Quick Answer

ISO 45001:2018 is the international standard for occupational health and safety management systems. It replaced OHSAS 18001 in March 2021. The standard sets out 10 clauses following the Annex SL high-level structure shared with ISO 9001 and ISO 14001. The core requirements are: understand the context of the organisation, demonstrate visible leadership and worker participation, plan to address risks and opportunities, support the system with competent resources, control operations using risk-based thinking, evaluate performance, and continually improve. ISO 45001 is not a legal requirement in the UK — UK employers comply with HSWA 1974 and the regulations made under it, primarily MHSWR 1999. Certification to ISO 45001 is voluntary but increasingly required for tenders, insurance and supply-chain qualification. Certification involves a Stage 1 documentation review and Stage 2 implementation audit by a UKAS-accredited certification body, with annual surveillance visits and a three-year recertification cycle.

ISO 45001 is the most-searched H&S management standard in the UK and the most-misunderstood. It’s not law; complying with it doesn’t replace legal duties. But for organisations bidding for public-sector or large-private-sector contracts, holding ISO 45001 certification has gone from “nice to have” to “required for shortlist” in the last five years. For organisations that already have a working H&S management system, ISO 45001 is mostly a structuring exercise. For organisations that don’t, it forces the management system into existence.

This guide explains what ISO 45001 actually requires, how it relates to UK H&S law, what the certification process looks like in practice, and where most organisations come unstuck. It’s written for the people who’ll have to make ISO 45001 work in their organisations — H&S managers, operations directors, quality managers — not for auditors.

What is ISO 45001?

ISO 45001 is the international standard for occupational health and safety management systems (OH&S MS). It was published in March 2018 by the International Organization for Standardization, replacing the British Standards Institution’s OHSAS 18001 specification that the international community had used informally as a de facto standard for 19 years.

The full title is ISO 45001:2018 Occupational health and safety management systems — Requirements with guidance for use. The 2018 in the title refers to the publication year, not a revision year — it’s still the current edition.

The standard is built on Annex SL, the high-level structure ISO uses for all its management-system standards. ISO 9001 (quality), ISO 14001 (environment), and ISO 45001 (H&S) all share the same 10-clause structure, the same vocabulary, and the same Plan-Do-Check-Act cycle. This makes it easier for organisations holding multiple ISO certifications to integrate them — a single management-system manual can satisfy all three standards if it’s structured correctly.

ISO 45001 is not a legal requirement

UK organisations are not legally required to hold ISO 45001 certification. UK H&S law is set by HSWA 1974 and the regulations made under it — primarily MHSWR 1999, which requires every employer to have “appropriate arrangements” for managing health and safety (Regulation 5). ISO 45001 is one way of evidencing those arrangements, but it isn’t the only way. Equally rigorous H&S management systems can be built using HSE’s own HSG65 framework, or through bespoke arrangements proportionate to the organisation’s risk profile.

The HSE’s published position is that ISO 45001 may help organisations demonstrate compliance with H&S law, but it goes beyond what the law requires in some respects. Smaller organisations with less formal management processes may find ISO 45001 difficult to adopt proportionately — and the HSE has cautioned against adopting it just because a customer or contracting body has asked for it, without considering whether it’s right for the organisation’s size and risk profile.

That said: ISO 45001 certification is increasingly demanded as a pre-qualification for tenders in construction, manufacturing, oil and gas, and major-infrastructure procurement. For organisations bidding into those markets, the practical answer to “is it required?” is “for our customers, yes.”

The 10 clauses of ISO 45001

ISO 45001 follows the standard Annex SL 10-clause structure. Clauses 1–3 are introductory (scope, references, definitions). The actual requirements sit in clauses 4–10.

| Clause | Title | What it requires |
|---|---|---|
| 4 | Context of the organisation | Understand internal and external issues, the needs of interested parties (workers, regulators, contractors, customers), and define the scope of the OH&S MS. |
| 5 | Leadership and worker participation | Top management demonstrates leadership; the OH&S policy is established; roles and responsibilities are assigned; workers are consulted and participate in the system. |
| 6 | Planning | Identify hazards and assess OH&S risks; identify legal and other requirements; plan actions to address risks and opportunities; set OH&S objectives. |
| 7 | Support | Provide resources; ensure competence; create awareness; manage communication and documented information. |
| 8 | Operation | Operational planning and control. Includes hazard elimination and risk reduction (clause 8.1.2 — the hierarchy of control), management of change, procurement, contractors, and emergency preparedness. |
| 9 | Performance evaluation | Monitor, measure, analyse and evaluate; conduct internal audits; management review at planned intervals. |
| 10 | Improvement | Address incidents and nonconformities; corrective action; continual improvement. |

