ISTQB + ISO 9001 + ISO 27001 Certified

Our QA Process — How Testriq Delivers Software Quality

A six-phase, risk-first, evidence-based methodology — Discovery, Strategy, Planning, Execution, Reporting, Closure. Built for teams that ship continuously but answer to auditors quarterly. Refined across hundreds of engagements spanning SaaS, BFSI, healthcare, manufacturing, IoT, and gaming.

Talk to a QA Lead See it applied — case studies

Four principles behind the process

Process diagrams without principles are decoration. These four govern every phase below.

Risk-first prioritisation

Coverage targets follow risk impact, not feature count. A 10-test suite that exercises the 3 highest-revenue flows beats a 200-test suite that exercises every settings checkbox.

Shift-left + shift-right

We engage at design review (catch ambiguities early) and operate synthetic monitors in production (catch regressions post-deploy). The middle — pre-merge automation — is the cheap part.

Evidence-grade, not just exec-summary

Every test produces a record an auditor can verify. No untracked spreadsheets, no "trust me" sign-offs. Audit cycles become 3-day exports instead of 3-week scrambles.

ISTQB-certified people, ISO-controlled processes

Testers are ISTQB-certified; the lab itself operates under ISO 9001 + ISO/IEC 27001. Customer data and test artifacts are handled accordingly.

The six phases

Each phase has a defined output. Skip a phase, lose the evidence trail behind every later one.

1. Discovery & Risk Modeling

Week 1

We start by mapping your product, users, integration surface, and regulatory perimeter. The output is a prioritised risk register that drives every subsequent decision — what to automate first, where to invest manual effort, which compliance frameworks apply.

Deliverables

  • System + integration map
  • Risk register (probability × impact)
  • Compliance scope (SOC 2 / GDPR / HIPAA / IEC 62443 / etc.)
  • Existing test asset inventory

2. Test Strategy

Week 1-2

A test strategy answers what we test and why — driven by the risk register. It commits to the testing types in scope, the coverage targets, the entry / exit criteria, and the boundary between Testriq + client responsibilities. Cross-reference our test strategy template.

Deliverables

  • Test strategy document (scope, approach, ownership)
  • Test pyramid + automation target ratio
  • Tooling + framework decisions
  • Resource plan + RACI matrix

3. Test Planning & Case Design

Week 2-4

Strategy turns into concrete plans — per-release test plans, environment requirements, test data needs, and detailed test cases. We follow our test case template + standard test plan template so deliverables are auditor-ready and onboarding-friendly.

Deliverables

  • Release-level test plan
  • Functional + non-functional test cases
  • Test-data + environment requirements
  • Automation script library

4. Test Execution

Continuous (per release / per sprint)

Cases get executed against the build under test — automated suites in CI for fast feedback, manual exploratory for high-risk areas. Defects get logged with full reproduction context + severity rating + impact analysis. Wires into regression testing and automation testing practices.

Deliverables

  • Daily test execution status
  • Defect log with severity + reproducibility
  • Automation run reports (CI-integrated)
  • Exploratory testing session charters + notes

5. Reporting & Evidence

Per release + per audit cycle

Every test run produces auditable evidence — coverage metrics, pass/fail trends, defect-density per module, time-to-resolution. For regulated industries, evidence packs are bundled per control framework (SOC 2 TSC / IEC 61508 SIL / FDA 21 CFR Part 11) so auditors can trace every control to its proof.

Deliverables

  • Per-release QA report (executive summary + drilldown)
  • Coverage + defect-density dashboards
  • Compliance evidence packs (audit-ready)
  • Sign-off recommendations with risk callouts

6. Closure & Retrospective

Per release / per project end

We don't just close tickets — we close loops. Every release retrospective surfaces process gaps, automation candidates, recurring defect classes, and team coaching opportunities. The next discovery cycle inherits a sharper risk register because of it.

Deliverables

  • Release retrospective deck
  • Process-improvement backlog
  • Automation-candidate prioritisation
  • Quality metric trend vs prior releases

Related templates & deep-dives

Each phase has a dedicated reference doc you can copy as a starting point.

STLC Explained

The 6-phase Software Testing Life Cycle in depth.

Read

Test Strategy Template

What a test-strategy doc actually contains.

Read

Test Plan Template

IEEE-829-aligned test plan structure.

Read

Test Case Template

Field-by-field test-case format + examples.

Read

Frequently Asked Questions

How does Testriq's QA process differ from STLC?

STLC is the academic six-phase framework — Requirement Analysis, Test Planning, Test Case Design, Test Environment Setup, Test Execution, Test Cycle Closure. Our 6-phase process is operationally similar but front-loads a Discovery + Risk Modeling step that drives every subsequent decision, and adds an explicit Reporting + Evidence phase tuned for regulated-industry audit cycles. See our /stlc-explained page for a detailed breakdown of the academic STLC framework itself.

Can the process be compressed for small or fast-moving projects?

Yes. For a 2-week startup MVP, Discovery + Strategy compress to a half-day workshop, Planning + Case Design happen in parallel with execution, and Reporting is a single PR comment + dashboard rather than a formal evidence pack. The phases stay; the artifacts shrink to match the risk profile.

Do you replace our existing QA team or augment it?

Either model. Augmentation: Testriq engineers embed in your existing team, follow your ticket flow, contribute to your test suite, and exit cleanly. Replacement: we own the entire QA function with a dedicated lead, escalation channel, and monthly steering reviews. Most engagements start augmented and grow into managed if it works.

How is risk-based testing different from generic risk-based testing claims?

Risk-based testing requires a quantified risk register — probability × impact, scored, prioritised, dated, and traceable to a specific test case. We build that register in Discovery, refresh it per release, and decline to run tests that don't map to a register entry. That discipline is what makes the "risk-based" claim real rather than marketing.

What QA tools do you typically use?

Stack varies by client. Common: Playwright / Cypress / Selenium for web automation; Appium / Espresso / XCUITest for mobile; Postman / Newman / Pact for API; JMeter / k6 / Locust for performance; Burp / OWASP ZAP for security; Xray / TestRail / Zephyr for test management; Jira / Linear for defect tracking. We extend whatever you already have rather than impose a Testriq-only stack.

How long until we see measurable improvement?

First-pass results inside 4-6 weeks (defect-leakage reduction, coverage visibility, evidence-pack discipline). Sustained improvement on the 8-16 week mark — automation ROI compounds, audit prep collapses from weeks to days, and release confidence stops needing "hope" in standup status reports.

Get a QA Process tailored to your release cadence

Talk to a QA lead. We'll map your release rhythm + compliance scope to a 6-phase plan you can act on this quarter.

Talk to a QA Lead