Implementing ISO 45001:2018 is a structured project that typically takes 6 to 18 months depending on organizational size, complexity, and existing safety management maturity. This guide provides the complete roadmap from initial assessment through successful certification, covering each phase with practical guidance for OH&S management system (OHSMS) implementation teams.
Phase 1: Gap Analysis and Planning
Conduct a Gap Analysis
Begin by assessing your current state against ISO 45001:2018 requirements. A gap analysis compares existing occupational health and safety practices to each clause (4 through 10) and identifies what needs to be developed, modified, or formalized. This assessment produces a prioritized action plan with timelines and resource requirements.
- Review each clause of ISO 45001 against current practices
- Document existing OH&S policies, procedures, and records
- Identify regulatory and legal compliance obligations already tracked
- Prioritize gaps by risk level and implementation effort
Secure Top Management Commitment
Research consistently shows that top management commitment is the single strongest predictor of implementation success. Management must demonstrate leadership by establishing an OH&S policy, ensuring resources are available, and integrating OH&S requirements into business processes. Unlike its predecessor OHSAS 18001, ISO 45001 places explicit requirements on top management accountability that cannot be delegated.
Establish the Implementation Team
Form a cross-functional implementation team with representatives from operations, maintenance, human resources, and worker representatives. Develop a project plan with milestones, responsibilities, and deadlines. Assign an implementation leader who has the authority and organizational support to drive the project forward.
Phase 2: Context and Foundation (Clauses 4 and 5)
Determine Organizational Context
Establish the OHSMS foundation by determining the internal and external issues relevant to your organization's purpose that affect its ability to achieve the intended outcomes of the OH&S management system. Identify interested parties (workers, contractors, regulators, visitors, neighbors) and their needs and expectations.
Define the Scope
Define the boundaries and applicability of your OH&S management system. Consider the internal and external issues from Clause 4.1, the requirements of interested parties from Clause 4.2, and planned or performed work-related activities. The scope must be available as documented information.
Develop the OH&S Policy
Top management must establish an OH&S policy that includes commitments to provide safe and healthy working conditions, eliminate hazards and reduce OH&S risks, comply with legal and other requirements, and continually improve the management system. The policy must be appropriate to the nature and scale of the organization's OH&S risks.
Assign Roles, Responsibilities, and Authorities
Define and communicate organizational roles relevant to the OH&S management system. Workers at each level must understand their responsibilities for the aspects of the management system over which they have control. Establish processes for worker consultation and participation per Clause 5.4.
Phase 3: Planning (Clause 6)
Hazard Identification and Risk Assessment
Establish systematic, proactive processes for ongoing hazard identification. Consider routine and non-routine activities, emergency situations, human factors, and how work is organized. Assess OH&S risks using appropriate methodologies and determine controls using the hierarchy of controls: elimination, substitution, engineering controls, administrative controls, and personal protective equipment.
- Workplace activities, equipment, materials, and physical conditions
- Product/service design, research, and development stages
- Human factors and capabilities (fatigue, competence, stress)
- Past incidents (internal and external) and emergency situations
- Changes in knowledge, technology, or regulatory requirements
Determine Legal and Other Requirements
Identify applicable OSHA regulations, state safety codes, industry standards, and other compliance obligations. These must be kept current and accessible. Determine how they apply to the organization and communicate them to relevant parties. Legal requirements include federal and state OSHA standards, workers' compensation requirements, and industry-specific safety regulations.
Set OH&S Objectives
Establish measurable OH&S objectives at relevant functions and levels that are consistent with the OH&S policy. Objectives should follow the SMART framework: Specific, Measurable, Achievable, Relevant, and Time-bound. Develop action plans that define what will be done, what resources are required, who will be responsible, when it will be completed, and how results will be evaluated.
