ISO 45001 gap analysis in Australia: what to expect
If certification is on your radar, this is almost always where it starts. Here's what a gap analysis actually involves, what it asks of you, and how to read what it finds.
ISO 45001 is the international standard for occupational health and safety management systems. Plenty of Australian organisations pursue it — sometimes because a client or tender demands it, sometimes because the board wants assurance, sometimes because it's simply good discipline. Whatever the reason, the sensible first move is rarely "go for certification." It's "find out how far off we are." That's what a gap analysis is for.
What a gap analysis actually is
A gap analysis measures your current OHS management system against the requirements of ISO 45001, clause by clause. It produces a clear picture of three things: where you already conform, where the gaps are, and what closing those gaps will take. Think of it as a map drawn before the journey, rather than a verdict delivered at the end of one.
It is not certification, and it's not an audit in the formal sense. Certification is issued by accredited certification bodies, and there are good reasons to keep that function separate from the advisory work of preparing for it. A gap analysis sits before all of that — it's the diagnostic that tells you whether you're months or quarters away.
How it works in practice
A typical gap analysis moves through the standard's structure: context of the organisation, leadership and worker participation, planning, support, operation, performance evaluation, and improvement. For each, the analysis looks at two things — whether you have the required arrangement in place, and whether you can demonstrate it with real evidence.
That second part is where most organisations are surprised. It's common to have a policy that ticks the clause but no evidence the policy does anything. ISO 45001 cares a great deal about demonstrated effectiveness, not just documented intent, and a gap analysis worth its fee will hold you to that same line.
The gap is rarely the documents. It's usually the evidence that the documents are doing their job.
Reading the findings
Good findings are risk-ranked. Not every gap matters equally, and a list that treats a missing signature the same as an absent risk-management process is worse than useless — it buries the things that matter under the things that don't. What you want is a prioritised view: the gaps that carry real consequence, the ones that are quick wins, and the ones that will take sustained effort.
You should also expect the findings in two registers: a clause-by-clause matrix for the people who'll do the work, and a concise summary for the people who'll fund and sponsor it. Leaders rarely need the matrix; they need to know the size of the task and where the exposure sits.
What the analysis asks of you
- Access to evidence. Documents, records, and ideally a look at how the system runs on site — not just the manual.
- Honest conversations. The analysis is only as good as the candour it's met with. Defending the system wastes the exercise.
- Time from the right people. A few hours with those who actually operate the system is worth more than a stack of policies.
From gap analysis to certification
Once the gaps are mapped, the path is usually clear: close the high-priority gaps, embed the changes long enough to generate evidence, run an internal audit to confirm the system holds, then engage a certification body. The gap analysis is what makes that sequence efficient — it stops you spending money on a certification attempt you're not ready for, and it stops you over-building a system in areas that were already fine.
Marsh Safety Solutions provides independent ISO 45001 gap analysis and assurance across Australia — and stays out of certification itself, so the advice has no conflict baked into it.