ISO 45001 Timeline for a 50 Person Company

CertBetter

Team CertBetter

14 min read
ISO 45001 Timeline for a 50 Person Company

How Long Does ISO 45001 Actually Take for a 50 Person Business?

If you run a business with around 50 employees and someone has asked you to get ISO 45001 certified, the first question you probably have is: how long is this going to take? It is a fair question, and unfortunately most of the answers you will find online are vague to the point of being useless. “Three to twelve months” is technically accurate but tells you almost nothing.

This article gives you a realistic, stage by stage ISO 45001 timeline built specifically around a 50 person company. Not a multinational. Not a sole trader. A mid-sized business with real operational complexity, limited internal resources, and a management team that has other things to worry about.

The short answer is that most 50 person businesses take between six and ten months to achieve ISO 45001 certification from a standing start. Some do it in four months with strong consultant support and a motivated team. Others drag it out past twelve months due to competing priorities, staff turnover, or underestimating what is actually involved. Understanding the stages will help you plan more accurately and avoid the most common delays.

Why Company Size Actually Matters for ISO 45001 Timelines

ISO 45001 is the international standard for occupational health and safety management systems. It applies to any organisation regardless of size or industry, but the practical demands of implementation scale with the complexity of your operations, the number of workers involved, and the variety of hazards you need to manage.

A 50 person company sits in an interesting middle ground. You are large enough that you cannot cut corners or rely on informal safety practices. You have enough staff that worker consultation, competency assessment, and role-specific training take real time. But you are also small enough that you probably do not have a dedicated WHS manager, which means implementation work falls on someone who already has a full-time job.

That last point is the biggest driver of timeline blowouts in businesses of this size. The person responsible for the ISO 45001 project, whether that is an operations manager, HR lead, or the business owner themselves, is typically juggling it alongside their normal responsibilities. This is normal, and it is something a good consultant will factor into the project plan from the start.

If you want to understand the full scope of what the standard requires before diving into timelines, the ISO 45001 beginner's guide is a good starting point.

The Six Stages of ISO 45001 Certification and How Long Each Takes

Stage 1: Gap Analysis and Initial Assessment (Weeks 1 to 3)

Before you can build anything, you need to know where you currently stand. A gap analysis compares your existing health and safety practices against the requirements of ISO 45001 and identifies what is missing, what needs to be formalised, and what is already in decent shape.

For a 50 person business, a thorough gap analysis typically takes two to three weeks. If you are working with a consultant, they will usually conduct site visits, interview key staff, review existing documentation, and produce a written report that maps out the gaps and prioritises the work ahead.

What the gap analysis commonly uncovers in businesses of this size includes an absence of a formal hazard identification and risk assessment process, inconsistent incident reporting practices, no documented emergency response procedures, incomplete contractor management records, and a lack of any structured worker consultation mechanism. None of these are unusual findings. They are simply the starting point.

The output of this stage is a project plan with realistic milestones. Do not skip the gap analysis or rush it. A poorly scoped project is the single biggest cause of timeline blowouts later on.

Stage 2: Documentation Development (Weeks 4 to 10)

This is usually the most time-consuming stage for a 50 person business. ISO 45001 requires a range of documented information, and while the standard gives you flexibility in how you document things, you still need to cover the key requirements.

The core documents you need to develop include an OH and S policy, a hazard register and risk assessment process, safe work method statements or job safety analyses for higher-risk tasks, emergency response plans, incident and near-miss reporting procedures, a legal compliance register, a worker consultation and participation process, objectives and targets, and a management review process.

That is a significant body of work. For a business where one person is driving the project part-time, eight weeks is a realistic estimate for getting these documents drafted, reviewed, and approved. If you have a consultant doing the heavy lifting on document templates, you can compress this to five or six weeks, but someone internally still needs to review everything, customise it to your actual operations, and get sign-off from senior management.

A common mistake at this stage is treating documentation as a box-ticking exercise. Auditors are experienced at spotting generic templates that have not been adapted to the business. Your hazard register needs to reflect your actual workplace hazards. Your emergency procedures need to match your actual site layout. Generic documents that do not reflect reality will create problems at audit.

Stage 3: Implementation and Embedding (Weeks 8 to 18)

Documentation alone does not get you certified. You need to demonstrate that your OH and S management system is actually operating. This means the processes you have documented need to be running in practice for a period of time before you go to audit.

For a 50 person business, the implementation stage typically runs alongside the tail end of documentation development and continues for around two to three months. During this period you are rolling out the new processes across the business, training staff on their responsibilities, running hazard identification activities, conducting toolbox talks, recording incidents and near-misses, and building up the evidence base that shows the system is functioning.

Worker participation is a specific requirement of ISO 45001 that catches many businesses off guard. The standard is explicit that workers must be involved in the development and review of the OH and S management system, not just told about it after the fact. For a 50 person company, this might mean forming a WHS committee, running consultation sessions, or establishing a process for workers to raise hazards and contribute to risk assessments. This takes time to set up and even more time to demonstrate it is working consistently.

