🦺 ISO 45001: The Complete Guide
Clause-by-clause requirements, the PDCA cycle, the real certification/audit process, and the nonconformities that trip up most organizations — explained by an IRCA-certified ISO 45001 Lead Auditor.
ISO 45001:2018 is the international standard for occupational health and safety (OH&S) management systems, and if you're reading this you're probably trying to answer one of two questions: what does my organization actually have to do to get certified, or what do I need to know to pass an ISO 45001 exam or audit. The short answer is that ISO 45001 asks an organization to run health and safety the way it already runs quality or finance — with a documented system, clear accountability, planned risk controls, and a cycle of checking and improving that never really stops. This guide walks through the ten clauses in order, shows how they map onto the Plan-Do-Check-Act cycle, explains what actually happens during a certification audit, and lists the nonconformities that show up again and again in real audits — so you know exactly where organizations lose points before you ever sit one.
Quick orientation: ISO 45001 replaced OHSAS 18001, which was formally withdrawn in March 2021 after a three-year transition period. If your organization (or a supplier) still references OHSAS 18001, that certificate is no longer valid — ISO 45001 is the current standard worldwide.
ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, is published by the International Organization for Standardization and specifies requirements for an OH&S management system, together with guidance for using it. Its stated purpose is to enable an organization to provide safe and healthy workplaces by preventing work-related injury and ill health, and by proactively improving its OH&S performance — not merely reacting to incidents after they happen.
Two design choices matter more than anything else once you get into the clauses:
ISO 45001 is built around Plan-Do-Check-Act (PDCA), a continual-improvement cycle borrowed from quality management. Every clause in the standard sits inside one loop of that cycle, and understanding this mapping makes the rest of the standard far easier to hold in your head:
| PDCA stage | Clauses | What happens |
|---|---|---|
| Plan | 4, 5, 6 | Understand the organization's context, secure leadership commitment and worker participation, identify hazards, assess risks and opportunities, and set OH&S objectives. |
| Do | 7, 8 | Provide the resources, competence and communication needed (Support), then actually run operational controls and emergency preparedness (Operation). |
| Check | 9 | Monitor and measure performance, run internal audits, and hold a formal management review. |
| Act | 10 | Investigate incidents and nonconformities, take corrective action, and continually improve the system. |
The cycle never terminates — an organization certified today is expected to keep planning, doing, checking and acting indefinitely, which is exactly why certification isn't a one-time event but a three-year cycle of surveillance and recertification audits (more on that below).
Clauses 1–3 (scope, normative references, terms and definitions) contain no auditable requirements — an auditor will never write a finding against them. Everything an auditor can actually test lives in clauses 4 through 10.
Before anything else, the organization must understand the environment it operates in. This clause has two operative sub-clauses:
This is where ISO 45001 visibly departs from a purely paperwork exercise. Clause 5.1 requires top management — not a delegated safety officer — to demonstrate leadership and commitment, including taking overall accountability for preventing work-related injury and ill health. Clause 5.2 requires an OH&S policy; 5.3 requires clearly assigned roles, responsibilities and authorities. Clause 5.4, Consultation and participation of workers, is one of the standard's signature requirements: workers at all levels, including non-managerial staff, must have a documented mechanism to be consulted on OH&S matters that affect them and to participate in hazard identification, incident investigation and policy development. Auditors specifically look for evidence workers can point to — committee minutes, toolbox-talk records, near-miss reporting logs — not just a policy statement claiming participation exists.
Clause 6 is the engine room of the standard, and the clause most heavily tested in both real audits and exam-prep courses.
Five sub-clauses cover the infrastructure the system needs to function: 7.1 Resources (people, budget, equipment), 7.2 Competence (ensuring people doing safety-critical work are trained and qualified, with records to prove it), 7.3 Awareness (workers understand the policy, their contribution, and the consequences of not following procedures), 7.4 Communication (internal and external, including what, when, with whom and how), and 7.5 Documented information (creating, updating and controlling the records and procedures the system depends on).
This is where planning becomes action on the ground. 8.1 Operational planning and control requires the organization to establish, implement and control the processes needed to meet system requirements — and, critically, 8.1.2 Eliminating hazards and reducing OH&S risks mandates a specific hierarchy of controls, applied in this priority order:
Auditors are trained to push back hard when an organization's control for a hazard jumps straight to PPE without documented evidence that elimination, substitution or engineering controls were genuinely considered first. Clause 8.1 also covers management of change and procurement; 8.2 Emergency preparedness and response requires the organization to plan, test (via periodic drills or simulations) and review its response to potential emergency situations.
The "Check" stage. 9.1.1 Monitoring, measurement, analysis and performance evaluation requires the organization to decide what needs to be measured, how, and how often — typically incident rates, near-miss reporting, inspection completion and training compliance. 9.1.2 Evaluation of compliance checks that legal and other requirements are actually being met. 9.2 Internal audit requires a planned program of audits at defined intervals, conducted by people who are objective and impartial (often, but not always, meaning they don't audit their own area of direct responsibility). 9.3 Management review requires top management to periodically review the whole system's suitability, adequacy and effectiveness — with defined inputs (audit results, incident trends, worker feedback) and outputs (decisions on changes, resource needs).
The "Act" stage closes the loop. 10.1 General sets the expectation of continual improvement. 10.2 Incident, nonconformity and corrective action requires a documented process to react to incidents and nonconformities: control and correct them, evaluate the need for action to eliminate root causes, implement any action needed, review its effectiveness, and make changes to the OH&S management system if necessary. 10.3 Continual improvement requires the organization to keep improving the suitability, adequacy and effectiveness of the system over time — the clause that, in effect, restarts the PDCA cycle.
