Navigated to SafeGuard EHS — See Every Risk. Protect Every Worker.

    Guide · ISO 45001 compliance

    ISO 45001 certification: requirements & process

    A practical, clause-by-clause guide to ISO 45001:2018 for EHS leaders preparing a certification programme — what the standard requires, how the Stage 1 and Stage 2 audits actually run, the evidence certification bodies sample, and where a native EHS platform generates that evidence automatically.

    What ISO 45001 is

    The international OH&S management system standard

    ISO 45001:2018 is the international standard for occupational health and safety management systems. It replaced OHSAS 18001 in March 2021 and shares the Annex SL high-level structure used by ISO 9001 (quality) and ISO 14001 (environment), so it integrates cleanly with an existing integrated management system. Certification is voluntary — but it is increasingly demanded in enterprise procurement, insurance underwriting, and public-sector tenders as external proof that OH&S controls meet an internationally recognised benchmark.

    Clauses 4–10

    What the standard actually requires

    4

    Context of the organisation

    Identify internal and external issues, interested parties (workers, regulators, contractors, communities), and the scope and boundaries of your OH&S management system. Auditors expect a documented context analysis and a defined scope statement.

    5

    Leadership & worker participation

    Top management must demonstrate leadership, publish an OH&S policy, assign roles and authorities, and — uniquely to ISO 45001 — provide mechanisms for consultation and participation of non-managerial workers. This is the clause new implementers most often underestimate.

    6

    Planning: risks, opportunities & objectives

    Assess OH&S risks and opportunities, identify legal and other requirements, and set measurable OH&S objectives with plans to achieve them. Hazard identification must be ongoing, proactive, and cover routine and non-routine activities, human factors, and change.

    7

    Support: resources, competence, awareness, communication

    Provide the people, infrastructure, and information the system needs. Evidence competence (training records, qualifications), awareness (workers understand the policy and their contribution), and internal + external communication (what, when, to whom, how).

    8

    Operation: controls, MoC, procurement, emergency

    Plan, implement, and control the operational processes needed to meet requirements. Includes the hierarchy of controls, management of change, procurement (including contractors and outsourcing), and emergency preparedness and response with periodic drills.

    9

    Performance evaluation

    Monitor, measure, analyse, and evaluate OH&S performance. Includes evaluation of compliance, internal audit programme, and management review. Certification bodies scrutinise this clause heavily — 'we don't measure it' is a fast route to a major nonconformity.

    10

    Improvement

    Manage incidents and nonconformities, take corrective action, and continually improve the suitability, adequacy, and effectiveness of the OH&S management system. Root cause analysis and effectiveness verification of corrective actions are explicit requirements.

    The certification path

    Six steps from gap analysis to certificate

    1

    1. Gap analysis against ISO 45001:2018

    Map current OH&S practices to Clauses 4–10. Score each clause and sub-clause as conforming, partial, or absent, and produce a remediation backlog. This is not the certification audit — it is your internal readiness check, typically 6–12 months before Stage 1.

    2

    2. Build the OH&S management system

    Publish the OH&S policy, define scope, run risk assessments, capture legal register, define competence and training matrices, and stand up incident, near-miss, corrective action, audit, and management review workflows. Document what you do; do what you document.

    3

    3. Run internal audits and management review

    Certification bodies require evidence that your internal audit programme and at least one management review have been completed before Stage 2. Findings, corrective actions, and effectiveness verification must be on file with dates and owners.

    4

    4. Stage 1 audit (readiness review)

    The certification body reviews your documented system, scope, internal audit results, and management review outputs. They confirm your system is mature enough for a Stage 2 assessment and issue findings you must clear before proceeding.

    5

    5. Stage 2 audit (certification audit)

    On-site assessment of the OH&S management system in operation: interviews with top management and workers, sampling of records (risk assessments, incidents, training, audits), and evidence of worker consultation. Major nonconformities must be closed before certificate issue.

    6

    6. Surveillance and recertification

    Certification is valid for three years, with annual surveillance audits sampling parts of the system. Recertification at year three re-audits the whole system. Continual improvement — evidenced through KPIs and closed corrective actions — is a certification requirement, not a nice-to-have.

    Evidence checklist

    What certification bodies actually sample

    OH&S policy signed by top management

    Clause 5.2

    Scope statement of the OH&S management system

    Clause 4.3

    Worker consultation & participation records

    Clause 5.4

    Hazard identification & risk assessment register

    Clause 6.1.2

    Legal and other requirements register + compliance evaluation

    Clause 6.1.3 / 9.1.2

    OH&S objectives with measurable targets and plans

    Clause 6.2

    Competence and training records by role

    Clause 7.2

    Operational controls, MoC, and procurement records

    Clause 8.1

    Emergency preparedness plans and drill records

    Clause 8.2

    Incident, near-miss, and corrective action records with RCA

    Clause 10.2

    Internal audit programme, reports, and closed findings

    Clause 9.2

    Management review inputs, minutes, and outputs

    Clause 9.3

    Software support

    Where a native EHS platform closes the gap

    Risk & hazard register (Cl. 6.1)

    Live hazard identification and 5×5 risk matrix per site, task, and change — with residual-risk history for audit sampling.

    Incident, near-miss & CAPA (Cl. 10)

    Structured RCA, corrective actions with owners and due dates, and effectiveness-verification workflow before closure.

    Competence & training (Cl. 7.2)

    Role-based training matrices, expiry tracking, and worker-level competence records ready for evidence sampling.

    Legal register & compliance (Cl. 6.1.3 / 9.1.2)

    Jurisdiction-aware obligations with periodic compliance evaluation, evidence attachments, and review cadence.

    Internal audit programme (Cl. 9.2)

    Scheduled audits against ISO 45001 checklists, findings tracker, and CAPA linkage — with an aging tracker for open items.

    Management review pack (Cl. 9.3)

    One-click generation of the Clause 9.3 input pack: KPIs, trends, incident summaries, audit results, and objective status.

    Management of change (Cl. 8.1.3)

    MOC workflow with multi-level approvals, impact assessments, and action items — the evidence auditors expect on any change.

    Immutable audit trail

    Field-level change history across every record, so 'who did what, when' is never a spreadsheet reconciliation exercise.

    Related reading: how to implement a safety management system covers the foundational build that Clause 4–10 conformance sits on top of. The safety audits guide walks through the internal audit programme Clause 9.2 requires before Stage 2 — pair it with our ISO 45001 internal audit checklist for the clause-by-clause evidence questions. The EHS regulatory reporting guide covers the statutory reporting evidence Clause 6.1.3 expects in the legal register. If you're integrating environmental management into the same system, the ISO 14001 environmental management systems guide maps the shared Annex SL clauses so one integrated management system covers both 45001 and 14001.

    FAQs

    ISO 45001 certification — common questions

    See the ISO 45001 evidence trail wired to your live safety data

    SafeGuard EHS ships the risk register, incident and CAPA workflows, competence matrices, audit programme, and management review dashboards Clauses 6–10 require — with an immutable audit trail so surveillance audits stay clean across the three-year cycle.

    We value your privacy

    We use strictly necessary storage to run this site and, with your consent, optional analytics and marketing measurement to improve it. Read our cookie policy.