Is ISO 45001 certification legally required in Australia?

No, ISO 45001 certification is not a legal requirement under Australian law. Businesses are required to comply with state and territory Work Health and Safety legislation, but ISO 45001 is a voluntary international standard. That said, many government tenders, large corporate contracts, and supply chain agreements effectively make it a commercial requirement by listing it as a prequalification condition.

What is the difference between ISO 45001 and OHSAS 18001?

OHSAS 18001 was the previous international benchmark for occupational health and safety management systems. ISO 45001 replaced it in 2018 and introduced a number of improvements, including a stronger focus on worker participation, a greater emphasis on context and leadership, and alignment with the High Level Structure used by other ISO management system standards like ISO 9001 and ISO 14001. Businesses that were certified to OHSAS 18001 were required to transition to ISO 45001 by March 2021.

How long does it take to get ISO 45001 certified?

For most small to medium businesses, the process from starting implementation to achieving certification takes between three and twelve months. The timeline depends on how developed your existing safety practices are, how quickly you can implement the required system elements, and how soon the certification body can schedule your audit. Businesses with more complex operations or multiple sites will generally take longer.

Can a small business realistically get ISO 45001 certified?

Yes, ISO 45001 is designed to be applicable to organisations of any size. The standard is scalable, meaning the complexity of your management system should match the size and nature of your operations. A small business does not need the same level of documentation and process complexity as a large corporation. That said, small businesses in low-risk industries should carefully weigh whether the investment is justified given their specific circumstances.

Does ISO 45001 certification cover psychosocial risks like stress and burnout?

ISO 45001 requires organisations to identify and manage all occupational health and safety hazards, which includes psychosocial hazards such as work-related stress, fatigue, and bullying. However, the related standard ISO 45003 provides specific guidance on managing psychosocial risks in the workplace and is designed to be used alongside ISO 45001 rather than replacing it.

Do I need a consultant to get ISO 45001 certified?

You are not required to use a consultant, but most businesses find that working with an experienced ISO 45001 consultant significantly reduces the time and risk involved in implementation. A good consultant will help you understand the requirements, build a system that fits your business rather than a generic template, and prepare you properly for the certification audit. The key is choosing someone with genuine experience in your industry and a track record of successful certifications.

Does My Business Need ISO 45001 Certification?

What Is ISO 45001 and Why Are Businesses Asking This Question?

ISO 45001 is the international standard for occupational health and safety management systems. It gives businesses a structured framework to identify workplace hazards, control risks, and protect workers from injury and illness. Published by the International Organisation for Standardisation, it replaced the older OHSAS 18001 standard and is now the globally recognised benchmark for workplace safety management.

On this page

The question of whether your business actually needs ISO 45001 certification comes up constantly, and it is a fair one to ask. Certification costs money, takes time, and requires ongoing commitment. So before you commit, it is worth understanding exactly what the standard involves, who genuinely benefits from it, and when it is optional versus when it is effectively a business requirement.

If you want a solid grounding in what the standard covers before reading further, our beginner's guide to ISO 45001 is a good place to start.

Who Actually Needs ISO 45001 Certification?

Let me be direct about this. ISO 45001 is not a legal requirement in Australia or most other countries. No law forces you to certify against it. But that does not mean you can ignore it, because in practice, the pressure to get certified often comes from somewhere other than legislation.

Businesses That Face Strong External Pressure to Certify

There are certain industries and business situations where ISO 45001 certification is effectively mandatory, even if it is not written into law. Here are the most common ones.

Government and large corporate tenders: Many government contracts and large private sector tenders now require ISO 45001 certification as a prequalification condition. If you want to bid for infrastructure projects, defence contracts, or major construction work, you will often find it listed alongside ISO 9001 as a non-negotiable requirement. Our article on which ISO certifications are required for government tenders covers this in more detail.
High-risk industries: Construction, mining, manufacturing, oil and gas, utilities, and transport are sectors where workplace injuries are statistically more common and where clients and regulators look closely at safety management. If your business operates in any of these areas, certification signals that your safety practices have been independently verified.
Supply chain requirements: Large organisations increasingly require their suppliers and subcontractors to hold ISO 45001 certification. If your biggest client asks for it, the business case becomes straightforward.
Businesses with international clients: ISO 45001 is recognised globally. If you are working with clients in the UK, Europe, the Middle East, or Asia, certification can be a prerequisite for doing business in those markets.

