Writing and Implementing an OH&S Policy Under ISO 45001

The OH&S policy - top management's public commitment, with five required elements.

ISO 45001 Clause 5.2 - OH&S Policy

ISO 45001:2018 Clause 5.2 requires top management to establish, implement and maintain an OH&S policy. The policy is the visible public commitment of top management to occupational health and safety. It is one of the few outputs of the standard that must exist as documented information and be available to interested parties.

The standard sets out specific commitments the policy must include. It must commit to providing safe and healthy working conditions for the prevention of work-related injury and ill health, be appropriate to the purpose, size and context of the organisation and the specific nature of its OH&S risks and opportunities, provide a framework for setting OH&S objectives, commit to fulfilling legal requirements and other requirements, commit to eliminating hazards and reducing OH&S risks, commit to continual improvement, and commit to consultation and participation of workers.

The policy must also be available as documented information, communicated within the organisation, made available to interested parties as appropriate, and remain relevant and appropriate over time.

What an Effective OH&S Policy Looks Like

An effective OH&S policy is short, specific to the organisation and signed by the most senior person in it. A typical policy is one or two pages. Longer policies tend to drift into procedural detail that belongs elsewhere in the management system.

The policy should be tailored to the activities and context of the organisation. A construction company's policy will reference work at height, machinery and site safety in language that reflects the actual work. A consultancy's policy will reference workplace ergonomics, lone working and travel safety. Generic policies that could apply to any organisation are usually a sign that the policy has been copied without thought.

The policy is not a one-off document. It is reviewed at management review and updated when circumstances change - new activities, organisational change, significant accidents that highlight gaps. Most organisations review the policy annually as a minimum.

For organisations setting up an OH&S management system, the easiest approach is to start from a template that already covers the seven required commitments, then tailor it to the specific business. The risk with writing from scratch is missing one of the required elements. Auditors will check each one.

Keep the policy short. One page is enough for most organisations, two for larger ones. The policy is a statement of commitment, not a procedure. Any procedural content belongs in the IMS Manual or in specific procedures, not in the policy.

I check the policy contains the seven commitments the standard requires, that it is signed by top management, that it is appropriate to the business, and that workers are aware of it. I will often ask workers about the policy during the audit. I do not expect them to recite it, but they should know it exists and have a sense of what it commits to.

Practical Compliance Guidance

The OH&S policy is held as a separate document. The IMS1 Manual references the policy and explains where it is held, how it is reviewed and how it is communicated.

The following alphaZ documents support compliance with ISO 45001:2018 Clause 5.2.

alphaZ document - How to use it

ISO 45001 Toolkit - The full set of documents needed for ISO 45001 compliance, including the OH&S policy template and supporting documents.

P-3 Health and Safety Policy - The OH&S policy template covering the seven commitments required by ISO 45001:2018 Clause 5.2. Tailor to the specific organisation and have it signed by top management.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

ISO 45001 does not specifically require a signature, but signing by top management is normal practice and demonstrates the leadership commitment that Clause 5.1 requires. In the UK, the Health and Safety at Work etc. Act 1974 requires employers with five or more employees to have a written health and safety policy, and signing it is the conventional way of confirming top management ownership.

Yes. Many organisations running an integrated management system have a single combined policy covering ISO 9001, ISO 14001 and ISO 45001 commitments. This is acceptable provided all the commitments required by each standard are clearly present. The alternative is three separate policies, which can also work but creates more documents to maintain.

Common methods include displaying the policy at workplaces, including it in induction training, posting it on the company intranet, providing it to new starters with their contract, and referring to it in toolbox talks. The standard requires the policy to be communicated within the organisation - the method is not prescribed but the auditor will expect to see that workers are aware of it.

The standard requires the policy to be made available to interested parties as appropriate. Many certified organisations publish their policy on their website. This is not strictly required but is good practice and addresses requests from clients and supply chain partners.

UK Legislation

The following UK legislation imposes the requirement to have a written health and safety policy. Organisations outside the UK should identify equivalent legislation in their jurisdiction.
