How to Handle Contractor Safety Under ISO 45001

CertBetter

Team CertBetter

12 min read
How to Handle Contractor Safety Under ISO 45001

Why Contractor Safety Is One of the Hardest Parts of ISO 45001

If you have ever sat through an ISO 45001 audit and watched an auditor flip through your contractor records, you will know the feeling. Contractor safety is consistently one of the top areas where businesses get caught out. Not because they do not care about safety, but because the relationship between a principal contractor and their subcontractors creates genuine complexity that a lot of businesses have not thought through properly.

ISO 45001 does not let you draw a line around your own employees and call it done. The standard explicitly requires you to manage the health and safety of workers, and that term covers contractors, subcontractors, labour hire staff, and anyone else who performs work under your control or on your behalf. If someone gets hurt on your site and they happen to be a contractor, that is still your problem under ISO 45001, and it will absolutely be your problem under Australian work health and safety legislation too.

This article walks you through exactly what ISO 45001 requires when it comes to contractors, how to build practical systems that actually work, and what auditors are looking for when they review your contractor management process. If you are just starting out with the standard, it is worth reading our beginner's guide to ISO 45001 first to get the foundations in place before diving into contractor-specific requirements.

What ISO 45001 Actually Says About Contractors

The standard addresses contractors in several places, and understanding where they sit within the framework helps you build a coherent approach rather than a patchwork of disconnected procedures.

Clause 8.1.4: Procurement and Contractors

This is the primary clause dealing with contractors. Clause 8.1.4.2 specifically addresses contractors and requires your organisation to coordinate with contractors to identify hazards and assess and control the OH&S risks arising from their activities. It also requires you to define criteria for selecting contractors from an OH&S perspective, and to monitor compliance with your OH&S requirements throughout the engagement.

What this means in practice is that contractor safety cannot be an afterthought. It needs to be part of how you select, onboard, and monitor contractors from day one.

Clause 4.2: Interested Parties

Contractors are interested parties under ISO 45001. Their needs and expectations around safety need to be considered when you are setting up your OH&S management system. This is not just about protecting them. It is also about understanding that contractors have their own safety obligations and systems, and your approach needs to be compatible with theirs.

Clause 5.4: Consultation and Participation of Workers

This clause extends consultation and participation rights to contractors and their workers. If you are making decisions that affect the safety of contractors on your site, you need mechanisms to involve them. A toolbox talk that only includes your direct employees is not enough if contractors are also present and exposed to the same hazards.

Clause 6.1: Risks and Opportunities

When you conduct your hazard identification and risk assessment, contractors need to be included. The activities they perform, the areas they work in, and the interactions between their work and your own operations all need to be part of the picture. Many businesses do a solid job of identifying hazards for their own staff and then treat contractor activities as a separate, less rigorous exercise. That gap will show up in an audit.

The ISO 45001 standard itself makes clear that the scope of your OH&S management system determines who is covered, and if contractors work under your control, they are in scope.

Building a Contractor Safety Management Process That Works

A lot of businesses have contractor safety documentation that looks fine on paper but falls apart in practice. The goal here is to build something that genuinely reduces risk, not just something that satisfies an auditor for a day.

Step 1: Define What a Contractor Is in Your Context

Start by being clear about who counts as a contractor in your organisation. This sounds obvious but it causes real confusion. Labour hire workers placed through an agency, specialist subcontractors brought in for a project, maintenance technicians from an external firm, cleaning staff, IT support providers who come on site, all of these may fall under your contractor safety obligations depending on the level of control you exercise over their work.

Write a clear definition in your contractor management procedure and list the categories of contractors your business engages. This becomes the foundation for everything else.

Step 2: Apply Safety Criteria to Contractor Selection

ISO 45001 requires you to define OH&S criteria for selecting contractors. This means safety capability needs to be part of how you choose who you work with, not just cost and availability.

In practice, this could include reviewing a contractor's own safety management system, checking their incident history, verifying relevant licences and tickets, reviewing their safe work method statements for the type of work they will perform, and checking that they hold adequate insurance including workers compensation and public liability.

Build a contractor pre-qualification checklist and use it consistently. Keep records of the assessment for every contractor you engage. An auditor will ask to see evidence that you applied your selection criteria, not just that the criteria exist in a document somewhere.

Step 3: Conduct a Site-Specific Induction

Every contractor who comes onto your site or into your controlled work environment needs a site induction that covers the specific hazards they will encounter, your emergency procedures, your reporting requirements, and any site rules they need to follow. Generic safety awareness training from their own employer does not substitute for this.

