What Is ISO 45001 and Why It Replaced OHSAS 18001 and AS/NZS 4801
ISO 45001:2018 is the international standard for occupational health and safety management systems. It was published by the International Organization for Standardization in March 2018 and replaced both OHSAS 18001:2007 and the Australian and New Zealand standard AS/NZS 4801:2001. The migration deadline for OHSAS 18001 passed in March 2021, and certificates issued against OHSAS 18001 are no longer valid. AS/NZS 4801 was formally withdrawn by Standards Australia in 2023 and can no longer be used for new certifications. Organisations that still reference AS/NZS 4801 in their management system documentation, prequalification submissions, or tender responses are operating against a withdrawn standard and should transition to ISO 45001 as a priority.
ISO 45001 was developed by an ISO project committee with representation from over 70 countries, including Australia. It adopts the Annex SL high-level structure that is common to all ISO management system standards published since 2012, including ISO 9001:2015 for quality and ISO 14001:2015 for environmental management. This common structure facilitates integration of multiple management systems into a single framework, which is particularly valuable for organisations that maintain certifications across quality, environment, and safety.
The key differences between ISO 45001 and its predecessors include a stronger emphasis on organisational context and stakeholder expectations, the requirement for top management leadership and commitment rather than management representative delegation, the integration of OH&S into business processes rather than treating it as a standalone function, a more sophisticated approach to risk and opportunity management using risk-based thinking, explicit requirements for worker participation and consultation, the removal of the concept of preventive action as a separate element in favour of risk-based thinking throughout, and requirements for managing the OH&S implications of outsourced processes and the supply chain. In Australia, ISO 45001 certification is recognised by the Federal Safety Commissioner for construction prequalification, by state and territory government procurement agencies, and by principal contractors across mining, oil and gas, construction, and manufacturing industries.
The PDCA Structure and Clause-by-Clause Overview
ISO 45001 follows the Plan-Do-Check-Act cycle, which provides the systematic framework for continual improvement. The standard contains ten clauses, with Clauses 1 to 3 covering scope, normative references, and terms and definitions, and Clauses 4 to 10 containing the auditable requirements.
Clause 4 — Context of the Organisation requires the organisation to determine external and internal issues relevant to its purpose and that affect its ability to achieve the intended outcomes of the OH&S management system. It requires identification of interested parties including workers, regulators, unions, customers, insurers, and the community, and determination of their needs and expectations. It requires determination of the scope of the management system and establishment of the OH&S management system.
Clause 5 — Leadership and Worker Participation requires top management to demonstrate leadership and commitment by taking accountability for the prevention of work-related injury and ill health, ensuring the OH&S policy and objectives are established and compatible with the strategic direction of the organisation, integrating OH&S requirements into business processes, and ensuring resources are available. It requires establishment of an OH&S policy and assignment of roles, responsibilities, and authorities. Critically, it requires consultation with and participation of workers and worker representatives.
Clause 6 — Planning requires the organisation to determine risks and opportunities arising from the issues identified in Clause 4, to identify hazards using a proactive and ongoing process, to assess OH&S risks and other risks to the management system, to identify OH&S opportunities, to determine applicable legal and other requirements, and to plan actions to address risks, opportunities, and legal requirements. It requires establishment of OH&S objectives and planning to achieve them.
Clause 7 — Support covers resource determination, competence, awareness, communication, and documented information. Clause 8 — Operation covers operational planning and control, elimination of hazards and reduction of OH&S risks using the hierarchy of controls, management of change, procurement, contractors, and outsourcing, and emergency preparedness and response. Clause 9 — Performance Evaluation covers monitoring, measurement, analysis, and evaluation; evaluation of compliance with legal and other requirements; internal audit; and management review. Clause 10 — Improvement covers incident investigation, nonconformity and corrective action, and continual improvement.
Transition from AS/NZS 4801 — Gap Analysis and Implementation Steps
Organisations that held AS/NZS 4801 certification and have not yet transitioned to ISO 45001 are operating against a withdrawn standard. The transition requires a structured gap analysis that identifies the differences between the organisation's current management system and the ISO 45001 requirements. The most significant gaps for organisations transitioning from AS/NZS 4801 typically occur in the following areas.
Context of the organisation is an entirely new requirement that did not exist in AS/NZS 4801. The organisation must conduct a formal analysis of its internal and external context, identify interested parties, and determine their needs and expectations. This analysis informs the scope of the management system and the planning of actions to address risks and opportunities.
Leadership and worker participation requirements are more prescriptive in ISO 45001 than in AS/NZS 4801. Top management must demonstrate personal leadership and commitment rather than delegating OH&S management to a management representative. The standard provides that specific top management responsibilities cannot be delegated, including accountability for the OH&S management system and ensuring the OH&S policy and objectives are compatible with the strategic direction.
Risk-based thinking replaces the AS/NZS 4801 concept of hazard identification, risk assessment, and risk control. While the practical activities are similar, ISO 45001 extends risk-based thinking beyond OH&S risks to include risks and opportunities for the management system itself, including risks from internal and external issues and interested party expectations.
