ISO 45001:2018 is the international standard for occupational health and safety management. It replaces OHSAS 18001 and aligns with Spain’s Act 31/1995 on Occupational Risk Prevention.
ISO 45001: Complete Guide to Occupational Health and Safety
ISO 45001 is the international standard for occupational health and safety (OHS) management. Published in 2018 as the successor to OHSAS 18001, it provides a framework for preventing work-related injuries and illnesses, improving working conditions and demonstrating a genuine commitment to worker wellbeing. In Spain, where workplace accident rates remain a significant problem, ISO 45001 certification is increasingly required in tenders and by major industrial clients.
If you already have ISO 9001 or ISO 14001, the most efficient approach is to integrate ISO 45001 into a single system: see my guide to the Integrated Management System ISO 9001 + 14001 + 45001 + 27001.
What are the differences between ISO 45001 and Spanish ORP legislation?
It is important to understand that ISO 45001 does not replace compliance with Act 31/1995 on Occupational Risk Prevention (ORP) and its implementing regulations. Spanish legislation sets the minimum mandatory requirements; ISO 45001 provides a broader, more systematic management framework that goes beyond legal compliance.
The main differences are:
- ISO 45001 requires active worker participation in OHS management (not just legal consultation).
- It requires a risk- and opportunity-based approach that goes beyond the legally required risk assessment.
- It integrates OHS into the organisation’s strategy with top management commitment.
- It includes management of the supply chain and contractors.
Table: comparison of Act 31/1995 ORP vs ISO 45001
| Aspect | Act 31/1995 ORP | ISO 45001 |
|---|---|---|
| Mandatory | Legally required | Voluntary (certification) |
| Scope | Own workers | Own + contractors + visitors |
| Approach | Minimum legal compliance | Continuous improvement + compliance |
| Worker participation | Consultation with safety reps | Active participation in the entire system |
| Documentation | Risk assessment + planning | Complete management system |
| External audit | Periodic legal audit | ENAC certifying body audit |
| Management review | Not explicitly required | Mandatory |
| Recognition in tenders | No specific score | Frequent as criterion or requirement |
| Integration with other standards | Not envisaged | Integrable with 9001, 14001, 27001 |
ISO 45001 is complementary, not a substitute: you still need to comply with Act 31/1995. But the ISO certificate becomes objective proof before clients and public administration that your preventive system is not just paperwork.
What are the fundamental requirements of ISO 45001?
Context and leadership
Management must assume ultimate responsibility for protecting workers’ health and safety, ensure necessary resources, integrate OHS requirements into business processes and promote a proactive safety culture. It is not enough to sign the policy: management must appear in audits and personally review accident rate indicators.
Hazard identification and risk assessment
ISO 45001 requires a continuous hazard identification process that considers:
- Routine and non-routine activities.
- Emergency situations.
- People accessing the workplace (including contractors and visitors).
- Human and social factors (stress, fatigue, harassment).
- Changes in processes, equipment or facilities.
Risk assessment must be proportionate to the level of hazard and consider both the probability and severity of potential consequences. Review frequency depends on risk: annual minimum for stable processes, immediate when there are changes or following an incident.
Worker participation
This is one of ISO 45001’s most distinctive requirements. Participation is not limited to legal consultation through safety representatives: workers must actively participate in hazard identification, incident investigation, development of OHS policies and objectives, and improvement proposals. In practice this is realised through operational safety committees (not just formal ones), preventive suggestion boxes, training at all levels and recognition of participation.
Planning and operational control
The organisation must plan actions to address identified risks and opportunities, set measurable OHS objectives and implement effective operational controls following the hierarchy of controls:
1. Elimination of the hazard.
2. Substitution with something less hazardous.
3. Engineering controls (barriers, ventilation, ergonomics).
4. Administrative controls (procedures, training, rotation).
5. Personal Protective Equipment (PPE).
PPE is the last resort, not the first. A mature OHS system tries first to eliminate the hazard and leaves PPE as a complement.
Performance evaluation and improvement
ISO 45001 requires monitoring and measuring OHS performance, evaluating compliance with legal requirements, conducting internal audits, investigating incidents (including near-misses) and carrying out management reviews. Typical indicators are: incidence rate, severity rate, number of near-misses reported, preventive training hours and % compliance with the preventive plan.
