ISO 45001 Incident Investigation Requirements: What the Standard Actually Demands

Team @ Audit Workshop

ISO 45001 incident investigation requirements sit inside Clause 10.2, and they are one of the most scrutinised areas in any OH&S certification audit. Auditors love this clause because it tells you almost everything you need to know about whether a safety management system is working in practice or just sitting in a folder. If your investigations are shallow, your corrective actions are weak, and your workers are not involved, no amount of tidy documentation will hide it.

This article walks through exactly what ISO 45001 demands when an incident occurs, what auditors look for when they review your investigation records, and where organisations consistently fall short. Whether you are a WHS Manager preparing for a certification audit, an internal auditor building your checklist, or someone who has just been handed responsibility for the incident management process, this is the practical breakdown you need.

What Is an Incident Under ISO 45001?

Before getting into the investigation requirements, it is worth being precise about what ISO 45001 means by the word incident. The standard defines an incident as an occurrence arising from, or in connection with, work that could or does result in injury and ill health.

That definition is deliberately broad. It covers three distinct categories:

  • Injuries and ill health that actually occur, including fatalities, lost time injuries, medical treatment cases, and occupational diseases
  • Near misses, which are incidents where no injury or ill health occurred but could have
  • Dangerous occurrences, which are unplanned events that had the potential for harm even if no one was hurt

This matters enormously for auditors. When you ask to see incident investigation records and you only get records of injuries, that is already a red flag. An organisation with a healthy safety culture investigates near misses with the same rigour as actual injuries, because near misses are the warning signs the system is giving you before something serious happens.

The Core Requirements of Clause 10.2

Clause 10.2 of ISO 45001 requires organisations to establish, implement, and maintain a process for reporting, investigating, and taking action on incidents and nonconformities. The two are handled together in this clause, which makes sense because both require you to react, investigate, correct, and learn.

Timely Reporting and Response

The first thing the clause requires is that incidents are reported in a timely manner. The standard does not prescribe a specific timeframe, but your own procedure should define one. Auditors will check whether your procedure sets a reporting deadline and whether your actual records show that deadline being met.

In practice, the expectation is that workers can report incidents without fear of blame or reprisal. This connects directly to Clause 5.4, which covers worker consultation and participation. If workers are not reporting near misses, it is often because the reporting culture is punitive rather than supportive. Auditors will ask workers directly about this during interviews, and the answers are often more revealing than any document.

Investigation to Determine Root Causes

This is the heart of the clause. ISO 45001 requires that incidents are investigated to determine whether nonconformities exist and, critically, to identify root causes. The standard does not mandate a specific root cause analysis method, but it does require that you actually get to the root cause rather than stopping at the immediate cause.

Here is where most organisations struggle. Consider a common scenario: a worker slips on a wet floor and sprains their wrist. The immediate cause is a wet floor. A shallow investigation concludes that the floor was wet because a spill was not cleaned up promptly, and the corrective action is to remind workers to clean spills immediately. That is a correction, not a corrective action. The root cause question is: why was the spill not cleaned up? Was there no procedure? Was the procedure not communicated? Was there inadequate supervision? Was the worker under time pressure that discouraged stopping to clean up? Were cleaning materials not readily accessible?

Auditors will read your investigation reports looking for evidence that someone asked the deeper questions. A report that stops at the immediate cause and issues a toolbox talk as the corrective action will attract a nonconformity finding almost every time.

Review of Existing Risk Assessments

Clause 10.2 also requires that when an incident occurs, you review whether your existing risk assessments and controls were adequate. This is a critical linkage that many organisations miss. An incident is evidence that something in your hazard identification and risk control process did not work. The investigation should therefore feed back into your hazard register and risk assessment process.

In an audit, you should be able to show an auditor a completed investigation report and then trace from that report back to the relevant hazard in your register, demonstrating that the hazard entry was reviewed and updated if necessary. If that linkage does not exist, your investigation process is not fully conforming to the standard.

Determining Whether Corrective Action Is Needed

After identifying root causes and reviewing existing controls, the organisation must determine whether corrective action is needed and implement it. The corrective action must be appropriate to the severity and nature of the incident.

This proportionality requirement is important. A minor near miss with a very low potential severity might warrant a simple correction. A near miss that could have resulted in a fatality demands a thorough investigation and robust corrective action, even though no one was actually hurt. Auditors will check whether your response is proportionate to the potential consequences, not just the actual outcome.

Worker Participation in Incident Investigation

One of the distinguishing features of ISO 45001 compared to earlier OH&S standards is the strong emphasis on worker participation. Clause 5.4 requires that workers are consulted and participate in the investigation of incidents. This is not a soft requirement. It is a shall statement, and auditors take it seriously.

Worker participation in investigations serves several purposes. Workers often have the most accurate knowledge of what actually happened and why. They understand the real work environment, the informal pressures, and the practical constraints that formal procedures may not capture. Involving them also builds trust and encourages future reporting.

In an audit, you might be asked to show evidence that workers were involved in a specific investigation. That evidence could be meeting records, signed investigation forms, photographs taken by workers, or witness statements. Simply having the supervisor conduct the investigation and sign it off does not satisfy this requirement.

I have seen organisations where the HSE Manager conducts every investigation alone, writes the report, and sends it to management. Workers are told what happened and what the corrective action is. That approach will generate a nonconformity against Clause 5.4 every time.

Documented Information Requirements

ISO 45001 requires that you retain documented information as evidence of the results of investigations of incidents and nonconformities, and of the corrective actions taken. This means your investigation records need to be retained and controlled.

What does a complete investigation record look like? At a minimum, auditors expect to see:

  • A description of the incident, including date, time, location, and people involved
  • The immediate cause of the incident
  • The root cause analysis, showing the method used and the conclusions reached
  • A review of the relevant risk assessment and controls
  • The corrective actions identified, with assigned responsibility and target completion dates
  • Evidence that corrective actions were implemented and verified as effective
  • Worker participation records

The effectiveness verification piece is one that organisations frequently overlook. Implementing a corrective action is not the end of the process. You need to verify that the action actually worked. If you installed a new drainage system to prevent pooling water, did you check three months later that the pooling has not recurred? If you provided additional training, did you verify that workers retained and applied the knowledge?

For more on how to write investigation findings in a way that drives genuine improvement, the article on incident investigation root cause and worker involvement is worth reading alongside this one.

Communication of Investigation Outcomes

The standard requires that the results of incident investigations are communicated to relevant workers and their representatives. This is another area where organisations often have a gap between what the procedure says and what actually happens.

Communicating outcomes does not mean emailing a PDF to everyone and ticking a box. It means ensuring that the workers who need to know about the findings and the changes actually receive that information in a way they can understand and act on. For workers who are not desk-based, that might mean a toolbox talk, a safety alert posted in the work area, or a team briefing.

Auditors will ask workers whether they are aware of recent incident investigations and what changed as a result. If workers cannot tell you anything about recent incidents or corrective actions, that is evidence the communication is not working, regardless of what the records show.

The Link Between Incident Investigation and Management Review

Clause 9.3 of ISO 45001 requires that management review includes information about incidents, nonconformities, corrective actions, and continual improvement. This means your incident data needs to flow upward to top management on a regular basis.

In an audit, you should be able to show that incident trends, investigation outcomes, and corrective action status are reported at management review. If management review minutes contain no reference to incidents, that is a gap. If they reference incidents only as a count of injuries without any analysis of trends or root causes, that is a shallow approach that auditors will note.

The intent is that top management is using incident data to drive strategic decisions about safety, not just counting injuries as a performance metric. Are certain work areas generating repeated incidents? Are the same root causes appearing across multiple investigations? Is the corrective action process actually closing out on time? These are the questions management should be asking, and the evidence that they are asking them should appear in management review records.

Common Nonconformities Auditors Raise Against Clause 10.2

Based on real audit experience across a range of industries, these are the nonconformities that appear most frequently when auditors assess incident investigation processes:

  • Near misses are not investigated at all, or only recorded without any root cause analysis
  • Root cause analysis stops at the immediate cause, with corrective actions that are really just corrections
  • Workers are not involved in investigations, with investigations conducted entirely by management or the HSE team
  • Corrective actions are not verified for effectiveness, with the file closed once the action is marked complete
  • Risk assessments are not reviewed following an incident that reveals a gap in existing controls
  • Investigation records are incomplete, missing root cause analysis, responsibility assignments, or completion evidence
  • Communication of outcomes is not documented, so there is no evidence workers were informed
  • Incident data does not appear in management review, or appears only as a raw count without analysis

If you are an internal auditor preparing to audit your organisation's incident management process, this list is essentially your checklist. Pull a sample of investigation records from the past twelve months, including near misses, and work through each of these points. You will quickly identify where the gaps are.

For a broader look at how auditors approach the OH&S management system, the article on auditing occupational health and safety under ISO 45001 provides useful context on the overall audit approach.

How This Clause Connects to the Rest of ISO 45001

Clause 10.2 does not operate in isolation. It connects to several other parts of the standard, and auditors will follow those connections during an audit.

