ISO 45001:2018 Self-Assessment

Evaluate your Occupational Health and Safety Management System against ISO 45001:2018 requirements. Rate each clause item from 0 (Not Started) to 5 (Optimal) and track your readiness with live scoring.

  • 0: Not Started
  • 1: Awareness
  • 2: Developing
  • 3: Established
  • 4: Advanced
  • 5: Optimal

Clause 4: Context of the Organisation
4.1 Understanding the Organisation and Its Context
The organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of the OH&S management system. This includes understanding the needs of workers and other interested parties.

Evidence Checklist

  • Documented analysis of external issues (legal, regulatory, economic, social, technological, competitive)
  • Documented analysis of internal issues (culture, governance, resources, workforce demographics)
  • SWOT or PESTLE analysis reviewed at defined intervals
  • Context review outputs referenced in OH&S planning documents

Audit Questions

  • How does the organisation identify and monitor external and internal issues relevant to OH&S?
  • How is this context information used to inform the OH&S management system?
  • How frequently is the context review updated and who is responsible?
Fully Compliant Looks Like: A documented context analysis process exists and is actively maintained. External factors (legal changes, market pressures) and internal factors (staff turnover, safety culture) are identified and reviewed at least annually. The outputs directly inform risk assessment and OH&S planning.
Common Gaps: No documented context analysis; context review is a one-off exercise not regularly updated; failure to link context findings to OH&S risk assessment or objectives.
4.2 Understanding the Needs and Expectations of Workers and Other Interested Parties
The organisation shall determine the needs and expectations of workers and other interested parties that are relevant to the OH&S management system, including applicable legal and other requirements.

Evidence Checklist

  • Register of interested parties and their relevant needs/expectations
  • Documented engagement with workers (surveys, meetings, consultation records)
  • Communication records with regulators, contractors, and other parties
  • List of applicable legal and other requirements derived from interested party analysis

Audit Questions

  • Who are the interested parties relevant to the OH&S system?
  • What methods are used to capture and review their needs and expectations?
  • How are these needs reflected in the OH&S management system design?
Fully Compliant Looks Like: A maintained register of interested parties (workers, contractors, regulators, neighbours, unions) and their relevant needs. Evidence shows systematic engagement with workers and periodic updates. Stakeholder input is clearly linked to OH&S objectives and risk controls.
Common Gaps: Interested party register is incomplete or not updated; worker consultation is informal and undocumented; no clear link between stakeholder needs and OH&S system planning.
4.3 Scope of the OH&S Management System
The organisation shall establish the boundaries and applicability of the OH&S management system to determine its scope. The scope shall be documented and made available to interested parties.

Evidence Checklist

  • Documented scope statement for the OH&S management system
  • Scope considers context (4.1) and interested parties (4.2)
  • Geographic boundaries, organisational units, and activities covered are defined
  • Scope statement is communicated and available to stakeholders

Audit Questions

  • What is the scope of the OH&S management system and how was it determined?
  • Does the scope exclude any activities or locations and is the rationale justified?
  • How is the scope communicated to workers and other interested parties?
Fully Compliant Looks Like: A clear, documented scope statement that defines which sites, functions, and activities are covered. The scope is consistent with the context analysis and considers the needs of interested parties. It is maintained as documented information and readily accessible.
Common Gaps: Scope is vague or missing; exclusions are made without justification; scope not aligned with context analysis; scope document is not communicated or available to workers.
4.4 OH&S Management System and Its Processes
The organisation shall establish, implement, maintain, and continually improve an OH&S management system including the processes needed and their interactions, in accordance with the requirements of ISO 45001.

Evidence Checklist

  • OH&S management system manual or process map showing system interactions
  • Defined processes for hazard identification, risk assessment, operational control, emergency response, etc.
  • Documented procedures or process descriptions for each required element
  • Evidence of process interaction and integration with business processes

Audit Questions

  • How does the organisation ensure all required OH&S processes are established and maintained?
  • How are the interactions between different OH&S processes managed?
  • How does the organisation ensure the OH&S system is integrated with business processes?
Fully Compliant Looks Like: A coherent OH&S management system with clearly defined and interconnected processes. Process interactions are understood, documented, and managed. The system is integrated into day-to-day operations, not treated as a standalone compliance exercise.
Common Gaps: Processes exist in silos with no defined interactions; documentation is fragmented or missing; system is treated as a paper exercise not embedded in operations; no process ownership assigned.
Clause 5: Leadership and Worker Participation
5.1 Leadership and Commitment
Top management shall demonstrate leadership and commitment with respect to the OH&S management system by taking accountability for its effectiveness, ensuring policy and objectives are established, integrating OH&S into business processes, and providing necessary resources.

