ISO 45001:2018 is the international standard that specifies requirements for an occupational health and safety (OH&S) management system, with guidance for its use. Its purpose is to enable organizations to provide safe and healthy workplaces by preventing work-related injury and ill health and by proactively improving OH&S performance. It was published in 2018 and replaced the earlier British standard OHSAS 18001.
The standard applies to organizations of all sizes, sectors, and geographies, regardless of their level of risk. It is voluntary: ISO develops the standard but does not perform certification. Organizations may implement it on their own, or choose to be independently audited and certified by a third-party certification body.
What is an OH&S management system under ISO 45001?
An occupational health and safety (OH&S) management system is a structured framework for managing the risks and opportunities that affect worker safety and health. Under ISO 45001, the system establishes criteria for an OH&S policy, objectives, planning, implementation, operation, auditing, and review.
Key elements include:
- Leadership commitment and accountability from top management
- Worker participation and consultation
- Hazard identification and risk assessment
- Meeting legal and other requirements
- Emergency preparedness and response
- Incident investigation and corrective action
- Continual improvement of OH&S performance
The intended outcome is fewer work-related injuries and illnesses, and a workplace where health and safety risks are systematically controlled.
What is the Annex SL high-level structure and Plan-Do-Check-Act?
ISO 45001 follows Annex SL, the common high-level structure shared across modern ISO management system standards (such as ISO 9001 and ISO 14001). This shared structure uses harmonized clauses, terms, and definitions so that an organization can integrate multiple management systems more easily.
The core requirements sit in clauses 4 to 10:
- Clause 4 — Context of the organization
- Clause 5 — Leadership and worker participation
- Clause 6 — Planning
- Clause 7 — Support
- Clause 8 — Operation
- Clause 9 — Performance evaluation
- Clause 10 — Improvement
These clauses map onto the Plan-Do-Check-Act (PDCA) cycle, the methodology ISO 45001 uses to systematically manage health and safety risks. PDCA is iterative: organizations plan objectives and controls, implement them, check results through monitoring and audit, and act to continually improve.
How does ISO 45001 require worker participation?
Worker participation is a defining feature of ISO 45001. The standard requires meaningful consultation and participation of workers at all applicable levels and functions, including non-managerial workers.
The standard distinguishes two related concepts:
- Consultation — seeking the views and input of workers before making a decision
- Participation — involving workers in the decision-making process itself
Workers are expected to be engaged in activities such as hazard identification, risk assessment, and the development of OH&S policy, because those closest to the work often have the clearest view of the hazards. Organizations are also expected to protect workers from reprisals for reporting hazards or raising concerns.
How are hazards identified and risks assessed?
Hazard identification and risk assessment are central planning activities under ISO 45001. The standard requires organizations to establish processes for the ongoing, proactive identification of hazards arising from their activities, and to assess the OH&S risks and opportunities associated with them.
This includes considering:
- Routine and non-routine activities and situations
- How work is organized, social factors, and human factors
- Past incidents and emergencies
- Potential emergency situations
Once risks are understood, the organization plans actions to address them and determines appropriate controls. The emphasis is proactive — preventing harm before it occurs rather than reacting to incidents after the fact.
What are the legal compliance obligations?
ISO 45001 is not itself a law, but it requires organizations to identify and comply with the legal requirements and other requirements applicable to their OH&S risks.
In practice this means an organization must:
- Determine the applicable legal and regulatory requirements relevant to its OH&S hazards and management system
- Maintain access to and understand those requirements
- Take them into account when establishing and maintaining the management system
- Periodically evaluate its compliance with them
This embeds compliance with occupational safety law into the management system as an ongoing, evaluated obligation — but the standard sits on top of, and does not replace, the health and safety laws of the jurisdictions in which the organization operates.
How did organizations migrate from OHSAS 18001?
ISO 45001 replaced OHSAS 18001, the earlier British standard for occupational health and safety management. When ISO 45001 was published in 2018, organizations holding OHSAS 18001 certification were given a transition (migration) period to move to the new standard.
The original migration deadline was set for March 2021 — roughly three years after publication. Because of disruption caused by the COVID-19 pandemic, the International Accreditation Forum (IAF) extended the deadline, and OHSAS 18001 certificates ceased to be valid by September 2021. After the migration period closed, OHSAS 18001 was withdrawn and ISO 45001 became the recognized international OH&S management system standard.
How does ISO 45001 certification work, and who is it for?
Certification to ISO 45001 is voluntary. ISO writes the standard but does not certify organizations; independent third-party certification bodies audit an organization's management system against the standard's requirements and issue a certificate if it conforms.
The typical process involves implementing the management system, conducting internal audits and a management review, then undergoing an external audit (commonly a two-stage initial assessment), followed by periodic surveillance audits and recertification over a multi-year cycle.
ISO 45001 is designed for organizations of any size, sector, or geography, regardless of their level of risk — from small businesses to large multinationals. Any organization that wants to reduce work-related injury and ill health and demonstrate a systematic approach to worker safety can adopt it, whether or not it pursues formal certification.
Frequently asked questions
Is ISO 45001 mandatory?
No. ISO 45001 is a voluntary international standard. It does not replace national health and safety law, though it does require certified organizations to identify and comply with the legal requirements that apply to them.
What is the difference between ISO 45001 and OHSAS 18001?
ISO 45001 is the international standard that replaced the older British standard OHSAS 18001. ISO 45001 adopts the Annex SL high-level structure for consistency with other ISO standards and places stronger emphasis on leadership, worker participation, and the organization's context. OHSAS 18001 certificates were no longer valid after the migration period ended in September 2021.
Does ISO 45001 apply to small organizations?
Yes. ISO 45001 is intended for organizations of all sizes and sectors, regardless of geographic location or level of risk, including small businesses.
Does ISO certify organizations to ISO 45001?
No. ISO develops and publishes the standard but does not perform certification. Independent third-party certification bodies audit organizations against the standard and issue certificates.
What methodology does ISO 45001 use?
ISO 45001 uses the Plan-Do-Check-Act (PDCA) cycle to systematically manage health and safety risks, mapped across the standard's clauses for context, leadership, planning, support, operation, performance evaluation, and improvement.
Is worker participation required by ISO 45001?
Yes. The standard requires meaningful consultation and participation of workers at all applicable levels and functions, including non-managerial workers, in activities such as hazard identification, risk assessment, and policy development.