How to Build an OHS Management System for ISO 45001

CertBetter

Team CertBetter


Why Building a Proper OHS Management System Matters

If you are thinking about ISO 45001 certification, the first thing to understand is that the standard is not asking you to create a pile of documents. It is asking you to build a functioning occupational health and safety management system, one that actually protects your workers, reduces incidents, and demonstrates that safety is managed in a structured, accountable way.

A lot of businesses get this wrong. They spend weeks writing policies and procedures, tick the boxes for the audit, and then wonder why their injury rates do not improve. That is because they built a document system, not a management system. This guide will walk you through how to build an OHS management system that is genuinely effective and audit ready for ISO 45001.

If you are new to the standard, it helps to start with the basics. Our beginner's guide to ISO 45001 covers the core concepts before you dive into implementation.

Understanding What ISO 45001 Actually Requires

ISO 45001 follows the High Level Structure used by most modern ISO management system standards. That means it shares the same framework as ISO 9001 and ISO 14001, with ten clauses covering context, leadership, planning, support, operation, performance evaluation, and improvement.

The standard applies to any organisation, regardless of size or industry. A mining company in Western Australia and a small accounting firm in Brisbane are both eligible. What changes is the complexity of the hazards and the depth of controls required, not the structure of the system itself.

The key things ISO 45001 requires you to demonstrate are:

  • You understand the context of your organisation and what affects your OHS performance
  • Leadership is visibly committed to worker health and safety
  • Workers participate in the development and operation of the system
  • Hazards are identified and risks are assessed and controlled
  • Legal and other requirements are identified and met
  • Objectives are set and performance is monitored
  • Incidents, nonconformities, and near misses are investigated and corrected
  • The system is continually improved

Now let us go through how to actually build this, step by step.

Step 1: Establish the Context of Your Organisation

Clause 4 of ISO 45001 requires you to understand the internal and external factors that affect your OHS management system. This is not just a formality. It shapes everything else in your system.

Internal Factors to Consider

Think about the nature of your work, the types of hazards present, the size and structure of your workforce, your existing safety culture, and any past incidents or near misses. Also consider your organisational values, how decisions get made, and what resources you have available.

External Factors to Consider

These include applicable legislation such as the Work Health and Safety Act in your jurisdiction, industry codes of practice, client requirements, and community expectations. In Australia, WHS legislation varies by state and territory, so you need to identify which laws apply to your specific operations.

Interested Parties

ISO 45001 places significant emphasis on identifying the needs and expectations of workers and other interested parties. Workers are not just a resource. They are active participants in the system. Other interested parties might include contractors, clients, regulators, unions, and insurers. Document who they are and what they expect from your OHS system.

Step 2: Define the Scope of Your OHS Management System

Your scope statement defines the boundaries of your system. It needs to be specific enough to be meaningful but realistic about what your organisation actually controls.

For example, if you operate a construction company across multiple sites in New South Wales, your scope might cover all construction and project management activities delivered by your employed workforce. If you use subcontractors extensively, you need to think carefully about how much influence you have over their activities and whether they fall within or outside your scope.

A well defined scope also helps your certification body understand what they are auditing. Vague scope statements cause problems at audit time. Be specific about the activities, locations, and workers covered.

For guidance on how to define this properly, our article on determining the scope of management systems provides practical examples you can adapt for ISO 45001.

Step 3: Secure Leadership Commitment and Assign Accountability

This is where many OHS management systems fall apart. Senior leaders sign off on the policy and then hand everything to the safety manager and walk away. ISO 45001 Clause 5 requires genuine leadership commitment, not just a signature on a document.

In practical terms, this means:

  • Top management actively participates in safety reviews and discussions
  • OHS objectives are integrated into business planning, not treated as a separate activity
  • Resources, both time and money, are allocated to OHS activities
  • Leaders are visible on the floor or on site, not just in meeting rooms
  • Accountability for safety outcomes is assigned at every level of the organisation

The OHS Policy

Your OHS policy is a mandatory document under the standard. It needs to commit to providing safe and healthy working conditions, meeting legal requirements, eliminating hazards and reducing OHS risks, and continually improving the system. It must be communicated to all workers and reviewed regularly.

Writing a policy that actually passes audit is more involved than most people expect. Our detailed guide on how to write an ISO 45001 OHS policy that passes audit walks you through exactly what auditors look for.

Worker Participation

One of the most distinctive features of ISO 45001 compared to its predecessor OHSAS 18001 is the strong emphasis on worker participation and consultation. Workers must be involved in hazard identification, risk assessment, incident investigation, and the development of controls. This is not optional. Auditors will ask workers directly whether they feel their input is sought and acted upon.

For practical strategies on this, see our article on how to get worker participation in ISO 45001 implementation.

Step 4: Identify Hazards and Assess OHS Risks

Clause 6 of ISO 45001 covers planning, and the centrepiece of this clause is hazard identification and risk assessment. This is the technical heart of your OHS management system.