Evidence Checklist

  • Top management signed OH&S policy statement
  • Management review meeting minutes with attendance and decisions
  • Resource allocation records (budget, staffing, training for OH&S)
  • Evidence of leadership engagement in incident reviews and safety communications

Audit Questions

  • How does top management demonstrate visible leadership for OH&S?
  • How does management ensure OH&S requirements are integrated into business processes?
  • What resources has top management provided for the OH&S system?
Fully Compliant Looks Like: Top management actively champions OH&S through visible leadership, adequate resourcing, and active participation in management reviews and incident investigations. OH&S is a standing agenda item at board/executive meetings. Managers at all levels are held accountable for OH&S performance.
Common Gaps: Leadership commitment is rhetorical only, with no evidence of resource allocation; management reviews are irregular or token; OH&S seen as a safety manager responsibility, not leadership ownership.
5.2 OH&S Policy
Top management shall establish, implement, and maintain an OH&S policy that is appropriate, includes a commitment to provide safe work conditions, includes commitments to eliminate hazards and reduce risks, and is communicated to all workers and interested parties.

Evidence Checklist

  • Current, dated OH&S policy signed by top management
  • Policy includes commitment to consultation and worker participation
  • Policy is communicated and accessible (posters, intranet, induction materials)
  • Policy reviewed periodically for continuing suitability

Audit Questions

  • How was the OH&S policy developed and who was consulted?
  • How is the policy communicated to workers, contractors, and visitors?
  • How is the policy reviewed and updated?
Fully Compliant Looks Like: A well-communicated OH&S policy that is visible throughout the organisation. It includes specific commitments to hazard elimination, worker participation, and continual improvement. It is reviewed at least annually and updated to reflect changing organisational context.
Common Gaps: Policy is a generic template, not tailored to the organisation; policy is not visible or known to workers; no evidence of periodic review; policy does not include commitment to worker consultation.
5.3 Organisational Roles, Responsibilities and Authorities
Top management shall ensure that responsibilities and authorities for roles relevant to the OH&S system are assigned and communicated at all levels. All workers shall be accountable for their own OH&S performance.

Evidence Checklist

  • Organisational structure showing OH&S roles and reporting lines
  • Job descriptions with OH&S responsibilities documented
  • Records of role assignments for OH&S committee, incident investigators, emergency response
  • Evidence of communication of responsibilities to all workers

Audit Questions

  • How are OH&S roles and responsibilities defined and communicated?
  • How does top management ensure workers understand their individual OH&S accountabilities?
  • How are OH&S performance criteria included in job performance evaluations?
Fully Compliant Looks Like: Everyone in the organisation understands their OH&S responsibilities. Role descriptions clearly define OH&S accountabilities at each level. A safety committee or equivalent structure is in place with defined terms of reference. Management and worker responsibilities are well-documented and communicated.
Common Gaps: Responsibilities are only documented for the safety manager, not for all roles; workers are unaware of their specific OH&S duties; no formal safety committee or defined roles; accountability is not enforced.
5.4 Consultation and Participation of Workers
The organisation shall establish, implement, and maintain processes for consultation and participation of workers at all levels. This includes mechanisms for reporting hazards, contributing to risk assessments, participating in incident investigations, and involvement in OH&S decision-making.

