ISO 45001 Consultancy Guide

A guide to ISO 45001:2018

ISO 45001:2018 is the global standard for managing health and safety. The internationally agreed framework outlines the elements of best practice an organisation should employ. Its purpose is to:

a) help businesses to build a strong health & safety management system

b) create a benchmark against which the performance of companies can be judged

c) prevent work-related illness and ill health to workers and provide safe & healthy workplaces



Why is ISO 45001 certification so important?

There are a number of benefits to having a well implemented ISO 45001 Occupational Health & Safety Management System (OH&S):


It strengthens your image and credibility, helping you to win projects

Without a doubt, the ability to show clients that you have a certified OH&S management system in your business is one of the most powerful arguments for achieving certification. Having an independent third party verify your organisations health & safety processes sends a strong message to clients and prospective clients that you place safety at the centre of what you do.


It creates a safer & healthier working environment

Although all businesses will be concerned with creating a safe and healthy working environment, employing the ISO 45001 framework will in most businesses create a more comprehensive and consistent approach to health & safety.


It lowers business risk

There is wide ranging health & safety legislation with which organisations must comply. Failing to meet these legal requirements can result in enforcement actions, fines, reputational damage and in the most serious circumstances prison sentences if there is significant negligence by the organisation. By applying a structured approach to health & safety, organisations are able to identify hazards and mitigate the risks they pose. Systematic and proactive risk mitigation reduces accidents, safeguards life, saves money, preserves reputation and prevents lost time incidents.


It increases morale

Good health and safety controls improve morale. It is a right for all workers to come to work and return home safely. Creating a safe working environment and displaying a strong commitment to health & safety from senior leadership downwards, provides workers with the physical and psychological safety they are entitled to.



How is the standard structured?

When you first look at the standard, the layout and terminology can be confusing. However, as you understand further how the ISO 45001 standard is structured the logic starts to appear.


The 10 Clauses

The ISO 45001:2018 standard is written around 10 clauses. Of the ten clauses, it is clauses 4-10 that are audited. Clause 1-3 are used to set the scene of the standard but are less important when it comes to your ISO 45001 implementation.


Clause 4 - Context of the Organisation

Your organisation must identify, monitor and review external and internal issues that are relevant to your health & safety performance. This could be issues ranging from the nature of the activities undertaken and the way work is organised, through to cultural perceptions of health & safety and the legislative environment. You should document your findings and review them regularly. This clause also asks you to document all the interested parties who have needs and expectations of your business. Finally, this is the clause that requires you to have documented health & safety procedures, e.g. for how you undertake risk assessments, manage fire arrangements and investigate incidents.


Clause 5 - Leadership & Worker Participation

Leadership involvement is a critical component in making an OH&S management system work, and for this reason the standard makes it a requirement. Leadership are required to create your Health & Safety Policy, set objectives, be present in health & safety reviews and communicate the importance of safety throughout the organisation. Some of the ways leaders are involved will be tangible, e.g. the writing of the Health & Safety Policy, but in other ways their involvement will be intangible, e.g. by acting in a way that positively promotes a safety culture.

Clause 5 also requires organisations to proactively involve staff through consultation and participation. Organisations need to establish a framework that allows them to genuinely harness non-managerial worker involvement in planning and implementing H&S arrangements.


Clause 6 - Planning

In Clause 6 you need to demonstrate that you have a robust planning procedure in place for your health & safety arrangements. The standard asks you to document the major risks facing your organisation and any health & safety opportunities you believe that you have. These risks & opportunities should be linked to the contextual issues and expectations of your interested parties (Clause 4). This clause also requires you to set and document health & safety objectives, and to have a way to plan for changes in your business that may impact the safety of workers and other parties.

You must establish a robust process for hazard identification and treatment, which will generally involve risk assessments of work activities and the work environment. You will also need to produce a health & safety legal register in which you recognise all the health & safety related regulations which are applicable to your work and how you ensure that you are meeting these requirements.


