Welcome to our ISO 45001 FAQ page
If you have any questions, please email the ISO 45001 secretariat: email@example.com.
We aim to respond to questions within 28 days. You could also contact your national standards body (NSB) with your questions.
Many NSBs have a “mirror” committee which provides input to, and is represented on, ISO/TC 283 and the experts in your own country might be able to offer answers that take local context into account.
Clarifications on the intent of ISO 45001
Clause 4.1, 4.2, 4.3 The scope of the OH&S management system
Q: Can an organization with two or more sites choose to limit its scope to a single site?
A: Yes. It can include any or all sites, depending on what the organization deems appropriate.
If the OH&S management system covers only part of the organization, there must be a level of top management that has authority over what is included in the scope of the management system.
If the scope of the OH&S management system is limited to specific sites it should still include all activities or functions related to operations at that site.
It is possible for an organization to establish an OH&S management system with a limited scope – say one site – initially and over time widen that scope to the whole organization.
Q: Does the scope of ISO 45001:2018 include the image of the organization?
A: Clause 4.1 of ISO 45001:2018 states: “The organization shall determine external… issues… relevant to its purpose and that affect its ability to achieve the intended outcomes of its OH&S management system”. Clause 4.2 of ISO 45001:2018 states: “The organization shall determine the needs and expectations (ie requirements) of workers and other interested parties.”
Clause 8.1.4 Procurement
Q: When an organization outsources part of its function or process to an external organization for implementation, is the external organization also to be treated as a contractor?
A : Yes, effectively the external organization is providing a service to the organization and the requirements of 188.8.131.52 and 184.108.40.206 are both applicable. The definitions in the standard for contractor (3.7) and outsource (3.29) clarify these relationships
Q: Suppose there is a factory whose products have to undergo a heat treatment process, but there is no related heat treatment facilities and technology in this factory, so the heat treatment process is outsourced to an external heat treatment plant. This heat treatment plant is an independent company and is located far away from this factory. What impacts does this outsourced heat treatment process have on the OH&S performance of the organization?
A: The intended outcomes of the OH&S management system are to prevent injury and ill health to workers and to provide safe and healthy workplaces - (See 3.11 Note 1 to entry).
When a process is outsourced OH&S risks to the organization’s own workers can still arise from related activities, for example: packaging, loading and transportation of products to and from the premises of the organization providing the outsourced process.
Clause 220.127.116.11 requires that ‘outsourced functions and processes are controlled’ and that the degree of control ‘is defined within the OH&S management system’. It’s up to the organization to consider what is acceptable to them, to define how OH&S risks are controlled when an external provider is working on its behalf, and then ensure that these requirements are met.
Q: Is it correct to state that there is no need to consider the activities associated with an outsourced process that take place on the premises of the outsourced organization?
A: The above statement is incorrect. Clause 18.104.22.168 of ISO 45001:2018 states:
“The organization shall ensure that outsourced functions and processes are controlled.”
And that the “type and degree of control… shall be defined within the OH&S management system”.
Q: What is the difference between a contractor and an outsourcer? To outsource seems to be the same as using a contractor. Or, a contractor may include outsourcing to another external organization.
A: This is correct. If a function or process is performed by an external organization on behalf of the organization, it has been outsourced. The external organization performing the function or process is providing a service and therefore is also a contractor.
However, if the service provided by the contractor is not part of the organization’s ‘function or process’ it is not ‘outsourced’.
The definitions in ISO 45001:2018 are:
External organization providing services to the organization in accordance with agreed specifications, terms and conditions
Note 1 to entry: Services may include construction activities amongst others
Make an arrangement where an external organization performs part of an organization’s function or process
Note 1: an external organization is outside the scope of the management system, although the outsourced function or process is within the scope
Q: If an outsourcer is the same as a contractor, or it can be treated as a contractor, then why ISO 45001:2018 uses two clauses 22.214.171.124 & 126.96.36.199 to specify the requirements? Why doesn’t ISO 45001:2018 integrate these two clauses 188.8.131.52 & 184.108.40.206 into one clause?
A: ‘Outsource’ is a commonly defined term in all ISO management system standards. ISO 45001:2018 has added the term ‘contractor’ as this is often used in an OH&S context, often for services that need to be provided in the organization’s own workplace (See ISO 45001:2018 A.220.127.116.11.).
Different parts of the world have differing understanding of these two terms, so it is very important that the technical definitions in ISO 45001:2018 are understood and used, rather than local understanding of the terms. Based on the definitions, any organization to which functions or processes are outsourced is a contractor
Q: A supplier is definitely not an outsourcer or a contractor, but it seems not to be addressed in the requirements of 8.1.4. Examples of suppliers include raw material suppliers, part suppliers, assembly suppliers, chemical suppliers, device suppliers, equipment suppliers, among others. Could you tell us which clause mentions the requirement of suppliers?
A: The requirements for suppliers are stated in clause 18.104.22.168 which states:
“The organization shall establish, implement and maintain a process(s) to control the procurement of products and services in order to ensure their conformity to its OH&S management system.”
There is further guidance provided in A.22.214.171.124, including:
“The organization should verify that equipment, installations and materials are safe for use by workers by ensuring
- Equipment is delivered according to specification and is tested to ensure it works as intended
- Materials are delivered according to their specifications…”