Businesses That Benefit Strongly Without Being Forced

Beyond the external pressure cases, there is a large group of businesses that are not being told they must certify but would genuinely benefit from doing so. These are typically businesses that have experienced a serious workplace incident, are growing rapidly and struggling to maintain safety standards across multiple sites, or are preparing to enter markets where certification will eventually become expected.

If you have had a serious near miss, a workers compensation claim that cost you significantly, or a SafeWork investigation, that is often the moment business owners start taking a structured safety management system seriously. ISO 45001 gives you the framework to prevent those situations from recurring.

Get 3 ISO Quotes. 24 Hours Response

Tell us what you need and compare vetted ISO consultants or certification bodies within 24 hours. Free, no obligation.

Trusted by 400+ businesses like yours

When ISO 45001 Certification Is Probably Not Necessary

Not every business needs a certified occupational health and safety management system. Here is an honest assessment of situations where certification may not be the right investment right now.

Very Small Businesses With Low-Risk Work

If you run a small professional services firm, a two-person accounting practice, or a solo consulting business where the primary workplace hazard is sitting at a desk, ISO 45001 certification is almost certainly not worth the cost and administrative burden at this stage. The standard was designed to be scalable, but the certification process still requires documented systems, internal audits, and management reviews that can feel disproportionate for a micro-business with minimal physical risk.

Businesses With No Client or Tender Requirement

If none of your current or target clients require it, and you operate in a low-risk industry, it may make more sense to focus on compliance with your state-based work health and safety legislation first. In Australia, each state and territory has its own WHS Act, and meeting those obligations is the baseline requirement. ISO 45001 builds on top of that, but it is not a substitute for legal compliance.

Businesses Early in Their Safety Journey

If your business does not yet have basic safety procedures documented, hazard registers in place, or a consistent incident reporting process, jumping straight to ISO 45001 certification may set you up for failure. The standard requires a functioning management system, not just documentation. Getting the foundations right first often makes the certification process smoother and more meaningful.

The Real Benefits of ISO 45001 Certification

If you are weighing up whether to proceed, it helps to understand what you actually get from certification beyond a certificate on the wall. Our detailed breakdown of the top 10 benefits of ISO 45001 covers this thoroughly, but here are the most commercially significant ones.

Reduced Workplace Incidents and Workers Compensation Costs

This is the most tangible financial benefit. Businesses that implement ISO 45001 properly tend to see a measurable reduction in workplace incidents over time. Fewer incidents means fewer workers compensation claims, lower insurance premiums, less productivity lost to injuries, and reduced exposure to regulatory action. For a business in a high-risk industry, the savings from even one serious incident avoided can exceed the entire cost of certification.

Winning Work You Could Not Win Before

For many businesses, the immediate trigger for certification is a tender they cannot bid on without it. Once certified, that barrier disappears. And because certification is ongoing, you do not have to scramble each time a new tender requires it. You can bid with confidence knowing your safety credentials are current and independently verified.

Improved Safety Culture

One of the less obvious benefits is what happens internally. When management visibly commits to a structured safety system, it sends a message to workers that safety is taken seriously. That changes behaviour on the floor, on the site, and in the warehouse. It also helps with recruitment and retention, particularly in industries where workers have a choice about who they work for.

Legal and Regulatory Risk Reduction

ISO 45001 requires you to identify applicable legal requirements and demonstrate compliance with them. Going through that process systematically means you are far less likely to have gaps in your legal compliance that you were not even aware of. In the event of an incident, having a certified management system in place can also demonstrate to regulators that you took your duty of care seriously.

The ISO 45001 overview on ISO.org outlines the standard's purpose and scope if you want to review the official position directly.

ISO 45001 vs Simply Complying With WHS Legislation

A question I hear regularly is: “We already comply with the Work Health and Safety Act. Do we actually need ISO 45001 on top of that?”

The short answer is that legal compliance and ISO 45001 certification are not the same thing, and one does not replace the other. WHS legislation sets minimum legal requirements. ISO 45001 provides a management system framework that helps you meet and maintain those requirements more consistently, and then go beyond them.

