Clause-by-clause explanation of

ISO 45001:2018

Copyright ©2019 Advisera Expert Solutions Ltd. All rights reserved.

Copyright © 2019 Advisera Expert Solutions Ltd. All rights reserved. 1
Table of Contents

Introduction .......................................................................................................................................................................3
1. Process and process approach .................................................................................................................................3
2. Process approach impact...........................................................................................................................................4
3. The Plan-Do-Check-Act cycle ....................................................................................................................................4
4. Context of the organization ......................................................................................................................................5
5. Leadership......................................................................................................................................................................6
6. Planning ..........................................................................................................................................................................7
7. Support ...........................................................................................................................................................................9
8. Operation .....................................................................................................................................................................11
9. Performance evaluation ..........................................................................................................................................12
10. Improvement............................................................................................................................................................13
Conclusion ........................................................................................................................................................................14
Sample of documentation templates .......................................................................................................................14
References ........................................................................................................................................................................14

Copyright © 2019 Advisera Expert Solutions Ltd. All rights reserved. 2

Introduction
Occupational health & safety systems are often regarded by modern business leaders as systems that
provide the means to meet occupational health & safety compliance and regulatory legislation. However,
this outlook can prevent a properly constructed Occupational Health & Safety (OH&S) Management
System from reaching its full potential, which provides financial, economic, and reputational benefits as
well as the obvious occupational health & safety benefits. Whether standing alone or integrated with
another management system, such as ISO 9001 (quality) or ISO 14001 (environmental), the clauses of the
ISO 45001:2018 standard provide guidance and direction on how an organization should manage and
mitigate its occupational health & safety risks. Understanding how to use the standard intelligently can
bring many benefits to an organization of any size.

This handbook is designed to help employees involved in establishing and maintaining an OH&S
Management System within their respective organizations. Each clause will be explained in the same
order, with identical clause numbers, as the ISO 45001:2018 international standard clauses themselves,
and links to supplementary learning materials will also be provided in the text to help the reader.

Tip: For more information on specific aspects of ISO 45001, see this webpage: ISO 45001 Webinars.

1. Process and process approach

1.1 Terms and definitions
Process: This can be defined as a series of activities and actions that can be repeated consistently to
produce a transformation from a series of inputs into a defined output.

Process approach: Occupational health & safety systems, similarly to other management systems, use a
combination of sequences and interactions to produce a desired output. When all activities and actions
are managed, together with consideration towards each other and the end result, this method is known
as the “process approach.” A process approach will also specify the responsibilities of process owners,
rather than providing generic responsibilities. Therefore, when a company has an OH&S Management
System that is considered to be an active and fluid system, taking into account all variables and their
effects on the objectives – this is considered a process approach.

Inputs: These are a collection of elements that may be required to feed a process, for example resources,
raw materials, and machinery.

Outputs: These are the results of a process, whether desirable or undesirable outputs, such as wastage
or pollution. It should be noted that an output is not always a final element, but may only be the input
into the next process in a chain.

Copyright © 2019 Advisera Expert Solutions Ltd. All rights reserved. 3

2. Process approach impact
Using the process approach is a critical part of compliance and certification according to the ISO
45001:2018 standard, but it does not guarantee occupational health & safety or financial benefit in
isolation. However, a process-based Occupational Health & Safety Management System is a useful tool
that provides continuity through operations, creating a link between policies, requirements,
performance, objectives, and actions, and thereby reducing negative impacts to occupational health &
safety.

The process approach, therefore, becomes the most effective method of managing and mitigating
occupational health & safety hazards and risks, given that it allows for a more analytical and systemic view
of process interactions and their effects, rather than focusing on more local problems that arise within
the process. The management of the OH&S Management System by a system that has been developed
with a full understanding of the relationship of the interacting processes and their effects will yield more
short- and long-term benefits to the organization seeking to implement and maintain ISO 45001:2018.

