ReadSafety.com

ISO 45001 Questions, Answered

What documents are required by ISO 45001?

Quick answer

ISO 45001 requires you to maintain: the OH&S management system scope, the OH&S policy, roles and responsibilities, hazard identification methodology and results, legal and other requirements, objectives, and emergency response processes. You must retain records proving competence, communications, monitoring, compliance evaluation, incidents, audits, management reviews, and corrective actions.

Documents to maintain (keep current)

  • Scope of the OH&S management system (clause 4.3).
  • OH&S policy (5.2) and responsibilities and authorities for relevant roles (5.3).
  • Risks and opportunities and the processes needed to address them (6.1.1), including your methodology and criteria for hazard identification and risk assessment (6.1.2). The methodology requirement is specific to 45001; auditors ask for it by name.
  • Legal and other requirements (6.1.3), your legal register in practice.
  • OH&S objectives and plans to achieve them (6.2.2).
  • Emergency preparedness and response process (8.2).
  • Whatever else you determine necessary for the system to be effective (7.5), sized to your hazards and complexity.

Records to retain (evidence)

  • Competence evidence (7.2) and relevant communications (7.4).
  • That operational processes ran as planned (8.1); emergency drill and response records flow from 8.2.
  • Monitoring and measurement results, and calibration or verification of equipment where used (9.1.1).
  • Compliance evaluation results (9.1.2): evidence you actually checked yourself against your legal register.
  • Internal audit program and results (9.2), management review outputs (9.3).
  • Incidents and nonconformities, the actions taken, and the effectiveness of those actions (10.2). For OH&S this includes near-miss reports; an incident log with zero near misses reads as underreporting, not safety.
Key factLike all modern ISO management standards, ISO 45001 requires no manual and no prescribed procedure set. But unlike ISO 9001, it explicitly requires documenting your risk assessment methodology and your legal requirements. Those two are non-negotiable and are checked in every Stage 1.

Right-sizing without gambling

The phrase "to the extent necessary" cuts both ways in OH&S. A three-person design studio legitimately runs a lean system. But where hazards are serious, "necessary" grows with them: permit-to-work records, isolation verifications, lifting plans, and exposure monitoring exist because their absence puts bodies, not just certificates, at risk. When deciding whether to document something, the auditor's question is a good proxy: if this control failed tonight on the night shift, would the record you kept help explain and prevent, or would you be reconstructing from memory in front of a regulator.

Ready to take the next step?

USQC - United Safety Quality Council is an ASC-accredited certification body providing third-party ISO 45001 certification audits, internal and supplier audit services, and auditor training. Since 2015, USQC has automated audit planning, reporting, and decision support, cutting audit man-days that other certification bodies bill for and placing USQC pricing in the lower quartile, with highly experienced lead auditors on every audit.

Talk to USQC