ISO 45001·9 min read

ISO 45001: The Occupational Health & Safety Standard, Explained

ISO 45001 is the international standard for occupational health and safety management systems (OHSMS). Unlike the cybersecurity frameworks in this library, ISO 45001 doesn't target CISOs. Its buyer is the COO, the Head of Operations, or the VP of EHS at any organization where a workforce spends time in physical environments — manufacturing, construction, energy, logistics, healthcare delivery, field services.

This is the ISO 45001 pillar guide: what the standard actually is, who buys it and why, how it structures a program, and how it fits alongside ISO 9001 and ISO 14001 for an integrated management-system approach.


What ISO 45001 actually is

ISO 45001:2018 was published to replace the older OHSAS 18001 standard and to give occupational health and safety a management-system framework that mirrors ISO 9001 and ISO 14001. It follows the same Annex-SL "high-level structure" — 10 clauses, executive accountability, Plan-Do-Check-Act — which is why organizations running any ISO management system integrate ISO 45001 rather than treat it as a standalone.

What ISO 45001 covers:

  • Worker consultation and participation — a defining feature of the standard, distinct from other management systems
  • Hazard identification and risk assessment for occupational health and safety
  • Legal and other requirements — a register of applicable OH&S law and voluntary commitments
  • Operational controls — the procedures that keep the workforce safe day to day
  • Emergency preparedness and response
  • Incident investigation and corrective action
  • Performance monitoring and internal audit
  • Management review at planned intervals

The scope is workforce-facing. Where cybersecurity frameworks protect data, ISO 45001 protects people.


Who buys ISO 45001

Three buyer profiles show up most often:

Enterprise supply-chain procurement. Large industrials, retailers, and global brands run supplier codes of conduct that include workforce-safety expectations. ISO 45001 shows up in RFPs and tender scoring — a certified supplier gets points, an uncertified one doesn't. This is the biggest driver.

Regulated-industry contractors. Construction firms bidding on infrastructure work, energy service companies, logistics providers moving hazmat. Their industry regulators either name ISO 45001 as an accepted management-system framework or reward it in tender processes.

ESG-driven procurement. Increasing rapidly. Companies with public ESG commitments push OH&S expectations down through their supply chain. Suppliers that can demonstrate an ISO 45001 program score higher in ESG questionnaires and slot cleanly into the buyer's own reporting.

Who doesn't need ISO 45001: pure SaaS teams with office-only workforces. The occupational hazards are limited, and no realistic enterprise buyer will demand ISO 45001 of a software vendor. If you're a SaaS operator reading this, ISO 45001 is a "watch this space" — relevant to your customers, less relevant to you.


The Plan-Do-Check-Act structure of ISO 45001

Like every ISO management-system standard, ISO 45001 organizes into 10 clauses under a Plan-Do-Check-Act loop:

Plan (Clauses 4-6). Context of the organization, leadership commitment, worker participation, planning to address risks and opportunities, legal register.

Do (Clauses 7-8). Resources, competence, awareness, communication, documented information, operational planning and control, emergency preparedness.

Check (Clause 9). Monitoring, measurement, internal audit, management review.

Act (Clause 10). Incident investigation, nonconformity handling, continual improvement.

The signature feature — the one auditors probe hardest — is worker consultation and participation. ISO 45001 requires that workers (or their representatives) participate in developing the OHSMS, identifying hazards, and reviewing incidents. This is not a paper requirement; auditors look for evidence of genuine participation.

The ISO 45001 service page walks how ShieldKey builds each element for a first-time program.


The safety-driven procurement gates

Understanding why ISO 45001 shows up in a procurement questionnaire helps prioritize which parts of the standard to invest in first:

Supplier scorecards. Large industrial buyers use scorecards that include an OH&S certification field. Some make it a gate ("must be ISO 45001 certified to bid"); most make it a scoring criterion (5-15 points out of 100). Either way, certified suppliers win contested bids.

Tender documents. Government infrastructure tenders, oil & gas contracts, large construction packages often specify ISO 45001 or equivalent. Meeting the "or equivalent" test means proving your program is at parity — usually more work than just getting certified.

