Key Points
- ISSA 5000 applies to sustainability assurance engagements under any reporting framework, not only the ESRS.
- The IAASB approved ISSA 5000 in September 2024 and published it in November 2024. It takes effect for periods beginning on or after 15 December 2026.
- Limited assurance requires risk assessment at the disclosure level (ISSA 5000.103L), while reasonable assurance requires it at the assertion level.
- The Omnibus I Directive (February 2026) removed the planned EU transition to reasonable assurance, so limited assurance remains the baseline indefinitely.
What ISSA 5000 changes for engagement teams
Most firms doing sustainability assurance right now are retrofitting ISAE 3000 (Revised), a standard that was never designed for this work. It covers any non-historical-financial-information engagement, from carbon footprints to customer satisfaction surveys. That breadth forces teams to improvise on scope, risk assessment depth, and reporting wording for every sustainability engagement. ISSA 5000 is the IAASB's fix: the first international standard written specifically for sustainability assurance.
It's framework-neutral. Whether the client reports under the ESRS, GRI, IFRS Sustainability Disclosure Standards, or entity-developed criteria, ISSA 5000 applies. Paragraph 8 makes this explicit: the standard covers assurance on "sustainability information reported for periods" regardless of the underlying framework.
The engagement workflow will feel familiar. You accept after verifying preconditions (ISSA 5000.75-84), run risk assessment procedures, design further procedures responsive to assessed risks, evaluate evidence, and report. But here's where it diverges from what audit teams are used to: ISSA 5000.103L requires risk identification at the disclosure level for limited assurance, while 103R requires assertion-level risk assessment for reasonable assurance. That disclosure-versus-assertion distinction doesn't exist anywhere in ISA 315 , and it's where we've seen the most confusion on early engagements.
ISSA 5000 also requires ISQM 1 at the firm level. Non-accountant assurance providers must demonstrate equivalent quality management arrangements, which creates real friction for non-audit firms entering the market.
Worked example: Henriksen Shipping A/S
Henriksen Shipping A/S is a Danish maritime logistics company. FY2027, revenue EUR 140M, IFRS reporter, 1,200 employees. A mid-tier Danish firm performs a limited assurance engagement under ISSA 5000 on Henriksen's sustainability statement prepared under the ESRS.
Verify preconditions and accept the engagement
The engagement partner (EP) confirms that the sustainability information is identifiable within the management report and that the ESRS serves as suitable criteria. Can the firm access the underlying data? Can the team assess maritime-specific emissions data (bunker fuel consumption, ballast water treatment records)? The EP assigns a team member with shipping-sector experience to cover the technical gap.
Identify and assess risks at the disclosure level
The team reviews Henriksen's double materiality assessment and maps five material ESRS topics: climate change (E1), pollution (E2), own workforce (S1), business conduct (G1), and consumers and end-users (S4). The principal risk is completeness and accuracy of Scope 1 emissions from a fleet of 14 vessels burning 22,400 tonnes of heavy fuel oil per year. If the file doesn't tell this story clearly (which disclosures carry the highest misstatement risk, and why), an experienced reviewer with no prior connection to the engagement won't be able to follow the logic from risk assessment through to conclusion.
Design and perform procedures responsive to assessed risks
For Scope 1 fleet emissions (reported at 69,700 tonnes CO2e), the team runs analytical procedures comparing fuel purchase invoices against voyage logs and applies the IMO default emission factor for heavy fuel oil (3.114 tonnes CO2 per tonne of fuel). For own workforce disclosures, the team compares reported headcount and injury-frequency rates against HR system extracts and insurance claims data.
Evaluate evidence and form the conclusion
The emission recalculation yields 70,100 tonnes CO2e against the reported 69,700 tonnes. That's a 0.6% variance, well within the quantitative threshold set for climate disclosures. Workforce injury-frequency rates align with insurance records within rounding tolerance. No matters come to the team's attention indicating material misstatement.
