What is the primary objective of ISO 45001?

ISO 45001:2018 specifies requirements for an occupational health and safety management system (OHSMS) to enable organizations to provide safe and healthy workplaces by preventing work-related injury and ill health, and proactively improving OH&S performance. It follows the Plan-Do-Check-Act (PDCA) cycle across Clauses 4–10, embedding OH&S into business processes via context analysis, leadership accountability, risk-based planning, operational controls, performance evaluation, and continual improvement.

Who is legally or professionally required to comply with ISO 45001?

No organization is legally required to comply with ISO 45001, as it is a voluntary international standard applicable to any size or sector. It is professionally relevant for high-risk industries like construction, manufacturing, oil & gas, and healthcare, where top management, EHS officers, operations managers, procurement, and workers must demonstrate leadership commitment (Clause 5), worker participation (Clause 5.4), and risk controls (Clause 8) to achieve certification and integrate with business strategy.

Does ISO 45001 require an external audit or third-party certification?

ISO 45001 does not require external audit or third-party certification, which remains voluntary. Organizations may pursue certification via accredited bodies through Stage 1 (documentation review) and Stage 2 (effectiveness audit), followed by annual surveillance and triennial recertification, to validate OHSMS conformity to Clauses 4–10, but internal audits (Clause 9.2) and management reviews (Clause 9.3) suffice for self-implementation.

How often should an assessment for ISO 45001 be performed?

ISO 45001 requires organizations to determine the frequency of performance assessments based on risks, processes, and effectiveness needs, with no fixed intervals specified. Internal audits (Clause 9.2) are typically planned annually or risk-based (e.g., high-risk areas more frequently), monitoring/measurement (Clause 9.1) occurs continuously via KPIs, and management reviews (Clause 9.3) are conducted at planned intervals, often annually, to evaluate suitability, adequacy, and effectiveness.

What are the consequences of non-compliance with ISO 45001?

Non-compliance with ISO 45001 carries no direct penalties from the standard itself, as it is voluntary, but results in certification denial, suspension, or withdrawal if pursued. Operationally, it risks regulatory fines, legal liabilities, higher insurance premiums, reputational damage, increased incidents, production disruptions, and failure to meet contractual or supply-chain requirements, undermining PDCA-driven continual improvement (Clause 10).

An ISO 45001 be mapped to other international frameworks?

Yes, ISO 45001 aligns with other management system standards via its High-Level Structure (Annex SL), facilitating integrated management systems. Clauses 4–10 map directly for shared processes like context analysis (Clause 4), leadership (Clause 5), planning (Clause 6), support (Clause 7), audits (Clause 9), and improvement (Clause 10), enabling unified documentation, audits, and reviews without diluting OH&S-specific requirements like worker participation and hierarchy of controls.

What is the first step to begin implementing ISO 45001?

The first step to implement ISO 45001 is to understand the organization's context and conduct a gap analysis against Clauses 4–10 (Clause 4.1–4.4). Secure top management commitment (Clause 5.1), define OHSMS scope, identify interested parties including workers, and assess current practices via hazard identification, legal requirements, and baseline KPIs to produce a prioritized roadmap for PDCA alignment.

What is the primary objective of ISO 28000?

ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) for supply chain security. The 2022 edition provides a risk-based framework to identify, assess, and treat security risks across people, assets, goods, infrastructure, and information in supply chains, using a PDCA cycle aligned with the High Level Structure for integration.

Who is legally or professionally required to comply with ISO 28000?

No organizations are legally required to comply with ISO 28000, as it is a voluntary international standard. Professionally, it applies to any size or type—logistics, manufacturing, retail, pharmaceuticals, energy, ports, 3PL/4PL providers—facing supply chain risks, often driven by contracts, customs programs like C-TPAT, tenders, or insurance demands.

Does ISO 28000 require an external audit or third-party certification?

ISO 28000 does not require external audit or third-party certification; conformity can be verified internally or externally. Certification by accredited bodies (per ISO 28003) involves Stage 1 (documentation) and Stage 2 (implementation) audits, followed by annual surveillance, providing market-recognized assurance.

How often should an assessment for ISO 28000 be performed?

ISO 28000 requires risk assessments to be maintained continuously, with reviews at planned intervals or upon changes. Internal audits occur per a risk-based program (typically annually), management reviews at planned intervals (at least yearly), and full reassessments triggered by context changes, incidents, or strategic shifts.

What are the consequences of non-compliance with ISO 28000?

Non-compliance with ISO 28000 carries no direct legal penalties, as it is voluntary. Indirect consequences include supply chain disruptions from theft/sabotage, contract losses, higher insurance premiums, denied market access, reputational damage, and regulatory scrutiny in high-risk sectors.

An ISO 28000 be mapped to other international frameworks?

Yes, ISO 28000:2022 aligns with the High Level Structure, enabling mapping to frameworks like ISO 9001, ISO 14001, ISO 22301, and ISO/IEC 27001. Common mappings cover context, leadership, planning, support, operation, performance evaluation, and improvement for integrated management systems and combined audits.

What is the first step to begin implementing ISO 28000?

The first step is executive commitment, scoping the SMS, and conducting a gap analysis. Secure leadership sponsorship, map supply chain context/interdependencies, review existing processes against clauses 4-10, and produce a prioritized risk register and project charter.

