How to identify and comply with legal requirements in ISO 45001
Updated 2018-12-04 according to ISO 45001
Compliance with legal and other requirements is one of the most important requirements in ISO 45001, because the lives and health of people are at stake. The ISO 45001 standard provides a good framework for identifying and monitoring compliance with all local legislation regarding occupational health and safety. The first step is to clarify what legal compliance is. Compliance with legal requirements means full implementation of applicable occupational health and safety legislation, and it occurs when requirements are met and desired changes are achieved.
The standard mentions legal requirements in several places, indicating that they must be considered through the whole Plan-Do-Check-Act (PDCA) cycle of the occupational health and safety management system (OH&SMS), from developing the OH&S Policy and defining OH&S Objectives, to management review.
The first document that mentions consideration of legal requirements is the OH&S Policy. The standard clearly demands the inclusion of at least a commitment to comply with applicable legal requirements, and with other requirements to which the organization subscribes that relate to its OH&S hazards when writing the policy. (See also How to write an OH&S Policy).
Procedure for identification of legal and other requirements
The next step is in clause 6.1.3 – Determining legal requirements and other requirements, where the standard requires you to establish a process for identifying and accessing the legal and other OH&S requirements that are applicable to the organization. The organization may find occupational health and safety regulations on the websites of the government agencies in charge, or via other specialized services. From the full list of regulations, choose only those that are applicable to your business.
Although the standard does not explicitly require you to document this procedure, its purpose is to ensure that applicable legal and other requirements are taken into account when establishing, implementing, and maintaining the OH&S management system. As far as documentation requirements are concerned, you need to create a list of legal and other requirements and keep it up to date.
In clause 6.2, ISO 45001 states that when an organization establishes OH&S Objectives and plans how to achieve them, it should take into account applicable requirements, which include legal requirements.
The organization should plan how to comply with legal requirements. If you find during identification of applicable legal requirements that you are only partially in compliance with a specific applicable regulation, or you have completely ignored it, now is the time to set it as a target.
In the implementation phase, the organization should have instruments in place for dealing with legal requirements (e.g., sufficient documents to demonstrate compliance, responsibilities and authorities for compliance-related requirements, compliance-related communication process, training and awareness of the compliance-related processes).
Of course, you will need to do a periodic evaluation of compliance with legal and other requirements, because even if your organization is in compliance today, you cannot be sure that it will be in compliance in six months or a year. This is a mandatory activity and there must be a record kept as evidence.
Where a non-compliance with legal requirements is discovered, the organization is required to take immediate corrective action, which may include actions to immediately inform the authorities depending on the specific legal requirements and magnitude of the non-compliance. As in any case of nonconformity, the procedure for corrective actions must be followed.
Clause 9.3 requires top management to review the occupational health and safety management system, through the management review process, taking into account the results of the evaluation of compliance and possible changes in legal requirements. This is to ensure that top management is aware of the risks of potential or actual non-compliance, and has taken appropriate steps to meet the commitment to legal compliance. Results of the evaluation of compliance with legal and other requirements are one of the mandatory inputs to the management review.
Taken together, these provisions mean that an organization implementing ISO 45001 should systematically identify and manage its compliance obligations by including the elements listed above within its occupational health and safety management system.
There have been many examples of organizations that have reached and maintained legal compliance as a result of implementing and maintaining an OH&S management system that conforms to the standard. While certification of an OH&S management system against the requirements of ISO 45001 is not a guarantee of legal compliance, it is a proven and efficient tool for achieving and maintaining it. Applying this systematic approach to the requirement of compliance with legal and other requirements will help prevent your organization from unintentionally violating legislation, and possibly prevent ill health and injuries in the workplace.
Use this free ISO 45001 Gap Analysis Tool to find out your level of compliance with ISO 45001.