Key Takeaways
  • ISAE 3000 (Revised) is a general-purpose assurance standard widely used for sustainability engagements since 2015, but it was not designed specifically for sustainability subject matter.
  • AA1000AS v3 uniquely evaluates adherence to the AccountAbility Principles (Inclusivity, Materiality, Responsiveness, Impact) alongside performance data, making it the only standard focused on stakeholder-centric assurance.
  • ISSA 5000 is the IAASB's purpose-built sustainability assurance standard, effective December 2026, designed to address forward-looking information, value-chain data, and qualitative disclosures.
  • ISO/IEC 17029 and ISO 14065 establish the conformity assessment framework for validation and verification bodies, ensuring competence and impartiality through accreditation.
  • Most organizations will transition to ISSA 5000 as the primary standard, potentially supplemented by AA1000AS principles or ISO 14064-3 for GHG-specific work.

Introduction: The Standards Landscape

Sustainability assurance does not have a single, universally mandated standard. Instead, three standards dominate the landscape, each developed by a different body with a different philosophical approach. Understanding these standards — their origins, structures, strengths, and limitations — is essential for organizations selecting an assurance approach and for practitioners delivering assurance engagements.

The three standards are:

  1. ISAE 3000 (Revised) — issued by the International Auditing and Assurance Standards Board (IAASB), the general-purpose assurance standard currently serving as the primary framework for most sustainability assurance engagements globally.
  2. AA1000AS v3 — issued by AccountAbility, a sustainability-focused standard that uniquely evaluates adherence to stakeholder engagement principles alongside performance data.
  3. ISSA 5000 — issued by the IAASB, the first purpose-built international standard for sustainability assurance, approved in 2024 and effective from December 2026.

In addition to these assurance standards, the conformity assessment standards ISO/IEC 17029 and ISO 14065 establish the framework for validation and verification bodies — a related but distinct mechanism for ensuring the credibility of sustainability claims. This guide examines all three assurance standards and the validation/verification framework in detail.

ISAE 3000 (Revised): The General-Purpose Workhorse

Overview and Origin

ISAE 3000 (Revised), formally titled "Assurance Engagements Other than Audits or Reviews of Historical Financial Information," was issued by the IAASB and became effective for assurance reports dated on or after 15 December 2015. It replaced the original ISAE 3000 issued in 2003.

Critically, ISAE 3000 is not a sustainability-specific standard. It is a general-purpose framework applicable to any assurance engagement on non-financial subject matter, including sustainability reports, internal controls, compliance statements, and key performance indicators. Its application to sustainability is a function of market need rather than design intent.

Structure and Requirements

ISAE 3000 (Revised) establishes requirements across the full assurance engagement lifecycle:

  • Preconditions for engagement acceptance: The practitioner must confirm the subject matter is appropriate, suitable criteria exist, the practitioner has access to sufficient evidence, and the conclusion will be meaningful to intended users.
  • Planning: The practitioner must understand the entity's environment, identify and assess risks of material misstatement, and plan procedures to address those risks.
  • Performing procedures: Evidence gathering through inquiry, observation, inspection, confirmation, recalculation, re-performance, and analytical procedures. The nature and extent of procedures depend on whether the engagement is limited or reasonable assurance.
  • Evaluating evidence: Assessing whether sufficient appropriate evidence has been obtained and whether the subject matter information is free from material misstatement.
  • Reporting: Issuing an assurance report containing the conclusion, scope description, criteria identification, and other required elements.

Strengths

  • Widely recognized and accepted: ISAE 3000 is referenced by the CSRD, numerous national regulators, and stock exchanges globally
  • Robust audit methodology: Built on the same principles as financial auditing (ISA standards), providing procedural rigor
  • Flexible: Applicable to any non-financial subject matter, allowing practitioners to address diverse sustainability topics within a single framework
  • Quality infrastructure: Supported by ISQM 1 (quality management) and the IESBA Code of Ethics, ensuring consistent quality and independence
  • Established practitioner base: Thousands of audit firms worldwide are trained in and apply ISAE 3000