Evidence Checklist

  • Formal consultation process documentation (committee terms of reference, meeting schedules)
  • Records of worker participation in hazard identification and risk assessment
  • Minutes from OH&S committee meetings showing worker input
  • Evidence of feedback mechanisms (suggestion boxes, safety talks, surveys)

Audit Questions

  • How are workers consulted on OH&S matters that affect them?
  • How are barriers to participation (language, shift work, literacy) addressed?
  • How does the organisation ensure non-managerial workers are represented?
Fully Compliant Looks Like: Workers actively participate in OH&S through multiple channels (elected representatives, safety committees, direct consultation). Barriers to participation are identified and addressed. Workers are involved in hazard identification, incident investigation, and decisions about their own safety. Feedback is acknowledged and acted upon.
Common Gaps: Consultation is token or management-driven only; no elected worker representatives; participation limited to specific groups, excluding night shift or contract workers; feedback loops are broken (workers report but hear nothing back).
Clause 6: Planning
6.1.1 Actions to Address Risks and Opportunities - General
When planning for the OH&S system, the organisation shall determine the risks and opportunities that need to be addressed to give assurance that the system can achieve its intended outcomes, prevent undesired effects, and achieve continual improvement.

Evidence Checklist

  • Risk and opportunity identification process documentation
  • Risk register covering OH&S risks AND opportunities for improvement
  • Evidence that risks/opportunities consider context (4.1) and interested parties (4.2)
  • Actions planned to address identified risks and opportunities

Audit Questions

  • How does the organisation identify risks and opportunities for the OH&S system?
  • How does the organisation prioritise which risks and opportunities to address?
  • How are planned actions integrated into OH&S processes and evaluated for effectiveness?
Fully Compliant Looks Like: A systematic process for identifying and evaluating both risks (threats to system outcomes) and opportunities (potential improvements). The risk register is comprehensive, linked to context analysis, and reviewed regularly. Specific actions are planned and tracked for each significant risk and opportunity.
Common Gaps: Only hazards are considered, not risks to the system itself; opportunities are ignored; risk register is static and not reviewed; no action plans linked to risks and opportunities.
6.1.2 Hazard Identification and Assessment of Risks and Opportunities
The organisation shall establish and maintain a process for ongoing hazard identification from work activities, equipment, materials, ergonomic factors, and psychosocial factors. The process shall consider routine and non-routine situations, emergency situations, and the behaviour and capabilities of workers.

Evidence Checklist

  • Hazard identification methodology (task-based, area-based, or process-based)
  • Risk assessment matrix with defined criteria for likelihood and severity
  • Completed risk assessments for all work areas, tasks, and activities
  • Evidence of periodic review and update of risk assessments

Audit Questions

  • What methodology is used for hazard identification and does it cover all work activities?
  • How are psychosocial and ergonomic hazards addressed in the process?
  • How does the organisation ensure risk assessments are reviewed and remain valid?
Fully Compliant Looks Like: A comprehensive, ongoing hazard identification process covering all activities (routine and non-routine). Physical, chemical, biological, ergonomic, and psychosocial hazards are included. Risk assessments use a consistent methodology, are documented, and are reviewed when conditions change. Workers participate in the process.
Common Gaps: Hazard identification is a one-off exercise not updated; psychosocial risks are not assessed; risk assessments are copied from templates without site-specific evaluation; non-routine activities and contractors are excluded.
6.1.3 Legal Requirements and Other Requirements
The organisation shall establish and maintain a process to identify, access, and evaluate legal requirements and other requirements related to the OH&S management system. These requirements shall be taken into account when establishing, implementing, maintaining, and continually improving the system.

Evidence Checklist

  • Legal register or legal requirements database covering applicable OHS legislation
  • Process for monitoring changes to legal and other requirements
  • Evidence of periodic legal compliance evaluation
  • Documentation showing how legal requirements are incorporated into procedures

Audit Questions

  • How does the organisation identify applicable legal requirements for OH&S?
  • How are changes in legal requirements tracked and communicated?
  • How does the organisation evaluate compliance with applicable legal requirements?
Fully Compliant Looks Like: A current legal register covering all applicable OHS legislation, regulations, codes of practice, and permits. A systematic process tracks legal changes and assesses their impact. Compliance is evaluated at planned intervals and results are documented and acted upon.
Common Gaps: Legal register is outdated or incomplete; no process for monitoring legal changes; legal compliance evaluation is informal or undocumented; industry-specific regulations are missed.
6.1.4 Planning to Take Action
The organisation shall plan to take actions to address identified risks and opportunities, including legal requirements. The planning shall consider the hierarchy of controls and how to integrate these actions into the OH&S management system processes. Effectiveness of actions shall be evaluated.

