Welcome to our ISO 45001 FAQ's

If you have any questions, please email the ISO 45001 secretariat:  sally.swingewood@bsigroup.com


We aim to respond to questions within 28 days. You could also contact your national standards body (NSB) with your questions.

Many NSBs have a “mirror” committee which provides input to, and is represented on, ISO/TC 283 and the experts in your own country might be able to offer answers that take local context into account.


Clarifications on the intent of ISO 45001


4. Context of the organization (inc. needs & expectations; scope)

5. Leadership & worker participation

6. Planning

7. Support

8. Operation

9. Performance evaluation (inc. Procurement)

10. Improvement

Clause 4.1, 4.2, 4.3 The scope of the OH&S management system

Return to Top

Q: Can an organization with two or more sites choose to limit its scope to a single site?
A: Yes. It can include any or all sites, depending on what the organization deems appropriate.

If the OH&S management system covers only part of the organization, there must be a level of top management that has authority over what is included in the scope of the management system.
If the scope of the OH&S management system is limited to specific sites it should still include all activities or functions related to operations at that site.
It is possible for an organization to establish an OH&S management system with a limited scope – say one site – initially and over time widen that scope to the whole organization.


Q: Does the scope of ISO 45001:2018 include the image of the organization?

A:  Clause 4.1 of ISO 45001:2018 states: “The organization shall determine external… issues… relevant to its purpose and that affect its ability to achieve the intended outcomes of its OH&S management system”.   Clause 4.2 of ISO 45001:2018 states: “The organization shall determine the needs and expectations (ie requirements) of workers and other interested parties.”

Clause 5 Leadership

Return to Top


Clause 6 Planning

Return to Top


Clause 7 Support

Return to Top


Clause 8 Operation

Return to Top


Clause 8.1.4 Procurement

Q:  When an organization outsources part of its function or process to an external organization for implementation, is the external organization also to be treated as a contractor?
A :  Yes, effectively the external organization is providing a service to the organization and the requirements of and are both applicable. The definitions in the standard for contractor (3.7) and outsource (3.29) clarify these relationships


Q: Suppose there is a factory whose products have to undergo a heat treatment process, but there is no related heat treatment facilities and technology in this factory, so the heat treatment process is outsourced to an external heat treatment plant. This heat treatment plant is an independent company and is located far away from this factory. What impacts does this outsourced heat treatment process have on the OH&S performance of the organization?
A: The intended outcomes of the OH&S management system are to prevent injury and ill health to workers and to provide safe and healthy workplaces - (See 3.11 Note 1 to entry).

When a process is outsourced OH&S risks to the organization’s own workers can still arise from related activities, for example: packaging, loading and transportation of products to and from the premises of the organization providing the outsourced process. 

Clause requires that ‘outsourced functions and processes are controlled’ and that the degree of control ‘is defined within the OH&S management system’. It’s up to the organization to consider what is acceptable to them, to define how OH&S risks are controlled when an external provider is working on its behalf, and then ensure that these requirements are met.


Q: Is it correct to state that there is no need to consider the activities associated with an outsourced process that take place on the premises of the outsourced organization?

A: The above statement is incorrect. Clause of ISO 45001:2018 states:

“The organization shall ensure that outsourced functions and processes are controlled.”

And that the “type and degree of control… shall be defined within the OH&S management system”.


Q:  What is the difference between a contractor and an outsourcer? To outsource seems to be the same as using a contractor.  Or, a contractor may include outsourcing to another external organization.

A:  This is correct.  If a function or process is performed by an external organization on behalf of the organization, it has been outsourced. The external organization performing the function or process is providing a service and therefore is also a contractor.

However, if the service provided by the contractor is not part of the organization’s ‘function or process’ it is not ‘outsourced’.


The definitions in ISO 45001:2018 are:


3.7 Contractor

External organization providing services to the organization in accordance with agreed specifications, terms and conditions

Note 1 to entry: Services may include construction activities amongst others



Outsource (verb)

Make an arrangement where an external organization performs part of an organization’s function or process

Note 1: an external organization is outside the scope of the management system, although the outsourced function or process is within the scope



Q:  If an outsourcer is the same as a contractor, or it can be treated as a contractor, then why ISO 45001:2018 uses two clauses & to specify the requirements? Why doesn’t ISO 45001:2018 integrate these two clauses & into one clause?

