In This Guide
- ISAE 3000 (Revised) is the current workhorse standard for ESG assurance globally, supporting both limited and reasonable assurance levels.
- ISSA 5000 is the IAASB's purpose-built sustainability assurance standard, effective from December 2026, expected to become the global baseline.
- AA1000AS v3 uniquely evaluates both accountability principles and performance data through Type 1 and Type 2 engagements.
- BRSR Core assurance in India uses IAASB standards (ISAE 3000 / ISSA 5000) at reasonable assurance level.
- CSRD assurance in the EU currently defaults to ISAE 3000, with ISSA 5000 expected as the future reference standard.
The ESG Assurance Standards Landscape
The ESG assurance market relies on three primary standards that govern how independent assurance engagements on environmental, social, and governance information are planned, executed, and reported. Each standard was developed by a different body, serves a different primary purpose, and carries different regulatory recognition. Understanding these differences is critical for organizations selecting an assurance approach, and for stakeholders interpreting assurance statements.
The three standards are:
- ISAE 3000 (Revised) -- issued by the IAASB (International Auditing and Assurance Standards Board), a general-purpose standard for assurance on non-financial information
- AA1000AS v3 -- issued by AccountAbility, a standard focused on accountability principles and performance data
- ISSA 5000 -- issued by the IAASB, a purpose-built standard for sustainability assurance, expected to become the global benchmark
Additionally, two foundational standards underpin provider credibility: ISO/IEC 17029 (conformity assessment for verification and validation bodies) and ISO 14065 (requirements for GHG verification bodies). These are accreditation standards -- not assurance engagement standards -- but they are frequently referenced in regulatory frameworks that require accredited assurance providers.
This guide provides a detailed examination of each standard through an ESG lens, followed by a structured comparison to support decision-making.
ISAE 3000 (Revised) for ESG Assurance
ISAE 3000 (Revised), formally titled "Assurance Engagements Other than Audits or Reviews of Historical Financial Information," has been the foundational standard for ESG assurance since its revision in 2013. It was not designed specifically for ESG or sustainability but provides a robust framework applicable to any non-financial assurance engagement.
Structure and Key Requirements
ISAE 3000 establishes requirements across several key areas:
- Ethical requirements: Compliance with the International Ethics Standards Board for Accountants (IESBA) Code, including independence, objectivity, and professional scepticism
- Quality management: Adherence to ISQM 1 (International Standard on Quality Management) for the assurance firm
- Engagement acceptance: Assessment of preconditions including suitable criteria, subject matter, competence, and meaningful assurance level
- Planning and risk assessment: Understanding the entity, identifying risks of material misstatement, and designing procedures to address those risks
- Evidence gathering: Performing procedures sufficient to reduce assurance engagement risk to an acceptable level
- Reporting: Issuing an assurance report with a conclusion expressed in either limited or reasonable form
ISAE 3000 in ESG Context
When applied to ESG assurance, ISAE 3000 requires practitioners to:
- Identify suitable ESG reporting criteria (e.g., GRI Standards, ESRS, BRSR framework, GHG Protocol)
- Assess the risk that ESG disclosures contain material misstatements
- Design and perform procedures including inquiry, analytical review, recalculation, and inspection of supporting documentation
- Consider the reliability of ESG data systems and internal controls
- Apply materiality thresholds appropriate to the subject matter (which may differ from financial materiality)
- Form and express a conclusion on whether the ESG information is free from material misstatement
Strengths for ESG
- Universally recognized by regulators, investors, and rating agencies
- Mature standard with established implementation practices
- Supports both limited and reasonable assurance in a single framework
- Backed by IAASB quality management requirements (ISQM 1/2)
- Compatible with all major ESG reporting frameworks
Limitations for ESG
- Not designed specifically for sustainability -- lacks ESG-specific guidance on materiality, estimates, and forward-looking information
- Does not address assurance of qualitative sustainability narratives or strategy disclosures
- Requires practitioners to exercise significant judgement when adapting general requirements to ESG subject matter
- Does not explicitly address stakeholder engagement or materiality assessment processes
AA1000AS v3 for ESG Assurance
AA1000AS v3, published by AccountAbility in 2020, takes a fundamentally different approach to assurance. Rather than focusing solely on whether reported data is accurate, it evaluates whether the organization's underlying sustainability management processes are robust and whether they adhere to the AA1000 AccountAbility Principles.
