If you've ever stared at a blank folder structure and wondered exactly what documents your ISO 45001 occupational health and safety management system (OHSMS) actually requires, you're not alone. Documentation confusion is one of the top reasons organizations stumble during their Stage 1 audit — and it's almost entirely preventable.
I'm Jared Clark, Principal Consultant at Certify Consulting. Over the past eight-plus years, I've helped more than 200 clients build documentation systems that satisfy auditors without drowning staff in paperwork. In this guide, I'll give you the definitive list of every document ISO 45001:2018 mandates, explain why each one exists, and show you how to avoid the most common documentation pitfalls.
Why ISO 45001 Documentation Matters
ISO 45001:2018 uses the term documented information rather than "documents" and "records" (the older ISO 9001/OHSAS 18001 terminology). Documented information can be maintained (a living document you update) or retained (a record you keep as evidence). Understanding that distinction is critical — it shapes how you control, store, and review each item.
According to the ISO Survey of Certifications, over 85,000 organizations held ISO 45001 certificates as of the most recent reporting year, and audit nonconformities related to incomplete or poorly controlled documented information consistently rank among the top three findings globally. Getting documentation right from the start is not a bureaucratic exercise — it is a strategic advantage.
Citation hook: ISO 45001:2018 requires organizations to maintain and retain documented information as evidence of conformity, not simply as a filing exercise — meaning every document must demonstrably link to a process, risk, or legal obligation.
How ISO 45001:2018 Structures Documentation Requirements
The standard spreads documentation requirements across all ten clauses. Some clauses say "the organization shall maintain documented information" (a document you update), while others say "the organization shall retain documented information" (a record proving something happened). A few clauses require both.
Here is a quick orientation before the full list:
| Term | Meaning | Examples |
|---|---|---|
| Maintain documented information | Living document, updated as needed | OH&S Policy, Objectives, Procedures |
| Retain documented information | Historical record, kept as evidence | Audit results, Incident records, Competence records |
| Both | Document that is also periodically updated AND kept for history | Risk register, Legal register |
The Complete ISO 45001 Required Documents List
Clause 4 — Context of the Organization
Clause 4.1 & 4.2 — Scope and Interested Parties
While the standard does not use the phrase "documented information" in clause 4.1 explicitly, clause 4.3 states that the scope shall be available as documented information.
- Scope of the OHSMS (maintain) — A concise statement defining which locations, activities, and workers are covered. Auditors will ask for this on day one of your Stage 1 audit.
Pro tip: The scope document should reference your physical boundaries, organizational functions, and any exclusions. Vague scopes are a leading cause of Stage 1 nonconformities.
Clause 5 — Leadership
Clause 5.2 — OH&S Policy
- OH&S Policy (maintain + available to interested parties) — Must include commitments to provide safe working conditions, eliminate hazards, fulfill legal obligations, consult and participate workers, and continually improve. It must be available to workers and, where appropriate, to other interested parties.
Clause 5.4 — Consultation and Participation
- Evidence of worker consultation and participation (retain) — Meeting minutes, survey results, or sign-in sheets demonstrating that workers at all levels were involved in OH&S decisions.
Clause 6 — Planning
This clause is documentation-heavy for good reason: planning is where you identify what can go wrong before it does.
Clause 6.1.1 — Actions to Address Risks and Opportunities
- Risks and opportunities register (maintain) — Documents the OH&S risks and opportunities identified through hazard identification and risk assessment processes. This is arguably the most audited document in your entire system.
Clause 6.1.2 — Hazard Identification and Risk Assessment
- Hazard identification results (retain) — Evidence that you systematically identified hazards for all activities, including routine, non-routine, emergency situations, and contractor activities.
- OH&S risk assessment results (retain) — The output of your risk evaluation process, showing how each identified hazard was assessed and what control measures were selected.
Clause 6.1.3 — Legal and Other Requirements
- Legal and other requirements register (maintain) — A living list of all applicable OH&S legislation, regulations, permits, and voluntary commitments. Must be reviewed regularly as laws change.
Citation hook: ISO 45001:2018 clause 6.1.3 requires organizations to maintain a legal register and determine how those requirements apply to their OH&S management system — making compliance tracking a mandatory, documented activity, not an informal one.
Clause 6.2 — OH&S Objectives
- OH&S Objectives and plans to achieve them (maintain) — Must be measurable, monitored, communicated, and updated as needed. The standard requires you to document what you will do, what resources are needed, who is responsible, when it will be completed, and how results will be evaluated.
Clause 7 — Support
Clause 7.2 — Competence
- Evidence of competence (retain) — Training records, certificates, skills matrices, qualifications, or any documented proof that workers performing OH&S-critical roles are competent to do so. This is one of the most commonly cited documentation gaps during audits.
Clause 7.3 — Awareness
No specific documented information is mandated, but in practice, maintaining training attendance records, toolbox talk logs, and induction records serves as evidence that awareness activities occurred.
Clause 7.4 — Communication
No mandatory documented information is specified, but documented communication plans and records (e.g., safety bulletin logs, newsletter archives) demonstrate systematic communication.