Worker participation requirements in ISO 45001 go beyond the AS/NZS 4801 consultation requirements. ISO 45001 distinguishes between consultation, which means seeking views before making a decision, and participation, which means involving workers in decision-making. The standard specifies particular matters that require consultation and particular matters that require participation.
Performance evaluation requirements in ISO 45001 include a formal process for evaluating compliance with legal and other requirements, which was not explicitly required by AS/NZS 4801. The organisation must determine the frequency and methods for compliance evaluation and must take action when compliance gaps are identified.
A typical transition project takes 6 to 12 months depending on the maturity of the existing management system, the size and complexity of the organisation, and the availability of internal resources.
Certification Process — Stage 1 and Stage 2 Audits
ISO 45001 certification is awarded by accredited certification bodies following a two-stage initial certification audit process. In Australia, certification bodies must be accredited by the Joint Accreditation System of Australia and New Zealand to conduct ISO 45001 audits. The major accredited certification bodies operating in Australia include BSI Group, SAI Global (now part of Intertek), Bureau Veritas, DNV, TUV Rheinland, SGS, LRQA, and NQA.
Stage 1 Audit is a documentation review and readiness assessment. The certification body auditor reviews the OH&S management system documentation including the OH&S policy, scope statement, context analysis, risk and opportunity assessment, legal register, objectives and plans, documented procedures, and records of management system operation. The auditor also conducts a limited on-site assessment to evaluate the readiness of the organisation for the Stage 2 audit. The Stage 1 audit identifies any areas of concern or gaps that must be addressed before the Stage 2 audit can proceed. There is typically a period of 1 to 3 months between Stage 1 and Stage 2 to allow the organisation to address any findings.
Stage 2 Audit is a comprehensive on-site audit that evaluates the implementation and effectiveness of the OH&S management system against all requirements of ISO 45001. The audit involves document review, interviews with top management, managers, supervisors, workers, and health and safety representatives, observation of work activities, and verification of records. The audit covers all clauses of the standard and all sites within the scope of certification.
Audit findings are classified as major nonconformities, minor nonconformities, or opportunities for improvement. A major nonconformity indicates a systemic failure that affects the ability of the management system to achieve its intended outcomes and must be corrected and verified before certification can be recommended. Minor nonconformities indicate isolated failures that do not affect overall system effectiveness and must be corrected within a defined timeframe, typically 90 days.
Following a successful Stage 2 audit, the lead auditor recommends certification to the certification body's certification decision committee, which makes the formal certification decision. The certification is valid for three years, subject to annual surveillance audits that verify continued compliance and effective operation.
Certification Costs and Return on Investment
ISO 45001 certification costs vary significantly based on the size of the organisation, the number of sites, the complexity of operations, the hazard profile, and the maturity of the existing management system. For a single-site organisation with 50 to 100 workers in a moderate-risk industry, typical costs for initial certification include gap analysis and readiness assessment at $5,000 to $15,000 if using an external consultant, management system development and documentation at $10,000 to $30,000 for external consultant support or equivalent internal staff time, implementation support including training, internal audits, and management review facilitation at $5,000 to $15,000, and certification body audit fees for Stage 1 and Stage 2 at $8,000 to $15,000. Total initial certification costs for a small to medium organisation typically range from $30,000 to $75,000 including both consultant and certification body fees.
Ongoing costs include annual surveillance audit fees of $4,000 to $8,000, triennial recertification audit fees of $6,000 to $12,000, and internal resource costs for system maintenance, internal auditing, and management review. For larger organisations with multiple sites, costs scale with the number of audit days required. A multi-site mining or construction company with 500 to 1,000 workers across five sites may face initial certification costs of $150,000 to $300,000 and annual maintenance costs of $30,000 to $60,000.
The return on investment for ISO 45001 certification is realised through multiple channels. Workers compensation premium reductions are available from most insurers for certified organisations, typically ranging from 5 to 15 per cent. Prequalification and tender success rates improve because ISO 45001 certification is increasingly a mandatory requirement for government and principal contractor work. The Federal Safety Commissioner requires demonstrated evidence of safety management system maturity for accreditation, and ISO 45001 certification provides that evidence. Regulatory enforcement outcomes are generally more favourable for organisations that can demonstrate a certified management system, as it provides evidence that the PCBU has taken a systematic approach to risk management. Incident rates typically decrease following certification implementation, reducing direct and indirect incident costs.
Mapping ISO 45001 Clauses to Australian WHS Legislation
ISO 45001 and Australian WHS legislation share the same fundamental objective of preventing work-related injury and ill health, but they approach that objective from different directions. Understanding the mapping between ISO 45001 clauses and WHS Act and Regulation requirements is essential for organisations seeking to build a management system that achieves both certification and regulatory compliance.
Clause 4 — Context maps to the WHS Act's concept of the PCBU's scope of duty. The PCBU must understand its operating environment, the nature of its business or undertaking, and the persons who may be affected by its work. The legal register component of Clause 4 maps directly to the obligation to identify applicable WHS Regulations, approved codes of practice, and other relevant standards.
