What ISO 45001:2018 Is and Why It Matters
ISO 45001:2018 is the international standard for occupational health and safety management systems. It replaced OHSAS 18001 in March 2018 and gave organisations around the world a single, consistent framework for managing workplace safety risks. In Australia, it sits alongside the Work Health and Safety Act and associated regulations, not as a legal substitute, but as a structured way to demonstrate that your organisation takes safety seriously and manages it systematically.
If you are a WHS Manager, HSE professional, or internal auditor working with an OH&S management system, understanding the clause structure of ISO 45001 is essential. Not just for audit preparation, but for building a system that actually reduces harm. This article walks through the standard clause by clause, explains what each section requires, and flags the areas where auditors most commonly find gaps.
For context on how ISO 45001 compares to the older Australian standard, see our article on ISO 45001 vs AS/NZS 4801.
The Structure of ISO 45001: High Level Structure
ISO 45001 follows the same High Level Structure used by ISO 9001 and ISO 14001. This means the clause numbering and core framework are consistent across all three standards, which makes integration easier if your organisation holds or is pursuing multiple certifications.
The standard contains ten clauses. Clauses 1 through 3 cover scope, normative references, and terms and definitions. The operational requirements begin at Clause 4. Clauses 4 through 10 follow the Plan, Do, Check, Act cycle, which underpins every modern ISO management system standard.
- Clause 4: Context of the Organisation
- Clause 5: Leadership and Worker Participation
- Clause 6: Planning
- Clause 7: Support
- Clause 8: Operation
- Clause 9: Performance Evaluation
- Clause 10: Improvement
What sets ISO 45001 apart from ISO 9001 and ISO 14001 is its strong emphasis on worker participation and consultation. This is not a token requirement. The standard treats workers as the primary interested party in the OH&S system, and auditors will probe whether that participation is genuine.
Clause 4: Context of the Organisation
Clause 4.1: Understanding the Organisation and Its Context
This clause asks the organisation to identify internal and external factors that affect its ability to achieve the intended outcomes of the OH&S management system. Internal factors include things like organisational culture, shift patterns, contractor arrangements, and the nature of the work itself. External factors include legislation, industry codes, client requirements, and community expectations.
Auditors look for evidence that this analysis has actually been done and that it informs the rest of the system. A list of generic factors copied from a template rarely satisfies this clause. The context analysis should reflect what this organisation actually does and where it operates.
Clause 4.2: Needs and Expectations of Workers and Other Interested Parties
ISO 45001 requires the organisation to identify interested parties beyond workers, including regulators, contractors, unions, clients, and community groups. For each, the organisation needs to understand their relevant needs and expectations, and determine which of those become legal or other requirements.
Workers are explicitly called out as the primary interested party. This distinction matters when you are auditing. If the organisation cannot demonstrate that it understands what workers need from the OH&S system, this clause is likely to produce a finding.
Clause 4.3: Determining the Scope of the OH&S Management System
The scope defines what the system covers in terms of physical locations, activities, and workers. It must be documented and available to interested parties. Auditors check that the scope is realistic and that nothing significant has been excluded without justification.
Clause 4.4: The OH&S Management System
This clause requires the organisation to establish, implement, maintain, and continually improve the OH&S management system. It is the foundational commitment to the system as a whole. In practice, auditors use this clause to assess whether the system is genuinely operational or just documented on paper.
Clause 5: Leadership and Worker Participation
Clause 5.1: Leadership and Commitment
Top management must demonstrate visible, active leadership in the OH&S system. This goes well beyond signing a policy. The standard requires top management to take accountability for the prevention of work-related injury and ill health, ensure that OH&S objectives are established and aligned with the strategic direction of the organisation, and actively promote a culture that supports the system.
In audits, this is where many organisations fall short. Senior leaders often delegate safety entirely to the WHS team and have little direct involvement in hazard identification, objective setting, or system review. Auditors will interview top management directly to test whether their commitment is real or ceremonial.
Clause 5.2: OH&S Policy
The OH&S policy must include commitments to provide safe and healthy working conditions, eliminate hazards and reduce OH&S risks, fulfil legal and other requirements, and support worker consultation and participation. It must be documented, communicated to workers, and available to interested parties.
A common finding is that the policy contains the right words but workers on the floor have never seen it and cannot explain what it means for their work.
Clause 5.3: Organisational Roles, Responsibilities and Authorities
Top management must assign and communicate responsibilities and authorities for relevant roles within the OH&S system. This includes ensuring that the system conforms to the requirements of the standard and that performance is reported to top management.
Clause 5.4: Consultation and Participation of Workers
This is one of the most distinctive clauses in ISO 45001. The standard requires the organisation to establish, implement, and maintain processes for both consultation and participation of workers at all applicable levels and functions. The standard distinguishes between the two: consultation is asking workers for their views before a decision is made, while participation involves workers being actively involved in decision making.
Auditors will look for evidence of genuine two-way engagement. Safety committees, toolbox talks, and hazard reporting systems are all relevant, but the key question is whether workers actually influence decisions about the OH&S system. Our article on auditing occupational health and safety under ISO 45001 covers how auditors assess this in practice.
Clause 6: Planning
Clause 6.1.1: Actions to Address Risks and Opportunities
The organisation must determine risks and opportunities relevant to the OH&S management system. This includes risks to the system itself, not just physical hazards. The organisation must plan actions to address these and integrate those actions into the management system processes.
Clause 6.1.2: Hazard Identification and Assessment of OH&S Risks
This is arguably the most operationally significant part of the standard. The organisation must establish, implement, and maintain processes for proactive and ongoing hazard identification. The standard lists factors that must be considered, including routine and non-routine activities, human factors, social factors, infrastructure, equipment, and incidents in comparable organisations.
Once hazards are identified, the organisation must assess the associated OH&S risks and determine appropriate controls. The risk assessment methodology must be defined, and the results must be documented and maintained.
Auditors frequently find that hazard identification is reactive rather than proactive. If the only hazards in the register are those that caused an incident in the past, the process is not meeting the intent of this clause.
Clause 6.1.3: Legal Requirements and Other Requirements
The organisation must identify and have access to current legal and other requirements applicable to its OH&S hazards and risks. This includes WHS legislation, codes of practice, industry standards, and contractual requirements. The legal register must be kept current, which means it needs to be reviewed whenever legislation changes.
Clause 6.1.4: Planning Action
The organisation must plan actions to address hazards, risks and opportunities, and legal requirements. These actions must be integrated into the management system and evaluated for effectiveness.
Clause 6.2: OH&S Objectives and Planning to Achieve Them
OH&S objectives must be established at relevant functions and levels, be consistent with the OH&S policy, be measurable where practicable, and take into account applicable requirements and the results of risk assessment. The organisation must document how it will achieve its objectives, including resources, responsibilities, timelines, and how results will be evaluated.
Vague objectives such as “improve safety culture” without measurable targets or action plans are a common finding in certification audits.
Clause 7: Support
Clause 7.1: Resources
The organisation must determine and provide the resources needed to establish, implement, maintain, and continually improve the OH&S management system. This includes human resources, infrastructure, and financial resources.
Clause 7.2: Competence
Workers must be competent to perform work that affects OH&S performance. Competence must be determined, workers trained or otherwise developed to meet those requirements, and evidence of competence retained. This applies to employees, contractors, and any other workers under the organisation's control.
Clause 7.3: Awareness
Workers must be aware of the OH&S policy and objectives, their contribution to the effectiveness of the OH&S management system, the implications of not conforming with requirements, and their right to remove themselves from work situations that present an imminent and serious danger. That last point is often overlooked. Workers must know they have the right to refuse unsafe work without fear of reprisal.
Clause 7.4: Communication
The organisation must establish processes for internal and external communication relevant to the OH&S management system. This includes determining what to communicate, when, with whom, and how. Communication processes must take into account diversity considerations, including language, literacy, and disability.
Clause 7.5: Documented Information
The standard specifies both mandatory documented information and documented information that the organisation determines is necessary for the effectiveness of the system. Auditors check that documents are controlled, current, and accessible to those who need them, and that records are retained for appropriate periods.
Clause 8: Operation
Clause 8.1: Operational Planning and Control
The organisation must plan, implement, control, maintain, and review processes needed to meet requirements and implement actions determined in Clause 6. This includes establishing criteria for processes and implementing controls in accordance with the hierarchy of controls.
The hierarchy of controls is fundamental to ISO 45001. Controls must be considered in order: elimination, substitution, engineering controls, administrative controls, and personal protective equipment. PPE is the last resort, not the first response. Auditors will check whether the organisation has genuinely worked through the hierarchy before defaulting to PPE.
Clause 8.1.2: Eliminating Hazards and Reducing OH&S Risks
This subclause specifically requires the organisation to apply the hierarchy of controls to eliminate hazards and reduce OH&S risks. The intent is that the organisation should always be seeking to move up the hierarchy, not simply maintain existing controls.
