Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
ISO 25089:2025 — Software Quality Requirements Specification
Best Practices for Defining and Managing Software Quality Requirements in Agile and AI-Enabled Systems
ISO 25089:2025 provides a comprehensive framework for specifying software quality requirements, with a particular focus on the quality requirements engineering process within agile and iterative development contexts. As the latest addition to the SQuaRE 2503n requirements division, it consolidates and extends the guidance previously distributed across multiple SQuaRE documents into a unified, practitioner-focused standard. It addresses the growing need for rigorous quality requirements specification in domains ranging from embedded systems to cloud-native applications.
ISO 25089:2025 is the go-to standard for organizations that need to produce high-quality software requirements specifications (SRS) with measurable quality criteria. It is designed to be used with ISO 25010 for the quality model, ISO 25003 for the requirements engineering process, and ISO 25086-1 for the measurement process.
Understanding ISO 25089 and Its Quality Requirements Specification Framework
ISO 25089:2025 introduces a structured quality requirements specification (QRS) framework that extends traditional software requirements specification (SRS) approaches. The framework defines three specification levels: quality requirements overview (system-level quality goals and constraints), detailed quality requirements (measurable quality criteria for each quality characteristic), and quality requirements traceability (links between quality requirements, design decisions, verification methods, and risk assessments).
The 2025 edition places particular emphasis on quality requirements for systems incorporating artificial intelligence and machine learning components. It introduces novel requirement categories for AI-specific quality attributes such as explainability, fairness, robustness, and data quality. This forward-looking scope makes ISO 25089:2025 one of the first international standards to address AI software quality requirements in a structured, measurable manner.
| Quality Requirements Category | Description | Example Requirement | Verification Approach |
|---|---|---|---|
| Functional Quality | Accuracy and correctness of functional behavior | Recommendation relevance precision >= 0.85 | A/B testing with ground truth data |
| Performance Quality | Response time, throughput, resource utilization | p99 latency < 200ms under 10K RPS | Load testing with distributed agents |
| AI Explainability | Ability to explain model decisions | SHAP or LIME explanations available for all predictions | Explainability coverage audit |
| Fairness | Absence of bias across demographic groups | Demographic parity ratio within [0.8, 1.25] for all groups | Bias audit with stratified evaluation |
| Data Quality | Completeness, consistency, and accuracy of training data | Label accuracy >= 0.99 for training dataset | Statistical sampling and manual verification |
| Resilience | Graceful degradation under partial failure | System maintains 50% throughput during 3-node failure in 10-node cluster | Chaos engineering experiments |
Engineering Design Insights for Quality Requirements Specification
A key engineering contribution of ISO 25089:2025 is the quality requirements pattern catalog. The standard provides reusable requirement patterns organized by quality characteristic and application domain. Each pattern includes a structured template with placeholders for context-specific parameters, measurement thresholds, and verification conditions. For example, a performance quality pattern for a web service would include templates for specifying latency percentiles, throughput requirements, and concurrency limits, with guidance on appropriate threshold values for different service tiers (critical, standard, best-effort).
Using the quality requirements patterns from ISO 25089 can reduce the time required to produce a comprehensive quality requirements specification by 40-50%, while simultaneously improving specification completeness and reducing ambiguity. Patterns ensure that critical quality dimensions are not overlooked.
The standard also introduces the requirements verification maturity model, which classifies quality requirements based on their verifiability. Level 0 requirements are unverifiable statements (e.g., “the system should be user-friendly”). Level 1 requirements have defined metrics but no threshold values. Level 2 requirements have defined metrics and thresholds but no specified verification method. Level 3 requirements are fully specified with metrics, thresholds, and verification methods. ISO 25089 mandates that all quality requirements in a specification must be at least Level 2, with critical requirements achieving Level 3.
Another important design insight is the requirements conflict resolution framework. Quality requirements often conflict — for example, security requirements that mandate encryption may conflict with performance requirements for low latency. ISO 25089 provides a structured conflict resolution process that involves: (1) identifying conflicting requirements through automated or manual analysis, (2) quantifying the trade-off using measurable attributes, (3) facilitating stakeholder negotiation with empirical trade-off data, and (4) documenting the resolution rationale in the requirements specification.
Practical Implementation: Writing Quality Requirements with ISO 25089
Implementing ISO 25089 in practice involves adopting its specification templates and integrating them into the requirements management workflow. Organizations should create or configure requirements management tools (e.g., Jira, Jama, IBM DOORS) with ISO 25089-compliant templates that enforce the standard’s structure: unique identifier, quality characteristic mapping, condition of use, required level, expected level, verification method, and priority. Each requirement should also include a rationale field explaining why the specific threshold was chosen, linking back to stakeholder needs or regulatory requirements.
The standard also recommends conducting quality requirements reviews at defined checkpoints in the development lifecycle. These reviews assess specification completeness (are all relevant quality characteristics addressed?), verifiability (can each requirement be objectively tested?), consistency (are there conflicting requirements?), and traceability (is each requirement linked to a stakeholder need or regulatory mandate?). ISO 25089 provides detailed review checklists and acceptance criteria for each review type.
A common pitfall in quality requirements specification is the “everything is critical” fallacy, where all quality requirements are assigned the highest priority. This renders prioritization meaningless and leads to resource dilution across too many competing quality objectives. ISO 25089 recommends that no more than 20% of quality requirements be classified as critical, forcing explicit trade-off decisions and ensuring that truly critical requirements receive adequate attention and resources.
Q1: How does ISO 25089 differ from ISO 25003?
A: ISO 25003 focuses on the process of quality requirements engineering (the how), while ISO 25089 focuses on the specification artifact (the what). ISO 25089 provides templates, patterns, and quality criteria for writing the requirements document itself, whereas ISO 25003 describes the process for eliciting and validating those requirements.
A: ISO 25003 focuses on the process of quality requirements engineering (the how), while ISO 25089 focuses on the specification artifact (the what). ISO 25089 provides templates, patterns, and quality criteria for writing the requirements document itself, whereas ISO 25003 describes the process for eliciting and validating those requirements.
Q2: Is ISO 25089 applicable to AI/ML systems?
A: Yes. The 2025 edition includes specific guidance and requirement templates for AI quality attributes including explainability, fairness, model robustness, and training data quality. This makes it one of the first SQuaRE standards to explicitly address AI software quality requirements.
A: Yes. The 2025 edition includes specific guidance and requirement templates for AI quality attributes including explainability, fairness, model robustness, and training data quality. This makes it one of the first SQuaRE standards to explicitly address AI software quality requirements.
Q3: What tool support is available for ISO 25089?
A: Most modern requirements management tools (Jira with adapters, Jama, DOORS Next Generation) can be configured with custom fields and templates that implement ISO 25089’s specification structure. Some vendors offer pre-built ISO 25000 template packs.
A: Most modern requirements management tools (Jira with adapters, Jama, DOORS Next Generation) can be configured with custom fields and templates that implement ISO 25089’s specification structure. Some vendors offer pre-built ISO 25000 template packs.
Q4: How do I handle conflicting quality requirements?
A: ISO 25089 provides a structured conflict resolution process: identify conflicts through automated analysis, quantify trade-offs with measurable attributes, facilitate data-driven stakeholder negotiation, and document the resolution rationale. Trade-off analysis tables are included in the standard.
A: ISO 25089 provides a structured conflict resolution process: identify conflicts through automated analysis, quantify trade-offs with measurable attributes, facilitate data-driven stakeholder negotiation, and document the resolution rationale. Trade-off analysis tables are included in the standard.