Clause 5 — Leadership and worker participation

Clause 5 is the clause that catches more organisations than any other in Stage 2 audit. ISO 45001 distinguishes itself from OHSAS 18001 partly through the explicit emphasis on leadership and worker participation. Top management is required to take accountability for the effectiveness of the OH&S MS — not just to delegate it to an H&S manager. Workers must be actively consulted and able to participate in the development, implementation and continual improvement of the system, with non-managerial workers consulted on specific topics including hazard identification, incident investigation, and effectiveness of preventive measures.

An H&S management system that exists on paper but isn’t visibly led from the top, or that has worker representation only as a notional formality, will fail Clause 5 even if every other element of the system is in place.

Clause 6.1.2 — Hazard identification and assessment of risks

The standard requires a process for ongoing and proactive hazard identification — not a one-off exercise. Hazards must be identified taking into account routine and non-routine activities, all people with access to the workplace (including contractors and visitors), human factors, changes in work or processes, and historical incidents.

For UK organisations, this clause maps closely to MHSWR Regulation 3 (the duty to carry out a “suitable and sufficient” risk assessment). An organisation already meeting MHSWR Regulation 3 with a sound assessment regime will typically meet Clause 6.1.2 without significant additional work. For more on the underlying assessment framework, see our 5 Steps to Risk Assessment guide.

Clause 8.1.2 — Hierarchy of controls

Clause 8.1.2 sets out a five-layer hierarchy of control for risk reduction: eliminate the hazard; substitute with less hazardous processes, operations, materials or equipment; use engineering controls and reorganisation of work; use administrative controls including training; use adequate personal protective equipment.

This is the same hierarchy that derives from MHSWR Schedule 1 — see our Hierarchy of Control guide for the detail. ISO 45001 codifies what UK practice already requires under MHSWR.

The Plan-Do-Check-Act cycle

ISO 45001 is structured around the Plan-Do-Check-Act (PDCA) management cycle:

  • Plan (clauses 4 & 6): understand context, identify hazards and risks, set objectives, plan how to achieve them.
  • Do (clauses 7 & 8): provide resources, build competence, manage operations.
  • Check (clause 9): monitor, measure, audit, review.
  • Act (clause 10): correct nonconformities, prevent recurrence, drive continual improvement.

PDCA is also the structure of HSE’s HSG65 framework. The two are compatible — an organisation with a mature HSG65-based system already has most of the elements ISO 45001 requires; structuring those elements to match the ISO clause numbering is mostly a documentation exercise.

ISO 45001 and the UK regulatory framework

| UK requirement | How ISO 45001 supports it |
|---|---|
| HSWA 1974 Section 2 — general duty | Operationalised through the management system clauses 4–10. |
| MHSWR Reg 3 — risk assessment | Met through Clause 6.1.2 hazard identification. |
| MHSWR Reg 4 — principles of prevention | Met through Clause 8.1.2 hierarchy of controls. |
| MHSWR Reg 5 — health and safety arrangements | Met through the whole management system structure. |
| MHSWR Reg 7 — competent person | Met through Clause 7.2 competence requirements. |
| MHSWR Reg 10 — information for employees | Met through Clause 7.4 communication requirements. |
| MHSWR Reg 13 — capabilities and training | Met through Clause 7.2 competence and 7.3 awareness. |

For more on the regulation that ISO 45001 most closely mirrors, see our MHSWR 1999 guide.

The certification process

Certification is voluntary. An organisation can implement ISO 45001 without seeking certification — the standard is publicly available; it can be used as an internal framework. Most organisations seeking certification do so because customers, insurers or supply-chain qualification bodies require the certificate.

