assessing and certifying management systems.
ISO/IEC 17021 is referenced as a normative standard by ISO/IEC 27006, meaning that it is considered essential for users of ’27006.
ISO/IEC 18043 Selection, deployment and operations of Intrusion Detection Systems (IDS)
ISO/IEC 18043:2006 focuses on the security principles behind unauthorized intrusion into computer systems/networks and how organizations can establish frameworks to enable comprehensive Intrusion Detection Systems (IDS). It addresses IDS selection, deployment and operation to help IT managers set up standard, and hence interoperable, IDS configurations.
ISO 19011 Guidelines for auditing management systems
ISO 19011:2011 provides an introduction to compliance auditing against various ISO management systems standards. Although ISO27k is not covered explicitly, Annex A uses ISMS as an example of the discipline-specific knowledge and skills expected of auditors. The 2011 edition clarifies the relationship between ISO 19011 and ISO 17021:2011 - Conformity assessment - Requirements for bodies providing audit and certification of management systems, focusing on SMEs and internal audit. The concept of risk in auditing is addressed and guidance on auditing combined management systems (for example, ISMS and quality) is provided. Guidance on competence and evaluation of auditors is provided in line with ISO 27011:2011. Annex B introduces the concept of remote audits, acknowledging the universality of ICT. It is recommended reading for ISMS internal auditors as well as certification auditors and other IT auditors.
ISO/IEC 19770 Software asset management
ISO/IEC 19770-1:2006 promotes the implementation of an integrated set of software asset management processes, using good practices for efficient software management. Contents:
- Scope, terms and definitions;
- Field of application;
- Intended usage;
- Agreement compliance;
- General Software Asset Management processes;
- Control environment for Software Asset Management;
- Planning and implementation;
- Inventory processes;
- Verification and compliance processes;
- Operations management processes and interfaces;
- Life cycle process interfaces.
ISO/IEC 20000 IT service management
“ITIL (IT Infrastructure Library) is the most widely accepted approach to IT service management in the world. ITIL provides a cohesive set of best practice, drawn from the public and private sectors internationally. It is supported by a comprehensive qualifications scheme, accredited training organisations, and implementation and assessment tools.” While ISO 20000 is not strictly the same as ITIL, ITIL became BS 15000 then ISO/IEC 20000 in 2005:
- ISO/IEC 20000 Part 1:2005 Information technology service management. Specification for Service Management describes the requirements for IT service management against which organizations may be independently certified.
- ISO/IEC 20000 Part 2:2005 Information technology service management. Code of Practice for Service Management gives more practical guidance to implementers, a suite of best practices for IT service management.
An ISMS makes a lot of sense in a framework such as ITIL that implies structured work practices and sound governance, albeit with the confines of IT.
ISO 21827 Systems Security Engineering Capability Maturity Model (SSE CMM)
Like other Capability Maturity Models (CMMs), the Systems Security Engineering (SSE) CMM defines the essential characteristics of SSE processes, emphasizing those which indicate process maturity. The model covers the entire systems development lifecycle from concept definition to decommissioning. It applies to those developing or integrating secure products/systems, and those providing specialist security services such as security engineering. It was published as ISO 21827 in 2002.
ISO 22301:2012 Societal security - Business continuity management systems - Requirements
ISO 22301 formally specifies a Business Continuity Management System (BCMS) for any type or size of organization. Organizations may choose to be certified compliant with the standard by accredited certification bodies, or simply use the standard to develop their BCMS. The standard was developed from - and replaced - British Standard BS 25999-2 and draws on other business continuity standards.
ISO 22313:2012 Societal security - Business continuity management systems - Guidance
In the same way that ISO/IEC 27002 builds on ISO/IEC 27001, ISO 22313 accompanies and expands on ISO 22301. It was developed from - and replaced - British Standard BS 25999-1.
