ISO 45001 Pre-Assessment
Checklist & Audit Guide

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its OH&S management system.

The organization shall determine:
• a) the other interested parties, in addition to workers, that are relevant to the OH&S management system;
• b) the relevant needs and expectations (i.e. requirements) of workers and other interested parties;
• c) which of these needs and expectations are, or could become, legal requirements and other requirements.

The organization shall determine the boundaries and applicability of the OH&S management system to establish its scope.

When determining this scope, the organization shall:
• a) consider the external and internal issues referred to in 4.1;
• b) take into account the requirements referred to in 4.2;
• c) take into account the planned or performed work-related activities.

The OH&S management system shall include the activities, products and services within the organization’s control or influence that can impact the organization’s OH&S performance.

The scope shall be available as documented information.

The organization shall establish, implement, maintain and continually improve an OH&S management system, including the processes needed and their interactions,in accordance with the requirements of this document.

Top management shall demonstrate leadership and commitment with respect to the OH&S management system by:

• a) taking overall responsibility and accountability for the prevention of work- related injury and ill health, as well as the provision of safe and healthy workplaces and activities;
• b) ensuring that the OH&S policy and related OH&S objectives are established and are compatible with the strategic direction of the organization;
• c) ensuring the integration of the OH&S management system requirements into the organization’s business processes;
• d) ensuring that the resources needed to establish, implement, maintain and improve the OH&S management system are available;
• e) communicating the importance of effective OH&S management and of conforming to the OH&S management system requirements;
• f) ensuring that the OH&S management system achieves its intended outcome(s);
• g) directing and supporting persons to contribute to the effectiveness of the OH&S management system;
• h) ensuring and promoting continual improvement;
• i) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility;
• j) developing, leading and promoting a culture in the organization that supports the intended outcomes of the OH&S management system;
• k) protecting workers from reprisals when reporting incidents, hazards, risks and opportunities;
• l) ensuring the organization establishes and implements a process(es) for consultation and participation of workers (see 5.4);
• m) supporting the establishment and functioning of health and safety committees,[see 5.4 e) 1)].

NOTE Reference to “business” in this document can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence.

Top management shall establish, implement and maintain an OH&S policy that:
• a) includes a commitment to provide safe and healthy working conditions for the prevention of work-related injury and ill health and is appropriate to the purpose,size and context of the organization and to the specific nature of its OH&S risks and OH&S opportunities;
• b) provides a framework for setting the OH&S objectives;
• c) includes a commitment to fulfil legal requirements and other requirements;
• d) includes a commitment to eliminate hazards and reduce OH&S risks (see 8.1.2);
• e) includes a commitment to continual improvement of the OH&S management system;
• f) includes a commitment to consultation and participation of workers, and, where they exist, workers’ representatives.

The OH&S policy shall:
• — be available as documented information;
• — be communicated within the organization;
• — be available to interested parties, as appropriate;
• — be relevant and appropriate

Top management shall ensure that the responsibilities and authorities for relevant roles within the OH&S management system are assigned and communicated at all levels within the organization and maintained as documented information. Workers at each level of the organization shall assume responsibility for those aspects of the OH&S management system over which they have control.

NOTE While responsibility and authority can be assigned, ultimately top management is still accountable for the functioning of the OH&S management system.

Top management shall assign the responsibility and authority for:
• a) ensuring that the OH&S management system conforms to the requirements of this document;
• b) reporting on the performance of the OH&S management system to top management.

The organization shall establish, implement and maintain a process(es) for consultation and participation of workers at all applicable levels and functions, and, where they exist, workers’ representatives, in the development, planning, implementation, performance evaluation and actions for improvement of the OH&S management system. The organization shall:

• a) provide mechanisms, time, training and resources necessary for consultation and participation;
  NOTE 1 Worker representation can be a mechanism for consultation and participation.
• b) provide timely access to clear, understandable and relevant information about the OH&S management system;
• c) determine and remove obstacles or barriers to participation and minimize those that cannot be removed;
  NOTE 2 Obstacles and barriers can include failure to respond to worker inputs or suggestions, language or literacy barriers, reprisals or threats of reprisals and policies or practices that discourage or penalize worker participation.
• d) emphasize the consultation of non-managerial workers on the following:
  1) determining the needs and expectations of interested parties (see 4.2);
  2) establishing the OH&S policy (see 5.2);
  3) assigning organizational roles, responsibilities and authorities, as applicable (see 5.3);
  4) determining how to fulfil legal requirements and other requirements (see 6.1.3);
  5) establishing OH&S objectives and planning to achieve them (see 6.2);
  6) determining applicable controls for outsourcing, procurement and contractors (see 8.1.4);
  7) determining what needs to be monitored, measured and evaluated (see 9.1);
  8) planning, establishing, implementing and maintaining an audit programme(s) (see 9.2.2);
  9) ensuring continual improvement (see 10.3);
• e) emphasize the participation of non-managerial workers in the following:
  1) determining the mechanisms for their consultation and participation;
  2) identifying hazards and assessing risks and opportunities (see 6.1.1 and 6.1.2);
  3) determining actions to eliminate hazards and reduce OH&S risks (see 6.1.4);
  4) determining competence requirements, training needs, training and evaluating training (see 7.2);
  5) determining what needs to be communicated and how this will be done (see 7.4);
  6) determining control measures and their effective implementation and use (see 8.1, 8.1.3 and 8.2);
  7) investigating incidents and nonconformities and determining corrective actions (see 10.2).
  

  NOTE 3 Emphasizing the consultation and participation of non-managerial workers is intended to apply to persons carrying out the work activities, but is not intended to exclude, for example, managers who are impacted by work activities or other factors in the organization.

  NOTE 4 It is recognized that the provision of training at no cost to workers and the provision of training during working hours, where possible, can remove significant barriers to worker participation.

When planning for the OH&S management system, the organization shall consider the issues referred to in 4.1 (context), the requirements referred to in 4.2 (interested parties) and 4.3 (the scope of its OH&S management system) and determine the risks and opportunities that need to be addressed to:

• a) give assurance that the OH&S management system can achieve its intended outcome(s);
• b) prevent, or reduce, undesired effects;
• c) achieve continual improvement.
  

  When determining the risks and opportunities for the OH&S management system and its intended outcomes that need to be addressed, the organization shall take into account:

  — hazards (see 6.1.2.1);
  — OH&S risks and other risks (see 6.1.2.2);
  — OH&S opportunities and other opportunities (see 6.1.2.3);
  — legal requirements and other requirements (see 6.1.3).
  

  The organization, in its planning process(es), shall determine and assess the risks and opportunities that are relevant to the intended outcomes of the OH&S management system associated with changes in the organization, its processes or the OH&S management system. In the case of planned changes, permanent or temporary, this assessment shall be undertaken before the change is implemented (see 8.1.3).

  The organization shall maintain documented information on:
  — risks and opportunities;
  — the process(es) and actions needed to determine and address its risks and opportunities (see 6.1.2 to 6.1.4) to the extent necessary to have confidence that they are carried out as planned.

The organization shall establish, implement and maintain a process(es) for hazard identification that is ongoing and proactive. The process(es) shall take into account, but not be limited to:

• a) how work is organized, social factors (including workload, work hours, victimization, harassment and bullying), leadership and the culture in the organization;
• b) routine and non-routine activities and situations, including hazards arising from:
  1) infrastructure, equipment, materials, substances and the physical conditions of the workplace;
  2) product and service design, research, development, testing, production, assembly, construction, service delivery, maintenance and disposal;
  3) human factors;
  4) how the work is performed;
• c) past relevant incidents, internal or external to the organization, including emergencies, and their causes;
• d) potential emergency situations;
• e) people, including consideration of:
  1) those with access to the workplace and their activities, including workers, contractors, visitors and other persons;
  2) those in the vicinity of the workplace who can be affected by the activities of the organization;
  3) workers at a location not under the direct control of the organization;
• f) other issues, including consideration of:
  1) the design of work areas, processes, installations, machinery/equipment, operating procedures and work organization, including their adaptation to the needs and capabilities of the workers involved;
  2) situations occurring in the vicinity of the workplace caused by work-related activities under the control of the organization;
  3) situations not controlled by the organization and occurring in the vicinity of the workplace that can cause injury and ill health to persons in the workplace;
• g) actual or proposed changes in organization, operations, processes, activities and the OH&S management system (see 8.1.3);
• h) changes in knowledge of, and information about, hazards.