The certification process has six broad stages:

Stage 0 — Implementation (3–12 months)

Before any external audit, the organisation builds its OH&S MS to meet the standard. Typical activities: gap analysis against the 10 clauses, design of management-system documentation, allocation of roles, implementation of any missing processes (often: worker consultation arrangements; documented hazard identification process; management-review cadence). Duration depends on starting point. An organisation with a mature HSG65 system might complete this in 3–6 months. An organisation starting from minimal documentation typically takes 9–12 months.

Stage 1 — Documentation review

The certification body conducts a Stage 1 audit, typically on-site. The auditor reviews the management-system documentation, the scope of the OH&S MS, the legal register, the risk-assessment records, and the management-review records. The output is a Stage 1 audit report identifying any “areas of concern” that need to be resolved before Stage 2.

Stage 2 — Implementation audit

The Stage 2 audit, typically 4–8 weeks after Stage 1, verifies that the management system is being applied in practice — not just documented. The auditor walks the site, interviews workers, observes operations, and tests sample records. The output is a Stage 2 audit report with any major or minor nonconformities. Major nonconformities have to be closed before certification can be granted; minor nonconformities can be closed in agreed timescales.

Certification granted

Once Stage 2 is closed out, the certification body issues a certificate valid for three years. The certificate must be issued by a UKAS-accredited certification body — UKAS is the United Kingdom Accreditation Service, the body that accredits certification bodies in the UK. A certificate from a non-UKAS-accredited body has limited recognition value in UK procurement.

Surveillance audits

Annual surveillance visits sample part of the management system to verify ongoing compliance. Surveillance audits are shorter than Stage 2 — typically half a day to two days depending on organisation size and risk profile.

Recertification

Every three years, a full recertification audit replaces the surveillance visit. The structure is similar to Stage 2.

What it costs and what it takes

Costs vary widely. Indicative ranges for a UK SME with a single site and 50–200 employees:

  • External certification body fees: typically £2,000–£6,000 for initial Stage 1 + Stage 2, plus £1,500–£3,000 per year for surveillance.
  • Internal time: the largest cost, often understated. Implementation typically requires 0.5 to 1 FTE of management time across 6–12 months.
  • External consultancy support: optional, varying from light-touch (gap analysis and pre-audit review) at £2,000–£5,000 to full implementation support at £15,000–£40,000.

The biggest single failure point in costing is underestimating internal time. Documentation can be written; worker consultation, training, internal audits and management review have to be done by the organisation’s own people. Where the H&S manager is the main resource and is also doing day-job work, implementation drifts.

This is the most common reason organisations bring in external support — not because the H&S team can’t run the implementation, but because they don’t have the bandwidth to run it alongside the day job and meet a certification deadline. KeyOstas offers ISO 45001 consultancy across the full implementation lifecycle: gap analysis, management system design, internal auditor training, pre-audit review, Stage 1 and Stage 2 preparation, and post-certification surveillance support. Engagements range from a one-off gap analysis through to acting as your retained competent person under MHSWR Regulation 7 throughout the certification cycle. Call us on +44 (0) 3300 569534 to scope a piece of work.

Common compliance failures

Five recurring failure points from work with UK organisations:

1. Documentation without operation

The management-system manual is full; the procedures it describes don’t actually happen. Stage 2 audit picks this up immediately — auditors interview workers and ask “show me how this works in practice.”

2. Worker participation as box-tick

A safety committee that meets quarterly with the same agenda each time, with workers attending but not contributing. Clause 5.4 requires meaningful worker participation, including consultation on specific topics. Auditors look for evidence that workers are influencing the system, not just being informed about it.

3. Legal register out of date

Clause 6.1.3 requires the organisation to determine and have access to legal and other requirements. A legal register that hasn’t been reviewed since the system was first set up — and therefore doesn’t reflect (for example) the 2022 PPE amendment, the 2018 GDPR alignment, or the post-Brexit retained-EU-law changes — fails audit.

4. Internal audit treated as compliance theatre

Internal audits that find nothing are treated suspiciously by external auditors. A mature management system should generate findings; what matters is whether they’re addressed. Internal audits that always find no issues, or that find the same issues year after year without resolution, signal an immature system.

5. Management review as agenda item, not decision forum

Clause 9.3 requires top management review at planned intervals. Reviews that are presented to management as updates, with no decisions taken and no actions assigned, fail the spirit of the clause. The output of management review is supposed to be decisions on resourcing, priorities, and continual improvement — the auditor asks for the meeting minutes and the actions arising.

