What kinds of things does ISO/IEC 27004 specify, using "password quality – automated" (B.17) as an example?
27004 is the measurement / metrics companion to 27001: it defines how to measure ISMS effectiveness by giving each metric a standard template — what to count, the formula, target thresholds, frequency, who owns it, and which 27001 control it evidences.
The point of 27004 is to turn vague assurances ("our passwords are fine") into a repeatable, comparable number. It does this by forcing every metric into a fixed template, so that two organisations — or the same organisation a year apart — measure the same thing the same way. The standard ships worked examples in its annex; clause B.17 "Password quality – automated" is one, and reading its fields shows how a metric is fully specified:
| Template field | Value in the B.17 example |
|---|---|
| Measure ID | Organization-defined (you assign it) |
| Information need | Assess the quality of passwords users use to access the organisation's IT systems |
| Measure | Total passwords, and total uncrackable passwords |
| Formula / scoring | Ratio = uncrackable ÷ total; compare with the previous ratio (trend) |
| Target | Ratio > 0.9 = control objective met; 0.8–0.9 = not met but improving; < 0.8 = act now |
| Frequency | Collect / analyse / report weekly; review the measure yearly |
| Responsible parties | System administrator (owner), security staff (collector), ISMS managers (client) |
| Relationship | Evidences ISO/IEC 27001:2013 control A.9.3.1 — Use of secret authentication information |
Note the metric is defined by an objective threshold (the 0.9 ratio), not a gut feeling — that is what makes it auditable. Without metrics like these, an ISMS is feel-good policy; with them, management can watch over time whether a control is actually working.
Tip: Start small. Pick 5 metrics from 27004 that you can collect cheaply (password quality, patch latency, phishing-click rate, MFA-coverage, control-gap closure rate). Resist the urge to instrument everything — half-tracked metrics get ignored.
Go deeper:
NIST SP 800-63B — modern password/secret guidance — the length-over-complexity and breached-password rules a password-quality metric should now score against.
Password strength and entropy — the underlying idea a B.17-style metric turns into a measurable ratio.