The AA1000 AccountAbility Principles
Four principles form the foundation of AA1000AS:
- Inclusivity: Has the organization identified and engaged with its stakeholders in a meaningful way?
- Materiality: Has the organization identified, prioritized, and responded to the most material sustainability issues?
- Responsiveness: Has the organization taken timely and appropriate actions in response to identified sustainability issues?
- Impact: Does the organization monitor, measure, and account for the wider effects of its actions and decisions?
Type 1 vs Type 2 Engagements
AA1000AS v3 defines two engagement types:
| Dimension | Type 1 | Type 2 |
|---|---|---|
| What it evaluates | Adherence to the four AA1000 AccountAbility Principles | Adherence to principles AND reliability of specified performance data |
| Output | Findings and recommendations on processes | Findings on processes plus opinion on data reliability |
| Common use case | Organizations focusing on stakeholder engagement and materiality quality | Organizations wanting comprehensive assurance over both processes and metrics |
| Assurance levels | High or moderate | High or moderate |
Strengths for ESG
- Explicitly evaluates stakeholder engagement quality -- a critical element of ESG credibility
- Assesses materiality determination process, not just data accuracy
- Provides findings and recommendations that drive governance improvements
- Well-suited for organizations using GRI Standards or integrated reporting frameworks
- Recognized by GRI as an appropriate assurance standard for GRI-based reports
Limitations for ESG
- Less widely recognized by financial regulators compared to ISAE 3000
- Not typically accepted as standalone assurance for CSRD or BRSR compliance
- Smaller pool of qualified practitioners compared to IAASB standards
- Quality management requirements are less comprehensive than ISQM 1
ISSA 5000 for ESG Assurance
ISSA 5000, titled "General Requirements for Sustainability Assurance Engagements," represents the IAASB's response to the global demand for a purpose-built sustainability assurance standard. Approved in September 2024 and effective for assurance engagements on sustainability information for periods beginning on or after December 15, 2026, ISSA 5000 is expected to become the global reference standard for ESG assurance.
What Makes ISSA 5000 Different
ISSA 5000 builds on the foundation of ISAE 3000 but introduces several sustainability-specific innovations:
- Sustainability-specific materiality: Recognizes that materiality for sustainability information may be assessed differently from financial materiality, including consideration of impact materiality and double materiality concepts
- Estimates and forward-looking information: Provides guidance on assuring sustainability metrics that inherently involve estimation (e.g., Scope 3 emissions, biodiversity impacts) and forward-looking statements (e.g., net-zero targets, transition plans)
- Qualitative disclosures: Addresses assurance of narrative sustainability disclosures, governance descriptions, and strategy statements -- not just numerical KPIs
- Value chain information: Recognizes the unique challenges of assuring data sourced from beyond the organizational boundary, including supplier-reported metrics
- Multi-framework compatibility: Designed to work with any sustainability reporting framework (ESRS, ISSB, GRI, BRSR, TCFD/TNFD)
- Professional scepticism for sustainability: Addresses the specific biases and challenges that arise in sustainability contexts, including optimism bias in target-setting and cherry-picking of metrics
ISSA 5000 Engagement Workflow
The standard defines a structured engagement flow:
- Preconditions assessment: Evaluating whether suitable criteria exist, the subject matter is appropriate, and the practitioner has the necessary competence
- Engagement acceptance and planning: Defining scope, identifying risks of material misstatement, determining materiality, and planning procedures
- Understanding the entity: Gaining knowledge of the entity's sustainability reporting processes, data systems, governance, and internal controls
- Risk assessment: Identifying and assessing risks of material misstatement at both the overall sustainability information level and the assertion level for specific disclosures
- Designing and performing procedures: Planning and executing procedures responsive to assessed risks, including tests of details, analytical procedures, and inquiry
- Evaluating misstatements: Assessing identified misstatements individually and in aggregate against materiality
- Forming the conclusion: Forming an overall conclusion and expressing it in either limited or reasonable assurance form
- Reporting: Issuing the assurance report in accordance with prescribed elements
