ISO 45001

ISO 45001: an overview

This much-anticipated standard on occupational health and safety (OH&S) management systems was published in March 2018. 

With a global economy, increasingly complex business operating models, extended supply chains, new technologies and associated emerging risks, the need to manage health and safety in a more formal systems-based approach is apparent.

In addition, a greater focus by stakeholders on organisations’ corporate social responsibility agenda means that failures in health and safety can cause significant reputational damage to an organisation.

Published in March 2018, ISO 45001 will enable “global conformity” with a focus on “risk prevention, innovation and continual improvement”.

Key differences

Although it draws heavily on OHSAS 18001, the ISO emphasises that ISO 45001 is a new and distinct standard and not a revision of it. According to the ISO, the main difference is that ISO 45001 “concentrates on the interaction between an organisation and its business environment” while OHSAS 18001 was focused on “managing OH&S hazards and other internal issues”. It goes on to highlight that ISO 45001:

- is process-based rather than procedure-based
- is dynamic in all clauses
- considers risks and opportunities rather than risks only
- requires that the views of interested parties are considered.

In terms of the latter point, it is worth noting that Clause 4 relates to understanding the “needs and expectations of workers and other interested parties”. Guidance to the standard then provides a detailed list of interested parties, noting that some needs may be mandatory (eg legislative compliance) while others may be voluntary. ISO 45001 makes it clear that this consultation must happen at specific points, such as when drawing up an H&S policy.

From a practical perspective, although both OHSAS 18001 and ISO 45001 utilise the Plan–Do–Check–Act concept, there are significant differences in approach. In particular, Clause 4 requires an “understanding of the organisation and its context”. This clause links health and safety to the wider business agenda: in essence, meeting the clause requires a high-level understanding of the important internal and external issues that can significantly impact on the organisation as a whole. This means understanding and influencing the safety culture of the organisation.

Clause 5 places greater emphasis on leadership and commitment. Whereas OHSAS 18001 required top management to demonstrate its commitment and appoint a top manager with health and safety responsibilities, ISO 45001 requires management to be responsible and accountable. Key activities are to ensure:

- health and safety objectives are compatible with the strategic direction of the organisation
- the integration of the OH&S management system requirements into the organisation’s business processes
- appropriate financial, human and organisational resources needed are available
- the importance of effective management and of conforming to the management system requirements is communicated
- organisational culture is led and promoted.

Clause 5 also contains recommendations in relation to the consultation and participation of workers in applying the management system; organisations must “determine and remove obstacles or barriers to participation and minimise those that cannot be removed”.

Clauses 6 to 10 reflect the requirements of OHSAS 18001, but with some differences, such as:

- the need to assess H&S opportunities to improve performance
- more detailed requirements for external communication
- additional clauses in relation to procurement and change implementation.

The clause on procurement is included to recognise the increased use of supply chains and aims to ensure risks are considered and controlled much earlier, at the tender stage.

ISO 45001 also recognises change as a health and safety risk. Where OHSAS 18001 implied management of change, it was generally reactive. ISO 45001 acknowledges that change is a constant element in the business world and should be planned for.

In terms of performance, ISO 45001 has enhanced requirements for monitoring — both performance and the effectiveness of controls.

Migration and integration

Be it certificated or not, organisations utilising the OHSAS 18001 standard will be required to migrate to ISO 45001. Despite the differences in standards, the older standard will still be a solid building block. There is a three-year period for migration, which gives organisations time to consider what action will need to be taken.

A good starting point would be to review the International Accreditation Forum guidance document, Requirements for the Migration to ISO 45001:2018 from OHSAS 18001:2007. This recommends that organisations:

- obtain a copy of the final ISO 45001 (not a draft)
- identify the gaps in the occupational health and safety management system that need to be addressed to meet any new requirements through an impact analysis/gap assessment
- develop an implementation plan to address the impacts and gaps
- ensure that any new competence needs are met and create awareness in all parties who have an impact on the effectiveness of the system
- update the existing system to meet the new requirements and provide verification of its effectiveness
- where applicable, liaise with the Certification Body for migration arrangements.

The ISO has recognised that the proliferation of standards that are subtly or substantially different has caused confusion and inconsistent understanding of implementation. ISO 45001 is based upon the ISO common framework detailed in its Annex SL publication. Annex SL describes the framework for a generic management system so that all management system standards will have the same overall look and feel, but with the addition of discipline-specific requirements.

A key aspect of the Annex SL approach is to enable the integration of the various management systems such as those for environmental management, quality and compliance. Organisations that have more than one formal management system can benefit significantly by merging their systems into one system as part of an enterprise-wide approach. However, there are counterarguments to integration.

The BSI recommends that before commencing integration the organisation should assess its ability to integrate, considering the following areas in advance.

- The extent to which integration should occur taking into account the business case.
- The political and cultural situation within the organisation.
- The levels of competency necessary.
- Legal and other regulatory requirements.
- Clear objectives and aims of the integration project.
- Adequacy of existing arrangements and future needs of the organisation.


Summary

- For organisations wishing to utilise ISO 45001, the cost of implementation will need to be weighed against the benefits.
- Organisational context can be challenging to understand but the completion of a PESTLE exercise can support meeting this clause (where you look at your business and identify the political, economic, social, technological, legal and environmental factors that may impact it).
- It may be challenging in terms of ensuring top management take responsibility and accountability, and will require a well-planned engagement process.
- Migration to ISO 45001 from OHSAS 18001 will require careful planning and potentially additional time and resources to achieve.
- A gap assessment and/or impact analysis is essential if migrating from the older standard.
- Integration with other ISO standards can be achieved with ISO 45001, but should follow careful thought about the benefits and disadvantages of integration.

What is an occupational health and safety management system?

An occupational health and safety management system (OHSMS) is a set of processes and practices that provide a framework for managing the risks to health and safety at work. It aims to prevent work-related injury and ill health and continually improve the organisation’s health and safety performance.

ISO 45001 is not a compliance system — it is a management system (although compliance is a required element of it). It should be part of the whole business strategy. ISO 45001 is applicable to all organisations and businesses, regardless of size and type. It is the successor to BS OHSAS 18001.

Why have an OHSMS?

All business activities, products and services can create health and safety risks. The business benefits of adopting an OHSMS include improved health and safety performance and productivity, and reduced risks and liabilities. In turn, this can lead to a happier workforce, reduced costs and improved reputation.

Implementing an OHSMS demonstrates a high level of commitment to both manage and minimise health and safety risk within the organisation and a willingness to act responsibly by anticipating and responding to the concerns and expectations of the workforce, regulators, investors and other stakeholders.

ISO 45001 — Main Clauses

1. Clause 1. Scope

The scope of an OHSMS should be consistent with an organisation’s health and safety policy. The intended outcomes should aim to:

- enhance health and safety performance
- fulfil compliance obligations
- achieve health and safety objectives.

2. Clause 2. Normative references

There are no normative references for ISO 45001.

3. Clause 3. Terms and definitions

Terms and definitions have been revised from those contained in OHSAS 18001.

4. Clause 4. Context of the organisation

This new section requires organisations to consider external and internal issues that can impact on their strategic objectives and how they influence the scope of the OHSMS and its ability to achieve outcomes. Subsections include:

- understanding the organisation and its context, including external and internal issues that affect its ability to achieve the intended outcomes
- understanding the needs and expectations of interested parties, and which become compliance obligations
- determining the scope of the occupational health and safety management system including organisational units, functions and physical boundaries
- occupational health and safety management system, including enhancing health and safety performance and the OHSMS.

5. Clause 5. Leadership

This takes on a more prominent role in the revised standard, and requires top managers to take responsibility for health and safety policy and the implementation of the OHSMS. Subsections include the following.

- Leadership and commitment — including accountability for the effectiveness of the OHSMS; managers are also responsible for ensuring resources are available, communication is effective, promoting continual improvement and ensuring the OHSMS meets intended outcomes.
- Occupational Health & Safety Policy — it is the role of senior managers to ensure the policy is appropriate and provides a framework for setting health and safety objectives and includes a commitment to fulfil legal requirements.
- Organisational roles, responsibilities and authorities — top managers must ensure relevant roles are assigned appropriately and those responsible report on occupational health and safety performance and ensure the OHSMS conforms to the requirements of the standard.
- Consultation and participation of workers – the organisation should establish and maintain processes to enable consultation with and participation of workers in the implementation of the OHSMS.

6. Clause 6. Planning

This clause refers to actions to address risks and opportunities relating to health and safety, as well as compliance obligations. It also covers setting OHSMS objectives and planning to achieve them. Subclauses include the following.

6.1 Actions to address risks and opportunities.

- General requirements to consider issues, risks, opportunities and other issues to ensure continual improvement.
- Hazard identification and assessment of risks and opportunities — establish, implement and maintain a process to identify hazards, assess risks and opportunities.
- Legal and other requirements — determine and have access to legal and other requirements and take these into account when establishing, implementing and maintaining an OHSMS.
- Planning action — in particular to address risks, opportunities and legal requirements.

6.2 Occupational health and safety objectives and planning to achieve them.

- Occupational health and safety objectives — this involves setting objectives in line with the health and safety policy and ensuring these are measured, monitored and communicated, and updated as necessary.
- Planning actions — including defining what needs to be done and when, what resources are available and who is responsible.

7. Clause 7. Support

This covers key requirements needed to implement an OHSMS with reference to resources, competences, awareness, internal and external communication and documented information.

7.1 Resources — as covered in the Leadership clause, the OHSMS must be properly resourced.

7.2 Competences — determining the level of competence required to ensure workers are competent and retain documented information as evidence of competence.

7.3 Awareness — a requirement for staff to be aware of the health and safety policy, the implications of non-conformance and ability to remove themselves from imminent danger.

7.4 Communication — this relates to both internal and external communication and ensuring that relevant and appropriate information is communicated, including changes to the OHSMS as required.

7.5 Documented information — the term “documented information” includes all records and information required by ISO 45001 and supplementary documentation required for the effectiveness of the OHSMS. This also includes creating, describing, formatting, updating and controlling documents as necessary.

8. Clause 8. Operation

This includes operational planning and control and ensuring these are consistent with hazards and risks. Emergency preparedness and response is also covered in this section.

8.1 Operational planning and control — includes establishing and implementing operating criteria for controlling or influencing processes that are within the OHSMS. Operational control should take account of the need to eliminate hazards and reduce risks. This clause also requires processes to manage change that can impact on health and safety performance and requires processes to effectively manage contractors.

8.2 Emergency preparedness and response — organisations are required to prepare plans to prevent or mitigate impacts from emergency situations and respond to emergencies. This also includes periodically testing and reviewing planned response actions and providing relevant training where required, accompanied by documentation to show these procedures are working.

9. Clause 9. Performance evaluation

The emphasis is on evaluating the activities and operations related to the identified hazards, risks and opportunities. This section also explains requirements for internal auditing and gives a detailed explanation of the occupational health and safety management review.

9.1 Monitoring, measuring, analysis and performance evaluation — focuses on elements of the OHSMS that need to be monitored, measured, analysed and evaluated, and when these procedures should be carried out. Communicating occupational health and safety performance is also required, both internally and externally, as stated.

9.2 Internal audit programme — an essential requirement of the standard, the programme must incorporate frequency, methods, responsibilities, planning and reporting requirements of the audit. The audit criteria and scope should be agreed and audits carried out “objectively” with results reported to relevant management.

9.3 Management review — the review should be carried out at planned intervals, including the status of actions already agreed and any changes to internal and external issues relevant to the OHSMS. The review should also take account of changes to risks and opportunities and the extent to which earlier objectives have been achieved. The output of the review should be an assessment of the effectiveness of the OHSMS, actions to achieve outstanding objectives and implications for business strategies.

10. Clause 10. Improvement

Following the occupational health and safety performance evaluation, this section covers issues that need to be addressed such as nonconformities, corrective action and continual improvement to enhance performance going forward.

10.1 General — following the review the organisation should be able to identify opportunities for improvement and identify actions to achieve intended outcomes of the OHSMS.

10.2 Nonconformity and corrective action — the review will also identify elements of the OHSMS or health and safety performance that do not conform with intended outcomes of the OHSMS. Corrective action to address nonconformities should be taken and the effectiveness of such action reviewed.

10.3 Continual improvement — the review will also highlight where improvements can be made to the OHSMS to enhance overall health and safety performance.

How to implement your OHSMS

1. Set the scope

Determine the scope of the OHSMS, ie what is to be included in it and which locations or sites, etc. It can include the whole of the organisation, or selected departments or functions.

2. Establish the context of the organisation

Issues relevant to the context of your organisation can be classified under three headings.

- Changing expectations on occupational health and safety, internal or external. These might include technological and market changes, or changes in ethical policies or business direction. Perhaps undertake a SWOT (strengths, weaknesses, opportunities and threats) exercise.
- External issues: legal, regulatory, economic, political or cultural. A PESTLE (political, economic, social, technological, legal and environmental) exercise could help here.
- Internal issues: activities, products and services, strategic direction, culture and capabilities that may affect current and future occupational health and safety performance.

3. Focus on leadership

Managers at the highest level in your organisation have ultimate responsibility for ensuring the effective implementation and maintenance of the OHSMS. They must ensure that the occupational health and safety policy and underlying objectives are compatible with the context of the organisation. Leadership involves:

- ensuring that the resources needed for the OHSMS are available
- directing and encouraging staff to contribute to the effectiveness of the management system and promoting continual improvement (compared to BS 18001, ISO 45001 has a much greater emphasis on workforce consultation and participation; it is a leadership responsibility to ensure this is achieved)
- supporting other management roles as applies to responsibility for the OHSMS.

4. Set your health and safety policy

A health and safety policy should incorporate a set of principles and objectives to:

- provide safe and healthy working conditions for the prevention of injury and ill health
- fulfil legal and other requirements
- eliminate hazards and reduce health and safety risks
- commit to worker consultation and participation.

5. Clarify roles and responsibilities

Staff involved in health and safety should have a clear understanding of their roles, responsibilities and level of authority. Consider who will have overall responsibility for the implementation and maintenance of the OHSMS, and for reporting to top management on progress. Maybe start with the Responsibilities of Directors and Senior Managers.

6. Consider risks and opportunities

ISO 45001 requires that risks and opportunities should be incorporated in the planning process by the following means.

- Hazard identification, including considering the design of the work area and the vicinity around it; hazards could relate to occupational health as much as safety.
- Determining legal and other requirements.
- Identifying the risks and opportunities that impact on the OHSMS; in some complex organisations the leadership team may need to decide upon the priorities due to cost considerations.

7. Understand your compliance obligations

ISO 45001 certification requires organisations to comply with health and safety legislation. This requires up-to-date knowledge of the regulations relating to your organisation’s process, an understanding of how compliant the organisation is, and a means of continually monitoring for any changes. A legal register is one way of doing this. Try our simple Legal Register Tool, which can be found at the top of the Home Page, or as a drop-down option under your login name. You can also find relevant legislation by work activity or subject area; remember that each Croner-i topic has a List of Relevant Legislation at the end of its In Depth section.

8. Set health and safety objectives and actions

The risks and opportunities facing the organisation should inform your health and safety objectives. These might include opportunities to eliminate hazards, to adapt work or working practices, or to better monitor health risks. The objectives and other actions of an OHSMS should follow the health and safety policy and flow directly into day-to-day operational controls. As with other management standards, ISO 45001 can be integrated with the Plan-Do-Check-Act cycle.

9. Provide support and COMMUNICATE

Implementing and maintaining an OHSMS that delivers continual occupational health and safety performance improvement will draw on your organisation’s staff. The other resources needed, eg financial, technological, human or material, will depend on your organisation’s activities and processes and the aims set out in the health and safety policy. Communicate clearly with employees and stakeholders to raise staff awareness of health and safety issues and provide training to improve competence levels where required. Clauses 7.4.1, 7.4.2, 7.4.3 and 8.1.4 of ISO 45001 should be read in detail as these outline the processes expected in terms of the types and methods of communication and consultation, whether with the workforce, contractors or other interested parties.

10. Document information

It is important to create and maintain documented information to record and monitor progress and to demonstrate improvements in health and safety performance. Put in place systems to control the organisation’s documents.

11. Control operations

Establishing operational control ensures that OHSMS activities or projects function properly and that any identified risks to safety or occupational health are managed. Consider these Safe Systems of Work or Permits to Work forms.

If your organisation outsources any processes or uses contractors, then the health and safety objectives should consider how far their activities need to be taken into account. This will be proportionate to their contribution to the organisation’s risks and opportunities. The idea that contractors are solely responsible for their own health and safety is not one recognised by ISO 45001 nor, indeed, the law.

Depending on the nature of your organisation’s activities and processes, you will need to prepare plans for emergency situations. This will be proportionate to the risk, ie if your organisation is a small office then the level of planning and provision for emergencies will be very different to that of an oil refinery. This will involve periodically testing and reviewing planned response actions and providing relevant training where required, with documentation. See your Emergency Management Resources for useful forms and training presentations.

12. Evaluate performance

Monitoring, measuring and analysis provide information on the health and safety aspects and impacts relating to your organisation’s activities and processes. Some of these processes may be subject to legal or regulatory requirements, eg noise and vibration. Results from monitoring and measuring should be documented. Accident and near miss records, together with the process for analysing them, would be another example of key records for an OHSMS; for example, an objective to reduce near misses by 20% over a 12-month period can be analysed and reported upon to leadership.

Other internal auditing helps determine whether your OHSMS meets the certifiable requirements of the international standard. Your organisation will need to establish and implement a safety audit programme, including the frequency, methods, responsibilities, planning requirements and reporting on findings.

13. Focus on improvement

Continual improvement is a requirement of ISO 45001 certification. A regular management review is an opportunity to review your OHSMS progress and any operational changes that may be required following the checking, monitoring, auditing and corrective action process to ensure continual improvement of the OHSMS and general health and safety performance, including reviewing the risks and opportunities.

14. Finally, self-declaration or certification?

Your organisation can self-declare that it has fulfilled the specific requirements of its OHSMS and is accountable for its attestation. It can also seek confirmation of its self-declaration by customers and other third parties. ISO/IEC 17050-1 is a useful ISO document often used by suppliers for undertaking self-declaration.

Certification is an independent assessment process, carried out by independent accredited organisations. Using an accredited professional certification body ensures your OHSMS is fit for purpose and conforms to the requirements of ISO 45001.


© All rights reserved by Lloyds IA Certification Services LLC USA. A US Company by Limited Liability, Registered in USA, No: 803191813. LIA Group of Companies.