Getting genuine worker buy-in is also a practical challenge. Staff who see the ISO project as something management is doing to them, rather than with them, tend to disengage quickly. The guide to worker participation in ISO 45001 covers practical approaches to making this work in a business of your size.

Stage 4: Internal Audit (Weeks 14 to 20)

Before you book your external certification audit, you need to run at least one internal audit of your OH and S management system. This is a requirement of the standard, not an optional preparation step.

An internal audit checks whether your system is conforming to the requirements of ISO 45001 and whether it is being implemented effectively. For a 50 person business, a full internal audit typically takes one to two days of audit time plus time for reporting and follow-up.

The internal auditor needs to be competent and independent from the areas being audited. This is where many small businesses hit a practical constraint. If you only have one person managing the ISO project, they cannot audit themselves. Options include training another staff member to conduct the audit, using a consultant to run the internal audit on your behalf, or bringing in a freelance auditor for a day.

The internal audit will almost certainly find nonconformities and areas for improvement. That is the point. You want to find and fix problems before the external auditor does. Allow two to four weeks after the internal audit to address findings before proceeding to the Stage 1 external audit.

If you want a practical guide to running internal audits that actually add value rather than just producing paperwork, the article on running ISO internal audits that find real problems is worth reading before you start.

Stage 5: Management Review (Weeks 16 to 22)

ISO 45001 requires a management review before certification. This is a formal meeting where senior management reviews the performance of the OH and S management system, considers inputs including audit results, incident data, legal compliance status, and worker consultation feedback, and makes decisions about resources and improvements.

For a 50 person business, the management review is typically a one to two hour meeting with the leadership team. The key is that it needs to be documented properly, with minutes that capture the inputs reviewed, the outputs decided, and the actions assigned. A management review that consists of the owner nodding along while someone reads out a document does not satisfy the standard.

Schedule the management review after you have at least a few months of system operation data to review. Running it too early, before you have incident records, audit results, and consultation outputs to discuss, means you have nothing meaningful to put on the table.

Stage 6: External Certification Audit (Weeks 20 to 28)

The external certification audit is conducted by an accredited certification body and happens in two stages. The Stage 1 audit, sometimes called a document review or readiness audit, is typically a one day assessment where the auditor reviews your documentation, confirms your scope, and determines whether you are ready to proceed to Stage 2. The Stage 2 audit is the full on-site certification audit where the auditor verifies that your system is implemented and effective.

For a 50 person business, the Stage 2 audit typically runs for one and a half to two days. The auditor will interview staff at various levels, observe work practices, review records, and test whether the system is genuinely embedded rather than existing only on paper.

There is usually a gap of two to six weeks between Stage 1 and Stage 2 to allow you to address any issues raised in the Stage 1 report. After Stage 2, if there are minor nonconformities, you typically have thirty to ninety days to close them out before the certificate is issued. Major nonconformities require a follow-up visit before certification can proceed.

Choosing the right certification body matters more than many businesses realise. The guide to selecting the best ISO certification body covers what to look for, including accreditation status, industry experience, and audit day pricing.

Realistic Timeline Summary for a 50 Person Business

Putting all of this together, here is a realistic month by month timeline for a 50 person company pursuing ISO 45001 certification with part-time internal resource and consultant support.

  • Month 1: Gap analysis, project scoping, and initial planning
  • Months 2 and 3: Documentation development, policy drafting, and procedure writing
  • Months 3 to 5: Implementation, staff training, worker consultation setup, and evidence collection
  • Month 5: Internal audit and management review
  • Month 6: Corrective actions from internal audit, final preparation
  • Months 6 to 8: Stage 1 and Stage 2 external certification audits
  • Month 8 to 9: Close out of any nonconformities and certificate issued

This puts the total timeline at around seven to nine months for a typical 50 person business. Businesses that move faster, usually those with a dedicated internal resource and strong leadership commitment, can complete the process in four to six months. Businesses that treat it as a background project with no dedicated time tend to take twelve months or more.

What Slows Down ISO 45001 Certification for Mid-Sized Businesses

Leadership Disengagement

ISO 45001 has stronger leadership requirements than many other management system standards. Senior management needs to be visibly involved, not just sign off on a policy and disappear. If the leadership team sees ISO 45001 as an administrative exercise delegated entirely to one person, the system will struggle to get traction and the auditor will notice.

Underestimating the Worker Consultation Requirement

This is the requirement that most commonly surprises businesses during their first ISO 45001 audit. The standard requires genuine, two-way consultation with workers. Not a newsletter. Not a policy posted on the noticeboard. A structured process where workers can raise hazards, contribute to risk assessments, and provide feedback on the system. Setting this up properly takes time, and demonstrating it is working consistently takes even more time.

