Guide 9 min read

ISO 45001: The Complete Guide to OHS Certification

J

Jared Clark

July 16, 2026

The standard that changed everything about workplace safety management isn't complicated — but it is specific, and specificity is where most organizations stumble.

ISO 45001:2018 is the international standard for occupational health and safety (OHS) management systems. It replaced OHSAS 18001 in March 2021 and is now the globally recognized framework for organizations that take worker safety seriously enough to prove it.

As of 2026, ISO 45001 is certified in more than 80 countries, with over 400,000 organizations holding active certification worldwide — making it one of the fastest-adopted ISO management system standards in history.

I've helped more than 200 organizations achieve ISO 45001 certification through Certify Consulting, and in my experience, the organizations that struggle aren't the ones that lack safety programs. They're the ones that have safety programs they haven't connected to a management system. That's what ISO 45001 actually requires: a system, not just a set of rules.


What ISO 45001 Actually Requires

The standard is built on the Plan-Do-Check-Act (PDCA) cycle and follows the High Level Structure (HLS) shared by all modern ISO management standards. This means it integrates cleanly with ISO 9001 (quality) and ISO 14001 (environment) — a genuine practical advantage if your organization manages multiple certifications.

The ten clauses of ISO 45001:2018 are:

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organization
  5. Leadership and worker participation
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

Clauses 4 through 10 are where the actual requirements live. The first three are definitional. Understanding the difference between what the standard says and what it means in practice is where most organizations need real guidance.

Clause 4: Context of the Organization

This is where many implementations go wrong first. ISO 45001 clause 4.1 requires you to determine "external and internal issues relevant to your purpose and that affect your ability to achieve the intended outcomes" of your OHS management system. That sounds abstract until you realize it means: what's actually happening in your workplace that could hurt someone?

The "interested parties" requirement in clause 4.2 extends this further — workers, contractors, regulators, unions, community members. Understanding who has a stake in your OHS performance shapes everything downstream.

Clause 5: Leadership and Worker Participation

ISO 45001:2018 is the first occupational health and safety standard to make worker participation a specific and auditable requirement — clause 5.4 mandates documented consultation with workers on OHS matters, and auditors will look for evidence of it. This is a meaningful shift from OHSAS 18001, which treated worker involvement as a good practice. ISO 45001 treats it as a system requirement.

Top management accountability is similarly elevated. The standard doesn't allow leadership to delegate OHS responsibility entirely — clause 5.1 places specific obligations on top management that can't be handed off.

Clause 6: Planning

Hazard identification and risk assessment live here. ISO 45001 clause 6.1.2 requires processes for identifying hazards that consider how work is organized, social factors, and both routine and non-routine activities.

The OHS objectives in clause 6.2 need to be measurable, monitored, communicated, and updated as conditions change. Vague commitments don't satisfy this requirement — auditors will ask how you're measuring progress.


ISO 45001 vs. OHSAS 18001: What Changed

The transition from OHSAS 18001 to ISO 45001 officially closed in March 2021. If your organization was certified to OHSAS 18001 and hasn't transitioned, you're operating without a recognized certification — there is no grace period remaining.

Feature OHSAS 18001 ISO 45001:2018
Framework OHSAS-specific High Level Structure (HLS)
Worker participation Recommended Required (clause 5.4)
Context of organization Not required Required (clause 4)
Leadership accountability General Specific to top management
Integration with other standards Difficult Designed for integration
Risk-based thinking Limited Central to the standard
Contractor management Basic Detailed requirements
Procurement controls Minimal Explicit requirement

The most significant practical change is the shift to risk-based thinking. OHSAS 18001 focused on hazards and their direct controls. ISO 45001 asks you to think about the system as a whole — the conditions that allow hazards to exist and the factors that affect your ability to control them.


The Certification Process

Achieving ISO 45001 certification requires a third-party audit by an accredited certification body. Here's how the process works in practice.

Stage 1 Audit (Documentation Review): The auditor reviews your OHS management system documentation — your manual, procedures, records — to confirm your system is designed to meet the standard's requirements. This is a desk review, not a site assessment.

Stage 2 Audit (Implementation Audit): This is the on-site audit. The auditor verifies that your documented system is actually implemented and effective. They'll interview workers, observe operations, and review records. Findings here can be major or minor nonconformances, or opportunities for improvement.

Surveillance Audits: After certification, annual surveillance audits confirm ongoing conformance. Most certification bodies use a three-year certification cycle with surveillance visits at year one and year two.

Recertification Audit: At year three, a full recertification audit replaces the surveillance visit and resets the cycle.