3. The Plan-Do-Check-Act cycle

The “Plan-Do-Check-Act” cycle (PDCA) is critical to the operation of the Occupational Health & Safety
Management System as specified by ISO 45001:2018, in terms of achievement against set objectives and
continual improvement. It can be described as follows:

Plan: the establishment of objectives, and the processes that may deliver them, in harmony with the
Occupational Health & Safety Policy established by the organization

Do: the implementation of the planned processes

Check: the monitoring and measuring of results versus the Occupational Health & Safety Policy, including
all commitments, objectives, and criteria, and the reporting of them

Act: the consequent actions taken to ensure continual improvement

It should be noted that the PDCA cycle is a recognized management system methodology that is used
across various business management systems, but its use is both compulsory and highly beneficial within
ISO 45001:2018. The standard is written so that the sections of the ISO 45001:2018 standard easily fit into
this PDCA cycle.

Copyright © 2019 Advisera Expert Solutions Ltd. All rights reserved. 4

4. Context of the organization
4.1 Understanding the organization and its context
This clause is found in all ISO management system standards, and it requires the organization to
determine all internal and external issues that may be relevant to the achievement of the objectives of
the OH&S Management System itself. This includes all elements which are, and may be capable of,
affecting these objectives and outcomes in the future.

Tip: For more information on this topic, see the article Defining the context of the organization according
to ISO 45001.

4.2 Understanding the needs and expectations of interested parties

The standard now requires the organization to assess who the interested parties are in terms of its OH&S
Management System, what their needs and expectations may be, and consequently, if any of these should
become compliance obligations.

Tip: For more information on this topic, see the article Determining interested parties according to ISO
45001.

4.3 Determining the scope of the OH&S Management System

The scope and boundaries of the OH&S Management System must now be thoroughly examined and
defined considering the aforementioned interested parties and their needs, plus resulting compliance
obligations. Also requiring consideration are the OH&S Management System functions and physical
boundaries, and all products, services, and activities, including the organization’s ability to exert control
on external factors, with the results of the whole definition included in the OH&S Management System
and kept critically as “documented information.”

Tip: For more information on this topic, see the article How to determine scope of the OH&SMS.

4.4 OH&S Management System

The standard indicates that an OH&S Management System should be established to achieve the desired
outcomes by using interacting processes to deliver continual improvement. The ultimate objective is to
improve the organization’s occupational health & safety performance.

Copyright © 2019 Advisera Expert Solutions Ltd. All rights reserved. 5

5. Leadership
5.1 Leadership and commitment
This clause reminds the user that the organization and top management retain responsibility for the
performance of all internal and external performance factors at all times. It therefore makes perfect sense
that the Occupational Health & Safety Policy and objectives are aligned with each other, and with the
strategic policies and overall direction of the business, including integration with other business systems,
where applicable. Provision must be made for resources to ensure that the OH&S Management System
can be operated efficiently, and top management must ensure that the people with responsibility within
the OH&S Management System have the correct support, training, and guidance to complete their tasks
effectively. Communication is also critical from a leadership perspective, and communication methods
and frequencies must be defined and established for both internal and external interested parties. In
summary, it is the responsibility of the leadership of the organization to show an enhanced level of
leadership, involvement, and co-operation in the operation of the OH&S Management System.

5.2 Occupational Health & Safety Policy

Top management has the responsibility to establish the previously mentioned Occupational Health &
Safety Policy, which is appropriate for the organization in terms of the size, scope, activities, and
ambitions of the organization, and provides a formal framework for setting objectives. Obviously, the
policy should include a commitment to eliminate hazards and reduce risks, to prevent workplace injury,
and to consult with workers. Meeting compliance and regulatory factors is clearly another key element,
and a method of capturing and recording this must be established. Finally, and vitally, the Occupational
Health & Safety Policy must provide a commitment to the continual improvement of the OH&S
Management System and its results. Critically, the Occupational Health & Safety Policy must be
maintained as documented information, be communicated within the organization, and be available to
all interested parties, as appropriate.
Tip: For more information on this topic, please see the article How to write an OH&S Policy.

5.3 Organizational Roles, responsibilities, and authorities

The standard states that it is the responsibility of top management to ensure that roles, responsibilities,
and authorities are delegated and communicated effectively. The responsibility shall also be assigned to
ensure that the OH&S Management System meets the terms of the 45001:2018 standard itself, and that
the performance of the OH&S Management System can be reported accurately to top management.