Phase 4: Support and Operations (Clauses 7 and 8)
Competence, Awareness, and Training
Determine necessary competence for workers who affect OH&S performance. Ensure workers are competent based on education, training, or experience. Workers must be aware of the OH&S policy, their contribution to the effectiveness of the OHSMS, the implications of not conforming, and relevant incidents and investigation outcomes.
Communication
Establish internal and external communication processes. Determine what, when, with whom, and how to communicate OH&S information. Internal communications must flow both upward and downward and must accommodate worker consultation and participation requirements.
Documented Information
Create, update, and control documented information required by ISO 45001 and determined necessary by the organization. This includes policies, procedures, risk assessments, legal registers, training records, incident reports, audit findings, and management review minutes. ISO 45001 does not prescribe a specific documentation structure; focus on what adds value to your OHSMS.
Operational Planning and Control
Implement and control processes needed to meet OH&S requirements. Establish criteria for processes and implement controls in accordance with those criteria. Address the hierarchy of controls, manage change, manage procurement (including contractors and outsourcing), and develop emergency preparedness and response procedures.
- Elimination of hazards where possible
- Management of change processes for new equipment, processes, or materials
- Procurement controls for goods, equipment, and services
- Contractor management and outsourced process controls
- Emergency preparedness, response plans, and periodic testing
Phase 5: Performance Evaluation (Clause 9)
Monitoring, Measurement, Analysis, and Evaluation
Determine what needs to be monitored and measured (including legal compliance), the methods to be used, when monitoring shall be performed, and when results shall be analyzed and evaluated. Retain documented information as evidence of results. Performance indicators should include both leading indicators (proactive measures) and lagging indicators (reactive measures).
Internal Audit
Plan, establish, implement, and maintain an internal audit program that covers the frequency, methods, responsibilities, and reporting requirements. Internal audits must assess whether the OHSMS conforms to ISO 45001 requirements and the organization's own requirements, and whether it is effectively implemented and maintained. Complete at least one full cycle of internal audits before the certification audit.
Management Review
Top management must review the OHSMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. Review inputs include audit results, worker feedback and participation, OH&S performance trends, incident data, risks and opportunities, and the status of corrective actions. Outputs must include decisions related to the continuing improvement of the system.
Phase 6: The Certification Process
Select a Registrar
Choose an accredited certification body that has expertise in your industry, an excellent reputation, and experience performing ISO 45001 audits. Verify accreditation through recognized bodies such as ANAB (in the US) or UKAS (in the UK). Request references from organizations of similar size and complexity.
Stage 1 Audit (Documentation Review)
The registrar reviews your OHSMS documentation to assess readiness for the full certification audit. This typically takes 1 to 2 days and may be conducted partly or fully remotely. The auditor evaluates whether your documented system meets the requirements of ISO 45001. Any deficiencies are documented as findings that must be addressed before Stage 2.
Stage 2 Audit (Certification Audit)
The on-site certification audit evaluates full implementation effectiveness. Auditors verify that documented procedures are being followed, interview workers at all levels, observe work activities, and review records. Duration depends on organization size and complexity. Deficiencies are documented as nonconformities (major or minor) that must be corrected before certification is issued.
Ongoing Surveillance and Recertification
After certification, your registrar conducts annual surveillance audits (partial system reviews) in Years 1 and 2. A full recertification audit occurs every 3 years. These audits verify continuing conformance and look for evidence of continual improvement. Use each surveillance audit as an opportunity to demonstrate progression of your OHSMS.
Phase 7: Continual Improvement (Clause 10)
Incident Investigation and Corrective Action
Establish processes for reporting and investigating incidents, including near misses. Determine root causes and take corrective action to prevent recurrence. Review the effectiveness of actions taken. ISO 45001 treats incidents and nonconformities as opportunities for improvement, not just compliance obligations.
Drive Continual Improvement
Certification is the beginning, not the end. Enhance OH&S performance through ongoing objective achievement, system maturation, and integration of OH&S into business strategy. Promote a culture of safety where workers at all levels actively participate in identifying hazards, reporting near misses, and suggesting improvements.