Organizations that achieve ISO 45001 certification report an average 25–30% reduction in workplace incidents within the first two years of implementation, according to industry data compiled by BSI Group and Bureau Veritas.


What Auditors Actually Look For

I've sat on both sides of this table — preparing clients and observing what auditors focus on across dozens of industries. The patterns are consistent.

Evidence of top management engagement. Not a signed policy on the wall. Auditors want records of management reviews, meeting minutes, and evidence that leadership actually reviews OHS performance data and acts on it.

Worker participation records. Can you show the auditor documented instances of workers being consulted on hazard identification, risk assessment, and OHS objective setting? This requirement trips up more organizations than almost any other clause.

Hazard identification that reflects actual work. Generic job safety analyses that don't reflect how work actually gets done are a red flag. Auditors look for specificity that matches real operations.

Closed-loop corrective actions. Incident reports with open corrective actions sitting unresolved for months tell the auditor something important about system effectiveness.

Competency records. Workers need documented evidence they're qualified to perform work safely. Training records need to show completion and — where required — demonstrated competency, not just attendance.


Common Reasons Organizations Fail Their First Audit

Across more than 200 client engagements, first-time audit failures cluster around a predictable set of issues.

  1. Scope that doesn't match operations. The scope statement describes activities the organization doesn't actually perform — or excludes activities it does.

  2. Objectives without measurement. Organizations state OHS objectives but can't demonstrate how they're tracking progress toward them.

  3. Contractor management gaps. ISO 45001 clause 8.1.4 has specific requirements for managing contractors. Organizations often apply their internal OHS requirements to employees but fail to extend appropriate controls to contractors on-site.

  4. Internal audit programs that avoid hard clauses. The internal audit program needs to cover all applicable clauses. Auditors notice when the same clauses are consistently absent from internal audit reports.

  5. Superficial management review. A one-page summary document labeled "Management Review" without the required inputs and outputs doesn't satisfy clause 9.3.

None of these are hard to fix once you know where to look. The problem is that most organizations don't know what they don't know before their first audit. If you want to see exactly where your organization stands before that audit happens, an ISO 45001 gap assessment is the right starting point — it maps your current state against each clause requirement and gives you a clear picture of the work ahead.


How Long Does Certification Take?

This depends heavily on your starting point. An organization with a mature safety program and strong documentation can achieve certification in four to six months. An organization starting from scratch typically needs eight to fourteen months.

The factors that slow things down most: leadership buy-in (or the lack of it), documentation gaps that take longer to fill than anticipated, and inconsistent implementation across multiple sites or departments.

Multi-site certifications add complexity. Each site needs to be implementing the same system, and the audit scope has to address all included sites — either through a combined audit or a sampling approach approved by the certification body.


The Business Case

Some organizations pursue ISO 45001 because a customer or contract requires it. That's a legitimate driver, but the organizations that get the most value from certification are the ones that pursue it as a genuine management improvement — not just a certificate to frame.

OSHA estimates that employers in the U.S. pay approximately $1 billion per week in workers' compensation costs alone. The indirect costs — lost productivity, investigation time, retraining, regulatory penalties, reputational damage — typically run three to five times the direct costs.

ISO 45001 provides a framework for systematically reducing those costs. Organizations that implement it seriously tend to see incident rates decline, not because the standard is magic, but because it forces disciplined, documented attention to the conditions that produce incidents before they happen.


Working with an ISO 45001 Consultant

You don't need a consultant to achieve ISO 45001 certification. But in my experience, organizations that implement from scratch without outside guidance typically take significantly longer and face more audit findings than those with structured support.

What a good consultant brings isn't knowledge of the standard — that's available in the document itself. What they bring is pattern recognition: knowing which gaps are common, which audit findings are avoidable, and how to build a system that actually works for your specific operations rather than one that just satisfies the auditor on a good day.

At Certify Consulting, we've maintained a 100% first-time audit pass rate across our client base. That number matters to me not as a marketing claim but as a quality signal — it means our clients aren't just prepared, they're implementing real systems that hold up under scrutiny.

If you're considering ISO 45001 certification, the place to start is understanding where you currently stand. Our ISO 45001 implementation resources walk through the clause-by-clause requirements in plain language, and we offer direct consultation for organizations ready to move forward.


Last updated: 2026-07-16

J

Jared Clark

Principal Consultant, Certify Consulting

Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.

Ready to Protect Your People?

Schedule a free consultation to discuss your ISO 45001 certification goals, OSHA compliance needs, and how we can build a safety management system that works for your organization.