Work-related stress, burnout, harassment, and trauma are no longer "soft" issues that organizations can quietly sideline. In 2026, psychological health and safety (PHS) has moved firmly into the mainstream of occupational health and safety management — and ISO 45001 auditors are paying close attention.
Over my eight-plus years helping 200+ organizations achieve and maintain ISO 45001 certification — with a 100% first-time audit pass rate — I've watched PHS evolve from a footnote in audit conversations to a front-and-center expectation. This pillar article breaks down exactly what the standard requires, where organizations typically fall short, and how to build a psychologically safe workplace that satisfies auditors and, more importantly, protects your people.
What Is Psychological Health and Safety?
Psychological health and safety refers to the protection of workers from harm to their mental health and wellbeing that originates in the workplace. This includes risks such as:
- Chronic work-related stress from excessive workload or lack of control
- Workplace harassment and bullying (including online/remote forms)
- Traumatic events and critical incidents (violence, accidents, near-misses)
- Burnout resulting from sustained demands without adequate recovery
- Organizational factors such as poor communication, lack of role clarity, and low psychological safety in teams
The World Health Organization estimates that depression and anxiety cost the global economy US $1 trillion per year in lost productivity, making psychological risk one of the single largest OHS-related financial exposures an organization faces. That number alone should command executive attention.
Does ISO 45001 Explicitly Require Psychological Health and Safety?
This is the question I get most often. The short answer: yes — and more explicitly than many organizations realize.
ISO 45001:2018 does not use the phrase "psychological health and safety" as a standalone term throughout the standard, but the requirements that address it are unambiguous when read carefully. Here is where they live:
Clause 4.2 — Understanding the Needs and Expectations of Workers and Other Interested Parties
Workers have a legitimate expectation of protection from psychological harm. Identifying and documenting these expectations is a foundational step. In 2026, auditors are increasingly checking whether organizations have explicitly captured psychosocial risks in their stakeholder needs analyses.
Clause 6.1.2 — Hazard Identification
This is the most important clause for PHS compliance. ISO 45001:2018 clause 6.1.2 explicitly lists "work organization, social factors (including workload, work hours, victimization, harassment and bullying), leadership and culture of the organization" as hazard categories that must be considered during hazard identification. There is no ambiguity here — psychosocial hazards are in-scope by design.
Clause 6.1.2.1 — Hazard Identification: General
Organizations must consider hazards arising from how work is organized, the work environment, and the social context of work. This means that a hazard register that only lists slips, trips, falls, and chemical exposures is incomplete under ISO 45001.
Clause 8.1.2 — Eliminating Hazards and Reducing OH&S Risks
Once psychosocial hazards are identified, the hierarchy of controls must be applied. This is where many organizations stall — they acknowledge the hazards but stop short of implementing structured controls. That gap is an audit finding waiting to happen.
Clause 9.1 — Monitoring, Measurement, Analysis, and Performance Evaluation
Organizations must measure their OH&S performance. PHS metrics — such as psychological injury rates, employee assistance program (EAP) utilization trends, and psychosocial hazard survey results — need to be part of the performance monitoring framework.
The ISO 45003:2021 Connection
You cannot talk about ISO 45001 and PHS in 2026 without referencing ISO 45003:2021 — Occupational health and safety management — Psychological health and safety at work — Guidelines for managing psychosocial risks.
ISO 45003 is not a certifiable standard — it is a guidance document designed to be used alongside ISO 45001. Think of it as the technical specification for implementing the PHS-related requirements of ISO 45001. It provides:
- A taxonomy of psychosocial hazards and risk factors
- Guidance on applying the hierarchy of controls to psychosocial risks
- Recommendations for worker participation in PHS processes
- Metrics and indicators for measuring PHS performance
ISO 45003:2021 is now the de facto reference document that certification bodies use to assess whether an organization's psychosocial hazard management is adequate. If your auditor asks how you manage psychosocial risks and you cannot reference ISO 45003, that is a red flag in your audit.
The 2026 Audit Landscape: What's Changed
Certification bodies have materially raised the bar on PHS over the past two years. Based on current audit trends, here is what organizations are experiencing:
Auditors Are Now Probing Psychosocial Hazard Registers
It is no longer sufficient to have a generic line item that says "work-related stress" in your hazard register. Auditors want to see specific psychosocial hazard categories (job demands, job control, role clarity, relationships, change management, remote/hybrid work factors) identified and assessed with credible risk scores.
Worker Consultation on PHS Is Being Scrutinized Under Clause 5.4
ISO 45001 clause 5.4 requires that workers be consulted and participate in hazard identification and risk assessment. In 2026, auditors are specifically asking: "How were workers involved in identifying psychosocial hazards?" A top-down management exercise does not satisfy this requirement.