The induction needs to be documented. Record who attended, when, what was covered, and get a signature or acknowledgement from the contractor. If you use an electronic induction system, make sure it captures this evidence automatically.

For contractors who visit frequently, you still need to refresh the induction periodically and whenever site conditions or hazards change significantly. A contractor who was inducted two years ago and has not been back since needs a fresh induction, not just a wave through the gate.

Step 4: Coordinate Hazard Identification and Risk Assessment

This is where a lot of businesses get it wrong. They complete their own hazard identification process and then ask the contractor to submit a Safe Work Method Statement (SWMS) without actually reviewing it or checking whether it accounts for the interaction between the contractor's work and the surrounding environment.

You need to actively coordinate with contractors on hazard identification. Before work begins, sit down with the contractor and go through the specific tasks they will perform, the hazards those tasks create, and how those hazards interact with your existing operations. A contractor bringing in hot works to an area near flammable materials is a classic example where the interaction between their work and your site creates a hazard that neither party's independent risk assessment would fully capture.

Review and sign off on SWMS documents before work starts. If a SWMS is inadequate, send it back. Do not accept a document that lists controls you know will not be followed or that fails to identify obvious hazards.

Step 5: Communicate Your OH&S Requirements Clearly

Contractors need to know what your OH&S requirements are before they start work. This includes your incident reporting obligations, your permit to work system if you have one, your requirements around personal protective equipment, your rules around working at heights, confined spaces, or other high-risk work, and your emergency response procedures.

Put this in writing. A contractor safety requirements document or a section in your contractor agreement that spells out your expectations is far better than a verbal briefing that nobody can verify later. Make it clear that compliance with your OH&S requirements is a condition of the engagement.

Step 6: Monitor Contractor Safety Performance On Site

Defining requirements and conducting an induction is not enough. You need to monitor whether contractors are actually following safe work practices while they are on site. This does not mean standing over them every minute, but it does mean regular checks, particularly for high-risk work.

Assign someone with clear responsibility for contractor oversight. That person should conduct periodic inspections, be present during critical phases of high-risk work, and be the point of contact for any safety concerns the contractor raises. If you observe a contractor not following safe work procedures, you need to stop the work, address the issue, and document what happened and what corrective action was taken.

Keep records of your monitoring activities. An auditor will want to see evidence that oversight actually happened, not just that a procedure says it should happen.

Step 7: Manage Incidents and Near Misses Involving Contractors

Your incident reporting and investigation process needs to cover contractors. If a contractor is injured on your site or experiences a near miss, that needs to go through your incident management system the same way an employee incident would. The investigation needs to identify root causes and implement corrective actions that address both your own systems and any failures in the contractor's work practices.

Under Australian work health and safety legislation, you also have specific notification obligations to the relevant regulator when a notifiable incident involves a contractor on your site. Make sure your incident procedure covers this clearly. The Safe Work Australia guidance on incident notification is a useful reference for understanding when notification is required and what the process involves.

What Auditors Look for in Contractor Safety

When an ISO 45001 auditor reviews your contractor safety arrangements, they are looking for evidence that your system is real and operational, not just documented. Here is what typically comes up.

The Pre-Qualification Records

Auditors will ask to see your contractor register and will sample a selection of contractors to check that pre-qualification was completed. They will look for evidence that you actually reviewed safety documentation, not just that you asked for it. A folder full of contractor certificates with no evidence of review does not satisfy the requirement.

Induction Records

They will check that inductions were completed before contractors started work and that the records are current. Missing induction records for contractors currently on site is a common nonconformance finding.

SWMS Review and Approval

For high-risk construction work and other hazardous activities, auditors will want to see that SWMS documents were reviewed, that they were adequate, and that they were approved before work commenced. A SWMS sitting in a drawer that nobody has read will not pass.

Evidence of Monitoring

Auditors look for inspection records, toolbox talk attendance sheets that include contractors, and any documented observations or interventions relating to contractor safety. If your monitoring records show that everything was always perfect and no issues were ever identified, that is actually a red flag. A functioning system finds and corrects problems.

Incident Records

They will check whether any contractor incidents occurred during the audit period and whether they were investigated and closed out properly. An incident that was not reported or investigated is a serious finding.

Common Mistakes to Avoid

After years of auditing and consulting in this space, the same mistakes come up repeatedly. Here are the ones most worth avoiding.

