Why Your OH&S Policy Is the First Thing Auditors Look At
When a certification auditor walks into your business for an ISO 45001 audit, your Occupational Health and Safety policy is one of the very first documents they will request. It is not just a formality. The policy sets the tone for your entire management system and tells the auditor whether your leadership team genuinely understands what they have committed to.
A weak or generic OH&S policy creates doubt. It signals to the auditor that the system may have been built around paperwork rather than real safety outcomes. A strong policy, on the other hand, gives the auditor confidence that your organisation knows what it is doing and that the system is likely to hold up under scrutiny.
If you are preparing for certification or heading into a surveillance audit, this guide will walk you through exactly what your OH&S policy needs to contain, what auditors are looking for, and the common mistakes that cause businesses to get pulled up on non-conformances.
What Clause 5.2 of ISO 45001 Actually Requires
The OH&S policy requirement sits in Clause 5.2 of ISO 45001. The standard is quite specific about what the policy must include, and auditors check against each of these requirements directly. There is no room to be vague here.
According to Clause 5.2, the OH&S policy must:
- Be appropriate to the purpose and context of the organisation
- Provide a framework for setting OH&S objectives
- Include a commitment to satisfy legal and other requirements
- Include a commitment to the elimination of hazards and reduction of OH&S risks
- Include a commitment to continual improvement of the OH&S management system
- Include a commitment to consultation and participation of workers
The policy also needs to be available as documented information, communicated within the organisation, available to interested parties where appropriate, and relevant and applicable to the organisation.
That last point is where many businesses fall short. A policy copied from a template that references hazards, industries, or commitments irrelevant to your business will raise immediate questions from an auditor. Relevance is not optional.
What Makes an OH&S Policy Genuinely Audit-Ready
It Reflects Your Actual Business Context
Your policy must be appropriate to the nature and scale of your operations and the OH&S risks your workers face. A construction company with workers operating at heights, using heavy machinery, and working in confined spaces has a very different risk profile to a marketing agency or a food processing facility.
If your policy reads as though it could apply to any business in any industry, that is a problem. Auditors want to see that leadership has thought about the specific hazards relevant to their workplace and has made commitments that reflect those realities.
For example, a manufacturing business might reference specific commitments around machinery safety, noise exposure, and manual handling. A healthcare organisation might reference infection control and psychological safety. The language does not need to be exhaustive, but it needs to be credible and contextual.
It Contains All Six Required Commitments
This sounds obvious, but you would be surprised how many policies miss one or two of the required commitments. The most commonly omitted one is the commitment to worker consultation and participation. Businesses often include the commitments around legal compliance and continual improvement, but forget that ISO 45001 places significant emphasis on worker involvement in the OH&S management system.
Go through the Clause 5.2 list item by item and confirm each commitment is explicitly stated in your policy. Do not assume that a general statement about “engaging our workforce” is sufficient. The commitment to consultation and participation needs to be clear and unambiguous.
It Is Signed and Dated by Top Management
The policy must be authorised by top management. In practice, this means it should be signed by the CEO, Managing Director, or equivalent senior leader. A signature from a safety manager or operations manager alone is not sufficient unless that person genuinely holds the highest decision-making authority in the organisation.
The date matters too. An undated policy or a policy that has not been reviewed in several years will prompt questions about whether leadership is actively engaged with the OH&S system. Most auditors expect to see evidence that the policy has been reviewed at planned intervals, typically annually or following significant changes to the business.
It Is Written in Plain, Accessible Language
Your policy needs to be communicated to all workers, including those who may have limited English literacy, low levels of formal education, or who work in roles where reading long documents is not practical. Writing a policy filled with legal jargon and complex sentence structures defeats the purpose.
Plain language does not mean dumbing things down. It means being clear, direct, and specific. Workers should be able to read the policy and understand what their organisation has committed to doing to protect them. If your frontline workers cannot understand the policy, that is a problem both practically and from an audit perspective.
How to Structure Your ISO 45001 OH&S Policy
There is no single prescribed format, but a logical structure helps both readability and audit verification. Here is a structure that works consistently well in practice.
Opening Statement of Intent
Start with a brief statement about who the organisation is, what it does, and the overall commitment to the health, safety, and wellbeing of workers and other affected parties. This sets the context and immediately signals that the policy is specific to your organisation, not a generic template.
Core Commitments Section
This is the heart of the policy. List each of the required commitments clearly. You can use bullet points or short paragraphs. The key is that each commitment is explicit and traceable back to the Clause 5.2 requirements. Some businesses choose to number these commitments to make it easier for auditors to cross-reference.
A practical tip here: write each commitment as an active statement of what the organisation will do, not what it hopes to achieve. “We will consult with workers on matters affecting their health and safety” is stronger than “We aim to involve workers where possible.”
Reference to Objectives and Continual Improvement
Your policy should explicitly state that OH&S objectives will be established and reviewed. This connects the policy to the broader management system and demonstrates that it is a living document rather than a statement of intent that sits in a filing cabinet.
Signature Block and Review Information
Include the name and title of the authorising person, their signature, the date of issue, and the document version number. Also include a statement about when the policy will next be reviewed. This is basic document control, but it is checked consistently during audits.