5.4 Consultation and participation of workers

When it comes to the health & safety of workers, it is vital that these same workers are consulted about
the OH&S Management System and participate in implementing the processes necessary to secure a safe
workplace. To this end, the organization needs to determine the processes necessary to consult with
workers at all levels of the organization in all aspects of development, planning, implementation,
performance evaluation, and improvement actions of the OH&S Management System.
Tip: For more information on this topic, see the article How to meet participation and consultation
requirements in ISO 45001.

Copyright © 2019 Advisera Expert Solutions Ltd. All rights reserved. 6

6. Planning
6.1 Actions to address risks and opportunities
6.1.1 General
This clause replaced “preventive action” in the previous OHSAS 18001 standard. The current standard
states that the organization should establish, implement, and maintain the processes needed to address
the requirements of the whole of the planning section itself. When planning the OH&S Management
System, considerations need to be made regarding the context of the organization (section 4.1) and the
needs and expectations of interested parties (section 4.2), as well as the scope of the OH&S Management
System.

Risk and opportunity must be considered with respect to these elements, as well as legal and regulatory
issues, and the organization’s Occupational Health & Safety hazards themselves. This outcome needs to
ensure that the OH&S Management System can meet its intended outcomes and objectives, that any
external factors that may affect performance are avoided, and that continual improvement can be
achieved.

In terms of emergency situations, the organization is required to determine any situations that may occur
and have a resulting occupational health & safety risk. Again, it is vital that documented information is
retained concerning the risks and opportunities considered and addressed in the planning phase in order
to satisfy the terms of the clause.

Tip: For additional information on this topic, click on the article What are the new requirements for risks
and opportunities according to ISO 45001?

6.1.2 Hazard identification and assessment of risks and opportunities

ISO 45001:2018 asks organizations to consider, in a proactive manner, all occupational health & safety
hazards within the organization’s control. Changes or planned future changes to services also have to be
taken into account, as do any abnormal situations that may arise that are reasonable for the organization
to predict – for example, if you are about to launch a new product that needs radically new production
processes or materials. Again, the organization needs to maintain documented information on this clause
and its elements, and communication to the appropriate levels with effective frequency needs to be
planned and undertaken. In terms of documented information, if you ensure that all actual and associated
risks, the criteria you use to define them, and your significant occupational health & safety risks are
documented, then you will satisfy the terms of this clause.

Tip: For more information on this topic, see the article How to identify and classify OH&S hazards.

6.1.3 Determination of legal and other requirements

This is a relatively straightforward, but obviously vital part of the ISO 45001:2018 standard. The
organization must decide what legal and other requirements are related to its occupational health &
safety hazards and how to best access them, decide how they apply to the organization, and take them

Copyright © 2019 Advisera Expert Solutions Ltd. All rights reserved. 7

into consideration when establishing, operating, and delivering continual improvement through the
OH&S Management System. Documented evidence needs to be recorded for these obligations, also.

Tip: For more information on this topic, see the article How to identify and comply with legal requirements
in ISO 45001.

6.1.4 Planning actions

In this clause, the standard states that the organization shall plan to take actions to address its
occupational health & safety hazards, risks and opportunities, and compliance obligations, all of which
we have discussed above. These also need to be implemented into the organization’s OH&S Management
System and associated business processes. The task of evaluating the effectiveness of these actions also
must be considered, with technological, financial, and operational considerations all taken into account.

6.2 Occupational health & safety objectives and planning to achieve them
6.2.1 Occupational health & safety objectives
The standard advises that occupational health & safety objectives should be established at appropriate
levels and intervals, having considered the identified occupational health & safety hazards, risks and
opportunities, and compliance obligations. The characteristics of the set objectives are important, too:
they need to be consistent with the organization’s Occupational Health & Safety Policy, measurable where
possible, able to be monitored, communicated effectively, and be such that they can be updated when
circumstances require. Once more, it is mandatory that documented information is kept outlining this
process and its outputs.

Tip: For more information on this topic, see the article How to define ISO 45001 objectives and plans.

6.2.2 Planning to achieve occupational health & safety objectives

The standard advises on the elements that need to be determined to ensure that objectives can be
achieved. This can be thought of in terms of what needs to be done, when it needs to be done by, what
resources are required to achieve it, who is responsible for the objectives being achieved, how results are
to be measured and progress ensured, and consideration on how these objectives can be implemented
within existing business systems.