When ISO 45001 is right for an organisation — and when it isn’t

ISO 45001 is right when:

  • The organisation has customers or contracts that require it.
  • The organisation already has a maturing H&S management system that would benefit from external structuring and validation.
  • The organisation is integrating with ISO 9001 or 14001 — combined certification is straightforward and produces operational efficiencies.
  • The organisation operates internationally and needs a recognised standard for harmonising H&S across multiple jurisdictions.

ISO 45001 is the wrong answer when:

  • The organisation is small with simple processes — the documentation overhead may not pay back.
  • The H&S system is being built from minimal arrangements — getting MHSWR compliance right comes first; ISO 45001 layers on top.
  • The driver is “we should probably get certified” rather than a specific commercial requirement — the cost rarely justifies the benefit without an external pull.

Frequently asked questions

What is ISO 45001?

The international standard for occupational health and safety management systems, published in 2018 by ISO. It replaced OHSAS 18001 in March 2021.

Is ISO 45001 a legal requirement in the UK?

No. UK H&S law is set by HSWA 1974 and the regulations made under it. ISO 45001 is voluntary — but is increasingly required for tenders and supply-chain qualification.

What replaced OHSAS 18001?

ISO 45001 replaced OHSAS 18001 in March 2021. Organisations holding OHSAS 18001 had a transition period to migrate to ISO 45001.

How long does ISO 45001 certification take?

3–12 months from start to first certificate, depending on starting point. Mature management systems can certify in 3–6 months; new systems typically take 9–12 months. Certification then runs in 3-year cycles with annual surveillance.

How much does ISO 45001 certification cost?

Indicatively £2,000–£6,000 for initial Stage 1 and Stage 2 audits for a UK SME, plus £1,500–£3,000 per year for surveillance. Internal time and any external consultancy are additional.

Does KeyOstas offer ISO 45001 support?

Yes. KeyOstas provides ISO 45001 consultancy and implementation support across the full certification lifecycle — gap analysis, management system design, documentation, internal auditor training, pre-audit review, and ongoing competent-person support during certification and surveillance cycles. Engagements are scoped to the organisation’s existing maturity and target certification timescale.

What is a UKAS-accredited certification body?

A certification body whose competence to issue ISO 45001 certificates has been verified by the United Kingdom Accreditation Service. UKAS-accredited certificates are the standard expected in UK procurement.

What is the difference between ISO 45001 and HSG65?

HSG65 is HSE’s UK guidance on managing for health and safety, structured around Plan-Do-Check-Act. ISO 45001 is the international standard for OH&S management systems, structured around the same PDCA cycle. They are highly compatible — an HSG65-based system can be aligned to ISO 45001 with mostly documentation work.

Where to start

If your organisation is considering ISO 45001 certification, the most useful starting points are:

  1. Confirm the driver. Customer requirement? Tender qualification? Insurance? Internal improvement? The driver shapes the timescale, scope, and cost.
  2. Gap analysis. Compare current arrangements to the 10 clauses. Most UK organisations with HSG65 or MHSWR-compliant arrangements are 50–70% of the way there.
  3. Identify the resource. Internal lead (typically H&S manager); top-management sponsor; worker representatives; external support if needed.
  4. Choose a UKAS-accredited certification body. Get quotes from two or three. Don’t choose on price alone — auditor experience in your sector matters more.

For training that supports the H&S manager taking the lead on implementation, the NEBOSH National General Certificate is the practitioner-level standard, and the NEBOSH National Diploma covers management-system design at greater depth. For organisations that need help running a gap analysis, designing the management system, or preparing for Stage 1 and Stage 2 audits, our consultancy team provides end-to-end support — including acting as the competent person under MHSWR Regulation 7 during implementation. Call us on +44 (0) 3300 569534 for tailored advice.

For related guidance, see our MHSWR 1999 guide for the regulation ISO 45001 most closely mirrors, our HSWA 1974 guide for the parent UK Act, our Hierarchy of Control guide for the practical content of Clause 8.1.2, and our 5 Steps to Risk Assessment guide for the underlying assessment process feeding Clause 6.1.2.