Guide to ISO 45001 Clause 6 Planning With Examples

What Is Clause 6 in ISO 45001?

Clause 6 is the planning engine of your ISO 45001 occupational health and safety management system. It is where you take everything you learned from Clause 4 (context) and Clause 5 (leadership) and turn it into concrete actions. Without a well-built Clause 6, your entire OH&S system is built on guesswork rather than evidence.

In plain terms, Clause 6 asks three fundamental questions: What could go wrong? What do we need to comply with? And what are we going to do about it? If you can answer those three questions clearly and back them up with documented evidence, you are well on your way to a successful certification audit.

This guide walks through every sub-clause of Clause 6 in detail, with real-world examples drawn from industries like construction, manufacturing, healthcare, and logistics. Whether you are implementing ISO 45001 for the first time or preparing for a surveillance audit, this breakdown will give you something practical to work with. If you are new to the standard altogether, our beginner's guide to ISO 45001 is a good place to start before diving into clause-level detail.

The Structure of Clause 6

Clause 6 is divided into three main sections:

• Clause 6.1 covers actions to address risks and opportunities
• Clause 6.2 covers OH&S objectives and planning to achieve them
• Clause 6.3 covers planning of changes (this was added in the standard and is sometimes overlooked)

Each section builds on the previous one. You identify hazards and risks, you set objectives to address the most significant ones, and you plan how to manage changes that could affect your system. Let us go through each in detail.

Clause 6.1: Actions to Address Risks and Opportunities

This is the most complex and most important part of Clause 6. It has four sub-clauses, and each one requires specific documented outputs.

Clause 6.1.1: General

The standard requires you to consider the issues and interested parties you identified in Clause 4 when planning your OH&S system. You need to determine the risks and opportunities that need to be addressed to give your system a reasonable chance of achieving its intended outcomes, preventing or reducing undesired effects, and driving continual improvement.

This is not just a box-ticking exercise. An auditor will look at whether your risk and opportunity assessment actually reflects the real hazards in your workplace. A generic risk register copied from a template will not pass scrutiny if it does not match what your workers actually face day to day.

Example: A logistics company in Brisbane identifies through their Clause 4 context review that they operate a high-volume warehouse with forklift traffic and manual handling tasks. Under Clause 6.1.1, they document that the key risks to their OH&S system include forklift-pedestrian collisions and musculoskeletal injuries from repetitive lifting. They also identify the opportunity to reduce incident rates by installing physical segregation barriers and implementing a manual handling training programme.

Clause 6.1.2: Hazard Identification and Assessment of Risks and Opportunities

This sub-clause has two distinct parts. First, you must establish, implement and maintain a process for the ongoing identification of hazards. Second, you must assess OH&S risks and other risks to the management system itself.

The hazard identification process must be proactive, not reactive. It cannot just be triggered by incidents after they happen. The standard specifically requires you to consider how work is organised, social factors, routine and non-routine activities, emergency situations, and even changes in knowledge about hazards.

On the risk assessment side, you need to assess both OH&S risks (the likelihood and consequence of harm to workers) and risks to the management system (things that could prevent the system from functioning properly, like high staff turnover in your safety team).

You must also look for opportunities. These include opportunities to improve OH&S performance and opportunities to improve the management system itself.

Example: A commercial construction firm in Melbourne uses a job safety analysis (JSA) process for every new task type on site. For a concrete pour scheduled at height, they document hazards including falls from formwork, struck-by risks from overhead concrete delivery, and heat stress given the summer schedule. Each hazard is rated for likelihood and consequence. Controls are assigned using the hierarchy of controls, which we will come back to shortly. The firm also notes an opportunity to trial a new lightweight formwork system that reduces manual handling risk.

The ISO 45001 standard itself is explicit that hazard identification must consider past incidents, near misses, and worker consultation. That last point matters a lot during audits. Auditors will often speak directly to workers to verify that they have been involved in hazard identification, not just told about it after the fact.

Clause 6.1.3: Determination of Legal and Other Requirements

Your organisation must establish, implement and maintain a process to determine and have access to the legal and other requirements that apply to your OH&S hazards and risks. This includes legislation, regulations, codes of practice, and any other requirements your organisation has agreed to follow (such as client requirements or industry standards).

This is where many businesses fall short. They create a compliance register when they first implement the system and then never update it. Legislation changes. New codes of practice are issued. If your legal register has not been reviewed in 18 months, an auditor will flag it as a potential nonconformity.

