Comparison with ISO 9001
30.4.1. ISO 9001 Overview
ISO 9001 is the international standard for Quality Management Systems (QMS). Established by the International Organization for Standardization (ISO), it defines a management framework for organizations to consistently provide products and services that meet customer and regulatory requirements.
ISO 9001 has been revised several times since its initial publication in 1987, and the current version is ISO 9001:2015. Its most notable characteristic is that it is a universal standard applicable to all industries, including manufacturing, services, construction, and IT. It is the most widely adopted management system standard worldwide, with over one million organizations in more than 170 countries holding certification.
Software companies also obtain ISO 9001 certification in some cases. It is frequently required for public procurement bids or for registration as a supplier to large corporations. However, because ISO 9001 is not specialized for software, it includes no mechanism for directly verifying code quality or technical implementation.
30.4.2. Core Principles
ISO 9001:2015 is based on 7 quality management principles.
| Principle | Description | Software Application |
|---|---|---|
| Customer Focus | Understand and meet customer requirements, exceed customer expectations | User requirements analysis, UX quality, performance criteria compliance |
| Leadership | Management sets quality direction and provides resources | Technical leadership, quality goal setting, tool/infrastructure investment |
| Engagement of People | People at all levels participate in achieving quality | Code review culture, quality awareness training |
| Process Approach | Manage activities as processes to produce consistent results | Development process standardization, CI/CD pipeline construction |
| Improvement | Pursue continual performance improvement | Technical debt management, performance optimization, refactoring |
| Evidence-based Decision Making | Decision making based on data analysis | Decisions based on code metrics, coverage figures, performance measurement results |
| Relationship Management | Manage relationships with interested parties for sustained performance | Supplier/outsourced developer quality management, open-source license management |
These principles can be meaningfully applied to software development. However, ISO 9001 focuses on "what processes should be used to manage" these principles, and does not prescribe "how to implement them at the code level."
30.4.3. Application to the Software Domain
30.4.3.1. ISO 9001 Requirements Relevant to Software
The following clauses of ISO 9001:2015 are highly relevant to software development.
| Clause | Title | Software Domain Application |
|---|---|---|
| 7.1.6 | Organizational Knowledge | Development standards, technical documentation, architecture document management |
| 8.1 | Operational Planning and Control | Development process definition, release management procedures |
| 8.2 | Requirements for Products and Services | Requirements specification, change management |
| 8.3 | Design and Development of Products and Services | Software design, review, verification, validation |
| 8.5 | Production and Service Provision | Build, deployment, operations processes |
| 8.6 | Release of Products and Services | Release approval, QA procedures |
| 8.7 | Control of Nonconforming Outputs | Defect management, bug tracking |
| 9.1 | Monitoring, Measurement, Analysis and Evaluation | Quality metric collection and analysis |
| 10.2 | Nonconformity and Corrective Action | Incident response, root cause analysis, recurrence prevention |
30.4.3.2. Limitations When Applied to Software
The following limitations exist when applying ISO 9001 to the software domain.
Inability to Directly Verify Code Quality
ISO 9001 requires that "the outputs of design and development must be verified to meet input requirements." However, it does not define specific methods of "verification." The organization must independently determine what test coverage percentage is required, what code formatting rules apply, and which lint rules should be enforced.
Limitations of a Universal Standard
ISO 9001 is a universal standard applicable to all industries, including manufacturing, services, and construction. While this universality is an advantage, it also means the standard does not reflect characteristics unique to software (continuous integration, automated testing, code review, etc.).
Process-centric vs Output-centric
ISO 9001 is based on the philosophy that "following the right process will produce the right results." In software, following a process does not necessarily guarantee code quality. Even if a code review process exists, the depth and quality of reviews may be insufficient. Even if a testing process is defined, test coverage may not be adequate.
Absence of Technical Specifications
ISO 9001 does not require specific technology stacks or tools. It requires that "the organization must determine and provide the monitoring and measurement resources needed," but it does not specify which tools (ESLint, JaCoCo, Lighthouse, etc.) should be used or which numerical criteria (80% coverage, JS bundle under 300KB, etc.) must be met.
30.4.4. Comparative Analysis with TQS
The following table summarizes the comparison between ISO 9001 and TQS along key comparison axes.
| Comparison Axis | ISO 9001 | TQS |
|---|---|---|
| Certification Purpose | Establishment and continuous improvement of a quality management system | Code-level technical quality verification |
| Scope of Application | All industries (universal) | Software development (specialized) |
| Verification Level | Process level ("Has a process been defined?") | Code level ("Does the code meet the criteria?") |
| Quality Criteria | Self-defined by the organization (no specific numerical values) | Specified in the standard (80% coverage, JS bundle under 300KB, etc.) |
| Verification Method | Document audit + on-site audit (manual) | Automated tools + code review |
| Design Verification | "Does the design output meet the input requirements?" (abstract) | "Does the Spring Boot configuration follow the standard?" (concrete) |
| Test Verification | "Has a testing process been defined?" | "Is JaCoCo line coverage 80% or above?" |
| Code Quality | Not directly verified | Verifies Google Java Format, ESLint, Prettier compliance |
| Monitoring | "Monitoring resources must be provided" (abstract) | "Lighthouse performance score 90+, Core Web Vitals met" (concrete) |
| Certification Cost | Medium cost (millions to tens of millions of KRW) | Free (internal self-certification) |
| Renewal Cycle | 3 years (annual surveillance audit) | Per major version (continuous CI verification) |
| Certification Body | Internationally accredited Certification Body (CB) | TIENIPIA Technical Standards Committee |
30.4.4.1. Abstraction vs Specificity
The most prominent difference between ISO 9001 and TQS is the specificity of requirements.
ISO 9001 requires that "the organization must determine and provide the monitoring and measurement resources needed to ensure the conformity of products and services." The choice of tools, what to measure, and the threshold values are left to the organization.
TQS specifies concrete tools and numerical criteria such as "JaCoCo line coverage 80% or above," "branch coverage 70% or above," "initial load JS under 300KB (gzip)," and "Lighthouse performance score 90 or above." During audits, these metrics are measured using automated tools to objectively determine compliance.
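The following added example (not TQS tooling or code from the standard) shows how the four criteria quoted above can be checked automatically from a JaCoCo XML report, a JS bundle, and a Lighthouse JSON report, failing closed when a metric is missing. The function names are hypothetical, the sample inputs are constructed, and "300KB" is read as 300 * 1024 bytes.

```python
import gzip
import json
import xml.etree.ElementTree as ET

# Thresholds quoted in the text above.
MIN_LINE, MIN_BRANCH = 0.80, 0.70
MAX_JS_GZIP = 300 * 1024   # assumption: "300KB" read as 300 * 1024 bytes
MIN_LIGHTHOUSE = 0.90      # Lighthouse JSON stores category scores as 0..1

# Constructed sample inputs (not real build output).
SAMPLE_JACOCO = """<report name="demo">
  <counter type="BRANCH" missed="35" covered="65"/>
  <counter type="LINE" missed="15" covered="85"/>
</report>"""
SAMPLE_BUNDLE = b"export const add = (a, b) => a + b;\n" * 2000
SAMPLE_LIGHTHOUSE = '{"categories": {"performance": {"score": 0.93}}}'

def jacoco_ratio(report_xml, counter_type):
    """Covered/total from the report-level <counter> of a JaCoCo XML report."""
    for c in ET.fromstring(report_xml).findall("counter"):  # direct children only
        if c.get("type") == counter_type:
            covered, missed = int(c.get("covered")), int(c.get("missed"))
            return covered / (covered + missed) if covered + missed else None
    return None  # counter absent from the report

def evaluate_gate(jacoco_xml, js_bundle, lighthouse_json):
    """Return the list of violations; an empty list means the gate passes."""
    failures = []
    for name, ctype, floor in (("line", "LINE", MIN_LINE), ("branch", "BRANCH", MIN_BRANCH)):
        ratio = jacoco_ratio(jacoco_xml, ctype)
        if ratio is None:  # fail closed: a missing metric is not a pass
            failures.append(f"{name} coverage: no data")
        elif ratio < floor:
            failures.append(f"{name} coverage {ratio:.1%} < {floor:.0%}")
    size = len(gzip.compress(js_bundle))
    if size >= MAX_JS_GZIP:  # criterion is "under 300KB"
        failures.append(f"JS bundle {size} bytes gzip >= {MAX_JS_GZIP}")
    perf = json.loads(lighthouse_json).get("categories", {}).get("performance", {})
    score = perf.get("score")  # null when Lighthouse could not compute it
    if score is None:
        failures.append("Lighthouse performance: no data")
    elif score < MIN_LIGHTHOUSE:
        failures.append(f"Lighthouse performance {score * 100:.0f} < 90")
    return failures

if __name__ == "__main__":
    problems = evaluate_gate(SAMPLE_JACOCO, SAMPLE_BUNDLE, SAMPLE_LIGHTHOUSE)
    print("\n".join(problems) or "gate passed")
    raise SystemExit(1 if problems else 0)  # non-zero exit blocks deployment
```

Run as a CI step, the non-zero exit code is what turns a threshold violation into a blocked deployment.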
30.4.4.2. Process Verification vs Output Verification
ISO 9001 verifies "whether the processes for managing quality are correctly established and operated." It checks whether a code review process exists, whether testing procedures are documented, and whether a release approval process is defined.
TQS verifies "whether the outputs of those processes — code, configurations, and build artifacts — meet the criteria." Rather than checking whether a code review process exists, it verifies whether the actual code follows conventions. Rather than checking whether testing procedures are documented, it verifies whether actual test coverage meets the criteria.
30.4.5. Complementary Relationship
Since ISO 9001 and TQS address different aspects of quality, applying them together increases the completeness of quality management.
30.4.5.1. Complementary Structure
| Layer | Responsible Certification | Role | Question |
|---|---|---|---|
| Quality Management Layer | ISO 9001 | Establishment and operation of quality management system | "How is quality managed?" |
| Quality Verification Layer | TQS | Direct verification of output (code) quality | "Does the output meet quality criteria?" |
30.4.5.2. ISO 9001 Requirements Linked to TQS
The following summarizes how key ISO 9001 requirements are concretized in TQS.
| ISO 9001 Requirement | ISO 9001 Level | TQS Concretization |
|---|---|---|
| Design and Development Verification (8.3.4) | "Verify that outputs meet inputs" | JUnit 5 tests, 80%+ coverage |
| Monitoring and Measurement (9.1.1) | "Provide appropriate monitoring resources" | JaCoCo, Lighthouse, ESLint automated verification |
| Control of Nonconforming Outputs (8.7) | "Identify and control nonconforming products" | Deployment blocked on CI/CD build failure |
| Corrective Action (10.2) | "Eliminate the cause of nonconformity" | Code review, automated lint rule violation detection |
| Continual Improvement (10.3) | "Improve QMS suitability, adequacy, and effectiveness" | Test coverage trends, bundle size trends, performance score trends |
| Documented Information (7.5) | "Maintain necessary documented information" | Project structure standards, API documentation (SpringDoc), configuration file standards |
30.4.5.3. Combined Application Scenarios
Scenarios where applying ISO 9001 and TQS together is effective include the following.
- Companies participating in public procurement: In cases where ISO 9001 certification is a bonus factor or required condition for public procurement bids, ISO 9001 demonstrates the quality management system while TQS guarantees actual code quality.
- Large enterprise suppliers: When large enterprises require ISO 9001 certification from their suppliers, applying ISO 9001 and TQS together provides quality assurance from both the process and output perspectives.
- Organizations advancing quality culture: After establishing a quality management foundation with ISO 9001, introducing code-level quality criteria through TQS can elevate the quality culture to the next level.
ISO 9001 verifies "the system that manages quality," and TQS verifies "the quality of the outputs produced by that system." The two certifications are complementary, responsible respectively for the input (process) and the output (deliverables) of quality management.