Article · 2026-04-23 · 9 min read

ISO 45001 vs OSHA: What EHS Teams Need to Know

If you run a small business: You are not required to be certified to ISO 45001 — and most small businesses never will be. What matters for you is OSHA compliance. This article explains the difference between the two so you understand what applies to your business and what does not. If you just need to know what OSHA requires, read our article on OSHA incident investigation requirements instead.

For EHS professionals operating in the United States, the relationship between ISO 45001 and OSHA is a source of persistent confusion. Both address occupational health and safety. Both have something to say about incident investigation. But they are fundamentally different instruments — one is a voluntary international management system standard, the other is a regulatory enforcement framework — and conflating them leads to compliance gaps, wasted effort, and misaligned expectations.

What OSHA is and what it does

The Occupational Safety and Health Act of 1970 established OSHA as a federal regulatory agency with authority to set and enforce workplace safety and health standards. OSHA compliance is a legal obligation for most US employers — not a choice. Failure to comply with applicable OSHA standards exposes employers to citations, penalties, and in serious cases, criminal prosecution.

OSHA operates through a combination of specific standards and the General Duty Clause — a broad obligation to provide a workplace free from recognized serious hazards. OSHA does not prescribe a management system. It sets minimum performance requirements and enforces compliance.

What ISO 45001 is and what it does

ISO 45001:2018 is an international standard that specifies requirements for an occupational health and safety management system. Certification to ISO 45001 is voluntary — no US law requires it. Organizations pursue certification to demonstrate safety management maturity to clients or insurers, to align with international supply chain requirements, or to satisfy contractual requirements in certain industries.

ISO 45001 does not replace OSHA compliance. An organization can be certified to ISO 45001 and still violate OSHA standards. Certification demonstrates that a management system is in place — it does not guarantee that every specific regulatory requirement is met.

ISO 45001 certification in the US: ISO 45001 certification is most common among large employers in manufacturing, construction, oil and gas, and other high-hazard industries — and among organizations with significant international operations or supply chain relationships where international standards alignment is a commercial requirement.

Key differences in how they approach incident investigation

OSHA's investigation requirements are largely implicit for general industry employers — flowing from the General Duty Clause and recordkeeping obligations. The exception is the Process Safety Management standard, which contains explicit investigation requirements for covered processes.

ISO 45001 Clause 10.2 sets explicit requirements for how certified organizations must respond to incidents. These include evaluating the need for corrective action to eliminate root causes, implementing appropriate corrective actions, reviewing their effectiveness, and retaining documented information as evidence. ISO 45001 also requires that relevant information about corrective actions be communicated to workers and worker representatives — going beyond what OSHA mandates for most employers.

Where they genuinely overlap

Despite their structural differences, OSHA requirements and ISO 45001 requirements overlap significantly in practice around incident investigation. Both expect employers to investigate incidents thoroughly, identify root causes rather than stopping at immediate causes, implement corrective actions that address those causes, and retain documentation of the process. An investigation program built to ISO 45001's Clause 10.2 requirements will, in most cases, substantially exceed OSHA's implicit investigation expectations.

Where they diverge

OSHA sets specific technical requirements — permissible exposure limits, machine guarding specifications, fall protection requirements, confined space entry procedures — that ISO 45001 does not address. ISO 45001 requires that legal and other requirements be identified and complied with, but it delegates the substance of those requirements to the applicable law.

ISO 45001 also places significantly greater emphasis on worker participation than OSHA does. Clause 5.4 requires active consultation with workers on the development and continual improvement of the OH&S management system.

ISO 45001 tells organizations how to manage safety. OSHA tells them what specific things they must do. Both are necessary — and neither is sufficient without the other.

ISO 45001 vs. OSHA: Quick Reference

| | OSHA | ISO 45001 |
|---|---|---|
| Nature | Federal regulation — legally mandatory | International standard — voluntary certification |
| Enforced by | OSHA inspectors; citations and penalties | Third-party certification body audits |
| Scope | Specific technical requirements by hazard/industry | Management system framework |
| Incident investigation | Implicit for most employers; explicit for PSM-covered processes | Explicit requirements under Clause 10.2 |
| Root cause analysis | Recommended, not mandated (except PSM) | Required — must evaluate root causes |
| Worker participation | Limited provisions in most standards | Strong requirement — Clause 5.4 |
| Applies to | Most US private-sector employers | Any organization choosing certification |

Building an investigation program that satisfies both

For most US EHS teams, the practical question is how to build an investigation program that meets OSHA's requirements, satisfies ISO 45001 certification obligations where applicable, and represents genuine best practice. The answer is to build to the higher standard on each dimension. Where ISO 45001 sets a more explicit requirement — as it does on root cause analysis documentation and worker communication — build to that requirement. Where OSHA sets specific technical requirements that ISO 45001 does not address, ensure those are met explicitly.

Organizations that build their investigation program around ISO 45001 Clause 10.2 requirements will, in most cases, produce investigation records that are more defensible in regulatory and legal proceedings than those built only to meet OSHA's implicit expectations.