Standards Comparison

ISO 45001 vs ISO 28000

ISO 45001

Voluntary

2018

International standard for occupational health and safety management

ISO 28000

Voluntary

2022

International standard for supply chain security management systems

Quick Verdict

ISO 45001 provides occupational health & safety management for all organizations, preventing workplace injuries via risk controls and worker participation. ISO 28000 delivers supply chain security management, protecting assets and resilience through risk assessment and controls. Companies adopt them for compliance, risk reduction, and certification.

Occupational Health & Safety

ISO 45001

ISO 45001:2018 Occupational Health and Safety Management Systems

Cost

€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Top management accountability with worker participation
Hierarchy of controls prioritizing hazard elimination
Annex SL structure for IMS integration
Risk-based planning addressing opportunities
Explicit contractor and change management controls

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems — Requirements

Cost

€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based supply chain security management system
PDCA cycle with leadership commitment requirements
Supplier interdependency and third-party controls
Operational security plans and incident response
Integration with ISO 27001 and 22301 standards

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

ISO 45001 Details

What It Is

ISO 45001:2018 is the international standard for Occupational Health and Safety Management Systems (OHSMS). It provides a framework to prevent work-related injuries and ill health, improve OH&S performance, using a risk-based approach aligned with Annex SL (High-Level Structure) and PDCA cycle.

Key Components

Clauses 4-10: context, leadership/worker participation, planning, support, operation, performance evaluation, improvement.
Emphasizes hierarchy of controls, worker consultation, contractor management.
Built on risk/opportunities identification, legal compliance, continual improvement.
Supports certification via accredited bodies.

Why Organizations Use It

Reduces incidents, costs, insurance premiums.
Enhances resilience, reputation, talent retention.
Meets stakeholder/supply-chain expectations; integrates with ISO 9001/14001.
Drives proactive risk management, culture shift.

Implementation Overview

Phased: gap analysis, policy/objectives, controls, audits, certification.
Scalable for all sizes/sectors; 6-12 months typical.
Involves training, audits, management reviews.

ISO 28000 Details

What It Is

ISO 28000:2022 — Security and resilience — Security management systems — Requirements is an international management system standard specifying requirements for establishing, implementing, maintaining, and improving a security management system (SMS) focused on supply chain security. It uses a risk-based approach aligned with PDCA (Plan-Do-Check-Act) and ISO High Level Structure for integration with other standards.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, performance evaluation, improvement.
Emphasizes risk assessment, operational controls (physical, personnel, procedural), supplier governance.
Built on ISO 31000 risk principles; supports certification per ISO 28003.

Why Organizations Use It

Mitigates theft, sabotage, disruptions; reduces incident costs, insurance premiums.
Meets contractual, regulatory drivers (e.g., C-TPAT equivalents); enables market access, trade facilitation.
Builds stakeholder trust, competitive edge in logistics, manufacturing, pharma.

Implementation Overview

Phased: gap analysis, risk assessment, controls deployment, audits.
Scalable for SMEs to multinationals; industries like logistics, retail.
Optional third-party certification with surveillance audits. (178 words)

Key Differences

Aspect	ISO 45001	ISO 28000
Scope	Occupational health & safety management	Supply chain security management
Industry	All sectors, high-risk industries emphasized	Logistics, manufacturing, supply chain focused
Nature	Voluntary management system standard	Voluntary management system standard
Testing	Internal audits, management reviews	Internal audits, risk assessments
Penalties	No legal penalties, certification loss	No legal penalties, certification loss

Scope

ISO 45001

Occupational health & safety management

ISO 28000

Supply chain security management

Industry

ISO 45001

All sectors, high-risk industries emphasized

ISO 28000

Logistics, manufacturing, supply chain focused

Nature

ISO 45001

Voluntary management system standard

ISO 28000

Voluntary management system standard

Testing

ISO 45001

Internal audits, management reviews

ISO 28000

Internal audits, risk assessments

Penalties

ISO 45001

No legal penalties, certification loss

ISO 28000

No legal penalties, certification loss

Frequently Asked Questions

Common questions about ISO 45001 and ISO 28000

ISO 45001 FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

Asset-Backed Issuers and SEC Cybersecurity Rules: Applicability, Disclosures, and Compliance Roadmap

How SEC cybersecurity rules apply to asset-backed issuers (ABS): Form 10-D disclosures, ABS-EE risk management, Inline XBRL tagging, exemptions. Roadmap for tru

From Reactive Gatekeeper to Proactive Strategist: How Compliance Software Reshapes the Compliance Professional's Day

Discover how compliance software automates monitoring, delivers real-time insights, and transforms compliance pros from reactive gatekeepers to proactive strate

The 2026 Cyber Essentials Hybrid Audit Checklist: Gathering Unassailable Proof Across M365, AWS, and Azure

Build an evidence vault that passes Cyber Essentials Plus audits in 2026. Practical guidance on firewalls, secure configuration, and malware protection across M

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how ISO 45001 and ISO 28000 compare against other standards

Other ISO 45001 Comparisons

Other ISO 28000 Comparisons

Quick Verdict

Key Components

Clauses 4-10: context, leadership/worker participation, planning, support, operation, performance evaluation, improvement.

Emphasizes hierarchy of controls, worker consultation, contractor management.

Built on risk/opportunities identification, legal compliance, continual improvement.

Supports certification via accredited bodies.

What It Is

Aspect

ISO 45001

ISO 28000

Scope

Occupational health & safety management

Supply chain security management

Industry

All sectors, high-risk industries emphasized

Logistics, manufacturing, supply chain focused

Nature

Voluntary management system standard

Testing

Internal audits, management reviews

Internal audits, risk assessments

Penalties

No legal penalties, certification loss