Example: A healthcare provider in Sydney maintains a legal register that includes the Work Health and Safety Act 2011 (NSW), the Code of Practice for Hazardous Manual Tasks, and specific regulations around the handling of cytotoxic drugs. The register is reviewed quarterly and assigned to a named person responsible for monitoring legislative updates. When a new code of practice was issued for managing psychosocial hazards in 2022, the organisation updated its register and its hazard identification process within 30 days.

It is also worth noting that Clause 6.1.3 requires you to determine how these requirements apply to your organisation and what you need to communicate. This feeds directly into Clause 7.4 (communication) and Clause 9.1.2 (compliance evaluation).

Clause 6.1.4: Planning Action

Once you have identified your hazards, assessed your risks, and determined your legal requirements, you need to plan what actions you will take to address them. Clause 6.1.4 requires you to plan actions to address the risks and opportunities identified in 6.1.2, and to address legal and other requirements from 6.1.3.

Critically, the standard requires you to plan how to integrate and implement these actions into your OH&S management system processes, and to evaluate the effectiveness of those actions. This is not just about writing down a list of controls. It is about making sure those controls are actually embedded into how work gets done.

The standard also references the hierarchy of controls here. When addressing OH&S risks, you must consider the hierarchy in this order:

1. Elimination of the hazard
2. Substitution with less hazardous materials, processes or equipment
3. Engineering controls
4. Administrative controls (including training and procedures)
5. Personal protective equipment (PPE)

A common mistake is jumping straight to PPE as the primary control. Auditors know this shortcut and will challenge it. If you can eliminate or substitute the hazard but have chosen PPE instead, you need a very good reason documented.

Example: A food manufacturing plant identifies noise-induced hearing loss as a significant risk from packaging machinery. Rather than issuing earplugs and calling it done, they document their hierarchy of controls evaluation: elimination is not feasible (the machinery is core to operations), substitution with quieter equipment is being evaluated for the next capital budget cycle, engineering controls include acoustic enclosures around the noisiest machines, administrative controls include limiting worker exposure time in the area, and PPE (hearing protection) is used as an additional layer. The plan includes a timeline and a responsible person for each action.

Clause 6.2: OH&S Objectives and Planning to Achieve Them

Clause 6.2.1: OH&S Objectives

Your organisation must establish OH&S objectives at relevant functions and levels. These objectives must be consistent with your OH&S policy, measurable (where practicable), monitored, communicated, and updated as appropriate.

The objectives also need to take into account applicable legal requirements and the results of your risk assessment. They must consider the views of workers and other interested parties, and they must be consistent with the commitment to continual improvement.

Where a lot of organisations go wrong is setting vague objectives like “improve safety culture” or “reduce incidents.” These are not measurable. An auditor will ask: how do you know if you have achieved it? Your objectives need a target, a baseline, and a way to measure progress.

Example: A mining services company sets the following OH&S objectives for the year:

• Reduce the lost time injury frequency rate (LTIFR) from 4.2 to below 3.0 per million hours worked by 31 December
• Complete 100% of scheduled safety inspections each month
• Achieve a minimum of 90% completion rate on mandatory safety training by the end of Q2
• Reduce the number of high-potential near miss events by 20% compared to the previous year

Each objective has a baseline, a target, a measurement method, and a review frequency. That is exactly what an auditor wants to see.

Clause 6.2.2: Planning to Achieve OH&S Objectives

Setting objectives is only half the job. You also need a plan for how you will achieve them. For each objective, the standard requires you to document what will be done, what resources are required, who is responsible, when it will be completed, and how the results will be evaluated.

This is essentially a project plan for each objective. It does not need to be elaborate, but it does need to exist and be actively used. Objectives that sit in a document and are never reviewed are a red flag in any audit.

Example: For the objective of achieving 90% completion of mandatory safety training, the mining services company documents: the training matrix showing which roles require which training modules, the current completion rate by team, the responsible person (the OH&S manager), the deadline (end of Q2), and the review mechanism (monthly report to the senior leadership team). Progress is tracked in their HR system and reported at the monthly safety committee meeting.

For more context on how objectives connect to performance monitoring, our guide to ISO 9001 Clause 9 performance evaluation covers the measurement side of the equation in detail, and many of the same principles apply across ISO management system standards.

Clause 6.3: Planning of Changes

This clause is often underestimated, but it is one of the areas where real-world OH&S failures happen. When your organisation plans changes that could affect the OH&S management system, those changes must be carried out in a planned manner.

The standard requires you to consider the purpose of the change and its potential consequences, the integrity of the management system, the availability of resources, and the allocation or reallocation of responsibilities and authorities.

Example: A manufacturing company decides to introduce a new production line that involves robotic welding equipment. Under Clause 6.3, they are required to assess how this change affects their existing hazard identification and risk assessment, whether new legal requirements apply (for example, around electrical safety or robotic guarding), whether current workers have the competence to work safely around the new equipment, and whether their emergency response procedures need updating. This assessment is documented before the change is implemented, not after.

Changes that are not planned properly are a common source of serious incidents. Clause 6.3 exists precisely to prevent organisations from making operational changes without thinking through the safety implications first.

Common Audit Findings in Clause 6

After years of auditing and consulting, these are the patterns that come up repeatedly:

• Generic risk registers: Templates copied from the internet with no connection to actual workplace hazards. Auditors see these immediately.
• Outdated legal registers: Compliance registers that have not been reviewed since initial certification.
• Unmeasurable objectives: Objectives like “improve safety” with no baseline, no target, and no measurement method.
• PPE as the primary control: Jumping to PPE without documenting why higher-order controls are not reasonably practicable.
• No evidence of worker consultation: Hazard identification processes that workers were not involved in, despite the standard's explicit requirement.
• Changes implemented without planning: New equipment, new processes, or organisational restructures that were not assessed under Clause 6.3 before being rolled out.

If you are preparing for a Stage 2 audit, reviewing your Clause 6 documentation against these common findings is a worthwhile exercise. Our article on things to do before an ISO Stage 2 certification audit covers the broader preparation process in detail.

Documented Information Required Under Clause 6

The standard requires you to retain documented information as evidence of your Clause 6 processes. At a minimum, auditors will expect to see:

• A hazard identification and risk assessment process (documented procedure or methodology)
• A risk register or equivalent record showing identified hazards, risk ratings, and controls
• A legal and other requirements register
• OH&S objectives with associated plans, responsibilities, and timelines
• Records showing how changes to the system were assessed and managed

The format is flexible. The standard does not prescribe how you document these things. A well-maintained spreadsheet is perfectly acceptable if it contains the right information and is actively used.

How Clause 6 Connects to the Rest of ISO 45001

Clause 6 does not operate in isolation. It feeds directly into Clause 8 (operational planning and control), where the controls you identified in your risk assessment are actually implemented. It also connects to Clause 9 (performance evaluation), where you measure whether your objectives are being achieved and whether your controls are effective. And it feeds into Clause 10 (improvement), where you use what you have learned to drive continual improvement.

Think of Clause 6 as the planning layer that makes everything else in the system purposeful. Without it, Clause 8 is just a list of procedures with no risk basis, and Clause 9 is measuring things that may not matter.

If you are also implementing or maintaining ISO 45003 for psychosocial risk management, it is worth noting that the hazard identification requirements in Clause 6.1.2 extend to psychosocial hazards as well. Our beginner's guide to ISO 45003 explains how psychosocial risks fit into the broader OH&S framework.

Practical Tips for Implementing Clause 6 Effectively

• Start with a genuine hazard identification exercise. Walk the workplace. Talk to workers. Review incident records and near miss reports. Do not start with a template.
• Use the hierarchy of controls as a decision-making tool, not just a compliance checkbox. Document why you chose the controls you did.
• Make your legal register a living document. Assign someone to monitor legislative changes and set a review frequency that matches the pace of change in your industry.
• Set SMART objectives. Specific, measurable, achievable, relevant, and time-bound. If you cannot measure it, it is not an objective, it is a wish.
• Integrate change management into your operational processes. Do not wait for someone to remember to do a Clause 6.3 assessment. Build it into your change request or project initiation process.
• Involve workers at every stage. The standard requires it, and it produces better outcomes. Workers closest to the hazards often identify risks that management misses entirely.

Getting Help With ISO 45001 Planning

Clause 6 is where the real work of ISO 45001 happens. Getting it right means your system will be grounded in actual risk rather than paper compliance. Getting it wrong means your system looks good on paper but fails to protect workers, and that will show up in your audit findings and, more importantly, in your incident rates.

If you are working through ISO 45001 implementation and want to make sure your Clause 6 planning is audit-ready, it is worth getting input from an experienced consultant who knows the standard and understands your industry. CertBetter connects businesses with verified ISO consultants and accredited certification bodies across Australia and globally. You submit one form, receive up to three competing quotes, and the service is completely free. It is a straightforward way to find the right support without spending hours searching and comparing providers on your own.