The organization shall establish, implement and maintain a process(es) to:

• a) assess OH&S risks from the identified hazards, while taking into account the effectiveness of existing controls;
• b) determine and assess the other risks related to the establishment, implementation, operation and maintenance of the OH&S management system.

The organization’s methodology(ies) and criteria for the assessment of OH&S risks shall be defined with respect to their scope, nature and timing to ensure they are proactive rather than reactive and are used in a systematic way. Documented information shall be maintained and retained on the methodology(ies) and criteria.

The organization shall establish, implement and maintain a process(es) to assess:
• a) OH&S opportunities to enhance OH&S performance, while taking into account planned changes to the organization, its policies, its processes or its activities and:
  1) opportunities to adapt work, work organization and work environment to workers;
  2) opportunities to eliminate hazards and reduce OH&S risks;
• b) other opportunities for improving the OH&S management system. NOTE OH&S risks and OH&S opportunities can result in other risks and other opportunities for the organization.

The organization shall establish, implement and maintain a process(es) to:
• a) determine and have access to up-to-date legal requirements and other requirements that are applicable to its hazards, OH&S risks and OH&S management system;
• b) determine how these legal requirements and other requirements apply to the organization and what needs to be communicated;
• c) take these legal requirements and other requirements into account when establishing, implementing, maintaining and continually improving its OH&S management system.

The organization shall maintain and retain documented information on its legal requirements and other requirements and shall ensure that it is updated to reflect any changes.
NOTE Legal requirements and other requirements can result in risks and opportunities for the organization.

The organization shall plan:
• a) actions to:
  1) address these risks and opportunities (see 6.1.2.2 and 6.1.2.3);
  2) address legal requirements and other requirements (see 6.1.3);
  3) prepare for and respond to emergency situations (see 8.2);
• b) how to:
  1) integrate and implement the actions into its OH&S management system processes or other business processes;
  2) evaluate the effectiveness of these actions.

The organization shall take into account the hierarchy of controls (see 8.1.2) and outputs from the OH&S management system when planning to take action. When planning its actions, the organization shall consider best practices, technological options and financial, operational and business requirements.

The organization shall establish OH&S objectives at relevant functions and levels in order to maintain and continually improve the OH&S management system and OH&S performance (see 10.3).

The OH&S objectives shall:
• a) be consistent with the OH&S policy;
• b) be measurable (if practicable) or capable of performance evaluation;
• c) take into account:
  1) applicable requirements;
  2) the results of the assessment of risks and opportunities (see 6.1.2.2 and 6.1.2.3);
  3) the results of consultation with workers (see 5.4) and, where they exist, workers’ representatives;
• d) be monitored;
• e) be communicated;
• f) be updated as appropriate.

When planning how to achieve its OH&S objectives, the organization shall determine:
• a) what will be done;
• b) what resources will be required;
• c) who will be responsible;
• d) when it will be completed;
• e) how the results will be evaluated, including indicators for monitoring;
• f) how the actions to achieve OH&S objectives will be integrated into the organization’s business processes.

The organization shall maintain and retain documented information on the OH&S objectives and plans to achieve them.

The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the OH&S management system.

The organization shall:
• a) determine the necessary competence of workers that affects or can affect its OH&S performance;
• b) ensure that workers are competent (including the ability to identify hazards) on the basis of appropriate education, training or experience;
• c) where applicable, take actions to acquire and maintain the necessary competence, and evaluate the effectiveness of the actions taken;
• d) retain appropriate documented information as evidence of competence. NOTE Applicable actions can include, for example, the provision of training to, the mentoring of, or the re-assignment of currently employed persons, or the hiring or contracting of competent persons.

