Software Quality Standards: ISO 5055 Overview

Encora | February 18, 2022

Poorly designed and developed software can be dangerous at worst and costly at best. Weaknesses in software can damage the operations of a business as well as lead to larger IT costs. In response to these issues, the ISO/IEC 5055:2021 was developed as an international standard for measuring violations of good coding and architecture practices. In this article, we’ll discuss what is ISO/IEC 5055:2021, and why it’s important. 

What is ISO/IEC 5055:2021?

ISO/IEC 5055:201, or ISO 5055 is an international standard for “measuring the quality and integrity of a software system by analyzing its internal construction to detect several structural weaknesses.” It bases this measurement based on four different, “business-critical” factors: security, reliability, performance efficiency, and maintainability. A software’s trustworthiness, dependability, and resiliency will be determined by those four factors. In short, it is a “software quality standard that calculates quality measures based on the number of critical weaknesses in the software.”. 

The four business-critical factors of security, reliability, performance efficiency, and maintainability are part of the Automated Source Code measurement standards developed by CISQ. These were approved by OMG standards. Next, they were changed to include both embedded software weaknesses and IT and combined to form the Automated Source Code Quality Measures standard. This latter standard was submitted by OMG to the International Organization for Standards, which named the protocols as ISO/IEC 5055:2021. In this article, we will be referring to both OMG and the ISO Automated Source Code Quality Measures standards (ISO/IEC 5055:2021) as ISO 5055, since they are both identical. 

Why is ISO 5055 Important?

Imagine that building software is like building a house. If you don’t build it properly, it won’t function properly, and can even be dangerous. Software that’s poorly built won’t work well, which is frustrating to users. However, it can also be a danger to users, if poorly build software results in data leaks or another kind of security breach. When you build a home, there are specific rules or codes you must follow. These pertain to things like the foundation and wiring, etc, because a home without a solid floor and faulty wiring are in danger of falling or catching on fire. 

For software development, part of that building code is ISO 5055. The ISO 5055 is the first international standard for evaluating software systems by taking a look at their internal mechanisms. This is like what a home inspector does; they look at the internal construction and mechanisms of a home to determine if it’s safe or not. The use of the ISO 5055 allows companies to address potentially risky or faulty software design before it becomes operational and potentially causes costly damage. 

ISO 5055 Overview

The following table gives an overview of the software engineering rules that each code quality characteristic contains at the technology level and system level. 

Software quality characteristic

Unit Level

System Level


-Missing initialization

-Incorrect validation of array index

-Incorrect locking

-Failing to use vetted libraries or networks

-Uncontrolled format strings

-Buffer overflow

-Input validation

-SQL injection

-Cross-site scripting

-Secure architecture design compliance


-Error and exception handling

-Complexity of algorithms

-Error-prone programming

-Safe use of inheritance and polymorphism

-Managing allocated resources, timeouts

-Exception handling through transaction

-Protecting state in multi-thread environments

-Resource bounds management

-Null pointers deference detection


-Expensive computations in loops

-Compliance with garbage collection best practices

-Appropriate interactions with expensive or remote resources

-Data access performance and data management

-Centralized handling of client requests

-Use of middle-tier components versus procedures/DB functions

-Algorithm complexity


-Unstructured and duplicated code

-High cyclomatic complexity

-Controlled level of dynamic coding

-Over-parameterization of methods

-Hard coding of literals

-Excessive component size

-Tightly coupled modules

-Strict hierarchy of calling being architectural layers

-Excessive horizontal layers

-Encapsulated data access


ISO 5055 In Relation to the ISO 25000 Series

ISO 5055 is intended to supplement the levels of measurement in the ISO/IEC 25000 series. Also known as SQaRE, the ISO 25000 series uses a set of eight software quality characteristics, including our four from earlier, to measure a software’s quality at a behavioral level. This is different from ISO 5055, which is looking at software at a code level. ISO/IEC 25000 and ISO 5055 are designed to complement each other. 

Engage with Encora

Encora’s team of experts can help your organization stay ahead of cyber security and other risks that come with poorly built software. Evaluate your software for its security, reliability, performance efficiency, and maintainability. Encora can help with this evaluation and then take on any necessary software repairs. Contact us today to get started. 

Insight Content

Share this Post

Featured Insights