Hazard Identification

You need a systematic process for identifying all hazards associated with your operations. This includes physical hazards like machinery and working at heights, chemical hazards, biological hazards, ergonomic hazards, and psychosocial hazards such as workplace violence, fatigue, and excessive workload.

Do not overlook psychosocial risks. ISO 45003 provides specific guidance on managing psychosocial risks in the workplace and is a useful companion to ISO 45001 implementation.

Hazard identification should involve workers at every level. The person operating the forklift knows more about the risks in that role than the safety manager sitting in the office.

Risk Assessment

Once hazards are identified, you need to assess the likelihood and severity of harm. There is no single prescribed method in ISO 45001. You can use a risk matrix, a bowtie analysis, or another approach that suits your context. What matters is that the assessment is documented, consistent, and used to prioritise controls.

The Hierarchy of Controls

ISO 45001 expects you to apply the hierarchy of controls when determining how to manage identified risks. In order of preference:

  1. Elimination of the hazard
  2. Substitution with something less hazardous
  3. Engineering controls
  4. Administrative controls
  5. Personal protective equipment

Many organisations jump straight to PPE because it is cheap and easy. Auditors know this and will probe whether you have genuinely considered higher order controls before reaching for the hard hats and hi-vis vests.

Legal and Other Requirements

You must also identify all applicable legal requirements and other requirements relevant to your OHS hazards. In Australia, this means mapping your activities against the relevant WHS Act and Regulations, Safe Work Australia codes of practice, and any industry specific standards. This register needs to be maintained and reviewed as laws change.

Step 5: Set OHS Objectives and Plan to Achieve Them

Objectives give your system direction. They should be measurable, realistic, and linked to your significant OHS risks. Common examples include reducing the lost time injury frequency rate by a specific percentage, completing a defined number of safety inspections per month, or achieving a certain rate of near miss reporting.

For each objective, document who is responsible, what resources are needed, what the timeline is, and how progress will be measured. Objectives that sit in a document and are never reviewed are a red flag for auditors. They want to see evidence that you are actively tracking progress and taking action when you fall behind.

Step 6: Build Your Operational Controls

Clause 8 covers operational planning and control. This is where your hazard controls are turned into actual procedures, work instructions, safe work method statements, and permit systems.

Safe Work Method Statements and Procedures

For high risk activities, you need documented safe work method statements or equivalent procedures. These should describe the task, the hazards involved, the controls in place, and the steps to be followed. They need to be written in plain language that workers can actually understand and follow.

Management of Change

When your operations change, whether that is new equipment, new processes, new chemicals, or changes to the workforce, your OHS system needs to keep pace. ISO 45001 requires a management of change process to ensure that new hazards introduced by change are identified and controlled before the change is implemented, not after an incident occurs.

Contractor and Supplier Management

If you use contractors or outsource activities, you need to extend your OHS controls to cover them. This does not mean you are responsible for their entire safety program, but you do need to ensure that the work performed on your behalf or at your premises is done safely. Contractor induction, site rules, and verification of competence are all relevant here.

Emergency Preparedness and Response

You must have documented emergency procedures and test them through drills. This includes identifying potential emergencies, establishing response procedures, assigning roles and responsibilities, and communicating procedures to all relevant people including contractors and visitors.

Step 7: Monitor, Measure, and Evaluate Performance

Clause 9 covers performance evaluation. You cannot manage what you do not measure. Your system needs a combination of leading and lagging indicators to give you a complete picture of OHS performance.

Leading and Lagging Indicators

Lagging indicators are things that have already happened, such as injury rates, lost time injuries, and workers compensation claims. Leading indicators are proactive measures such as safety inspection completion rates, near miss reports submitted, toolbox talk attendance, and corrective actions closed on time.

A system that only tracks lagging indicators is essentially waiting for something to go wrong before it responds. Build a dashboard that includes both types of measures and review them regularly at management level.

Internal Audits

ISO 45001 requires a program of internal audits to verify that your system is functioning as intended. These audits need to be conducted by competent people who are objective and impartial. That does not necessarily mean external auditors. It can be trained internal staff, provided they are not auditing their own work.

For practical guidance on running internal audits that genuinely add value, our article on how to run ISO internal audits that actually find problems is worth reading before you start.

Management Review

Top management must conduct regular reviews of the OHS management system. This is not a rubber stamp exercise. The review needs to consider audit results, incident data, objective progress, worker feedback, changes in legal requirements, and opportunities for improvement. Decisions and actions from the review must be documented and followed up.

Step 8: Manage Incidents, Nonconformities, and Corrective Actions

When something goes wrong, whether it is an injury, a near miss, a nonconformity identified in an audit, or a complaint from a worker, your system must respond in a structured way.

This means investigating what happened, identifying the root cause, implementing corrective actions to prevent recurrence, and verifying that those actions were effective. The investigation process should involve affected workers and should look beyond the immediate cause to understand the underlying system failures that allowed the incident to occur.

