LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What kinds of things does ISO/IEC 27004 specify, using "password quality – automated" (B.17) as an example?

27004 is the measurement / metrics companion to 27001: it defines how to measure ISMS effectiveness by giving each metric a standard template — what to count, the formula, target thresholds, frequency, who owns it, and which 27001 control it evidences.

The point of 27004 is to turn vague assurances ("our passwords are fine") into a repeatable, comparable number. It does this by forcing every metric into a fixed template, so that two organisations — or the same organisation a year apart — measure the same thing the same way. The standard ships worked examples in its annex; clause B.17 "Password quality – automated" is one, and reading its fields shows how a metric is fully specified:

Template field Value in the B.17 example
Measure ID Organization-defined (you assign it)
Information need Assess the quality of passwords users use to access the organisation's IT systems
Measure Total passwords, and total uncrackable passwords
Formula / scoring Ratio = uncrackable ÷ total; compare with the previous ratio (trend)
Target Ratio > 0.9 = control objective met; 0.8–0.9 = not met but improving; < 0.8 = act now
Frequency Collect / analyse / report weekly; review the measure yearly
Responsible parties System administrator (owner), security staff (collector), ISMS managers (client)
Relationship Evidences ISO/IEC 27001:2013 control A.9.3.1 — Use of secret authentication information

Note the metric is defined by an objective threshold (the 0.9 ratio), not a gut feeling — that is what makes it auditable. Without metrics like these, an ISMS is feel-good policy; with them, management can watch over time whether a control is actually working.

Tip: Start small. Pick 5 metrics from 27004 that you can collect cheaply (password quality, patch latency, phishing-click rate, MFA-coverage, control-gap closure rate). Resist the urge to instrument everything — half-tracked metrics get ignored.

Go deeper:

From Quiz: ISF / ISMS & Security Standards (ISO 27k, NIST, BSI) | Updated: Jul 14, 2026