Contractor and Visitor Management Gaps

For many 50 person businesses, contractors represent a significant portion of the workforce or at least a regular presence on site. ISO 45001 requires you to manage the OH and S risks associated with contractors, which means induction processes, competency verification, and coordination of work activities. If your contractor management is currently informal, formalising it takes time and often requires buy-in from the contractors themselves.

Scope Creep and Over-Documentation

Some businesses, particularly those working with less experienced consultants, end up building a system that is far more complex than necessary. A 50 person business does not need a 200-page safety management system. Overly complex documentation is harder to implement, harder to maintain, and harder to explain to an auditor. Keep the scope and documentation proportionate to your actual risk profile and operational complexity.

How Much Does ISO 45001 Certification Cost for a 50 Person Business?

Timeline and cost are closely related because the more time your consultant spends on the project, the more it costs. For a 50 person business in Australia, the total cost of achieving ISO 45001 certification typically ranges from around $8,000 to $20,000 depending on the consultant you use, the certification body you choose, and how much internal work your team can absorb.

The ISO 45001 certification cost guide for Australia breaks down what you can expect to pay across consulting, audit fees, and ongoing surveillance costs, with real pricing data from over 50 providers.

Getting multiple quotes before committing is always worth doing. Prices vary significantly between providers, and the cheapest option is rarely the best value. A consultant who charges less but takes twice as long, or produces documentation that does not survive audit, costs you more in the long run.

Should You Use a Consultant for ISO 45001 at This Size?

For a 50 person business, the honest answer is almost certainly yes, at least for the initial certification. The standard is detailed, the documentation requirements are substantial, and the gap between what businesses think they have in place and what ISO 45001 actually requires is usually larger than expected.

A good consultant will compress your timeline significantly, help you avoid common pitfalls, and give you a much better chance of passing the Stage 2 audit without major nonconformities. They will also help you build a system that is proportionate to your business, rather than an over-engineered monster that nobody actually uses.

That said, not all consultants are equal. Some have deep WHS expertise. Others are generalists who apply the same template to every client regardless of industry. For a business with significant physical hazards, you want someone who understands your industry and has practical safety experience, not just ISO knowledge.

If you are trying to find and compare qualified ISO 45001 consultants without spending weeks making calls and chasing quotes, CertBetter makes that process straightforward. You submit one form describing your business and what you need, and you receive up to three competing quotes from vetted consultants and certification bodies. It is free for businesses to use, and it saves you the time and uncertainty of sourcing providers on your own.

Get 3 ISO Quotes. 24 Hours Response

Tell us what you need and compare vetted ISO consultants or certification bodies within 24 hours. Free, no obligation.

Trusted by 400+ businesses like yours

Frequently Asked Questions

Most 50 person businesses take between six and ten months to achieve ISO 45001 certification from a standing start. Businesses with dedicated internal resources and strong consultant support can complete the process in four to six months. Those treating it as a background project alongside other priorities often take twelve months or more. The biggest variables are how much internal time you can dedicate to the project and how quickly you can demonstrate that your system is operating in practice, not just documented on paper.

You are not required to use a consultant, but for a 50 person business attempting ISO 45001 for the first time, having experienced support significantly improves your chances of passing the audit without major issues and reduces the total time the project takes. A consultant can handle document development, guide your implementation, run your internal audit, and prepare your team for the external audit. The cost is usually offset by the time saved and the reduced risk of costly delays or failed audits.

The Stage 1 audit is a document review and readiness check, usually conducted off-site or in a brief on-site visit. The auditor reviews your documentation, confirms your scope, and assesses whether you are ready to proceed to the full certification audit. The Stage 2 audit is the full on-site assessment where the auditor verifies that your system is implemented, operating, and effective. For a 50 person business, Stage 2 typically runs for one and a half to two days and involves interviews with staff, observation of work practices, and review of records.

The number of audit days is determined by the certification body based on factors including employee numbers, number of sites, and the complexity of your operations and hazards. For a single-site 50 person business, the Stage 2 audit typically runs for one and a half to two days. High-risk industries such as construction, manufacturing, or mining may attract additional audit time. The ISO 45001 standard itself does not specify audit duration, as this is governed by the certification body's procedures in line with IAF guidance.

The most common causes of timeline blowouts for 50 person businesses include leadership disengagement from the project, underestimating the worker consultation requirement, gaps in contractor management that take time to formalise, and the internal project lead not having enough dedicated time to drive the work forward. Businesses that assign ISO 45001 to someone as a side task on top of their existing role almost always take longer than those who carve out dedicated time for the project each week.

Yes, and for most businesses the ongoing maintenance burden is lower than the initial implementation effort. After certification, you are required to conduct annual surveillance audits, run ongoing internal audits, hold management reviews, maintain your hazard register and incident records, and continue your worker consultation processes. The key is building these activities into your regular business rhythm rather than treating them as separate compliance tasks. Businesses that integrate ISO 45001 into how they actually manage safety find it sustainable. Those that treat it as a separate compliance layer tend to struggle at surveillance audits.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.

ISO 45001 Timeline for a 50 Person Company - CertBetter