Strengths for ESG
- Purpose-built for sustainability -- addresses all major ESG assurance challenges directly
- Expected to become the global baseline referenced by CSRD, ISSB-adopting jurisdictions, and other regulators
- Handles mixed information types (quantitative KPIs, qualitative narratives, forward-looking targets)
- Explicitly addresses value chain data and estimation uncertainty
- Backed by IAASB quality management framework
Current Limitations
- Not yet effective (December 2026 onwards) -- limited practical implementation experience
- Practitioner training and capacity building still in progress
- Some jurisdictions may delay adoption or modify requirements
- Early-stage interpretive guidance still developing
Head-to-Head Comparison Table
The following table provides a detailed comparison of the three standards across key dimensions relevant to ESG assurance decision-making:
| Dimension | ISAE 3000 (Revised) | AA1000AS v3 | ISSA 5000 |
|---|---|---|---|
| Issuing body | IAASB | AccountAbility | IAASB |
| Year of current version | 2013 (Revised) | 2020 (v3) | 2024 (effective Dec 2026) |
| Designed for | Any non-financial assurance | Sustainability / CSR assurance | Sustainability assurance specifically |
| Assurance levels | Limited and reasonable | Moderate and high | Limited and reasonable |
| Principles evaluation | No | Yes (core feature) | No (but considers governance processes) |
| Data reliability assurance | Yes | Type 2 only | Yes |
| Qualitative disclosure assurance | Limited guidance | Through principles lens | Comprehensive guidance |
| Value chain data | Not specifically addressed | Considered through inclusivity | Explicitly addressed |
| Forward-looking information | Not specifically addressed | Not specifically addressed | Explicitly addressed |
| Materiality approach | General (practitioner judgement) | AA1000 materiality principle | Sustainability-specific materiality |
| CSRD acceptance | Yes (current default) | Not standalone (may supplement) | Expected (once effective) |
| BRSR acceptance | Yes | Not specified | Expected (once effective) |
| Quality management | ISQM 1/2 required | AA1000-specific requirements | ISQM 1/2 required |
| Ethical framework | IESBA Code | AA1000 + own requirements | IESBA Code |
BRSR Assurance Requirements
India's BRSR Core framework, mandated by SEBI, requires reasonable assurance on nine ESG attributes for the top listed companies. Understanding how the assurance standards align with BRSR is critical for Indian listed companies and their assurance providers.
SEBI's Requirements
- Assurance must be at the reasonable level (not limited) -- a notable departure from most other jurisdictions
- Assurance must be performed in accordance with standards issued by the IAASB or equivalent national standards
- The assurance provider must be a member of ICAI (for chartered accountant firms) or meet SEBI's specified accreditation criteria
- The nine BRSR Core attributes cover both environmental metrics (GHG emissions, energy, water, waste) and social metrics (gender diversity, wages, supply chain practices)
Standard Mapping
For BRSR Core assurance:
- ISAE 3000 (Revised) is the primary standard used currently, as it is the only effective IAASB standard supporting reasonable assurance on non-financial information
- ISSA 5000 will likely become the preferred standard once effective, given its sustainability-specific design
- AA1000AS v3 is not typically used as the primary standard for BRSR but may supplement an ISAE 3000 engagement for organizations also reporting under GRI
CSRD Assurance Alignment
The EU's CSRD introduces mandatory assurance on sustainability statements prepared under the European Sustainability Reporting Standards (ESRS). The assurance landscape for CSRD has several important characteristics:
Current State
- Limited assurance is required initially (from FY 2024 reporting onwards)
- Most engagements use ISAE 3000 (Revised) as the reference standard
- The statutory auditor or an independent assurance services provider (IASP) may perform the engagement
- Member states are implementing national transposition of the directive, with some variations in provider eligibility
Future Direction
- The European Commission is empowered to adopt a reasonable assurance standard, with a decision expected by October 2028
- ISSA 5000 is widely expected to be the basis for EU-specific assurance standards
- The transition from limited to reasonable assurance will require significant capacity building among assurance providers
- Organizations should prepare for reasonable assurance readiness even before it becomes mandatory
Choosing the Right Standard
Standard selection should be driven by regulatory requirements, stakeholder expectations, and organizational maturity. The following decision framework can guide the selection:
Start with Regulatory Requirements
If your assurance is mandated by regulation, the standard is often predetermined or narrowly constrained:
- BRSR Core (India): ISAE 3000 (Revised) at reasonable assurance level, transitioning to ISSA 5000 when effective
- CSRD (EU): ISAE 3000 (Revised) at limited assurance level, expected to transition to ISSA 5000
- GHG emissions verification: Often ISAE 3410 (a companion to ISAE 3000, specific to GHG statements) or ISO 14064-3
Consider Stakeholder Expectations
- Investors and rating agencies: Prefer ISAE 3000 / ISSA 5000 for their rigour and regulatory backing
- NGOs and civil society: May value the accountability principles focus of AA1000AS
- Customers and supply chain partners: Typically accept any recognized standard, with growing preference for IAASB standards
Evaluate Organizational Maturity
- Early-stage ESG reporters: May start with AA1000AS Type 1 to validate their materiality and stakeholder engagement processes before pursuing data-level assurance
- Data-mature organizations: Should proceed directly to ISAE 3000 / ISSA 5000 for investor-grade data assurance
- Leading organizations: May adopt dual-standard approaches for comprehensive coverage
Dual-Standard Engagements
Some organizations commission engagements that reference more than one standard. For example, an organization might obtain ISAE 3000-based assurance on its GHG emissions and key ESG KPIs while simultaneously engaging an AA1000AS Type 1 evaluation of its stakeholder engagement and materiality processes.
Benefits of dual-standard engagements include:
- Comprehensive coverage of both quantitative data and qualitative processes
- Satisfying diverse stakeholder expectations simultaneously
- Identifying improvement areas across both data quality and governance
However, dual-standard engagements are more complex and costly. They require careful coordination between potentially different assurance teams and clear communication of dual conclusions in the assurance report. Most organizations find that a single standard -- typically ISAE 3000, transitioning to ISSA 5000 -- meets their primary needs.
For most organizations in 2025-2026, ISAE 3000 (Revised) remains the practical default for ESG assurance. Begin preparing for ISSA 5000 by familiarizing your team with its additional requirements, particularly around qualitative disclosures, value chain data, and sustainability-specific materiality. Engage your assurance provider early to discuss the transition timeline and any changes to the engagement approach.
Frequently Asked Questions
What is the difference between ISAE 3000 and ISSA 5000?
ISAE 3000 (Revised) is a general-purpose assurance standard for non-financial information, widely used for ESG assurance since 2013. ISSA 5000 is a new standard developed specifically for sustainability assurance by the IAASB, effective from December 2026. ISSA 5000 introduces sustainability-specific concepts such as materiality for sustainability matters, use of estimates, and qualitative disclosures, making it more fit-for-purpose than the generic ISAE 3000.
Which assurance standard does CSRD require?
The CSRD does not mandate a specific assurance standard but requires limited assurance from an independent assurance services provider. In practice, most EU engagements currently use ISAE 3000 (Revised). The European Commission is expected to adopt ISSA 5000 as the reference standard once it becomes effective, providing a single global baseline for CSRD assurance.
Which standard is required for BRSR assurance in India?
SEBI's BRSR Core framework requires reasonable assurance. While SEBI does not prescribe a specific standard name, the assurance must be performed in accordance with standards issued by the IAASB -- effectively ISAE 3000 (Revised) or, once effective, ISSA 5000. Assurance providers must be members of ICAI or meet SEBI's accreditation criteria.
What is AA1000AS Type 1 vs Type 2?
AA1000AS v3 offers two engagement types. Type 1 evaluates the organization's adherence to the AA1000 AccountAbility Principles (inclusivity, materiality, responsiveness, and impact) without assessing performance data. Type 2 evaluates both adherence to principles and the reliability of specified performance information, making it more comprehensive and suitable for organizations seeking data-level assurance alongside process evaluation.
Can I use more than one assurance standard simultaneously?
Yes. Some organizations commission dual-standard engagements -- for example, ISAE 3000 for investor-grade data assurance combined with AA1000AS Type 2 for stakeholder engagement and materiality process evaluation. This approach provides both quantitative rigor and qualitative process assurance, though it increases engagement complexity and cost.