Definition and guide

Understanding the ISO/IEC 25010: framework for software quality

Explore ISO/IEC 25010 and its 9 quality characteristics. Boost code quality, enhance security, and deliver reliable software at scale.

요약
  • The ISO/IEC 25010 framework is an international standard defining nine primary characteristics, such as functional suitability and reliability, to objectively evaluate and measure software quality.
  • This model addresses software quality by providing a systematic language for developers and leaders to manage technical debt and ensure systems perform under stated conditions.
  • Maintaining security and maintainability is critical in the AI era to prevent "AI slop" and ensure that high volumes of generated code remain effective and efficient.
  • Organizations use these standards to overcome the "verification bottleneck," ensuring rapid AI-driven output meets enterprise-grade requirements for production-ready, reliable code.

Software quality is often difficult to define until an application fails in production, security vulnerabilities are discovered, or technical debt makes future development increasingly expensive. The ISO/IEC 25010:2023 standard provides a common vocabulary and structured framework for evaluating what makes software "high quality."

Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), the standard defines a comprehensive software product quality model consisting of nine quality characteristics. These characteristics enable organizations to objectively evaluate software products throughout planning, development, testing, deployment, and maintenance.

Rather than relying on subjective judgments, development teams can use ISO/IEC 25010 to establish measurable quality objectives, guide software verification, improve code review practices, and align engineering work with business outcomes.

Whether you're a software developer working inside your IDE, an application security engineer reviewing pull requests, or an engineering executive managing a portfolio of applications, understanding the ISO/IEC 25010:2023 model provides a foundation for building software users can trust.

The nine software product quality characteristics of ISO/IEC 25010:2023

ISO/IEC 25010:2023 defines nine software product quality characteristics that together provide a comprehensive model for evaluating software products. Each characteristic contains multiple sub-characteristics that enable organizations to assess software quality through static analysis, testing, code review, software verification, and continuous quality improvement.

Functional suitability

Functional suitability measures how well software provides functions that satisfy stated and implied user needs. At its core, it answers a simple question: Does the software perform the right functions correctly?

Functional suitability includes:

  • Functional completeness: covering all required functionality
  • Functional correctness: producing accurate and expected results
  • Functional appropriateness: enabling users to accomplish their objectives efficiently

In modern software engineering—particularly when AI coding assistants generate large volumes of code—functional suitability requires more than successful compilation. Organizations increasingly rely on automated testing, static code analysis, and deterministic verification to confirm that generated implementations behave correctly under real-world conditions.

Maintaining strong functional suitability reduces production defects, improves customer satisfaction, and helps ensure that AI-generated code solves the intended business problem instead of simply producing syntactically valid output.

Performance efficiency

Performance efficiency evaluates how effectively software uses computational resources while meeting required levels of performance under specified conditions.

Its primary sub-characteristics include:

  • Time behavior: response time, latency, and throughput
  • Resource utilization: efficient use of CPU, memory, storage, and network resources
  • Capacity: ability to handle expected workloads and growth

Performance problems often become a hidden source of technical debt. Poorly optimized algorithms, unnecessary complexity, and inefficient AI-generated implementations can significantly increase infrastructure costs while degrading user experience.

Modern engineering teams continuously monitor performance throughout development using automated testing, profiling, and static analysis to ensure applications remain responsive, scalable, and efficient as systems evolve.

Compatibility

Compatibility measures how effectively software operates alongside other systems while sharing data, infrastructure, and computing resources.

Compatibility consists of:

  • Co-existence: operating efficiently alongside other software without conflict
  • Interoperability: exchanging and using information across systems and services

Compatibility has become increasingly important as organizations adopt cloud-native architectures, distributed systems, APIs, microservices, and third-party integrations.

Strong compatibility improves software resilience while reducing integration failures, operational complexity, and security risks associated with incompatible interfaces or inconsistent data exchange.

Interaction capability

One of the most significant updates introduced in ISO/IEC 25010:2023 is the replacement of Usability with Interaction capability.

