ISO 45001-2018

ISO 45001:2018


An organization is responsible for the occupational health and safety of workers and others who can be affected by its activities. This responsibility includes promoting and protecting their physical and mental health.

The adoption of an OH&S management system is intended to enable an organization to provide safe and healthy workplaces, prevent work-related injury and ill health, and continually improve its OH&S performance.

Aim of an OH&S management system:

The purpose of an OH&S management system is to provide a framework for managing OH&S risks and opportunities. The aim and intended outcomes of the OH&S management system are to prevent work-related injury and ill health to workers and to provide safe and healthy workplaces; consequently, it is critically important for the organization to eliminate hazards and minimize OH&S risks by taking effective preventive and protective measures.

When these measures are applied by the organization through its OH&S management system, they improve its OH&S performance. An OH&S management system can be more effective and efficient when taking early action to address opportunities for improvement of OH&S performance.

Implementing an OH&S management system conforming to this document enables an organization to manage its OH&S risks and improve its OH&S performance. An OH&S management system can assist an organization to fulfil its legal requirements and other requirements.

Success factors:

The implementation of an OH&S management system is a strategic and operational decision for an organization. The success of the OH&S management system depends on leadership, commitment and participation from all levels and functions of the organization.

The implementation and maintenance of an OH&S management system, its effectiveness and its ability to achieve its intended outcomes are dependent on a number of key factors, which can include:

  • a) top management leadership, commitment, responsibilities and accountability;

  • b) top management developing, leading and promoting a culture in the organization that supports the intended outcomes of the OH&S management system;

  • c) communication;

  • d) consultation and participation of workers, and, where they exist, workers’ representatives;

  • e) allocation of the necessary resources to maintain it;

  • f) OH&S policies, which are compatible with the overall strategic objectives and direction of the organization;

  • g) effective process(es) for identifying hazards, controlling OH&S risks and taking advantage of OH&S opportunities;

  • h) continual performance evaluation and monitoring of the OH&S management system to improve OH&S performance;

  • i) integration of the OH&S management system into the organization’s business processes;

  • j) OH&S objectives that align with the OH&S policy and take into account the organization’s hazards, OH&S risks and OH&S opportunities;

  • k) compliance with its legal requirements and other requirements.

History & Revision Updates:

An international management system standard focusing on an organization's OH&SMS.

  • Not an "ISO" standard earlier; however, it is now structured to be compatible with ISO 9001 and ISO 14001.
  • Applicable to any organization - all sizes at any locations with any activities.
  • BS OHSAS 18001 standard: Developed by a consortium of 13 leading European international certification bodies and released in April 1999.
  • Amended in Nov 2002 (Amendment 1: 2002). New version OHSAS 18001:2007 released on 1st July, 2007.

ISO 45001 was released on 12th March 2018 and will replace OHSAS 18001:2007.


There are many differences, but the main change is that ISO 45001 concentrates on the interaction between an organization and its business environment while OHSAS 18001 was focused on managing OH&S hazards and other internal issues. But the standards also diverge in many other ways:

  • ISO 45001 is process-based – OHSAS 18001 is procedure-based
  • ISO 45001 is dynamic in all clauses – OHSAS 18001 is not
  • ISO 45001 considers both risk and opportunities – OHSAS 18001 deals exclusively with risk
  • ISO 45001 includes the views of interested parties – OHSAS 18001 does not

These points represent a significant shift in the way health and safety management is perceived. OH&S is no longer treated as a “stand alone”, but must be viewed within the perspective of running a sound and sustainable organization. That being said, although the two standards differ in their approach, a management system established in accordance with OHSAS 18001 will be a solid platform for migrating to ISO 45001.

Who does the ISO 45001:2018 standard apply to?

ISO 45001:2018 is applicable to any organization that wishes to establish, implement and maintain an OH&S management system to improve occupational health and safety, eliminate hazards and minimize OH&S risks (including system deficiencies), take advantage of OH&S opportunities, and address OH&S management system nonconformities associated with its activities.

ISO 45001:2018 helps an organization to achieve the intended outcomes of its OH&S management system. Consistent with the organization's OH&S policy, the intended outcomes of an OH&S management system include:

        a) continual improvement of OH&S performance;

        b) fulfilment of legal requirements and other requirements;

        c) achievement of OH&S objectives.

ISO 45001:2018 is applicable to any organization regardless of its size, type and activities. It is applicable to the OH&S risks under the organization's control, taking into account factors such as the context in which the organization operates and the needs and expectations of its workers and other interested parties.

ISO 45001:2018 does not state specific criteria for OH&S performance, nor is it prescriptive about the design of an OH&S management system.

