This toolkit provides step-by-step guidance for implementing the requirements of ISO 45001 Occupational Health and Safety Management Systems. It explains the main clauses of the Standard and provides links to key information and templates on the website.

What is an occupational health and safety management system?

An occupational health and safety management system (OHSMS) is a set of processes and practices that provide a framework for managing the risks to health and safety at work. It aims to prevent work-related injury and ill health and continually improve the organisation’s health and safety performance.

ISO 45001 is not a compliance system — it is a management system (although compliance is a required element of it). It should be part of the whole business strategy. ISO 45001 is applicable to all organisations and businesses, regardless of size and type. It is the successor to BS OHSAS 18001.

Why have an OHSMS?

All business activities, products and services can create health and safety risks. The business benefits of adopting an OHSMS include improved health and safety performance and productivity, and reduced risks and liabilities. In turn, this can lead to a happier workforce, reduced costs and improved reputation.

Implementing an OHSMS demonstrates a high level of commitment to both manage and minimise health and safety risk within the organisation and a willingness to act responsibly by anticipating and responding to the concerns and expectations of the workforce, regulators, investors and other stakeholders.

How to implement your OHSMS

1. Set the scope

Determine the scope of the OHSMS, ie what is to be included in it and which locations or sites, etc. It can include the whole of the organisation, or selected departments or functions.

2. Establish the context of the organisation

Understanding the context in which your organisation operates helps to identify the key health and safety issues. ISO 45001 sees these issues as being a core part of the strategic planning process, so that your OHSMS contributes to the overall business goals of your organisation.

Issues relevant to the context of your organisation can be classified under three headings.

  1. Changing expectations on occupational health and safety, internal or external. These might include technological and market changes, or changes in ethical policies or business direction. Perhaps undertake a SWOT (strengths, weaknesses, opportunities and threats) exercise.

  2. External issues: legal, regulatory, economic, political or cultural. A PESTLE (political, economic, social, technological, legal and environmental) exercise could help here.

  3. Internal issues: activities, products and services, strategic direction, culture and capabilities that may affect current and future occupational health and safety performance.

3. Focus on leadership

Managers at the highest level in your organisation have ultimate responsibility for ensuring the effective implementation and maintenance of the OHSMS.

They must ensure that the occupational health and safety policy and underlying objectives are compatible with the context of the organisation. Leadership involves:

  • ensuring that the resources needed for the OHSMS are available

  • directing and encouraging staff to contribute to the effectiveness of the management system and promoting continual improvement (compared to BS 18001, ISO 45001 has a much greater emphasis on workforce consultation and participation; it is a leadership responsibility to ensure this is achieved)

  • supporting other management roles as applies to responsibility for the OHSMS.

4. Set your health and safety policy

A health and safety policy should incorporate a set of principles and objectives to:

  • provide safe and healthy working conditions for the prevention of injury and ill health

  • fulfil legal and other requirements

  • eliminate hazards and reduce health and safety risks

  • commit to worker consultation and participation.

See our template health and safety policy. This can be adapted to your organisation.

5. Clarify roles and responsibilities

Staff involved in health and safety should have a clear understanding of their roles, responsibilities and level of authority. Consider who will have overall responsibility for the implementation and maintenance of the OHSMS, and for reporting to top management on progress. You could start with the Responsibilities of Directors and Senior Managers.

6. Consider risks and opportunities

ISO 45001 requires that risks and opportunities should be incorporated in the planning process by the following means.

  • Hazard identification, including considering the design of the work area and the vicinity around it; hazards could relate to occupational health as much as safety.

  • Determining legal and other requirements.

  • Identifying the risks and opportunities that impact on the OHSMS; in some complex organisations the leadership team may need to decide upon the priorities due to cost considerations.

The Managing Organisational Risks and Opportunities: Example is a very useful starting point.

7. Understand your compliance obligations

ISO 45001 certification requires organisations to comply with health and safety legislation. This requires up-to-date knowledge of the regulations relating to your organisation’s process, an understanding of how compliant the organisation is, and a means of continually monitoring for any changes.