Tip: Click here to see an example of an OH&S objectives template.

Copyright © 2019 Advisera Expert Solutions Ltd. All rights reserved. 8

7. Support
7.1 Resources
Simply put, the standard advises the organization that the resources required to achieve the stated
objectives and show continual improvement must be made available.

7.2 Competence
Employee competence must meet the terms of the ISO 45001:2018 standard by ensuring that the people
given responsibility for OH&S Management System tasks are capable and confident. Related to this, it
stands to reason that the experience, training, and/or education of the individual must be of the required
standard, and that any necessary training is identified and delivered – with measurable actions taken
externally or internally to ensure that this level of competence exists. Predictably, this process and its
outputs need to be recorded as documented information for the OH&S Management System.

7.3 Awareness
Awareness is closely related to competence in the standard. Employees must be made aware of the
Occupational Health & Safety Policy and its contents, any current and future impacts that may affect their
tasks, what their personal performance means to the OH&S Management System and its objectives,
including the positives or improved performance, and what the implications of poor performance may be
to the OH&S Management System. Additionally, the standard demands that workers be aware that they
can remove themselves from work situations that they consider to be a danger to their life or health.

7.4 Communication
7.4.1 General
Processes for internal and external communication need to be established and recorded as documented
information within the OH&S Management System. The key elements that need to be decided, actioned,
and recorded are what needs to be communicated, how it should be done, who needs to receive the
communication, and at what intervals it should be done. It should be noted here that any communication
outputs should be consistent with related information and content generated by the OH&S Management
System for the sake of consistency.

Tip: For more information on communication, see the article Case study: Health & safety communication
compliant with OHSAS 18001.

7.4.2 Internal communication

The standard advises the organization that information should be communicated at various levels and
with various frequencies as deemed suitable, and that the organization must ensure that the nature and
frequency of communication allows continual improvement to result from the communication process
itself.

Copyright © 2019 Advisera Expert Solutions Ltd. All rights reserved. 9

7.4.3 External communication
Once again, the organization is advised by the standard to ensure that communication relevant to the
OH&S Management System takes place as per the established process, with the goal of ensuring that
compliance obligations and objectives are met.

Tip: Click here to see an example of a Record of external communication.

7.5 Documented information

7.5.1 General
“Documented information,” which you will have seen mentioned several times during this guide, refers
to the documents and records that are necessary for the OH&S Management System. The requirements
are designed to allow each organization to have the ability to shape documented information to their
own requirements in general, with the exception of the mandatory components mentioned specifically
in the standard and, therefore, this guide. The ISO 45001:2018 standard advises us that the OH&S
Management System should include all documented information that it declares mandatory, and
anything viewed as critical to the OH&S Management System and its operation. It should also be noted
that the amount of documented information that an organization requires would differ according to the
size, operating sector, and complexity of compliance obligations faced by the business.

For more information on this topic, please see the article: New approach to ISO 45001 documentation.

7.5.2 Creating and updating

The standard advises that documentation created by the OH&S Management System needs to include
appropriate identification, description, and format so that it is can be easily understood what the
documented information is for. There is also a need to review and approve the documented information
for suitability and accuracy before release.

For more information, please take a look at this useful handbook: Managing ISO Documentation: A Plain
English Guide.

7.5.3 Control of documented information

The standard advises that documentation created by the OH&S Management System should be available
and fit for purpose where and when needed, reasonably protected against damage or loss of integrity
and identity, and that the processes of distribution, retention, access, retrieval, preservation and storage,
control, and disposition are adequately provided for. It should be noted that documented information
from external sources should be similarly controlled and handled, and that viewing and editing access
levels should be carefully considered and controlled.

To learn more about this topic, please see the article: List of mandatory documents according to ISO 45001.

You can use this free ISO online tool for handling your documentation, i.e., using it as a document
management system (DMS).