The engagement produces an unmodified limited assurance conclusion. It's defensible because risk assessment was performed at the disclosure level across all five material ESRS topics, procedures traced back to identified risks, and the fleet emission recalculation confirmed reported figures within tolerance.
Where teams get this wrong
Audit teams instinctively try to map ISSA 5000's requirements one-to-one against the ISA framework. We've seen this on about half the engagements we've reviewed. ISSA 5000 is a stand-alone standard by design (A47-A57). Importing ISA terminology, risk categories, and documentation templates without adaptation creates confusion about the required level of work. The disclosure-level versus assertion-level risk assessment distinction doesn't exist in ISA 315 , and it's the single biggest source of scoping errors on early sustainability engagements. Nobody gets this right the first time. Expect to rebuild your templates from scratch rather than adapting your ISA 315 WPs.
A second problem: firms doing sustainability assurance before December 2026 sometimes describe the engagement as "performed under ISSA 5000" even though the standard isn't effective yet. The IAASB's January 2025 FAQ is clear: pre-effective-date engagements fall under ISAE 3000 (Revised) or the applicable national standard. Early adoption is permitted but you must document it explicitly in the engagement letter. Mislabelling the applicable standard exposes the firm to regulatory challenge on the basis for the conclusion.
ISSA 5000 vs. ISAE 3000 (Revised)
| Dimension | ISSA 5000 | ISAE 3000 (Revised) |
|---|---|---|
| Subject matter | Sustainability information only | Any non-historical-financial-information subject matter |
| Design | Stand-alone; all requirements in one document | Framework standard; supplemented by subject-matter-specific ISAEs |
| Risk assessment (limited assurance) | Disclosure level (ISSA 5000.103L) | "Sufficient to identify areas where material misstatement is likely" (ISAE 3000.52L) |
| Risk assessment (reasonable assurance) | Assertion level per disclosure (ISSA 5000.103R) | Risk assessment at assertion level (ISAE 3000.52R) |
| Effective date | Periods beginning on or after 15 December 2026 | Effective since 2015; continues to apply for non-sustainability assurance engagements |
| Practitioner scope | Professional accountants and qualifying non-accountant assurance providers | Primarily professional accountants; non-accountant applicability varies by jurisdiction |
This distinction matters when the reporting period straddles the effective date. A practitioner issuing a report on FY2026 sustainability information applies ISAE 3000 (Revised). For FY2027, the same practitioner applies ISSA 5000. Firms that don't update engagement letters and methodology templates between those two years risk issuing a conclusion under the wrong standard. It sounds like a minor administrative point until the regulator asks which standard your conclusion was issued under and your engagement letter says the wrong one.
Related terms
Related tools
Related reading
Frequently asked questions
Do I need to apply ISSA 5000 for FY2025 sustainability reports?
No. ISSA 5000 is effective for periods beginning on or after 15 December 2026, so FY2027 is the first mandatory year for calendar-year reporters. For FY2025 and FY2026, practitioners apply ISAE 3000 (Revised) or the national equivalent. Early adoption is permitted if the firm documents the decision in the engagement letter and confirms its quality management infrastructure meets the standard's requirements.
Does ISSA 5000 apply only to ESRS-based sustainability reports?
ISSA 5000 is framework-neutral. It applies to sustainability assurance engagements under the ESRS, GRI Standards, IFRS Sustainability Disclosure Standards (IFRS S1/S2), or entity-developed criteria, provided the criteria are suitable. ISSA 5000.8-14 defines scope by reference to "sustainability information" without restricting it to a single framework. A voluntary GRI assurance engagement falls within scope once the standard is effective.
Can a non-accountant perform a sustainability assurance engagement under ISSA 5000?
Yes, provided the non-accountant assurance provider complies with the IESBA Code (or requirements at least as demanding) and operates within a firm that applies ISQM 1 or equivalent quality management arrangements. ISSA 5000.A68-A74 addresses the firm-level quality management precondition. Member States transposing the CSRD determine which categories of assurance provider are authorised within their jurisdiction.