The most important linkages are:

  • Clause 6.1.2.1 (Hazard Identification): Incidents should trigger a review of whether hazards were properly identified in the first place
  • Clause 6.1.2.2 (OH&S Risk Assessment): The risk assessment for the relevant activity should be reviewed and updated if necessary
  • Clause 5.4 (Worker Consultation and Participation): Workers must be involved in investigations
  • Clause 8.1 (Operational Planning and Control): If an incident reveals a gap in operational controls, those controls need to be updated
  • Clause 9.3 (Management Review): Incident data and investigation outcomes must be reported to top management

A sophisticated auditor will not just look at your investigation records in isolation. They will trace a specific incident through all of these connections, checking that the investigation triggered appropriate updates in the risk register, that workers were involved, that the corrective action was proportionate, and that the outcome was reported to management. If any link in that chain is broken, it will show up as a finding.

Practical Advice for Building a Conforming Investigation Process

If you are reviewing your incident investigation process against ISO 45001 requirements, here are the practical steps that make the biggest difference:

  1. Define what must be investigated. Your procedure should clearly state that near misses and dangerous occurrences are investigated, not just injuries. Set investigation tiers based on severity and potential severity.
  2. Choose a root cause analysis method and train people in it. The 5 Whys method is simple and effective for most workplace incidents. Fishbone diagrams work well for more complex events. Whatever you choose, make sure investigators actually know how to use it.
  3. Build worker involvement into the process. Your investigation form should have a field for worker representatives involved. Make it a required field, not optional.
  4. Link investigations to the hazard register. Every investigation should include a step that asks: was this hazard in our register, and were the controls adequate? Document the answer.
  5. Set and track corrective action deadlines. Use a register or system that shows open corrective actions, assigned owners, and due dates. Review this at management meetings.
  6. Verify effectiveness before closing. Define how effectiveness will be verified and when. Record the verification outcome in the investigation file.
  7. Communicate outcomes in a way that reaches workers. Document how and when workers were informed. Keep records of toolbox talks or safety alerts issued.

What Auditors Ask Workers During an Incident Investigation Audit

When an auditor is assessing your incident investigation process, they will not just review documents. They will speak with workers, and the questions they ask are direct. Typical questions include:

  • Have you ever reported a near miss or unsafe condition? What happened after you reported it?
  • Are you aware of any recent incident investigations in this area? Do you know what changed as a result?
  • Have you ever been involved in an incident investigation? What was your role?
  • Do you feel comfortable reporting incidents without fear of blame?

The answers to these questions tell an auditor more than any document review. If workers say they reported near misses and nothing happened, or that they did not know they were allowed to report near misses, or that they were blamed after a previous report, those are serious findings that go beyond Clause 10.2 and into the organisation's safety culture and leadership commitment.

This is why the incident investigation process cannot be treated as an administrative exercise. It is a direct reflection of whether the OH&S management system is genuinely embedded in how the organisation operates.

Preparing for an ISO 45001 Audit on Clause 10.2

If you are preparing for a certification audit or surveillance audit and want to be confident your incident investigation process will hold up, the most useful thing you can do is conduct a thorough internal audit of Clause 10.2 before the external auditor arrives.

Pull a representative sample of investigation records from the past twelve months. Include at least one near miss, one injury, and one dangerous occurrence if your records contain them. For each record, check every element listed earlier in this article. Trace each investigation through to the corrective action, the effectiveness verification, the risk register update, and the management review record. Document what you find.

If you find gaps, address them before the external audit. If you find that near misses are simply not being reported, that is a cultural issue that requires more than a procedure update. It requires conversations with workers and supervisors about why reporting is not happening and what needs to change.

Understanding how to audit this clause effectively is also a core skill for anyone working toward ISO 45001 auditor credentials. If you are looking to develop your auditing skills in this area, the ISO 45001 auditor training levels explained article outlines how training at the internal auditor and lead auditor level builds the competence to assess these requirements in practice.

At Audit Workshop, the ISO 45001 Internal Auditor and Lead Auditor courses cover Clause 10.2 in depth, including practical exercises on reviewing investigation records, identifying shallow root cause analysis, and writing nonconformity findings against this clause. The training is built on real audit experience, not textbook theory, so you leave with the skills to actually apply what you have learned.

Frequently Asked Questions

Yes. ISO 45001 defines incidents broadly to include occurrences that could result in injury or ill health, which covers near misses and dangerous occurrences as well as actual injuries. Clause 10.2 requires a process for reporting and investigating all incidents. Organisations that only investigate actual injuries are not fully conforming to the standard, and auditors will raise this as a nonconformity if near miss records show no investigation activity.