PHS Incident Data Is Expected in Management Reviews
Clause 9.3 (Management Review) requires reviewing OH&S performance data. Auditors are increasingly checking whether psychological injury data — including near-misses involving psychological distress — is presented alongside traditional injury statistics.
Corrective Actions for Psychosocial Hazards Must Be Organizational, Not Just Individual
This is a critical distinction. Under clause 10.2 (Incident, Nonconformity, and Corrective Action), corrective actions for psychosocial risks must address root causes — which are almost always organizational and systemic (e.g., workload design, management practices, culture) — not just individual referrals to an EAP. Auditors are trained to identify when corrective actions merely paper over systemic problems.
A Practical Framework for PHS Under ISO 45001
Here is the implementation framework I use with clients at Certify Consulting. It maps directly to ISO 45001 clauses and is audit-ready.
Step 1: Integrate Psychosocial Hazards Into Hazard Identification (Clause 6.1.2)
Use ISO 45003:2021's hazard taxonomy as your identification checklist. At minimum, assess:
| Psychosocial Hazard Category | Example Risk Factors |
|---|---|
| Job Demands | High workload, time pressure, emotional demands, cognitive overload |
| Job Control | Low autonomy, limited input into decisions, rigid scheduling |
| Support | Poor manager support, lack of peer support, social isolation |
| Relationships | Harassment, bullying, discrimination, incivility |
| Role | Role ambiguity, role conflict, unclear reporting lines |
| Change | Poorly managed organizational change, job insecurity |
| Trauma | Exposure to violence, critical incidents, vicarious trauma |
| Remote/Hybrid Work | Isolation, always-on culture, blurred work-life boundaries |
Step 2: Apply the Hierarchy of Controls (Clause 8.1.2)
The hierarchy of controls applies to psychosocial risks exactly as it does to physical hazards:
| Control Level | Psychosocial Application |
|---|---|
| Elimination | Remove the hazard (e.g., eliminate unrealistic deadlines, remove hostile managers) |
| Substitution | Replace the hazardous condition (e.g., redesign job roles to reduce excessive demands) |
| Engineering Controls | Structural solutions (e.g., workload management systems, scheduling tools) |
| Administrative Controls | Policies, procedures, training (e.g., anti-harassment policy, return-to-work protocols, manager mental health training) |
| PPE Equivalent | Individual support mechanisms (e.g., EAP, resilience programs, counseling access) |
Note: Auditors understand that elimination and substitution are harder to achieve for psychosocial hazards. What they will not accept is an organization that jumps straight to EAP referrals (the PPE equivalent) without demonstrating that organizational-level controls have been considered and implemented where practicable.
Step 3: Establish PHS Metrics and Monitoring (Clause 9.1)
Effective PHS measurement combines leading and lagging indicators:
Lagging Indicators (Outcome Measures): - Psychological injury/illness claim rates - Absenteeism attributable to psychosocial causes - Turnover rates correlated with psychosocial risk factors
Leading Indicators (Preventive Measures): - Psychosocial hazard survey scores (e.g., using validated tools such as the Copenhagen Psychosocial Questionnaire — COPSOQ) - Completion rates for manager PHS training - Number of psychosocial hazards identified vs. controlled - Worker-reported psychosocial risk concerns (near-misses)
Step 4: Ensure Worker Participation Is Genuine (Clause 5.4)
Worker participation in PHS cannot be a checkbox exercise. Genuine participation includes:
- Anonymous psychosocial risk surveys conducted at regular intervals
- Worker representatives involved in reviewing survey results
- Visible feedback loops — workers must see that their input leads to action
- Safety committees with a standing PHS agenda item
Step 5: Include PHS in Management Review (Clause 9.3)
Your management review agenda must include a PHS performance summary. This should cover: - Trend data from psychosocial hazard surveys - Psychological injury/illness statistics - Status of open corrective actions related to psychosocial hazards - PHS-related objectives and targets and progress against them
Common PHS Nonconformities Found in ISO 45001 Audits
Based on my experience conducting and supporting over 200 ISO 45001 certification projects, these are the most common PHS-related nonconformities:
-
Psychosocial hazards absent from the hazard register — The hazard register contains only physical and chemical hazards, with no documented identification of psychosocial risks. (Nonconformity against clause 6.1.2)
-
No evidence of worker consultation on psychosocial risks — Hazard identification was conducted by EHS staff without documented worker input. (Nonconformity against clause 5.4)
-
Controls limited to EAP referral — The only documented control for work-related stress or harassment is "refer to EAP." No organizational-level controls are documented. (Nonconformity against clause 8.1.2)
-
PHS incidents not captured in the incident management system — Psychological injuries, stress leave, and harassment complaints are managed through HR but are not included in the OHS incident system, meaning they never feed into corrective action or management review. (Nonconformity against clauses 9.1 and 9.3)
-
No PHS objectives — The OH&S objectives (clause 6.2) do not include any psychosocial health targets, suggesting PHS is not integrated into the management system.