Evidence Checklist

  • Action plans linked to hazard identification and risk assessment outputs
  • Documented application of the hierarchy of controls in action planning
  • Records of action implementation with completion dates
  • Effectiveness evaluation records for actions taken

Audit Questions

  • How does the organisation plan actions to address risks using the hierarchy of controls?
  • How is the effectiveness of actions evaluated?
  • How are these actions integrated into operational processes?
Fully Compliant Looks Like: There is a clear process for translating risk assessment outputs into action plans that follow the hierarchy of controls (elimination first, then substitution, engineering controls, administrative controls, PPE). Actions have owners, deadlines, and completion status. Effectiveness is verified through inspection, testing, or review.
Common Gaps: Action plans default to administrative controls or PPE rather than elimination; actions are not tracked to completion; no effectiveness verification after implementation; planning does not integrate with operational processes.
6.2.1 OH&S Objectives
The organisation shall establish OH&S objectives at relevant functions and levels. Objectives shall be consistent with the OH&S policy, measurable (or verifiable), take into account legal requirements and the results of risk assessment, and be monitored and communicated.

Evidence Checklist

  • Documented OH&S objectives with measurable targets
  • Objectives are linked to risk assessment findings and legal requirements
  • Evidence of periodic monitoring and review of objective progress
  • Communication records showing objectives are shared with workers

Audit Questions

  • How are OH&S objectives established and who is involved?
  • How are objectives monitored and progress tracked?
  • How does the organisation ensure objectives are consistent with the OH&S policy?
Fully Compliant Looks Like: SMART OH&S objectives exist at appropriate levels (strategic, operational, individual). They are clearly linked to identified risks, legal requirements, and the policy commitment. Progress is tracked through regular reviews and reported to management. Objectives are communicated to relevant workers.
Common Gaps: Objectives are too vague to measure; objectives are not linked to risk assessment findings; no monitoring or tracking of progress; objectives are set by management without worker input; objectives are not communicated.
6.2.2 Planning to Achieve OH&S Objectives
When planning to achieve OH&S objectives, the organisation shall determine what will be done, what resources will be required, who will be responsible, when it will be completed, and how results will be evaluated, including indicators for monitoring progress.

Evidence Checklist

  • Action plans for each OH&S objective with defined tasks, resources, owners, and timelines
  • KPIs or performance indicators linked to each objective
  • Progress tracking reports or dashboards
  • Evidence of resource allocation to achieve objectives

Audit Questions

  • How does the organisation plan the actions needed to achieve each OH&S objective?
  • How are resources for achieving objectives determined and allocated?
  • How is progress measured and reported?
Fully Compliant Looks Like: Each objective has a detailed action plan with clear tasks, assigned owners, dedicated resources, and realistic timelines. Progress is measured using defined KPIs and reported at regular intervals. Plans are adjusted when progress deviates from targets.
Common Gaps: Objectives exist but no action plans to achieve them; no resources allocated; owners are not assigned or not held accountable; no progress monitoring or reporting; plans not updated when circumstances change.
Clause 7: Support
7.1 Resources
The organisation shall determine and provide the resources needed for the establishment, implementation, maintenance, and continual improvement of the OH&S management system, including human resources, financial resources, infrastructure, and technology.

Evidence Checklist

  • OH&S budget allocation and expenditure records
  • Staffing levels for OH&S roles (qualified safety professionals)
  • Infrastructure resources (PPE, monitoring equipment, safety systems)
  • Resource needs assessment linked to planning outputs

Audit Questions

  • How does the organisation determine the resources needed for the OH&S system?
  • What human, financial, and infrastructure resources are provided for OH&S?
  • How does top management ensure resource constraints do not compromise OH&S?
Fully Compliant Looks Like: Adequate resources (people, budget, equipment, technology) are consistently provided to operate and improve the OH&S system. Resource needs are assessed during planning cycles and justified to management. There is no evidence that OH&S performance suffers from resource constraints.
Common Gaps: Insufficient budget for safety initiatives; understaffed safety function; outdated or inadequate monitoring equipment; resource allocation not linked to risk assessment priorities; reactive rather than planned resourcing.
7.2 Competence
The organisation shall determine the necessary competence of workers that affects or can affect its OH&S performance. The organisation shall ensure these workers are competent based on appropriate education, training, or experience, and take actions to acquire the necessary competence.

