ISO 45001:2018 specifies requirements for an occupational health and safety (OH&S) management system to enable organizations to provide safe and healthy workplaces, prevent work-related injury and ill health, and proactively improve OH&S performance. The standard replaced OHSAS 18001 and aligns with the ISO High Level Structure shared by ISO 14001 and ISO 9001. Internal audits under Clause 9.2 verify that the OH&S management system conforms to the organization’s requirements and ISO 45001, and is effectively implemented and maintained. This clause-by-clause audit checklist covers Clauses 4 through 10, with particular emphasis on the standard’s strong requirements for worker consultation and participation, hazard identification, and the hierarchy of controls.
Free ISO 45001 OH&S Internal Audit Checklist
Download our Word document checklist for iso 45001 oh&s program audits.
Download Checklist (.docx)Regulatory Requirements
ISO 45001:2018 — Occupational Health and Safety Management Systems
ISO 45001:2018 specifies requirements for an OH&S management system that an organization can use to proactively improve its OH&S performance in preventing injury and ill health. The standard is applicable to any organization regardless of size, type, or activities. It follows the Plan-Do-Check-Act framework and places strong emphasis on leadership, worker participation, hazard identification, risk assessment, and the hierarchy of controls.
ISO 19011:2018 — Guidelines for Auditing Management Systems
ISO 19011 provides guidance on auditing management systems including principles of auditing, managing audit programs, and conducting audits. It is the primary reference for planning and conducting ISO 45001 internal audits and establishing auditor competence.
ISO 45002:2023 — OH&S General Guidelines for Implementation
ISO 45002 provides guidance on establishing, implementing, maintaining, and improving an ISO 45001 OH&S management system. It provides explanations of ISO 45001 requirements with examples and is useful for organizations interpreting and applying the standard’s requirements.
ISO 45001 places significantly stronger emphasis on worker consultation and participation than its predecessor OHSAS 18001. Top management must establish mechanisms for worker consultation (Clause 5.4) and workers at all levels must participate in the development, planning, implementation, performance evaluation, and improvement of the OH&S management system. This is a common area of nonconformity during certification audits.
Clause 4: Context of the Organization
| Audit Item | Expected Finding / What to Evaluate |
|---|---|
| Internal and external issues (4.1) | The organization has determined external and internal issues relevant to its purpose that affect its ability to achieve the intended outcomes of the OH&S management system. Issues include regulatory requirements, industry hazard profiles, organizational culture, workforce demographics, technology changes, economic factors, and supply chain considerations. Issues are monitored and reviewed. |
| Workers and interested parties (4.2) | Workers and other interested parties relevant to the OH&S management system have been identified along with their relevant needs and expectations. Workers are specifically identified as interested parties. The organization has determined which needs and expectations are or could become legal requirements and other requirements. |
| OH&S management system scope (4.3) | The scope of the OH&S management system has been determined considering internal/external issues (4.1), legal and other requirements (4.2), and planned or performed work-related activities. The scope is documented, available, and includes all activities, products, and services that can affect OH&S performance. |
| OH&S management system (4.4) | The organization has established, implemented, maintained, and continually improves the OH&S management system including needed processes and their interactions, in accordance with ISO 45001 requirements. |
Clause 5: Leadership and Worker Participation
| Audit Item | Expected Finding / What to Evaluate |
|---|---|
| Leadership and commitment (5.1) | Top management demonstrates leadership and commitment by taking overall responsibility and accountability for prevention of work-related injury and ill health, ensuring OH&S policy and objectives are established, ensuring integration of OH&S into business processes, providing resources, communicating the importance of effective OH&S, ensuring the system achieves intended outcomes, directing and supporting workers to contribute, promoting continual improvement, supporting other relevant management roles, and developing a culture that supports the OH&S management system. |
| OH&S policy (5.2) | An OH&S policy is established that includes a commitment to provide safe and healthy working conditions for prevention of work-related injury and ill health, a commitment to eliminate hazards and reduce OH&S risks using the hierarchy of controls, a commitment to fulfill legal and other requirements, a commitment to consultation and participation of workers, and a commitment to continual improvement. The policy is documented, communicated, and available to interested parties. |
| Roles, responsibilities, and authorities (5.3) | Top management has assigned responsibility and authority for ensuring the OH&S management system conforms to ISO 45001 requirements and for reporting on OH&S management system performance. Responsibilities are assigned at relevant levels, documented, and communicated. |
| Worker consultation and participation (5.4) | The organization has established, implemented, and maintains processes for consultation and participation of workers at all applicable levels and functions. Workers are consulted on determining interested parties’ needs, establishing the OH&S policy, assigning roles, determining legal requirements, establishing OH&S objectives, determining controls, identifying training needs, and determining what to communicate. Workers participate in determining mechanisms for consultation and participation, identifying hazards and assessing risks, determining actions to control hazards, investigating incidents, and determining competence needs. |