Clause 7 - Support

This section of the standard is about all the pieces of a management system that act like the oil, allowing everything to run smoothly. We are talking about making sure you have competently trained staff, a high level of awareness of health & safety arrangements, established procedures for communicating internally and externally about health & safety issues, and control over the documentation in your management system.


Clause 8 - Operations

In Clause 8 you will need to demonstrate that your planned arrangements for health & safety are consistently implemented in practice. This can include processes for; consultation and participation of workers; hazard identification and risk assessment; compliance with legal requirements; communication; management of change; emergency preparedness and response; monitoring; ensuring competence; and procuring goods and services. You will need to demonstrate that you are applying the hierarchy of controls to eliminate hazards or control risks. Evidencing this clause to an assessor is usually by a walk through of your workspace, observation of a job from end-to-end and interviews with staff.


Clause 9 - Performance evaluation

There are four main components of performance evaluation. Firstly you will need to demonstrate that you are monitoring your health & safety performance, be it through site inspections, incident investigations or accident statistics as examples. Secondly is a periodic evaluation of compliance in which you need to confirm you are working in line with all the legislation that applies to your business. Thirdly is the important business of internal auditing - you will need to demonstrate that you regularly audit all the key components of the management system to review performance. Lastly, you will need to hold periodic 'management reviews' in which the person responsible for the daily running of the management system reports back to the leadership team against a set agenda.


Clause 10 - Improvement

The key mechanism for continual improvement is a 'nonconformance process'. Although this sounds a bit foreboding, it is actually a constructive way to review your systems when something goes wrong and address the root cause of the issue. It is not about finding fault with individuals, rather the focus is on understanding why a process has broken down or incident has occurred. The other half of improvement is the general way in which your business continually improves how it operates, either through small incremental changes or larger step changes.

How do your customers benefit?

  • Gain confidence that you will deliver products and services with high levels of control around safety

  • Streamline their own due diligence & tender process if you are certified

  • Have assurance that your controls will help others who are working collaboratively to remain safe

How does your company benefit?

  • Streamlined tendering processes and point of competitive advantage

  • Structured approach to mitigating risk to your employees, visitors, the public and your business

  • Sense of pride that you run your business to international best practice

Key components of an OH&S Management System

  • An analysis of the internal and external issues that can impact your business

  • A well utilised risk management process

  • Documented and communicated H&S processes

  • A well deployed process for training staff and measuring competency

  • Utilisation of well chosen indicators (KPIs) to monitor H&S performance

  • A process for managing the relationship with suppliers

  • A process for addressing incidents, accidents and unexpected circumstances

  • Regular consultation and participation of workers

  • Internal audits to check H&S arrangements are implemented as intended

  • Documented management meetings to review H&S arrangements


ISO 45001 is based upon a 'Plan-Do-Check-Act' Cycle to drive continual H&S improvements

Three different approaches to implementing ISO 45001


  • Appoint or train someone internally to implement the management system
  • Build in additional time to learn the standard and its requirements
  • Embrace slightly greater uncertainty when entering the audit phase

Consultant support

  • Hire consultants who can guide you efficiently through implementation
  • Accelerate the implementation timeframe
  • Use the consultant's knowledge to enter the audit with confidence

External compliance officer

  • Employ an external consultant to take responsibility for you management system
  • Weigh up the cost versus benefit of outsourcing this responsibility
  • Benefit from years of experience of industry best practice

What does it take to be successful?

Here are what we consider to be the key ingredients to make a really strong health & safety management system. It is also important to recognise that ISO is a journey and no company will have a perfect system in the first few years.


Senior manager involvement

Senior management must be involved to give legitimacy to the H&S management system, ensure the team buy in & provide the resources needed


Engagement of staff

Staff should be consulted on H&S arrangements, actively participating in making suggestions for improvements


Thirst for continual improvement

Ideally the whole organisation, or at least a number of influential members must have a real desire to push the business to continually improve, learning from mistakes and seeking suggestions from all team members for improvements


Consistency & discipline

An OH&S management system should not be a once a year consideration just before the auditors come in - instead work should be carried out on the management system little and often (e.g. spreading the internal audits throughout the year; or arranging regular H&S meetings)


Collaboration with suppliers & subcontractors

The role suppliers & subcontractors play in your success shouldn't be underestimated - the best companies develop strong mutually beneficial relationships with suppliers & subcontractors and help each other make health & safety improvements

How does the certification process work?