If you want to understand more about how controlled documents work within a management system, the article on what controlled documents are and how to implement them covers this in detail.
Common Mistakes That Lead to Non-Conformances
Copying a Template Without Customisation
This is the single most common issue. Businesses download a free OH&S policy template, change the company name, and submit it as their policy. Auditors see this constantly and they can spot it immediately. The language is generic, the commitments are vague, and there is no reference to the actual hazards or context of the business.
Templates can be a useful starting point, but they must be substantially rewritten to reflect your specific organisation. If you are considering using templates as part of a broader DIY approach, it is worth understanding when templates work and when they do not before you invest time in that path.
Policies That Are Too Long and Too Complex
Some businesses go the other direction and produce a five-page policy document that covers every conceivable safety topic in exhaustive detail. This creates problems too. The policy becomes difficult to communicate, workers do not read it, and the core commitments get buried in unnecessary content.
A well-written OH&S policy should be one to two pages at most. Save the detailed procedures and processes for your supporting documentation. The policy is a statement of intent and commitment, not an operational manual.
No Evidence of Communication to Workers
Having a great policy document is only half the job. ISO 45001 requires that the policy be communicated within the organisation. Auditors will ask workers whether they are aware of the policy and what it means. If workers have never seen or heard of the OH&S policy, that is a non-conformance regardless of how well-written the document is.
Keep records of how and when the policy was communicated. This could include toolbox talk records, induction training sign-off sheets, email distribution records, or evidence that the policy is displayed in the workplace. The communication method should be appropriate to your workforce.
Objectives Are Not Connected to the Policy
The policy must provide a framework for setting OH&S objectives. If your objectives have no logical connection to the commitments in your policy, auditors will flag this as a gap. For example, if your policy commits to reducing OH&S risks through hazard elimination, your objectives should include measurable targets related to hazard identification and risk reduction.
This connection between policy and objectives is part of what makes the management system coherent. Auditors look for this alignment across multiple clauses, not just Clause 5.2.
Practical Example: Before and After
To make this concrete, here is a simplified example of the difference between a weak policy statement and a strong one.
Weak version:
We are committed to providing a safe workplace for all employees and will comply with all relevant laws and regulations.
Stronger version:
ABC Fabrications is committed to providing a safe and healthy workplace for all workers, contractors, and visitors at our manufacturing facility in Brisbane. We will eliminate hazards and reduce OH&S risks through systematic identification, assessment, and control processes. We will meet and, where practicable, exceed our legal and regulatory obligations. We will consult with our workers and their representatives on matters that affect their health and safety. We will set and review OH&S objectives annually to drive continual improvement. Top management takes personal accountability for the performance of this OH&S management system.
The stronger version is specific to the organisation, covers the required commitments, and uses active language that demonstrates genuine intent. It is also concise and readable.
How the Policy Connects to the Rest of Your ISO 45001 System
Your OH&S policy does not exist in isolation. It connects to multiple other elements of your management system, and auditors will trace these connections during the audit.
The policy commitments to legal compliance connect to your legal register and compliance evaluation process. The commitment to worker consultation connects to your consultation and participation procedures and the records that demonstrate these processes are operating. The commitment to continual improvement connects to your management review process, internal audit program, and corrective action records.
If you are preparing for your first ISO 45001 certification, understanding the full scope of what ISO 45001 delivers will help you see how the policy fits into the bigger picture. The policy is the anchor point for the entire system, not just a standalone document.
It is also worth noting that psychosocial risks are increasingly being scrutinised during ISO 45001 audits. If your policy makes no reference to worker wellbeing beyond physical safety, auditors may probe whether your system adequately addresses mental health and psychosocial hazards, which are now firmly within scope of an effective OH&S management system.
Keeping the Policy Current
A policy that was written three years ago and has not been touched since is a red flag. ISO 45001 requires that the policy be appropriate to the context of the organisation, and contexts change. New hazards emerge, the business grows, operations change, legislation is updated.
Build a formal review of the OH&S policy into your annual management review cycle. Document the review even when no changes are made. A simple record noting that the policy was reviewed on a specific date, by whom, and the outcome of that review is sufficient. This demonstrates that the policy is actively managed rather than filed and forgotten.
The guide to checking whether your ISO management system is actually working covers how to assess the health of your system between audits, which includes reviewing whether foundational documents like your policy remain current and effective.
Getting Help When You Need It
Writing an ISO 45001 OH&S policy that genuinely satisfies the standard is not difficult once you understand what is required. But getting the nuances right, particularly around context, commitment language, and connection to the broader system, is where many businesses benefit from experienced guidance.
If you are unsure whether your policy will hold up under audit scrutiny, or if you are starting from scratch and want to get it right the first time, working with a qualified ISO 45001 consultant can save you significant time and the cost of rework after a failed audit. The ISO 45001:2018 standard itself provides the definitive requirements, and it is worth reading Clause 5.2 directly alongside this guide.
CertBetter connects businesses with verified ISO 45001 consultants and accredited certification bodies across Australia and globally. You submit one form and receive up to three competing quotes from vetted providers, completely free. Whether you need help writing your OH&S policy, building your full management system, or finding the right certification body, CertBetter makes it straightforward to find qualified help without the guesswork.