ISO 45001:2018 enables an organization, through its OH&S management system, to integrate other aspects of health and safety, such as worker wellness/wellbeing.

ISO 45001:2018 does not address issues such as product safety, property damage or environmental impacts, beyond the risks to workers and other relevant interested parties.

ISO 45001:2018 can be used in whole or in part to systematically improve occupational health and safety management. However, claims of conformity to this document are not acceptable unless all its requirements are incorporated into an organization's OH&S management system and fulfilled without exclusion.


Companies certified against OHSAS 18001 may use the transition period to migrate their existing management systems to ISO 45001, for example in the context of a previously planned audit. This typically requires an additional day of auditing. Furthermore, certification bodies for these audits must meet all the requirements of IAF MD 22:2018, published in January under the title Application of ISO/IEC 17021-1 for the Certification of Occupational Health and Safety Management Systems (OH&SMS). This may also affect the length and procedure of the audit.
Now is a good time to start familiarizing yourself with the requirements of ISO 45001. This allows you to effectively estimate the effort involved in the upcoming changeover.

10 fantastic benefits of ISO 45001:

1. Positions your business as industry leaders

By implementing the most up-to-date occupational health and safety standard, your organization will be seen as an elite category of business, and be internationally recognized. It is a level of excellence that is acknowledged worldwide and will help to set you apart from your competitors.

2. Increases trust

By demonstrating that you are actively facilitating continuous improvement of your employees’ morale, safety and performance, it will enable people to trust you and hold you socially accountable for your staff’s well-being. Being transparent and promoting your corporate social responsibility efforts can have a huge impact on how the public, your future employees and prospective clients perceive your business.

3. Consistency means efficiency

ISO 45001 creates an organization built around best practice. This is then mirrored across the company and sets a standard for managing risks. Having a strong, consistent standard means that the organization is more efficient across the board.

4. Lowers insurance premiums

Simply implementing ISO 45001 provides a platform to attract lower insurance premiums, as it proves the organization is performing strong due diligence in managing and protecting its employees.

5. Improves individual safety as well as organizational

ISO 45001 has been widely anticipated by the global business community because it addresses the personal health and safety risks to the individual of any process or use of machinery within an organization. This relates both to their mental health and physical safety within your workplace.

6. Improves managerial oversight

This particular ISO ensures responsibility and ownership lies with safety management personnel or top level management. By having the involvement of top leadership and a clearly communicated process for identifying hazards, the occupational health and safety of employees is continually improved over time.

7. Preventative risk and hazard assessment

Implementing ISO 45001 helps your organization prevent risks as opposed to reacting to them once they are detected by others. The internal auditing system provides an ‘early warning system’ to help you spot potential threats to health and safety.

8. Increases return on investment (ROI)

There are various ways that ISO 45001 will provide ROI for your organization. By implementing ISO 45001, the efficiency of your staff improves, whilst workplace injury reduces. This means your productivity levels can be improved significantly across the board. This improvement in productivity and general employee safety can have a positive impact on the insurance premiums for your organization. A by-product of this is that work-related insurance claims decrease and further improve the cost of insurance for the business.

9. Occupational focus:

The focus is primarily on the employees' physical and mental well-being at work as opposed to the quality management of the workplace systems and tools that are used. This is an important factor to recognize when looking to implement ISO 45001 into your organization, as it improves staff morale, which has a significant impact on staff turnover and retention rates.

10. Deals with risk and opportunities:

Fundamentally, it deals with both the risk and opportunities whereas OHSAS 18001 and previous standards primarily deal with the risks presented by an organization.


Like the BS OHSAS 18001 policy, the new ISO 45001 standard is based on the ‘Plan Do Check Act’ (PDCA) model. ISO 45001, in the same way as other standards, is aligned with what is referred to as the HLS ‘High Level Structure’ (standardized structure, text modules and definitions) and therefore facilitates integration into management systems which have been implemented with several standards. The company context also gains in significance. The topics of occupational health & safety management and continual development are brought to the fore as the central focus of a company. The opportunity therefore arises for companies to align their strategic direction with the occupational health & safety management system.

ISO 45001 illustrates that companies must think beyond their own horizons when it comes to occupational health & safety and that working conditions must also be taken into account for suppliers and service providers.

The Plan-Do-Check-Act cycle:

The “Plan-Do-Check-Act” cycle (PDCA) is critical to the operation of the Occupational Health & Safety Management System as specified by ISO 45001:2018, in terms of achievement against set objectives and continual improvement. It can be described as follows:

Plan: the establishment of objectives, and the processes that may deliver them, in harmony with the Occupational Health & Safety Policy established by the organization

Do: the implementation of the planned processes

Check: the monitoring and measuring of results versus the Occupational Health & Safety Policy, including all commitments, objectives, and criteria, and the reporting of them

Act: the consequent actions taken to ensure continual improvement

It should be noted that the PDCA cycle is a recognized management system methodology that is used across various business management systems, but its use is both compulsory and highly beneficial within ISO 45001:2018. The standard is written so that the sections of the ISO

Risk Based Thinking/Audits


Risk Based Thinking (RBT) is a central tenet of ISO 45001. RBT requires the Management Team to continually assess the issues that affect OH&S aspects of an organization and ensure that appropriate targets, resources and controls are in place. RBT empowers organizations to make dynamic changes to their objectives and focus, whilst at the same time ensuring that resources are in place to control changes and unforeseen circumstances.

In relation to OH&S, risk-based thinking extends to areas outside of the organization which may influence safety.

For example, procurement of products and services (including contractors) and the impact of supplied products and services. The organization must determine the methodology for risk-based thinking with consideration of compliance obligations and the participation of workers.

For operational aspects the standard clearly defines the hierarchy of control for hazard identification and the reduction of risks with the involvement of workers. This methodology requires the organization to reduce risks associated with hazards to a reasonably practicable level.


Internal audits are taken at a moment in time to determine if policies and practices are effective and achieving the intended aim. The internal audit is an opportunity to engage with workers and to capture a true reflection of processes. Audits may identify positive evidence of conformity including compliance obligations, however through inspection and observation they may identify improvement opportunities and non-compliance in breach of the management standard.


Developing an audit plan does not have to be a complicated process. Through risk-based thinking, a series of audits can be scheduled to focus on areas of higher risk and to engage with identified groups of workers. It’s up to the organization to determine the frequency, provided it is defined. In addition to operational aspects, the plan will cover core processes including compliance obligations, management review and documented information.


A less formal approach may be adopted in addition to the audit plan by conducting ‘walk through’ audits. These may be conducted by senior leadership or at operational level to inspect areas of the organization against pre-determined questions. This is a further opportunity to engage with workers, promote communication and build a positive safety culture within the organization.


Second party audits are usually conducted by customers or organizations on their behalf; however, they may be conducted by regulators to ensure the organization complies with legal requirements. External audits are a useful way to substantiate an organization's OH&S claim and to gather first-hand information and contact with workers prior to commitment to a formal business relationship.

Second party audits may be planned; however, regulators may not provide notice, which emphasizes the requirement to ensure OH&S organizational requirements are prepared.


Third party audits are conducted by UKAS accredited certification bodies such as NQA in compliance with the ISO 45001 OH&S standard. Depending on the number of employees, sites, risk and complexity of the organization, the certification body will determine the number of audit days required to cover the full scope of the standard. Prior to certification, the organization may consider a gap analysis conducted by either a consultant or a certification body to identify gaps against the OH&S standard.

Certification is a demonstration to interested parties including workers, customers and regulators that there is:

  • A mechanism for regular assessment to monitor and implement compliance obligations

  • Regular assessment to monitor and improve OH&S processes

  • Identification of hazards and reduction of OH&S risk

  • Regular review and assessment of OH&S risk and opportunities

  • Worker participation in the decision-making process to ensure a safe working environment, continuous improvement and safety culture

Section 1: Scope

For registration all clause requirements must be applied. This section sets the intent and parameters within which the ISO 45001 OH&S management standard can be used to attain its intended outcome.

The intended outcome of the OH&S management system is for the organization to:

  • Provide a safe and healthy workplace(s)

  • Prevent work related injury and / or ill health

  • Proactively monitor and improve OH&S performance

  • Eliminate hazards and minimize OH&S risks (including system deficiencies)

  • Take advantage of OH&S opportunities and address management system non-conformities associated with its activities

  • Fulfil legal and other requirements

  • Achieve OH&S objectives

  • Integrate other aspects of health and safety including worker wellness / wellbeing

This section makes it clear that the standard does not address issues such as product safety, property damage or environmental impacts beyond the risks they present to workers and other relevant interested parties.

Section 2: Normative References

References to ‘normative references’ are common across all management system standards; however, in the case of ISO 45001 there are no normative references.

If applicable to a standard, normative references are essential documents used for the application of the document. In other words, the reference document is considered essential for the application of the referenced standard.

ISO 45001 provides a bibliography with further information including associated ISO management standards.

Section 3: Terms and Definitions

ISO standards are written in such a way that their meaning can be open to interpretation. As with all standards, this interpretation can lead to confusion. To assist the user section 3 of the standard provides prescriptive terms of definition to prevent the wrong interpretation.

It is highly recommended that persons responsible for implementation of the standard clarify and have a clear understanding of words described in this section. For example, ‘worker’ may be interpreted without guidance as an operator who works in a factory, when in reality a worker covers many different occupational aspects including agency, contractors, all employees including Top Management and external provider staff.

Each term is listed in accordance with the hierarchy of concepts reflecting the sequencing of the introduction of the standard. In addition to the term or definition, notes provide further information and clarity.
If an electronic version of the standard has been purchased the definitions are hyperlinked to other definitions so that their interrelationships can be seen.


‘Annex A’ of the standard provides useful clarification of selected concepts in relation to OH&S to avoid misunderstanding. Concepts including:

  • Continual

  • Ensure

  • Interested party

  • Documented information

If the organization requires the use of specific industry related terms and their meanings relative to the OH&S system, these terms can be used, however they must still conform to the ISO 45001 document.

Section 4: Context of the Organization

The rationale of this clause is that the system focuses on the processes and requirements needed to achieve the OH&S policy objectives. This can be achieved by understanding the organization and the ‘context’ in which it operates. Clause 4 also sets out the requirements for the ‘Scope’ and the system to be defined, and the subsequent high-level planning of the system to achieve the objectives.

Understanding the context of the organization is usually conducted by senior leadership with information about the business and activities gathered at every level of the organization. Discussion points focus on internal and external issues which have an impact on the OH&S system.

Clause 4 has four sub-clauses that each set out an element of what is needed to define the Context of the Organization, and to design the OH&S management system.

These four requirements follow a sequence:

  • In 4.1: Clarification of the strategic aims of the organization and determination of any issues that could affect these aims being achieved.

  • In 4.2: Consideration of the interested parties (Stakeholders) including workers to the organization and how they can affect how the organization operates.

  • In 4.3: Setting the scope of the OH&S Management System from the information discussed and considered in 4.1 and 4.2

  • In 4.4: Laying out a design for the OH&S management system and the high-level planning around it


Clause 4.1 requires the provision of a high-level understanding of key issues that can affect OH&S both positively and negatively within the organization. Using this information will help develop an understanding of internal and external issues and the interaction of activities to help plan and develop controls within the system.


Internal and external issues are circumstances, characteristics and changes which can positively or negatively influence the OH&S management system. ‘Annex A’ of the standard has been developed to provide examples of internal and external issues. Below are typical examples, however each issue will be focused on the individual organization:

  • External issues

    • Cultural, social, political, legal, financial, technological, economic and natural surroundings including the environment in which the organization operates

    • Who the competitors are and any contractors, subcontractors, suppliers, partners and providers

    • National and international law

    • Industry drivers and trends which have influence on the organization

    • The organization's products and services and their influence on occupational health and safety

  • Internal issues

    • Governance, organizational structure, roles and accountabilities

    • Policies, objectives and the strategies in place to achieve them

    • Resources (including human), knowledge and competence

    • OH&S culture within the organization and the relationship with workers

    • Process for the introduction of new products, materials, services, tools, software, premises and equipment

    • Working conditions

With the information that is gathered during discussions at all levels of the organization to determine context, it is recommended this information is placed into a report. The benefit of this is it provides a cohesive explanation and a good reference to support present and future business strategy. (For review of context refer to section 9).


‘Interested parties’ is the preferred term introduced by ISO; however, they are commonly referred to as ‘Stakeholders’. Unlike other common standards, this clause introduces the term ‘Workers’, which is a broad term as described in section 3 of the standard, ‘Terms and definitions’.

This section requires the determination of, in addition to workers, interested parties that can influence OH&S positively and negatively. Once it has been decided which interested parties are relevant and significant, their needs and expectations within the OH&S management system should be addressed.

Remember when considering interested parties, some needs and expectations are mandatory and incorporated into law and regulatory requirements therefore must be considered. Having defined who your Interested Parties are, ISO 45001 requires that you determine their potential and actual effects.

Interested parties can be documented in the form of a map:


From the context information gathered in 4.1 and understanding of needs and expectations of workers and interested parties in 4.2 the ‘scope’ can be developed. The Scope sets out the areas of the business that are going to be managed in the OH&S Management System.

Usually, this will include the key processes and activities that are engaged in the service or production of goods, including any customer facing activity and post-delivery warranty work. Where an organization is complex, the scope is used to ring-fence only the activities or locations where the system is being used. This can be referred to as ‘boundaries of applicability’.


From the information gathered in 4.1, 4.2 and 4.3 the standard requires the design and integration of processes within the management system to satisfy the requirements of ISO 45001. This may include such processes as design and development, procurement, marketing and manufacturing.

Section 5: Leadership

Critical to the success of the OH&S management system is leadership and commitment from ‘Top Management’. The expectation on leaders within an organization is to become champions of the system and provide the necessary resources to protect workers from harm.

This section provides the tone and expectation on senior leadership to take an active part in the OH&S system and generation of a positive health and safety culture within the organization.

The following are examples of how leadership can be demonstrated within the OH&S management system:

  • Take overall responsibility and accountability for the prevention of work related injury / ill health, as well as the provision of a safe and healthy work environment

  • Facilitating positive culture and continual improvement

  • Ensure the OH&S system is integrated within business processes

  • Promote communication internally and externally and at all levels (cascading from the top)

  • Protect workers from reprisal when reporting incidents, hazards, risk and opportunities

  • Provision and support for safety committees

For an external audit the expectation is for senior leadership to be at the heart of the OH&S management system with a clear demonstration of understanding the system.


An OH&S Policy is a ‘Statement of Intent’ or ‘Mission Statement’ which sets out the framework to manage the Occupational Health and Safety Management System. The OH&S policy is approved by senior leadership and will drive the controls that are in place and the actions that are carried out to improve it.
The standard specifically requires that the OH&S policy should include commitments to:

  • Provide a framework for setting objectives

  • Provide safe and healthy working conditions for the prevention of work related injury and / or ill health

  • Eliminate hazards and reduce OH&S risks

  • Continual improvement of the OH&S system

  • Consultation and participation of workers and where they exist worker representatives

  • Fulfilment of legal and other requirements


This section requires the organization to define clear roles, responsibilities and authorities throughout the organization. It is recognized that overall responsibility for the OH&S management system falls to ‘Top Management’ however individuals must take account of their own health and safety and that of others.

Consider documenting roles, responsibilities and authorities within high-level and localized organizational charts. Individual policies and work instructions may also include responsibility and authority however competence must be considered.


A key factor for the success of an OH&S system is to ensure there are clear lines of communication, consultation and participation of workers with sufficient allocation of time and resources. This section requires the development of processes to ensure information that has an impact on OH&S is communicated at all levels of the organization.

This can be achieved in many different ways depending on the scope and scale of your organization.

Here is a selection of suggested methods of promoting consultation and participation of workers:

  • Periodic meetings with senior leadership to discuss processes including OH&S issues

  • Safety committee with worker representatives (where required)

  • Identification and elimination of hazards (risk assessments)

  • Development of training Tool Box Talks and presentations (This may include training tools for workers outside of your organization such as visiting contractors)

  • Development of Safe Systems of Work and Work Instructions

  • Cross communication between sites within the organization

  • Near miss reporting schemes with follow up actions including root cause analysis

  • Site tours

  • Open door policy to talk to a safety or HR representative

  • OH&S suggestion boxes

  • Communication – Notice boards, newsletters, email, blogs, health promotion campaigns

Once a selection of methods of consultation and participation of workers has been chosen, consider documenting the methodologies within a process. This will enable the organization to periodically check the process within your audit programme to ensure any identified requirements have been fulfilled.

Section 6: Planning

Planning is one of the key components of any management system. ISO 45001 is based on the ‘Plan-Do-Check-Act’ cycle, where planning is used to set the actions in motion for how the system will work.

Planning occurs at several points in the framework for the OH&S management system. In order to set out the management system, planning is required using information gathered in clause 4. At various points in time there will be the need to ‘plan’ again; this includes the periodic planning for achieving objectives that are set and reviewed, and also in the event of a ‘change’ which could arise from a planned or unplanned event.

The requirements are to:

  • Plan the actions based on risk assessment to manage risks and opportunities in the prevention of undesired effects including work related injury or ill health

  • Manage events and continually determine risk and opportunities for both workers and the OH&S system

  • Establish and manage objectives

  • Plan and manage changes to the system and re-evaluate once change has been made

  • Consider relationships and interactions between activities

  • Define a methodology for hazard identification

  • Define the methodology for identification and management of legal and other requirements

  • Understand the knowledge within the organization to manage activities safely


Hazard identification is fundamental in the planning process to prioritize actions to address risks and opportunities. Using the ‘Hierarchy of Controls’ (see illustration opposite) the standard requires the organization to conduct risk assessment based on internal and external activities.
Hazard identification will enable the organization to recognize and understand hazards in the workplace. It will also allow workers to assess, prioritize and eliminate hazards or to reduce OH&S risks. Hazards can appear in many different circumstances and conditions including physical, chemical, biological, psychosocial, physiological, mechanical, electrical, or those based on movement and energy.

Consideration must also be given to the types of activity including the following:

  • Groups of workers exposed to the hazard

  • Shift work, hours of activity, lone working, supervision

  • Human factors including demanding physical activities

  • Design of the workplace, for example segregation of traffic and pedestrian routes

  • Changes in work pattern including increase or decrease in productivity

  • Noise, cold, heat

  • Legal requirements and mechanism to adapt to changes in legal requirements

  • How the risk assessment will be communicated and subsequent worker training of control measures

  • Emergency situations such as unplanned events including fire and loss of power

  • Availability of resources to ensure hierarchy of controls can be applied to risk assessment findings

The organization needs to be confident that during the risk assessment process it is adhering to the latest applicable legal and other requirements. The legal and other requirements process of assessment will vary depending on the complexity of the business.

Sources of information may be gathered in many ways including:

  • Subscription to publisher legal update newsletters

  • Membership of trade associations

  • Research via reputable government websites

  • Use of competent consultants

  • Competent employee membership of occupational health and safety institutes

  • Employee attendance of occupational health and safety training courses

Following the initial assessment of compliance obligations, the organization may consider placing the relevant information in a document. A spreadsheet may be useful for this purpose.
A live document may include the following information and be referenced within individual risk assessments:

  • Name and reference number of regulation / requirement

  • Revision status

  • Date the regulation was last reviewed

  • Competent person responsible for reviewing the requirement

  • Area of the organization the requirement impacts including a short description of activity and associated documented information

  • A hyperlink or description of the source of information

  • Name and customer / external provider contact details if relevant to ‘other requirement’

  • Next review date


Following the hazard identification process, the organization should plan actions in order of priority to reduce risk. The consequences of these actions should be considered before they are introduced. Planning actions, including the introduction of control measures, must be within the framework of the OH&S management system.

Control measures may be either integrated into existing quality system work instructions or based on risk and developed into a dedicated Safe Systems of Work. Tasks may be delegated by senior leadership individually or as a collective group.

Tasks will be allocated to persons based on competency with consideration as to how any training will be delivered to different groups of workers.


It is a requirement of the standard to set achievable OH&S objectives with the means to periodically measure progress, demonstrating continuous improvement. Often objectives are set and reviewed at management review (see clause 9.3) or locally at departmental or committee meetings. Once set, there must be the means to communicate objectives throughout the organization to support and generate a positive OH&S culture.

If many requirements have been identified the organization may consider developing a documented Occupational Health and Safety Strategic Plan. The plan should be agreed by senior leadership and include risk rating tasks, in order of priority, and the alignment with senior leadership responsible for overseeing the task.

A strategic OH&S plan is a live document and should be reviewed periodically to monitor progress towards achieving objectives and continuous improvement.

The document may include:

  • Strategic prioritized topic

  • Action, this could be conducting assessments according to compliance obligations such as a noise assessment

  • Method in which the action can be achieved

  • Resources required to achieve the action. For example human, equipment, financial and external provider expertise

  • The key performance indicator to demonstrate achievement of the action

  • General responsibility

  • Top Management responsibility

  • Timescale

  • Risk rating (order of priority)

Section 7: Support

This section looks at the requirements which underpin the OH&S management system to ensure it runs effectively.


Resources will be required to fulfil the requirements identified during the planning stages of the system to maintain continuous improvement. These include human, natural, infrastructure (buildings, plant, equipment, utilities, emergency containment systems), technological and financial resources.

It is essential that allocation of resources has the full support from Top Management, under the requirements of Clause 5, to drive the maintenance of a safe and healthy work environment. As part of identifying resources, the organization needs to look at the information produced in Section 6 to acknowledge the risk, opportunities and resulting objectives. They then need to allocate sufficient resources to mitigate or manage them.


An organization working effectively and efficiently must have competent workers. In terms of OH&S it is essential that workers have access to information and have been suitably trained to prevent accidents or ill health to themselves and others. Competence can include consideration for:

  • Capability to fulfil the task based on defined job roles and clear understanding of the required OH&S aspects

  • Defined methods of recruitment with consideration for temporary or agency workers

  • Awareness of hazards associated with the environment and processes

  • Legal requirements

  • Individual capabilities including experience, language skills, literacy and diversity


Awareness of the requirements of the OH&S system is critical to both internal and external workers. There must be a clear understanding of the organization’s H&S Policy including the requirement for individuals to protect themselves and others from exposure to hazards. Awareness training starts before work commencement for both internal and external workers and may include:

  • OH&S Policy and requirements

  • Hazards associated with the environment and processes

  • Means to report incidents and receive information following investigation

  • Means to report near misses or safety critical defects

  • Structure of supervision

  • Provision of information including Safe Systems of Work or Work Instructions

  • Clear understanding that there are no recriminations for reporting hazards or precautionary removal of individuals from exposure to harm which is life threatening. This must be actively encouraged as part of a positive safety culture


