Why ISO 45001 Takes Longer Than Most Businesses Expect
If your ISO 45001 certification is dragging on and you are not sure why, you are not alone. Delays in the ISO 45001 certification process are one of the most common frustrations I hear from businesses across Australia. Some organisations spend six months doing what should take three. Others hit the twelve month mark and still have not booked their Stage 2 audit. The certificate feels perpetually out of reach.
On this page
The honest truth is that most delays are predictable and preventable. They tend to fall into the same categories, regardless of industry or business size. Once you know what to look for, you can address the blockers before they cost you more time and money.
This article walks through the most common reasons ISO 45001 certifications stall, what each one actually looks like in practice, and what you can do about it right now.
Blocker 1: Leadership Is Not Genuinely Involved
ISO 45001 places significant weight on top management commitment. Clause 5.1 of the standard requires leadership to demonstrate active participation in the occupational health and safety management system, not just sign off on a policy document and hand the project to someone else.
In practice, what this often looks like is a business owner or senior manager who says they support the certification effort but never attends meetings, never reviews objectives, and never communicates the importance of the system to staff. The project then sits with a single internal coordinator who has no authority to make decisions, allocate resources, or get buy in from department heads.
This creates a bottleneck at almost every step. Procedures cannot be finalised without sign off. Risk assessments stall because the people who need to provide input are too busy and nobody above them is pushing for it. Internal audits get deprioritised because there is no visible mandate from above.
The fix here is straightforward but requires honesty. Leadership needs to treat ISO 45001 as a business project, not a compliance task delegated to one person. That means regular check ins, visible communication to staff, and genuine decision making authority given to whoever is running the implementation.
Get 3 ISO Quotes. 24 Hours Response
Tell us what you need and compare vetted ISO consultants or certification bodies within 24 hours. Free, no obligation.
Trusted by 400+ businesses like yours
Blocker 2: Hazard Identification and Risk Assessment Is Incomplete
The risk assessment process is where most ISO 45001 implementations genuinely slow down. Clause 6.1 requires organisations to identify hazards, assess occupational health and safety risks, and determine controls. For businesses with multiple work areas, shift workers, subcontractors, or complex physical environments, this is not a quick exercise.
The most common mistake is treating hazard identification as a desktop exercise. Someone sits in an office, lists the obvious hazards they can think of, and calls it done. When the consultant or auditor reviews the register, it is clearly incomplete. Hazards from manual handling, psychological risks, contractor activities, or emergency scenarios have been missed entirely.
Redoing a risk assessment from scratch adds weeks to the timeline. In some cases it adds months, particularly when the business needs to consult workers across multiple sites or shifts before the register can be considered thorough.
If you want to avoid this blocker, get the hazard identification process right the first time. Walk the work areas physically. Talk to frontline workers, not just supervisors. Include hazards from routine and non routine tasks, maintenance activities, emergencies, and the activities of contractors and visitors. The ISO 45001 standard itself provides clear guidance on what needs to be considered in the hazard identification process.
You might also find it useful to read our beginner's guide to implementing ISO 45001 for a structured walkthrough of how this process fits into the broader system.
Blocker 3: Documentation Is Either Overwhelming or Inadequate
Documentation problems come in two flavours and both cause delays.
Too Much Documentation
Some businesses, particularly those advised by consultants who work from generic templates, end up with dozens of procedures that do not reflect how the business actually operates. Staff do not follow them because they do not recognise their own work in the documents. Auditors quickly identify the gap between what is written and what is done. The whole system needs to be revised before the certification audit can proceed.
Too Little Documentation
Other businesses go the opposite direction and assume that because ISO 45001 does not prescribe specific documented procedures in the same way older standards did, they barely need any documentation at all. This is also incorrect. The standard does require certain documented information, including the scope, the OHS policy, objectives, legal and other requirements, hazard identification and risk assessment results, competence records, monitoring and measurement results, and records of corrective actions, among others.
When documentation is missing or incomplete ahead of the Stage 1 audit, the auditor will flag it and the business will need time to address the gaps before Stage 2 can proceed. That gap between Stage 1 and Stage 2 is where many certifications sit idle for months.
The right approach is to document what you actually do, at a level of detail that ensures consistent outcomes. If a procedure is so vague that two different workers would interpret it in two different ways, it needs more detail. If it is so prescriptive that nobody reads it, it needs to be simplified.
Blocker 4: Legal and Regulatory Compliance Is Not Mapped
ISO 45001 requires organisations to identify and have access to the legal requirements and other requirements that apply to their OHS hazards. In Australia, this means Work Health and Safety legislation at the state or territory level, codes of practice, Australian Standards referenced in regulations, and any industry specific requirements.
Many businesses underestimate how long it takes to build a proper legal register. They assume they know what applies to them, but when they actually sit down to document it, gaps appear. A construction company might have missed specific requirements around working at heights. A food manufacturer might not have fully mapped manual handling regulations. A transport business might have overlooked fatigue management requirements.
When the legal register is incomplete or inaccurate, the risk assessment is also likely to be incomplete, because the two are closely linked. Fixing one often means revisiting the other. This back and forth adds significant time to the implementation.
If your business operates across multiple states, this becomes even more complex. WHS legislation is not fully harmonised across all Australian jurisdictions, so what applies in Queensland may differ from what applies in Western Australia. This needs to be mapped carefully.
