Software Improvement Group is compliant with, and co-editor of, leading global standards.
Software Improvement Group (SIG) operates the world’s first and only laboratory accredited under ISO/IEC 17025 for software quality analysis, certified in collaboration with TÜViT.
Our lab meets the strict international standards for testing and calibration laboratories. We use standardized, repeatable measurements of source code based on globally recognized ISO/IEC standards, including ISO/IEC 25010 for software quality, ISO/IEC 5055 for code quality, and ISO/IEC 27001 for information security management. In addition, we co-developed ISO/IEC 5338, the new global standard for AI lifecycle management, and actively collaborate with NEN on developing and refining ISO and NPR guidance for software and systems engineering, as well as AI and big data standards.
Our quality models provide concrete, measurable guidance for improving software quality and security.
SIG uses a standardized, repeatable methodology to measure source code quality against the ISO/IEC 25010 standard. Our maintainability quality model, built on ISO/IEC 25010, is independently certified by TÜViT, giving reliable, comparable outcomes for software assessments across technologies, system sizes, and development teams in both cloud and on-premise environments.
SIG operates an independent software evaluation laboratory governed by a Quality Management System compliant with ISO/IEC 17025 for testing and calibration laboratories. Our lab is accredited by TÜViT specifically for software quality analysis, confirming that our procedures and results meet stringent international requirements for reliable, repeatable software assessments worldwide.
ISO/IEC 5338 defines processes and concepts for managing the full life cycle of AI systems based on machine learning and heuristic techniques. It extends ISO/IEC/IEEE 15288 and 12207 with AI-specific processes from ISO/IEC 22989 and 23053. Software Improvement Group proudly led the international expert group drafting this standard in practice.
ISO/IEC 27001 is the leading international standard for information security management systems (ISMS). It specifies the requirements an ISMS must meet and provides guidance for organizations of any size and sector to establish, implement, maintain, and continually improve structured controls that protect information confidentiality, integrity, and availability, reflecting widely recognized best practices.
We analyze system properties through in-depth reviews of source code, infrastructure, and supporting artifacts such as documentation. From these analyses, we derive scores for key system characteristics and map them to the OWASP Top 10, highlighting the most critical web application security risks and guiding targeted risk reduction over time.
For over a decade, Software Improvement Group has closely collaborated with NEN, the Royal Netherlands Standardization Institute. We contribute to the development and refinement of ISO standards and NPR publications covering software and systems engineering, as well as emerging domains such as AI and big data for industry and government.
We maintain a dedicated ‘SIG Privacy Management/PII Data Processing Register (GDPR)’ that is reviewed and updated annually. In addition, we have defined procedures for conducting data protection impact assessments and managing privacy across engagements, ensuring personal data is processed transparently, lawfully, and with appropriate technical and organizational safeguards over time.
We have built a benchmarking system that maps CWEs to CVSS scores using historical CVE data from the last five years. This effectively creates expert-judgment benchmarks, using real-world vulnerability information to prioritize and score potential weaknesses more accurately before they develop into exploitable security issues in production systems for clients.
We use the National Vulnerability Database (NVD) as our authoritative source for CVSS scoring. The NVD provides standardized severity ratings from 0.0 to 10.0, along with rich metadata, helping us interpret vulnerabilities consistently and prioritize remediation work based on their potential impact on systems, applications, and supporting infrastructure for clients.
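As an added illustration of the approach described above (example code written for this page, not SIG's own tooling), the following Python builds a per-CWE benchmark from constructed NVD-style records limited to a five-year window and uses it to rank static-analysis findings. The record shape, the choice of the median as the benchmark statistic, the assessment date and the fallback score for unbenchmarked CWEs are all assumptions.

```python
from datetime import date
from statistics import median

# Constructed sample records shaped like NVD entries (CVE id, CWE, CVSS base
# score, publication date). The ids are placeholders, not real CVE numbers.
SAMPLE_CVES = [
    {"id": "CVE-PLACEHOLDER-0001", "cwe": "CWE-79",  "cvss": 6.1, "published": date(2021, 3, 4)},
    {"id": "CVE-PLACEHOLDER-0002", "cwe": "CWE-79",  "cvss": 5.4, "published": date(2022, 8, 19)},
    {"id": "CVE-PLACEHOLDER-0003", "cwe": "CWE-79",  "cvss": 6.1, "published": date(2023, 1, 30)},
    {"id": "CVE-PLACEHOLDER-0004", "cwe": "CWE-79",  "cvss": 4.8, "published": date(2018, 5, 2)},
    {"id": "CVE-PLACEHOLDER-0005", "cwe": "CWE-89",  "cvss": 9.8, "published": date(2023, 11, 7)},
    {"id": "CVE-PLACEHOLDER-0006", "cwe": "CWE-89",  "cvss": 8.8, "published": date(2020, 2, 14)},
    {"id": "CVE-PLACEHOLDER-0007", "cwe": "CWE-89",  "cvss": 7.5, "published": date(2017, 9, 9)},
    {"id": "CVE-PLACEHOLDER-0008", "cwe": "CWE-787", "cvss": 7.8, "published": date(2022, 6, 21)},
    {"id": "CVE-PLACEHOLDER-0009", "cwe": "CWE-22",  "cvss": 7.5, "published": date(2016, 12, 1)},
]

# Fixed assessment date (assumed) so the five-year window is reproducible.
ASSESSMENT_DATE = date(2024, 6, 1)

def window_start(today, years=5):
    """First day of the look-back window; 29 Feb falls back to 28 Feb."""
    try:
        return today.replace(year=today.year - years)
    except ValueError:
        return today.replace(year=today.year - years, day=28)

def cwe_benchmark(records, today, years=5):
    """Median CVSS base score per CWE over CVEs published in the last `years` years.
    CWEs with no recent CVEs are left out so callers must fall back explicitly."""
    cutoff = window_start(today, years)
    by_cwe = {}
    for rec in records:
        if rec["published"] >= cutoff:
            by_cwe.setdefault(rec["cwe"], []).append(rec["cvss"])
    return {cwe: round(median(scores), 1) for cwe, scores in by_cwe.items()}

def prioritize(findings, benchmark, default=5.0):
    """Rank findings (location, CWE) by benchmark score, highest first.
    Returns (location, cwe, score, benchmarked); unbenchmarked CWEs get `default`."""
    ranked = []
    for location, cwe in findings:
        score = benchmark.get(cwe)
        ranked.append((location, cwe, default if score is None else score, score is not None))
    return sorted(ranked, key=lambda f: f[2], reverse=True)

if __name__ == "__main__":
    bench = cwe_benchmark(SAMPLE_CVES, ASSESSMENT_DATE)
    findings = [("a.py:10", "CWE-79"), ("b.py:3", "CWE-89"), ("c.py:7", "CWE-22")]
    for finding in prioritize(findings, bench):
        print(finding)
```

Findings whose CWE has no recent CVE history are flagged (fourth tuple field `False`) so an analyst can see that their score is a fallback rather than a data-driven benchmark.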
A practical companion to the Trusted Product Maintainability criteria, helping software producers understand the measurements and what to improve to reach 4-star certification.
Reference document outlining the maintainability model, measurement areas, and thresholds used to evaluate and certify software products against the Trusted Product Maintainability standard.
Guidance for software producers on how SIG evaluates system security, based on ISO 25010 and a star rating from one to five for implemented security controls.
Guidance for software producers on SIG’s Architecture Quality Model, explaining how architecture flexibility is measured using code-based metrics, sub-characteristics, and 4-star thresholds.
Guidance for software producers on SIG’s Open Source Health Quality Model, explaining how open source dependencies are measured and what is needed to reach a 4-star risk profile for vulnerabilities, freshness, licenses, activity, and management.