ISO 45001 - Occupational Health & Safety

ISO 45001:2018 is an international standard that defines the requirements for an occupational health and safety management system. Its predecessor, OHSAS 18001, has been withdrawn after more than 20 years of successful service.
The certification of an occupational health & safety management system represents credible evidence that the organization has established and implemented effective controls to prevent work-related injuries and ill health and that it is constantly looking to improve its occupational health & safety performance.
RIGCERT is accredited for the certification of occupational health & safety management systems according to ISO 45001:2018. Our accreditation certificate is available here.

ISO 45001 defines the requirements that must be met in order for an organization to establish an occupational health and safety (OH&S) management system that can be audited and certified to prove its conformity with the standard. Below we explain the requirements of ISO 45001:2018, noting that the requirements of the standard have to be understood and implemented taking into consideration the specifics of each organization, its OH&S hazards and risks.


The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of the OH&S management system. This requirement is similar to what we find in the 2015 versions of ISO 9001 or ISO 14001 so an organization that implements an integrated management system can perform this identification once, and answer the requirements of several standards. Parties that have an interest in the occupational health and safety management system of the organization (in addition to the company’s workers) shall be identified along with their relevant needs and expectations. Here are some examples of interested parties (apart from workers) applicable to most organizations: authorities, customers, partners, suppliers, local community, NGOs, etc.
The organization must define the scope of its occupational health & safety management system which includes activities, products and services within the organization’s control or influence that can impact its OH&S performance. The scope of the OH&S management system shall be maintained as documented information.


Top management is required to demonstrate leadership and commitment with respect to the OH&S management system by: taking responsibility and accountability for the prevention of work-related injuries and ill health, providing the needed resources, protecting workers from reprisals for reporting hazards or incidents, developing a culture that values health and safety, etc. An occupational health and safety policy must be established by top management and communicated within the organization. Top management shall define roles, responsibilities and authorities for personnel and ensure that they are communicated and understood in the organization.
Also, top management shall ensure that workers are consulted and participate in OH&S-related decisions that have an impact on their day-to-day activities.


The organization shall develop a process to identify occupational health & safety related hazards by taking into consideration aspects like: how work is organized, social factors, routine and non-routine activities, past incidents, potential emergency situations or the people involved.
Occupational health and safety risks as well as other risks (that refer to the establishment and implementation of the management system) must be assessed according to a methodology that provides a systematic approach. In many countries there is legislation asking for the assessment of OH&S risks and the organization can use this assessment in order to answer the requirement of the standard.
ISO 45001 asks for an assessment of opportunities to enhance the OH&S performance and the management system of the organization. Legal and other requirements (i.e. requirements that can be derived from contracts, from participation in voluntary OH&S initiatives, requirements of customers, etc.) applicable to the OH&S hazards and risks shall be identified and maintained up to date. The organization is required to establish OH&S objectives, plan and monitor their achievement.


Resources needed for the establishment, implementation, maintenance and continual improvement of the OH&S management system must be determined and made available by the organization.
The standard asks the organization to determine the necessary competence for workers that may affect the OH&S performance and ensure that workers are competent. Whenever needed, the company must act to acquire and maintain needed competence (i.e. through training, recruitment, mentoring or other methods). Awareness is an important aspect in occupational health and safety and the organization must ensure that its workers are aware of aspects like: the OH&S policy, their contribution to the OH&S performance, hazards and risks that are relevant to them, OH&S incidents and their investigation and the ability to remove themselves from work situations that they consider to present an imminent and serious danger to their life or health. Effective communication processes on OH&S matters are required by ISO 45001 and the organization must take into consideration here aspects like: gender, language, culture, literacy or disability of its people. Communication obligations (e.g. with local authorities) must be fulfilled and the organization needs to respond to OH&S-related communication from outside. The OH&S management system must be supported by documented information. The extent of the documentation differs depending on the structure and size of the organization, on its activities, its OH&S hazards and risks, its products and services. ISO 45001 requires the organization to establish and follow rules for creating and updating documented information (defining a format for the documents, the media – paper and/or electronic, controls for the review and approval of documents). Controls of documented information must be implemented, specifically to address: access, distribution, retrieval, use, storage, preservation, control of changes, retention and disposition. The controls refer to both documents created inside the organization and documents of external origin (e.g. documents from clients, external suppliers, etc.).


ISO 45001:2018 asks the organization to address OH&S hazards and risks using the following hierarchy of controls: elimination, substitution, engineering controls, administrative controls and provision of adequate personal protective equipment. Changes in the organization can bring new OH&S hazards or can modify the levels of risks, so ISO 45001 requires the organization to control planned changes and ensure that adverse impacts are mitigated, while in the case of unintended changes the standard asks for a review of consequences and actions as required. The procurement process must be controlled to ensure that products and services purchased conform to requirements and do not bring new OH&S hazards and risks. The organization must coordinate with contractors to ensure that they meet OH&S requirements. Outsourcing arrangements shall be controlled in terms of OH&S aspects. The company needs to implement processes to prepare for and respond to emergency situations. ISO 45001 requires that the organization is capable of responding in time and providing first aid in case of an emergency situation. The arrangements for emergency situations shall be tested periodically and improved as required.


ISO 45001:2018 asks the organization to have processes for measuring, monitoring, analysis and evaluation of its OH&S performance. The requirement is to decide what needs to be measured and monitored, to establish the methods, to define criteria and specify when measuring and monitoring will be performed. If equipment is required for monitoring and measuring, then it needs to be calibrated/verified according to specifications. The organization has to evaluate its compliance with applicable OH&S legislation and other requirements and retain documented information as evidence of this process. At planned intervals the standard asks the organization to perform internal audits of the OH&S management system, to ensure that it conforms to requirements and is effectively implemented and maintained. Top management shall periodically review the occupational health & safety management system to ensure its continuing suitability, adequacy and effectiveness.


The organization shall determine and implement opportunities to improve its OH&S performance and the OH&S management system. When incidents or nonconformities are identified the organization shall: react in a timely manner to control the situation and deal with the consequences; evaluate the need for corrective actions to eliminate the root cause of the incident or nonconformity; implement corrective actions and evaluate their effectiveness. Lastly, the standard asks that the organization acts to improve continually the suitability, adequacy and effectiveness of its OH&S management system.

In short, those are the requirements of ISO 45001:2018. The standard is generic and those requirements must be adapted to the specifics of each organization, to its activities and processes, its OH&S hazards and risks.

The certification of the OH&S management system helps the organization prove its commitment and arrangements to safeguard the health and safety of its employees and of other persons that can be present in the workplace (e.g. contractors, visitors, etc.).

The OH&S management system can be implemented individually or it can be part of an integrated management system that responds to the requirements of more than one standard.

If you're interested in more information about the requirements for an occupational health and safety management system, you can check our online course below.
For certification purposes please contact us by e-mail at


Frequently asked questions

It is a set of elements (policies, processes and procedures) used by an organization to fulfil its objectives and perform its tasks. A management system can address a single discipline (e.g. quality management system or information security management system) or several disciplines at the same time, in what is referred to as an integrated management system. It is the choice of the organization what type of management system it chooses to implement and certify.

For every discipline there are specific standards that define the requirements for a management system (e.g. ISO 9001, ISO 14001 or ISO/IEC 27001). An organization wishing to obtain the certification of its management system has to demonstrate during an initial certification audit that it fulfils the requirements of the specific standards used as reference for certification.

Regardless of the discipline all management systems generally require organizations to define roles, responsibilities and authorities for personnel, document policies, establish objectives and actions to achieve them, demonstrate operation in controlled conditions, monitor, measure, analyze and evaluate performance and act to continually improve the system.

A management system can be implemented by the organization using internal resources or with the help of external consultants. The management system needs to be maintained and continually improved.

To be useful, a management system should become an integral part of the organization’s activities and not a set of requirements separated from operational routine.

The support from top management is vital for the success of a management system in the organization.

Certification is an attestation from a third party (usually called registrar or certification body) that the management system implemented by an organization fulfills the requirements of applicable standard(s).

So, in fact, the subject of certification is not the organization but its management system.

The certification process begins with the application sent by the organization looking to obtain certification. It has to be a written application, and it is useful to the certification body for understanding what is required and for planning the resources needed to provide the certification services.

A contract for the certification is signed.

The certification audit is done to evaluate how the requirements of the standard(s)/reference documents are implemented. The audit team is made up of one or several members and the audit duration depends on a series of factors like the standards for certification involved, the size of the organization, its activities, locations, etc.

In case the conclusions of the audit are positive and there are no other elements that may affect the certification, the certification body issues the conformity certificate(s).

The document General rules for the certification of management systems contains detailed information about how the certification process works and what the requirements are for obtaining and maintaining certifications.

Management system certifications are valid for 3 years, with the condition that successful yearly surveillance audits are performed (in the first and second year after certification). Surveillance audits are meant to evaluate if the management system certified continues to respect applicable requirements.

The certification program is the document that specifies the planning of surveillance audits and it is communicated to the organization at certification date.

In the third year the recertification audit takes place and the organization enters another 3-year certification cycle under conditions similar to the previous one.

In case surveillance audits are not performed as scheduled the certification may be suspended. During suspension the certification is temporarily invalid. If during suspension the situation is not corrected the certification is withdrawn.

Appeals refer to decisions of RIGCERT with regards to a certain certification (e.g. not granting, suspending, withdrawal, etc) while complaints may refer to a series of aspects like: the personnel working on behalf of RIGCERT, activities of the organizations certified by RIGCERT, activities of third parties connected to RIGCERT, etc.

Appeals and complaints should be sent at and are treated confidentially.

RIGCERT personnel involved in the review and decision regarding a certain appeal or complaint have not been involved in the case being reviewed.

The review can include actions like performing special audits or requesting information from the parties involved, and is concluded with a formal decision communicated to the appellant and/or complainant.

Detailed information on the appeals and complaints handling process is available in the document General rules for the certification of management systems.