Limitations for Sustainability

  • Not designed for sustainability: Lacks specific guidance on sustainability-unique challenges such as forward-looking information, value-chain (Scope 3) data, qualitative disclosures, and evolving reporting criteria
  • Materiality guidance is generic: Does not address the concept of double materiality (financial and impact materiality) central to frameworks like ESRS
  • No stakeholder engagement requirement: Unlike AA1000AS, ISAE 3000 does not evaluate the quality of the organization's stakeholder engagement processes
  • Limited guidance on estimation uncertainty: Sustainability data frequently involves significant estimation (emission factors, Scope 3 calculations), and ISAE 3000 provides limited specific guidance on this

AA1000AS v3: The Stakeholder-Centric Standard

Overview and Origin

The AA1000 Assurance Standard version 3 (AA1000AS v3) was published in 2020 by AccountAbility, a global consulting and standards organization focused on sustainability performance and accountability. The standard's lineage dates back to 2003 (AA1000AS:2003, revised in 2008), making it one of the earliest purpose-built sustainability assurance standards.

AA1000AS is philosophically distinct from ISAE 3000. While ISAE 3000 focuses on whether reported information is free from material misstatement, AA1000AS also evaluates the organization's adherence to the AA1000 AccountAbility Principles — a set of foundational principles that define what it means for an organization to be accountable to its stakeholders.

The Four AccountAbility Principles

  1. Inclusivity: The organization actively identifies and engages with its stakeholders, understanding their needs, expectations, and perspectives. Inclusivity is the foundation — without meaningful stakeholder engagement, the other principles cannot be effectively implemented.
  2. Materiality: The organization identifies and prioritizes the most relevant sustainability topics based on their significance to both the organization and its stakeholders. This goes beyond financial materiality to encompass impact materiality — the concept now embedded in the CSRD's European Sustainability Reporting Standards.
  3. Responsiveness: The organization responds to stakeholder issues that affect its sustainability performance through decisions, actions, and communication. This principle evaluates whether the organization acts on what it learns from stakeholder engagement.
  4. Impact: The organization monitors, measures, and is accountable for how its actions affect its broader ecosystems. This principle focuses on outcomes and systemic effects rather than inputs and outputs alone.

Engagement Types

AA1000AS v3 defines two types of assurance engagement:

Aspect Type 1 Engagement Type 2 Engagement
Scope Adherence to the four AccountAbility Principles only Adherence to the four AccountAbility Principles PLUS specified performance information
Focus Process quality: how the organization engages stakeholders, determines materiality, responds, and measures impact Process quality AND data quality: evaluates both the underlying processes and the reliability of reported performance data
Outcome Conclusion on principles adherence Conclusion on principles adherence and the reliability of specified information
Typical use case Organizations at early stages of sustainability reporting maturity Organizations seeking comprehensive assurance covering both process and data

Strengths

  • Purpose-built for sustainability: Designed specifically for sustainability assurance, with sustainability-relevant concepts embedded throughout
  • Stakeholder focus: The only major assurance standard that evaluates the quality of stakeholder engagement and response, which is increasingly valued by investors and regulators
  • Impact orientation: The Impact principle pushes organizations to consider systemic effects, aligning with the direction of regulations like the CSRD
  • Recommendations permitted: Unlike ISAE 3000, AA1000AS allows (and encourages) assurance practitioners to provide improvement recommendations, adding value beyond the assurance conclusion
  • Double materiality alignment: The Materiality principle's dual focus on organizational and stakeholder significance aligns with the CSRD's double materiality concept

Limitations

  • Narrower regulatory recognition: The CSRD and most jurisdictional requirements reference ISAE 3000 (and will reference ISSA 5000); AA1000AS is not specifically referenced in these regulations
  • Smaller practitioner base: Fewer practitioners and firms are trained in AA1000AS compared to ISAE 3000
  • Less prescriptive methodology: AA1000AS provides less detailed procedural guidance than ISAE 3000, which can lead to variability in engagement quality
  • Quality infrastructure: Does not have the same quality management (ISQM 1) and ethics (IESBA) infrastructure that supports ISAE 3000 engagements

ISSA 5000: The Purpose-Built Future Standard

Overview and Origin

The International Standard on Sustainability Assurance 5000 (ISSA 5000) was approved by the IAASB in September 2024 after an extensive multi-year development process involving public consultation, stakeholder outreach, and coordination with regulators and standard-setters globally. It is effective for assurance engagements on sustainability information for periods beginning on or after 15 December 2026, with early adoption permitted.

