How to Verify a Company Has ISO 45001 Certification

Why Verifying ISO 45001 Certification Actually Matters

ISO 45001 is the international standard for occupational health and safety management systems. When a company claims to hold this certification, it signals that their workplace safety processes have been independently audited and meet a globally recognised benchmark. That matters enormously when you are selecting a contractor for a high-risk worksite, tendering for government contracts, or choosing a supply chain partner where worker safety is a serious concern.

The problem is that fake and expired ISO certificates are more common than most people realise. Some businesses display old certificates that lapsed years ago. Others present certificates issued by unaccredited bodies that carry no real weight. A small number are outright fraudulent. If you are relying on a supplier or contractor to hold valid ISO 45001 certification and they do not, the consequences can range from failed tender bids to serious legal exposure if a workplace incident occurs.

This guide walks you through exactly how to verify ISO 45001 certification, what to look for on the certificate itself, which databases to check, and the warning signs that something is not right. If you have ever wondered whether a certificate is genuine, this article gives you a clear process to follow.

What a Legitimate ISO 45001 Certificate Looks Like

Before you go searching databases, start with the certificate document itself. A genuine ISO 45001 certificate issued by an accredited certification body will contain specific information. Knowing what to look for takes about two minutes and can immediately flag obvious problems.

Key Details That Must Appear on the Certificate

• The name of the certified organisation. This should exactly match the legal entity you are dealing with. A certificate issued to a parent company does not automatically cover a subsidiary or a different trading name.
• The scope of certification. ISO 45001 certificates always include a defined scope, describing the activities, locations, and sometimes the number of employees covered. A company that operates across five sites but only has one site in the scope is only certified for that one site.
• The certification body name and logo. This is the organisation that conducted the audit and issued the certificate. You will need this name to verify accreditation separately.
• An accreditation body logo. Legitimate certificates almost always display the logo of an accreditation body such as JASANZ, UKAS, DAkkS, or another IAF member accreditation body. This logo confirms the certification body itself has been assessed and approved.
• Certificate number. Every certificate has a unique identifier. You will use this to look up the certificate in an online registry.
• Issue date and expiry date. ISO 45001 certificates are valid for three years, with surveillance audits conducted annually. If the certificate has expired, the certification is no longer valid regardless of what the company tells you.
• The standard version. It should reference ISO 45001:2018, which is the current version of the standard.

If any of these elements are missing or vague, treat that as a red flag and dig further before accepting the certificate at face value. Our article on how to spot fake ISO certificates goes deeper on the specific visual and content cues that separate genuine documents from fraudulent ones.

Step by Step: How to Verify ISO 45001 Certification Online

The most reliable way to verify any ISO certification is to check the certification body's own public registry or the accreditation body's database. Here is how to do it systematically.

Step 1: Identify the Certification Body

The certification body name will appear on the certificate. Common examples include BSI, Bureau Veritas, SGS, Lloyd's Register, SAI Global, LRQA, and Intertek. Write down the exact name as it appears on the document.

Step 2: Check the Certification Body's Online Registry

Most accredited certification bodies maintain a public register of their certified clients. Search for the certification body's website, navigate to their certificate search or client register, and enter the company name or certificate number. You are looking to confirm three things: the company is listed, the scope matches what they have claimed, and the certificate is currently active.

Some registries are more user-friendly than others. BSI, for example, has a straightforward online search tool. Others require you to submit a request by email. If the certification body has no public registry at all and cannot verify a certificate when you contact them directly, that is a significant concern.

Step 3: Verify the Certification Body Is Accredited

This step is one that many people skip, and it is arguably the most important. A certificate is only meaningful if it was issued by a certification body that has been accredited by a recognised accreditation body. Accreditation confirms the certification body follows the correct auditing processes under ISO 17021.

For businesses in Australia, check the JASANZ register of accreditation to confirm the certification body holds current accreditation for ISO 45001. For UK businesses, use UKAS. For European businesses, check the relevant national accreditation body. All of these bodies are members of the IAF, which means their accreditations are mutually recognised internationally.

If the certification body is not listed on any recognised accreditation body's register, the ISO 45001 certificate they issued is essentially worthless from a procurement and legal standpoint. This is how many fake or low-quality certificates slip through. The company may genuinely have paid for and received a certificate, but from a body that was never properly accredited to issue it.

Step 4: Cross-Reference the Scope Against Your Requirements

Even a genuine, accredited certificate may not cover what you need it to cover. Read the scope statement carefully. If you are engaging a contractor to perform excavation work and their ISO 45001 certificate scope only covers office-based administrative activities, that certificate is not relevant to the work they will be doing for you.

The scope must align with the actual activities, locations, and risk profile relevant to your engagement. Do not assume a certificate covers everything the company does. Ask for clarification in writing if the scope statement is ambiguous.

Step 5: Confirm the Certificate Is Currently Valid

Check the expiry date on the certificate and confirm today's date falls within the valid period. Also check whether the company has completed their most recent surveillance audit. ISO 45001 requires annual surveillance audits during the three-year certification cycle. A company can technically hold a certificate that has not been suspended yet, but if they missed their last surveillance audit, their certification status may be under review.

You can ask the company directly for their most recent audit report or surveillance audit completion letter. A legitimate certified company should have no hesitation providing this. Reluctance to share basic audit documentation is worth noting.

Using the IAF CertSearch Database

The IAF operates a global certificate search tool called IAF CertSearch, which aggregates certificate data from participating accredited certification bodies worldwide. It is a useful cross-reference tool, particularly when you are dealing with international suppliers or when the certification body is not one you recognise.

