Wikipedia on Non-functional Requirements
List of NFRs (from Wikipedia):
- Accessibility
- Adaptability
- Auditability and control
- Availability (see service level agreement)
- Backup
- Capacity, current and forecast
- Certification
- Compliance
- Configuration management
- Cost, initial and Life-cycle cost
- Data integrity
- Data retention
- Dependency on other parties
- Deployment
- Development environment
- Disaster recovery
- Documentation
- Durability
- Efficiency (resource consumption for given load)
- Effectiveness (resulting performance in relation to effort)
- Emotional factors (like fun or absorbing or has “Wow! Factor”)
- Environmental protection
- Escrow
- Exploitability
- Extensibility (adding features, and carry-forward of customizations at next major version upgrade)
- Failure management
- Fault tolerance (e.g. Operational System Monitoring, Measuring, and Management)
- Legal and licensing issues or patent-infringement-avoidability
- Interoperability
- Maintainability (e.g. Mean Time To Repair – MTTR)
- Management
- Modifiability
- Network topology
- Open source
- Operability
- Performance / response time (performance engineering)
- Platform compatibility
- Privacy (compliance to privacy laws)
- Portability
- Quality (e.g. faults discovered, faults delivered, fault removal efficacy)
- Readability
- Reliability (e.g. Mean Time Between/To Failures – MTBF/MTTF )
- Reporting
- Resilience
- Resource constraints (processor speed, memory, disk space, network bandwidth, etc.)
- Response time
- Reusability
- Robustness
- Safety or Factor of safety
- Scalability (horizontal, vertical)
- Security (cyber and physical)
- Software, tools, standards etc. Compatibility
- Stability
- Supportability
- Testability
- Throughput
- Transparency
- Usability (Human Factors) by target user community
- Integrability ability to integrate components
ISO Quality Standards (includes functional and non-functional)
https://en.wikipedia.org/wiki/ISO/IEC_9126 is relevant for the -ability NFRs. Now known as ISO 25010:

Summary of ISO25010
https://en.wikipedia.org/wiki/Decision-matrix_method (or Pugh method of Pugh concept selection)
Non-functional requirements (linguistic, definition) – Planguage:
Tutorial: Specifying non-functionals
Due Dilligence – M&A
Basic points:
- What will it take to modify and add new functionality
- Maintainability and automated testing
- Scalability risks and strengths
- System design, code size, technologies, and complexity
- Open source and other dependencies
- Security and privacy risks
- Development capability, data center practices
- Defect/incident analysis
- Sophistication and robustness of algorithms and data models
- Internationalization, portability, or other quality attributes
- Your specific questions
Another view of points (from http://www.crosslaketech.com/technical-due-diligence-checklist-why-acquiring-firms-need-it/)
A refined technical due diligence process is quick, efficient, and answers the investment questions in easy-to-understand terms with sufficient detail. Target companies are typically analyzed from three perspectives:
Each of these perspectives is analyzed from the following categories. Included below are some sample questions to ask and answer:
While many items found during technology due diligence may not make or break a deal, it is important to understand the risks and opportunities to evaluate a potential investment. The existence of technical risks may affect the ultimate deal conditions or price. The cost of a technical due diligence is insignificant compared to the magnitude of a software company investment and the benefits abound, which leaves us with the question, why wouldn’t an investment firm conduct pre-acquisition technical due diligence? I certainly wouldn’t buy a new home without an inspection.
Downloaded sheet: