Key Points
- ISSA 5000 applies to sustainability assurance engagements under any reporting framework, not only the ESRS.
- The standard was approved by the IAASB in September 2024, published in November 2024, and takes effect on 15 December 2026.
- Limited assurance requires risk assessment at the disclosure level (ISSA 5000.103L), while reasonable assurance requires it at the assertion level.
- The Omnibus I Directive (February 2026) removed the planned EU transition to reasonable assurance, so limited assurance remains the baseline indefinitely.
What is ISSA 5000?
ISSA 5000 is the first international standard written specifically for sustainability assurance. It replaces the need to apply ISAE 3000 (Revised) for these engagements, though practitioners performing sustainability assurance before 15 December 2026 still fall back on ISAE 3000 or the applicable national equivalent.
The standard is framework-neutral. It applies whether the entity reports under the ESRS, GRI, IFRS Sustainability Disclosure Standards, or entity-developed criteria. ISSA 5000.8 makes this explicit: the standard covers assurance on "sustainability information reported for periods" regardless of the underlying framework.
The engagement follows a sequence familiar to auditors. The practitioner accepts the engagement after verifying preconditions (ISSA 5000.75-84), performs risk assessment procedures, designs further procedures responsive to assessed risks, evaluates evidence, forms a conclusion, and reports. Where limited and reasonable assurance diverge is in the depth of risk assessment. ISSA 5000.103L requires risk identification at the disclosure level for limited assurance. ISSA 5000.103R requires assertion-level risk assessment for each disclosure in a reasonable assurance engagement.
ISSA 5000 also requires the practitioner to apply ISQM 1 at the firm level. Non-accountant assurance providers must demonstrate equivalent quality management arrangements.
Worked example: Henriksen Shipping A/S
Client: Danish maritime logistics company, FY2027, revenue EUR 140M, IFRS reporter, 1,200 employees. A mid-tier Danish firm performs a limited assurance engagement under ISSA 5000 on Henriksen's sustainability statement prepared under the ESRS.
Step 1 — Verify preconditions and accept the engagement
The engagement partner confirms that the sustainability information is identifiable within the management report, that the ESRS serves as suitable criteria, and that the firm can access underlying data. The partner evaluates whether the team has the competence to assess maritime-specific emissions data (bunker fuel consumption, ballast water treatment records) and assigns a team member with shipping-sector experience.
Step 2 — Identify and assess risks of material misstatement at the disclosure level
The team reviews Henriksen's double materiality assessment and maps five material ESRS topics: climate change (E1), pollution (E2), own workforce (S1), business conduct (G1), and consumers and end-users (S4). The principal risk is the completeness and accuracy of Scope 1 emissions from a fleet of 14 vessels burning 22,400 tonnes of heavy fuel oil per year.
Step 3 — Design and perform procedures responsive to assessed risks
For Scope 1 fleet emissions (reported at 69,700 tonnes CO2e), the team performs analytical procedures comparing fuel purchase invoices against voyage logs and applying the IMO default emission factor for heavy fuel oil (3.114 tonnes CO2 per tonne of fuel). For own workforce disclosures, the team compares reported headcount and injury-frequency rates against HR system extracts and insurance claims data.
Step 4 — Evaluate evidence and form the conclusion
The emission recalculation yields 70,100 tonnes CO2e against the reported 69,700 tonnes. The 0.6% variance falls within the quantitative threshold set for climate disclosures. Workforce injury-frequency rates align with insurance records within rounding tolerance. No matters come to the team's attention indicating material misstatement.
Conclusion: the engagement produces an unmodified limited assurance conclusion, defensible because risk assessment was performed at the disclosure level across all five material ESRS topics, procedures were traced to identified risks, and the fleet emission recalculation confirmed reported figures within tolerance.
Why it matters in practice
Teams experienced in financial statement audits frequently attempt to map ISSA 5000's requirements one-to-one against the ISA framework. ISSA 5000 is a stand-alone standard by design (ISSA 5000.A47-A57). Importing ISA terminology, risk categories, or documentation templates without adaptation creates confusion about the required level of work, particularly the distinction between disclosure-level and assertion-level risk assessment that does not exist in ISA 315.
Firms performing sustainability assurance before December 2026 sometimes describe their engagement as "performed under ISSA 5000" despite the standard not yet being effective. The IAASB's January 2025 FAQ clarifies that pre-effective-date engagements fall under ISAE 3000 (Revised) or the applicable national standard. Early adoption of ISSA 5000 is permitted but must be explicitly documented in the engagement letter. Mislabelling the applicable standard exposes the firm to regulatory challenge on the basis for the conclusion.
ISSA 5000 vs. ISAE 3000 (Revised)
| Dimension | ISSA 5000 | ISAE 3000 (Revised) |
|---|---|---|
| Subject matter | Sustainability information only | Any non-historical-financial-information subject matter |
| Design | Stand-alone; all requirements in one document | Framework standard; supplemented by subject-matter-specific ISAEs |
| Risk assessment (limited assurance) | Disclosure level (ISSA 5000.103L) | "Sufficient to identify areas where material misstatement is likely" (ISAE 3000.52L) |
| Risk assessment (reasonable assurance) | Assertion level per disclosure (ISSA 5000.103R) | Risk assessment at assertion level (ISAE 3000.52R) |
| Effective date | Periods beginning on or after 15 December 2026 | Effective since 2015; continues to apply for non-sustainability assurance engagements |
| Practitioner scope | Professional accountants and qualifying non-accountant assurance providers | Primarily professional accountants; non-accountant applicability varies by jurisdiction |
The distinction matters on engagements where the reporting period straddles the effective date. A practitioner issuing a report on FY2026 sustainability information applies ISAE 3000 (Revised). The same practitioner issuing a report on FY2027 information applies ISSA 5000. Firms that fail to update engagement letters, methodology templates, and report wording between those two years risk issuing a conclusion under the wrong standard.
Related terms
Frequently asked questions
Do I need to apply ISSA 5000 for FY2025 sustainability reports?
No. ISSA 5000 is effective for periods beginning on or after 15 December 2026, so FY2027 is the first mandatory year for calendar-year reporters. For FY2025 and FY2026, practitioners apply ISAE 3000 (Revised) or the national equivalent. Early adoption is permitted if the firm documents the decision in the engagement letter and confirms its quality management infrastructure meets the standard's requirements.
Does ISSA 5000 apply only to ESRS-based sustainability reports?
ISSA 5000 is framework-neutral. It applies to sustainability assurance engagements under the ESRS, GRI Standards, IFRS Sustainability Disclosure Standards (IFRS S1/S2), or entity-developed criteria, provided the criteria are suitable. ISSA 5000.8-14 defines scope by reference to "sustainability information" without restricting it to a single framework. A voluntary GRI assurance engagement falls within scope once the standard is effective.
Can a non-accountant perform a sustainability assurance engagement under ISSA 5000?
Yes, provided the non-accountant assurance provider complies with the IESBA Code (or requirements at least as demanding) and operates within a firm that applies ISQM 1 or equivalent quality management arrangements. ISSA 5000.A68-A74 addresses the firm-level quality management precondition. Member States transposing the CSRD determine which categories of assurance provider are authorised within their jurisdiction.