Defined channels of communication are key to the success of the OH&S management system. It is recommended that there is a clear policy on communication, endorsed by Top Management, identifying the process of communication. The organization will need to determine:

  • What will be communicated? Examples: OH&S Policy, site rules including personal responsibilities, hazards, risk assessments, Work Instructions, minutes from committee meetings, investigation results, organizational structure, performance

  • When communication occurs? Examples: Recruitment permanent or temporary, induction internally and externally, morning briefing, safety committee meetings, pending legal requirements

  • Who will information be communicated to? Examples: Workers including agency, contractors, external providers, product end users and other interested parties

  • How will information be communicated? Examples: Notice boards, tool box talks, email, website, newsletters, supervision


As with all management systems the extent of documented information will vary depending on the size, scope and complexity of processes within the organization. A practical approach to development and control of documented information will assist in business protection as well as providing sources of information for workers relating to hazard identification.

Consider a risk-based approach to the level of documented information required including consideration for literacy and language. Documented information is not restricted to hard copy and will appear in a variety of media including electronic format, emails and web based. Below is a selection of the variety of documented information:


It’s essential to have a robust but simple system of control for documented information. This will ensure workers are always aware of the latest requirements relating to OH&S. In support of the latest revision of documented information there must be the means to communicate the latest policies, practices and work instructions. As previously indicated documented information will come from internal and external sources.

Below are suggested means of controlling both internal and external documented information:

  • Internal

    • Develop a document reference system within the header or footer e.g. Maintenance Procedure No. 1 – MP01, Maintenance Form 01 – MF01 etc

    • Identify the revision status, revision date and author within the document footer

    • Use the same document control methodology for electronic documents and data

    • Develop a spreadsheet identifying the reasons why previous revisions have been updated

    • Determine the method of issue for documented information with consideration for recovery of pre-modified documented information and communication

    • Archive in electronic format previous revisions of documents based on risk ensuring there is a means of backing up and recovering data

    • Determine and identify in the spreadsheet the intended document retention timescale. This may be based on legal requirements such as insurance documentation

  • External

    • Determine what should be communicated and retained based on risk

    • Consider scanning to reduce reliance on paper

    • Maintain the integrity of archived documentation

Remember to create a system that is simple for all to use, understand and access. Consider supporting the chosen method with an instructional procedure and applicable training.

Section 8: Operation

Once the processes within the organization have been identified (see clause 4.4) and the method in which the business will operate has been planned (see Clause 6.0), the company needs to plan and control each process within the OH&S management system.

Operational Planning and Control is the method in which the organization determines what is required for each process and the method in which requirements are controlled to ensure workers are protected from harm. Operational Planning and Control is achieved by identifying the criteria for each process which may include:

  • The boundaries of each process and how they interact

  • What resources are required to manage the process including leadership, equipment, time, human (competency and training aspects) and financial

  • What documented information is required to aid management of the process including procedures and safe systems of work

  • The method in which changes to the process are planned and controlled including unintended events

  • Application of legal and other requirements or manufacturer’s instructions for equipment

  • Engineering controls, for example interlocked guards and exhaust systems


Having chosen the methodology for risk assessment determined in clause 6.0, the organization will use the ‘Hierarchy of Controls’ outlined in section 6 to eliminate or reduce hazards to the lowest practicable risk. It is essential that, when conducting risk assessment, workers, including external providers, are competent.

On completion of the risk assessment, results should be communicated to those workers directly affected within the operation, to aid the development of control measures. Workers need to be included in the process of assessment and other system elements.


It is recognized that accidents can occur when processes deviate from defined established control measures. This may include changes in competent supervision and workers or the introduction of new materials, machinery and processes.

The organization must define and implement a process which considers change throughout the business. This may be a written policy which accounts for different scenarios based on risk and opportunity. The change process may be supported by a documented system to acknowledge issue and receipt of the notification to ensure it is communicated and understood.


Many businesses use the services of contractors (external providers) to fulfil gaps in processes and to complete tasks requiring specialist knowledge. The standard requires the organization to conduct an assessment on those contractors including due diligence competency checks. The organization may consider the use of contractor selection criteria to ensure services are within scope of the task.

The organization must be satisfied there is a process to protect contractors (workers) and other workers who may be exposed to hazards due to their activities. During the procurement process written agreements may be established between the organization and contractor specifying the organization’s rules. This may be supported by risk assessments and method statements conducted by both parties with communication of results.

It is key that necessary checks have been made to ensure contractors are competent. This may, in some circumstances, require confirmation of compliance with legal requirements, for example certification to work on electrical switch gear or to work on a gas boiler.

