The Short Answer Most Businesses Get Wrong
When businesses ask how often ISO 45001 surveillance audits are conducted, the most common answer they receive is “once a year.” That is technically correct in most cases, but it misses a lot of important detail that can catch you off guard if you are not prepared.
ISO 45001 certification runs on a three-year cycle. Within that cycle, your certification body will conduct at least two surveillance audits, typically one in year one and one in year two after your initial certification. At the end of year three, you go through a recertification audit to renew your certificate for another three years. That is the standard structure, but there are variables that affect exactly when those audits happen, how long they take, and what gets covered.
This article walks you through the full audit cycle for ISO 45001, what surveillance audits actually involve, what can change the frequency, and how to stay genuinely prepared rather than just scrambling before each visit.
Understanding the ISO 45001 Certification Cycle
Before getting into surveillance audits specifically, it helps to understand the full three-year certification cycle so you know where surveillance fits.
Stage 1 Audit (Documentation Review)
This is the first formal step toward certification. Your auditor reviews your documented management system to confirm it meets the requirements of ISO 45001. They are checking whether your system is ready for a full assessment, not whether everything is perfect. Think of it as a readiness check.
Stage 2 Audit (Initial Certification Audit)
This is the main certification audit. The auditor visits your site or conducts a remote assessment and evaluates whether your occupational health and safety management system (OHSMS) is actually implemented and effective. If you pass, you receive your ISO 45001 certificate, which is valid for three years.
Surveillance Audits (Year 1 and Year 2)
These are the ongoing checks that happen after you are certified. They confirm you are maintaining your system and continuing to meet the standard. Most certification bodies conduct these annually, roughly 12 months after your initial certification and again at the 24-month mark.
Recertification Audit (Year 3)
At the end of your three-year cycle, you go through a recertification audit. This is more comprehensive than a surveillance audit and covers your entire system again. If successful, your certificate is renewed for another three years and the cycle starts again.
For a broader look at how this cycle compares across different ISO standards, the article on how often ISO certification audits are conducted covers the general framework well.
What Happens During an ISO 45001 Surveillance Audit?
Surveillance audits are not a full repeat of your Stage 2 assessment. They are targeted. The auditor focuses on specific areas of your system to confirm ongoing compliance rather than re-auditing everything from scratch.
What Is Typically Covered
While the exact scope varies between certification bodies and is influenced by your previous audit findings, most ISO 45001 surveillance audits will cover some combination of the following:
- Internal audit results and whether nonconformities have been closed out properly
- Management review records, including evidence that leadership is actively engaged
- Corrective actions raised since your last audit and the evidence supporting them
- Legal and regulatory compliance, including any changes to WHS legislation that affect your operations
- Incident investigation records, including near misses and how they were handled
- Hazard identification and risk assessment updates
- Worker consultation and participation processes
- Objectives and targets, and whether you are making measurable progress
- Changes to your organisation that could affect the management system, such as new sites, new activities, or significant personnel changes
The auditor will also follow up on any nonconformities or observations raised at your previous audit to confirm they have been addressed with effective corrective actions.
How Long Does a Surveillance Audit Take?
Surveillance audits are shorter than your initial Stage 2 audit. The actual duration depends on the size of your organisation, the number of employees, the complexity of your operations, and whether you have multiple sites. For a small business with fewer than 20 employees, a surveillance audit might be completed in half a day to a full day. For a larger organisation with complex operations or multiple locations, it could take two to three days.
Your certification body will calculate the audit duration based on guidance from ISO 17021-1, which sets the requirements for certification bodies conducting management system audits. This is worth knowing because if your certification body is significantly underquoting on audit days, that is a red flag worth investigating.
Can Surveillance Audits Happen More Frequently Than Once a Year?
Yes. The standard expectation is annual surveillance audits, but certification bodies have the authority to increase the frequency under certain circumstances. This is not common, but it does happen.
Situations That Can Trigger More Frequent Audits
If your organisation has had a serious safety incident or fatality, your certification body may require an unplanned or additional audit. This is particularly relevant in high-risk industries such as construction, mining, manufacturing, and logistics.
Major nonconformities that are not closed out in a timely manner can also trigger additional oversight. If you received a major nonconformity at your last audit and the corrective action evidence was weak, do not be surprised if your certification body schedules an additional visit to verify the fix.
Significant changes to your organisation can also prompt a special audit. If you acquire a new site, take on a new high-risk activity, or undergo a significant restructure, your certification body needs to assess whether your management system still covers those changes adequately.
Complaints from regulators or workers, or evidence of systemic failures in your safety system, can also lead to additional scrutiny. The certification body has an obligation to maintain the integrity of the certification they have issued.
What Happens If You Miss a Surveillance Audit?
Missing a scheduled surveillance audit is a serious matter. Your certification body will attempt to reschedule, but if the audit cannot be conducted within an acceptable timeframe, your certificate may be suspended. If the situation is not resolved, the certificate can be withdrawn entirely.
A suspended certificate means you cannot legitimately claim ISO 45001 certification during that period. If you are using your certificate to meet tender requirements or contractual obligations, this creates an immediate problem. Clients and procurement teams do check certification status, and a suspended certificate will show up when they verify your credentials.