Clause 5 — Leadership maps to the officer due diligence obligations under Section 27 of the WHS Act. Officers must exercise due diligence to ensure the PCBU complies with its WHS duties, which includes acquiring and keeping up-to-date knowledge of WHS matters, understanding the nature of operations and associated hazards, ensuring appropriate resources and processes, ensuring processes for receiving and responding to information, and verifying the provision and use of resources. The ISO 45001 requirements for top management leadership and commitment provide the systematic framework through which officers can demonstrate due diligence.
Clause 6 — Planning maps to the risk management obligations under Part 3.1 of the WHS Regulation 2025, which requires the identification of reasonably foreseeable hazards, risk assessment, control implementation using the hierarchy of controls, and review. The legal requirements element maps to the obligation to comply with all applicable provisions of the WHS Act and Regulation.
Clause 7 — Support maps to the training, information, instruction, and supervision obligations under Section 19 of the WHS Act and the consultation obligations under Part 5 of the WHS Act. Clause 8 — Operation maps to the specific hazard management obligations throughout the WHS Regulation 2025 including plant, hazardous chemicals, falls, confined spaces, and psychosocial hazards. Clause 9 — Performance Evaluation maps to the monitoring and review obligations, including compliance evaluation against regulatory requirements. Clause 10 — Improvement maps to the incident investigation and corrective action obligations.
Maximum penalties for WHS Act primary duty breaches are $3,451,500 for a body corporate and $690,300 for an individual as of 2025-26 CPI indexation for Category 1 offences.
Internal Auditing and Continual Improvement Under ISO 45001
Internal auditing is one of the most important mechanisms for continual improvement within an ISO 45001 management system. Clause 9.2 requires the organisation to conduct internal audits at planned intervals to provide information on whether the management system conforms to the organisation's own requirements and the requirements of ISO 45001, and whether it is effectively implemented and maintained. The internal audit programme must consider the importance of the processes concerned, changes affecting the organisation, and the results of previous audits. Internal auditors must be competent and must be independent of the area being audited. For smaller organisations where independence is difficult to achieve, auditor pairs or external internal auditing arrangements can be used.
The audit programme should cover all requirements of ISO 45001 over a defined cycle, typically one to three years depending on the size of the organisation and the risk profile of its operations. High-risk processes and processes with a history of nonconformities should be audited more frequently. Each internal audit should be planned with defined objectives, scope, and criteria. The auditor conducts the audit through document review, interviews, and observation, and records findings as conformities, nonconformities, or observations. Nonconformities require corrective action including root cause analysis, implementation of correction and corrective action, and verification of effectiveness.
Continual improvement under Clause 10.3 requires the organisation to continually improve the suitability, adequacy, and effectiveness of the management system. This is achieved through the policy commitment to continual improvement, the achievement of OH&S objectives, the results of monitoring and measurement, evaluation of compliance, internal audit and management review outcomes, worker participation and consultation inputs, and analysis of incidents and nonconformities.
Management review under Clause 9.3 is the formal process through which top management evaluates the management system performance and makes decisions about improvement. Management review inputs include the status of previous management review actions, changes in external and internal issues, OH&S performance including trends in incidents, monitoring results, compliance evaluation, audit findings, consultation outcomes, and risks and opportunities. Management review outputs include conclusions on the continuing suitability, adequacy, and effectiveness of the management system, continual improvement decisions, resource needs, any changes to the management system, and actions needed when OH&S objectives have not been achieved.
Achieving ISO 45001 with EHS Atlas
EHS Atlas is designed with ISO 45001 clause alignment built into the platform architecture. Each module maps to specific ISO 45001 clauses, enabling organisations to build their management system on the platform and demonstrate conformity during both internal and external audits. The risk register module addresses Clause 6.1 planning requirements with hazard identification, risk assessment, hierarchy of controls, and risk review workflows. The legal register module addresses Clause 6.1.3 by maintaining a current register of applicable WHS legislation, regulations, codes of practice, and other requirements with compliance evaluation scheduling. The document control module addresses Clause 7.5 with version control, approval workflows, access controls, and retention management for all management system documented information. The training and competency module addresses Clauses 7.2 and 7.3 by defining competency requirements for each role, tracking training completion and currency, and generating alerts for expiring competencies. The incident management module addresses Clause 10.2 with incident reporting, investigation workflows including root cause analysis, corrective and preventive action tracking, and effectiveness verification. The inspection and audit module addresses Clause 9.2 with configurable audit programmes, audit checklists mapped to ISO 45001 clauses, finding classification, corrective action tracking, and audit trend analysis. The management review module addresses Clause 9.3 by generating management review packs from system data, recording management review decisions, and tracking resultant actions. The consultation module addresses Clause 5.4 by documenting worker consultation and participation activities, HSR and committee meetings, and worker feedback mechanisms.
For organisations preparing for certification, the platform provides an ISO 45001 readiness assessment tool that evaluates the status of each clause requirement and identifies gaps requiring action before the Stage 1 audit. The platform generates audit-ready evidence packages that compile the documented information, records, and data required to demonstrate conformity during certification audits.