ISO 45001:2018 is the international standard for Occupational Health and Safety (OH&S) Management Systems. Published by the International Organization for Standardization in March 2018, it replaced OHSAS 18001 and specifies requirements for an OH&S management system that enables an organisation to proactively improve its OH&S performance, prevent work-related injury and ill health, and provide safe and healthy workplaces. ISO 45001 is structured using the Annex SL High Level Structure, making it compatible with ISO 9001 (Quality) and ISO 14001 (Environmental) management systems for integrated implementation.

What are the core requirements of ISO 45001?

ISO 45001 is structured around ten clauses, with Clauses 4–10 containing the requirements. The key requirements include: Clause 4 — understanding the organisation's context, interested parties, and the scope of the OH&S MS; Clause 5 — demonstrated leadership commitment, OH&S policy, worker participation, and consultation; Clause 6 — risk and opportunity assessment, hazard identification, legal compliance obligations, and objectives; Clause 7 — competency, awareness, communication, and documented information; Clause 8 — operational planning, hierarchy of controls, management of change, and contractor management; Clause 9 — performance monitoring, internal audit, and management review; Clause 10 — incident investigation, nonconformity management, and continual improvement.

ISO 45001: The Complete Guide to OH&S Management System Certification | HSETrack

What Is ISO 45001?

ISO 45001:2018 is the international standard for Occupational Health and Safety (OH&S) Management Systems, published by the International Organization for Standardization in March 2018. It is the successor to OHSAS 18001 and the most widely recognised framework for formal OH&S management system certification worldwide.

The standard specifies requirements for an OH&S management system that enables organisations to proactively improve OH&S performance, prevent work-related injury and ill health, and provide safe and healthy workplaces. Unlike OHSAS 18001, which focused primarily on hazard and risk management, ISO 45001 takes a broader systems approach — requiring organisations to understand their context, engage their workers, and demonstrate visible leadership commitment.

ISO 45001 is structured using the Annex SL High Level Structure — the same framework used by ISO 9001 (Quality Management) and ISO 14001 (Environmental Management). This makes integrated management system (IMS) implementation significantly more efficient for organisations pursuing QHSE certification.

~45,000+

Certifications worldwide

As of 2024, ISO 45001 is one of the fastest-growing management system standards globally

10 clauses

Standard structure

Clauses 1–3 are introductory; Clauses 4–10 contain the actual requirements

March 2021

OHSAS 18001 expired

All OHSAS 18001 certificates became invalid; organisations must hold ISO 45001

For a broader understanding of how ISO 45001 fits within a complete health and safety management system, see our guide to HSE management systems.

ISO 45001 vs OHSAS 18001: Key Differences

Organisations that held OHSAS 18001 certification were required to migrate to ISO 45001 by March 2021. The standards address the same discipline but ISO 45001 is substantially more demanding in several areas:

Aspect	OHSAS 18001	ISO 45001
Context of organisation	Not required	Mandatory — Clause 4.1 and 4.2
Leadership emphasis	General management responsibility	Top management must demonstrate active, visible commitment (Clause 5.1)
Worker participation	Consultation mentioned	Explicit requirement for consultation and participation at all levels (Clause 5.4)
Risk and opportunity management	Hazard and risk focus	Broader risk-based thinking including risks and opportunities beyond hazards (Clause 6.1.1)
Structure	OHSAS-specific structure	Annex SL — compatible with ISO 9001 and ISO 14001 for integrated MS
Contractor management	Limited requirements	Explicit procurement and contractor management requirements (Clause 8.1.4)
Management of change	Implied	Explicit process requirement (Clause 8.1.3)
Performance evaluation	Basic monitoring	Structured monitoring, measurement, analysis, and evaluation (Clause 9.1)

ISO 45001 Clause Requirements (Clauses 4–10)

The normative requirements of ISO 45001 are contained in Clauses 4 through 10. This section provides a practical summary of each clause, its sub-clauses, and how HSETrack supports conformance.

Clause 4: Context of the Organisation

4.1

Understanding the organisation and its context

Determine external and external issues that affect the ability to achieve intended OH&S outcomes. Includes business, cultural, social, technological, economic, legal, and competitive factors.

4.2

Understanding workers' needs and expectations

Identify interested parties (workers, contractors, visitors, regulators, communities) and their relevant requirements. Determine which requirements become compliance obligations.