Evidence Checklist

  • Competence matrix or skills register for OH&S roles
  • Training records for each worker with OH&S responsibilities
  • Evidence of competence evaluation (tests, observations, certifications)
  • Training needs analysis linked to risk assessment and role requirements

Audit Questions

  • How does the organisation identify the competence needs for OH&S roles?
  • How is competence evaluated and verified (not just training attendance)?
  • How are competence gaps identified and addressed?
Fully Compliant Looks Like: A competence management system ensures all workers in OH&S-critical roles are demonstrably competent. Training needs are systematically identified, delivered, and evaluated for effectiveness. Competence is verified through assessment, not just attendance. Records are maintained and reviewed regularly.
Common Gaps: Training is provided but competence is not verified; no competence matrix to identify gaps; refresher training is not tracked; only regulatory training is considered, not role-specific competence; records are incomplete or out of date.
7.3 Awareness
The organisation shall ensure that workers are aware of the OH&S policy, their contribution to its effectiveness, the implications of not conforming with OH&S requirements, and their ability to remove themselves from situations they believe present an imminent and serious danger.

Evidence Checklist

  • Induction and ongoing awareness training materials
  • Records of worker awareness verification (quizzes, interviews, acknowledgements)
  • Posters, communications, and toolbox talks covering key OH&S messages
  • Evidence that workers know their right to stop unsafe work

Audit Questions

  • How does the organisation ensure workers are aware of the OH&S policy?
  • How do workers demonstrate understanding of their role in OH&S?
  • How are workers informed of their right to remove themselves from dangerous situations?
Fully Compliant Looks Like: Workers at all levels can articulate the OH&S policy, their individual responsibilities, and the key hazards in their work area. They know they have the right and responsibility to stop work if unsafe. Awareness is verified through multiple methods and reinforced regularly.
Common Gaps: Awareness is assumed from training attendance, not verified; workers cannot recall policy or key safety messages; the right to stop unsafe work is not communicated or culturally accepted; awareness activities are one-off at induction only.
7.4 Communication
The organisation shall establish processes for internal and external communication relevant to the OH&S management system, including what to communicate, when, to whom, how, and by whom. It shall ensure that information is accessible and understandable.

Evidence Checklist

  • Communication plan or matrix defining OH&S communication flows
  • Evidence of internal communications (safety alerts, newsletters, intranet updates)
  • Evidence of external communications (regulatory reports, stakeholder responses)
  • Feedback mechanisms allowing workers to raise OH&S concerns

Audit Questions

  • What are the internal and external communication processes for OH&S?
  • How does the organisation ensure OH&S communications are understood by recipients?
  • How are language, literacy, and accessibility barriers addressed?
Fully Compliant Looks Like: A structured communication process ensures the right OH&S information reaches the right people at the right time. Communications are tailored to the audience (considering language, literacy, and accessibility). Two-way communication channels exist for workers to raise concerns and receive feedback.
Common Gaps: No formal communication plan; communications are ad hoc and inconsistent; only one-way broadcasting with no feedback mechanism; language or literacy barriers are not considered; external communication requirements (e.g., to regulators) are not defined.
7.5 Documented Information
The organisation shall control documented information required by ISO 45001 and determined as necessary for the effectiveness of the OH&S system. This includes creation, identification, format, review, approval, distribution, access, retrieval, use, storage, preservation, retention, and disposition.

Evidence Checklist

  • Documented information register or document control procedure
  • Document numbering, version control, and approval records
  • Evidence of document review and update cycles
  • Records of distribution and retrieval of obsolete documents

Audit Questions

  • How does the organisation control documented information (approval, distribution, updates)?
  • How is the retention and disposition of documents managed?
  • How do workers access current versions of required documents?
Fully Compliant Looks Like: All OH&S documentation is effectively controlled with clear procedures for creation, review, approval, and update. Version control is maintained, obsolete documents are removed, and current versions are readily accessible to those who need them. Documented information is legible, identifiable, and properly maintained.
Common Gaps: No document control procedure; different versions of the same document exist in circulation; obsolete documents not removed; uncontrolled copies in use; documents are inaccessible or not available where needed; no retention schedule.
Clause 8: Operation
8.1.1 Operational Planning and Control
The organisation shall plan, implement, control, and maintain the processes needed to meet OH&S requirements and to implement the actions determined in Clause 6. This includes establishing criteria for processes and implementing control measures in accordance with the hierarchy of controls.