Workers shall be made aware of:
• a) the OH&S policy and OH&S objectives;
• b) their contribution to the effectiveness of the OH&S management system, including the benefits of improved OH&S performance;
• c) the implications and potential consequences of not conforming to the OH&S management system requirements;
• d) incidents and the outcomes of investigations that are relevant to them;
• e) hazards, OH&S risks and actions determined that are relevant to them;
• f) the ability to remove themselves from work situations that they consider present an imminent and serious danger to their life or health, as well as the arrangements for protecting them from undue consequences for doing so

The organization shall establish, implement and maintain the process(es) needed for the internal and external communications relevant to the OH&S management system, including determining:

• a) on what it will communicate;
• b) when to communicate;
• c) with whom to communicate:
  1) internally among the various levels and functions of the organization;
  2) among contractors and visitors to the workplace;
  3) among other interested parties;
  
• d) how to communicate. The organization shall take into account diversity aspects (e.g. gender, language, culture, literacy, disability) when considering its communication needs.
  The organization shall ensure that the views of external interested parties are considered in establishing its communication process(es).
  When establishing its communication process(es), the organization shall:
  — take into account its legal requirements and other requirements;
  — ensure that OH&S information to be communicated is consistent with information generated within the OH&S management system, and is reliable. The organization shall respond to relevant communications on its OH&S management system.
  The organization shall retain documented information as evidence of its communications, as appropriate.

The organization shall:
• a) internally communicate information relevant to the OH&S management system among the various levels and functions of the organization, including changes to the OH&S management system, as appropriate;

The organization shall externally communicate information relevant to the OH&S management system, as established by the organization’s communication process(es) and taking into account its legal requirements and other requirements.

The organization’s OH&S management system shall include:

• a) documented information required by this document;
• b) documented information determined by the organization as being necessary for the effectiveness of the OH&S management system.
• NOTE The extent of documented information for an OH&S management system can differ from one organization to another due to:
  — the size of organization and its type of activities, processes, products and services;
  — the need to demonstrate fulfilment of legal requirements and other requirements;
  — the complexity of processes and their interactions;
  — the competence of workers.

When creating and updating documented information, the organization shall ensure appropriate:
• a) identification and description (e.g. a title, date, author or reference number);
• b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
• c) review and approval for suitability and adequacy.

Documented information required by the OH&S management system and by this document shall be controlled to ensure:
• a) it is available and suitable for use, where and when it is needed;
• b) it is adequately protected (e.g. from loss of confidentiality, improper use or loss of integrity).
• For the control of documented information, the organization shall address the following activities, as applicable:
  — distribution, access, retrieval and use;
  — storage and preservation, including preservation of legibility;
  — control of changes (e.g. version control);
  — retention and disposition.
• Documented information of external origin determined by the organization to be necessary for the planning and operation of the OH&S management system shall be identified, as appropriate, and controlled.
• NOTE 1 Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.
• NOTE 2 Access to relevant documented information includes access by workers, and, where they exist, workers’ representatives.

The organization shall plan, implement, control and maintain the processes needed to meet requirements of the OH&S management system, and to implement the actions determined in Clause 6, by:

• a) establishing criteria for the processes;
• b) implementing control of the processes in accordance with the criteria;
• c) maintaining and retaining documented information to the extent necessary to have confidence that the processes have been carried out as planned;
• d) adapting work to workers.

At multi-employer workplaces, the organization shall coordinate the relevant parts of the OH&S management system with the other organizations

The organization shall establish, implement and maintain a process(es) for the elimination of hazards and reduction of OH&S risks using the following hierarchy of controls:

• a) eliminate the hazard;
• b) substitute with less hazardous processes, operations, materials or equipment;
• c) use engineering controls and reorganization of work;
• d) use administrative controls, including training;
• e) use adequate personal protective equipment.

NOTE In many countries, legal requirements and other requirements include the requirement that personal protective equipment (PPE) is provided at no cost to workers.

