Why Contractor Safety Is One of the Hardest Parts of ISO 45001
If you have ever sat through an ISO 45001 audit and watched an auditor flip through your contractor records, you will know the feeling. Contractor safety is consistently one of the top areas where businesses get caught out. Not because they do not care about safety, but because the relationship between a principal contractor and their subcontractors creates genuine complexity that a lot of businesses have not thought through properly.
On this page
ISO 45001 does not let you draw a line around your own employees and call it done. The standard explicitly requires you to manage the health and safety of workers, and that term covers contractors, subcontractors, labour hire staff, and anyone else who performs work under your control or on your behalf. If someone gets hurt on your site and they happen to be a contractor, that is still your problem under ISO 45001, and it will absolutely be your problem under Australian work health and safety legislation too.
This article walks you through exactly what ISO 45001 requires when it comes to contractors, how to build practical systems that actually work, and what auditors are looking for when they review your contractor management process. If you are just starting out with the standard, it is worth reading our beginner's guide to ISO 45001 first to get the foundations in place before diving into contractor-specific requirements.
What ISO 45001 Actually Says About Contractors
The standard addresses contractors in several places, and understanding where they sit within the framework helps you build a coherent approach rather than a patchwork of disconnected procedures.
Clause 8.1.4: Procurement and Contractors
This is the primary clause dealing with contractors. Clause 8.1.4.2 specifically addresses contractors and requires your organisation to coordinate with contractors to identify hazards and assess and control the OH&S risks arising from their activities. It also requires you to define criteria for selecting contractors from an OH&S perspective, and to monitor compliance with your OH&S requirements throughout the engagement.
What this means in practice is that contractor safety cannot be an afterthought. It needs to be part of how you select, onboard, and monitor contractors from day one.
Clause 4.2: Interested Parties
Contractors are interested parties under ISO 45001. Their needs and expectations around safety need to be considered when you are setting up your OH&S management system. This is not just about protecting them. It is also about understanding that contractors have their own safety obligations and systems, and your approach needs to be compatible with theirs.
Clause 5.4: Consultation and Participation of Workers
This clause extends consultation and participation rights to contractors and their workers. If you are making decisions that affect the safety of contractors on your site, you need mechanisms to involve them. A toolbox talk that only includes your direct employees is not enough if contractors are also present and exposed to the same hazards.
Clause 6.1: Risks and Opportunities
When you conduct your hazard identification and risk assessment, contractors need to be included. The activities they perform, the areas they work in, and the interactions between their work and your own operations all need to be part of the picture. Many businesses do a solid job of identifying hazards for their own staff and then treat contractor activities as a separate, less rigorous exercise. That gap will show up in an audit.
The ISO 45001 standard itself makes clear that the scope of your OH&S management system determines who is covered, and if contractors work under your control, they are in scope.
Building a Contractor Safety Management Process That Works
A lot of businesses have contractor safety documentation that looks fine on paper but falls apart in practice. The goal here is to build something that genuinely reduces risk, not just something that satisfies an auditor for a day.
Step 1: Define What a Contractor Is in Your Context
Start by being clear about who counts as a contractor in your organisation. This sounds obvious but it causes real confusion. Labour hire workers placed through an agency, specialist subcontractors brought in for a project, maintenance technicians from an external firm, cleaning staff, IT support providers who come on site, all of these may fall under your contractor safety obligations depending on the level of control you exercise over their work.
Write a clear definition in your contractor management procedure and list the categories of contractors your business engages. This becomes the foundation for everything else.
Step 2: Apply Safety Criteria to Contractor Selection
ISO 45001 requires you to define OH&S criteria for selecting contractors. This means safety capability needs to be part of how you choose who you work with, not just cost and availability.
In practice, this could include reviewing a contractor's own safety management system, checking their incident history, verifying relevant licences and tickets, reviewing their safe work method statements for the type of work they will perform, and checking that they hold adequate insurance including workers compensation and public liability.
Build a contractor pre-qualification checklist and use it consistently. Keep records of the assessment for every contractor you engage. An auditor will ask to see evidence that you applied your selection criteria, not just that the criteria exist in a document somewhere.
Step 3: Conduct a Site-Specific Induction
Every contractor who comes onto your site or into your controlled work environment needs a site induction that covers the specific hazards they will encounter, your emergency procedures, your reporting requirements, and any site rules they need to follow. Generic safety awareness training from their own employer does not substitute for this.
The induction needs to be documented. Record who attended, when, what was covered, and get a signature or acknowledgement from the contractor. If you use an electronic induction system, make sure it captures this evidence automatically.
For contractors who visit frequently, you still need to refresh the induction periodically and whenever site conditions or hazards change significantly. A contractor who was inducted two years ago and has not been back since needs a fresh induction, not just a wave through the gate.
Step 4: Coordinate Hazard Identification and Risk Assessment
This is where a lot of businesses get it wrong. They complete their own hazard identification process and then ask the contractor to submit a Safe Work Method Statement (SWMS) without actually reviewing it or checking whether it accounts for the interaction between the contractor's work and the surrounding environment.
You need to actively coordinate with contractors on hazard identification. Before work begins, sit down with the contractor and go through the specific tasks they will perform, the hazards those tasks create, and how those hazards interact with your existing operations. A contractor bringing in hot works to an area near flammable materials is a classic example where the interaction between their work and your site creates a hazard that neither party's independent risk assessment would fully capture.
