ISO 45001 Competence Requirements: Training Records Auditors Want

Q: Are contractor training records required under ISO 45001?

Yes. ISO 45001 defines 'workers' to include contractors, subcontractors, and agency workers within the organization's control. Organizations must verify and retain evidence that contractors performing OH&S-affecting work are competent, including site-specific induction records and verification of any required external certifications.

Last updated: 2026-03-30

Every year, organizations investing thousands of dollars in ISO 45001 certification stumble at the finish line — not because their safety program is weak, but because their training records can't hold up under audit scrutiny. Clause 7.2 (Competence) is deceptively simple on paper yet routinely generates nonconformances that delay certification and cost real money.

After more than eight years and 200+ clients guided through first-time certification at Certify Consulting, I've watched auditors dissect training records in hundreds of audit rooms. This guide captures exactly what they're looking for — and how to make sure your documentation delivers.

Why Clause 7.2 Is a Top Source of ISO 45001 Nonconformances

ISO 45001:2018 clause 7.2 requires organizations to:

Determine the necessary competence of workers affecting OH&S performance
Ensure workers are competent on the basis of appropriate education, training, or experience
Where applicable, take action to acquire the necessary competence and evaluate the effectiveness of those actions
Retain documented information as evidence of competence

That last bullet is where most organizations fall short. According to data compiled by certification bodies, clause 7.2 (Competence) consistently ranks among the top five most frequently cited clauses for major and minor nonconformances during ISO 45001 Stage 2 and surveillance audits. Organizations routinely mistake "training completion" for "demonstrated competence" — and auditors know the difference.

The standard doesn't ask you to prove that people attended training. It asks you to prove that they are competent. That's a fundamentally different evidentiary bar.

What ISO 45001 Clause 7.2 Actually Requires (Plain Language Breakdown)

Determining Competence Needs

Before any training record is created, your organization must document what competence is required for each role that affects OH&S performance. This means maintaining:

Job descriptions or role profiles that specify required qualifications, certifications, or demonstrated skills
Competency matrices mapping roles to specific OH&S competencies (e.g., lockout/tagout, confined space entry, chemical handling)
Regulatory licensing requirements cross-referenced to job roles (e.g., OSHA 10/30 cards, forklift operator certifications, first aid/CPR licenses)

Auditors will often start here — before they even ask to see training records. If you can't show a documented basis for why competence is needed for a given role, the records you've kept become much harder to defend.

The "Education, Training, or Experience" Triad

ISO 45001 recognizes three legitimate pathways to competence:

Pathway	Examples	Common Documentation
Education	Degree, diploma, vocational qualification	Transcripts, certificates, diplomas
Training	Safety courses, toolbox talks, LMS completions	Attendance records, assessment results, certificates
Experience	Prior industry work, demonstrated on-the-job skill	CV/resume, supervisor attestations, skills assessments

A critical point many organizations miss: experience alone is a valid basis for competence under ISO 45001, provided it is documented and verified. A 20-year veteran millwright may not need a formal confined space training course if their competence can be evidenced through documented observation and supervisor sign-off — but that evidence must exist on paper.

Evaluating Effectiveness: The Most Overlooked Requirement

Clause 7.2 doesn't just ask you to train people. It requires you to evaluate whether the training worked. This is the element auditors probe most aggressively and organizations document least consistently.

Effective evaluation evidence includes:

Pre/post knowledge assessments with minimum passing scores
Practical skills observations documented by a qualified assessor
On-the-job performance records showing safe behavior over time
Incident/near-miss analysis connecting competence gaps to training actions
Supervisor sign-off confirming observed application of trained skills

A sign-in sheet alone will never satisfy this requirement. Organizations that cannot demonstrate how they evaluated whether training was effective receive clause 7.2 nonconformances at a significantly higher rate during certification audits.

The Training Records Auditors Actually Want to See

Let me be direct: I've seen binders the size of phone books that auditors dismissed in under 10 minutes, and I've seen lean, well-organized documentation packages that sailed through a three-day audit without a single finding. Volume is not the goal. Completeness, traceability, and effectiveness evidence are the goal.