ISSA 5000 was created in direct response to the limitations of applying a general-purpose standard (ISAE 3000) to the rapidly growing and increasingly complex field of sustainability assurance. The IAASB recognized that sustainability information has characteristics that differ fundamentally from other types of non-financial information and warranted a dedicated standard.

Why ISSA 5000 Was Created

Several factors drove the development of ISSA 5000:

  • Mandatory assurance is expanding: With CSRD, SEC rules, and ISSB adoption, the volume of sustainability assurance engagements will increase dramatically, requiring a fit-for-purpose standard
  • Sustainability data is unique: Forward-looking information (targets, transition plans), value-chain data (Scope 3 emissions, supply-chain due diligence), qualitative disclosures, and evolving reporting criteria all present challenges that ISAE 3000 does not specifically address
  • Consistency and quality: A common global standard reduces variability in assurance engagement quality and facilitates regulatory acceptance across jurisdictions
  • Profession-agnostic design: ISSA 5000 is designed to be used by both professional accountants and non-accountant assurance practitioners, acknowledging that sustainability assurance requires diverse expertise

Key Features and Changes from ISAE 3000

  • Sustainability-specific materiality guidance: Addresses the concept of materiality in the context of sustainability, including quantitative and qualitative materiality, and acknowledges that different frameworks may define materiality differently (single materiality vs. double materiality)
  • Forward-looking information: Provides specific requirements and guidance for assuring targets, projections, transition plans, and other forward-looking sustainability claims — a type of information rarely encountered in traditional assurance
  • Value-chain data: Addresses the challenges of obtaining evidence for information that extends beyond the entity's direct operations into its upstream and downstream value chain (e.g., Scope 3 emissions, supply-chain labor practices)
  • Qualitative disclosures: Provides guidance on assuring narrative and qualitative sustainability disclosures, which are inherently more judgmental than quantitative data
  • Framework-agnostic: Designed to work with any sustainability reporting framework — GRI, ISSB (IFRS S1/S2), ESRS, CDP, and others — without being tied to any specific criteria
  • Scalable: Applicable to both limited and reasonable assurance engagements, with clear differentiation of requirements for each level
  • Profession-agnostic (with safeguards): Permits use by non-accountant practitioners while requiring adherence to ethical requirements at least as demanding as the IESBA Code

Structure

ISSA 5000 is organized into key sections covering:

  1. Scope and authority
  2. Ethical requirements and quality management
  3. Engagement acceptance and continuance
  4. Planning the engagement
  5. Understanding the entity and its environment
  6. Materiality
  7. Risk assessment and response
  8. Performing procedures (limited and reasonable)
  9. Evaluating misstatements
  10. Forming the conclusion
  11. Reporting

Transition from ISAE 3000 to ISSA 5000

The transition timeline is important for both organizations and assurance providers:

  • Now through December 2026: ISAE 3000 (Revised) remains the applicable standard for sustainability assurance engagements
  • December 2026 onwards: ISSA 5000 becomes effective; early adoption is encouraged
  • Transition period: Assurance providers should begin training teams, updating methodologies, and engaging with clients about the transition during 2025-2026

Organizations should discuss the ISSA 5000 transition with their assurance providers now. Understanding the enhanced requirements — particularly around value-chain data, forward-looking information, and materiality — allows organizations to strengthen their data systems and internal controls before the standard takes effect.

Side-by-Side Comparison

The following table provides a comprehensive comparison of the three standards across key dimensions.