Treating the SWMS as a Tick-Box Exercise

Asking for a SWMS and filing it without review is one of the most common contractor safety failures. The SWMS is a working document that should reflect the actual hazards and controls for the specific task on your specific site. A generic SWMS template that the contractor uses for every job is not adequate for high-risk work.

Forgetting Short-Duration or Repeat Contractors

Businesses often have robust processes for major project contractors but forget about the maintenance technician who comes in every month or the cleaning contractor who works on site every night. These workers are just as much your responsibility under ISO 45001, and they need to be in your contractor management system.

No Clear Ownership of Contractor Oversight

If nobody is clearly responsible for monitoring contractor safety, it does not get done consistently. Assign a named person or role for each contractor engagement and make sure they know what they are expected to do.

Contractor Agreements That Do Not Reference Safety Requirements

Your commercial contracts with contractors should reference your OH&S requirements and make compliance a condition of the engagement. If safety obligations are not in the contract, enforcing them becomes much harder.

If you are working toward ISO 45001 certification and want to understand the broader benefits the standard delivers, our article on the top 10 benefits of ISO 45001 gives a good overview of what a well-implemented system achieves. And if you are specifically in the construction sector, the ISO 45001 certification guide for construction companies covers the additional complexity that comes with managing safety across multiple sites and subcontractor tiers.

Integrating Contractor Safety With Your Broader OH&S System

Contractor safety should not live in a separate silo. It needs to connect with your hazard register, your risk assessment process, your training records, your incident management system, and your internal audit program. When you run internal audits, include contractor safety as a specific audit topic. When you conduct management reviews, report on contractor safety performance as part of your overall OH&S performance data.

If you are implementing ISO 45001 for the first time and finding the contractor requirements complex to navigate, working with an experienced consultant can save a significant amount of time and prevent costly mistakes. CertBetter connects businesses with verified ISO consultants who have real experience in OH&S management systems. You submit one form, receive up to three competing quotes from vetted providers, and the service is completely free. It is a straightforward way to find someone who can help you build a contractor safety system that actually works rather than one that just looks good on paper.

Get 3 ISO Quotes. 24 Hours Response

Tell us what you need and compare vetted ISO consultants or certification bodies within 24 hours. Free, no obligation.

Trusted by 400+ businesses like yours

Frequently Asked Questions

ISO 45001 does not specifically mandate that you conduct formal audits of your contractors, but it does require you to monitor their compliance with your OH&S requirements. In practice, this means regular inspections, reviewing their work practices on site, and verifying that the controls in their safe work method statements are actually being followed. For high-risk contractors or long-term engagements, a more structured review of their safety management practices is good practice and may be expected by an auditor reviewing your system.

Under ISO 45001, the term worker is broad and includes all persons who perform work under the organisation's control. This covers employees, contractors, subcontractors, labour hire staff, volunteers, and others. The distinction matters because it means your OH&S obligations extend beyond your direct employees to anyone performing work that you direct or control, regardless of their employment relationship with you or another organisation.

Yes. Clause 6.1 of ISO 45001 requires hazard identification to consider all workers and their activities, including contractors. You need to assess the hazards created by contractor activities, the hazards contractors are exposed to in your work environment, and any interactions between contractor work and your own operations that create additional risk. Excluding contractors from hazard identification is a common audit finding.

You need to retain evidence of contractor pre-qualification assessments, site induction records including dates and signatures, reviewed and approved safe work method statements, monitoring and inspection records, toolbox talk attendance records that include contractors, and any incident reports or corrective actions involving contractors. These records demonstrate that your contractor safety system is operational, not just documented, and they are the primary evidence an auditor will review.

No. A contractor holding their own ISO 45001 certification is a positive indicator of their safety capability and is a valid factor in your pre-qualification assessment, but it does not remove your obligation to manage contractor safety on your site. You still need to induct them into your site-specific hazards, coordinate on risk assessment, communicate your OH&S requirements, and monitor their compliance. Their certification covers their own management system, not their compliance with your site-specific requirements.

Your contractor agreement should make compliance with your OH&S requirements a condition of the engagement. If a contractor refuses to follow your safety requirements, you have the right and the obligation to stop the work until the issue is resolved. Document the incident, issue a formal notice, and if the contractor continues to be non-compliant, terminating the engagement may be necessary. Allowing a contractor to work unsafely because it is inconvenient to stop them is both a safety failure and a significant liability under Australian work health and safety law.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.

Contractor Safety Under ISO 45001: Complete Guide - CertBetter