The organization shall establish a process(es) for the implementation and control of planned temporary and permanent changes that impact OH&S performance, including:

• a) new products, services and processes, or changes to existing products, services and processes, including:
  — workplace locations and surroundings;
  — work organization;
  — working conditions;
  — equipment;
  — work force;
• b) changes to legal requirements and other requirements;
• c) changes in knowledge or information about hazards and OH&S risks;
• d) developments in knowledge and technology.

The organization shall review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
NOTE Changes can result in risks and opportunities.

The organization shall establish, implement and maintain a process(es) to control the procurement of products and services in order to ensure their conformity to its OH&S management system.

The organization shall coordinate its procurement process(es) with its contractors, in order to identify hazards and to assess and control the OH&S risks arising from:

• a) the contractors’ activities and operations that impact the organization;
• b) the organization’s activities and operations that impact the contractors’ workers;
• c) the contractors’ activities and operations that impact other interested parties in the workplace.

The organization shall ensure that the requirements of its OH&S management system are met by contractors and their workers. The organization’s procurement process(es) shall define and apply occupational health and safety criteria for the selection of contractors.
NOTE It can be helpful to include the occupational health and safety criteria for the selection of contractors in the contractual documents.

The organization shall ensure that outsourced functions and processes are controlled. The organization shall ensure that its outsourcing arrangements are consistent with legal requirements and other requirements and with achieving the intended outcomes of the OH&S management system. The type and degree of control to be applied to these functions and processes shall be defined within the OH&S management system.
NOTE Coordination with external providers can assist an organization to address any impact that outsourcing has on its OH&S performance.

The organization shall establish, implement and maintain a process(es) needed to prepare for and respond to potential emergency situations, as identified in 6.1.2.1, including:

• a) establishing a planned response to emergency situations, including the provision of first aid;
• b) providing training for the planned response;
• c) periodically testing and exercising the planned response capability;
• e) communicating and providing relevant information to all workers on their duties and responsibilities;
• f) communicating relevant information to contractors, visitors, emergency response services, government authorities and, as appropriate, the local community;
• g) taking into account the needs and capabilities of all relevant interested parties and ensuring their involvement, as appropriate, in the development of the planned response.
• The organization shall maintain and retain documented information on the process(es) and on the plans for responding to potential emergency situations.

The organization shall establish, implement and maintain a process(es) for monitoring, measurement, analysis and performance evaluation. The organization shall determine:

• a) what needs to be monitored and measured, including:
  1) the extent to which legal requirements and other requirements are fulfilled;
  2) its activities and operations related to identified hazards, risks and opportunities;
  3) progress towards achievement of the organization’s OH&S objectives;
  4) effectiveness of operational and other controls;
• b) the methods for monitoring, measurement, analysis and performance evaluation, as applicable, to ensure valid results;
• c) the criteria against which the organization will evaluate its OH&S performance;
• d) when the monitoring and measuring shall be performed;
• e) when the results from monitoring and measurement shall be analysed, evaluated and communicated.

The organization shall evaluate the OH&S performance and determine the effectiveness of the OH&S management system.
The organization shall ensure that monitoring and measuring equipment is calibrated or verified as applicable, and is used and maintained as appropriate.

NOTE There can be legal requirements or other requirements (e.g. national or international standards) concerning the calibration or verification of monitoring and measuring equipment.
The organization shall retain appropriate documented information:
— as evidence of the results of monitoring, measurement, analysis and performance evaluation;
— on the maintenance, calibration or verification of measuring equipment.

The organization shall establish, implement and maintain a process(es) for evaluating compliance with legal requirements and other requirements (see 6.1.3).
The organization shall:

• a) determine the frequency and method(s) for the evaluation of compliance;
• b) evaluate compliance and take action if needed (see 10.2);
• c) maintain knowledge and understanding of its compliance status with legal requirements and other requirements;
• d) retain documented information of the compliance evaluation result(s).

The organization shall conduct internal audits at planned intervals to provide information on whether the OH&S management system:

• a) conforms to:
  1) the organization’s own requirements for its OH&S management system, including the OH&S policy and OH&S objectives;
  2) the requirements of this document;
• b) is effectively implemented and maintained.

