
How WHS Documents Support ISO 45001 Certification

BlueSafe Technical Team, 12 June 2026

Quick answer: A well-maintained WHS document set covers the majority of the evidence an ISO 45001 auditor needs. The remaining gaps are mostly in the planning and evaluation clauses — context, interested parties, documented objectives, internal audit, and management review — rather than in day-to-day operations.

Last reviewed: June 2026 by the BlueSafe Technical Team.

This guide is general information only. It does not constitute legal or certification advice. Verify your readiness and certification position with a JAS-ANZ accredited certification body and qualified WHS advice where needed.

At a glance

| WHS document | Primary ISO 45001 clause |
| --- | --- |
| WHS policy | Clause 5.2 – OH&S policy |
| Hazard identification and risk assessments | Clause 6.1 – Actions to address risks and opportunities |
| Safe Work Method Statements (SWMS) | Clause 8.1 – Operational planning and control |
| Hazard and chemical registers | Clause 6.1, Clause 8.1 |
| Training records and competency evidence | Clause 7.2 – Competence |
| Incident records and investigation reports | Clause 10.2 – Incident, nonconformity, and corrective action |
| Consultation and participation records | Clause 5.4 – Consultation and participation of workers |
| Internal audit records | Clause 9.2 – Internal audit |
| Management review minutes | Clause 9.3 – Management review |

Why this matters

Businesses that have been operating a genuine WHS management system for some time often have far more ISO 45001-ready evidence than they realise. The standard is built around the same obligations Australian WHS law already expects organisations to manage. A good WHS document set is not a starting point for ISO 45001 — in many cases it is most of the way there.

Understanding exactly how each document maps to the standard helps businesses identify what they already have, what needs strengthening, and where the remaining gaps sit.

See also: WHS Management System vs ISO 45001 — What Is the Difference?

How each WHS document maps to ISO 45001

WHS policy — Clause 5.2

A documented WHS policy is a direct requirement under ISO 45001 Clause 5.2. The standard sets specific content expectations: the policy must commit to providing safe and healthy working conditions, to eliminating hazards and reducing OH&S risks, to fulfilling legal and other requirements, and to continual improvement.

Most Australian WHS policies already contain these commitments in some form. The audit check is whether the policy is current, signed by top management, communicated to workers, and available to relevant interested parties.

Hazard identification and risk assessments — Clause 6.1

Clause 6.1 is one of the most evidence-intensive parts of the standard. It requires the organisation to establish, implement, and maintain processes to identify hazards on an ongoing basis, assess the associated risks, and determine appropriate controls.

A comprehensive set of risk assessments — particularly ones that follow a systematic methodology, reference the hierarchy of controls, and are reviewed after incidents or changes — will satisfy a large portion of this clause. Auditors want to see that the process is active and consistent, not just that risk assessment templates exist.

Safe Work Method Statements — Clause 8.1

SWMS address Clause 8.1, which covers operational planning and control. The standard requires documented information to control processes, especially where the absence of those controls could lead to deviations from the OH&S policy or failure to meet legal obligations.

High-risk construction work SWMS are the most common example, but the principle extends to any work where documented step-by-step control of hazards is necessary. SWMS that are task-specific, reviewed with workers before work begins, and updated when conditions change demonstrate exactly the kind of operational discipline Clause 8.1 is looking for.

Hazard and chemical registers — Clauses 6.1 and 8.1

Registers support both hazard identification and operational control. A maintained chemical register with current Safety Data Sheets, for example, directly evidences that the organisation has identified hazardous substances, assessed the risks, and put controls in place. Plant and equipment registers support similar evidence requirements around inspection, maintenance, and control.

The key audit question is whether the registers are live documents rather than static lists. Registers that are regularly reviewed and updated carry far more weight than those last touched at induction.

Training records and competency evidence — Clause 7.2

Clause 7.2 requires the organisation to determine the necessary competence for workers performing tasks that affect OH&S performance, ensure workers are competent, and retain documented evidence of that competence.

Training records, induction records, licences, certificates of competency, and toolbox talk sign-off sheets all feed directly into this clause. The audit focus is on whether the training was relevant to the actual hazards involved and whether the evidence is complete enough to demonstrate the worker was genuinely competent before performing the work.

Incident records and investigation reports — Clause 10.2

Clause 10.2 covers incidents, nonconformities, and corrective actions. It requires organisations to report and investigate incidents in a timely way, determine root causes, take corrective action, and review the effectiveness of that action.

A well-maintained incident register backed by thorough investigation reports — ones that go beyond immediate cause to identify contributing factors and produce genuine preventive actions — is strong evidence for this clause. The standard is not looking for zero incidents. It is looking for a disciplined response to incidents when they do occur.

Consultation and participation records — Clause 5.4

Clause 5.4 is one of the areas where ISO 45001 places stronger emphasis than many businesses expect. The standard requires genuine consultation with, and participation of, workers across a wide range of OH&S activities, including hazard identification, risk assessment, and determining controls.