Clause 7.5 — Documented Information
This clause governs all documented information itself and requires:
- Document control procedure (maintain) — Defines how documents are created, reviewed, approved, distributed, protected, and disposed of. Although the standard does not explicitly mandate a procedure, auditors will expect to see evidence of a controlled process.
Clause 8 — Operation
Clause 8.1 — Operational Planning and Control
- Operational controls / Safe Work Procedures (SWPs) (maintain) — Documented procedures, work instructions, or controls for activities where the absence of them could lead to deviations from the OH&S policy or unacceptable risk. This includes contractor and outsourced process controls.
- Management of change documentation (maintain) — Records of planned and unplanned changes to processes, equipment, or the work environment, and the associated hazard assessment.
Clause 8.1.3 — Management of Change
- Change management records (retain) — Evidence that changes were evaluated for OH&S implications before implementation.
Clause 8.1.4 — Procurement
- Contractor and supplier OH&S requirements (maintain) — Documented criteria for evaluating contractors and suppliers on OH&S performance. Many organizations incorporate these into contract templates or pre-qualification checklists.
Clause 8.2 — Emergency Preparedness and Response
- Emergency preparedness and response plans (maintain) — Must cover potential emergency situations identified during hazard identification. Plans must be tested periodically, with test records retained.
- Emergency drill records (retain) — Evidence that emergency response procedures were tested (e.g., evacuation drills, fire response drills).
Clause 9 — Performance Evaluation
Clause 9.1 — Monitoring, Measurement, Analysis, and Evaluation
- Monitoring and measurement results (retain) — Data from OH&S performance monitoring activities such as safety inspections, equipment testing, exposure monitoring, and leading/lagging indicator tracking.
- Evaluation of compliance results (retain) — Evidence that legal and other requirements were evaluated for compliance and the outcomes of those evaluations.
Clause 9.2 — Internal Audit
- Internal audit programme (maintain) — The documented schedule and scope of internal audits.
- Internal audit results (retain) — Audit reports, findings, nonconformities, and evidence of follow-up.
Clause 9.3 — Management Review
- Management review results (retain) — Minutes or records of management review meetings, including inputs reviewed and outputs/decisions made. This is non-negotiable: auditors will request management review records at every surveillance audit.
Clause 10 — Improvement
Clause 10.2 — Incident, Nonconformity, and Corrective Action
- Incident investigation records (retain) — Documentation of all incidents (including near misses), their investigation, root cause analysis, and resulting corrective actions.
- Nonconformity and corrective action records (retain) — Evidence of identified nonconformities, the actions taken to address them, and verification of effectiveness.
- Results of corrective actions (retain) — Proof that corrective actions were implemented and their effectiveness reviewed.
Consolidated Reference Table: ISO 45001 Required Documents
The table below consolidates every mandatory documentation requirement into a single reference. Use this as the foundation for your document control index.
| # | Document / Record | Clause | Type | Maintain or Retain |
|---|---|---|---|---|
| 1 | Scope of the OHSMS | 4.3 | Document | Maintain |
| 2 | OH&S Policy | 5.2 | Document | Maintain |
| 3 | Worker consultation evidence | 5.4 | Record | Retain |
| 4 | Risks and opportunities register | 6.1.1 | Document | Maintain |
| 5 | Hazard identification results | 6.1.2 | Record | Retain |
| 6 | OH&S risk assessment results | 6.1.2 | Record | Retain |
| 7 | Legal and other requirements register | 6.1.3 | Document | Maintain |
| 8 | OH&S objectives and plans | 6.2 | Document | Maintain |
| 9 | Evidence of competence | 7.2 | Record | Retain |
| 10 | Operational controls / SWPs | 8.1 | Document | Maintain |
| 11 | Management of change records | 8.1.3 | Record | Retain |
| 12 | Contractor/supplier OH&S requirements | 8.1.4 | Document | Maintain |
| 13 | Emergency preparedness and response plans | 8.2 | Document | Maintain |
| 14 | Emergency drill records | 8.2 | Record | Retain |
| 15 | Monitoring and measurement results | 9.1.1 | Record | Retain |
| 16 | Compliance evaluation results | 9.1.2 | Record | Retain |
| 17 | Internal audit programme | 9.2 | Document | Maintain |
| 18 | Internal audit results | 9.2 | Record | Retain |
| 19 | Management review results | 9.3 | Record | Retain |
| 20 | Incident investigation records | 10.2 | Record | Retain |
| 21 | Nonconformity and corrective action records | 10.2 | Record | Retain |
Documents That Are NOT Mandatory (But Commonly Expected)
ISO 45001 is deliberately flexible — it does not mandate a specific set of procedures the way OHSAS 18001 did. However, based on my experience guiding more than 200 organizations through certification audits with a 100% first-time pass rate, these "non-mandatory" documents consistently add significant audit confidence:
- OH&S Manual — Not required, but provides an excellent system overview for auditors and new employees.