ISO/PAS 22399 Societal security - Guideline for incident preparedness and operational continuity management
ISO/PAS 22399:2007 provides general guidance for private, governmental, and nongovernmental organizations to develop specific performance criteria for incident preparedness and operational continuity, and design appropriate management systems. It provides a basis for understanding, developing and implementing continuity of operations and services within the organization and to provide confidence in business, community, customer, first responder and organizational interactions. It also enables the organization to measure its resilience in a consistent and recognized manner.
ISO/IEC 24762 Guidelines for information and communications technology disaster recovery services
ISO/IEC 24762:2008 offers guidance on Information and Communications Technology Disaster Recovery (ICT DR) within the context of business continuity management. It supports the operation of an ISMS by addressing the information security and availability aspects of business continuity management in times of crisis. A business continuity plan comprises an organization’s strategies to prepare for future national, regional or local crises that could jeopardize its capacity to continue with its core mission, as well as its long term stability. Business continuity management is an integral part of holistic risk management that involves:
- Identifying potential threats that may cause adverse impacts on an organization’s business operations, and associated risks;
- Providing a framework for building resilience for business operations;
- Providing capabilities, facilities, processes, action task lists, etc., for effective responses to disasters and failures.
Using the standard, organizations can build greater resilience into their ICT infrastructure supporting critical business activities and complementing their business continuity management and information security management activities.
ISO/PAS 28000 Specification for security management systems for the supply chain
This standard specifies the requirements for a security management system [as opposed to an information security management system - see the ISO27k standards for that], including those aspects critical to security assurance of the supply chain such as financing, manufacturing, information management and the facilities for packing, storing and transferring goods between modes of transport and locations. Security management is linked to many other aspects of business management. These other aspects should be considered directly, where and when they have an impact on security management, including transporting goods along the supply chain.
ISO/PAS 28000 is applicable to all sizes of organizations, from small to multinational, in manufacturing, service, storage or transportation at any stage of the production or supply chain that wishes to:
1. Establish, implement, maintain and improve a security management system;
2. Assure compliance with stated security management policy;
3. Demonstrate such compliance to others;
4. Seek certification/registration of its security management system by an accredited certification body or self-declare compliance with ISO/PAS 28000. Organizations that choose certification demonstrate that they are not merely concerned about, but are actively attempting to secure, the supply chain.
ISO/IEC 29134 Privacy impact assessment - methodology (draft)
This standard will explain how go about assessing the possibility and potential consequences of privacy breaches and other incidents involving personal information.
ISO 31000 Risk management — Principles and guidelines
ISO 31000:2009 superseded AS/NZS 4360, a widely respected and used Australia/New Zealand risk management standard. “This International Standard recognizes the variety of the nature, level and complexity of risks and provides generic guidelines on principles and implementation of risk management. To apply these generic guidelines in a specific situation, this International Standard sets out how an organization should understand the specific context in which it implements risk management.” In other words, ISO 31000 covers risk management in the broad, not specifically information security or even IT risks.
ISO/IEC 31010 Risk management – Risk assessment techniques
ISO/IEC 31010:2009 treats risk assessment as an integral part of risk management, helping managers understand risks that could affect the achievement of business objectives and assess the adequacy and effectiveness of various risk mitigation controls. It covers risk assessment concepts as well as processes and a range of techniques. It is aimed at risk management professionals and novices through a set of good practices.
ISO/IEC 38500 Corporate governance of information technology
ISO/IEC 38500:2008 “provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations. [The standard] applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization. These processes could be controlled by IT specialists within the organization or external service providers, or by business units within the organization. It also provides guidance to those advising, informing or assisting directors. They include:
- senior managers;
- members of groups monitoring the resources within the organization;
- external business or technical specialists, such as legal or accounting specialists, retail associations, or professional bodies;
- vendors of hardware, software, communications and other IT products;
- internal and external service providers (including consultants);
- IT auditors.”
The governance model appears relatively simple: senior managers evaluate the organization’s requirements and make plans, cascade them through the organization as directives, policies etc., and monitor their implementation, revising the plans or directives where necessary.