Records of toolbox talks, safety committee meetings, pre-start meetings, SWMS sign-offs, and formal consultations with health and safety representatives all contribute evidence here. The auditor is looking for evidence that consultation actually happened and that worker input was considered, not just that consultation was scheduled.

Audit and review records — Clauses 9.2 and 9.3

Internal audit records and management review minutes address the performance evaluation section of the standard. These are discussed in more detail below under common gaps, since they are the area where most businesses need to build rather than simply document what already exists.

A strong WHS system is most of the way there

The document types above cover the operational heart of ISO 45001. Businesses with mature WHS systems often have:

  • a current policy signed by leadership
  • systematic risk assessments across their operations
  • SWMS for higher-risk tasks
  • maintained registers
  • training records tied to specific roles and hazards
  • an active incident register with investigation records
  • evidence of worker consultation

When that evidence base exists and is maintained, the operational clauses of ISO 45001 — Clauses 6.1, 7.2, 8.1, 10.2, and 5.4 — are largely covered. The certification work shifts from building an operations system to formalising the planning and evaluation wrapper around it.

See also: ISO 45001 and Australian WHS Law — How They Fit Together

Where the gaps typically sit

For most businesses coming from a solid WHS base, the remaining gaps fall into five areas.

1. Context of the organisation — Clause 4

Clause 4 requires a formal analysis of the organisation's internal and external context and a clear definition of the scope of the OH&S management system. Most WHS systems have an implied scope but not a documented one in the format the standard expects.

The fix is usually straightforward: a context document that identifies key internal factors (size, hazard profile, workers, activities), external factors (industry, regulators, clients, supply chain), and the agreed scope statement.

2. Interested parties — Clause 4.2

Related to context, Clause 4.2 requires the organisation to identify the workers and other interested parties that are relevant to the OH&S management system and to understand their needs and expectations. Regulators, clients, contractors, unions, and emergency services all typically feature.

This is a document most WHS systems do not have in any explicit form. It does not need to be complex, but it needs to exist.

3. Documented OH&S objectives — Clause 6.2

Clause 6.2 requires documented OH&S objectives that are consistent with the policy, measurable, monitored, communicated, and updated as appropriate. The standard wants to see targets, timelines, and assigned accountability — not just a general commitment to continuous improvement.

Many WHS systems operate on good intentions without formally documented objectives. Adding a simple objectives register with specific targets, owners, and review dates closes this gap.

4. Internal audit programme — Clause 9.2

An internal audit programme requires scheduled audits conducted at planned intervals, competent auditors (preferably independent of the area being audited), and documented results. Many smaller businesses conduct ad hoc inspections but do not have a systematic internal audit programme in the sense Clause 9.2 requires.

Building the programme is less about adding new paperwork and more about formalising the cadence, scope, and reporting of audits that may already be happening in some form.

5. Management review — Clause 9.3

Clause 9.3 requires top management to review the OH&S management system at planned intervals. The review must consider specific inputs — audit results, incidents, consultation outcomes, risk and opportunity assessments — and must produce documented outputs including decisions on continual improvement.

Leadership engagement in safety is common. Documented management reviews with the specific inputs and outputs the standard requires are less common. The gap is usually one of formalisation rather than substance.

Putting it together

The practical takeaway is that certification readiness is not binary. A business with a genuine, maintained WHS document set has already built the operational core of an ISO 45001 system. The work to close the gap is mostly additive — context documents, an interested-parties register, documented objectives, an internal audit schedule, and structured management reviews — rather than a rebuild of the system from scratch.

The value of going through this process is not just a certificate. It is a more complete system that treats safety management as a discipline with planning, evaluation, and leadership accountability built in, rather than a collection of documents that sit in a folder.

Frequently asked questions

Do WHS documents count as evidence for ISO 45001?

Yes. Documents such as risk assessments, SWMS, training records, incident reports, and consultation records directly satisfy evidence requirements across multiple ISO 45001 clauses. Auditors draw on these documents throughout both the Stage 1 document review and the Stage 2 implementation audit.

What ISO 45001 clauses do risk assessments and SWMS cover?

Risk assessments primarily address Clause 6.1 — hazard identification, risk assessment, and determination of controls. SWMS address Clause 8.1 — operational planning and control. Both document types also contribute supporting evidence to Clause 5.4 (worker consultation) where workers are involved in developing them.

What gaps remain after building a solid WHS document set?

The most common gaps are a formal context-of-the-organisation analysis (Clause 4), an interested-parties register (Clause 4.2), documented safety objectives with targets and timelines (Clause 6.2), a structured internal audit programme (Clause 9.2), and a formal management review process (Clause 9.3). These are planning and evaluation requirements that day-to-day WHS documents do not typically address on their own.

Can a business achieve ISO 45001 certification using its existing WHS system?

Many businesses are most of the way there. The existing document base usually covers operational clauses well — policy, hazard identification, controls, training, incidents, and consultation. The certification work is typically in adding the planning and evaluation elements the standard requires formally, not in rebuilding the operational system.


This article is general information only and does not constitute legal or certification advice. Certification requirements may vary depending on your industry, scope, and the certification body you engage. Always seek qualified WHS and certification advice for your specific situation.
