ISO 45001 Clause 4.3: Determining Your OH&S Scope

Jared Clark

April 11, 2026


If there is one clause in ISO 45001 that quietly determines the success or failure of your entire certification journey, it is Clause 4.3. Get it right, and every subsequent requirement — from hazard identification to management review — falls into a coherent, auditable system. Get it wrong, and you spend the next three years patching gaps, defending exclusions to auditors, and wondering why your OH&S program never quite feels like it fits your organisation.

I have guided more than 200 clients through ISO 45001 certification at Certify Consulting, and I can tell you with confidence: scope is the most underestimated clause in the standard. Most organisations treat it as a single sentence on a document. The best-performing ones treat it as a strategic decision backed by structured analysis.

This pillar article gives you the full picture — what Clause 4.3 requires, how to execute it correctly, what auditors actually look for, and the common mistakes that derail otherwise well-prepared organisations.


What ISO 45001 Clause 4.3 Actually Requires

Clause 4.3 of ISO 45001:2018 states that the organisation shall determine the boundaries and applicability of the OH&S management system to establish its scope. In doing so, the organisation must consider:

  • The external and internal issues referred to in Clause 4.1
  • The requirements of interested parties referred to in Clause 4.2, including workers and their representatives
  • The planned or performed work-related activities

The standard then requires that the scope be available as documented information and that it be available to interested parties.

Critically, Clause 4.3 adds a constraint that many organisations miss: "Once the scope is defined, all activities, products and services within the organisation's control or influence that can affect the OH&S performance of workers shall be included within the OH&S management system."

That single sentence is where most scope-related nonconformances originate.


Why Scope Determination Is a Strategic Exercise, Not a Paperwork Task

The scope statement is not just a certification formality. It is the lens through which every element of your OH&S management system is evaluated. Your scope defines:

  1. Who is protected — which workers and worker categories (employees, contractors, visitors, temporary staff) fall under the system
  2. What sites and locations are included — headquarters, remote worksites, mobile workers, home-based workers
  3. Which activities and processes are covered — manufacturing, maintenance, administrative, field operations
  4. What the system is not designed to cover — and whether those exclusions are genuinely justifiable

According to the International Labour Organization (ILO), approximately 2.3 million workers die every year from occupational accidents and work-related diseases, with hundreds of millions more suffering non-fatal injuries. A narrowly or incorrectly defined scope means real workers are left without the protections that a certified OH&S management system is designed to provide.


The Three Inputs You Must Analyse Before Writing Your Scope

1. Context of the Organisation (Clause 4.1)

Before you can define your scope, you must understand your organisation's context. This means analysing the internal and external issues that affect your ability to achieve the intended outcomes of the OH&S management system.

External issues to consider include:

  • Applicable legal and regulatory requirements (OSHA regulations, local labour laws, industry-specific safety standards)
  • Industry hazard profiles and sector-specific risks
  • Supply chain relationships and contractor arrangements
  • Geographic operating environment (climate, remote locations, multi-site operations)

Internal issues to consider include:

  • Organisational structure and reporting lines
  • Workforce composition (full-time, part-time, contractors, subcontractors, volunteers)
  • Existing safety culture and historical incident data
  • Physical infrastructure, equipment, and technology in use

A practical tool I recommend is a PESTLE analysis for external factors combined with a SWOT analysis for internal factors. Both outputs feed directly into your scope rationale.

2. Needs and Expectations of Interested Parties (Clause 4.2)

Clause 4.2 requires you to identify the interested parties relevant to your OH&S management system and understand their needs and expectations. For scope purposes, this exercise tells you whose safety obligations you are committing to address.

Interested parties typically include:

  • Workers and their representatives (trade unions, safety committees)
  • Regulatory authorities and enforcement bodies
  • Clients and customers
  • Contractors and supply chain partners
  • Insurance providers
  • Local communities and emergency services

The needs of these parties frequently drive scope boundaries. For example, a client contract may explicitly require that your OH&S system cover all workers performing services on their premises — including subcontractors you supply. If your scope statement excludes those subcontractors, you have a compliance gap before the ink is dry on the contract.

3. Planned or Performed Work-Related Activities

This is the most operationally specific input. You need to map the full range of activities your organisation performs or plans to perform and assess which of them create exposure to occupational health and safety risks.

Do not limit this analysis to what happens on your primary site. Consider:

  • Delivery and transportation activities
  • Work performed at client sites
  • Remote and lone working arrangements
  • Construction, maintenance, and installation activities
  • Office-based ergonomic and psychosocial risks


How to Write a Compliant ISO 45001 Scope Statement

A well-constructed scope statement answers five questions:

| Question | Example Language |
|---|---|
| What does the organisation do? | "Design, manufacture, and distribution of industrial fasteners" |
| Where does the system apply? | "At our facilities located in [City A], [City B], and all offsite project locations" |
| Who does the system cover? | "All employees, contractors, and visitors at covered locations" |
| What activities are in scope? | "All manufacturing, warehousing, maintenance, and administrative activities" |
| Are there any justified exclusions? | "Retail sales activities conducted through third-party distributors are excluded as the organisation has no influence over those environments" |

A Note on Justified Exclusions

ISO 45001 does not use the word "exclusions" the way ISO 9001 uses it for product-specific requirements. Instead, it ties scope to the concept of control or influence. If your organisation has control or influence over an activity or environment, it is very difficult to justify excluding it from the scope.