Copyright © 2019 Advisera Expert Solutions Ltd. All rights reserved. 10

8. Operation
8.1 Operational control and planning
While the standard acknowledges that operational control will greatly depend on the size, nature,
compliance obligations, and occupational health & safety hazards of an organization, the scope is given
to the individual organization to plan and ensure the desired results are achieved. The methods suggested
by the standard are that processes should be designed in such a way that consistency is guaranteed and
error eliminated, technology is used to improve control, and it is ensured that personnel are trained and
competent. Processes should be performed in an agreed and prescribed manner; those processes should
be measurable, and the documented information should match the requirements to ensure operational
control.
An essential part of operational control lies in eliminating hazards and reducing OH&S risks. This can be
carried out through a hierarchy of controls, from elimination of the hazard to the use of personal
protective equipment. Change in the OH&S Management System also needs to be managed in order to
maintain the integrity of the OH&S performance. Procurement, including contractors and outsourcing of
functions and processes, must also be considered and controlled. Appropriate measures must be taken
to define and control the competency of outsourced service suppliers, including their effect on the OH&S
Management System processes. As ever, opportunities for improvement must always be considered and
identified.
The standard also recognizes that the degree of control the organization has over an outsourced product
or service can vary from absolute, if taking place onsite, to very little, if the activity takes place remotely.
However, it is suggested that there are factors that, nonetheless, should be considered. As expected,
compliance obligations should be considered and controlled, all direct and associated occupational health
& safety risks should be evaluated and controlled, as should risks and opportunities associated with the
provision of the service itself.
Tip: For more information on this topic, see the article How to implement operational control in ISO
45001.

8.2 Emergency preparedness and response

Emergency preparedness and response is a key element in the mitigation of occupational health & safety
risk. The standard informs us that it is the responsibility of the organization to be prepared, and a number
of elements should be considered and planned for. Actions to mitigate incidents must be developed, as
well as internal and external communication methods and appropriate methods for emergency response.
Consideration of varying types of occupational health & safety incidents needs to be made, as do root
cause analysis and corrective action procedures to respond to incidents after they occur. Regular
emergency response testing and relevant training need to be considered and undertaken, and assembly
routes and evacuation procedures defined and communicated. Lists of key personnel and emergency
agencies (think clean-up agencies, local emergency services, and local occupational health & safety offices
or agencies) should be established and made available, and it is often good practice to form partnerships
with similar neighboring organizations with whom you can share mutual services and provide help in the
event of an occupational health & safety incident.
Tip: For more information on this topic, see the article How to be prepared for a health and safety
incident.

Copyright © 2019 Advisera Expert Solutions Ltd. All rights reserved. 11

9. Performance evaluation
9.1 Monitoring, measuring, analysis, and evaluation
9.1.1 General
The organization not only has to measure occupational health & safety progress, but it should also
consider its significant hazards, compliance obligations, and operational controls when tackling this
clause. The methods established should have considerations to ensure that the monitoring and measuring
periods are aligned with the needs of the OH&S Management System for data and results; that the results
are accurate, consistent, and can be reproduced; and that the results can be used to identify trends. It
should also be noted that the results should be reported to the personnel with the authority and
responsibility to initiate action on the basis of the outputs themselves.

Tip: For more information on this topic, see the article What is the purpose and structure of the Health &
Safety hazard evaluation record?

9.1.2 Evaluation of compliance

The standard recognizes that evaluation requirements will vary from organization to organization based
on factors such as size, compliance obligations, sector worked in, past history and performance, and so
on, but suggests that regular evaluation is always required. If the result of a compliance evaluation reveals
that a legal requirement is unfulfilled, the organization needs to assess what action is appropriate,
possibly up to contacting a regulatory body and agreeing on a course of action for repair. This agreement
will now see this obligation become a legal requirement. Where a non-compliance is identified by the
OH&S Management System and corrected, it does not automatically become a non-conformity.

Tip: For more practical assistance with compliance evaluation, see this template for a Compliance
Evaluation Record.

9.2 Internal Audit

9.2.1 General
Internal audits and auditors should be independent and have no conflict of interest over the audit subject,
the standard reminds us, and it should be noted that non-conformities should be subject to corrective
action. When considering the results of previous audits, the results of previous internal and external
audits and any previous non-conformities and resulting actions to repair them should be taken into
account.

TIP: For more information on this topic, see the article How to perform internal audits in ISO 45001.