Customer ESG reporting. Enterprise buyers report on supplier ESG performance. ISO 45001 gives them a clean line item for OH&S coverage across the supply chain. Not having it forces them to explain gaps in their own reporting.

Insurance underwriting. Some workers' compensation insurers and general liability underwriters offer premium reductions for ISO 45001 certified organizations, particularly in high-risk industries.


How ISO 45001 integrates with ISO 9001 and ISO 14001

The IMS story is where ISO 45001 pays for itself in ongoing cost. All three standards share the Annex-SL structure — same 10 clauses, same expectations for leadership, resources, documented information, audit, review. An organization running any two of them typically integrates rather than duplicates:

  • One policy document covering quality, environment, and OH&S (or three tightly integrated policies with shared context)
  • One risk assessment methodology applied to three risk lenses
  • One internal audit programme covering all three standards
  • One management review cycle
  • One certification-body relationship with a combined audit calendar

The Combinations page walks the QHSE bundle (ISO 9001 + ISO 14001 + ISO 45001) as one of the named IMS combinations we run. The Unified Framework page explains how a single ISMS/OHSMS/EMS/QMS document library works in practice.

For an organization already certified to ISO 9001, adding ISO 45001 typically runs 4-6 months instead of the 8-12 months required for a standalone first-time program.


What ISO 45001 certification actually costs

For a mid-sized organization with no existing ISO certifications:

  • Program build: 4-6 months of program-manager effort plus operational staff time
  • Certification-body fees: $20k-60k for Stage 1 + Stage 2, depending on organization size and site count
  • Annual surveillance audit: $10k-25k
  • Recertification (year 3): comparable to initial Stage 2

Internal effort in year one: 400-800 hours across a program manager, an EHS lead, and operational contributors. Higher in industries with more complex hazards.

For an organization adding ISO 45001 to an existing ISO 9001 or ISO 14001 program: cut those numbers by 40-60%.


When to sequence ISO 45001 into your compliance stack

For a company with an operational workforce and enterprise supply-chain exposure:

  • If ISO 9001 already: add ISO 45001 as an IMS extension. Fastest, cheapest, and the QMS foundation supports the OHSMS structure immediately.
  • If no ISO management system yet: ISO 9001 first (broader business benefit, more procurement recognition), ISO 45001 second (specific safety-driven gates).
  • If a specific contract requires ISO 45001 now: run standalone, then loop back for ISO 9001 and ISO 14001 to complete the QHSE bundle.

The SaaS Compliance Stack covers sequencing for cybersecurity frameworks; ISO 45001 sits in a different lane — same logic, different priorities. If you want to see how any three ISO management systems overlap in controls, the Overlap Explorer supports mixing management-system standards.


Related reading


Frequently Asked Questions

Is ISO 45001 required by law? Not by direct regulation. Country-level regulators (OSHA, HSE, EU-OSHA) enforce workplace safety; ISO 45001 is a voluntary international standard that demonstrates compliance with them.

What's the difference between ISO 45001 and OSHA compliance? OSHA compliance is meeting US federal safety law — a legal minimum. ISO 45001 is a management-system standard for planning, executing, monitoring, and improving OH&S.

Do office-only companies need ISO 45001? Usually not. ISO 45001 shows up where workforce faces physical hazards — manufacturing, construction, energy, logistics, healthcare delivery.

How does ISO 45001 relate to ISO 9001 and ISO 14001? Same Annex-SL structure, same shape. Organizations often run all three as one Integrated Management System — the QHSE package.

What size company gets ISO 45001 certified? Around 100 employees with meaningful field or facility work, or when a specific enterprise contract requires it.

How long does ISO 45001 certification take? Typically 8-12 months for a first-time program. Faster if you already run ISO 9001 or ISO 14001.


Building an ISO 45001 program?

ShieldKey builds ISO 45001 OHSMS programs standalone or integrated with existing ISO 9001 and ISO 14001 systems. If a customer contract, tender, or ESG procurement rule is pulling ISO 45001 onto your roadmap, we scope the fastest defensible path to certification.

Schedule a scoping call →