Auditors are trained to challenge exclusions. My advice: if you are uncertain whether something should be in or out of scope, include it. A scope that is slightly broader than needed is far less problematic than one that is artificially narrow.


Scope vs. Applicability: A Distinction Many Miss

While not explicitly separated in Clause 4.3 the way ISO 9001 separates them, there is a practical distinction worth understanding:

  • Scope defines the boundaries of the system — the physical, organisational, and activity-based perimeter
  • Applicability refers to which requirements of the standard apply within that scope

Some requirements of ISO 45001 may have limited applicability within your scope if a particular hazard category genuinely does not exist in your operations. However, you cannot use applicability arguments to shrink your scope. These are separate decisions.


Integrating Clause 4.3 With the Rest of Your OH&S System

One of the most important structural points about Clause 4.3 is that it does not stand alone. The scope decision cascades through the entire standard. Here is how the key connections flow:

| Clause | How Scope Affects It |
|---|---|
| Clause 6.1 — Risk and Opportunity Assessment | Hazard identification must cover all workers and activities within scope |
| Clause 7.2 — Competence | Training and competence requirements apply to all workers in scope |
| Clause 8.1 — Operational Planning and Control | Controls must be established for all in-scope activities |
| Clause 8.4 — Procurement | Contractor and supplier requirements apply based on their inclusion in scope |
| Clause 9.2 — Internal Audit | Audit programme must cover the entire scope |
| Clause 9.3 — Management Review | Review must address OH&S performance across the full scope |

A narrow or incomplete scope does not reduce your workload — it just creates undetected gaps that surface during surveillance audits or, worse, after a serious incident.


Multi-Site and Complex Organisational Structures

For organisations operating across multiple sites, business units, or legal entities, scope determination requires additional rigour.

Options for multi-site scope:

  1. Single enterprise-wide scope — One OH&S management system covers all sites. This is the simplest for certification purposes but requires robust central governance and consistent implementation.

  2. Site-specific scopes — Each site or business unit is certified independently. This allows for tailored systems but multiplies audit and maintenance effort.

  3. Headquarters plus satellite model — A central system defines the framework; site-specific annexes document local hazards, controls, and legal requirements.

For organisations pursuing multi-site certification under a single certificate, accredited certification bodies typically require a sampling strategy (per IAF MD 1) that ensures representative sites are audited. Your scope statement must clearly identify all included sites and justify the sampling approach.


What Auditors Look for in Clause 4.3

Having supported over 200 clients through certification audits with a 100% first-time pass rate at Certify Consulting, I have a clear picture of what third-party auditors focus on when reviewing scope.

Auditors will typically:

  1. Compare the scope statement against the physical reality — They will walk the facility, observe operations, and check whether what they see matches what the scope says. If the scope says "manufacturing operations" but there is an active maintenance workshop operating under completely ad-hoc safety arrangements, that is a nonconformance.

  2. Test contractor and subcontractor coverage — Auditors frequently ask how contractors are managed and then check whether contractors are referenced in the scope. Clause 8.4 on contractor management only applies if contractors are within or adjacent to your scope.

  3. Check whether the scope is publicly available — Clause 4.3 requires the scope to be available as documented information to interested parties. This typically means it should appear in your OH&S manual, on your website, or be otherwise accessible.

  4. Probe the rationale for any exclusions — If you have excluded any locations, activities, or worker categories, expect to justify them using evidence from your Clause 4.1 and 4.2 analyses.

  5. Look for scope alignment with the OH&S policy — Your OH&S policy (Clause 5.2) must be appropriate to the nature and scale of the organisation's OH&S risks. If the policy language is broader or narrower than the scope, auditors note the inconsistency.


Common Clause 4.3 Mistakes and How to Avoid Them

Mistake 1: Copying a Scope Statement From a Template

This is extraordinarily common. Template scopes use generic language that rarely reflects the organisation's actual activities, worker types, or site configurations. Auditors recognise boilerplate language immediately, and it invites scrutiny of every other element of your system.

Fix: Write your scope in plain language that describes what your organisation actually does, where it does it, and who does it.

Mistake 2: Excluding Contractors Without Justification

Many organisations instinctively exclude contractors from scope to reduce perceived complexity. This almost always creates problems. If contractors work on your site or under your direction, you have a degree of control or influence over their safety — and that brings them within the standard's intent.