A: ‘Outsource’ is a commonly defined term in all ISO management system standards. ISO 45001:2018 has added the term ‘contractor’ as this is often used in an OH&S context, often for services that need to be provided in the organization’s own workplace (See ISO 45001:2018 A.


Different parts of the world have differing understanding of these two terms, so it is very important that the technical definitions in ISO 45001:2018 are understood and used, rather than local understanding of the terms. Based on the definitions, any organization to which functions or processes are outsourced is a contractor


Q: A supplier is definitely not an outsourcer or a contractor, but it seems not to be addressed in the requirements of 8.1.4. Examples of suppliers include raw material suppliers, part suppliers, assembly suppliers, chemical suppliers, device suppliers, equipment suppliers, among others. Could you tell us which clause mentions the requirement of suppliers?

A:  The requirements for suppliers are stated in clause which states:

“The organization shall establish, implement and maintain a process(s) to control the procurement of products and services in order to ensure their conformity to its OH&S management system.”


There is further guidance provided in A., including:


“The organization should verify that equipment, installations and materials are safe for use by workers by ensuring

  1. Equipment is delivered according to specification and is tested to ensure it works as intended


  1. Materials are delivered according to their specifications…”


Clause 9 Performance Evaluation

Return to Top


Clause 10 Improvement

Return to Top


Clause 10.2  Incident, nonconformity and corrective action

Q:  In clause 10.2 a) 2) there is a requirement to “deal with the consequences”.

Can you please provide an example?

A: Consider an incident such as a small fire in the workplace:


10.2 a) 1) could include sounding the alarm, evacuating the affected area, and the controlling and extinguishing of the fire. 


10.2 a) 2) could include actions needed once the fire was extinguished, such as inspecting the workplace, determining whether, when and how the affected area can be returned to use, repairing damaged equipment, making alternative production arrangements etc.


In the case of a nonconformity, for example where it has been identified that confined space work has been taking place without a permit to work being in place:


10.2 a) 1) could refer to halting any current or imminent activity and removing any workers in an inadequately controlled confined space. 


10.2 a) 2) could refer to arranging for the work to resume under correctly issued permit conditions and dealing with any injuries or ill health suffered by workers who were in the inadequately controlled confined space.     


Q: In clause 10.2 b) 3) there is a requirement for “determining if similar incidents have occurred, if nonconformities exist, or if they could potentially occur”.

Can you please provide an example?

A: Consider again the incident where there has been a small fire in the workplace:


10.2 b) 3) could include determining if improper storage of combustible materials contributed to the small fire and that this factor was common to other previous incidents. This would need to be addressed to prevent a recurrence of a similar situation.


In the case of a nonconformity, for example where it has been identified that confined space work has been taking place without a permit to work being in place:


This could imply checking whether other permit to work systems, such as that for working at height, or high voltage work, are being correctly applied. Or, if the non-conformity related to confined space work undertaken by a particular contractor, checking whether other contractors undertaking confined space work are operating the permit system correctly.

Q: In clause 10.2, c) there is a requirement to “review existing assessments of OH&S risks and other risks, as appropriate (see 6.1)”.

Is the review required here review of the risk and opportunity, or review of the hazards identification, risk assessment & control (HIRAC), or both?

A: The requirement is to review existing assessments of OH&S risks and other risks


The investigation process should consider:

  • was the hazard identified during planning activities (clause 6)? If not, why not?
  • if the hazard was identified, were controls implemented to address the associated risks
  • were the controls adequate, understood and correctly implemented? (Clause 8)
  • were any risks missed or not assessed correctly?


Consider again the incident where there has been a small fire in the workplace:


10.2 c) could include determining if existing assessments of fire risk correctly estimated the likelihood and potential severity of a fire.


In the example regarding working in a confined space without a permit:


10.2 c) could include determining whether relevant existing assessments recognise the need for permits for work for particular activities, and if the use of permits is regularly monitored and appropriate action taken.


Return to Top