9.2.2 Internal audit program

The 45001:2018 standard refers us to ISO 19011 for the internal audit program, but when you are
establishing your program there are several rules you can subscribe to in order to ensure that your
program is effective. Base your internal audit frequency on what is reasonable for your organization in

Copyright © 2019 Advisera Expert Solutions Ltd. All rights reserved. 12

terms of size, sector you operate in, compliance obligations, and risk to the health and safety of workers.
Decide what is reasonable for you, whether that is bi-annually, quarterly, or whatever you deem suitable.
Keep in mind that this schedule can be changed, preferably through management review and leadership
guidance, in the event of changes that necessitate extra internal audit activity.

Tip: Please click ISO 45001 Internal Audit Toolkit to learn more details about the internal audit process.

9.3 Management Review

It should be noted that, contrary to popular belief, the management review does not have to be done all
at once; it can be a series of high-level or board meetings with topics tackled individually, although it
should be on a strategic and top management level. Complaints from interested parties should be
reviewed by top management, with resultant improvement opportunities identified. It should be
remembered that the management review generally is the one function that must be carried out
accurately and diligently to ensure that the function of the OH&S Management System and all resulting
elements can follow suit. It goes without saying that all details and data from the management review
must be documented and recorded to ensure that the OH&S Management System can follow the specific
requirements and general strategic direction for the organization detailed there.

Tip: For more information on this topic, see the article How to perform the initial management review in
ISO 45001.

10. Improvement
10.1 General
Outputs from management reviews, internal audits, and compliance and performance evaluations should
all be used to form the basis for improvement actions. Improvement examples could include corrective
action, reorganization, innovation, and continual improvement programs.

10.2 Nonconformity and corrective action

Prevention of incidents and elimination of hazards is a key facet of the OH&S Management System, and
this is specifically addressed in the definition of organizational context (4.1) and assessing risks and
opportunities (6.1). Taking action to correct and control problems when they occur, and then to
investigate and take corrective action for the root causes of these problems when it is necessary, are
critical to prevent recurrence of process nonconformity.

Tip: For more information on this topic, see the article: Using corrective actions to eliminate
nonconformities and drive health & safety improvements.

Tip: Click here to see a template for the Procedure for the management of nonconformities and corrective
actions to help you with this process.

Copyright © 2019 Advisera Expert Solutions Ltd. All rights reserved. 13

10.3 Continual improvement
Through all of the actions to improve the overall OH&S Management System, the organization can achieve
enhanced OH&S performance and promote a culture that supports worker participation in making the
OH&S Management System better.

Conclusion
ISO 45001:2018 provides organizations with guidance to mitigate occupational health & safety risks and
reduce impacts within the organization. The ultimate goal of ISO 45001:2018 implementation is to
improve occupational health & safety performance; but, delivering on all of the clauses of the standard
and truly understanding them can benefit your organization in many ways. Accreditation and compliance
can bring reputational, motivational, and financial benefits to your organization through improved
efficiency and reductions in injuries, along with improvements in your procurement chain. All of these
elements are closely related to your organization’s ability to deliver satisfaction to your customers, and
fulfill the expectations and wishes of your stakeholders, while protecting the health & safety of your
workers. Bearing all of this in mind, can your organization afford not to have ISO 45001:2018?

Why not use a gap analysis tool to assess where your organization and its OH&S Management System
stand against formal requirements? Try this free online ISO 45001 Gap Analysis Tool.

Sample of documentation templates

You can also download a free preview of the ISO 45001 Documentation Toolkit. This will allow you to see
samples of policies and procedures used in the implementation of ISO 45001:2018.

References
45001Academy

International Organization for Standardization

Copyright © 2019 Advisera Expert Solutions Ltd. All rights reserved. 14

 Advisera Expert Solutions Ltd Email: support@advisera.com
for electronic business and business consulting U.S. (international): +1 (646) 759 9933
Zavizanska 12, 10000 Zagreb United Kingdom (international): +44 1502 449001
Croatia, European Union Toll-Free (U.S. and Canada): 1-888-553-2256
Toll-Free (United Kingdom): 0800 808 5485
Australia: +61 3 4000 0020

Copyright © 2019 Advisera Expert Solutions Ltd. All rights reserved. 15