ISO 5055 Overview
June 10, 2021

What Is ISO 5055?

Software Quality
Static Analysis

ISO/IEC 5055:2021, titled “Information technology — Software measurement — Software quality measurement — Automated source code quality measures”, is a software quality standard. Software flaws at the technology and system level account for 8% of total errors, but consume over half the effort spent fixing problems that lead to 90% of the most serious production issues. ISO 5055 has been designed to directly measure those critical software flaws.

Here, we explain what is ISO 5055, why it is important, and how to use it to ensure software quality.

Read along or jump ahead to the section that interests you the most:

➡️ Start Your Free Static Code Analysis Trial

What Is ISO 5055?

ISO 5055 is a software quality standard that calculates quality measures based on the number of critical weaknesses in the software. Specifically, it looks at four software quality characteristics: security, reliability, performance efficiency, and maintainability.

📕 Related Resource: Learn more about which software quality metrics matter.

Why Is ISO 5055 Important?

ISO 5055 is important because it helps determine the trustworthiness, dependability, and resilience of software application at both a system and component level. This enables organizations — such as financial institutions, governments, telecoms, and manufacturers — to avoid disruptions, reputational damage, or excessive IT costs. In addition to IT systems, it is also applicable to embedded software which is important due to the growth of embedded devices and the Internet of Things.

ISO 5055 can also be used as an indicator of the amount of risk that an organization is exposed to through its software applications.

How CWE Relates to ISO 5055

Each of the software quality characteristics — security, reliability, performance efficiency, and maintainability — are measured by a prespecified set of weaknesses that are defined in the Common Weakness Enumeration (CWE) list. The CWEs included in ISO 5055 are those identified as the most critical, such as SQL injection and buffer overflow.

Find the full list of CWE weaknesses included in ISO 5055.

📕 Related Resource: Learn more about what’s included in the CWE list.

ISO 5055 Overview

The following table outlines the major categories of weaknesses measured for each of the software quality characteristics.

Software Quality Characteristic

Unit Level

Technology Level

System Level


  • Missing initialization
  • Improper validation of array index
  • Improper locking
  • Failure to use vetted libraries or frameworks
  • Uncontrolled format string
  • Use of hard-coded credentials
  • References to release resources
  • Buffer Overflow
  • Input validation
  • SQL injection
  • Cross-site scripting
  • Secure architecture design compliance


  • Error and Exception handling
  • Complexity of algorithms
  • Error prone programming
  • Safe use of inheritance and polymorphism
  • Managing allocated resources, timeouts
  • Multi-layer design compliance
  • Software manages data integrity and consistency


  • Exception handling through transactions
  • Protecting state in multi-threaded environments
  • Resource bounds management
  • Null pointers dereference detection


  • Expensive computations in loops
  • Compliance with garbage collection best practices
  • Compliance with object-oriented best practices
  • Compliance with SQL best practices
  • Memory, network, and disk space management


  • Appropriate interactions with expensive or remote resources
  • Data access performance and data management
  • Centralized handling of client requests
  • Use of middle tier components versus procedures/DB functions
  • Algorithm complexity


  • High cyclomatic complexity
  • Over-parameterization of methods
  • Hard coding of literals
  • Excessive component size
  • Unstructured and duplicated code
  • Controlled level of dynamic coding
  • Compliance with OO best practices
  • Tightly coupled modules
  • Strict hierarchy of calling between architectural layers
  • Excessive horizontal layers
  • Encapsulated data access



How ISO 5055 Relates to ISO 25000 series

ISO 25010 presents a software quality model which defines a set of software quality characteristics.  ISO/IEC 25023 defines software measures for the quality model in ISO 25010, but only at the behavioral level. ISO 5055 supplements this by defining measures to be applied at source code level for the software quality characteristics: security, reliability, performance efficiency, and maintainability to conform to the definitions in ISO 25010 which adds product level measurement.

📕 Related Resource: Learn about the software quality characteristics outlined in ISO 25010.

Use Static Code Analysis to Support ISO 5055

A static code analysis tool — such as Helix QAC and Klocwork — is essential for ensuring software quality. By using a static code analysis tool, you are able to identify software security weaknesses, verify compliance with coding guidelines, and provide evidence of that compliance.

By identifying the weaknesses described in CWE and the use of coding standards such as AUTOSAR, and MISRA  you can detect both security issues and general deficiencies in your code. In addition, by using a static code analysis tool, you are also able to verify compliance with coding standards and provide evidence that compliance requirements have been met.

By using a static code analyzer — like Helix QAC and Klocwork — you are able to ensure software quality by:

  • Enforcing coding standards and detecting rule violations.
  • Detecting weaknesses, errors, and compliance issues earlier in development.
  • Accelerating code reviews and manual testing efforts.
  • Reporting on compliance over time and across product versions.

See how Helix QAC and Klocwork can help you improve your software quality. Register for a free trial.

➡️ static analysis free trial