ISO Guide 73:2009 Risk management – Vocabulary – Guidelines for use in standards
ISO Guide 73, first published in 2002 and updated in 2009, is not formally an ISO/IEC standard but a glossary of risk-related terms that was originally written as an internal guide to encourage the consistent use of terminology by ISO/IEC committees writing risk-related standards.
In recognition of the variety of specialist terms in the field of risk management, Guide 73 lays out specific interpretations of more than 50 terms in 16 pages in order that ISO/IEC risk management standards are consistent in their use of the terminology. As an example, ‘risk assessment’ and ‘risk analysis’ are often used loosely and interchangeably by practitioners. Guide 73 defines risk assessment as the overall process of identifying, analyzing and evaluating risks, putting risk analysis is a sub-component of risk assessment. ‘Residual risk’ is another example that has a variety of meanings in common use. Guide 73 defines it specifically as “risk remaining after risk treatments”, with notes pointing out that residual risk includes risks than have not been identified, and is also known as ‘retained risk’ (although ‘risk retention’ is also defined separately).
ISO/IEC JTC1/SC 27 Standing Document 6 (SD6) - Glossary of IT Security Terminology
SD6 is another glossary of information and IT security terms used in ISO27k and other security standards developed by SC 27. Like Guide 73, SD6 is intended as an internal guideline for the committee, not a formal ISO/IEC standard. Unlike Guide 73, however, SD6 has about 2,000 entries (!) and is actively maintained by DIN.
Back to top
Non-ISO information security standards and methods
Australian Government Information Security Manual
The unclassified version is available on the web. I can neither confirm nor deny the existence of a classified version.
ANSI American National Standards Institute
ANSI publishes a range of technical security standards under the X.9 series e.g. ANSI X9.43 Key archiving and retrieval explains why cryptographic keys need to be archived and describes the archival and retrieval mechanisms.
BSI = British Standards Institute
BS 7799, of course, was the progenitor, the granddaddy of the ISO/IEC 27000 family. The code of practice for information security management now known as ISO/IEC 27002 was originally published as a DTI guide and became BS 7799 in 1995. When the accompanying certification standard that later became ISO/IEC 27001 was released as BS 7799 part 2 in 1999, the original standard was renamed BS 7799 part 1. Part 3 Information security management systems - guidelines for information security risk management was published in 2006. Parts 1, 2 and 3 have all since been withdrawn.
BSI = Bundesamt fur Sicherheit in der Informationstechnik
The German federal office for information security is well known for its IT-Grundschutz [IT baseline protection] manual, originally released in 1994. This painstakingly-detailed manual describes an ISMS comprising a governance structure and suite of information security controls ranging from technological, organizational and sociological to infrastructural (physical) in nature. It has now been divided to separate the methods (which are gradually being aligned with ISO27k) from the huge catalogue of threats and controls (which is like ISO/IEC 27002 on steroids).
While in various places it claims to be based on ISO27k, IT-Grundschutz has in reality been adapted slightly to reflect some aspects of ISO27k. There are some oddities as a consequence of shoehorning the German standard into the ISO27k mold, for instance noting that it uses the term ‘IT security’ instead of ‘information security’ “because it is equivalent but shorter” whereas most professionals accept that they are conceptually and literally different. The main difference is that IT-Grundschutz recommends the adoption of a standardized and pragmatic de facto security baseline as a starting point rather than ISO27k’s pure de novo risk-based and somewhat theoretical approach. Neither approach is necessarily right or wrong - both have their merits.
BSI Standard 100-1 Information Security Management Systems (ISMS) is an overview of the IT-Grundschutz approach to developing and implementing an ISMS, not dissimilar to ISO/IEC 27000’s introduction to ISO27k.
BSI Standard 100-2 IT-Grundschutz Methodology is loosely equivalent to ISO/IEC 27001, in the sense that it is basically about governance of information security within the organization using an ISMS. It explains how to develop and operate an ISMS, for example how to establish an information security management body, develop an information security policy, select appropriate information security controls etc. It uses worked examples based on a fictitious government agency to demonstrate certain aspects of the approach. It makes little if any reference to PDCA, and runs out of steam at the ISMS implementation stage (neglecting ISMS maintenance, audits/management reviews, risk/control updates etc.).