To use it, go to the IAF CertSearch platform and enter the company name, certificate number, or certification body. Not every certification body participates in CertSearch, so a missing result does not automatically mean a certificate is fake. But if a certificate is listed there with matching details, it adds a strong layer of confirmation.

For Australian government tenders and procurement, verifying through JASANZ and the certification body's own registry is generally sufficient. If you are dealing with international suppliers, IAF CertSearch is worth adding to your process.

Red Flags That Should Prompt Further Investigation

After reviewing hundreds of ISO certificates over the years, certain patterns consistently indicate something is wrong. Here are the ones to watch for specifically with ISO 45001 claims.

The Certificate Was Issued by an Unrecognised Body

If you search the certification body name and cannot find any accreditation listing on JASANZ, UKAS, or another IAF member body, investigate further before accepting the certificate. There are organisations operating that issue ISO certificates without proper accreditation. Some are based overseas and market aggressively to businesses that want a certificate quickly and cheaply. The certificate looks real. It has logos, signatures, and official-looking formatting. But it carries no independent assurance of anything.

The Scope Is Unusually Broad or Vague

A scope statement like “all activities of the organisation” with no further detail is a warning sign. Legitimate ISO 45001 scopes are specific. They describe the types of work, the locations, and often the relevant hazards or industries covered. Vague scopes sometimes indicate the audit was not conducted with proper rigour.

The Certificate Cannot Be Found in Any Registry

If you search the certification body's registry, the IAF CertSearch database, and contact the certification body directly, and the certificate still cannot be verified, do not accept it. Ask the company to provide written confirmation from their certification body. If they cannot or will not do this, the certificate is almost certainly not legitimate.

The Expiry Date Has Passed

This sounds obvious, but expired certificates are surprisingly common in supplier prequalification submissions. Some companies simply resubmit the same document year after year without renewing. Always check the date, and if a certificate is within a few months of expiry, ask for confirmation that recertification is underway.

The Standard Version Is Outdated

ISO 45001:2018 replaced OHSAS 18001 in 2021. Any certificate still referencing OHSAS 18001 is no longer valid as a current certification. Companies had a transition period to migrate, and that period has long closed. An OHSAS 18001 certificate is now a historical document, not evidence of current certification.

For more context on what makes a certification body trustworthy, our article on red flags when choosing an ISO certification partner covers the key indicators of a credible provider.

Asking the Company Directly: What to Request

Sometimes the most direct approach is simply to ask the company for supporting documentation. This is entirely reasonable in a procurement or tendering context. Here is what to request.

A Copy of the Current Certificate

Ask for the full certificate document, not a logo or a badge on their website. The full document will contain all the details you need to verify independently.

The Certification Body Contact Details

Ask for the name and contact details of their certification body so you can verify directly. A company with a legitimate certificate will provide this without hesitation.

The Most Recent Surveillance Audit Completion Confirmation

This confirms the company has maintained their certification through the required annual audits, not just obtained it and let it drift. You do not need the full audit report. A letter or confirmation from the certification body confirming the surveillance audit was completed and the certificate remains active is sufficient.

The Scope Document

Ask for the full scope statement in writing. Compare it to the activities they will be performing for you. If there is a mismatch, address it before signing any contracts.

ISO 45001 Verification in Procurement and Tendering Contexts

If you are using ISO 45001 certification as a prequalification requirement for contractors or suppliers, build verification into your process formally rather than treating it as a one-time check. Certificates expire, scopes change, and certification bodies occasionally suspend certificates following failed surveillance audits.

A practical approach is to set a policy requiring certified suppliers to provide updated certificate evidence annually, and to require notification within 30 days if their certification status changes. This is standard practice in industries like construction, mining, oil and gas, and utilities where contractor safety management is a critical risk area.

For businesses pursuing their own ISO 45001 certification as part of meeting tender requirements, understanding the full cost and process involved is important. Our detailed breakdown of ISO 45001 certification costs in Australia covers what you can realistically expect to pay and what drives price variation between providers.

If you work in construction specifically, ISO 45001 is often required alongside ISO 9001 and ISO 14001 as part of integrated prequalification requirements. Our ISO certification guide for construction businesses explains how these standards work together in that sector.

What to Do If You Discover a Certificate Is Fake or Invalid

If you have verified that a certificate is fraudulent or that the certification body is unaccredited, you have a few options depending on the context.

In a tendering context, report the discrepancy to the procurement authority and document your verification process in writing. Do not simply reject the tender quietly without noting the reason, particularly if public funds are involved.

In a supply chain context, raise the issue directly with the supplier and give them an opportunity to explain or provide corrected documentation. If they cannot substantiate the claim, treat it as a material misrepresentation and review your contractual obligations accordingly.

If you believe a certification body has issued certificates improperly, you can report this to the relevant accreditation body. JASANZ in Australia and UKAS in the UK both have formal complaints processes for issues involving accredited certification bodies.

Getting ISO 45001 Certified Yourself

If this article has prompted you to think about your own ISO 45001 certification, either because you want to meet a client requirement or because you genuinely want to improve your safety management system, the first step is understanding what the process involves and getting realistic quotes from credible providers.

The certification journey involves a gap analysis, system implementation, and then a two-stage audit process with an accredited certification body. The timeline from starting to receiving your certificate typically runs between three and twelve months depending on the size of your organisation and how mature your existing safety systems are.

CertBetter makes it straightforward to connect with verified ISO consultants and accredited certification bodies. Submit one form and receive up to three competing quotes from vetted providers who have been assessed for their credentials and track record. The service is completely free for businesses seeking certification. If you are ready to get started or just want to understand what is involved before committing, CertBetter is a good place to begin.