A legal register is one way of doing this. If your subscription includes it, our simple Legal Register Tool can be found at the top of the Home Page or as a drop-down option under your login name. You can also find relevant legislation by work activity or subject area; remember that each Croner-i topic has a List of Relevant Legislation at the end of its In Depth section.

8. Set health and safety objectives and actions

The risks and opportunities facing the organisation should inform your health and safety objectives. These might include opportunities to eliminate hazards, to adapt work or working practices, or to better monitor health risks.

The objectives and other actions of an OHSMS should follow the health and safety policy and flow directly into day-to-day operational controls. As with other management standards, ISO 45001 can be integrated with the Plan-Do-Check-Act cycle.

9. Provide support and communicate

Implementing and maintaining an OHSMS that delivers continual occupational health and safety performance improvement will draw on your organisation’s staff. The other resources needed, eg financial, technological, human or material, will depend on your organisation’s activities and processes and the aims set out in the health and safety policy.

Communicate clearly with employees and stakeholders to raise staff awareness of health and safety issues and provide training to improve competence levels where required. Clauses 7.4.1, 7.4.2, 7.4.3 and 8.1.4 of ISO 45001 should be read in detail as these outline the processes expected in terms of the types and methods of communication and consultation, whether with the workforce, contractors or other interested parties.

10. Document information

It is important to create and maintain documented information to record and monitor progress and to demonstrate improvements in health and safety performance. Put in place systems to control the organisation’s documents.

See the Document Management and Records and Record Keeping topics.

11. Control operations

Establishing operational control ensures that OHSMS activities or projects function properly and that any identified risks to safety or occupational health are managed. Consider these Safe Systems of Work or Permits to Work forms.

If your organisation outsources any processes or uses contractors, then the health and safety objectives should consider how far their activities need to be taken into account. This will be proportionate to their contribution to the organisation’s risks and opportunities. The idea that contractors are solely responsible for their own health and safety is not one recognised by ISO 45001 nor, indeed, the law.

Depending on the nature of your organisation’s activities and processes, you will need to prepare plans for emergency situations. This will be proportionate to the risk, ie if your organisation is a small office then the level of planning and provision for emergencies will be very different to that of an oil refinery. This will involve periodically testing and reviewing planned response actions and providing relevant training where required, with documentation. See your Emergency Management Resources for useful forms and a training presentation.

12. Evaluate performance

Monitoring, measuring and analysis provide information on the health and safety aspects and impacts relating to your organisation’s activities and processes. Some of these processes may be subject to legal or regulatory requirements, eg noise and vibration. Results from monitoring and measuring should be documented.

Accident and near miss records, together with the process for analysing them, are another example of key records for an OHSMS; for example, an objective to reduce near misses by 20% over a 12-month period can be analysed and reported upon to leadership.

Internal auditing also helps determine whether your OHSMS meets the certifiable requirements of the international standard. Your organisation will need to establish and implement a safety audit programme, including the frequency, methods, responsibilities, planning requirements and reporting of findings.

13. Focus on improvement

Continual improvement is a requirement of ISO 45001 certification.

A regular management review is an opportunity to review your OHSMS progress and any operational changes that may be required following the checking, monitoring, auditing and corrective action process. The review helps to ensure continual improvement of the OHSMS and of general health and safety performance, and includes reviewing the risks and opportunities.

14. Finally, self-declaration or certification?

Your organisation can self-declare that it has fulfilled the specific requirements of its OHSMS and is accountable for its attestation. It can also seek confirmation of its self-declaration by customers and other third parties. ISO/IEC 17050-1 is a useful ISO document often used by suppliers for undertaking self-declaration.

Certification is an independent assessment process, carried out by independent accredited organisations. Using an accredited professional certification body ensures your OHSMS is fit for purpose and conforms to the requirements of ISO 45001.


Last reviewed 13 March 2023