Review and sign off on SWMS documents before work starts. If a SWMS is inadequate, send it back. Do not accept a document that lists controls you know will not be followed or that fails to identify obvious hazards.
Step 5: Communicate Your OH&S Requirements Clearly
Contractors need to know what your OH&S requirements are before they start work. This includes your incident reporting obligations, your permit to work system if you have one, your requirements around personal protective equipment, your rules around working at heights, confined spaces, or other high-risk work, and your emergency response procedures.
Put this in writing. A contractor safety requirements document or a section in your contractor agreement that spells out your expectations is far better than a verbal briefing that nobody can verify later. Make it clear that compliance with your OH&S requirements is a condition of the engagement.
Step 6: Monitor Contractor Safety Performance On Site
Defining requirements and conducting an induction is not enough. You need to monitor whether contractors are actually following safe work practices while they are on site. This does not mean standing over them every minute, but it does mean regular checks, particularly for high-risk work.
Assign someone with clear responsibility for contractor oversight. That person should conduct periodic inspections, be present during critical phases of high-risk work, and be the point of contact for any safety concerns the contractor raises. If you observe a contractor not following safe work procedures, you need to stop the work, address the issue, and document what happened and what corrective action was taken.
Keep records of your monitoring activities. An auditor will want to see evidence that oversight actually happened, not just that a procedure says it should happen.
Step 7: Manage Incidents and Near Misses Involving Contractors
Your incident reporting and investigation process needs to cover contractors. If a contractor is injured on your site or experiences a near miss, that needs to go through your incident management system the same way an employee incident would. The investigation needs to identify root causes and implement corrective actions that address both your own systems and any failures in the contractor's work practices.
Under Australian work health and safety legislation, you also have specific notification obligations to the relevant regulator when a notifiable incident involves a contractor on your site. Make sure your incident procedure covers this clearly. The Safe Work Australia guidance on incident notification is a useful reference for understanding when notification is required and what the process involves.
What Auditors Look for in Contractor Safety
When an ISO 45001 auditor reviews your contractor safety arrangements, they are looking for evidence that your system is real and operational, not just documented. Here is what typically comes up.
The Pre-Qualification Records
Auditors will ask to see your contractor register and will sample a selection of contractors to check that pre-qualification was completed. They will look for evidence that you actually reviewed safety documentation, not just that you asked for it. A folder full of contractor certificates with no evidence of review does not satisfy the requirement.
Induction Records
They will check that inductions were completed before contractors started work and that the records are current. Missing induction records for contractors currently on site is a common nonconformance finding.
SWMS Review and Approval
For high-risk construction work and other hazardous activities, auditors will want to see that SWMS documents were reviewed, that they were adequate, and that they were approved before work commenced. A SWMS sitting in a drawer that nobody has read will not pass.
Evidence of Monitoring
Auditors look for inspection records, toolbox talk attendance sheets that include contractors, and any documented observations or interventions relating to contractor safety. If your monitoring records show that everything was always perfect and no issues were ever identified, that is actually a red flag. A functioning system finds and corrects problems.
Incident Records
They will check whether any contractor incidents occurred during the audit period and whether they were investigated and closed out properly. An incident that was not reported or investigated is a serious finding.
Common Mistakes to Avoid
After years of auditing and consulting in this space, the same mistakes come up repeatedly. Here are the ones most worth avoiding.
Treating the SWMS as a Tick-Box Exercise
Asking for a SWMS and filing it without review is one of the most common contractor safety failures. The SWMS is a working document that should reflect the actual hazards and controls for the specific task on your specific site. A generic SWMS template that the contractor uses for every job is not adequate for high-risk work.
Forgetting Short-Duration or Repeat Contractors
Businesses often have robust processes for major project contractors but forget about the maintenance technician who comes in every month or the cleaning contractor who works on site every night. These workers are just as much your responsibility under ISO 45001, and they need to be in your contractor management system.
No Clear Ownership of Contractor Oversight
If nobody is clearly responsible for monitoring contractor safety, it does not get done consistently. Assign a named person or role for each contractor engagement and make sure they know what they are expected to do.
Contractor Agreements That Do Not Reference Safety Requirements
Your commercial contracts with contractors should reference your OH&S requirements and make compliance a condition of the engagement. If safety obligations are not in the contract, enforcing them becomes much harder.
If you are working toward ISO 45001 certification and want to understand the broader benefits the standard delivers, our article on the top 10 benefits of ISO 45001 gives a good overview of what a well-implemented system achieves. And if you are specifically in the construction sector, the ISO 45001 certification guide for construction companies covers the additional complexity that comes with managing safety across multiple sites and subcontractor tiers.
Integrating Contractor Safety With Your Broader OH&S System
Contractor safety should not live in a separate silo. It needs to connect with your hazard register, your risk assessment process, your training records, your incident management system, and your internal audit program. When you run internal audits, include contractor safety as a specific audit topic. When you conduct management reviews, report on contractor safety performance as part of your overall OH&S performance data.
If you are implementing ISO 45001 for the first time and finding the contractor requirements complex to navigate, working with an experienced consultant can save a significant amount of time and prevent costly mistakes. CertBetter connects businesses with verified ISO consultants who have real experience in OH&S management systems. You submit one form, receive up to three competing quotes from vetted providers, and the service is completely free. It is a straightforward way to find someone who can help you build a contractor safety system that actually works rather than one that just looks good on paper.