How much does ISO 45001 certification cost and in what timeframe?
ISO 45001 certification costs are similar to ISO 14001. For an industrial SME (small and medium-sized enterprise), the total first-year cost is between €5,000 and €12,000 if implemented alone (20–50 employees), and can reach €18,000 for medium-sized industrial firms (>100 employees) with higher-risk installations. If you already have ISO 9001, the incremental cost is significantly reduced due to high-level structure synergies: a company with ISO 9001 in place can add ISO 45001 with a typical incremental cost of €3,000–7,000. The initial external audit adds €2,000–4,000 depending on size and certifier.
The implementation timeframe is 4 to 9 months, reducible to 3–6 months if a prior ISO management system is in place and management is involved from day one.
How does ISO 45001 integrate with ISO 9001 and ISO 14001?
Integrating ISO 45001 with ISO 9001 and ISO 14001 into an integrated management system (IMS) is the most efficient strategy for organisations needing all three certifications. The shared high-level structure allows unifying the management policy, common procedures (document control, internal audit, management review, non-conformities), risk analysis (with quality, environmental and safety perspectives) and staff training.
Real case: plastics transformation industry in Burgos
A plastics injection company with 52 employees in Burgos obtained ISO 45001 certification, driven by a tender from a German client who required it. They already had ISO 9001 in place, with their legal preventive system in order.
We implemented in 5 months by adding to the existing structure: revision of the risk assessment with an external ORP specialist, creation of a near-miss notification channel (Forms plus a 15-minute weekly meeting), revision of the integrated policy to include OHS, and specific training for middle managers in the hierarchy of controls.
Results after one year: significant increase in near-misses reported (not because there were more, but because they were now notified), real reduction in lost-time accidents compared to the historical average, and winning the German client contract that motivated the project. Incremental cost vs having only ISO 9001: €5,800 consultancy plus €2,500 additional external audit.
FAQ on ISO 45001
Is ISO 45001 mandatory?
Not by law. The legal obligation is to comply with Act 31/1995 ORP and its implementing regulations. ISO 45001 is voluntary, but increasingly required in tenders (especially public works and industrial services) and by major industrial clients who include it as a supplier qualification criterion.
Does ISO 45001 replace the prevention service?
No. You still need an in-house or external prevention service in accordance with legislation. ISO 45001 is the management system that organises your preventive approach, not the technical service that carries out assessments and health surveillance. Both coexist.
How much does ISO 45001 certification cost?
For an industrial SME of 20–50 employees: €5,000–12,000 if implemented alone; €3,000–7,000 additional if you already have ISO 9001 or 14001. The initial external audit is approximately €2,000–4,000 depending on size and certifier.
What about contractors and visitors?
ISO 45001 extends scope to contractors working on your premises and visitors with access to operational areas. This requires preventive qualification of contractors, mandatory safety induction and visitor records with basic instructions. It is one of the most audited points.
How is system success measured?
Success is measured with reactive indicators (lost-time accidents, severity rate) and proactive indicators (near-miss reports, safety observations, % plan compliance, training hours). A mature system has high proactive indicators and low reactive ones.
Is OHSAS 18001 still valid?
No. OHSAS 18001 was formally withdrawn. Every company certified under OHSAS had to migrate to ISO 45001 before March 2021. If your system still says OHSAS, it is out of date and not certifiable.
Mini-glossary
- OHS: Occupational Health and Safety.
- ORP: Occupational Risk Prevention (Act 31/1995).
- Hazard: source with potential to cause harm.
- Risk: combination of probability and severity of potential harm.
- Hierarchy of controls: preferred order of preventive measures.
- Near-miss: incident without damage that could have caused it.
- PPE: Personal Protective Equipment.
- Prevention service: legal structure (in-house or external) for ORP management.
Checklist: 10 steps to implement ISO 45001
1. Diagnose the current state of your existing legal preventive system.
2. Identify what your ORP is missing to reach ISO 45001.
3. Commit management with an integrated policy and resources.
4. Create or strengthen the safety committee with genuine representation.
5. Enable near-miss notification channels.
6. Review the risk assessment incorporating human and social factors.
7. Apply the hierarchy of controls before PPE.
8. Qualify contractors and provide visitor inductions.
9. Conduct a specific OHS internal audit before the external one.
10. Audit safety culture, not just records.