Dimension ISAE 3000 (Revised) AA1000AS v3 ISSA 5000
Issuing body IAASB AccountAbility IAASB
Effective date December 2015 2020 December 2026
Scope All non-financial assurance Sustainability only Sustainability only
Assurance levels Limited and reasonable Moderate (limited) and high (reasonable) Limited and reasonable
Engagement types Single type (varies by assurance level) Type 1 (principles) and Type 2 (principles + data) Single type (varies by assurance level)
Stakeholder engagement evaluation Not specifically addressed Core requirement (Inclusivity, Responsiveness) Considered in understanding the entity
Forward-looking information General guidance only Limited guidance Specific requirements and guidance
Value-chain data Not specifically addressed Not specifically addressed Specific requirements and guidance
Materiality approach Generic Stakeholder-driven materiality Framework-aware (supports single/double materiality)
Practitioner eligibility Professional accountants (primarily) Licensed AA1000 practitioners Profession-agnostic (with ethical requirements)
Recommendations allowed Generally not in the assurance report Yes, encouraged Generally not in the assurance report
CSRD compatibility Yes (currently referenced) Not specifically referenced Yes (designed for CSRD and ISSB)
Quality management ISQM 1 required AccountAbility licensing At least as demanding as ISQM 1
Ethics framework IESBA Code AccountAbility principles At least as demanding as IESBA Code

Validation, Verification, and Assurance: What's the Difference?

While often used interchangeably in casual conversation, validation, verification, and assurance are distinct concepts in conformity assessment. Understanding these distinctions is essential for organizations selecting the right mechanism for their sustainability claims and for stakeholders interpreting the resulting statements.

Defining the Three Concepts

Concept Definition Temporal Focus Example
Validation Confirmation that a claim or statement about the future is plausible, based on available evidence and assumptions Forward-looking Validating a net-zero target for 2050 — is the target achievable given current technology, pathways, and commitments?
Verification Confirmation that a claim or statement about the past or present is truthfully stated, based on evidence Historical/current Verifying a GHG inventory — are the reported Scope 1 and Scope 2 emissions for FY 2024 accurate and complete?
Assurance A broader engagement encompassing both validation and verification, resulting in a formal conclusion expressed with a specified level of confidence Both historical and forward-looking Assuring a full sustainability report that includes both historical performance data and forward-looking targets and commitments

ISO/IEC 17029: Requirements for Validation and Verification Bodies

ISO/IEC 17029:2019, "Conformity assessment — General principles and requirements for validation and verification bodies," is the overarching standard that establishes requirements for organizations performing validation and verification activities. It is not specific to sustainability or environmental claims; it applies to validation and verification in any domain.

Key requirements under ISO/IEC 17029 include:

  • Structural requirements: The body must have a defined organizational structure with clear governance, management, and operational responsibilities
  • Impartiality: The body must demonstrate freedom from conflicts of interest and commercial, financial, or other pressures that could compromise its judgment
  • Competence: Personnel performing validation and verification must have demonstrated competence in the relevant subject matter, methodologies, and applicable criteria
  • Process requirements: Defined processes for planning, performing, reviewing, and reporting on validation and verification activities
  • Management system: Either ISO 9001-based or a management system meeting specified criteria to ensure consistency and continuous improvement

Bodies seeking accreditation under ISO/IEC 17029 are assessed by national accreditation bodies (e.g., UKAS in the UK, ANAB in the US, JAS-ANZ in Australia and New Zealand, NABCB in India) to confirm ongoing compliance with these requirements.

ISO 14065: Environmental Information — Verification and Validation Bodies

ISO 14065:2020, "General principles and requirements for bodies validating and verifying environmental information," builds on ISO/IEC 17029 by adding specific requirements for bodies that validate and verify environmental claims. This includes GHG inventories, carbon footprint statements, environmental product declarations, and other environmental information.

ISO 14065 is particularly important in the sustainability assurance ecosystem because:

  • GHG verification: It is the standard under which verification bodies are accredited to verify GHG inventories under ISO 14064-1 (organization-level) and ISO 14064-2 (project-level), as well as carbon-market mechanisms
  • Emissions trading schemes: Many regulatory carbon markets (EU ETS, California Cap-and-Trade, Korea ETS) require verification by ISO 14065-accredited bodies
  • Voluntary carbon markets: Standards like Gold Standard and Verra require validation and verification by ISO 14065-accredited bodies
  • Environmental claims: ISO 14065 provides the accreditation framework for verifying environmental claims under ISO 14066 (competence requirements) and related standards

The Role of Accreditation

Accreditation under ISO/IEC 17029 and ISO 14065 provides a critical layer of credibility that self-declared competence cannot match:

  • Independent oversight: National accreditation bodies regularly assess validation and verification bodies against the standard requirements, including witness audits of actual engagements
  • Competence assurance: Accreditation confirms that the body has qualified personnel, appropriate methodologies, and effective quality management for the specific scope of work
  • Impartiality safeguards: Accreditation bodies verify that adequate safeguards against conflicts of interest are in place and functioning
  • International recognition: Through the International Accreditation Forum (IAF) and the International Laboratory Accreditation Cooperation (ILAC), accreditation is recognized globally via multilateral recognition arrangements
  • Stakeholder confidence: When a verification or validation statement is issued by an accredited body, stakeholders can have confidence that the body's competence and impartiality have been independently confirmed
Why Accreditation Matters for Sustainability Claims

In an unregulated assurance market, the quality of sustainability assurance varies significantly. Accreditation under ISO 14065 or ISO/IEC 17029 provides the strongest available assurance of practitioner competence and impartiality. Organizations selecting a verification or validation body should prioritize accredited providers, particularly for GHG inventories, carbon credit claims, and regulatory submissions where accuracy is critical and the consequences of error are significant.

How Validation/Verification Relates to Assurance Standards

The relationship between the conformity assessment framework (ISO/IEC 17029, ISO 14065) and the assurance standards (ISAE 3000, AA1000AS, ISSA 5000) can be summarized as follows:

  • ISAE 3000 and ISSA 5000 define how to perform the assurance engagement — the methodology, procedures, and reporting requirements
  • ISO/IEC 17029 and ISO 14065 define who can perform validation and verification — the organizational requirements, competence, and impartiality safeguards for the body itself
  • A verification body accredited under ISO 14065 may apply ISAE 3000 or ISSA 5000 as the engagement-level methodology, or it may apply ISO 14064-3 (the specific verification standard for GHG statements)
  • An audit firm applying ISAE 3000 is subject to ISQM 1 and the IESBA Code rather than ISO/IEC 17029 accreditation, but both mechanisms serve the same goal: ensuring competent, independent, and quality-managed assurance

When Each Standard Applies

Selecting the right standard depends on several factors: regulatory requirements, stakeholder expectations, subject matter, provider type, and organizational maturity.

Use ISAE 3000 When:

  • Your regulatory environment references ISAE 3000 specifically (e.g., CSRD pre-ISSA 5000 adoption)
  • Your assurance provider is an audit firm using IAASB standards
  • You need assurance before ISSA 5000 takes effect (December 2026)
  • The engagement covers a broad range of non-financial information (not only sustainability)
  • Investors or customers specifically request ISAE 3000-based assurance

Use AA1000AS When:

  • Stakeholder engagement quality is a priority and you want this evaluated as part of the assurance
  • Your organization values the improvement recommendations that AA1000AS practitioners provide
  • You want assurance that goes beyond data accuracy to evaluate underlying accountability processes
  • Your assurance provider is a specialist sustainability firm licensed under AA1000
  • You are at an earlier stage of sustainability reporting maturity and want a Type 1 (principles-only) engagement as a stepping stone

Use ISSA 5000 When:

  • The engagement is for periods beginning after December 2026
  • Your disclosures include significant forward-looking information (targets, transition plans)
  • Value-chain (Scope 3) data is material and within the assurance scope
  • You report under ISSB standards (IFRS S1/S2) or ESRS
  • You want the most current, purpose-built standard for sustainability assurance
  • Your provider is willing to early-adopt before the mandatory effective date

Use ISO 14064-3 with ISO 14065-Accredited Bodies When:

  • The scope is specifically GHG inventory verification (Scope 1, 2, and/or 3)
  • Regulatory requirements mandate verification by an accredited body (EU ETS, voluntary carbon standards)
  • You participate in carbon markets or offset programs
  • You need validation of GHG reduction projects or carbon credits

Transition Planning: Preparing for ISSA 5000

With ISSA 5000 becoming effective in December 2026, organizations and assurance providers should be planning their transition now.