Evidence Checklist

  • Operational procedures for critical tasks with OH&S risks
  • Work instructions, permits to work, and safe systems of work
  • Evidence that operational controls are implemented and followed
  • Monitoring and measurement of operational control effectiveness

Audit Questions

  • How does the organisation establish operational controls for OH&S risks?
  • How are operational control procedures communicated to workers?
  • How is the effectiveness of operational controls monitored?
Fully Compliant Looks Like: Operational processes with significant OH&S risks are identified and controlled through documented procedures, permits, or safe systems of work. Controls are based on the hierarchy of controls. Workers are trained and supervised. Effectiveness is verified through inspections, audits, and performance monitoring.
Common Gaps: No documented operational controls for high-risk tasks; procedures exist but are not followed or enforced; controls rely on behaviour rather than engineering; no monitoring of control effectiveness; permits to work system is not properly managed.
8.1.2 Eliminating Hazards and Reducing OH&S Risks (Hierarchy of Controls)
The organisation shall establish and maintain a process for elimination of hazards and reduction of OH&S risks using the hierarchy of controls: elimination, substitution, engineering controls, administrative controls, and personal protective equipment.

Evidence Checklist

  • Hierarchy of controls applied in risk assessment and action planning
  • Evidence of elimination or substitution projects
  • Engineering control verification records (e.g., ventilation, guarding)
  • PPE assessment and issuing records (where higher controls not feasible)

Audit Questions

  • How is the hierarchy of controls applied when determining risk reduction measures?
  • What evidence exists that elimination and substitution are considered before lower-level controls?
  • How does the organisation maintain the effectiveness of engineering controls?
Fully Compliant Looks Like: The hierarchy of controls is systematically applied in all risk control decisions. Elimination is considered first, followed by substitution and engineering controls. Administrative controls and PPE are used only where higher controls are not practicable. Engineering controls are maintained and verified. Decisions are documented.
Common Gaps: Defaulting to PPE without considering elimination; no documentation showing hierarchy consideration; engineering controls not maintained; administrative controls relied upon without verification of compliance; hierarchy not applied in procurement or change management.
8.1.3 Management of Change
The organisation shall establish and maintain a process for the planning and implementation of changes that impact OH&S performance. This includes changes to products, services, processes, legal requirements, organisational structure, and external context.

Evidence Checklist

  • Management of change procedure or policy
  • Change request records with OH&S impact assessments
  • Evidence of worker consultation before changes are implemented
  • Post-change review records to verify control effectiveness

Audit Questions

  • How does the organisation identify and manage changes that affect OH&S?
  • How are workers consulted before changes are implemented?
  • How is the effectiveness of change-related risk controls verified after implementation?
Fully Compliant Looks Like: A formal management of change process ensures all temporary and permanent changes are assessed for OH&S impact before implementation. Risk assessments are updated, controls are put in place, and workers are consulted and trained. Post-change reviews confirm effectiveness.
Common Gaps: No formal change management process; changes are implemented without OH&S assessment; temporary changes are not managed; workers are not informed or consulted about changes that affect their safety; post-change reviews are not conducted.
8.1.4 Procurement and Contractors
The organisation shall establish and maintain controls for procurement of goods and services, including contractor activities, to ensure that outsourced processes and purchased products/services do not adversely affect OH&S performance. Contractor OH&S requirements shall be defined and evaluated.