Once the procurement process has been completed it is good practice to support site activities with an induction programme.

This will provide contractor workers with an understanding of the rules including any specific requirements, for example, site hazards, authorized areas, near miss reporting processes, safe walking routes, emergency action plans, supervision and required permits to work.


Planning for unexpected events is a good all-round organizational discipline. The risk assessment process, for ISO 45001 identification of hazards, may have highlighted potential emergency situations with possible catastrophic consequences. Therefore, it is necessary to put control measures in place to mitigate these potential events.

Once emergency situations have been identified, which may involve workers at every level of the organization, a plan needs to be formulated and tested. Check that emergency preparedness and response have been tested within the internal audit plan.

Testing emergency response plans is critical to raise awareness of potential events and ensure control measures function, including supervision, individual responsibilities, suitability of training and communication. Below are some examples of when emergency plans will be required:

Section 9: Performance Evaluation

Performance evaluation is a constructive process that aims to improve an organization’s operation and is crucial to the ‘Plan, Do, Check and Act’ model prescribed by ISO 45001. These processes should help achieve and support organizational strategy and goals.


An organization should check, review, inspect and observe its planned activities to ensure they are occurring as intended. An organization must make sure they have determined the appropriate processes, so they can evaluate how well they are performing based on risk and opportunities. Monitoring generally indicates processes that can check whether something is occurring as intended or planned.

The tables below provide examples of monitoring and specific control measures:

Any equipment used to determine the measurement ‘indicator’ should be calibrated and maintained so that a high degree of confidence is gained in the credibility of data. The standard also requires the organization to implement a process to evaluate legal and other compliance including:

  • The frequency and method of evaluation

  • If action is needed, the process in which it will be evaluated and implemented

  • Maintain knowledge and understanding of its compliance status

  • Retain documented information to support the evaluation of legal and other requirements


An internal audit is a systematic method to check organizational processes and requirements, as well as those detailed in the ISO 45001 standard. This will ensure the processes in place are effective and the procedures are being adhered to. The internal audit programme will aid the organization to achieve the OH&S objectives and targets. It helps:

  • Monitor compliance to policy and objectives

  • Provide evidence that all necessary checks are carried out

  • Ensure all current legislative and other requirements are met

  • Assess the effectiveness of risk management

  • Worker engagement leading to a positive safety culture

  • Identify improvement using ‘fresh eyes’ to review a process

  • Aid continual improvement


Management Review is an essential element of the Occupational Health and Safety Management System. The aim of the review is for Top Management to assess the performance of the management system to ensure it has been effective and suitable for the needs of the business, ultimately preventing injury or harm to workers. The management review is also a planned activity to review objectives including compliance and to set new objectives.

Usually management review meetings are conducted annually, however many organizations conduct management reviews every six months or quarterly to track the performance of the system. If more frequent meetings are conducted, often the meeting agenda is reduced with the full agenda occurring annually.

Section 10: Improvement

  • From the results discussed in section 9 Management Review including the analysis and evaluation of OH&S performance, internal auditing and feedback from worker engagement

  • Non-conformity and corrective action

  • Incident investigation and corrective action

  • Accident investigation and corrective action

  • Compliance obligations including output from the introduction of new regulation

Several different methods of capturing improvement opportunities may be designed in the system based on the structure, activities and risk within the business discussed in sections 4 and 6. The chosen methods must consider the following:

  • Means of reporting including incidents to the right groups of workers and interested parties

  • The timescale of reporting

  • How the information is going to be recorded as documented information for example near miss report cards, accident reports, defect reports, reports to senior leadership

  • Using workers to participate in investigations to determine root cause analysis

  • A structured system to prevent reoccurrence

  • Hierarchy of control measures to reduce risk as far as is reasonably practicable

  • Assessment of OH&S risks prior to the introduction of a corrective action to prevent the introduction of new hazards

  • Training and competence for workers and interested parties on the means of reporting OH&S hazards, incidents and opportunities for improvement


Unlike ISO 9001 Quality and ISO 14001 Environmental management systems, ISO 45001 introduces ‘Incident’ alongside non-conformity and corrective action. Clause 3 ‘Terms of Definition’ within the standard provides the parameters in which ‘incident’ can be interpreted and reported. An ‘incident’ is an occurrence that does not result in an injury and / or ill health.

Therefore, the organization must implement a system of reporting that captures events which have not necessarily been foreseen within processes of the management system. Often these are referred to as ‘near misses’, ‘near-hit’ or a ‘close call’. When a near miss is reported there may be a process in which during the investigation the findings are recorded within a non-conformance report.