Interaction capability evaluates how effectively users can interact with software to accomplish their goals. While it encompasses traditional usability principles, the updated characteristic recognizes that modern software must support a broader range of users, interaction models, and accessibility requirements.

Interaction capability includes:

  • Appropriateness recognizability
  • Learnability
  • Operability
  • User error protection
  • User engagement
  • Inclusivity
  • User assistance
  • Self-descriptiveness

For modern applications—including AI-powered solutions—interaction capability extends beyond attractive user interfaces. Users must be able to understand system behavior, receive appropriate guidance, recover from mistakes, and successfully complete tasks regardless of their experience level or accessibility needs.

Organizations that prioritize interaction capability improve customer satisfaction, reduce support costs, increase adoption, and build greater trust in AI-assisted workflows.

Reliability

Reliability measures the degree to which software performs specified functions consistently under defined conditions over time without interruptions and failures.

Reliable software minimizes unexpected failures while maintaining service availability during both normal operations and adverse conditions.

The ISO/IEC 25010:2023 standard defines four primary sub-characteristics:

  • Faultlessness
  • Availability
  • Fault tolerance
  • Recoverability

As organizations increasingly deploy AI-generated code into production, reliability becomes even more important. While AI can accelerate software delivery, generated implementations may introduce subtle logic errors or edge-case failures that traditional reviews can overlook.

Continuous testing, automated verification, code review, and static analysis help organizations identify these issues before deployment, improving system resilience while reducing operational risk.

Security

Security measures the degree to which software protects information, systems, and services against unauthorized access, modification, disclosure, or disruption while ensuring that only authorized users and processes can perform permitted actions. It is a foundational characteristic of application security, secure coding, and software quality.

ISO/IEC 25010:2023 defines the following security sub-characteristics:

  • Confidentiality: protecting information from unauthorized disclosure
  • Integrity: preventing unauthorized modification of data
  • Non-repudiation: ensuring actions and transactions cannot later be denied
  • Accountability: enabling actions to be traced to responsible entities
  • Authenticity: verifying the identities of users, systems, and services
  • Resistance: withstanding, responding to, and recovering from attacks or malicious actions

As software supply chains become increasingly complex and AI-assisted development accelerates code generation, security must be embedded throughout the software development lifecycle rather than treated as a final validation step. Organizations increasingly rely on static code analysis, vulnerability scanners, software verification, and secure coding practices to identify vulnerabilities early, reduce remediation costs, and ensure applications remain resilient against evolving threats.

Maintainability

Maintainability measures how effectively software can be analyzed, modified, tested, and improved throughout its lifecycle. Highly maintainable software enables engineering teams to respond quickly to changing business requirements while controlling technical debt and preserving long-term software quality.

The maintainability characteristic includes:

  • Modularity: separating functionality into well-defined components
  • Reusability: leveraging existing assets across systems and projects
  • Analyzability: efficiently diagnosing defects, vulnerabilities, and performance issues
  • Modifiability: implementing changes without introducing unintended side effects
  • Testability: verifying that changes behave as expected

Maintainability becomes increasingly important in AI-assisted software development. While generative AI can dramatically increase code production, it can also introduce unnecessary complexity, duplicated logic, inconsistent coding patterns, and fragile implementations.

Organizations that prioritize maintainability through continuous code review, static analysis, code cleanup, code refactoring, and automated testing can reduce technical debt while improving developer productivity, software verification, and long-term application sustainability.

Flexibility

ISO/IEC 25010:2023 replaces the previous Portability characteristic with Flexibility, reflecting the growing need for software that can evolve alongside changing technologies, deployment environments, and business requirements.

Flexibility measures the degree to which software can adapt to new environments, changing workloads, evolving infrastructure, and future operational needs.

Its sub-characteristics include:

  • Adaptability: adjusting to different operating environments and configurations
  • Installability: enabling efficient deployment and installation
  • Replaceability: substituting components or systems with minimal disruption
  • Scalability: maintaining performance and functionality as workloads increase

Modern software increasingly runs across hybrid cloud, multi-cloud, containerized, and distributed environments. Flexibility allows organizations to reduce vendor lock-in, modernize infrastructure, support cloud migrations, and scale applications efficiently while maintaining software quality.