Near miss reporting is particularly important and often underutilised. Organisations with strong near miss reporting cultures tend to have far fewer serious incidents because they catch and fix problems before someone gets hurt. If your workers are not reporting near misses, ask yourself whether the reporting process is too cumbersome or whether there is a fear of blame.

Step 9: Drive Continual Improvement

Clause 10 of ISO 45001 requires continual improvement of the OHS management system. This goes beyond just fixing problems when they arise. It means actively looking for opportunities to improve, whether that is adopting better technology, improving training, refining risk controls, or strengthening worker participation.

Improvement opportunities can come from internal audits, management reviews, worker suggestions, incident investigations, benchmarking against industry peers, or changes in legislation. The key is having a mechanism to capture these opportunities and act on them in a timely way.

Documentation Requirements for ISO 45001

ISO 45001 requires specific documented information to be maintained and retained. The mandatory documents include your OHS policy, scope, hazard identification and risk assessment records, legal requirements register, OHS objectives, operational controls, emergency procedures, internal audit program and results, management review records, and corrective action records.

Beyond the mandatory items, document what you need to ensure consistent operation of your system. More documentation is not always better. Focus on what adds value and what workers will actually use. Overly complex documentation that nobody reads is worse than simple, practical procedures that people follow every day.

Understanding how to manage controlled documents properly is an important part of this. Our guide on what controlled documents are and how to implement them covers the practical side of document control in a management system context.

Getting Ready for Certification

Once your system is built and has been operating for at least three months, you should be ready to approach a certification body for your Stage 1 and Stage 2 audits. The Stage 1 audit is a document review and readiness assessment. The Stage 2 is the main certification audit where the auditor verifies that your system is implemented and effective.

Choosing the right certification body matters. You want a body that is accredited by a recognised accreditation body such as JAS-ANZ in Australia, has auditors with genuine industry experience in your sector, and can provide a realistic timeline and clear audit process. A cheap certification body with no relevant industry knowledge is not a bargain.

If you are unsure where to start when comparing providers, CertBetter makes this process straightforward. You submit one form, and you receive up to three competing quotes from vetted ISO consultants and accredited certification bodies. It costs nothing to use and saves you hours of research and back and forth emails. Whether you need help building your system or just need a certification body to conduct the audit, CertBetter connects you with providers who have been assessed for quality and transparency.


Frequently Asked Questions

The timeline depends on the size of your organisation, the complexity of your hazards, and how much of a safety foundation you already have in place. A small business with straightforward operations might be ready for certification in three to six months. A larger organisation with complex, high risk operations could take twelve months or more. The minimum recommended operating period before a certification audit is typically three months, so auditors have evidence of the system functioning over time rather than just on paper.

You do not legally need a consultant, but many organisations find the process significantly faster and less painful with experienced help. A good ISO 45001 consultant brings knowledge of the standard requirements, awareness of common audit pitfalls, and the ability to tailor the system to your specific industry context. If your internal team has no prior experience with management systems or the standard, professional guidance is usually worth the investment. The risk of building a system that does not meet the standard requirements is that you fail the audit and have to redo significant work.

ISO 45001 certification is not legally mandatory in Australia. Compliance with the relevant Work Health and Safety legislation in your state or territory is the legal requirement. However, ISO 45001 certification is increasingly required by major clients, government procurement processes, and principal contractors in industries like construction, mining, and utilities. Even where it is not mandated, the structured approach to OHS management that ISO 45001 requires tends to produce measurable improvements in safety outcomes.

OHSAS 18001 was the previous international OHS management system standard that ISO 45001 replaced in 2018. ISO 45001 introduced several significant changes, including a much stronger emphasis on worker participation and consultation, the requirement to consider the organisational context and interested parties, greater integration with strategic business planning through the High Level Structure framework, and an explicit focus on both eliminating hazards and reducing OHS risks. Organisations that were certified to OHSAS 18001 were required to transition to ISO 45001, and that transition period has now closed.

Yes, absolutely. ISO 45001 is designed to be applicable to organisations of any size. For a small business, the system will naturally be simpler and less bureaucratic than for a large corporation. The key is proportionality. Your hazard identification, risk controls, and documentation should reflect the actual complexity of your operations, not be copied from a large enterprise template. Many small businesses in high risk industries such as construction, electrical work, and healthcare have achieved ISO 45001 certification and found it valuable for winning contracts and managing their safety obligations more effectively.

The total cost of ISO 45001 certification in Australia varies depending on the size of your organisation, the number of sites, the complexity of your operations, and whether you use a consultant to help build the system. Certification body audit fees for a small business might start from around $3,000 to $5,000 for the initial certification audit, while consulting fees to build the system can range from a few thousand dollars for template based support to $20,000 or more for full implementation assistance. For a detailed breakdown of real market prices, our article on ISO 45001 certification cost in Australia covers what you can expect to pay based on data from over fifty providers.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