- Hazard identification procedure — Not mandated as a separate document, but practical for ensuring consistent hazard identification across departments.
- Internal audit procedure — The standard requires you to conduct internal audits, but does not explicitly require a documented procedure. In practice, having one prevents nonconformities.
- Corrective action procedure — Same logic as above; documenting the process improves consistency.
- Training needs analysis — Not required explicitly, but auditors routinely ask how you identify competence gaps.
- Contractor pre-qualification questionnaire — Supports clause 8.1.4 evidence.
Common Documentation Mistakes to Avoid
After conducting hundreds of pre-certification gap assessments, these are the five documentation mistakes I see most often:
- Confusing "maintain" with "retain." Keeping an outdated policy draft as a "record" does not satisfy clause 5.2. Policies are living documents, not archives.
- An incomplete legal register. Organizations often list federal laws but miss state/provincial regulations, local permits, and voluntary commitments. Every applicable requirement must appear.
- Undated or unsigned documents. Documented information must include identification (title, date, author, version number). Undated documents have unknown validity.
- No evidence of review. The OH&S policy, objectives, and legal register must all show periodic review. Auditors look for review dates and approvals.
- Missing near-miss records. Clause 10.2 covers incidents AND near-misses. Organizations that only record injury incidents are leaving a significant documentation gap.
Citation hook: Near-miss reporting is a leading indicator of safety culture maturity; ISO 45001:2018 clause 10.2 explicitly requires organizations to retain documented information for near-miss events — organizations that omit near-miss records are out of conformance with the standard.
How to Build a Document Control System for ISO 45001
Here is the practical framework I use with Certify Consulting clients:
Step 1: Create a Master Document Register
List every document and record, assign a unique identifier, owner, version number, review frequency, and storage location. This register becomes the backbone of your clause 7.5 compliance.
Step 2: Define Retention Periods
For each retained record, document the minimum retention period. Many jurisdictions have legal minimums (e.g., injury records kept for 5–30 years depending on jurisdiction). When in doubt, keep longer.
Step 3: Assign Document Owners
Every document must have a named owner responsible for keeping it current. Without an owner, documents go stale — and stale documents create nonconformities.
Step 4: Establish Review Triggers
Beyond scheduled annual reviews, documents should be reviewed whenever there is a significant change to operations, a legal update, an incident, or an audit finding.
Step 5: Secure and Accessible
Documented information must be available where and when it is needed. Cloud-based document management platforms significantly reduce version control errors. Restrict edit access; do not restrict read access.
Documentation and the Broader OHSMS
Good documentation does not create safety — safe workplaces do. But documentation is the evidence that your safety management system is real, consistent, and improving over time. The International Labour Organization estimates that over 2.3 million workers die annually from work-related accidents and diseases globally, representing an enormous preventable burden. A well-documented ISO 45001 OHSMS is one of the most effective tools organizations have for systematically driving down that number.
For a deeper look at how documentation connects to your overall hazard control strategy, see our guide on ISO 45001 clause 6.1 risk assessment and hazard identification and our breakdown of ISO 45001 internal audit requirements.
Frequently Asked Questions
How many documents does ISO 45001 require?
ISO 45001:2018 mandates approximately 21 distinct items of documented information across its ten clauses. These include documents you maintain (living documents like policies and registers) and records you retain (evidence of activities like audit results and incident investigations). The exact count can vary slightly depending on how your organization structures its system.
What is the difference between "documented information" and "records" in ISO 45001?
ISO 45001 uses the umbrella term "documented information" for both documents and records. When the standard says an organization shall maintain documented information, it means a living document updated over time (e.g., the OH&S policy). When it says retain documented information, it means a historical record kept as evidence (e.g., audit results). Some items require both.
Does ISO 45001 require an OH&S manual?
No. Unlike older quality management standards, ISO 45001:2018 does not require an OH&S manual. However, many organizations create one voluntarily because it provides auditors and employees with a helpful system overview and maps each element of the OHSMS to the relevant standard clause.
Can documentation be electronic?
Yes. ISO 45001:2018 clause 7.5 explicitly accommodates documented information in any format or media, including electronic systems. Cloud-based document management tools are widely used and accepted by certification bodies, provided adequate controls exist for version management, access, and protection.
What happens if you are missing required documents during a certification audit?
Missing mandatory documented information (e.g., no legal register, no documented scope) will result in a major nonconformity, which means certification cannot be granted until it is resolved. Missing supporting evidence for key processes may result in a minor nonconformity or an observation, each requiring corrective action within a defined timeframe.
Last updated: 2026-04-07
Jared Clark, JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, RAC is Principal Consultant at Certify Consulting, where he has helped 200+ organizations achieve ISO 45001 certification with a 100% first-time audit pass rate.
Jared Clark
Principal Consultant, JD, MBA, PMP, CMQ-OE
Jared Clark is the founder of Certify Consulting and a recognized expert in occupational health and safety management systems. With credentials including JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, and RAC, Jared helps organizations implement ISO 45001 and build safety cultures that protect workers and drive business results.