An occupational health and safety policy is one required part of ISO 45001:2018. It is not the whole requirement. If your company has a policy on paper but no clear hazard identification, no worker participation, no objectives, no follow-up, and no corrective action process, you do not have an OH&S management system. You have a document.
That distinction matters. Many companies ask for a “policy” when what they really need is a working structure for occupational health and safety. ISO 45001:2018 clause 5.2 sets the requirements for the policy. The rest of the standard sets requirements for planning, operation, competence, communication, monitoring, audits, management review, incident handling, and continual improvement.
What ISO 45001 actually requires
ISO 45001:2018 does require an OH&S policy. Top management must establish, implement, and maintain it. But the standard also requires the organization to establish, implement, maintain, and continually improve an OH&S management system, including the processes needed and their interactions.
That means certification is never about the policy alone.
The policy gives direction. The management system turns that direction into daily work.
What the policy must include according to clause 5.2
The policy must come from top management, and it must include six commitments.
1. Safe and healthy working conditions
The policy must commit to providing safe and healthy working conditions for the prevention of work-related injury and ill health. It also has to fit the organization’s purpose, size, context, and specific OH&S risks and OH&S opportunities.
2. A framework for objectives
The policy must provide a framework for setting OH&S objectives. It is not enough to say that safety matters. The policy has to help shape what the company will improve, measure, and follow up.
3. Fulfil legal requirements and other requirements
The policy must include a commitment to fulfil legal requirements and other requirements. Which laws apply depends on the country, sector, and activities. The exact legal set differs between organizations, so the policy should not pretend that one country’s rules are universal.
4. Eliminate hazards and reduce OH&S risks
The policy must include a commitment to eliminate hazards and reduce OH&S risks. This links directly to operational control and to the hierarchy of controls in clause 8.1.2.
5. Continual improvement
The policy must include a commitment to continual improvement of the OH&S management system. The standard does not accept a static safety program.
6. Consultation and participation of workers
The policy must include a commitment to consultation and participation of workers and, where they exist, workers’ representatives. This is a central part of ISO 45001:2018, not a side note.
The policy must also be managed correctly. It must be available as documented information, communicated within the organization, available to interested parties as appropriate, and kept relevant and appropriate.
What a policy does not solve on its own
This is where many article drafts go wrong. They make it sound as if the main task is to write a better policy. It is not.
You can write a perfect policy and still fail ISO 45001:2018 if the rest of the system is weak.
For example:
- A policy can say that you will reduce risks, but clause 6 requires a real process for hazard identification, risk assessment, opportunities, and legal requirements.
- A policy can say that workers will participate, but clause 5.4 requires actual processes, time, training, resources, and removal of barriers to participation.
- A policy can say that you will improve, but clauses 9 and 10 require monitoring, compliance evaluation, audits, management review, incident investigation, corrective action, and evidence of continual improvement.
- A policy can say that you will provide safe conditions, but clause 8 requires operational controls, management of change, contractor controls, procurement controls, and emergency preparedness.
The policy matters. It just does not work alone.
The rest of the ISO 45001 system, in plain language
If you want the short version of ISO 45001:2018, think of it like this.
Clause 4: context and scope
You need to understand what affects your OH&S work. That includes internal and external issues, the needs and expectations of workers and other interested parties, and the boundaries of the OH&S management system.
Clause 5: leadership and participation
Top management has to lead the work, not delegate it away. The organization also needs clear responsibilities and real worker consultation and participation.
Clause 6: planning
You need a method for identifying hazards, assessing OH&S risks, assessing opportunities, determining legal and other requirements, and setting objectives with plans to achieve them.
Clause 7: support
You need resources, competence, awareness, communication, and controlled documented information. A policy that nobody knows, understands, or can access does not help much.
Clause 8: operation
You need operational planning and control. That includes eliminating hazards and reducing risks using the hierarchy of controls, managing change, controlling contractors and outsourced work, and preparing for emergencies.
Clause 9: performance evaluation
You need to monitor and measure what matters, evaluate compliance, run internal audits, and carry out management review.
Clause 10: improvement
You need to handle incidents and nonconformities, find root causes, take corrective action, and improve the system over time.
That is why the standard has to be read as a system. The policy is one visible piece of a much larger structure.
A useful checklist for the policy itself
Use this when you review the policy text.
- It commits to safe and healthy working conditions for the prevention of work-related injury and ill health
- It is appropriate to the organization’s purpose, size, context, and specific OH&S risks and OH&S opportunities
- It provides a framework for OH&S objectives
- It commits to fulfil legal requirements and other requirements
- It commits to eliminate hazards and reduce OH&S risks
- It commits to continual improvement of the OH&S management system
- It commits to consultation and participation of workers and, where they exist, workers’ representatives
- It is controlled as documented information
- It is communicated internally
- It is available to interested parties as appropriate
- It is still relevant and appropriate
A more useful checklist for certification readiness
Use this when you review whether you actually have a working OH&S management system.
- We know which hazards, OH&S risks, and OH&S opportunities matter in our operations
- We know which legal requirements and other requirements apply to us, and we keep that information current
- We have OH&S objectives and plans to achieve them
- Workers participate in planning, reporting, investigation, and improvement
- Roles, responsibilities, and authorities are clear
- The right people have the right competence and training
- We control operational risks, changes, contractors, procurement, and outsourced work
- We are prepared for emergencies and test that preparedness
- We monitor performance and evaluate compliance
- We run internal audits and management reviews
- We investigate incidents and nonconformities, then take corrective action
- We can show evidence of continual improvement
If several of these boxes are empty, the policy is not your main gap.
What auditors usually look for
Auditors do not just read the policy and move on. They test whether the policy is connected to the rest of the system.
They will typically ask questions like:
- How was this policy established, and who was involved?
- How do workers know about it?
- Which objectives come from it?
- Which hazards and risks does it relate to?
- How do you know legal requirements are being fulfilled?
- How do incidents, audits, and management review feed into improvement?
If the answers live in different spreadsheets, inboxes, and shared drives, the policy may be correct while the system is still weak.
In AmpliFlow, the policy is only one controlled piece of the system. You can publish it with version control and approvals, then connect it to objectives, risks, incidents, audits, and management review.
That matters because ISO 45001:2018 is built around connected processes, not standalone documents. A good tool does not just store the policy. It helps you prove how the policy is used.
The practical conclusion
Yes, you need an occupational health and safety policy for ISO 45001:2018.
No, a policy is not enough.
If your current focus is “we need a policy”, the better question is usually this: do we have a working OH&S management system that makes the policy real?
That is the difference between passing around a document and running occupational health and safety work in a way that stands up in practice and in an audit.