BSI Standard 100-3 Risk Analysis Based on IT-Grundschutz vaguely resembles ISO/IEC 27005. In contrast to ISO27k, the IT-Grundschutz baseline approach uses the catalogues to specify security controls for ‘normal’ systems that are assumed to have ‘normal’ risks, using risk analysis only to identify additional risk and control requirements for ‘high’ or ‘very high’ systems (which, in military and government organizations, presumably equate to unclassified, secret and top secret systems, respectively). The threats catalogue lists 45 ‘elementary threats’.
BSI Standard 100-4 Business Continuity Management explains how to establish and maintain a BCM system, based on IT-Grundschutz. It incorporates a useful summary of several other BCM standards and, like most of them, it is purely concerned with preparing for activities that will be necessary in the event of a crisis or disaster affecting critical business operations and/or the supporting IT systems and networks, rather than attempting to avoid or avert such crises and disasters (for example through resilience, redundancy, high-availability systems etc.).
BSI IS audit guideline [unnumbered] Information Security Audit (IS Audit) - a guideline for IS audits based on IT-Grundschutz is primarily aimed at IS auditors working for German federal agencies. It is, however, a solid and well-written description of the performance of typical IS audits, although rather light on the strategic planning of a portfolio of IS audits (e.g. IS audits are normally conducted by IT auditors, who often audit various aspects of information security in the course of other audits, or by certification auditors, who have to follow strict processes laid down by the certification bodies).
IT-Grundschutz Catalogues, updated annually. Over 4,000 pages (!) of excruciatingly detailed advice on information security threats, controls etc., roughly equivalent to ISO/IEC 27002 but much more specific. “One of the most important objectives of IT-Grundschutz is to reduce the expense of the information security process by offering reusable bundles of familiar procedures to improve information security. In this manner, the IT-Grundschutz Catalogues contain standard threats and security safeguards for typical business processes and IT systems which can be used in your organisation, if necessary. Through appropriate application of the standard technical, organisational, personnel, and infrastructural security safeguards recommended for IT-Grundschutz, a security level is reached for the business processes being analysed that is appropriate and adequate to protect business-related information having normal protection requirements. Furthermore, the safeguards in the IT-Grundschutz Catalogues not only form a basis for IT systems and applications requiring a high level of protection, but also provide an even higher level of security in many areas.” The idea is basically for users to thumb through the catalogue and select standard controls for the situations they face, forming the baseline onto which additional security controls may then be added where necessary.
COBIT Control OBjectives in IT
COBIT from ISACA (originally an acronym for the IS Audit and Control Association, now merely a string of characters) has matured from quite modest beginnings as a guide for computer auditors on best practice IT management controls into a comprehensive model or tool to guide the implementation of sound IT governance processes.
Accordng to ISACA, COBIT is “an end-to-end business view of the governance of enterprise IT that reflects the central role of information and technology in creating value for enterprises. The principles, practices, analytical tools and models found in COBIT 5 embody thought leadership and guidance from business, IT and governance experts around the world.”
ISACA also offers the RiskIT and ValIT methods.
ITU International Telecommunications Union
The ITU’s ICT Security Standards Roadmap outlines the ITU’s work on security standards.
The ITU Telecommunication Standardization Sector (ITU-T), formerly the CCITT, is the part of ITU which publishes the X-series standards for the telecomms industry, including X.1051 (also known as ISO/IEC 27011).
NFPA National Fire Protection Association
NFPA 1600, the Standard on Disaster/Emergency Management and Business Continuity Programs, advises on disaster management structures and governance. The PDF version is free.
The US National Institute of Standards and Technology (NIST) is renowned for producing a wide range of well-written, clear and comprehensive technical standards and (unlike ISO27k) they are free of charge. If you want to know the professional way to do information security, check NIST’s Special Publications 800 series in particular.
OECD Organization for Economic and Cultural Development
The OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (2002) presented some useful high level principles for information security that were incorporated in ISO/IEC 27000.