Here is a breakdown of the specific records that matter most:

1. Competency Matrix (Role × Requirement Map)

This is your anchor document. A well-built competency matrix:

Lists every role (or category of worker) that affects OH&S
Maps each role to specific competency requirements
Indicates the acceptable evidence of competence for each requirement
Shows current status (competent / in progress / gap identified)
Is reviewed and updated at a defined frequency

Auditor tip: If your competency matrix isn't current — meaning it reflects your workforce as it stands today, including contractors — expect a finding.

2. Individual Worker Competence Records

For each worker (and relevant contractors), auditors want to see a consolidated record showing:

Required competencies per the matrix
Evidence held (training certificate, assessment result, experience attestation)
Issue date and expiry date (where applicable)
Any identified gaps and the action taken

This doesn't have to be a single document — it can be a folder, an LMS profile, or a system-generated report — but it must be easily retrievable and complete.

3. Training Completion Records With Assessment Results

Every training event should generate a record that captures:

Who attended (full name, employee/contractor ID)
What was covered (specific topic, regulatory standard referenced)
When it occurred (date, duration)
Who delivered it (trainer name, qualifications)
How competence was assessed (test score, observation sign-off, pass/fail outcome)

Sign-in sheets without assessment outcomes are the single most common documentation failure I see. They prove attendance; they prove nothing about competence.

4. Training Effectiveness Evaluations

This is the record auditors dig for and rarely find. Acceptable forms include:

Completed pre/post assessment comparison forms
Supervisor observation checklists used within 30–90 days of training
Behavioral safety observation data tied to trained topics
Learning management system (LMS) quiz results with benchmark pass rates
Post-training incident rate analysis for targeted risk areas

5. Retraining and Refresher Records

ISO 45001 doesn't specify a mandatory retraining frequency, but your own OH&S management system must define it — and then auditors will check whether you're meeting your own commitments. Retraining triggers to document include:

Regulatory recertification timelines (e.g., annual forklift refreshers, 3-year first aid renewal)
Changes in work processes, equipment, or hazards
Post-incident corrective actions requiring training
Management of change outputs that identify competence needs

6. Competence Records for Contractors and Visitors

Clause 7.2 applies to workers — and ISO 45001 defines workers broadly, including contractors, subcontractors, and agency workers. Organizations that maintain robust training records for direct employees but lack equivalent documentation for contractors represent one of the most common systemic gaps identified during ISO 45001 audits.

Minimum contractor competence documentation should include:

Verification of contractor's own training certifications (hazardous substances, height work, electrical, etc.)
Site-specific safety induction records
Evidence of competency checks before high-risk task authorization

Building an Audit-Ready Training Records System

Centralize and Standardize

Whether you use paper binders, spreadsheets, or a dedicated LMS, the system must allow you to answer three auditor questions in under 60 seconds:

What competence is required for Role X?
What evidence exists that Worker Y is competent?
When does that evidence expire, and what's the renewal plan?

If it takes more than a minute to answer any of these, your system needs work before the audit begins.

Connect Records to Risk

Auditors operating under ISO 45001 are risk-focused. The strongest training documentation packages I've seen explicitly connect competency requirements to the hazard and risk register. For example: "Confined space entry competence required because [confined space hazard identified in risk register ref. RS-047] — verified by [assessment ref. CS-COMP-2024-03]."

This traceability is not explicitly required by clause 7.2, but it demonstrates systematic thinking that auditors recognize and respect. It's also a best practice I recommend to every client at Certify Consulting.

Maintain a Training Needs Analysis (TNA)

A formal Training Needs Analysis process — conducted at least annually and triggered by management of change events — provides the documented planning backbone that supports all other competence records. Your TNA should feed directly into an annual training plan, which in turn generates completion records, which close the loop at management review.