Clause 6: Planning
| Audit Item | Expected Finding / What to Evaluate |
|---|---|
| Hazard identification (6.1.2.1) | The organization has established ongoing and proactive processes for hazard identification considering how work is organized, social factors, leadership, culture, routine and non-routine activities, past incidents, potential emergencies, people (including contractors and visitors), other factors (equipment design, workplace conditions, human factors), and changes or potential changes. The hazard identification process is maintained as documented information. |
| Risk assessment and opportunities (6.1.2.2–6.1.2.3) | The organization has established processes to assess OH&S risks from identified hazards (considering existing controls) and assess opportunities to enhance OH&S performance. Assessment methodology is defined, documented, and applied consistently. Risk assessment includes evaluation of the effectiveness of existing controls. |
| Legal and other requirements (6.1.3) | The organization has determined and has access to legal requirements and other requirements applicable to its hazards and OH&S management system. It has determined how these apply and has taken them into account in the OH&S management system. The organization maintains documented information on its legal and other requirements and ensures they are up to date. |
| OH&S objectives and planning (6.2) | OH&S objectives are established at relevant functions and levels, consistent with the OH&S policy, measurable (or capable of performance evaluation), take into account applicable requirements, results of risk/opportunity assessment, and results of consultation with workers. Objectives are monitored, communicated, and updated. Plans for achieving objectives include what, resources, responsibility, timeframes, evaluation methods, and how actions will be integrated into business processes. |
Clause 7: Support
| Audit Item | Expected Finding / What to Evaluate |
|---|---|
| Resources and competence (7.1–7.2) | Resources needed for the OH&S management system are determined and provided. Persons affecting OH&S performance are competent on the basis of education, training, or experience. Competence needs associated with hazards and the OH&S management system are determined. Actions to acquire competence include training, mentoring, reassignment, or hiring. Effectiveness of actions is evaluated. Documented information is retained. |
| Awareness (7.3) | Workers are aware of the OH&S policy and objectives, their contribution to OH&S management system effectiveness, implications of nonconformity, incidents and investigation results relevant to them, hazards and OH&S risks and actions determined that are relevant to them, and the ability to remove themselves from work situations they consider present an imminent and serious danger to their life or health (without undue consequence). |
| Communication (7.4) | Processes are established for internal and external communications relevant to the OH&S management system including what, when, with whom, and how to communicate. Communications take into account diversity aspects (language, culture, literacy, disability). Views of interested parties are considered. Legal and other communication requirements are addressed. Information communicated is consistent with OH&S management system information and is reliable. |
| Documented information (7.5) | The OH&S management system includes documented information required by ISO 45001 and determined necessary by the organization. Documented information is appropriately created, updated, controlled, and protected. Controls address distribution, access, retrieval, storage, retention, and disposition. |
Clause 8: Operation
| Audit Item | Expected Finding / What to Evaluate |
|---|---|
| Hierarchy of controls (8.1.2) | The organization has established processes for eliminating hazards and reducing OH&S risks using the hierarchy of controls: (a) eliminate the hazard, (b) substitute with less hazardous processes/operations/materials/equipment, (c) use engineering controls and reorganization of work, (d) use administrative controls including training, (e) use adequate personal protective equipment. The hierarchy is applied systematically and documented. Workers are involved in developing controls. |
| Management of change (8.1.3) | The organization has established processes for managing planned temporary and permanent changes that can impact OH&S performance including new products/services/processes, work organization/conditions/equipment, legal and other requirements, knowledge/information about hazards, and developments in knowledge and technology. Consequences of unintended changes are reviewed and action taken to mitigate adverse effects. |
| Procurement and contractors (8.1.4) | Processes are established for procurement to ensure conformity with the OH&S management system. Processes coordinate with contractors to identify hazards and assess/control OH&S risks arising from contractor activities, the organization’s activities affecting contractor workers, and contractor activities affecting other interested parties. Criteria for selecting contractors include OH&S considerations. |
| Emergency preparedness and response (8.2) | Processes are established for preparing for and responding to potential emergency situations including planned response actions, first aid provision, training and drills, periodic testing of planned actions, evaluation and revision after occurrences or drills, and communication of relevant information to all workers. Emergency processes account for the needs of interested parties, local emergency services, and neighboring organizations. |
Clause 9: Performance Evaluation
