Most ISO 45001 hazard registers look complete until an auditor asks one question: “Show me the contractor hazards.” The register covers production lines, office ergonomics, warehouse traffic. It does not cover the electrical contractor rewiring a panel during a weekend shutdown, the cleaning crew working with chemical agents after hours, or the construction subcontractor operating a crane above the loading bay. Clause 6.1.2.1 of ISO 45001:2018 requires all of these. Organisations that certify without closing this ISO 45001 hazard identification scope gap are carrying a nonconformity risk that compounds at every surveillance cycle. The confirmed ISO 45001 revision β targeting 2027, with supply chain responsibility as a named focus β will make it worse.
What ISO 45001 Clause 6.1.2.1 Actually Requires
ISO 45001:2018 Clause 6.1.2.1 sets out a hazard identification process that must be ongoing and proactive. Routine production activities are the floor, not the ceiling. The clause requires the process to account for routine and non-routine activities and situations, persons with access to the workplace including contractors and visitors, and workers at locations not under the organisation’s direct control. It also requires identification to cover actual or proposed changes in organisation, operations, and processes β every time a new contractor starts work or an existing contractor changes scope, the hazard identification process should trigger.
The sub-clause structure lists these categories as mandatory inputs. An organisation whose hazard register contains only routine employee activities has implemented part of Clause 6.1.2.1 and left the rest undocumented. That’s not a gap. That’s a nonconformity waiting for an auditor to find it.
Clause reference reflects mapped standard requirement. Verify against current edition before audit use.
Where Organisations Fail on Hazard Identification
Weak hazard identification is the most commonly cited first-audit failure across ISO 45001 certifications. It shows up the same way every time. Training providers and consultancies consistently document it as the primary root cause of Stage 2 nonconformities β hazard registers exist on paper but don’t reflect operational reality, risk matrices are populated but not applied in practice, and entire categories of work activity are absent from the register.
The contractor gap is the sharpest version of this problem. Organisations maintain complete contractor management files under Clause 8.1.4 β insurance certificates, induction records, method statements, PPE requirements. That file satisfies procurement reviewers. It may pass a documentation review at Stage 1. But it does not satisfy Clause 6.1.2.1 unless the hazards arising from contractor activities are captured in the master hazard register with evidence of joint identification.
Clause 8.1.4.2 requires the organisation to coordinate with contractors to identify hazards arising from contractor activities that impact the organisation, the organisation’s activities that impact contractor workers, and contractor activities that impact other interested parties. That coordination should produce hazard entries. Those entries belong in the Clause 6.1.2.1 register. When contractor coordination stays in the procurement file and never feeds the risk register, the auditor sees a structural gap between two clauses that should be connected. Most organisations don’t realise the gap exists until a Stage 2 auditor traces the thread.
Stage 2 audit checklists from certification bodies confirm this probe directly: auditors ask whether procurement coordination under 8.1.4.2 has produced identified hazards and whether those hazards appear in the organisation’s risk assessment under 6.1.2.1. A contractor induction record does not answer that question.
Clause reference reflects mapped standard requirement. Verify against current edition before audit use.
Clause 5.4 creates a second problem. ISO 45001:2018 defines “worker” to include persons performing work under the organisation’s control β which covers contracted workers on-site. Clause 5.4 requires worker participation in identifying hazards and assessing risks. If contracted workers are excluded from hazard identification, the same gap can produce a linked observation: those workers weren’t consulted in the process governing their safety. One scope omission, two clause exposures.
What Audit-Defensible Evidence Looks Like
Closing this gap doesn’t require a new management system. It requires connecting two processes that already exist but operate in isolation.
The contractor hazard identification linkage needs joint hazard identification records β documented coordination sessions with contractor representatives, dated, with attendees listed, hazards identified, and resulting actions. Those sessions produce register entries. The master risk register needs updated entries that trace back to contractor coordination with a notation like “source: contractor coordination [date].” Without that traceability, the coordination happened but the register doesn’t show it.
Participation evidence under Clause 5.4 closes the loop. Contracted workers or their representatives need to have contributed to hazard identification for activities affecting them. Toolbox talk sign-offs, pre-task briefing records, joint site walkdown documentation β auditors accept process evidence. They don’t accept the assertion that contractors “were consulted” without a dated record.
The register itself needs a scope statement that explicitly names the Clause 6.1.2.1 categories it covers: routine and non-routine activities, contractor and visitor hazards, off-site workers, and change-triggered identification. Without that scope statement, an auditor cannot verify coverage. An absent scope statement on a core process is itself an audit finding.
Practical Steps
- Audit your existing hazard register against Clause 6.1.2.1 sub-clause categories. For each of the mandatory inputs β non-routine activities, contractor and visitor hazards, workers not under direct control, change-triggered identification β confirm whether entries exist. Flag absent categories. This scope gap matrix is the evidence item that shows your auditor you understand the extent of any gaps.
- Establish the 8.1.4.2-to-6.1.2.1 linkage for every active contractor type. For each contractor category β maintenance, construction, cleaning, logistics β document a joint hazard identification session with date, attendees, hazards identified, and resulting register entries. Cross-reference the coordination record and the register update.
- Capture participation evidence under Clause 5.4. Document that contracted workers or their representatives participated in hazard identification for activities affecting them. Names, dates, roles, outputs. If individual names aren’t available, document the consultation mechanism β toolbox talks with sign-off, pre-task briefings, joint walkdowns. Auditors accept process evidence. They don’t accept assertions without records.
- Build a change trigger into the hazard identification procedure. When a new contractor starts work or an existing contractor changes scope, the procedure should require a hazard identification review. This satisfies the sub-clause (g) requirement for identification to cover actual or proposed changes.
Key Takeaway
Organisations certifying now with a hazard register that excludes contractor activities aren’t just carrying a Stage 2 risk under Clause 6.1.2.1. They’re building a scope gap that will widen when the revised ISO 45001 arrives β TC 283 has confirmed the revision with a 2027 target and named supply chain responsibility as a focus area. The fix is structural, not documentary: connect contractor coordination under 8.1.4.2 to your master hazard register, document participation under Clause 5.4, and make the register’s scope statement explicit. Do it before your next audit, not during the transition period.
Frequently Asked Questions
Q: What is the most common ISO 45001 first-audit nonconformity? A: Incomplete hazard identification under Clause 6.1.2.1, particularly the omission of contractor and non-routine activities from the hazard register.
Q: Do contractor induction records satisfy Clause 6.1.2.1? A: No. Induction records fulfil procurement requirements under Clause 8.1.4 but do not demonstrate that contractor hazards were identified and entered into the master hazard register.
Q: What evidence do auditors expect for contractor hazard identification? A: Joint hazard identification records with dates, attendees, hazards identified, and traceable entries in the master risk register sourced from contractor coordination sessions.
Q: Does ISO 45001 require contractor workers to participate in hazard identification? A: Yes. Clause 5.4 requires participation of workers performing work under the organisation’s control, which includes contracted workers on-site.
Q: Will the ISO 45001 revision make contractor scope gaps worse? A: The confirmed revision targeting 2027 names supply chain responsibility as a focus area, which is expected to expand contractor-related requirements beyond current scope.
About AEC International
AEC International provides ISO certification, training, and consultancy services at the intersection of occupational health and safety, risk management, and operational compliance. We support organisations across industries in achieving and maintaining ISO certification β from gap analysis and implementation through audit preparation and continual improvement.
Learn more: www.aec.llc