Evidence Checklist

  • Procurement procedure incorporating OH&S criteria
  • Contractor pre-qualification and selection process with OH&S requirements
  • Contractor OH&S performance monitoring records
  • Evidence of OH&S requirements communicated to suppliers and contractors

Audit Questions

  • How does the organisation ensure procured goods and services do not introduce OH&S risks?
  • How are contractors evaluated and monitored for OH&S performance?
  • How are OH&S requirements communicated to contractors before work begins?
Fully Compliant Looks Like: Procurement processes include OH&S criteria for selecting and evaluating suppliers. Contractors are pre-qualified based on OH&S performance, provided with site-specific safety requirements, and monitored during work. Contractor incidents are recorded and reviewed. Worker consultation occurs on contractor-related risks.
Common Gaps: No OH&S criteria in procurement; contractors not pre-qualified for safety; contractor induction is inadequate; no monitoring of contractor OH&S performance; no communication of hazards between organisation and contractors.
Rating:
8.2 Emergency Preparedness and Response
The organisation shall establish and maintain processes needed to prepare for and respond to potential emergency situations. This includes developing emergency plans, providing training, conducting periodic exercises, and evaluating post-exercise responses to improve preparedness.

Evidence Checklist

  • Emergency response plans for identified scenarios (fire, chemical spill, medical emergency, etc.)
  • Training records for emergency response teams and general workforce
  • Exercise/drill schedules and post-exercise evaluation reports
  • Emergency equipment inspection and maintenance records

Audit Questions

  • How does the organisation identify potential emergency situations?
  • How are emergency drills planned, conducted, and evaluated for improvement?
  • How does the organisation ensure emergency equipment is maintained and accessible?
Fully Compliant Looks Like: Comprehensive emergency plans are in place for all credible scenarios and are readily accessible. Drills are conducted regularly, with participation from relevant stakeholders. Post-exercise evaluations identify improvement actions, which are tracked to closure. Emergency equipment is inspected and maintained. Worker training is current.
Common Gaps: Emergency plans are generic and not site-specific; drills are not conducted or are too infrequent; no post-exercise evaluation or improvement actions; emergency equipment not inspected regularly; workers not trained on emergency procedures.
Rating:
Clause 9
Performance Evaluation
9.1 Monitoring, Measurement, Analysis and Performance Evaluation
The organisation shall determine what needs to be monitored and measured, including leading and lagging indicators. Methods for monitoring, measurement, analysis, and performance evaluation shall be defined to ensure valid results. Performance shall be evaluated and reported to management.

Evidence Checklist

  • OH&S performance indicators (leading and lagging)
  • Calibration and maintenance records for monitoring equipment
  • Performance monitoring reports and trend analysis
  • Evidence of performance data being reported to management

Audit Questions

  • What leading and lagging indicators does the organisation use to monitor OH&S performance?
  • How is the accuracy and validity of monitoring data ensured?
  • How are monitoring results analysed and communicated to management?
Fully Compliant Looks Like: A balanced set of leading indicators (e.g., near-miss reports, training completion, hazard inspections) and lagging indicators (e.g., injury rates, lost time, incidents) is monitored. Monitoring equipment is calibrated. Data is analysed for trends and reported to management review. Performance evaluations drive improvement actions.
Common Gaps: Only lagging indicators are used (reactive); monitoring equipment not calibrated; data is collected but not analysed for trends; performance reports are not shared with management; no defined criteria for when to take corrective action based on monitoring.
Rating:
9.1.2 Evaluation of Compliance
The organisation shall establish and maintain processes for evaluating compliance with legal requirements and other requirements. The organisation shall maintain knowledge and understanding of its compliance status. Compliance evaluations shall be conducted at planned intervals.

Evidence Checklist

  • Compliance evaluation procedure defining frequency and methodology
  • Compliance evaluation reports or checklists with dates
  • Records of actions taken to address non-compliance
  • Evidence of compliance status knowledge by management

Audit Questions

  • How does the organisation evaluate compliance with legal and other requirements?
  • What is the frequency of compliance evaluations?
  • How does the organisation respond to identified non-compliance?
Fully Compliant Looks Like: A systematic compliance evaluation process is in place with defined frequency, scope, and methodology. Evaluations are conducted by competent personnel. Results are documented, non-compliances are actioned, and compliance status is reported to management. The process covers all applicable legal and other requirements.
Common Gaps: No formal compliance evaluation process; evaluations are ad hoc or reactive to incidents; non-compliances are identified but not tracked to resolution; compliance status is not reported to management; evaluation does not cover all applicable requirements.
Rating:
9.2 Internal Audit
The organisation shall conduct internal audits at planned intervals to determine whether the OH&S management system conforms to the organisation's own requirements and the requirements of ISO 45001, and is effectively implemented and maintained.