For engineering leaders, flexibility helps future-proof software investments by ensuring systems can evolve without requiring expensive rewrites or disruptive architectural changes.

Safety

One of the most significant additions in ISO/IEC 25010:2023 is Safety, recognizing that software quality extends beyond reliability and security to include protection against unintended harm.

Safety measures the degree to which software avoids causing unacceptable risk to people, organizations, property, or the environment during normal operation and foreseeable misuse.

Safety includes sub-characteristics such as:

  • Operational constraint: preventing operation outside safe limits
  • Risk identification: recognizing hazardous conditions before failures occur
  • Fail-safe behavior: transitioning to safe operating states during failures
  • Hazard warning: informing users and operators of unsafe conditions
  • Safe integration: ensuring interactions with other systems do not introduce unacceptable risks

Although safety has traditionally been associated with industries such as healthcare, automotive, aerospace, manufacturing, and critical infrastructure, it is becoming increasingly relevant across enterprise software. AI-enabled applications, autonomous systems, and software that influences business or operational decisions can all introduce risks that extend beyond conventional software defects.

By incorporating safety into software quality evaluation, organizations can better assess operational risks, improve system resilience, and build greater trust in AI-assisted software systems.

Why the ISO/IEC 25010:2023 framework matters in the AI era

Software engineering is entering an era where AI agents can generate code at unprecedented speed. While this acceleration enables organizations to deliver features faster than ever before, it also introduces new challenges. AI-generated code may be functionally correct yet inefficient, difficult to maintain, insecure, or inconsistent with organizational coding standards.

The result is a growing verification bottleneck: engineering teams can generate software faster than they can confidently verify its quality.

The ISO/IEC 25010:2023 framework provides a comprehensive model for addressing this challenge. Rather than evaluating code solely for correctness, organizations can assess software across nine complementary quality characteristics, including maintainability, security, reliability, interaction capability, flexibility, and safety.

This broader perspective helps engineering teams identify quality issues before they reach production, reduce technical debt, improve software verification, and ensure AI-generated code satisfies enterprise requirements.

As organizations adopt agentic development workflows, the ability to continuously evaluate software quality becomes a strategic advantage. AI may accelerate software creation, but only rigorous verification ensures that generated software is trustworthy, secure, maintainable, and ready for production.

How SonarQube helps organizations implement ISO/IEC 25010:2023

Implementing ISO/IEC 25010:2023 requires more than defining quality objectives—it requires continuously measuring and improving software quality throughout the software development lifecycle.

SonarQube helps organizations operationalize many of the quality characteristics defined by the standard by providing continuous code quality and security analysis directly within developer workflows and CI/CD pipelines.

By identifying bugs, code smells, security vulnerabilities, security hotspots, and maintainability issues through static code analysis, SonarQube enables developers to improve code before it reaches production. These capabilities directly support characteristics such as Functional suitability, Performance efficiency, Reliability, Security, and Maintainability while reducing technical debt and improving overall software quality.

SonarQube Cloud extends these capabilities with scalable cloud-based analysis for modern development environments, while SonarQube Server enables organizations to implement comprehensive code quality and security practices within self-managed infrastructures.

Integrating SonarQube for IDE into developers' daily workflows allows issues to be identified and resolved as code is written, reducing the cost of remediation and improving developer productivity. By providing immediate feedback, developers can continuously improve code quality without interrupting development flow.

As AI-assisted development becomes increasingly common, SonarQube plays an important role in verifying both human-written and AI-generated code. Organizations can apply consistent quality gates, enforce coding standards, detect vulnerabilities, and validate maintainability regardless of how code is produced.

While no single tool measures every ISO/IEC 25010 quality characteristic, SonarQube provides actionable insights across several of the model's most critical dimensions, helping organizations build software that is secure, reliable, maintainable, and ready for production while supporting continuous improvement across the software development lifecycle.


ISO/IEC 25010 FAQs

What is ISO/IEC 25010:2023 and why is it important?

