ISO 45001: What the Standard Requires and How Sites Meet It

Factory team in high-visibility vests discusses safety with a woman holding a tablet

ISO 45001 is the international standard for occupational health and safety management systems. It sets out what an organisation has to do to identify hazards, control risk, and prevent harm to everyone who works on its sites, including employees, contractors, and visitors. It was published by the International Organization for Standardization and applies to any organisation, of any size, in any sector. The standard describes what a health and safety management system has to achieve. The method is left to the organisation. That distinction matters more than it first appears, because it means two certified sites can run their safety systems in completely different ways and both be compliant. What they share is the underlying logic: understand the risk, put controls in place, check that the controls work, and improve them when they fall short. Where ISO 45001 Came From For most of the two decades before ISO 45001 existed, the reference point for health and safety management was OHSAS 18001, first published in 1999 by a group of national standards bodies and certification houses. It was widely adopted and reasonably well respected. It was also never a true ISO standard, which limited how neatly it could sit alongside the quality and environmental systems most manufacturers were already running. Work on a proper international standard began in 2013. ISO 45001 was published in March 2018, after a drafting process that ran longer than planned and drew comment from more than seventy countries. Organisations holding OHSAS 18001 certification were given a transition period to migrate, and that window closed in 2021. OHSAS 18001 is now withdrawn. What Changed in the Move from OHSAS 18001 Three shifts are worth understanding, because they explain why ISO 45001 feels different to live with. The first is context. ISO 45001 asks an organisation to look outward at the conditions it operates in: regulators, supply chain, community, workforce demographics, and anything else that shapes safety performance. The second is leadership. Responsibility for the safety management system sits with top management and cannot be delegated to an EHS function. The third is worker participation. The standard is explicit that workers at all levels must be consulted on hazards, controls, and the design of the system itself, and that barriers to their participation must be removed. Taken together, these moved health and safety out of the safety office and into the way the site is run every day. How the Standard Is Structured ISO 45001 follows the harmonised structure that ISO uses across its management system standards, which is why it maps cleanly onto ISO 9001 for quality and ISO 14001 for environment. Clauses one to three cover scope, references, and definitions. The requirements sit in clauses four to ten. Clause four covers the context of the organisation and the needs of interested parties. Clause five covers leadership, policy, roles, and worker consultation. Clause six covers planning, which is where hazard identification, risk assessment, legal requirements, and safety objectives live. Clause seven covers support: competence, awareness, communication, and documented information. Clause eight covers operation, including operational controls, management of change, procurement and contractors, and emergency preparedness. Clause nine covers performance evaluation through monitoring, internal audit, and management review. Clause ten covers improvement, including incident investigation, corrective action, and continual improvement. The whole thing runs on the PDCA cycle. Clauses six and seven plan, clause eight does, clause nine checks, and clause ten acts. The Hierarchy of Controls One requirement inside clause eight tends to shape day to day EHS work more than any other. When a hazard has been identified, the standard requires controls to be applied in a set order of preference: eliminate the hazard first, then substitute it for something less hazardous, then apply engineering controls and reorganise the work, then apply administrative controls such as procedures and training, and only then rely on personal protective equipment. Auditors look for evidence that this order was genuinely followed. A risk assessment that jumps straight to PPE and training, without any record of whether elimination or engineering controls were considered, is a common finding. How a Site Adopts ISO 45001 The sequence below is roughly what implementation looks like from the first meeting to a certificate on the wall, and it usually takes somewhere between nine and eighteen months depending on where the site is starting from. Gap Analysis and Scope Work begins by defining which sites, activities, and workers the system will cover, then comparing what already exists against what the standard requires. Most manufacturing sites discover they are already doing perhaps sixty per cent of the work, and that the gaps are in evidence, consultation records, and management review rather than in the safety controls themselves. Building the System Next comes the policy, the hazard identification and risk assessment method, the register of legal and other requirements, the objectives, and the operational controls. This is also when responsibilities are assigned and competence requirements are set. The temptation at this stage is to write a large volume of documentation and call it a management system. Documentation on its own certifies nothing. Internal Audit and Management Review Before any certification body arrives, the organisation has to audit itself against the standard and hold a formal management review covering performance, incidents, audit findings, and the status of objectives. Internal audit maturity is usually the clearest signal of whether a site is ready. Certification and the Three Year Cycle Certification runs in two stages. The first checks that the system exists and is documented. The second tests whether it is working in practice, which means talking to operators, watching work happen, and tracing incidents through to closure. Certificates last three years, with surveillance audits each year and a full recertification at the end. Certification itself is voluntary, and plenty of organisations conform to the standard without being certified to it. What ISO 45001 Means for Daily EHS Operations This is where the standard stops being a document and starts being a way of working. Hazard and near miss reporting