A clause-by-clause internal audit checklist for ISO 45001:2018 covering Clauses 4 to 10 — the auditable clauses. Use it to prepare for your Clause 9.2 internal audit programme, self-assess before a Stage 2 certification audit, or train new internal auditors on the evidence certification bodies actually sample.
Each item is phrased as an evidence question — the same way certification-body auditors sample. Clauses 1–3 (scope, references, definitions) are informational and not auditable.
Clause 4
Context of the organisation
Is there a written analysis of internal + external issues affecting the OH&S management system (4.1)?
Is the list of interested parties (workers, contractors, regulators, communities) documented with their needs and expectations (4.2)?
Is the scope statement of the OH&S management system documented, and does it justify any exclusions (4.3)?
Are the OH&S processes, their inputs/outputs, and their interactions defined (4.4)?
Clause 5
Leadership & worker participation
Has top management issued a signed OH&S policy that commits to legal compliance, prevention of injury/ill-health, and continual improvement (5.2)?
Are OH&S roles, responsibilities and authorities documented and communicated (5.3)?
Is there evidence of consultation with non-managerial workers on hazard identification, risk assessment, incident investigation, and change (5.4)?
Are the mechanisms for worker participation free of retaliation, cost, or time barriers (5.4)?
Clause 6
Planning: risks, opportunities & objectives
Is hazard identification ongoing and proactive, covering routine + non-routine work, human factors, and change (6.1.2)?
Is there a documented process to assess OH&S risks and opportunities, and the risks/opportunities to the management system itself (6.1.2)?
Is the legal register up to date, with a documented compliance evaluation cycle (6.1.3)?
Are OH&S objectives measurable, resourced, time-bound, and tracked against a plan (6.2)?
Clause 7
Support: resources, competence, awareness, communication
Are competence requirements defined per role, and are training records complete and current (7.2)?
Do workers demonstrate awareness of the policy, their hazards, and consequences of non-conformance (7.3)?
Is there a documented internal + external communication plan (what, when, to whom, how) (7.4)?
Is documented information version-controlled, retrievable, and protected from unauthorised change (7.5)?
Clause 8
Operation: controls, MoC, procurement, emergency
Are operational controls applied using the hierarchy of controls (elimination → PPE) and documented per activity (8.1.2)?
Is there a management-of-change process covering new/altered activities, equipment, and legal changes (8.1.3)?
Are procurement, contractor, and outsourcing controls in place to extend OH&S requirements to third parties (8.1.4)?
Are emergency preparedness plans documented, drilled at least annually, and reviewed after every activation (8.2)?
Clause 9
Performance evaluation
Is there a documented plan for monitoring, measurement, analysis and evaluation of OH&S performance (9.1.1)?
Is compliance evaluation against the legal register performed and evidenced at a defined frequency (9.1.2)?
Is the internal audit programme risk-based, with auditor competence, scope, criteria, and independence documented (9.2)?
Are management reviews held at planned intervals with all Clause 9.3 inputs and documented outputs (9.3)?
Clause 10
Improvement
Are incidents and nonconformities investigated, root-caused, and closed with corrective actions verified for effectiveness (10.2)?
Is there evidence of continual improvement across suitability, adequacy and effectiveness of the OH&S management system (10.3)?
Do trend data (incidents, near misses, audit findings, corrective actions) feed the management review inputs (10.3)?
How to run an ISO 45001 internal audit in six steps
The audit programme required by Clause 9.2, from planning to closing the loop into management review.
Step 1
Plan the audit programme
Build a 12-month audit programme that covers every clause and every site at a frequency proportionate to risk. Assign competent, independent auditors and document their qualifications.
Step 2
Prepare the audit checklist
Use the Clause 4–10 checklist below as the baseline. Add site-specific items for high-risk activities (confined space, LOTO, contractor management) and legal register clauses that apply.
Step 3
Conduct the audit
Interview workers at all levels, sample records, and observe operations. For each checklist item, capture conforming evidence, minor nonconformities, and major nonconformities separately.
Step 4
Report findings
Issue a written report within two weeks: scope, methodology, evidence, findings by clause, and severity. Findings must be traceable back to the specific ISO 45001 clause they breach.
Step 5
Track corrective actions
Log every nonconformity as a corrective action with owner, due date and effectiveness verification. Verification is a separate step — signing the action off is not the same as proving it worked.
Step 6
Feed the management review
Roll the audit results, trends, and open corrective actions into the next management review (Clause 9.3). This closes the ISO 45001 improvement loop and is a mandatory input.
Evidence auditors sample
What certification bodies actually ask for
Recurring evidence gaps that trigger major nonconformities at Stage 2.
Signed OH&S policy
Current version, communicated to workers, aligned to the scope statement.
We use strictly necessary storage to run this site and, with your consent, optional analytics and marketing measurement to improve it. Read our cookie policy.