ISO/IEC 25010:2023 is an international standard that defines a comprehensive framework for evaluating and improving software product quality. It establishes a common vocabulary and a structured model based on nine software product quality characteristics, enabling organizations to specify, measure, and continuously improve software quality throughout the software development lifecycle (SDLC).

The framework is important because it helps organizations:

  • Establish objective software quality requirements
  • Improve code quality and security
  • Reduce technical debt
  • Strengthen software verification and validation
  • Support secure coding and application security practices
  • Build software that meets both business objectives and user expectations

As AI-assisted software development accelerates code generation, ISO/IEC 25010:2023 provides a consistent framework for ensuring that rapidly produced software remains reliable, maintainable, secure, and fit for production.

What are the nine software product quality characteristics of ISO/IEC 25010:2023?

The ISO/IEC 25010:2023 software product quality model consists of nine quality characteristics:

  • Functional suitability
  • Performance efficiency
  • Compatibility
  • Interaction capability
  • Reliability
  • Security
  • Maintainability
  • Flexibility
  • Safety

Each characteristic is supported by multiple sub-characteristics that help organizations evaluate software quality through software verification, code review, automated testing, static code analysis, and continuous quality improvement.

Together, these characteristics provide a comprehensive framework for evaluating software products throughout development, deployment, and maintenance.

What changed in ISO/IEC 25010:2023?

The 2023 revision modernizes the software product quality model to better reflect today's software engineering practices.

The most significant changes include:

  • Expanding the model from eight to nine software product quality characteristics
  • Replacing Usability with Interaction capability
  • Replacing Portability with Flexibility
  • Introducing Safety as a new top-level quality characteristic
  • Adding new sub-characteristics such as Resistance under Security and Scalability under Flexibility
  • Updating several existing sub-characteristics to better address modern software systems, cloud-native architectures, accessibility, and AI-enabled applications

These updates recognize that modern software must be secure, adaptable, inclusive, resilient, and safe—not simply functional.

What is the difference between product quality and quality in use?

ISO/IEC 25010 distinguishes product quality from quality in use.

Product quality focuses on the intrinsic characteristics of software itself, including functionality, security, maintainability, reliability, performance efficiency, interaction capability, flexibility, and safety.

Quality in use evaluates how effectively users achieve their goals when interacting with the software in real-world contexts. It considers factors such as effectiveness, efficiency, satisfaction, freedom from risk, and context coverage.

Product quality helps ensure software is well engineered, while quality in use evaluates whether it delivers value and positive outcomes for users.

Organizations achieve the best results by improving both models simultaneously.

How does ISO/IEC 25010:2023 relate to application security?

Security remains one of the core software product quality characteristics within ISO/IEC 25010:2023.

The Security characteristic includes:

  • Confidentiality
  • Integrity
  • Non-repudiation
  • Accountability
  • Authenticity
  • Resistance

The framework supports application security by encouraging organizations to integrate security throughout the software development lifecycle using practices such as:

  • Secure coding
  • Static code analysis
  • Vulnerability scanning
  • Code review
  • Continuous security testing
  • Security verification before deployment

Rather than treating security as a final testing activity, ISO/IEC 25010 encourages organizations to make security an integral part of software quality.

How does ISO/IEC 25010 help reduce technical debt?

Technical debt accumulates when software becomes increasingly difficult to understand, modify, test, and maintain.

ISO/IEC 25010 helps organizations reduce technical debt by encouraging practices that improve:

  • Maintainability
  • Reliability
  • Performance efficiency
  • Functional suitability
  • Security
  • Flexibility

Engineering teams reduce long-term maintenance costs by emphasizing:

  • Modular architecture
  • Code refactoring
  • Code cleanup
  • Automated testing
  • Continuous code review
  • Static code analysis
  • Early defect detection

Rather than treating technical debt as an inevitable consequence of rapid development, the framework encourages continuous quality improvement throughout the software lifecycle.

How does ISO/IEC 25010 apply to AI-generated code?

AI coding assistants and autonomous software agents can dramatically increase development velocity, but they also introduce new software quality risks.

AI-generated code may contain:

  • Incorrect business logic
  • Security vulnerabilities
  • Performance inefficiencies
  • Duplicated implementations
  • Poor maintainability
  • Inconsistent coding patterns
  • Excessive complexity

ISO/IEC 25010:2023 provides a structured framework for verifying AI-generated software across all nine quality characteristics rather than focusing solely on functional correctness.

Organizations can use the framework to:

  • Validate functionality
  • Detect security vulnerabilities
  • Improve maintainability
  • Verify performance
  • Assess interaction capability
  • Evaluate reliability
  • Ensure flexibility
  • Consider operational safety

Applying these quality characteristics helps organizations overcome the growing verification bottleneck associated with AI-assisted software development.

What role does code review play in ISO/IEC 25010?

Code review is one of the most effective practices for implementing ISO/IEC 25010.

Reviews help engineering teams identify:

  • Functional defects
  • Security vulnerabilities
  • Reliability issues
  • Maintainability concerns
  • Performance problems
  • Coding standard violations
  • Architecture inconsistencies

When combined with automated static code analysis and testing, code review enables organizations to consistently enforce software quality standards while reducing the number of issues that reach production.

How does ISO/IEC 25010 fit into the software development lifecycle (SDLC)?

ISO/IEC 25010 can be applied throughout every stage of the software development lifecycle.

Requirements

Define measurable software quality objectives alongside functional requirements.

Architecture and design

Design systems that support maintainability, security, reliability, flexibility, interaction capability, and performance efficiency.

Implementation

Apply coding standards, secure coding practices, static analysis, and peer review.

Testing

Verify functional suitability, performance, security, compatibility, reliability, interaction capability, and safety using automated and manual testing.

Deployment

Validate software quality through CI/CD pipelines and production readiness checks.

Maintenance

Continuously improve software through monitoring, refactoring, vulnerability remediation, performance optimization, and technical debt reduction.

Applying ISO/IEC 25010 throughout the SDLC enables organizations to continuously improve software quality instead of relying solely on final testing.

What tools help implement ISO/IEC 25010 in practice?

Organizations typically combine several categories of tools to operationalize ISO/IEC 25010, including:

  • Static code analysis tools
  • Code quality and security platforms
  • Vulnerability scanners
  • Automated testing frameworks
  • Code review platforms
  • CI/CD pipelines
  • Software composition analysis (SCA) tools
  • Performance testing solutions
  • Monitoring and observability platforms

Together, these tools provide the automation, visibility, and feedback necessary to continuously evaluate software quality across multiple characteristics defined by the standard.

How does ISO/IEC 25010 improve software quality in cloud environments?

Modern cloud-native applications operate across distributed systems, APIs, containers, Kubernetes clusters, and multiple cloud providers.

ISO/IEC 25010 helps organizations evaluate cloud software by emphasizing:

  • Performance efficiency under dynamic workloads
  • Compatibility across services and platforms
  • Security throughout distributed architectures
  • Reliability during infrastructure failures
  • Flexibility for evolving deployment environments
  • Maintainability of rapidly changing codebases
  • Safety for mission-critical applications

These characteristics help engineering teams build resilient, scalable, and secure cloud applications while reducing operational complexity.

Is ISO/IEC 25010:2023 still relevant today?

Yes.

In many ways, ISO/IEC 25010:2023 is more relevant than ever.

Organizations today face rapidly increasing software complexity driven by AI-assisted development, cloud-native architectures, microservices, stricter regulatory requirements, and escalating cybersecurity threats.

The updated standard provides a modern framework for evaluating software across nine complementary quality characteristics, helping organizations balance development speed with long-term software quality.

Rather than prescribing specific technologies or development methodologies, ISO/IEC 25010 offers a technology-neutral foundation that complements Agile, DevOps, DevSecOps, cloud-native engineering, and AI-assisted software development.

For organizations seeking to build trustworthy software in an era of accelerating change, ISO/IEC 25010:2023 remains one of the most comprehensive and widely recognized software quality models available.

모든 코드 줄에 신뢰를 구축하라

Rating image

4.6 / 5