Don't Forget Documented Information Control

Under ISO 45001 clause 7.5, training records are documented information that must be controlled. This means:

Records must be identifiable and retrievable
They must be protected from unintended alteration or loss
Retention periods must be defined (consider regulatory minimums — e.g., OSHA requires certain training records be retained 1–30 years depending on the standard)
Access controls must exist for sensitive personnel records

Common Clause 7.2 Nonconformance Findings (and How to Prevent Them)

Nonconformance Finding	Root Cause	Prevention
"No evidence competence was evaluated for effectiveness"	Training logged as complete with no assessment	Add pass/fail assessment or observation sign-off to every training record
"Competency matrix not current / does not reflect all roles"	Matrix built for certification, not maintained	Assign ownership; require annual review and change-triggered updates
"Contractor competence not verified prior to high-risk work"	Contractor records not integrated into the system	Create contractor onboarding checklist with competence verification gate
"No documented basis for competence requirements in role X"	Job descriptions lack OH&S competency requirements	Update all role profiles to specify required OH&S competencies
"Training records cannot be located for workers in [department]"	Decentralized recordkeeping, no single system of record	Centralize under one owner; conduct internal audit of record completeness before certification
"No evidence of retraining following process change in [area]"	Management of change process not linked to competence review	Add competence impact review as a mandatory step in your MoC procedure

What a 100% First-Time Pass Rate Teaches You About Clause 7.2

Across 200+ client engagements at Certify Consulting, the organizations that pass clause 7.2 scrutiny on their first attempt share three traits:

They treat competence as an outcome, not an activity. Training is a means to competence — not proof of it. Every record they generate is asking and answering: "Is this person competent?"
Their records are role-specific, not generic. A safety awareness training completion record looks different from a crane operator competence record. The level of rigor matches the level of risk.
Their system runs itself between audits. The competency matrix is a living document. Expiry dates trigger renewal workflows automatically or through scheduled reviews. Nothing is discovered during audit prep — it's already done.

The organizations that earn ISO 45001 certification on the first attempt don't have more training records than those who fail — they have better-designed, better-maintained, and better-connected records.

Frequently Asked Questions: ISO 45001 Competence and Training Records

What is the minimum documentation required for ISO 45001 clause 7.2?

ISO 45001 clause 7.2 requires organizations to retain documented information as evidence of competence. At minimum, this means records showing: (1) what competence is required for each OH&S-affecting role, (2) evidence that workers hold that competence via education, training, or experience, and (3) evidence that training effectiveness was evaluated. A sign-in sheet alone does not satisfy this requirement.

Do training records need to include assessment results to satisfy ISO 45001?

Yes — clause 7.2 requires evaluation of training effectiveness, which means records must go beyond attendance to capture how competence was verified. This can include written test scores, practical observation sign-offs, or supervisor attestations confirming applied skill, depending on the nature and risk level of the competency.

Are contractor training records required under ISO 45001?

Yes. ISO 45001 defines "workers" to include contractors, subcontractors, and agency workers within the organization's control. Organizations must verify and retain evidence that contractors performing OH&S-affecting work are competent, including site-specific induction records and verification of any required external certifications.

How long should ISO 45001 training records be retained?

ISO 45001 does not specify a retention period, but organizations must define one in their documented information control procedure. Retention periods should be informed by applicable regulatory requirements (e.g., OSHA-specific minimums range from 1 to 30 years), industry norms, and organizational policy. At minimum, records should be retained for the duration of an individual's employment plus one full external audit cycle.

What's the difference between a training record and a competence record?

A training record documents that a specific learning event occurred (who attended, what was covered, when). A competence record documents that a worker has achieved and maintains the required level of ability. Competence records may be supported by training records but also incorporate experience evidence, assessment results, and effectiveness evaluations — they are broader and more outcome-focused.

Jared Clark, JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, RAC is the Principal Consultant at Certify Consulting, where he has guided 200+ organizations to ISO 45001 and related management system certifications with a 100% first-time audit pass rate. For implementation support or pre-audit readiness reviews, visit certify.consulting.