For Reporting Organizations

  1. Understand the enhanced requirements: ISSA 5000 will require assurance providers to gather more evidence on forward-looking information, value-chain data, and qualitative disclosures. Organizations should ensure their internal systems can support this
  2. Strengthen data governance: Improve data collection, documentation, and internal controls — particularly for Scope 3 emissions, supply-chain data, and sustainability targets
  3. Discuss with your provider: Understand your current provider's transition timeline and any changes to engagement scope, procedures, or fees
  4. Review reporting frameworks: Ensure your chosen reporting framework (ESRS, ISSB, GRI) is compatible with ISSA 5000 requirements

For Assurance Providers

  1. Train teams: Ensure practitioners understand ISSA 5000's specific requirements, particularly those that go beyond ISAE 3000
  2. Update methodologies: Revise engagement workflows, templates, and quality review processes to reflect ISSA 5000 requirements
  3. Assess competence gaps: ISSA 5000's profession-agnostic design may require teams with broader expertise (environmental science, social impact, governance)
  4. Engage with clients: Proactively communicate the transition and its implications for engagement scope and timing

Combined Approaches

In practice, many sustainability assurance engagements combine elements from multiple standards. This is permissible and often desirable, provided the practitioner clearly states which standards are applied and how.

Common Combinations

  • ISAE 3000 + AA1000AS principles: An audit firm applies ISAE 3000 as the assurance methodology while incorporating AA1000AS's stakeholder inclusivity evaluation to provide a richer assessment
  • ISAE 3000 + ISO 14064-3: The overall sustainability report is assured under ISAE 3000, while the GHG inventory section is verified under ISO 14064-3 by an ISO 14065-accredited team or body
  • ISSA 5000 + sector-specific criteria: After December 2026, ISSA 5000 will serve as the overarching standard, supplemented by sector-specific verification standards (e.g., ISO 14064-3 for GHG, EU ETS MRR for emissions trading)
Practical Guidance

When evaluating assurance proposals, ask your provider to clearly specify: (1) which assurance standard will be applied, (2) which reporting criteria will be used to evaluate the information, (3) whether any specialized verification standards apply to specific subject matter (e.g., GHG data), and (4) what level of assurance (limited or reasonable) will be provided. Clarity on these points ensures you understand exactly what you are getting.

Frequently Asked Questions

What is the difference between ISAE 3000 and ISSA 5000?

ISAE 3000 (Revised) is a general-purpose assurance standard applicable to any non-financial subject matter. ISSA 5000 is a purpose-built standard specifically designed for sustainability assurance, addressing unique challenges like forward-looking statements, value-chain data, and qualitative disclosures. ISSA 5000 becomes effective in December 2026 and is expected to become the primary standard for sustainability assurance engagements globally.

Which sustainability assurance standard should my organization use?

The choice depends on regulatory requirements, stakeholder expectations, and provider preference. For CSRD compliance, ISAE 3000 or ISSA 5000 (after December 2026) is appropriate. For stakeholder-centric assurance emphasizing inclusivity and materiality processes, AA1000AS is well-suited. For GHG inventory verification, ISO 14064-3 applied by an ISO 14065-accredited body is the established approach. Many engagements combine standards.

What is the difference between validation, verification, and assurance?

Validation confirms that forward-looking claims (targets, projections) are reasonable and achievable based on current evidence. Verification confirms that historical information (reported emissions, past performance data) is accurate and complete. Assurance is the broader engagement that encompasses both and results in a formal conclusion. ISO/IEC 17029 and ISO 14065 establish requirements for bodies performing validation and verification.

When does ISSA 5000 take effect?

ISSA 5000 was approved by the IAASB in September 2024 and takes effect for assurance engagements on sustainability information for periods beginning on or after 15 December 2026. Early adoption is permitted. Organizations and assurance providers should begin familiarizing themselves with the standard and planning the transition from ISAE 3000.

Can different assurance standards be used together?

Yes. It is common to combine standards. For example, an engagement might apply ISAE 3000 for the overall assurance methodology while incorporating AA1000AS's stakeholder inclusivity principles. GHG-specific portions may reference ISO 14064-3. ISSA 5000 is designed to be the overarching framework but acknowledges the role of other standards for specialized subject matter.

Sustainability Assurance ISAE 3000 ISSA 5000 AA1000AS