The one-page test policy the whole org reads.
Mission, risk-based method, four test levels, two KPIs — and the modern additions that belong next to them.
A sample test policy that fits on one page: mission of testing, risk-based strategy, the four test levels with owners and objectives, the degree-of-formality principle, and the two KPIs every test-owning group is measured on. Adapt the placeholders, keep the structural shape.
A test policy is the shortest document with the strongest implications in the organization. It states what testing exists for, how it decides what to do, who is accountable at which level, and what it is measured on — in one page. Everything downstream (strategies, plans, cases, reports) must be consistent with it.
Key Takeaways
Four things to remember.
Policy, strategy, plan — keep them separate
Policy: one per org, answers "what is testing for here." Strategy: one per program, answers "how do we test this family of products." Plan: one per release, answers "how do we test this release." Collapsing them is the most common policy failure.
Risk-based is a commitment, not a flavor
A test policy that says "risk-based" has to name how risk is identified, assessed, and mapped to test effort. Without that, the policy is just a statement of values, not a governance document.
Test-level ownership is policy, not project-negotiation
Who owns unit, integration, system, and acceptance testing is an organizational question that every project should not re-negotiate. The policy pins the owners; projects follow.
Two KPIs keep it honest
Defect detection effectiveness (DDE) and risk coverage. A policy with more than a handful of KPIs optimizes for the metric, not the outcome. Two are enough.
Overview
This is the sample test policy we use as the starting point for an enterprise quality-function policy document. It answers the four governance questions every test policy must answer: what testing is for, how risk drives test effort, which test levels exist with which owners, and what the quality function is measured on.
Adapt the bracketed placeholders ([Company Name Here] / [company name]) to your organization. Keep the structural sections — each one is there because its absence creates a specific gap that downstream documents cannot repair.
This policy aligns with ISO/IEC/IEEE 29119-2 Test Policy concepts. In regulated contexts or formal procurement, the mapping to 29119 satisfies external documentation requirements without changing the substance.
Four levels · four owners
Test-level ownership is policy.
Who owns unit, integration, system, and acceptance testing is an organizational question. Every project should not re-negotiate it. The policy pins the owners; projects follow.
01
1. Mission of testing
[Company Name Here] exists in the quality function to effectively and efficiently provide timely, accurate, and useful quality-risk-management information and services to the organization.
- Effectively — the information is actionable. A defect report a product manager can prioritize. A release signal an executive can rely on. A coverage view a program manager can plan against.
- Efficiently — the cost of producing the information is proportional to its value. Testing is an investment; the policy constrains the testing function to spend in proportion to risk.
- Timely — information arrives in time to act on it. A post-release finding is not a test result; it is a production incident.
- Accurate — reports distinguish what is measured, what is inferred, and what is unknown. Precision is not confidence.
- Useful — the information answers a question the organization is actually asking. A metric nobody uses is a budget line item, not a contribution.
02
2. Risk-based testing strategy
Depending on project objectives, [company name] selects the degree of quality-risk mitigation desired. Quality risks are identified and assessed to determine their level of risk. The level of risk determines test effort and test sequencing. Test results are reported in terms of mitigated and unmitigated risks.
- Identification — risks are surfaced in a structured risk-analysis session (FMEA or equivalent), drawing from the general quality risk categories taxonomy and product-specific failure-mode knowledge.
- Assessment — each risk item is scored for likelihood and impact, producing a risk priority number (RPN) or equivalent aggregate measure.
- Mapping to effort — risk level determines extent of testing (extensive → broad → cursory → opportunity → report-bugs-only → none) and sequencing (highest risk first).
- Reporting — residual quality risk is the primary release-readiness artifact, shared across project, product, and executive audiences. See risk-based-test-results-reporting for the four-approach ladder.
03
3. Sequential test levels, performed by the best-qualified participants
Test levels promote mitigation of quality risk as early as possible and to the highest practical extent. Each level is owned by the group best qualified to design, execute, and interpret its tests.
Unit — owner: Development
Objectives: detect defective code in units; reduce the risk of unit-level failure in production. Key areas of testing: functionality and resource utilization. Modern additions: contract tests against internal APIs, property-based tests for pure functions, mutation tests as a coverage-quality check.
Integration — owner: Development
Objectives: detect defects in unit interfaces; reduce the risk of dataflow and workflow failures in production. Key areas of testing: functionality, data quality, unit interoperability and compatibility, performance. Modern additions: consumer-driven contract testing (Pact, Spring Cloud Contract), schema-compatibility tests, service-level interaction tests on ephemeral infrastructure.
System — owner: Risk Mitigation and Quality Assurance (test function)
Objectives: detect defects in use cases and end-to-end scenarios; assist in mitigating the risk of unmet business requirements in production. Key areas of testing: functionality, data quality, performance, reliability, usability, resource utilization, maintainability, installability, portability, and interoperability. Modern additions: distributed-trace-based verification, chaos / fault injection, AI-system evaluation against held-out sets, observability-signal correctness.
Acceptance — owner: Business
Objectives: demonstrate readiness for deployment; detect defects in user workflows. Key areas of testing: functionality. (Note: not all acceptance-test activities for all projects will have defect detection as an objective — many are readiness confirmations rather than discovery exercises.)
04
4. Test process for each test level, and degree of formality
Each test level runs a consistent process — plan, design, prepare, execute, report, and close — but the degree of formality at each step is proportional to the level of risk associated with the project as a whole.
- High-risk projects (regulated, safety-critical, mission-critical, heavily-customer-visible) apply each step formally with auditable artifacts.
- Medium-risk projects apply each step pragmatically: documented, reviewed, stored, but not re-verified.
- Low-risk projects apply each step lightly: the steps still happen, but the artifacts are minimal and often live in code (test names, PR descriptions) rather than separate documents.
- The policy sets the bands; each project's test strategy specifies where it sits against the bands. Formality is not a virtue; fitness-for-purpose is.
05
5. Key process indicators (KPIs)
Each group responsible for one or more test levels establishes KPIs for its test activities against the following two required areas. Groups may add a small number of additional KPIs; they may not drop these.
- Defect detection effectiveness (DDE) — the percentage of defects found at this level before they escape to a later level (or production). The industry baseline is roughly 85% DDE at system integration test; 95%+ is achievable in disciplined organizations. See the Metrics Part 2 whitepaper for calibration.
- Risk coverage and sequencing — the percentage of identified risk items that have at least one test designed and executed against them, weighted by risk level. Unmitigated high-risk items are reported explicitly in every status cycle.
06
6. Planning discipline across groups
In consultation with IT management (or its equivalent for non-IT-functioned organizations), each group manager develops and executes two planning artifacts.
- Project-by-project alignment — how the KPIs harmonize across groups on a given project. Example: unit-test DDE is low-90s; integration DDE takes the rest to 95%+; system test adds the last risk-weighted coverage. Projects that see DDE drop below bands trigger a process-improvement review.
- Long-term improvement — plans for test process improvement at each level and across levels, reviewed and re-set annually. Improvement is a named activity with named owners, not an aspiration.
07
7. 2026 additions to the policy
Four additions we would include in a policy written today that were not required in the 2002-era original.
- Production-telemetry feedback loop — the test function has a named role in interpreting production telemetry (error rates, SLO compliance, customer-reported defects) and feeding findings back into test design. Testing does not stop at release; the policy names the loop.
- AI-system evaluation — for products whose primary job is inference, the test policy names the evaluation discipline (held-out eval sets, golden sets, slice-based metrics, calibration) and who owns model-release gating. Example-based assertion testing is insufficient for probabilistic output.
- Continuous-delivery level mapping — for continuously-delivered systems, map the four test levels to their CD equivalents: unit tests in pre-commit hooks, integration tests in PR CI, system tests in staging against realistic load, acceptance via canary / progressive rollout with SLO gates. The levels still exist; they run continuously rather than sequentially.
- Observability as policy surface — the policy states that observability artifacts (structured logs, metrics, traces, dashboards) are a first-class testable surface. "The system ships observability" is a release requirement, not a nice-to-have.
08
8. Maintenance
This policy is reviewed annually by the quality-function lead with sign-off from executive management. Material changes (test-level ownership, KPI definitions, risk-method changes) require CCB-equivalent review. Minor changes (placeholder updates, link refreshes) are logged in a change history.
DDE ladder · how the KPI harmonizes
Each level catches more before escape.
A disciplined organization’s DDE stacks. Unit catches most unit-level defects; integration catches the subsystem-interaction residuals; system brings cumulative DDE to 95%+. Policy expects the harmonization. Projects that see DDE drop below band trigger a process-improvement review.
Cumulative DDE at each stage · disciplined organization
Defect Detection Effectiveness — stacked across levels
Industry baseline is ~85% at system integration; 95%+ is achievable.
The lift from 85% to 95% is where the test function earns its budget. The lift past 95% is the 2026 modernization gap — production telemetry + AI-system evaluation carry it further.
Take it with you
Download the piece you just read.
We keep this library free. All we ask is that you tell us who you are, so we know who to follow up with if we release an updated version. One-time form, this browser remembers you after that.
Related in the library
Pair this with.
Need a QA program to back this up in your organization?
If a checklist is not enough and you want help applying it to a live engagement, we can have a call this week.
Related reading
Articles, talks, guides, and case studies tagged for the same audience.
- Whitepaper
Evaluation Before Shipping: How to Test an AI Application Before It Hits Production
The release-gate playbook for AI features. Covers the five evaluation dimensions, how to build a lean golden set, where LLM-as-judge is trustworthy and where it lies, rollout mechanics with named exit criteria, and the regression suite that keeps a shipped AI feature from quietly rotting in production.
Read → - Whitepaper
Choosing the Right Model (and Knowing When to Switch)
A practical framework for matching LLM model tier to task. Covers the four axes (capability, latency, cost, reliability), cascade routing patterns that cut cost 60 to 80 percent without measurable quality loss, switching costs you did not plan for, and the worked economics at 10K, 100K, and 1M decisions per day.
Read → - Whitepaper
Beyond ISTQB: A Multi-Domain Certification Roadmap for Technical L&D
Most engineering L&D programs over-index on a single certification family, usually ISTQB on the QA side, AWS on the infrastructure side, and under-invest across the rest of the technical domains the org actually needs. This paper covers a multi-domain certification roadmap (QA, AI, cloud, data, security, project management, software engineering) with sequencing logic for each level of the engineering ladder, plus the maintenance discipline that keeps the roadmap relevant as the technology shifts underneath it.
Read → - Guide
The ISTQB Advanced Level path, mapped
The Advanced Level landscape keeps changing — CTAL-TA v4.0 shipped May 2025, CTAL-TM is on v3.0, CTAL-TAE is on v2.0. This guide maps all four core modules, prerequisites, exam formats, sunset dates, and which module a given role should take first. Links directly to the authoritative istqb.org syllabi.
Read → - Whitepaper
Bug Triage: A Cross-Functional Framework for Deciding Which Defects to Fix
Bug triage is the cross-functional decision process that converts raw defect reports into prioritized action. Done well, it optimizes limited engineering capacity against risk; done poorly, it becomes a backlog-management ritual that neither fixes the important defects nor drops the unimportant ones. This whitepaper covers the triage process, the participants, the six action outcomes, the four decision factors, and the governance disciplines that keep triage effective in continuous-delivery environments.
Read → - Whitepaper
Building Quality In: What Engineering Organizations Do from Day One
Testing at the end builds confidence, but the most efficient quality assurance is building the system the right way from day one. This whitepaper covers the upstream disciplines — requirements clarity, lifecycle selection, per-unit programmer practices, and continuous integration — that make system-level testing cheap and fast rather than the only thing holding a release together.
Read →
Where this leads
- Service · Quality engineering
Software Quality & Security
Independent test programs, security testing, and quality engineering for systems where defects cost real money.
Learn more → - Solution
Risk Reduction & Clear Decisions
Quality programs and decision frameworks that shift risk discussions from anecdote to evidence.
Learn more → - Solution
Reliable Software at Scale
Quality engineering programs for organizations whose software is now operationally critical.
Learn more →