Clause 8.1.3: Management of Change
Changes that can affect OH&S performance must be managed in a controlled way. This includes changes to products, services, processes, equipment, the workforce, and legal requirements. Many organisations have change management processes for quality or production purposes but have not extended them to cover OH&S implications.
Clause 8.1.4: Procurement
The organisation must establish processes to control the procurement of products and services to ensure they conform to the OH&S management system. This includes contractor management (Clause 8.1.4.2) and outsourcing (Clause 8.1.4.3). Contractor management is a significant area of focus in Australian workplaces, particularly in construction, mining, and resources sectors.
Clause 8.2: Emergency Preparedness and Response
The organisation must plan for potential emergency situations and establish processes to respond to them. This includes testing emergency response procedures, providing first aid, and communicating with workers and relevant external parties. Drills must be conducted and their outcomes reviewed to drive improvement.
Clause 9: Performance Evaluation
Clause 9.1: Monitoring, Measurement, Analysis and Evaluation
The organisation must determine what needs to be monitored and measured, what methods will be used, when the monitoring and measurement will be performed, and when the results will be analysed and evaluated. This includes both proactive measures such as inspection completion rates and reactive measures such as incident frequency rates.
Clause 9.1.2: Evaluation of Compliance
The organisation must establish, implement, and maintain processes to evaluate compliance with legal and other requirements. This is not a one-off exercise. Compliance must be evaluated at planned intervals, and the results must be documented. Auditors check that the compliance evaluation is actually happening, not just that a legal register exists.
Clause 9.2: Internal Audit
The organisation must conduct internal audits at planned intervals to provide information on whether the OH&S management system conforms to requirements and is effectively implemented and maintained. The internal audit programme must be established, implemented, and maintained, taking into account the importance of the processes concerned and the results of previous audits.
Clause 9.3: Management Review
Top management must review the OH&S management system at planned intervals. The standard specifies what must be included as inputs to the review, including changes in external and internal issues, OH&S performance trends, the extent to which objectives have been achieved, and worker participation. Outputs must include decisions related to continual improvement opportunities.
Clause 10: Improvement
Clause 10.1: General
The organisation must determine opportunities for improvement and implement necessary actions to achieve the intended outcomes of the OH&S management system.
Clause 10.2: Incident, Nonconformity and Corrective Action
When an incident or nonconformity occurs, the organisation must react in a timely way, investigate to determine root causes, and implement corrective actions to prevent recurrence. The standard requires worker involvement in incident investigation. Corrective actions must be reviewed for effectiveness, and the results must be documented.
A frequent finding is that incident investigations identify immediate causes but stop short of root cause analysis. The corrective action then addresses the symptom rather than the underlying problem, and the incident recurs.
Clause 10.3: Continual Improvement
The organisation must continually improve the suitability, adequacy, and effectiveness of the OH&S management system. This is demonstrated through the achievement of OH&S objectives, the results of audits, corrective actions, and management review outputs. Continual improvement is not optional. It is a core requirement of the standard.
Key Differences Between ISO 45001 and Its Predecessor
For those familiar with OHSAS 18001, ISO 45001 introduced several significant changes. The most notable are the requirement for top management to demonstrate personal leadership and accountability rather than simply appointing a management representative, the explicit and detailed requirements for worker consultation and participation, the integration of the OH&S system into the organisation's business processes rather than treating it as a separate safety function, and the adoption of risk-based thinking as a driver for planning.
These changes reflect a shift in philosophy. ISO 45001 is designed to embed safety into how the organisation operates, not bolt it on as a compliance exercise.
Practical Implications for Auditors
If you are auditing an ISO 45001 system, the clauses that most commonly produce findings in Australian workplaces are worker consultation and participation under Clause 5.4, proactive hazard identification under Clause 6.1.2, application of the hierarchy of controls under Clause 8.1.2, contractor management under Clause 8.1.4.2, root cause analysis in incident investigations under Clause 10.2, and compliance evaluation under Clause 9.1.2.
The standard rewards organisations that treat safety as a business function, not a compliance obligation. When you audit, look for evidence that the system is actually driving decisions, not just generating paperwork. Talk to workers on the floor, not just the WHS Manager. Check whether hazard reports lead to action. Test whether workers know their rights under Clause 7.3. These conversations reveal more than any document review.
If you are building your auditing skills in this area, the Audit Workshop ISO 45001 auditor training programmes cover both internal and lead auditor levels, with practical exercises grounded in real audit scenarios. Whether you are new to OH&S auditing or looking to formalise your experience with a recognised qualification, the training is designed to give you the competence to audit this standard with confidence.