The organization shall:

• a) plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, consultation, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits;
• b) define the audit criteria and scope for each audit;
• c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
• d) ensure that the results of the audits are reported to relevant managers; ensure that relevant audit results are reported to workers, and, where they exist, workers’ representatives, and other relevant interested parties;
• e) take action to address nonconformities and continually improve its OH&S performance (see Clause 10);
• f) retain documented information as evidence of the implementation of the audit programme and the audit results.

NOTE For more information on auditing and the competence of auditors, see ISO 19011.

Top management shall review the organization’s OH&S management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of:

• a) the status of actions from previous management reviews;
• b) changes in external and internal issues that are relevant to the OH&S management system, including:
  1) the needs and expectations of interested parties;
  2) legal requirements and other requirements;
  3) risks and opportunities;
• c) the extent to which the OH&S policy and the OH&S objectives have been met;
• d) information on the OH&S performance, including trends in:
  1) incidents, nonconformities, corrective actions and continual improvement;
  2) monitoring and measurement results;
  3) results of evaluation of compliance with legal requirements and other requirements;
  4) audit results;
  5) consultation and participation of workers;
  6) risks and opportunities;
• e) adequacy of resources for maintaining an effective OH&S management system;
• f) relevant communication(s) with interested parties;
• g) opportunities for continual improvement. The outputs of the management review shall include decisions related to:
  — the continuing suitability, adequacy and effectiveness of the OH&S management system in achieving its intended outcomes;
  — continual improvement opportunities;
  — any need for changes to the OH&S management system;
  — resources needed;
  — actions, if needed;
  — opportunities to improve integration of the OH&S management system with other business processes;
  — any implications for the strategic direction of the organization.
  Top management shall communicate the relevant outputs of management reviews to workers, and, where they exist, workers’ representatives (see 7.4). The organization shall retain documented information as evidence of the results of management reviews.

The organization shall determine opportunities for improvement (see Clause 9) and implement necessary actions to achieve the intended outcomes of its OH&S management system.

The organization shall establish, implement and maintain a process(es), including reporting, investigating and taking action, to determine and manage incidents and nonconformities.
When an incident or a nonconformity occurs, the organization shall:

• a) react in a timely manner to the incident or nonconformity and, as applicable:
  1) take action to control and correct it;
  2) deal with the consequences;
• b) evaluate, with the participation of workers (see 5.4) and the involvement of other relevant interested parties, the need for corrective action to eliminate the root cause(s) of the incident or nonconformity, in order that it does not recur or occur elsewhere, by:
  1) investigating the incident or reviewing the nonconformity;
  2) determining the cause(s) of the incident or nonconformity;
  3) determining if similar incidents have occurred, if nonconformities exist, or if they could potentially occur;
• c) review existing assessments of OH&S risks and other risks, as appropriate (see 6.1);
• d) determine and implement any action needed, including corrective action, in accordance with the hierarchy of controls (see 8.1.2) and the management of change (see 8.1.3);
• e) assess OH&S risks that relate to new or changed hazards, prior to taking action;
• f) review the effectiveness of any action taken, including corrective action;
• g) make changes to the OH&S management system, if necessary.

Corrective actions shall be appropriate to the effects or potential effects of the incidents or nonconformities encountered.
The organization shall retain documented information as evidence of:
— the nature of the incidents or nonconformities and any subsequent actions taken;
— the results of any action and corrective action, including their effectiveness. The organization shall communicate this documented information to relevant workers, and, where they exist, workers’ representatives, and other relevant interested parties.
NOTE The reporting and investigation of incidents without undue delay can enable hazards to be eliminated and associated OH&S risks to be minimized as soon as possible.

The organization shall continually improve the suitability, adequacy and effectiveness of the OH&S management system, by:

• a) enhancing OH&S performance;
• b) promoting a culture that supports an OH&S management system;
• c) promoting the participation of workers in implementing actions for the continual improvement of the OH&S management system;
• d) communicating the relevant results of continual improvement to workers, and, where they exist, workers’ representatives;
• e) maintaining and retaining documented information as evidence of continual improvement.