Evidence Checklist

  • Internal audit programme defining scope, frequency, and auditors
  • Audit reports with findings, non-conformities, and observations
  • Evidence of auditor competence and independence
  • Corrective action records linked to audit findings

Audit Questions

  • How is the internal audit programme planned and scheduled?
  • How does the organisation ensure auditors are competent and impartial?
  • How are audit results reported and corrective actions tracked?
Fully Compliant Looks Like: A risk-based internal audit programme covers all OH&S processes within a defined cycle. Audits are conducted by competent, independent auditors. Reports clearly identify conformities and non-conformities. Corrective actions are assigned, tracked, and verified for effectiveness. Audit results are input to management review.
Common Gaps: Audit programme does not cover all processes or sites; auditors are not independent; findings do not result in effective corrective actions; audit frequency is too low; no verification of corrective action effectiveness; management does not review audit results.
Rating:
9.3 Management Review
Top management shall review the OH&S management system at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. The review shall consider inputs including audit results, performance evaluation, legal requirements, and consultation outcomes.

Evidence Checklist

  • Management review meeting schedule and agenda
  • Minutes or records of management review with attendance
  • Evidence that all required inputs are reviewed
  • Decisions and actions from management review with assigned owners

Audit Questions

  • What inputs are considered in the management review process?
  • What decisions and actions result from management review?
  • How does management review drive continual improvement?
Fully Compliant Looks Like: Management reviews are conducted at planned intervals (typically annually or more frequently) with comprehensive inputs including audit results, performance data, incident analysis, legal changes, and worker feedback. Top management actively participates. Decisions and action items are clearly documented, assigned, and tracked to completion.
Common Gaps: Management review is a tick-box meeting with no meaningful decisions; required inputs are missing or incomplete; no action items or follow-up from reviews; management review does not address system adequacy or improvement opportunities.
Rating:
Clause 10
Improvement
10.1 Incident Investigation and Corrective Action
The organisation shall establish and maintain processes for reporting, investigating, and taking corrective action for incidents, non-conformities, and near-misses. Investigations shall be conducted in a timely manner, identify root causes, and determine corrective actions to prevent recurrence.

Evidence Checklist

  • Incident reporting and investigation procedure
  • Incident reports with root cause analysis (e.g., 5 Whys, fishbone)
  • Corrective action register with tracking to closure
  • Evidence of near-miss reporting culture (reports, trends, analysis)

Audit Questions

  • How are incidents, near-misses, and non-conformities reported and investigated?
  • How does the organisation identify root causes rather than surface causes?
  • How does the organisation verify the effectiveness of corrective actions?
Fully Compliant Looks Like: All incidents and near-misses are reported and investigated promptly using root cause analysis methods. Corrective actions address root causes and are verified for effectiveness. Trends are analysed to identify systemic issues. A positive reporting culture exists, with no blame culture preventing incident reporting.
Common Gaps: Near-misses are not reported; investigations focus on blame rather than root cause; corrective actions do not address root causes; effectiveness of corrective actions is not verified; no trend analysis; reporting is seen as punitive.
Rating:
10.2 Continual Improvement
The organisation shall continually improve the suitability, adequacy, and effectiveness of the OH&S management system. This includes enhancing OH&S performance, promoting a culture that supports the OH&S system, and communicating relevant results to workers.

Evidence Checklist

  • Evidence of improvement actions from management review, audits, and incident investigations
  • Trend analysis showing improving OH&S performance over time
  • Records of worker suggestions and implemented improvements
  • Evidence of benchmarking or learning from industry best practices

Audit Questions

  • How does the organisation demonstrate continual improvement of the OH&S system?
  • How are improvement opportunities identified and prioritised?
  • How does the organisation promote a culture that supports OH&S improvement?
Fully Compliant Looks Like: Continual improvement is embedded in the organisation's culture, not just a compliance exercise. Improvement opportunities are proactively identified through multiple sources (audits, incidents, worker feedback, trend analysis). Actions are prioritised, implemented, and evaluated. Positive trends in OH&S performance are evident over time.
Common Gaps: Improvement is reactive only (after incidents); no systematic process for identifying improvement opportunities; improvement actions are not tracked or evaluated; no evidence of positive performance trends; improvement culture not established beyond compliance requirements.
Rating: