The organization’s OH&S management system shall include:
a) documented information required by this document;
b) documented information determined by the organization as being necessary for the effectiveness of the OH&S management system.
NOTE The extent of documented information for an OH&S management system can differ from one organization to another due to:
— the size of organization and its type of activities, processes, products and services;
— the need to demonstrate fulfilment of legal requirements and other requirements;
— the complexity of processes and their interactions;
— the competence of workers.
7.5.2 Creating and updating
When creating and updating documented information, the organization shall ensure appropriate:
a) identification and description (e.g. a title, date, author or reference number);
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
c) review and approval for suitability and adequacy.
7.5.3 Control of documented information
Documented information required by the OH&S management system and by this document shall be controlled to ensure:
a) it is available and suitable for use, where and when it is needed;
b) it is adequately protected (e.g. from loss of confidentiality, improper use or loss of integrity).
For the control of documented information, the organization shall address the following activities, as applicable:
— distribution, access, retrieval and use;
— storage and preservation, including preservation of legibility;
— control of changes (e.g. version control);
— retention and disposition.
Documented information of external origin determined by the organization to be necessary for the planning and operation of the OH&S management system shall be identified, as appropriate, and controlled.
NOTE 1 Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.
NOTE 2 Access to relevant documented information includes access by workers, and, where they exist, workers’ representatives.
Annex A (Guidance on the use of ISO 45001:2018 standard) of the ISO 45001:2018 standard further explains:
It is important to keep the complexity of the documented information at the minimum level possible to ensure effectiveness, efficiency and simplicity at the same time. This should include documented information regarding planning to address legal requirements and other requirements and on evaluations of the effectiveness of these actions. The actions described in 7.5.3 are particularly aimed at preventing unintended use of obsolete documented information. Examples of confidential information include personal and medical information.
1) The organization’s OH&S management system shall include documented information required by this document
As per ISO 45001:2018, an organization’s Occupational Health and Safety (OH&S) Management System must include documented information to demonstrate compliance with the standard’s requirements. Documented information serves as evidence that the organization has established and effectively implemented its OH&S management system. Here are the key types of documented information required by ISO 45001:
Mandatory Documented Information:
- OH&S Policy (Clause 5.2): Clause 5.2 of ISO 45001 requires the organization to establish, document, and maintain an Occupational Health and Safety (OH&S) policy. The policy should include the organization’s commitment to OH&S, compliance with legal requirements, and a framework for setting OH&S objectives.
- OH&S Objectives and Targets (Clause 6.2): Clause 6.2 requires documented information specifying OH&S objectives and targets that are measurable, relevant, and consistent with the OH&S policy.
- Scope of the OH&S Management System (Clause 4.3): Clause 4.3 specifies that the organization shall determine the boundaries and applicability of its OH&S management system. This determination should be documented to define the scope of the system.
- Roles, Responsibilities, and Authorities (Clause 5.3): Clause 5.3 requires documented information that specifies the roles, responsibilities, and authorities related to OH&S within the organization to ensure clarity and accountability.
- Communication Procedures (Clause 7.4): Clause 7.4 requires the organization to document procedures for internal and external communication related to OH&S. These procedures should outline how OH&S information is to be communicated and by whom.
- Operational Planning and Control Procedures (Clause 8.1): Clause 8.1 requires documented information that defines the criteria for determining the need for operational controls and the method for their application.
- Emergency Preparedness and Response Procedures (Clause 8.2): Clause 8.2 requires documented information that outlines procedures for emergency preparedness and response, including emergency plans, evacuation procedures, and communication protocols.
- Risk Assessments and Hazard Identification Records (Clause 6.1.2): Clause 6.1.2 requires records of risk assessments and hazard identification activities, including information on identified hazards, their associated risks, and risk mitigation measures.
- Incident and Nonconformity Records (Clause 10.2): Clause 10.2 requires records of OH&S incidents, near-misses, accidents, and nonconformities, including their investigation, actions taken, and follow-up.
- Records of OH&S Performance Evaluation (Clause 9.1): Clause 9.1 requires records of OH&S performance evaluations, including monitoring and measurement results, audits, and management reviews.
- Training and Competence Records (Clause 7.2): Clause 7.2 requires records of OH&S training and competence assessments, including details of training programs, attendance, content, duration, and outcomes.
- Records of Consultation and Participation (Clause 5.4): Clause 5.4 requires records of worker consultation, participation, and feedback related to OH&S, including minutes of safety meetings and feedback on OH&S matters.
- External Communication Records (Clause 7.4): Clause 7.4 requires records of external communication related to OH&S, such as communication with regulatory authorities or external stakeholders.
- Records of Changes in the OH&S Management System (Clause 4.4): Clause 4.4 requires records of any changes made to the OH&S management system, including the reasons for changes, actions taken, and their potential consequences.
These documents and records are essential for demonstrating conformity with ISO 45001:2018 requirements and for effective implementation, maintenance, and continual improvement of an OH&S management system. Proper documentation and record-keeping help ensure transparency, accountability, and the ability to track and monitor OH&S performance.
2) The organization’s OH&S management system shall include documented information determined by the organization as being necessary for the effectiveness of the OH&S management system
ISO 45001:2018 acknowledges that an organization’s Occupational Health and Safety (OH&S) Management System should include documented information that the organization determines as necessary for the effectiveness of the system. This means that while the standard provides certain requirements for documented information, the organization has the flexibility to identify additional documents and records that are essential for the successful implementation, maintenance, and continual improvement of its OH&S management system. Here’s how the organization can determine the necessary documented information:
- Context Analysis: Consider the organization’s internal and external context, including its size, activities, complexity, and OH&S risks and opportunities. Identify the specific documentation needed to address these factors.
- Compliance Requirements: Review applicable legal and regulatory requirements related to OH&S. Determine the documents and records necessary to demonstrate compliance with these obligations.
- OH&S Objectives and Risks: Assess the organization’s OH&S objectives, targets, and associated risks. Identify the documented information required to plan, monitor, and achieve these objectives while managing risks effectively.
- Process Documentation: Analyze the organization’s OH&S processes, including hazard identification, risk assessment, incident management, and performance monitoring. Document these processes as needed to ensure consistency and effectiveness.
- Communication and Training: Evaluate the communication needs within the organization, both internally and externally. Determine the documentation required to support effective communication and training related to OH&S.
- Emergency Preparedness: Consider the organization’s emergency preparedness and response procedures. Ensure that the necessary documentation is in place to manage OH&S emergencies effectively.
- Monitoring and Measurement: Identify the documented information required for monitoring, measurement, and evaluation of OH&S performance, including data collection methods, indicators, and criteria.
- Management Reviews: Ensure that records and reports are available to support management reviews of the OH&S management system’s performance and the identification of opportunities for improvement.
- Change Control: Establish procedures for managing changes in the OH&S management system. Document the processes involved, including the assessment of potential impacts and necessary approvals.
- Continuous Improvement: Document processes related to continual improvement, such as corrective and preventive actions. Ensure that records are kept to track improvements made.
- Worker Participation and Consultation: Document mechanisms for worker participation, consultation, and feedback on OH&S matters. Keep records of worker input and actions taken in response.
- External Communication: Determine the documented information needed for external communication related to OH&S, such as reporting to regulatory authorities or stakeholders.
- Audit and Evaluation: Document the processes for conducting internal and external OH&S audits and evaluations. Keep records of audit findings and corrective actions.
- Customized Procedures: Develop specific OH&S procedures and work instructions tailored to the organization’s unique processes and activities.
- Risk-Based Approach: Apply a risk-based approach to determine the level of documentation required for different OH&S aspects and processes. Focus on high-risk areas.
By taking these steps, the organization can identify and document the necessary information to ensure the effectiveness of its OH&S management system while tailoring it to its unique circumstances and needs. This approach allows for flexibility and customization while complying with the fundamental principles of ISO 45001:2018.
3) The extent of documented information for an OH&S management system can differ from one organization to another due to the size of organization and its type of activities, processes, products and services; the need to demonstrate fulfillment of legal requirements and other requirements; the complexity of processes and their interactions; the competence of workers.
The extent of documented information for an Occupational Health and Safety (OH&S) Management System can vary significantly from one organization to another based on several factors. ISO 45001:2018 recognizes this flexibility and allows organizations to tailor their documentation to suit their specific needs and circumstances. The factors that influence the extent of documented information include:
- Size and Type of Organization: The size and complexity of an organization can influence the volume and complexity of documented information. Smaller organizations may have simpler systems with fewer documents, while larger organizations may require more extensive documentation.
- Activities, Processes, Products, and Services: The nature of an organization’s activities, processes, products, and services can impact the amount and type of documented information needed. Organizations with diverse or high-risk activities may require more comprehensive documentation.
- Legal and Other Requirements: Organizations must consider the legal and regulatory requirements applicable to their industry and location. Compliance with these requirements often necessitates specific documented information, such as permits, licenses, or regulatory reports.
- Complexity of Processes and Interactions: Complex processes and a high degree of interaction between processes can require more detailed documentation to ensure effective control and management of OH&S risks.
- Competence of Workers: The competence of workers and their familiarity with OH&S practices can influence the level of detail needed in documented procedures and instructions. Highly skilled and experienced workers may require less detailed documentation.
- OH&S Risks and Hazards: The nature and severity of OH&S risks and hazards faced by the organization can impact the need for documented information. High-risk environments may necessitate more comprehensive documentation to ensure safety.
- Organizational Culture: An organization’s culture and values regarding safety and risk management can influence the extent of documented information. A safety-conscious culture may result in more detailed safety procedures and records.
- Regulatory Expectations: Some regulatory authorities may have specific expectations regarding documented information in certain industries or sectors. Organizations must align their documentation with these expectations.
- Continuous Improvement Approach: Organizations that prioritize a culture of continuous improvement may document processes and procedures with an emphasis on flexibility and adaptability, allowing for ongoing optimization.
- Stakeholder Expectations: Stakeholders, including customers, suppliers, and industry associations, may have specific expectations regarding documented information. Meeting these expectations may require additional documentation.
It’s important for organizations to conduct a thorough assessment of their needs, risks, and objectives when determining the extent of documented information required for their OH&S management system. The goal is to strike a balance between ensuring compliance, managing risks, and maintaining efficiency while considering the organization’s unique context and requirements. The documentation should support effective OH&S management without unnecessary bureaucracy.
4) When creating and updating documented information, the organization shall ensure appropriate identification and description (e.g. a title, date, author or reference number).
When creating and updating documented information within the Occupational Health and Safety (OH&S) Management System, organizations should ensure appropriate identification and description. This includes adding essential details to documents and records to facilitate proper management, traceability, and understanding. Here are some key elements that organizations should consider including in their documented information:
- Title: A clear and concise title that accurately reflects the content and purpose of the document or record.
- Date: The date when the document was created, revised, or reviewed. This helps ensure that users are working with the most current information.
- Author: The name or identification of the person or department responsible for creating or updating the document. This can be helpful for questions or clarifications.
- Reference Number: A unique reference number or identifier for the document or record. Reference numbers can aid in document control, version management, and retrieval.
- Version Number/Revision: If applicable, indicate the document’s version number or revision level. This helps users identify the latest version and track changes.
- Page Numbers: For multi-page documents, page numbers should be included to maintain the document’s integrity and order.
- Document Control Information: Information related to document control, such as approval signatures, review dates, and the distribution list, should be included as needed.
- Purpose/Scope: A brief description of the document’s purpose and scope, outlining what the document covers and its intended use.
- Content Summary: An overview or summary of the document’s content can help users quickly understand its key points and relevance.
- Applicable Legislation or Standards: If the document relates to legal or regulatory compliance or industry standards, reference the relevant laws, regulations, or standards.
- Key Responsibilities: In procedures or work instructions, identify key responsibilities and roles related to the tasks outlined in the document.
- Attachments or Appendices: If the document includes additional information, attachments, or appendices, clearly indicate and reference these.
- Effective Date: For policies or procedures with specific effective dates, ensure that this date is prominently displayed.
- Review/Revision History: Maintain a history of changes, including who made the changes, the reason for the changes, and the dates of revisions.
- Electronic Document Metadata: In electronic document management systems, metadata such as file properties (author, date created, date modified) can be valuable for tracking and managing documents.
Properly identifying and describing documented information enhances document control, retrieval, and understanding. It helps ensure that users have access to accurate and up-to-date information, which is essential for effective OH&S management and compliance with ISO 45001:2018 requirements.
5) When creating and updating documented information, the organization shall ensure appropriate format (e.g. language, software version, graphics) and media (e.g. paper, electronic)
ISO 45001:2018 requires organizations to ensure the appropriate format and media when creating and updating documented information within their Occupational Health and Safety (OH&S) Management System. Here are key considerations for ensuring the right format, language, software version, graphics, and media:
- Language: Ensure that the documented information is available in the language(s) understood by the users who need to access and use it. In a multicultural or multinational organization, this may involve providing documents in multiple languages.
- Software Version: If electronic documents are used, specify the software version or platform required to access and view them. Compatibility with commonly used software is essential to ensure accessibility.
- Graphics and Visual Elements: Use clear and easily understandable graphics, charts, diagrams, and images to enhance understanding, especially when conveying complex information or instructions.
- Accessibility: Ensure that documented information is accessible to all relevant users, including those with disabilities. This may involve providing documents in accessible formats or using assistive technologies.
- Consistency: Maintain a consistent format and style across related documents to facilitate navigation and understanding. Consistency in terminology, font, and layout can improve user experience.
- Media: Consider the appropriate media for storing and distributing documented information. This can include paper-based formats, electronic formats (PDF, Word, etc.), intranet or cloud-based platforms, and mobile applications.
- Version Control: Implement a version control system to ensure that users access the most current and relevant information. Clearly mark the document’s version and revision details.
- Backups and Data Security: If using electronic formats, regularly back up documented information to prevent data loss. Implement security measures to protect sensitive information.
- Training and Familiarity: Ensure that users are trained in using the chosen format and media effectively. Familiarity with the tools and technologies used to access and manipulate documented information is crucial.
- Accessibility on Mobile Devices: Given the prevalence of mobile devices, consider optimizing electronic documents and systems for mobile access, making it easier for employees to access information while on the go.
- Retention and Archiving: Define and implement retention and archiving procedures for both electronic and paper-based documented information to meet legal and organizational requirements.
- Usability Testing: Conduct usability testing to ensure that the chosen format and media align with user needs and preferences. Collect feedback and make necessary adjustments.
- Feedback Mechanism: Establish a feedback mechanism for users to report issues with the format, language, or accessibility of documented information. Address user concerns promptly.
- Continuous Improvement: Continuously assess and improve the format and media of documented information based on user feedback and evolving technology.
By considering these factors, organizations can ensure that their OH&S documented information is not only compliant with ISO 45001:2018 requirements but is also user-friendly, accessible, and effective in conveying critical OH&S information and instructions to employees and stakeholders.
6) When creating and updating documented information, the organization shall ensure appropriate review and approval for suitability and adequacy
ISO 45001:2018 requires organizations to ensure the review and approval of their documented information, especially in the context of their Occupational Health and Safety (OH&S) Management System. This review and approval process is critical to verify the suitability and adequacy of documented information to meet the organization’s OH&S objectives and compliance requirements. Here’s how organizations typically carry out this process:
- Documented Information Preparation: Before the review and approval process begins, individuals responsible for creating or updating documented information should ensure that it is accurate, complete, and aligned with the organization’s OH&S policies and objectives.
- Identification of Appropriate Personnel: Determine the relevant individuals or roles responsible for reviewing and approving the documented information. This may include subject matter experts, department managers, supervisors, and senior management.
- Review for Suitability: During the review process, the identified personnel should assess whether the documented information meets its intended purpose. They should evaluate whether it effectively communicates OH&S requirements, controls, and processes.
- Review for Adequacy: The review should also consider whether the documented information is sufficient to meet legal and regulatory requirements, industry standards, and the organization’s own OH&S policies and objectives.
- Compliance Check: Ensure that the documented information aligns with relevant legal and regulatory requirements. This may involve consulting legal counsel or compliance experts when necessary.
- Review for Clarity and Understanding: Assess the clarity and comprehensibility of the documented information. It should be easily understood by its intended audience, including workers, supervisors, and other stakeholders.
- Approval Process: Once the review is complete, the identified personnel should formally approve the documented information. This approval signifies that the document has been assessed and deemed suitable and adequate for its intended purpose.
- Record Keeping: Maintain records of the review and approval process, including the names of reviewers, approval dates, and any comments or suggested revisions. These records serve as evidence of compliance.
- Distribution and Communication: After approval, distribute and communicate the documented information to the relevant parties within the organization. Ensure that it is accessible to those who need it to perform their roles effectively.
- Regular Review and Update: Implement a process for periodic review and update of documented information to ensure its continued suitability and adequacy. OH&S requirements, regulations, and organizational needs may change over time.
- Feedback Mechanism: Establish a mechanism for users and stakeholders to provide feedback on the usability and effectiveness of documented information. Use this feedback to drive improvements.
- Continuous Improvement: Continuously assess and enhance the review and approval process itself to ensure that it remains efficient and effective in maintaining the quality of documented information.
By adhering to a robust review and approval process, organizations can ensure that their OH&S documented information remains accurate, up to date, and aligned with their OH&S management system’s objectives, while also meeting legal and regulatory requirements. This process helps promote safety and compliance within the organization.
7) Documented information required by the OH&S management system and by this document shall be controlled
Controlling the documented information required by the Occupational Health and Safety (OH&S) Management System is crucial to ensure its accuracy, availability, and integrity. Here are steps and measures organizations can take to effectively control their OH&S documented information:
- Document Control Procedure: Develop and implement a documented procedure for document control. This procedure should outline the steps to be followed for the creation, approval, distribution, access, storage, retrieval, and disposal of documented information.
- Identification and Classification: Clearly identify and classify different types of documented information within the OH&S management system. This may include policies, procedures, work instructions, records, and forms.
- Unique Document Identification: Assign a unique identifier (e.g., document number or code) to each document. This identifier helps track and manage documents throughout their lifecycle.
- Document Review and Approval: Define a process for reviewing and approving documents before they are released or updated. Ensure that authorized personnel review and approve documents for suitability and adequacy.
- Revision Control: Implement a version control system to manage revisions of documents. Ensure that changes are tracked, documented, and communicated to relevant personnel.
- Access Control: Restrict access to documented information based on roles and responsibilities. Define who can view, edit, and approve documents. Ensure that access controls are regularly reviewed and updated.
- Distribution: Establish procedures for distributing documents to the appropriate personnel. Ensure that employees have access to the most current versions of documents.
- Document Retention: Determine retention periods for different types of documents in compliance with legal requirements and organizational needs. Develop a document retention schedule.
- Secure Storage: Safeguard physical documents in secure storage areas to prevent damage, loss, or unauthorized access. For electronic documents, use secure servers or document management systems.
- Backup and Recovery: Regularly back up electronic documents to prevent data loss. Implement disaster recovery measures to ensure document availability in case of system failures.
- Training and Awareness: Train employees on document control procedures and the importance of following them. Foster awareness of the organization’s commitment to document control.
- Audit and Monitoring: Conduct periodic audits and reviews of document control processes to identify and address non-conformities or areas for improvement.
- Documented Information Security: Protect documented information from unauthorized access, tampering, or destruction. Use encryption, access controls, and security policies to safeguard electronic documents.
- Change Management: Implement a change management process to assess and document the impact of changes to documents, ensuring that changes are properly reviewed and approved.
- Documented Information Retrieval: Ensure that documented information is easily retrievable when needed. Use clear naming conventions, file structures, and metadata for electronic documents.
- Disposal and Destruction: Establish procedures for the secure disposal or destruction of obsolete documents to prevent their inadvertent use.
- Continuous Improvement: Continuously monitor and improve the document control process based on feedback, audits, and changing organizational needs.
By implementing these measures, organizations can establish effective control over their OH&S documented information, which is essential for ensuring compliance, promoting safety, and facilitating the smooth operation of the OH&S management system.
8) The organization should ensure that Documented Information is available and suitable for use, where and when it is needed
Ensuring that documented information is available and suitable for use when and where it is needed is essential for the effective functioning of an Occupational Health and Safety (OH&S) Management System. Here are some key steps organizations can take to achieve this:
- Store documented information in a centralized location, whether in physical or electronic form, to ensure easy access by relevant personnel. Use well-organized document repositories or document management systems.
- Implement access controls to ensure that only authorized personnel can access specific documents. Define and manage user roles and permissions accordingly.
- If the organization operates in multiple locations, ensure that relevant OH&S documented information is accessible at each location where it is needed. This may involve local copies or secure remote access.
- Consider the mobility of workers and provide options for accessing critical OH&S information on mobile devices, such as smartphones or tablets, to support field operations and emergencies.
- Use effective search and retrieval tools to help users quickly locate specific documents. Implement metadata tagging, keywords, and an intuitive search interface.
- Establish clear communication channels to inform employees and relevant stakeholders about the availability of documented information. Ensure they know where to find it and how to access it.
- Train employees on how to access and use documented information effectively. This includes training on document management systems and navigation.
- Keep documented information up to date to ensure that users are always working with the most current and relevant information. Implement revision and version control processes.
- Distribute documented information to the appropriate personnel, departments, and teams based on their roles and responsibilities within the OH&S management system.
- Implement notification systems or alerts to inform relevant individuals when critical documents are updated or when new documents are published.
- Ensure that OH&S documents, particularly those related to emergency response, are readily available during emergency situations. Establish redundancy for critical documents.
- Plan for remote access to documented information in case of unexpected events or disruptions, such as natural disasters or system failures.
- Encourage users to provide feedback on the usability and accessibility of documented information. Use this feedback to make improvements.
- Conduct regular audits or reviews of the accessibility and suitability of documented information. Address any issues or barriers identified during these assessments.
- Ensure that accessibility and availability of documented information meet any legal or regulatory requirements specific to your industry or region.
By following these practices, organizations can ensure that OH&S documented information is not only compliant with ISO 45001:2018 requirements but is also readily available and suitable for use by those who need it, contributing to improved safety and OH&S performance.
8) The organization should ensure that Documented Information is adequately protected (e.g. from loss of confidentiality, improper use or loss of integrity).
Protecting the confidentiality, integrity, and proper use of documented information is crucial for the security and effectiveness of an Occupational Health and Safety (OH&S) Management System. Organizations should implement robust information security measures to safeguard their OH&S documented information. Here are key steps to ensure the protection of documented information:
- Implement access controls to restrict access to documented information. Assign access rights based on roles and responsibilities, ensuring that only authorized personnel can view or modify specific documents.
- Require strong user authentication methods, such as usernames and passwords or multi-factor authentication, to verify the identity of individuals accessing electronic documents.
- Use encryption to protect electronic documents, especially when transmitted over networks or stored on portable devices. Encryption helps prevent unauthorized access or data breaches.
- Classify documents based on sensitivity and the level of protection they require. Apply appropriate security measures based on the document’s classification.
- Clearly mark and label sensitive documents to indicate their confidentiality and handling requirements. Use standardized markings, if applicable.
- Store physical documents in secure, locked cabinets or rooms to prevent unauthorized access. For electronic documents, use secure servers and data centers with access controls.
- Regularly back up electronic documents and ensure that backup copies are stored securely. Implement data recovery procedures in case of data loss or system failures.
- When sharing OH&S documented information with external parties, ensure that appropriate confidentiality agreements and security measures are in place to protect the information.
- Implement monitoring and logging mechanisms to track access and changes to documented information. Regularly review logs for unusual or unauthorized activities.
- Train employees and users on information security best practices and their roles in protecting OH&S documented information. Foster a culture of security awareness.
- Develop an incident response plan that outlines procedures for handling security incidents or breaches related to documented information. This includes reporting, investigation, and mitigation steps.
- Ensure physical security measures are in place to protect documents stored in paper form. This includes secure storage areas and controlled access.
- Implement secure remote access protocols and VPNs to protect OH&S information when accessed from remote locations or through mobile devices.
- Assess the security practices of third-party vendors and service providers who handle OH&S information to ensure they meet security standards.
- Conduct regular security audits and assessments of your information security measures to identify vulnerabilities and weaknesses. Take corrective actions as needed.
- Ensure that information security practices align with legal and regulatory requirements specific to your industry or region.
By diligently implementing these security measures and practices, organizations can help protect the confidentiality, integrity, and proper use of their OH&S documented information, reducing the risk of data breaches, unauthorized access, and data loss.
9) For the control of documented information, the organization shall address distribution, access, retrieval and use.
Controlling the distribution, access, retrieval, and use of documented information is a critical aspect of managing an effective Occupational Health and Safety (OH&S) Management System. Here are steps and considerations for organizations to control these aspects:
- Classify documented information based on its sensitivity and importance to OH&S. Use categories such as “confidential,” “internal use only,” or “public” to guide distribution decisions.
- Maintain distribution lists that specify who should have access to particular types of documented information. Regularly review and update these lists as needed.
- Define approved distribution channels and methods for sending and sharing documented information. Ensure that these methods align with security requirements.
- When electronically distributing sensitive information, use secure methods such as encrypted email or a secure file transfer protocol (e.g., SFTP) to protect the data during transmission.
- Establish a mechanism for confirming that recipients have received and acknowledged important OH&S information.
- Assign access rights to documented information based on individuals’ roles and responsibilities within the organization. Ensure that access is on a need-to-know basis.
- Implement strong user authentication methods to verify the identity of individuals accessing electronic documents. This may include usernames, passwords, or multi-factor authentication.
- Define and enforce access permissions that specify what actions users can perform with the documented information (e.g., view-only, edit, download).
- Maintain access logs that record who accessed specific documents, when, and for what purpose. Regularly review these logs for unusual or unauthorized access.
- Use efficient search and retrieval tools to facilitate quick and accurate access to documented information. Implement metadata tagging, keywords, and intuitive search interfaces.
- Create and maintain indexes or catalogs of documented information to improve the efficiency of retrieval.
- Train employees and users on the proper use of documented information, including compliance with security and confidentiality policies.
- Establish and communicate clear policies and guidelines for the use of OH&S documented information. Ensure that employees understand the consequences of non-compliance.
- Ensure that users access and use the most current versions of documents by enforcing version control practices.
- When documents are printed or saved locally, ensure that they are stored securely and not left in open or accessible areas.
- Assign document ownership responsibilities to specific individuals or departments to oversee proper use and updates.
- Conduct regular audits and reviews to assess the effectiveness of distribution, access, retrieval, and use controls. Make improvements as needed.
- Develop an incident response plan that outlines procedures for addressing any unauthorized access or misuse of documented information.
By implementing these controls, organizations can maintain the confidentiality, integrity, and appropriate use of their OH&S documented information, while also ensuring that it is readily accessible to authorized personnel when needed for safe and compliant operations.
10) For the control of documented information, the organization shall address storage and preservation, including preservation of legibility.
Controlling the storage and preservation of documented information, including the preservation of legibility, is crucial to maintain the integrity and accessibility of information within an Occupational Health and Safety (OH&S) Management System. Here are steps and considerations for organizations to effectively control the storage and preservation of documented information:
- Determine suitable storage locations for both physical (paper-based) and electronic documents. These locations should protect documents from environmental factors such as moisture, heat, and physical damage.
- Store physical documents in secure, climate-controlled environments. Use labeled, organized storage systems, such as filing cabinets or shelves, to facilitate easy retrieval.
- Implement electronic document management systems (DMS) or digital repositories that ensure secure and organized storage of electronic documents. Use redundant storage solutions for data resilience.
- Apply access controls to restrict physical and electronic document access to authorized personnel only.
- Regularly back up electronic documents to prevent data loss in the event of system failures or data corruption.
