An Exploration of the ISO/IEC 25010 Software Quality Model


Ensuring software quality today is paramount. From seamless user experiences to robust functionality, software quality directly impacts user satisfaction, organizational efficiency, and even safety critical systems. 

There are many software quality models and frameworks for measuring software quality. One of the most commonly adhered to is the ISO/IEC 25010 Software Quality Model, which offers a comprehensive framework to evaluate and improve software product quality.

Let’s take a deep dive into the product quality model ISO/IEC 25010, unraveling its significance and shedding light on how your software development team can use it to unlock excellence and uphold code quality standards. 

Understanding ISO/IEC 25010 Components

The ISO/IEC 25010 Software Quality Model, developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), provides a systematic approach to assessing and measuring software quality. 

Originally derived from the earlier ISO/IEC 9126 standard, ISO/IEC 25010 offers a more comprehensive and updated framework for evaluating software characteristics and sub-characteristics.

ISO/IEC 25010 organizes software quality into two dimensions: product quality and quality in use. By considering both product quality and quality in use, organizations can adopt a holistic approach to software quality assurance, ensuring that their products meet technical specifications and deliver value and satisfaction to end-users.

Product Quality

Product quality refers to the inherent characteristics of the software product itself. It encompasses functionality, reliability, usability, efficiency, maintainability, and portability. These characteristics are evaluated based on predefined criteria and metrics to assess how well the software meets its intended quality requirements and objectives.

By examining product quality characteristics, organizations can better understand their software's strengths and weaknesses, enabling them to make informed decisions about enhancements, optimizations, and future development efforts.

Quality in Use

Quality in use, on the other hand, shifts focus from the inherent characteristics of the software product to its effectiveness and the satisfaction it produces in real-world usage scenarios. It considers users' satisfaction, productivity, efficiency, and safety as they interact with the software in its intended environment.

Unlike product quality, which is evaluated based on predefined criteria, quality in use is subjective and context-dependent. It requires gathering feedback from users and stakeholders to understand their experiences, preferences, and needs.


Product Quality Characteristics

Product quality relates to the static and dynamic properties of the software itself. It is divided into eight characteristics.

Functional Suitability

Functional Suitability pertains to the capability of a system or computer program to deliver functions that address both explicit and implicit user requirements.

  • Functional Completeness evaluates the inclusivity of functions covering all designated tasks and user objectives without omission.
  • Functional Correctness evaluates whether the product delivers correct results with the required degree of precision.
  • Functional Appropriateness examines the effectiveness of functions in accomplishing designated tasks and objectives within the intended context.

Reliability

Reliability focuses on the dependability of a system, product, or component in executing predefined functions under stipulated conditions.

  • Maturity evaluates the readiness of a system, product, or component to meet reliability needs satisfactorily.
  • Availability assesses the operational state and accessibility of a system, product, or component.
  • Fault Tolerance gauges the system's operational continuity despite potential hardware or software faults.
  • Recoverability evaluates the system's capability to retrieve data following interruptions or failures.

Performance Efficiency

Performance Efficiency involves the optimization of resource utilization concerning the performance output of a system or product.

  • Time Behavior focuses on the system's response, processing times, and throughput rates during operational phases.
  • Resource Utilization concerns the effective utilization of resources, such as CPU, memory, and network bandwidth, during system operation.
  • Capacity evaluates whether the maximum limits of a system parameter meet requirements.

Usability

Usability assesses the ease and effectiveness with which users can achieve predefined goals using a product or system.

  • Appropriateness Recognizability examines the user's ability to discern the product's suitability for their requirements.
  • Learnability evaluates the ease of learning to use the product or system effectively, particularly in emergencies.
  • Operability measures the ease of operation and control of the product or system.
  • User Error Protection gauges the system's safeguards against user errors to minimize their occurrence and impact.
  • User Interface Aesthetics evaluates the aesthetic appeal of the user interface and its impact on user engagement.
  • Accessibility evaluates the product's usability across various user characteristics and capabilities.

Security

Security refers to protecting information and data from potential security vulnerabilities.

  • Confidentiality focuses on ensuring that data remains accessible only to authorized individuals.
  • Integrity evaluates the system's capability to prevent unauthorized access or modification to data and programs.
  • Non-repudiation ensures that actions or events can be irrefutably proven to have occurred.
  • Accountability refers to the traceability of unauthorized actions back to their originator.
  • Authenticity concerns the verification of a subject or resource's identity.

Compatibility

Compatibility assesses a product, system, or component's ability to exchange information and perform its functions seamlessly within a shared hardware or software environment.

  • Co-existence evaluates a product's ability to operate efficiently alongside other products without adverse effects.
  • Interoperability examines the seamless exchange of information and its utilization across multiple systems and software components.

Maintainability

Maintainability evaluates a product or system's ease of modification to enhance, correct, or adapt to environmental or requirement changes.

  • Modularity assesses the extent to which system components can be altered with minimal impact on others.
  • Reusability concerns the potential for assets to be utilized across multiple systems.
  • Analysability evaluates the effectiveness of impact assessments on planned changes and the system's diagnosability for deficiencies.
  • Modifiability examines the ease of system modification without compromising quality.
  • Testability concerns the effectiveness of establishing test criteria and conducting tests to ascertain compliance.

Portability

Portability evaluates a system, product, or component's ease of transfer between different environments.

  • Adaptability examines the system's ability to adapt to diverse or evolving hardware, software, and usage environments.
  • Installability evaluates the system's success in installation and uninstallation processes.
  • Replaceability gauges a product's potential to substitute another comparable product effectively.

Quality in Use Characteristics 

Quality in use relates to the outcome of human interaction with the software. It is divided into five characteristics.

Effectiveness

Effectiveness refers to how software enables users to achieve specific goals wholly and accurately within a given context. It focuses on the software's ability to facilitate successful task completion and attain desired outcomes, ultimately contributing to user productivity and satisfaction.

  • Task Completion ensures that users can perform intended actions accurately and efficiently to achieve desired results, enhancing overall system effectiveness.
  • Accuracy and Precision involves delivering results that align precisely with user expectations and requirements, minimizing errors and discrepancies to enhance user confidence and trust in the software's capabilities.
  • Goal Achievement involves providing necessary functionalities and support to enable users to accomplish tasks and achieve desired outcomes, ensuring user satisfaction and system success.

Efficiency

Efficiency pertains to optimizing resources and effort expended by users in accomplishing tasks with the software. It emphasizes minimizing the time, energy, and cognitive load required to achieve desired outcomes, enhancing user productivity and overall system performance.

  • Resource Utilization evaluates how effectively the software uses system resources such as CPU, memory, and network bandwidth during task execution. Optimizing resource usage ensures efficient operation and prevents waste, contributing to overall system efficiency.
  • Time Optimization involves streamlining workflows, reducing latency, and enhancing system responsiveness to facilitate faster task execution and improve user efficiency.
  • Workflow Efficiency assesses the smoothness and effectiveness of user interactions within the software. It involves eliminating unnecessary steps, reducing user effort, and providing intuitive navigation to enhance workflow efficiency and user productivity.

Satisfaction

Satisfaction reflects users' subjective perceptions and feelings regarding their interaction with the software. It encompasses usability, aesthetics, and emotional responses, influencing user engagement, loyalty, and overall satisfaction with the software experience.

  • Usefulness evaluates users' satisfaction with their perceived achievement of pragmatic goals, including the results and consequences of use.
  • Trust assesses how confident the user is that a product will behave as intended.
  • Pleasure assesses the degree to which a user obtains pleasure from fulfilling their personal needs.
  • Comfort assesses the degree to which the user is satisfied with physical comfort.

Freedom from Risk

Freedom from risk refers to how well software mitigates or eliminates potential hazards, errors, or adverse consequences arising from its use. It ensures user safety, data integrity, and protection against security threats, enhancing user trust and confidence in the software's reliability and security.

  • Economic Risk Mitigation measures the degree to which a product or system mitigates the potential risk to financial status, efficient operation, commercial property, reputation, or other resources in the intended contexts of use.
  • Health and Safety Risk Mitigation assesses the degree to which a product or system mitigates the potential risk to people in the intended contexts of use.
  • Environmental Risk Mitigation measures the degree to which a product or system mitigates the potential risk to property or the environment in the intended contexts of use.

Context Coverage

Context coverage evaluates the software's suitability and adaptability across various usage contexts and environmental conditions. It considers factors such as the diversity of users, tasks, and operating environments, ensuring that the software remains practical and usable across different scenarios and user groups.

  • Context Completeness assesses the effectiveness, efficiency, freedom from risk, and satisfaction in all contexts of use.
  • Flexibility assesses the effectiveness, efficiency, freedom from risk, and satisfaction in contexts not originally specified in the requirements.

ISO/IEC 25010 in Modern Engineering Systems

ISO/IEC 25010 defines a software product quality model for evaluating and assessing system quality, and engineering teams typically apply it as a framework for assessing software quality.

Engineering teams commonly implement controls that align with its characteristics using automated enforcement mechanisms. Static analysis rules, CI/CD quality gates, security scanning, and repository-wide policy enforcement are typical instances of automated engineering controls.

Translating ISO/IEC 25010 into engineering quality signals

ISO/IEC 25010 defines quality dimensions. However, teams need to translate them into measurable indicators and enforceable engineering controls to make them operational in practice.

Below is an illustration of how ISO 25010 moves from theory into day-to-day engineering operations:

ISO/IEC 25010 characteristic                                            | Common engineering control areas
------------------------------------------------------------------------|------------------------------------------------------------------
Reliability (maturity, fault tolerance, recoverability)                 | Automated testing, resilience testing, production monitoring signals
Security (confidentiality, integrity, authenticity, accountability)     | Software composition analysis (SCA), continuous static application security testing (SAST), secret detection, vulnerability scanning, dynamic application security testing (DAST)
Maintainability (modularity, analyzability, modifiability, testability) | Static analysis, code review, linting, complexity checks
Functional suitability (completeness, correctness, appropriateness)     | Requirements validation, functional testing, acceptance testing
Compatibility (co-existence, interoperability)                          | Integration testing, dependency management, interoperability testing
Usability (learnability, operability, accessibility)                    | UX testing, accessibility evaluation, user feedback loops
Portability (adaptability)                                              | Cross-platform builds, containerization, environment abstraction
Performance efficiency (time behavior, resource utilization, capacity)  | Load testing, profiling, performance monitoring

These control areas are increasingly integrated into engineering pipelines to continuously evaluate software against ISO/IEC 25010 quality dimensions.

AI development and ISO/IEC 25010

Coding agents increase software output dramatically and have changed how software is produced and reviewed. As code volume grows, engineering teams rely more heavily on automated reviews and verification mechanisms, especially as implementation patterns become less consistent between repositories.

Naturally, this shifts the problem into the quality space described by ISO/IEC 25010. The risk is now that rapid code generation may erode consistency and maintainability unless review and verification practices evolve at the same pace. ISO/IEC 25010 characteristics must still be preserved.

This change aligns with broader industry approaches to AI-assisted development, which hold that, as automated generation increases, software quality must also be evaluated through the system's ability to maintain its defined characteristics under changing conditions (evolving inputs, outputs, and behavior).

How Teams Implement ISO/IEC 25010

ISO/IEC 25010 becomes operational when its quality characteristics are continuously supported by engineering practices that act as enforcement mechanisms. In modern engineering, “enforcement” typically extends beyond “correctness” to the preservation of the product's quality characteristics.

These mechanisms are commonly grouped into four areas:

  • Design-time enforcement (architecture + constraints): Engineers can pre-shape ISO/IEC 25010 characteristics (rather than inspection later on) through architectural decisions, coding standards, and style guides, as well as security constraints defined upfront. With coding agents, this layer remains critical, but it must be explicitly encoded so that AI-generated implementations adhere to system-level constraints rather than just local correctness.

  • Implementation-time enforcement (code generation + peer review): Traditionally, software quality controls aligned with ISO/IEC 25010 characteristics are applied at implementation and review stages. Nowadays, with coding agents generating large portions of implementation, humans still perform peer reviews, though the scope of review may increasingly be supported by automated systems. This shifts enforcement's emphasis to ensuring that review practices continue to adequately verify that the implemented changes satisfy the relevant quality characteristics.

  • Tooling enforcement (CI/CD, static analysis, automated checks): In many modern engineering environments, this is one of the most consistently applied layers. Including linting rules, security scanning, static analysis, etc., these mechanisms implement automated checks that help enforce engineering rules derived from quality requirements aligned with ISO/IEC 25010 characteristics. With coding agents, this layer becomes more important because of its inherent scalability.

  • Runtime enforcement (observability + production feedback): Quality checks can also take place after deployment. Here, real-world application behavior is monitored against expected reliability, security, and performance objectives derived from ISO/IEC 25010 characteristics. Monitoring, incident detection, telemetry, etc. are all signals at this layer. In some agent-heavy development workflows, this layer may play a larger role in detecting issues that escape earlier stages.
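The table above lists control areas per characteristic, and the tooling-enforcement layer is where those controls become an automated check. The following is an added example, not Codacy's code or part of the original article, of what that translation looks like in a CI quality gate: each ISO/IEC 25010 sub-characteristic is tied to a measurable indicator and a threshold, and a merged scan report is evaluated against them. The report schema, metric names (`sast.high`, `sca.vulnerable_dependencies`, and so on), and the threshold values are assumptions chosen for illustration; the mapping itself is a team decision, since the standard does not prescribe one.

```python
"""Added example: a CI quality gate mapping ISO/IEC 25010 sub-characteristics
to measurable indicators. Report schema, metric names and thresholds are
assumptions constructed for this example, not any tool's real format."""
import json
from dataclasses import dataclass
from typing import Any, Callable

# Constructed sample: a merged report a CI job might assemble from its
# test runner, SAST/SCA/secret scanners, and a profiling step.
SAMPLE_REPORT_JSON = """
{
  "tests":      {"failed": 0, "line_coverage": 0.83},
  "sast":       {"high": 0, "medium": 3},
  "secrets":    {"detected": 0},
  "sca":        {"vulnerable_dependencies": 1},
  "complexity": {"max_cyclomatic": 22},
  "perf":       {"p95_latency_ms": 240}
}
"""
SAMPLE_REPORT: dict = json.loads(SAMPLE_REPORT_JSON)


@dataclass(frozen=True)
class Indicator:
    characteristic: str        # ISO/IEC 25010 product quality characteristic
    sub_characteristic: str    # the sub-characteristic this indicator evidences
    metric: str                # dotted path into the report (assumed schema)
    passes: Callable[[float], bool]
    rule: str                  # human-readable threshold, for gate output


# The mapping is the team's choice; ISO/IEC 25010 does not prescribe metrics.
QUALITY_GATE: list[Indicator] = [
    Indicator("Security", "Confidentiality", "secrets.detected", lambda v: v == 0, "== 0"),
    Indicator("Security", "Integrity", "sast.high", lambda v: v == 0, "== 0"),
    Indicator("Security", "Integrity", "sca.vulnerable_dependencies", lambda v: v == 0, "== 0"),
    Indicator("Reliability", "Maturity", "tests.failed", lambda v: v == 0, "== 0"),
    Indicator("Maintainability", "Testability", "tests.line_coverage", lambda v: v >= 0.80, ">= 0.80"),
    Indicator("Maintainability", "Analysability", "complexity.max_cyclomatic", lambda v: v <= 15, "<= 15"),
    Indicator("Performance efficiency", "Time behaviour", "perf.p95_latency_ms", lambda v: v <= 300, "<= 300"),
]


@dataclass(frozen=True)
class Result:
    indicator: Indicator
    value: Any
    ok: bool


def lookup(report: dict, path: str) -> Any:
    """Resolve a dotted path in the report; None if any segment is missing."""
    node: Any = report
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def evaluate(report: dict, gate: list[Indicator] = QUALITY_GATE) -> list[Result]:
    """Evaluate every indicator. A missing metric fails closed: a scanner that
    did not run is not evidence that the characteristic is preserved."""
    results = []
    for ind in gate:
        value = lookup(report, ind.metric)
        ok = value is not None and bool(ind.passes(value))
        results.append(Result(ind, value, ok))
    return results


def failed_sub_characteristics(results: list[Result]) -> list[str]:
    return [f"{r.indicator.characteristic}/{r.indicator.sub_characteristic}"
            for r in results if not r.ok]


def gate_passes(results: list[Result]) -> bool:
    return all(r.ok for r in results)


def summarize(results: list[Result]) -> dict[str, int]:
    """Count failed indicators per characteristic, grouped like the table above."""
    out: dict[str, int] = {}
    for r in results:
        out.setdefault(r.indicator.characteristic, 0)
        if not r.ok:
            out[r.indicator.characteristic] += 1
    return out


if __name__ == "__main__":
    results = evaluate(SAMPLE_REPORT)
    for r in results:
        status = "PASS" if r.ok else "FAIL"
        print(f"[{status}] {r.indicator.characteristic:<22} {r.indicator.sub_characteristic:<16} "
              f"{r.indicator.metric}={r.value} (rule {r.indicator.rule})")
    print("gate:", "PASS" if gate_passes(results) else "FAIL", summarize(results))
    # Non-zero exit blocks the merge in a CI pipeline.
    raise SystemExit(0 if gate_passes(results) else 1)
```

Run as a pipeline step, the script exits non-zero when any indicator fails, which is what makes the ISO/IEC 25010 characteristic enforceable rather than merely described. On the constructed report it fails on Security/Integrity (one vulnerable dependency) and Maintainability/Analysability (cyclomatic complexity above the limit). The fail-closed handling of missing metrics matters in agent-heavy workflows: a scanner silently skipped on one repository must not read as a pass.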

ISO 25010 in Practice 

ISO 25010 is an excellent addition for software teams who want a framework for evaluating software product quality. By breaking down quality characteristics into sub-characteristics, developers can go on to translate abstract goals into measurable expectations and software metrics that make sense for their projects.

However, ISO/IEC 25010 does not provide a comprehensive and systematic mapping of sub-characteristics to software metrics. This is deliberate: quality is contextual, and acceptable trade-offs differ between different types of systems and operational environments. For example, the quality requirements for high-frequency trading systems differ significantly from those for safety-critical embedded systems in aviation or healthcare.

The stakes in each development project are different and call for different priorities, metrics, and contingency plans. Consequently, engineering teams are in charge of defining how quality is enforced in practice and ensuring that it is consistent across rapidly changing codebases.

Codacy for compliance enforcement

Codacy supports automated quality and security enforcement by embedding these controls directly into the development workflow. Through static analysis, configurable rules, and coding standards, engineering teams can define requirements that reflect their internal quality and security objectives. These are evaluated automatically at pull request level and through repository-level checks.

From a compliance and governance perspective, Codacy provides relevant visibility, reporting, and policy enforcement capabilities, including:

  • Continuous and integrated SAST, SCA, secret detection, IaC, container, and DAST scanning
  • Support for secure development practices through automated scanning, pull request enforcement, and repository-level quality controls
  • Centralized visibility into detected issues (security findings, AI coding policies, and compliance posture across repositories)
  • Audit-ready reporting and exportable SBOM outputs
  • AI inventory for models, libraries, API keys, MCP servers, and coding tools used across the codebase
  • AI coding policy checks to identify risks such as unapproved models, vulnerable libraries, and unsafe AI-generated code
  • SOC 2 and GDPR-compliant
  • Continuous feedback across IDE, Git workflows, containers, and runtime environments

ISO/IEC 25010 gives teams a structured way to think about software quality. But in modern engineering environments, the differentiator is whether those quality expectations are actually enforced in day-to-day development.

Codacy’s role is to make that enforcement continuous by applying quality and security rules consistently through automated scanning, policy checks, and reportable results across the development workflow. To see how it works, start your free 14-day Codacy trial today. 