The certification process can be confusing when you first research it.

Here, we will throw light on how the process works.



The Key Certification Steps


Step 1

Firstly, you will need to have implemented or be in the process of implementing the Occupational Health & Safety Management System. You don’t need to have fully implemented the system before contacting the certification bodies, however having made a start or knowing how far you have to go can help set a date to aim for.


Step 2

The next step is to contact one or more certification bodies to ask for quotes. You will be required to provide information about your business (i.e. nature of your work, number of employees and the roles they do, number of sites) so the certification body can make a good approximation about how many days it will take an assessor to audit your business. 

We recommend contacting at least two certification bodies since the price and number of days they expect the audit to take can vary.


Step 3

Based upon the quotes received, you will need to decide the most appropriate body to certify your business and set a fixed date for your Stage 1 and Stage 2 audits.


Step 4

Before the external audits you must fully implement your management system. This includes organising processes, creating policies, conducting internal audits, holding a management review and putting in place other mechanisms. A good consultant can help you put in place a management system with maximum efficiency.


Step 5

On the agreed dates, you will receive two rounds of audits, a Stage 1 and Stage 2 audit, usually 4 - 6 weeks apart. On successful completion of these audits, you will receive the certificate


The Stage 1 Audit

A Stage 1 audit is an initial visit from the assessor in which they aim to; get a feeling for your business and the processes involved; check your readiness for the full Stage 2 audit; and see if there are any major gaps that need to be filled before Stage 2  


This is an important step as if anything is missing it can be resolved before the full audit. You cannot ‘fail’ a Stage 1 audit however you should have your management system as fully implemented as possible. If your system is particularly weak at Stage 1, the Stage 2 audit may be postponed and you may need another Stage 1 audit to determine readiness at a later date. A good consultancy like 2SB will help you be ready for your Stage 1 so nothing major is missing from your system and that you can move on smoothly to the Stage 2 audit.


The Stage 2 Audit

At Stage 2 the assessor will take a much deeper look into your business processes. They will be walking around, speaking to staff in the organisation, looking at whether your own processes are well implemented, and checking to see if the systems meet the requirements of the ISO standard. The auditor will typically take a job, project or process and look at it from start to finish to understand how you build health & safety into your operations.


The Stage 2 audit will give one of three results:

i. Your system is well implemented and meets the requirements of the standard. There may be some recommendations for improvements but there are no nonconformances. You will receive your certificate.

ii. There have been minor nonconformances observed, and these need to resolved. You will receive a report giving you details of the minor nonconformance(s) and a timeframe to address them within. Once you have submitted proof that the nonconformance(s) has been addressed you will receive your certificate.

iii. There is a major nonconformance observed. In this case it is likely you will have to resolve the issue and undergo another audit to confirm it has been addressed. Generally, major nonconformances will be prevented by the Stage 1 audit which should highlight any major gaps in the system.


Once gained, the certificate is valid for three years, with the UKAS requirement that surveillance audits carried out annually and re-certification audits every third year.


What are surveillance audits?

Once you have gained your initial certification, you will be required to have annual surveillance audits to ensure that your system is still functioning as intended.

Surveillance audits are ‘lighter’ audits than the initial certification audit and will generally focus on higher risk/more critical business functions and on areas that nonconformances have been previously observed. If a minor nonconformance is raised during a surveillance audit, you will be required to address this before the next annual audit. If a major nonconformance is raised, this will need to be addressed and proof submitted or further audits carried out to ensure the system has been repaired.


What is a re-certification audit?

The re-certification audit forms the final part of the certification cycle. It is more in depth than the surveillance audits and successfully passing it will give a renewed certificate for a further three year cycle (with annual surveillance audits).

Case Study view all

Meet a Consultant view all

Lucy Trimmer
Management Systems Consultant
Lucy Trimmer

Frequently asked question view all

Contact an ISO Consultant