Documents to maintain (keep current)
- Scope of the OH&S management system (clause 4.3).
- OH&S policy (5.2) and responsibilities and authorities for relevant roles (5.3).
- Risks and opportunities and the processes needed to address them (6.1.1), including your methodology and criteria for hazard identification and risk assessment (6.1.2). The methodology requirement is specific to 45001; auditors ask for it by name.
- Legal and other requirements (6.1.3), your legal register in practice.
- OH&S objectives and plans to achieve them (6.2.2).
- Emergency preparedness and response process (8.2).
- Whatever else you determine necessary for the system to be effective (7.5), sized to your hazards and complexity.
Records to retain (evidence)
- Competence evidence (7.2) and relevant communications (7.4).
- That operational processes ran as planned (8.1); emergency drill and response records flow from 8.2.
- Monitoring and measurement results, and calibration or verification of equipment where used (9.1.1).
- Compliance evaluation results (9.1.2): evidence you actually checked yourself against your legal register.
- Internal audit program and results (9.2), management review outputs (9.3).
- Incidents and nonconformities, the actions taken, and the effectiveness of those actions (10.2). For OH&S this includes near-miss reports; an incident log with zero near misses reads as underreporting, not safety.
Right-sizing without gambling
The phrase "to the extent necessary" cuts both ways in OH&S. A three-person design studio legitimately runs a lean system. But where hazards are serious, "necessary" grows with them: permit-to-work records, isolation verifications, lifting plans, and exposure monitoring exist because their absence puts bodies, not just certificates, at risk. When deciding whether to document something, the auditor's question is a good proxy: if this control failed tonight on the night shift, would the record you kept help explain and prevent, or would you be reconstructing from memory in front of a regulator.