Blocker 5: Worker Consultation and Participation Is Treated as a Formality
One of the distinguishing features of ISO 45001 compared to its predecessor OHSAS 18001 is the strong emphasis on worker consultation and participation. Clause 5.4 requires organisations to establish processes for workers at all levels to participate in the development and review of the OHS management system, including hazard identification, risk assessment, and the determination of controls.
Many businesses treat this as a box ticking exercise. They hold one toolbox talk, record attendance, and consider consultation done. Auditors see through this immediately. When workers are interviewed during the certification audit and cannot describe how they contributed to the system or how they raise safety concerns, it is a major finding.
Addressing this finding after the audit means going back and genuinely building consultation into your processes, which takes time. The better approach is to build real consultation mechanisms from the start. This does not have to be complicated. It can mean regular safety meetings where workers have a genuine voice, a simple process for reporting hazards, and evidence that the feedback workers provide is actually acted on.
For context on how OHSAS 18001 differed from ISO 45001 and why these changes matter, our article on what is OHSAS 18001 and why it changed to ISO 45001 is worth reading.
Blocker 6: Internal Audits Are Not Completed Before the Certification Audit
This is one of the most common reasons Stage 2 audits get pushed back. The certification body requires evidence that the management system has been operating for a period of time and that internal audits have been completed. If you arrive at Stage 2 without a completed internal audit cycle, the certification audit cannot proceed.
Internal audits are often left until the last minute because they feel like a lot of work and because the system is still being developed. But a partially implemented system that has been audited internally is in a much better position than a fully documented system that has never been tested.
Start your internal audit program early, even if the system is not yet complete. Audit the areas that are ready. Use the findings to drive improvement before the certification auditor arrives. This is exactly what the standard intends, and it demonstrates to the auditor that the system is genuinely operational rather than freshly assembled for the occasion.
Our guide on how to run ISO internal audits that actually find problems covers the practical steps in detail.
Blocker 7: Management Review Has Not Been Conducted
Similar to internal audits, management review is a mandatory input into the certification audit. Clause 9.3 requires top management to review the OHS management system at planned intervals to ensure its continuing suitability, adequacy, and effectiveness.
Many businesses either skip the management review entirely or conduct it so superficially that it does not meet the standard's requirements. A management review is not a ten minute conversation. It needs to cover specific inputs including audit results, performance against objectives, changes in legal requirements, and opportunities for improvement. The outputs need to be recorded.
If the management review has not been conducted before the Stage 2 audit, or if the records are inadequate, the auditor will raise a nonconformity. Addressing it means scheduling and conducting the review, which adds time before the certificate can be issued.
Blocker 8: Choosing the Wrong Consultant or Certification Body
The people you engage to support your ISO 45001 journey have a significant impact on how long it takes. A consultant who does not have genuine OHS experience, or who provides generic templates without understanding your industry, will slow you down rather than speed you up. You will spend time correcting their work or explaining your business to them from scratch.
Similarly, choosing a certification body that has a long audit scheduling backlog, poor communication, or limited experience with your industry can add months to your timeline. Some businesses book their Stage 1 audit only to find the next available Stage 2 slot is four months away. Others receive audit reports with findings that are vague or poorly explained, making it difficult to close out nonconformities efficiently.
Before you engage anyone, check their credentials, ask for references from businesses in your industry, and get a clear project timeline in writing. Our article on how to select the best ISO consultant for certification covers the key questions to ask before you commit.
You should also understand the difference between a consultant and a certification body, and what each one actually does. These are two separate engagements with different purposes, and confusing them is a common mistake that leads to wasted time and money.
Blocker 9: Corrective Actions From Stage 1 Are Not Closed Properly
The Stage 1 audit is designed to assess your readiness for certification. It will typically identify gaps that need to be addressed before Stage 2. These might be minor, such as a missing procedure, or more significant, such as an incomplete risk assessment or lack of legal compliance documentation.
The problem many businesses run into is that they close corrective actions superficially. They update a document to address the finding on paper without actually changing the underlying practice. When the Stage 2 auditor looks for evidence that the corrective action was effective, they find nothing. This results in new nonconformities at Stage 2, which pushes the certificate out further.
Close corrective actions properly. For each finding, identify the root cause, implement a genuine fix, and collect evidence that the fix is working. If the gap was a missing procedure, the evidence is not just the new document. It is also records showing the procedure is being followed in practice.
How Long Should ISO 45001 Certification Actually Take?
For a small to medium business with a single site and a reasonably well organised existing safety system, ISO 45001 certification should take between three and six months from the start of implementation to the issue of the certificate. For larger organisations, multi site businesses, or those starting from scratch with no existing safety management framework, nine to twelve months is more realistic.
If your implementation is heading past these timeframes, it is worth doing an honest assessment of which of the blockers above are at play. In most cases, the delay is not random. It traces back to one or two specific issues that can be addressed with focused effort.
For a broader look at what the certification process involves from start to finish, our article on 7 steps to achieve ISO certification gives a clear overview that applies across most management system standards.
Getting the Right Support Makes a Real Difference
One of the fastest ways to cut through the common blockers is to work with people who have done this before and know where the delays typically come from. A good consultant will flag risks early, keep the project moving, and prepare you properly for each audit stage. A responsive certification body will give you clear feedback and reasonable scheduling.
If you are struggling to find the right consultant or certification body for your ISO 45001 project, CertBetter can help. You submit one form and receive up to three competing quotes from verified providers who have been assessed for credentials and industry experience. The service is free for businesses, and it removes the guesswork from finding someone you can actually trust with your certification journey.