| Audit Item | Expected Finding / What to Evaluate |
|---|---|
| Monitoring, measurement, and evaluation (9.1.1–9.1.2) | The organization monitors, measures, analyzes, and evaluates OH&S performance including extent to which legal and other requirements are fulfilled, activities and operations related to identified hazards/risks/opportunities, progress toward OH&S objectives, and effectiveness of operational and other controls. Equipment is calibrated. Compliance evaluation processes are established, frequency determined, and compliance status is maintained. |
| Internal audit (9.2) | Internal audits are conducted at planned intervals providing information on whether the OH&S management system conforms to the organization’s requirements and ISO 45001, and is effectively implemented and maintained. An audit program is established considering importance of processes, changes, and previous audit results. Audit criteria, scope, frequency, and methods are defined. Auditors are objective and impartial. Results are reported to relevant management and workers. Corrective action is taken without undue delay. Documented information is retained. |
| Management review (9.3) | Top management reviews the OH&S management system at planned intervals considering: status of previous actions, changes in external/internal issues, fulfillment of OH&S policy and objectives, OH&S performance, adequacy of resources, communications from interested parties, opportunities for continual improvement, and results of worker consultation and participation. Outputs include decisions on improvement opportunities, resource needs, OH&S management system changes, and actions when objectives are not achieved. Outcomes are communicated to workers. |
Clause 10: Improvement
| Audit Item | Expected Finding / What to Evaluate |
|---|---|
| Incident investigation and nonconformity (10.2) | The organization has established processes for reporting, investigating, and taking action on incidents and nonconformities. Investigation is timely and determines root causes. Workers participate in investigation. The organization evaluates the need for corrective action, implements any needed action, reviews effectiveness of corrective action, and makes changes to the OH&S management system if necessary. Results of incident investigation are communicated to relevant workers and their representatives. Documented information is retained. |
| Continual improvement (10.3) | The organization continually improves the suitability, adequacy, and effectiveness of the OH&S management system by enhancing OH&S performance, promoting a culture supporting the OH&S management system, promoting worker participation in implementing continual improvement actions, communicating relevant results to workers, and maintaining and retaining documented information as evidence. |
Audit frequency: ISO 45001 requires internal audits at planned intervals. Best practice is to audit the entire OH&S management system at least once per year, with critical processes and high-risk areas audited more frequently. Schedule audits to ensure all clauses are covered before each management review and surveillance/recertification audit.
Corrective Actions
Common Issues and Responses
- Inadequate worker consultation: Establish formal mechanisms for worker consultation and participation at all levels. This may include safety committees, toolbox talks, suggestion systems, hazard reporting processes, and involvement in risk assessments. Ensure non-managerial workers participate in hazard identification, incident investigation, and action development.
- Hierarchy of controls not applied: Review existing controls against the hierarchy of controls framework. Document justification when higher-level controls (elimination, substitution, engineering) are not feasible. Ensure PPE is used as a last resort, not a first response. Involve workers in developing control solutions.
- Incomplete hazard identification: Conduct a comprehensive hazard identification using multiple methods (workplace inspections, job hazard analysis, incident review, worker input). Consider routine and non-routine activities, all persons in the workplace including contractors and visitors, and organizational/social factors. Implement an ongoing hazard reporting system.
- No incident investigation process: Establish a documented incident investigation procedure including timely investigation, root cause analysis, worker participation, corrective action implementation, and effectiveness verification. Train investigation team members. Communicate findings to relevant workers.
- Management review gaps: Schedule management reviews at planned intervals (at least annually). Ensure all required inputs are addressed. Document decisions and actions from the review. Communicate outcomes to workers. Assign responsibility for follow-up actions with deadlines.
Download the Free Checklist
Get our iso 45001 oh&s program audit checklist in Word format. Customize it for your organization.
Download Checklist (.docx)
Go digital with Ecesis. Streamline your OH&S management system with Ecesis ISO 45001 software. Manage hazard identification, track objectives, schedule audits, document worker consultation, and automate corrective action workflows. Request a free demo.
Ecesis EHS Software
ISO 45001 Software
Complete OH&S management with hazard registers, risk assessments, objectives tracking, and audit management.
Inspections
Internal audit scheduling, workplace inspections, and finding documentation with corrective action workflows.
Incident Management
Incident reporting and investigation with root cause analysis, worker participation tracking, and CAPA management.
Training
Competence management, safety training tracking, and worker awareness program administration.
Task Management
Corrective action tracking with hierarchy of controls classification and effectiveness verification.
Compliance Calendar
Schedule audit cycles, management reviews, compliance evaluations, and training deadlines.