Why PHS Is a Business Imperative, Not Just a Compliance Exercise
ISO 45001 compliance is the floor, not the ceiling. The business case for proactive PHS management is compelling:
- According to Safe Work Australia, psychological injuries have the longest median time away from work of any injury type — 14.8 weeks compared to 5.4 weeks for physical injuries.
- The American Institute of Stress estimates that workplace stress costs U.S. employers approximately $300 billion annually through absenteeism, reduced productivity, employee turnover, and workers' compensation claims.
- Organizations with mature PHS programs report measurable improvements in employee engagement, retention, and productivity — outcomes that directly affect financial performance.
- Regulatory pressure is intensifying globally: Australia's Work Health and Safety regulations now include explicit positive duties around psychosocial hazards, the UK's HSE Management Standards address work-related stress, and the EU's OSH Strategic Framework 2021–2027 prioritizes psychosocial risk. ISO 45001 certification that includes robust PHS management positions organizations ahead of this regulatory curve.
Getting Audit-Ready for PHS in 2026
Here is a rapid-assessment checklist to identify your current PHS gaps:
- [ ] Psychosocial hazards documented in the hazard register (clause 6.1.2)
- [ ] Psychosocial risk assessment conducted with worker input (clauses 5.4 and 6.1.2)
- [ ] Organizational-level controls implemented and documented (clause 8.1.2)
- [ ] PHS policy or commitment statement visible to workers (clause 5.2)
- [ ] Manager training on psychosocial hazard identification and response (clause 7.2)
- [ ] PHS metrics included in performance monitoring (clause 9.1)
- [ ] Psychological injuries/incidents captured in the incident system (clause 9.1)
- [ ] PHS performance presented at management review (clause 9.3)
- [ ] PHS objectives established and tracked (clause 6.2)
- [ ] ISO 45003:2021 referenced as guidance in the management system
If you have gaps across multiple items, I recommend a structured PHS gap assessment before your next surveillance or recertification audit. At Certify Consulting, this is one of the most impactful interventions we deliver for clients preparing for ISO 45001 audits.
The Bottom Line
Psychological health and safety is not an optional add-on to ISO 45001 — it is a core requirement, embedded in clauses 4.2, 5.4, 6.1.2, 8.1.2, 9.1, 9.3, and 10.2. In 2026, certification bodies are auditing PHS with the same rigor they apply to physical hazard management. Organizations that have not integrated psychosocial hazards into their OH&S management system face genuine nonconformity risk — and, more importantly, are failing the workers they are obligated to protect.
The organizations that treat PHS as a strategic priority — not a compliance afterthought — will be the ones that build safer, more resilient, and more productive workplaces.
For guidance on integrating psychological health and safety into your ISO 45001 management system, explore our ISO 45001 implementation resources or visit Certify Consulting to speak with our team directly.
Frequently Asked Questions
Does ISO 45001 require psychosocial hazard identification?
Yes. ISO 45001:2018 clause 6.1.2 explicitly requires organizations to identify hazards arising from social factors including workload, work hours, victimization, harassment, and bullying. Psychosocial hazard identification is not optional.
What is ISO 45003 and how does it relate to ISO 45001?
ISO 45003:2021 is a guidance document that provides detailed recommendations for managing psychosocial risks within an ISO 45001 OH&S management system. It is not a certifiable standard, but it is the primary reference used by auditors to assess the adequacy of psychosocial risk management.
Can an EAP count as a control for work-related stress under ISO 45001?
An EAP can be part of a control strategy, but it cannot be the only control. Under the hierarchy of controls (clause 8.1.2), individual-level supports like EAPs are the lowest level of control. Organizations must demonstrate that organizational-level controls — such as workload redesign, management training, and cultural interventions — have been considered and implemented.
What psychosocial metrics should be included in an ISO 45001 management review?
At minimum, management reviews should include: psychological injury/illness rates, absenteeism data linked to psychosocial causes, results from psychosocial hazard surveys, status of corrective actions for psychosocial hazards, and progress against PHS objectives.
What are the most common ISO 45001 nonconformities related to psychological health and safety?
The most common PHS nonconformities are: psychosocial hazards absent from the hazard register, no evidence of worker consultation on psychosocial risks, controls limited to EAP referral only, psychological incidents not captured in the OHS incident management system, and no documented PHS objectives.
Last updated: 2026-03-29
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.