Health and safety compliance is non-negotiable for UK businesses — but compliance and certification are two different things. ISO 45001 is the international standard for occupational health and safety management, and an increasing number of UK businesses are being asked to hold it as a condition of winning contracts.

This guide explains what ISO 45001 actually involves, who it's most relevant for, and what the certification process looks like in practice. No consultant-speak — just the information you need to make a sensible decision.

What is ISO 45001?

ISO 45001 is an internationally recognised standard that sets out the requirements for an Occupational Health and Safety Management System (OHSMS). It was published by the International Organisation for Standardisation (ISO) in 2018 and replaced the previous OHSAS 18001 standard.

The goal of ISO 45001 is to help organisations reduce workplace injuries, ill health, and fatalities by building a structured, proactive approach to managing health and safety risks. Rather than simply reacting to incidents, it asks businesses to identify hazards, assess risks, and put controls in place before things go wrong.

Importantly, ISO 45001 uses the same High Level Structure (HLS) as ISO 9001 and ISO 14001. If you already hold either of those standards, you'll find a lot of familiar territory — the same Plan-Do-Check-Act logic, the same emphasis on leadership and continual improvement, and the same approach to documented information.

💡 Integrated management systems

If your business already holds ISO 9001 or ISO 14001, adding ISO 45001 is significantly more straightforward. Many of the documentation, internal audit, and management review requirements overlap, meaning you won't be starting from scratch.

ISO 45001 vs OHSAS 18001

If you've worked in health and safety for a while, you'll remember OHSAS 18001 — the British Standard that many businesses held before ISO 45001 came along. The two standards cover similar ground, but ISO 45001 goes further in several important ways.

  • Worker participation: ISO 45001 places much greater emphasis on involving workers — not just managers — in identifying hazards and improving the system. This is a genuine requirement, not just a box-tick.
  • Context of the organisation: Like other modern ISO standards, ISO 45001 requires you to understand your internal and external context — what factors could affect your ability to deliver safe working conditions.
  • Supply chain and contractors: ISO 45001 explicitly addresses health and safety risks that extend beyond your direct employees, including contractors, visitors, and outsourced activities.
  • Leadership accountability: Senior leaders are expected to demonstrate active commitment to the OHSMS, not just delegate it to an H&S manager and walk away.

OHSAS 18001 was formally withdrawn in 2021. If your business still references OHSAS 18001 in tenders or documentation, it's worth updating — certification bodies no longer certify to the old standard.

What does ISO 45001 require?

ISO 45001 is built around ten clauses, following the same High Level Structure as other ISO management system standards. The practical requirements break down into several core areas:

Hazard identification and risk assessment

You need a documented process for identifying health and safety hazards across all your activities, and for assessing the level of risk each hazard presents. This isn't a one-off exercise — it needs to be reviewed regularly and whenever significant changes occur.

Legal and regulatory compliance

ISO 45001 requires you to identify all applicable health and safety legislation — including the Health and Safety at Work Act 1974, COSHH regulations, RIDDOR, and any sector-specific requirements — and demonstrate that you're meeting those obligations. Note that ISO 45001 certification doesn't replace legal compliance; it works alongside it.

Objectives and performance monitoring

You must set measurable health and safety objectives and track progress against them. Typical examples include reducing reportable incidents, improving near-miss reporting rates, or completing a programme of risk assessments by a specific date.

Internal audit and management review

Like other ISO standards, ISO 45001 requires regular internal audits to check the system is working as intended, and periodic management reviews to consider performance data and make decisions about improvements.

Incident investigation

When things do go wrong — accidents, near misses, dangerous occurrences — ISO 45001 requires a structured process for investigating root causes and implementing corrective actions, not just recording what happened.

⚠️ Don't confuse documentation with management

A common mistake businesses make when implementing ISO 45001 is producing lots of paperwork but not actually changing how health and safety is managed day-to-day. Certification auditors are trained to spot the difference. Your system needs to be lived, not just documented.

Who needs ISO 45001?

ISO 45001 is relevant to any organisation, regardless of size or sector. That said, certain types of UK business are most likely to benefit from — or be required to achieve — certification.

  • Construction and civil engineering: Many main contractors now require ISO 45001 (or OHSAS 18001 historically) from subcontractors as a prequalification requirement.
  • Manufacturing: Businesses operating heavy machinery, chemicals, or complex production environments often pursue ISO 45001 both for risk management and to satisfy client or insurer requirements.
  • Facilities management and maintenance: Companies working on client premises are increasingly expected to demonstrate formal H&S management.
  • Public sector suppliers: Framework agreements and government contracts frequently list ISO 45001 (or equivalent) as a selection criterion.
  • Logistics and warehousing: With high rates of workplace injury in the sector, ISO 45001 is increasingly common as both a risk management tool and a commercial differentiator.

ISO 45001 isn't just about avoiding incidents — it's about demonstrating to clients, insurers, and your own workforce that you take health and safety seriously at a structural level.

Smaller businesses sometimes assume ISO 45001 is only for large organisations. In reality, the standard scales well — the level of documented complexity expected from a 15-person engineering firm is very different from what's expected of a 500-person manufacturer. What matters is that your system is proportionate and effective for your context.

How long does certification take?

For most UK SMEs implementing ISO 45001 from scratch, the process typically takes between four and twelve months. Where you fall in that range depends on several factors:

  • How mature your existing health and safety arrangements are
  • The complexity and risk profile of your operations
  • Whether you have dedicated internal resource to drive the project
  • Whether you're implementing ISO 45001 alongside other standards

The formal certification process itself involves two stages: a Stage 1 audit (a documentation review to check your system is ready) followed by a Stage 2 audit (an on-site assessment of whether the system is implemented and working). After initial certification, you'll have annual surveillance audits and a full recertification audit every three years.

Choosing a certification body

To achieve recognised ISO 45001 certification in the UK, you need to be certified by a UKAS-accredited certification body. UKAS (the United Kingdom Accreditation Service) is the national accreditation body, and their accreditation is what gives your certificate credibility with clients and procurement teams.

Well-known UKAS-accredited bodies operating in the UK include BSI, Bureau Veritas, Lloyd's Register, SGS, and NQA, among others. It's worth getting quotes from more than one, as audit day rates and the overall approach to certification can vary significantly.

When comparing certification bodies, consider:

  • Whether they have auditors with relevant sector experience
  • Their approach to remote versus on-site auditing
  • The clarity and transparency of their contract terms
  • Turnaround times for scheduling audits

💡 Check the UKAS directory

You can verify whether a certification body is UKAS-accredited for ISO 45001 by searching the directory at ukas.com. Always check before committing — not all bodies offering "ISO certification" hold full UKAS accreditation.

Take the free readiness assessment

If you're considering ISO 45001 certification and want to understand where your business currently stands, ISOKnow's free readiness assessment is a good place to start. It takes around five minutes and gives you a clear picture of how prepared your organisation is — and where the gaps are likely to be.

Whether you're at the very beginning of your ISO journey or already have health and safety processes in place that you want to formalise, the assessment will help you think through what's involved before you commit to anything.

Visit isoknow.co.uk to take the free ISO readiness assessment today.