Think of WHS compliance as the floor. ISO 45001 is the structure you build on top of it. Many businesses that believe they are compliant with WHS law have significant gaps in their actual practices that only become visible when they go through a formal gap analysis as part of an ISO 45001 implementation. The standard forces you to look at things like worker consultation, contractor management, and emergency preparedness in a more rigorous and documented way than most businesses manage on their own.

What Does ISO 45001 Certification Actually Involve?

Before deciding whether to pursue certification, it is worth understanding what you are committing to. The process is not quick, and it is not just about getting a certificate. Here is a realistic overview.

Building the Management System

You need to establish a documented occupational health and safety management system that meets the requirements of ISO 45001. This includes defining the scope of your system, conducting a hazard identification and risk assessment process, establishing objectives and targets, creating documented procedures for key activities, and setting up processes for incident reporting, investigation, and corrective action.

Internal Audits and Management Review

Before you go for certification, you need to run at least one internal audit of your system and hold a management review. These are not box-ticking exercises. A good internal audit will find real gaps before an external auditor does. If you want to understand how to run internal audits that actually add value, our guide on how to run ISO internal audits that actually find problems is worth reading.

The Certification Audit

The certification audit is conducted by an accredited certification body and happens in two stages. The Stage 1 audit reviews your documentation and readiness. The Stage 2 audit assesses whether your system is actually implemented and working in practice. After certification, you will have annual surveillance audits and a full recertification audit every three years.

Ongoing Maintenance

Certification is not a one-time achievement. You need to maintain the system continuously, respond to any non-conformities raised during surveillance audits, and keep your documentation and practices current as your business changes. This is where many businesses underestimate the ongoing commitment involved.

How Much Does ISO 45001 Certification Cost?

Costs vary significantly depending on the size of your business, the complexity of your operations, and whether you use a consultant to help you implement the system. For Australian businesses, our detailed breakdown of ISO 45001 certification costs in Australia covers real pricing from providers across the market.

As a rough guide, a small business might spend between $8,000 and $20,000 on the full process including consulting and certification fees in the first year. Larger or more complex organisations will spend more. The ongoing annual costs for surveillance audits and system maintenance are lower but still need to be budgeted for.

One important point: do not make the decision purely based on upfront cost. The relevant question is what the cost of not having ISO 45001 might be. If you lose a major contract because you are not certified, or if you have a serious workplace incident that results in a regulatory investigation, the cost of those outcomes will almost certainly exceed what you would have spent on certification.

How to Decide: A Practical Framework

If you are still unsure whether ISO 45001 certification is right for your business, work through these questions honestly.

Do any of your current or target clients require it? If yes, the decision is largely made for you.
Do you operate in a high-risk industry? Construction, manufacturing, mining, utilities, transport, and similar sectors have a strong case for certification regardless of client requirements.
Have you had workplace incidents, near misses, or regulatory attention in the last few years? If yes, a structured management system is overdue.
Are you planning to grow, take on more staff, or move into new markets? Getting certified before you scale is much easier than retrofitting it later.
Do you already have basic safety practices in place? If not, start there before pursuing certification.

If you answered yes to any of the first four questions, ISO 45001 certification deserves serious consideration. If you answered no to all of them and operate in a genuinely low-risk environment with no external pressure, it may not be the right investment right now.

Getting the Right Help

One of the most common mistakes businesses make is either trying to implement ISO 45001 entirely on their own without understanding the standard properly, or paying too much for a consultant who does not understand their industry. Both outcomes waste time and money.

If you decide to proceed, getting quotes from multiple providers is the sensible approach. The market for ISO consultants and certification bodies is competitive, and pricing varies considerably for what can be a very similar service. It is also worth checking that any consultant you engage has genuine experience in your industry, not just with the standard in general. Our guide on how to select the best ISO consultant walks through what to look for.

CertBetter makes this process straightforward. You submit one form describing your business and what you need, and you receive up to three competing quotes from vetted consultants and certification bodies. The service is free for businesses, and it saves you the time of chasing multiple providers individually. It is a practical starting point if you want to understand what certification would actually cost for your specific situation before committing to anything.