ISO 45001 vs ISO 31000: How They Work Together
ISO 45001 and ISO 31000 are both international standards that relate to risk and safety. They’re often mentioned in the same breath, and organisations in mining, construction, and heavy industry frequently need to demonstrate alignment with both.
But they’re not the same standard, they don’t serve the same purpose, and applying one without understanding the other creates gaps in your risk and safety framework. This guide explains what each standard does, how they differ, and how to make them work together in practice.
What ISO 45001 Requires From Your Organisation
ISO 45001:2018 is the international standard for Occupational Health and Safety (OH&S) Management Systems. It replaced OHSAS 18001 as the global benchmark for workplace safety management.
ISO 45001 specifies the requirements for an OH&S management system — the structure, processes, and controls an organisation needs to prevent work-related injuries and ill health, and to promote safe and healthy workplaces.
It’s built on the Plan-Do-Check-Act (PDCA) cycle and follows the High-Level Structure (HLS) that ISO uses across its management system standards, which makes it compatible with ISO 9001 (quality) and ISO 14001 (environmental management).
Key elements of ISO 45001:
- Leadership and worker participation — top management commitment and worker involvement in OH&S
- Hazard identification and risk assessment — identifying workplace hazards and assessing the associated risks
- Legal and regulatory compliance — understanding and meeting applicable OH&S legislation
- Operational controls — controls for high-risk activities and processes
- Incident investigation — structured response to incidents to prevent recurrence
- Performance evaluation — monitoring, measurement, audit, and management review
- Continual improvement — ongoing enhancement of OH&S performance
ISO 45001 certification is audited by a third-party certification body. Organisations that are certified demonstrate to clients, regulators, and workers that their safety management system meets the international standard.
What ISO 31000 Provides as a Framework
ISO 31000:2018 is the international standard for Risk Management. It provides principles and guidelines for managing any type of risk — not just safety risk.
ISO 31000 is explicitly designed to apply across all organisations, all sectors, and all types of risk: strategic, operational, financial, compliance, reputational, safety, environmental, and more. It’s a framework standard, not a prescriptive management system standard.
Where ISO 45001 tells you what your OH&S management system must contain, ISO 31000 provides principles and a process for thinking about and managing risk — regardless of the type of risk or the sector.
Key principles of ISO 31000:
- Integrated — risk management should be embedded in all organisational activities, not siloed in a risk department
- Structured and comprehensive — a consistent, thorough approach produces comparable and reliable results
- Customised — the framework should be proportionate to the context and objectives of the organisation
- Inclusive — involving stakeholders, including workers, in the risk management process
- Dynamic — risk management responds to changing internal and external contexts
- Best available information — decisions are based on the best available data, with appropriate uncertainty acknowledged
- Human and cultural factors — recognising the role of culture and behaviour in risk
- Continual improvement — risk management is improved through learning and experience (the eighth principle in ISO 31000:2018, often omitted from summaries)
ISO 31000 also describes the risk management process: establishing context, identifying risks, analysing risks, evaluating risks, treating risks, communicating and consulting, and monitoring and reviewing. This process is the foundation of a well-structured risk register.
Unlike ISO 45001, ISO 31000 is not a certifiable standard. You can’t get “ISO 31000 certified.” It’s a reference standard — a framework that informs how you approach risk management, rather than a set of auditable requirements.
How the Two Standards Differ
| | ISO 45001 | ISO 31000 |
|---|---|---|
| Focus | Occupational health and safety | All types of risk |
| Type | Management system standard (certifiable) | Framework and principles (not certifiable) |
| Scope | Worker safety and health | Strategic, operational, financial, safety, environmental, and all other risk types |
| Requirement or guidance? | Requirements (shall) | Guidance (should) |
| Audience | OH&S managers, HSEQ leaders | Risk managers, board, executives, operational leaders |
| Output | A management system with defined elements | A risk management framework and process |
| Certification | Third-party certification available | No certification |
The most important distinction: ISO 45001 is about managing the system that protects worker safety. ISO 31000 is about the process of managing risk — any risk, including but not limited to safety risk.
How They Relate to Each Other
ISO 45001 and ISO 31000 are complementary, not competing. ISO 45001 does not prescribe a risk assessment method; the process it requires (identify hazards, assess and evaluate the associated risks against defined criteria, determine controls) maps directly onto the ISO 31000 risk assessment process, and ISO 31000 is the natural reference for how to carry it out.
Think of it this way:
ISO 31000 gives you the intellectual framework — how to think about risk, how to assess it, how to treat it, how to communicate and review.
ISO 45001 applies that framework specifically to OH&S risk and wraps it in a management system with requirements for leadership, worker participation, compliance obligations, operational controls, performance evaluation, and continual improvement.
An organisation that has a well-implemented ISO 31000 framework will find that the risk assessment elements of ISO 45001 align naturally with what they’re already doing. The ISO 45001 management system then provides the organisational structure — the policies, roles, procedures, and review mechanisms — that ensures the risk management process is consistently applied across the OH&S domain.
Where They Complement Each Other in Practice
Hazard Identification and Risk Assessment
ISO 45001 requires hazard identification (Clause 6.1.2.1) and assessment of OH&S risks (Clause 6.1.2.2). The standard does not prescribe a specific method; it requires that hazards be identified, that a methodology and criteria for assessing risk be defined, and that risks be assessed. ISO 31000's risk assessment process (identify, analyse, evaluate) is a natural framework for meeting this requirement.
In practice, organisations implementing ISO 45001 often use ISO 31000-aligned processes for their risk assessments: structured context-setting, systematic hazard identification, likelihood and consequence analysis, risk evaluation against defined criteria, and treatment selection. Risk assessment methods like HAZOP, HAZID, FMEA, and WRAC all sit within this ISO 31000 process framework.
Risk Criteria
ISO 45001 requires that OH&S risk criteria be established (Clause 6.1.2.2). ISO 31000 provides the conceptual framework for what risk criteria are and how they should be set — including the relationship between risk criteria, risk appetite, and risk tolerance.
An organisation with a clear ISO 31000-aligned risk appetite and tolerance framework has a ready-made basis for the risk criteria that ISO 45001 requires for its OH&S risk assessments.
Monitoring and Review
Both standards require that risks and controls be monitored and reviewed. ISO 45001 makes this explicit through performance measurement, internal audit, and management review. ISO 31000 frames it as the monitoring and review component of the risk management process.
The control effectiveness monitoring approach you use for your critical safety controls serves both standards simultaneously — it’s how ISO 45001’s operational control requirements are maintained, and it’s the monitoring and review element of ISO 31000’s risk management process.
Incident Investigation
ISO 45001 has explicit requirements for incident investigation (Clause 10.2) — determining root causes, taking corrective action, and communicating findings. ISO 31000 doesn’t have incident investigation requirements (it’s not a safety standard), but the risk management process it describes — particularly the review and update of risk assessments in response to new information — is what a good incident investigation feeds into.
When your investigation findings update your bowtie diagrams, risk register, and control effectiveness data, you’re fulfilling both the continual improvement requirements of ISO 45001 and the dynamic monitoring requirement of ISO 31000.
Building a Framework That Satisfies Both
The most effective approach is to build your risk management framework on ISO 31000 principles, and implement your OH&S management system (ISO 45001) as the domain-specific application of that framework to safety risk.
Practical steps:
- Establish your risk framework using ISO 31000 — context, risk criteria, process, communication and consultation, and monitoring and review. This is your organisation-wide approach to risk, covering all risk types.
- Map your OH&S risk processes to the framework — your hazard identification, risk assessment, and control management processes should sit within the broader ISO 31000 process, not operate in parallel to it.
- Build your safety management system on this foundation — the policies, roles, procedures, competency requirements, audit program, and management review that ISO 45001 requires are the governance layer around the risk management process.
- Connect your risk data — when incidents, near-misses, and control effectiveness data feed back into your risk register and control framework, you’re maintaining the dynamic, responsive risk management that both standards require.
- Avoid duplication — a common mistake is running a “risk register” for ISO 31000 and a separate “hazard register” for ISO 45001. These are the same thing. One integrated system, connected to controls, incidents, and verification data, satisfies both standards and serves the people doing the actual work.
The Role of Safety Management Systems
It’s worth noting the relationship between these standards and a safety management system (SMS) more broadly. An ISO 45001-aligned OH&S management system is a type of safety management system — but SMS is a broader concept that includes elements like critical control management, bowtie analysis, and emergency management that may not be explicitly required by ISO 45001 but are expected by industry frameworks (ICMM, AMSANZ) and regulators in high-hazard industries.
For mining, construction, and energy organisations, ISO 45001 compliance is typically the floor, not the ceiling. The additional rigour of critical control management, bowtie analysis, and multi-level verification sits on top of what ISO 45001 requires — and is what separates organisations that are genuinely managing risk from those that are managing compliance.
Making Both Standards Work Without Doubling the Work
The practical challenge for organisations in high-hazard industries is that implementing and maintaining two standards can create duplication, confusion, and administrative overhead. The solution is integration, not separation.
A single, connected risk management system that:
- Captures hazards, risks, and controls in one register
- Links controls to bowtie diagrams and critical control frameworks
- Connects incidents and near-misses back to risks and controls
- Tracks verification and control effectiveness
- Provides audit trails and management reports
…satisfies the monitoring, review, and continual improvement requirements of both ISO 45001 and ISO 31000 simultaneously, without requiring separate systems for each.
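The following is an added illustrative example, not code from this page or from any product it mentions. It sketches the single connected register described in the practical steps and in the list above as a small Python data model: one set of risk criteria, one register of risks and controls, and one feedback path for verification results and incident findings, so that the same record serves ISO 45001 risk assessment and corrective action and ISO 31000 monitoring and review. The 5x5 likelihood and consequence scale, the tolerance threshold of 12, the per-control likelihood reduction, and every identifier and sample record are assumptions chosen for the example; the article specifies none of them.

```python
"""Single integrated risk register: risks, controls, verification results and
incidents in one model. Added illustrative example; the 5x5 scale, the tolerance
of 12 and the per-control likelihood reduction are assumed, not taken from the standards."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TOLERANCE = 12       # assumed risk criterion: residual ratings above this need treatment
SCALE = range(1, 6)  # assumed 1..5 likelihood and consequence scales


@dataclass
class Control:
    control_id: str
    description: str
    critical: bool = False
    reduction: int = 1                         # assumed likelihood steps removed when effective
    verified_effective: Optional[bool] = None  # latest verification; None = never verified


@dataclass
class Risk:
    risk_id: str
    hazard: str
    likelihood: int   # inherent, before controls
    consequence: int
    control_ids: List[str] = field(default_factory=list)


@dataclass
class Incident:
    incident_id: str
    risk_id: str
    failed_control_ids: List[str]
    root_cause: str


class RiskRegister:
    """One register shared by the OH&S management system and the wider risk framework."""

    def __init__(self) -> None:
        self.risks: Dict[str, Risk] = {}
        self.controls: Dict[str, Control] = {}
        self.incidents: List[Incident] = []

    def add_control(self, control: Control) -> None:
        self.controls[control.control_id] = control

    def add_risk(self, risk: Risk) -> None:
        # Entries must use the defined criteria and may only reference registered controls
        if risk.likelihood not in SCALE or risk.consequence not in SCALE:
            raise ValueError(f"{risk.risk_id}: scores must be {SCALE.start}..{SCALE.stop - 1}")
        unknown = [c for c in risk.control_ids if c not in self.controls]
        if unknown:
            raise ValueError(f"{risk.risk_id}: unknown controls {unknown}")
        self.risks[risk.risk_id] = risk

    def record_verification(self, control_id: str, effective: bool) -> None:
        """Control effectiveness monitoring updates the same control record that
        risk evaluation reads; there is no second 'hazard register' to sync."""
        self.controls[control_id].verified_effective = effective

    def record_incident(self, incident: Incident) -> None:
        """Investigation findings feed back: a control found to have failed loses
        its risk-reduction credit until it is re-verified."""
        if incident.risk_id not in self.risks:
            raise ValueError(f"unknown risk {incident.risk_id}")
        self.incidents.append(incident)
        for cid in incident.failed_control_ids:
            self.controls[cid].verified_effective = False

    def inherent_rating(self, risk_id: str) -> int:
        r = self.risks[risk_id]
        return r.likelihood * r.consequence

    def residual_rating(self, risk_id: str) -> int:
        """Only controls with a current 'effective' verification reduce likelihood;
        unverified or failed controls earn no credit (conservative by design)."""
        r = self.risks[risk_id]
        credit = sum(self.controls[c].reduction for c in r.control_ids
                     if self.controls[c].verified_effective is True)
        return max(1, r.likelihood - credit) * r.consequence

    def needs_treatment(self) -> List[str]:
        """Risk evaluation against the criteria: residual rating above tolerance."""
        return sorted(rid for rid in self.risks if self.residual_rating(rid) > TOLERANCE)

    def management_review(self) -> Dict[str, object]:
        """One summary for management review; the same data serves both standards."""
        unverified_critical = sorted(c.control_id for c in self.controls.values()
                                     if c.critical and c.verified_effective is not True)
        return {
            "risks": len(self.risks),
            "incidents": len(self.incidents),
            "above_tolerance": self.needs_treatment(),
            "critical_controls_without_current_verification": unverified_critical,
        }


def demo() -> RiskRegister:
    """Constructed sample data (assumed, not from the article): one yard traffic risk."""
    reg = RiskRegister()
    reg.add_control(Control("C1", "Physical segregation of pedestrians and vehicles",
                            critical=True, reduction=2))
    reg.add_control(Control("C2", "Vehicle proximity alarms", reduction=1))
    reg.add_risk(Risk("R1", "Vehicle and pedestrian interaction in the yard",
                      likelihood=4, consequence=5, control_ids=["C1", "C2"]))
    return reg
```

Walking the sample through: R1 rates 20 inherent and stays at 20 until its controls are verified, because an unverified control earns no credit. Once C1 and C2 are verified effective the residual drops to 5 and R1 leaves the treatment list. An incident whose investigation finds C1 failed pushes the residual back to 15 and puts C1 on the management review list of critical controls without a current verification, which is the feedback loop the practical steps describe, expressed in one record rather than in a risk register and a separate hazard register.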
RiskSight’s risk management software is built on this integrated model — ISO 31000 risk register, bowtie analysis, critical control management, and incident investigation in one connected platform. Start your 30-day free trial with demo data included.