Fix: Include contractors in scope, then address them specifically in Clause 8.4 (procurement) and Clause 8.1.4 (contractor management).

Mistake 3: Failing to Update the Scope After Organisational Changes

Scope statements are often written at implementation and never revisited. Mergers, acquisitions, new sites, new service lines, and changes in workforce composition all have the potential to invalidate your existing scope.

Fix: Make scope review a standing agenda item in your annual management review (Clause 9.3).

Mistake 4: Treating Scope as Separate From Context and Interested Party Analysis

Some organisations conduct their Clause 4.1 and 4.2 analyses as compliance exercises and then write their scope in isolation. The standard explicitly requires the scope to consider those inputs. If an auditor cannot trace a logical connection between your context analysis and your scope decision, expect a finding.

Fix: Document the rationale for your scope boundaries explicitly, referencing your Clause 4.1 and 4.2 outputs.

Mistake 5: Writing a Scope That Is Aspirational Rather Than Accurate

During the implementation phase, some organisations write a scope that describes what they want the system to cover rather than what it currently covers. This creates an immediate gap between documentation and reality.

Fix: Write the scope to accurately describe the current state of the system. Use the OH&S objectives and improvement plans to document where the system is headed.


A Step-by-Step Process for Determining Your ISO 45001 Scope

Following a structured process ensures your scope determination is defensible and complete.

  1. Assemble the right team — Include operations managers, HR, legal/compliance, and worker safety representatives. Scope determination should not be a solo exercise by a quality manager.

  2. Complete your Clause 4.1 context analysis — Document internal and external issues before touching the scope.

  3. Complete your Clause 4.2 interested party analysis — Identify all relevant parties and their needs.

  4. Map all work-related activities — Use a process map or activity inventory to capture all activities performed across all locations.

  5. Identify all worker categories — Employees, contractors, subcontractors, agency workers, volunteers, apprentices.

  6. Define site and location boundaries — List all physical locations and assess whether remote/mobile work is included.

  7. Assess control and influence — For each activity or location category, determine the extent to which your organisation can control or influence OH&S outcomes.

  8. Draft the scope statement — Use the five-question framework described earlier in this article.

  9. Review against the standard — Verify that the scope supports compliance with all applicable clauses.

  10. Approve and communicate — Obtain top management approval, make the scope available as documented information, and communicate it to relevant interested parties.


Scope Determination in the Context of Other ISO Management Systems

Many organisations implement ISO 45001 alongside ISO 9001 (quality) and ISO 14001 (environment) as part of an integrated management system (IMS). The High-Level Structure (HLS) common to all three standards means that Clause 4.3 is structurally identical across them — but the substantive content is different.

Key differences when integrating:

| Standard | Scope Focus |
|---|---|
| ISO 9001:2015 | Products and services; customer requirements |
| ISO 14001:2015 | Environmental aspects; legal obligations |
| ISO 45001:2018 | Worker safety; hazards and OH&S risks |

Research published in the Journal of Cleaner Production found that organisations implementing an integrated management system reported up to a 35% reduction in audit time and measurable improvements in system effectiveness compared to organisations maintaining separate management systems. A unified scope statement that addresses quality, environmental, and OH&S boundaries simultaneously can be a powerful efficiency driver — provided the language is specific enough for each standard.


Documented Information Requirements for Clause 4.3

ISO 45001 requires the scope to be maintained as documented information. This means:

  • The scope must be written down (not just understood informally)
  • It must be version-controlled and subject to document control procedures
  • It must be available to interested parties

The scope does not need to be a lengthy document. A single well-crafted paragraph or a structured one-page statement is entirely appropriate. What matters is precision and accuracy, not length.

Typical locations for the scope statement:

  • OH&S manual (if the organisation maintains one)
  • ISO 45001 Certificate (the certification body will reproduce the scope on the certificate)
  • Organisation website (for public availability)
  • Safety management intranet page


Final Thoughts: Scope as a Foundation, Not a Formality

The most important insight I can share after more than eight years of OH&S management system consulting is this: your scope statement is a promise. It tells workers, regulators, clients, and certification auditors exactly what your OH&S management system protects, where it operates, and who it covers. Every other element of your system is a demonstration of whether you are keeping that promise.

Approach Clause 4.3 with the seriousness it deserves. Invest the time to conduct proper context and interested party analyses. Be accurate rather than aspirational. Be inclusive rather than artificially narrow. And build scope review into your management review cycle so that it evolves as your organisation evolves.

If you need expert support with scope determination or full ISO 45001 implementation, the team at Certify Consulting has the credentials and track record to get you certified right the first time.

For a deeper understanding of how scope connects to your hazard identification obligations, see our guide on ISO 45001 Clause 6.1: Hazard Identification and Risk Assessment on iso45001expert.com.


Last updated: 2026-04-11

Jared Clark

Principal Consultant, Certify Consulting

Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.