Open Group security standards
The Open Group offers several information security standards supporting risk analysis, authentication etc.
PCI DSS Payment Card Industry Data Security Standard
The main credit card companies collaborated through the PCI Security Standards Council on the cardholder data security standard PCI DSS. Contracts with the merchants and banks who accept and process credit cards specify PCI DSS compliance. Structured compliance activities, including routine independent security assessments by accredited PCI experts, are intended to enforce the standards, maintain consumer confidence in the security arrangements and so protect the credit card industry as a whole.
PCI DSS is very narrowly scoped: it solely concerns protecting the confidentiality of cardholder data (credit card numbers and related information). Merchants and banks face many other information risks, hence PCI DSS compliance alone is woefully inadequate to protect all their information assets. It covers one piece of a much bigger jigsaw.
RFCs Requests For Comment
Many RFCs are a throwback to the early days of the Internet when proposals for new protocols etc. were circulated to the relatively small Internet user community for comments and input. The RFC mechanism remains and is still used although a wealth of standards bodies now dominate Internet and Web development.
RFC 1281 Guidelines for the Secure Operation of the Internet (1991), for example, may be of historical interest and embodies security principles that many would argue remain valid today but it’s hardly cutting-edge.
Nevertheless, many current Internet security-related protocols (such as S/MIME and MD5) were first defined as RFCs. Indeed, the TCP/IP family was conceived as RFCs ... and various fundamental security issues that were well known in the original architecture plague us to this day.
SSAE16 Statement on Standards for Attestation Engagements #16, Reporting on Controls at a Service Organization and ISAE 3402, Assurance reports on controls at a service organization
SSAE16 is an auditing or attestation standard, meaning a method for auditors to check and then attest to the control status of their financial services industry clients, from the Auditing Standards Board of AICPA, the American Institute of Certified Public Accountants (CPAs). SSAE16 is aligned with the International Standard on Assurance Engagements ISAE 3402, Assurance Reports on Controls at a Service Organization, produced by the International Auditing and Assurance Standards Board of the International Federation of Accountants. ISAE 3402 is essentially an international version of the US-only SSAE16.
The purpose of these standards is to reduce the need for interdependent financial services companies to audit each other’s security arrangements incessantly: confirming that a partner company has received a positive SSAE16 or ISAE 3402 report from a trustworthy auditor is generally taken as due diligence, without the need to conduct their own controls audit.
However, the truth is that risks, risk perceptions and risk appetites vary: management of any organization that is dependent on another is well advised to review their risks explicitly for business continuity reasons and implement suitable controls, of which SSAE16/ISAE 3402 might be just a part. Business continuity and contingency arrangements are a good idea, especially given that the systemic risk of global economic meltdown has become a stark reality of late (pure coincidence? What do you think?).
SEI Software Engineering Institute
OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation) from Carnegie Mellon University’s Software Engineering Institute defines a systematic, context-driven information risk evaluation process. Through a self-directed three-phase approach, risk assessors come to understand the risks and make informed risk management decisions. OCTAVE examines organizational and technical issues, building up a comprehensive picture of the organization’s information security requirements.
TIA-942 Telecommunications Infrastructure Standard for Data Centers
The US-based Telecommunications Industry Association, Electronic Industries Alliance and ANSI published this specification for data centers in 2005. The specification offers a lot of advice on the architecture, design and engineering of the facilities, including the critical matters of resilient power and air conditioning for ICT equipment, going well beyond section 11 of ISO/IEC 27002. There are numerous references to IEEE and other standards, electrical codes etc. However, national and local building, power, safety and other regulations often vary from those noted in the specification, hence the generic advice needs to be tempered according to local regs and practice, requiring the involvement of qualified specialists at all stages from specification to demolition. Furthermore, the rack power densities mentioned in the original specification are substantially exceeded by modern blade server racks, creating power, heat, ventilation and perhaps fire risks: their advice to provide excess capacity for growth was conservative. [A 2013 addendum may have addressed this.]
Back to top