If you are in a situation where you cannot meet a scheduled audit date, contact your certification body as early as possible. Most are willing to work with you on rescheduling if you communicate proactively rather than going silent.
How to Stay Genuinely Prepared Between Surveillance Audits
The businesses that struggle most with surveillance audits are the ones that treat ISO 45001 as a once-a-year event rather than an ongoing system. If you only look at your management system when the auditor is coming, you are going to find gaps every single time.
Run Your Internal Audits on Schedule
ISO 45001 requires you to conduct internal audits at planned intervals. These are not optional and they are not just a box-ticking exercise. A well-run internal audit program gives you visibility into how your system is actually performing and lets you catch problems before the external auditor does. If you are not sure how to make internal audits genuinely useful rather than just compliant, the article on how to run ISO internal audits that actually find problems is worth reading.
Keep Your Corrective Action Register Current
Every nonconformity, near miss, and incident should flow through a corrective action process. The register needs to show not just that you identified a problem, but that you investigated the root cause, implemented a fix, and verified the fix was effective. Auditors look for evidence of this loop closing properly. An open corrective action with no update for six months is a red flag.
Document Management Review Meetings
Your management review is one of the areas auditors consistently check. Leadership needs to be genuinely involved, not just signing off on a document someone else prepared. Keep minutes that show real discussion of performance data, incidents, objectives, and system improvements. Generic minutes that could apply to any organisation will attract scrutiny.
Stay Across Legislative Changes
ISO 45001 requires you to identify and comply with applicable legal requirements. In Australia, WHS legislation is state-based and does change. If your business operates across multiple states, you need to be tracking requirements in each jurisdiction. A legal compliance register that was last updated two years ago is not going to impress an auditor, and more importantly, it represents a genuine risk to your business and your workers.
Track Your OHS Objectives
You should have measurable objectives linked to your safety performance. At each surveillance audit, the auditor will want to see whether you are making progress. If you set a target to reduce lost-time injuries by 20 percent and you have not tracked the data or reviewed progress in your management review, that is a gap. Objectives need to be monitored, not just documented.
Surveillance Audits in High-Risk Industries
If your business operates in construction, mining, manufacturing, utilities, or any other high-hazard sector, surveillance audits carry additional weight. Auditors in these industries tend to spend more time on the operational controls, competency records, and incident investigation processes because the consequences of failure are more severe.
For construction businesses specifically, the combination of changing worksites, subcontractors, and varying risk profiles makes the management system harder to maintain consistently. The article on ISO 45001 certification for construction companies covers some of the specific challenges worth being aware of.
If you are in a high-risk industry, do not wait for the auditor to identify gaps in your operational controls. Walk your worksites regularly, review your safe work method statements, check that competency records are current for high-risk work, and make sure your subcontractor management process is actually working rather than just documented.
Multi-Site Businesses and Surveillance Audit Scope
If your ISO 45001 certificate covers multiple sites, the surveillance audit program becomes more complex. Not every site will be visited at every surveillance audit. Certification bodies use sampling approaches to determine which sites are audited and when, but higher-risk sites will generally receive more frequent attention.
It is important to understand which sites are covered under your certificate and how your certification body plans to sample them across the three-year cycle. If you have a site that has not been audited in two years and something goes wrong there, the question of whether your management system was actually being maintained at that location becomes very uncomfortable very quickly.
Ask your certification body for their multi-site audit plan so you know what to expect and can ensure all sites are maintaining the system, not just the ones that get visited most often.
The Difference Between Surveillance and Recertification
It is worth being clear on this because some businesses treat their year three recertification as just another surveillance audit and get caught short.
A recertification audit is more thorough. It covers your entire management system again, similar in scope to your original Stage 2 audit. The auditor is not just sampling a few areas. They are reassessing whether your system as a whole continues to meet the requirements of ISO 45001 and whether it has been effectively maintained across the full three-year period.
You should start preparing for your recertification audit at least three to four months in advance. Review your full internal audit program results from the past three years, confirm all corrective actions are closed, update your legal compliance register, and make sure your management review documentation covers the required inputs and outputs.
Do not assume that because you passed your last two surveillance audits, the recertification will be straightforward. Auditors look at the full picture across the cycle, and gaps that were tolerated at surveillance level may be treated more seriously at recertification.
Getting the Right Support for Your Audit Cycle
Managing an ISO 45001 audit cycle effectively requires ongoing effort, not just a sprint before each audit. If your business does not have dedicated internal resources to maintain the system, working with an experienced ISO consultant on an ongoing basis can make a significant difference.
The challenge is finding a consultant who genuinely understands occupational health and safety management systems and has practical experience in your industry, rather than someone who helped you get certified and then disappeared. The article on why finding a trustworthy ISO consultant is still so hard is an honest look at the problems businesses face in this area.
If you are approaching a surveillance audit or recertification and want to make sure your system is in good shape, CertBetter can connect you with verified ISO consultants who specialise in ISO 45001. You submit one form, receive up to three competing quotes from vetted providers, and can compare them properly before making a decision. The service is completely free for businesses seeking help.