4.3

Determining the scope

Define the boundaries and applicability of the OH&S MS. Consider internal/external issues, compliance obligations, and the types of work undertaken. Document the scope.

4.4

OH&S management system

Establish, implement, maintain, and continually improve an OH&S MS in accordance with the standard's requirements.

HSETrack: Document and maintain your context analysis, interested party register, and scope statement in HSETrack's compliance module.

Clause 5: Leadership and Worker Participation

5.1

Leadership and commitment

Top management must demonstrate leadership by taking accountability for the OH&S MS, establishing policy and objectives, integrating OH&S into business processes, and actively participating in safety activities.

5.2

OH&S policy

Establish, implement, and maintain an OH&S policy that includes commitments to prevent injury and ill health, comply with legal requirements, eliminate hazards, and continually improve.

5.3

Roles, responsibilities, and authorities

Assign and communicate OH&S responsibilities at all levels. Top management retains overall accountability.

5.4

Consultation and participation of workers

One of ISO 45001's most distinctive requirements. Workers at all levels must be consulted and participate in hazard identification, risk assessment, control determination, and incident investigation.

HSETrack: HSETrack's role-based access and worker-facing mobile reporting tools operationalise worker participation requirements under Clause 5.4.

Clause 6: Planning

6.1.1

Actions to address risks and opportunities

Determine risks and opportunities that need to be addressed to give assurance the OH&S MS can achieve intended outcomes, prevent or reduce undesired effects, and achieve continual improvement.

6.1.2

Hazard identification and risk assessment

Establish a proactive and systematic process for identifying hazards, assessing OH&S risks, and determining controls. Must consider work organisation, social factors, and management of change.

6.1.3

Determination of compliance obligations

Determine and maintain access to all applicable legal requirements and other requirements. Determine how these apply and what needs to be communicated.

6.2

OH&S objectives and planning

Establish OH&S objectives at relevant functions and levels. Objectives must be measurable, consistent with the OH&S policy, monitored, communicated, and updated as appropriate.

HSETrack: HSETrack's risk assessment module, legal register, and KPI dashboard directly support Clauses 6.1.2, 6.1.3, and 6.2.

Clause 7: Support

7.2

Competence

Determine the necessary competence for workers affecting OH&S performance. Ensure workers are competent through education, training, or experience. Retain documented evidence of competence.

7.3

Awareness

All workers must be aware of the OH&S policy, their contribution to the OH&S MS, the implications of not conforming, and relevant incidents and outcomes.

7.4

Communication

Determine the internal and external communications relevant to the OH&S MS — what to communicate, when, to whom, and how.

7.5

Documented information

Maintain documented information required by the standard and determined by the organisation as necessary for the effectiveness of the OH&S MS. Control documented information for suitability, adequacy, and protection.

HSETrack: HSETrack's training records and competency management module provides the documented evidence required by Clause 7.2.

Clause 8: Operation

8.1.1

General operational planning and control

Establish, implement, control, and maintain processes to meet requirements and implement actions determined in Clause 6. Implement the hierarchy of controls.

8.1.3

Management of change

Establish a process for implementing and controlling planned temporary and permanent changes that can impact OH&S performance, including new or modified products, services, processes, and facilities.

8.1.4

Procurement and contractor management

Establish processes to ensure purchased products and services conform to OH&S requirements. Coordinate procurement activities with contractors and establish criteria for contractor selection.

8.2

Emergency preparedness and response

Establish, implement, and maintain processes for potential emergency situations. Include planned response actions, emergency drills, and procedures for providing first aid.

HSETrack: HSETrack's contractor management and permit-to-work modules support Clause 8.1.4 contractor coordination requirements.

Clause 9: Performance Evaluation

9.1

Monitoring, measurement, analysis and evaluation

Determine what needs to be monitored and measured, the methods to be used, the criteria for evaluation, and when the results are to be analysed. Retain documented evidence.

9.2

Internal audit

Conduct internal audits at planned intervals to provide information on whether the OH&S MS conforms to requirements and is effectively implemented and maintained. Maintain an audit programme.

9.3

Management review

Top management must review the OH&S MS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. Retain documented evidence of management review results.

HSETrack: HSETrack's audit management module and KPI dashboards provide the documented performance monitoring evidence required under Clause 9.1 and 9.2.

Clause 10: Improvement

10.1

General — continual improvement

Continually improve the suitability, adequacy, and effectiveness of the OH&S MS to enhance OH&S performance, promote a culture that supports the OH&S MS, and promote worker participation.

10.2

Incident investigation and nonconformity management

React to incidents and nonconformities in a timely manner, determine root causes, implement corrective actions, review the effectiveness of corrective actions, and make changes to the OH&S MS if necessary.

HSETrack: HSETrack's incident investigation workflows and corrective action tracking directly satisfy Clause 10.2 requirements with a complete audit trail.

Conducting an ISO 45001 Gap Analysis

A gap analysis compares your current OH&S management system against the requirements of ISO 45001 and identifies where you are conformant, partially conformant, and not conformant. It is the essential first step in any certification journey — it tells you the scope of work required and prevents unpleasant surprises during the certification audit.

Assemble Your Gap Analysis Team

The gap analysis should be led by the OH&S Manager or a qualified consultant, with input from departmental managers, HSE officers, and worker representatives. Avoid conducting the gap analysis in isolation — the process of discussing requirements with operational teams often surfaces issues that a desk review would miss.

Obtain and Review the Standard

Purchase a copy of ISO 45001:2018 from ISO or your national standards body. Read Clauses 4–10 in full. For each clause and sub-clause, document whether your current system has evidence of conformance, partial conformance, or no conformance.

Review Existing Documentation

Collect all existing OH&S documentation: policies, procedures, risk assessments, legal registers, training records, incident logs, audit reports, and management review records. Assess each document against the relevant ISO 45001 clause. Identify documents that need to be created, revised, or consolidated.

Interview Operational Staff

Document review alone cannot tell you whether procedures are actually being followed. Interview front-line workers and supervisors to understand what actually happens in practice. Discrepancies between documented procedures and actual practice are among the most common nonconformities found in certification audits.

Prioritise Gap Remediation

Categorise each gap by significance: major gaps (likely to result in a major nonconformity that prevents certification), minor gaps (likely to result in an observation or minor nonconformity), and improvement opportunities. Create a remediation plan with named owners, activities, and realistic deadlines for each gap.

Implement Remediation and Verify

Work through the remediation plan systematically, starting with major gaps. After implementing each remediation, verify that the gap has been adequately closed before moving to the next. Allow at least three months of evidence generation (incident reports, inspection records, training completions) before scheduling your Stage 1 audit.

The ISO 45001 Certification Process

ISO 45001 certification is conducted by an accredited Certification Body (CB) — also called a Registrar. The certification audit is a two-stage process followed by ongoing surveillance audits and a recertification audit every three years.

Phase 1: Select a Certification Body

Choose an accredited CB whose accreditation is recognised in your target markets. Key accreditation bodies include UKAS (UK), DAkkS (Germany), ANAB (US), and IAF MLA signatories globally. Request quotes from 2–3 CBs — pricing and auditor expertise vary significantly. Verify that the CB has auditors with experience in your industry sector.

Phase 2: Stage 1 Audit — Documentation Review

The Stage 1 audit (typically 1–2 days on-site or remote) is a documentation review and readiness assessment. The auditor reviews your OH&S MS documentation, confirms that the scope is appropriately defined, assesses your understanding of the standard requirements, and identifies areas of concern for the Stage 2 audit. At the end of Stage 1, you receive a report identifying any issues to address before proceeding to Stage 2.

Phase 3: Stage 2 Audit — Implementation Assessment

The Stage 2 audit (typically 2–5 days on-site, depending on organisation size) assesses whether your OH&S MS is effectively implemented in practice. Auditors conduct interviews, observe work activities, review records, and test the effectiveness of your controls. Any nonconformities (major or minor) must be addressed before or shortly after certification is granted.

Phase 4: Certification Decision and Certificate Issuance

If no major nonconformities are identified, or after major nonconformities are closed, the CB issues your ISO 45001 certificate. The certificate is valid for three years and lists the scope of certification and the accreditation body. Update your company communications, tenders, and pre-qualification submissions to reflect certification.

Phase 5: Surveillance Audits (Years 1 and 2)

Surveillance audits (typically 1–2 days) occur annually in Years 1 and 2 of the certification cycle. They assess continued conformance and progress against improvement objectives. Auditors focus on different areas in each surveillance audit, so you must maintain your OH&S MS consistently throughout the cycle — not just at certification.

Phase 6: Recertification Audit (Year 3)

The recertification audit (similar in scope to the original certification audit) takes place before your certificate expires. It reviews the full OH&S MS to confirm continued conformance and the effectiveness of continual improvement over the three-year cycle. Successfully completing recertification extends the certificate for another three years.

How HSE Software Supports ISO 45001 Conformance

One of the practical challenges in ISO 45001 certification is generating and maintaining the documented evidence required by the standard across Clauses 7.5, 9.1, 9.2, 9.3, and 10.2. Manual documentation approaches — binders, spreadsheets, shared drives — are technically compliant but create significant administrative burden and increase the risk of audit findings related to documentation control.

Clause 6.1.2

Risk Assessment Module

Hazard identification, risk rating, and control documentation with version history for Clause 6.1.2 conformance

Clause 6.1.3

Legal Register

Maintain a live register of compliance obligations with review scheduling and obligation ownership

Clause 7.2

Training Records

Competency records, certificate tracking, expiry alerts, and training compliance reporting

Clause 7.5

Document Management

Version-controlled documented information with access controls and retention scheduling

Clause 9.1

KPI Dashboards

Real-time monitoring and measurement of OH&S performance with exportable management review reports

Clause 9.2

Audit Management

Plan, conduct, and track internal audits with findings linked directly to corrective actions

Clause 10.2

Incident Investigation

Structured investigation workflows, root cause analysis, and corrective action tracking with full audit trail

Clause 5.4

Mobile Reporting

Worker-facing mobile app enables broad workforce participation in hazard reporting and near miss submission

For organisations pursuing ISO 45001 certification, HSETrack's HSE management system provides a single platform that generates the documented evidence required across all normative clauses — reducing audit preparation time and eliminating the risk of records being unavailable when the auditor arrives.

Accelerate Your ISO 45001 Certification with HSETrack

HSETrack provides the documented evidence required across ISO 45001 Clauses 6–10 — risk assessments, incident investigations, audit reports, training records, and KPI dashboards — all in one auditor-ready platform. Start your free trial today.

Start Free Trial HSE Management System

HSE Management System

Build a complete HSEMS aligned with ISO 45001 requirements

HSE Compliance Software

Manage your legal register and compliance obligations (Clause 6.1.3)

HSE Tracking Software

Performance monitoring and KPI dashboards for Clause 9.1

What Is HSE? Complete Guide

Understanding the HSE discipline that ISO 45001 governs

Frequently Asked Questions

What is ISO 45001?

ISO 45001:2018 is the international standard for Occupational Health and Safety Management Systems, published in March 2018. It replaced OHSAS 18001 and specifies requirements for an OH&S management system that enables organisations to proactively improve OH&S performance and prevent work-related injury and ill health. It uses the Annex SL High Level Structure for compatibility with ISO 9001 and ISO 14001.

What is the difference between ISO 45001 and OHSAS 18001?

ISO 45001 superseded OHSAS 18001 in 2018, with all OHSAS certificates expiring in March 2021. Key differences: ISO 45001 requires organisations to understand their context (Clause 4), places far greater emphasis on leadership and worker participation (Clause 5), uses a broader risk-based approach beyond hazard management, and is structured using Annex SL for integration with other ISO standards.

How long does ISO 45001 certification take?

Timelines vary by organisation size and OH&S maturity. Small organisations can typically achieve certification in 3–6 months. Medium-sized organisations take 6–12 months. Large, multi-site organisations can take 12–24 months. The certification audit itself is a two-stage process lasting 3–7 days depending on organisation size.

Does ISO 45001 replace OSHA compliance?

No. ISO 45001 is a voluntary international standard; OSHA is mandatory federal law in the United States. ISO 45001 Clause 6.1.3 specifically requires organisations to identify and comply with all applicable legal requirements. Certification supports but does not substitute for OSHA compliance.

How does HSE software support ISO 45001 conformance?

HSE software supports ISO 45001 across multiple clauses: risk assessment modules support Clause 6.1.2; legal register tools support Clause 6.1.3; training records support Clause 7.2; performance dashboards support Clause 9.1; audit management supports Clause 9.2; and incident investigation workflows support Clause 10.2. A platform like HSETrack provides auditor-ready evidence across all normative clauses in a single system.

Build the Evidence Base for ISO 45001 Certification

HSETrack gives you the risk assessment registers, incident investigation records, audit trails, and performance dashboards that auditors look for across ISO 45001 Clauses 6–10. Start your free trial and build your conformance evidence from day one.

Start Free Trial Explore HSE Management System →