Certification is carried out by an independent, accredited certification body — not by ISO itself, which only publishes the standard. The process nearly always runs in the following sequence:
Realistic timeline: for an organization that already runs a reasonably structured safety program, budgeting roughly 3–9 months from starting a gap analysis to passing Stage 2 is a common planning range — smaller, single-site operations often move faster; multi-site or higher-hazard organizations (construction, oil & gas, heavy manufacturing) usually need more. Treat this as a planning estimate, not a guarantee — your certification body's own quote is the number that matters.
Having sat on both sides of the audit table, I see the same handful of gaps show up again and again — often in organizations that otherwise look well-prepared on paper. Knowing these in advance is the single highest-leverage thing you can do before an audit:
Most of these have a common root: a system built to look complete on paper, without the operational habits (consultation, drills, effectiveness checks) that make it real. The fix is rarely more documentation — it's making the existing documentation match what people actually do.
ISO 45001 certification is voluntary in the large majority of jurisdictions — it sits alongside national occupational health and safety law, not in place of it. Employers remain legally bound by whatever OH&S regulations apply in their country (OSHA regulations in the US, for example, or equivalent national frameworks elsewhere) regardless of whether they hold ISO 45001 certification. What certification adds is a structured, independently verified management system layered on top of legal compliance — and, in practice, a credential that increasingly shows up as a contractual requirement in construction, oil & gas, manufacturing, logistics and other higher-hazard sectors, where clients and insurers use it as a proxy for safety maturity when selecting contractors.
You don't need to buy an expensive course to build a genuine, working understanding of ISO 45001 before you sit an internal audit, support a certification project, or move toward a formal Lead Auditor qualification. AMAADOR ACADEMY offers a free, structured path through the standard:
Start here if you're new to the standard — a foundational course covering the ten clauses, PDCA, and the core vocabulary of an OH&S management system, with a graded exam and signed certificate.
The deeper, professional-track course — built around auditing technique, ISO 19011 audit principles, nonconformity classification, and the certification audit process end to end.
A focused course on the hazard identification and risk assessment methodology that underpins Clause 6.1.2 — the part of ISO 45001 that shows up most often in both audits and exams.
Related courses worth pairing with these: Incident Investigation (feeds directly into Clause 10.2 corrective action), Permit-to-Work (a common Clause 8.1 operational control), Behaviour-Based Safety, and ISO 14001 Awareness if you're heading toward an integrated management system. You can browse the complete list on the Occupational Safety field page, or see how ISO 45001 fits into a broader learning track on Learning Paths. Every course ends with a graded exam and a free, signed, QR-verifiable certificate — you can check any certificate's authenticity anytime on the verification page.
ISO 45001:2018 is the international standard for occupational health and safety (OH&S) management systems. It specifies requirements for an organization to proactively prevent work-related injury and ill health, and to provide safe and healthy workplaces. It replaced OHSAS 18001, which was formally withdrawn in March 2021.
ISO 45001 has 10 clauses. Clauses 1–3 cover scope, normative references and terms/definitions. Clauses 4–10 contain the auditable requirements: Context of the Organization, Leadership and Worker Participation, Planning, Support, Operation, Performance Evaluation, and Improvement. This is the Annex SL harmonized structure shared with ISO 9001 and ISO 14001.
For an organization with a management system already partly in place, a realistic timeline is roughly 3–9 months from gap analysis to the Stage 2 certification audit, depending on size, complexity and how mature existing safety processes already are. Building a system from nothing typically takes longer.
Stage 1 is a documentation and readiness review — the auditor checks that your OH&S policy, scope, risk register, legal register and key procedures exist and are structured to meet the standard, and flags major gaps before you proceed. Stage 2 tests whether the system actually works in practice, through site visits, worker interviews, and sampling of records and evidence.
A nonconformity is a documented gap between what the standard (or your own management system) requires and what the auditor actually finds. A major nonconformity indicates a systemic failure or absence of a required process; a minor nonconformity is an isolated lapse in an otherwise working process. Both normally require a documented corrective action before or shortly after certification.
No. ISO 45001 certification is voluntary in most jurisdictions — it does not replace national occupational health and safety law, which remains mandatory regardless of certification status. Organizations pursue certification for competitive, contractual, insurance or supply-chain reasons, and because the framework itself drives better safety performance.
Clause 8.1.2 requires organizations to reduce OH&S risk using a hierarchy, from most to least effective: eliminate the hazard, substitute with a less hazardous process or material, use engineering controls, use administrative controls (including training and procedures), and use personal protective equipment (PPE) as the last line of defense. Higher-priority controls are preferred because they don't depend on human behavior to work.
No. Clause 9.2 requires internal auditors to be competent and objective, but it does not mandate a formal lead auditor certificate for internal audits. A recognized IRCA-style Lead Auditor course is generally expected, however, for anyone conducting third-party certification audits professionally, and it is widely valued for internal auditors on more complex or higher-risk sites.
Yes. Because all three standards share the Annex SL high-level structure (same clause numbers and much of the same terminology), most organizations that hold ISO 9001 (quality) or ISO 14001 (environment) integrate ISO 45001 into a single Integrated Management System rather than running three parallel systems, sharing documentation, internal audits and management review where the requirements overlap.
This guide was written by Youssef Amaador, founder and lead instructor of AMAADOR ACADEMY and an IRCA ISO 45001 Lead Auditor (also IRCA ISO 14001 Lead Auditor and ISO 50001 Auditor), with a background in environment, health & safety, energy, quality and management-systems auditing. Read more on the About page. Looking for an on-site trainer or auditor instead of self-paced study? See Find a Trainer.