Preservation of Legibility:
- Protect documents from physical damage, wear, and tear that could affect their legibility. Use appropriate document sleeves, covers, or protective measures.
- Conduct regular inspections of physical documents to identify any deterioration or damage. Address issues promptly to prevent further degradation.
- Consider digitizing paper documents to ensure their long-term preservation and legibility. Use high-quality scanning equipment and file formats that maintain document quality.
- Choose electronic document formats that are widely supported and unlikely to become obsolete over time. Avoid proprietary or uncommon formats.
- Preserve metadata (document creation date, author, revision history, etc.) along with the document to maintain context and authenticity.
- Develop and adhere to a document retention policy that specifies the retention periods for different types of documents. Ensure compliance with legal requirements.
- Establish procedures for the secure and authorized destruction of documents that have reached the end of their retention period. This includes both physical and electronic documents.
- Implement access controls to prevent unauthorized alterations, deletions, or tampering with documents.
- Ensure that electronic documents are protected from data breaches and cyber threats through robust security measures, including encryption and access restrictions.
Training and Awareness:
- Train employees on the importance of document preservation, including legibility, and their roles in ensuring proper storage and protection.
- Assign responsibility for the preservation of legibility and overall document storage to a specific individual or department.
- Conduct regular audits of document storage and preservation practices to identify any shortcomings and opportunities for improvement.
By implementing these controls and preservation measures, organizations can ensure that their OH&S documented information remains legible, secure, and accessible over time. This contributes to the effectiveness of the OH&S Management System and helps meet compliance requirements.
11) For the control of documented information, the organization shall address control of changes (e.g. version control).
Control of changes, including version control, is essential for managing the lifecycle of documented information within an Occupational Health and Safety (OH&S) Management System. This control ensures that documents remain accurate, up to date, and aligned with organizational requirements. Here’s how organizations can effectively control changes and versions of documented information:
- Develop a documented change control procedure that outlines the steps to be followed when changes to documented information are proposed, reviewed, approved, and implemented.
- Assign a unique version identifier or code to each document. This identifier should clearly indicate the document’s version, revision, or date.
- Establish a formal process for submitting change requests. Anyone who identifies the need for a change in documented information should follow this process.
- Define roles and responsibilities for reviewing and approving changes. This may involve subject matter experts, document owners, department heads, or other relevant personnel.
- Assess the potential impact of proposed changes, including their effect on safety, compliance, and other relevant factors. This assessment helps prioritize and make informed decisions.
- Clearly document changes made to the content, including additions, deletions, and revisions. Ensure that the reason for each change is well-documented.
- Implement a version control system that tracks the history of document changes. This system should indicate the current version and show the progression of changes.
- Maintain metadata or information about each document’s changes, including who made the changes, when they were made, and the reason for the changes.
- Keep records of the review and approval process, including the names of reviewers and approvers, dates of review, and any comments or feedback provided.
- Distribute updated versions of documents to the relevant personnel. Ensure that obsolete versions are removed or clearly marked as such.
- Train employees and users on how to identify, access, and use the most current versions of documented information. Foster awareness of the importance of version control.
- Implement retrieval mechanisms that allow users to access previous versions of documents when necessary for reference or historical purposes.
- Notify relevant personnel when changes are made to critical documents, especially those related to OH&S policies, procedures, or controls.
- Continuously assess and improve the change control process based on feedback, audits, and evolving organizational needs.
By following these practices, organizations can maintain effective control over changes and versions of documented information in their OH&S Management System. This ensures that information remains accurate, up to date, and compliant with OH&S requirements, contributing to a safer and more efficient workplace.
12) For the control of documented information, the organization shall address control of retention and disposition.
Controlling the retention and disposition of documented information is essential for maintaining the integrity of an Occupational Health and Safety (OH&S) Management System, ensuring compliance with legal requirements, and efficiently managing organizational records. Here are steps and considerations for organizations to effectively control the retention and disposition of documented information:
- Develop a clear and comprehensive document retention policy that specifies the retention periods for various types of documented information, taking into account legal, regulatory, and operational requirements.
- Classify documented information based on its sensitivity, importance, and legal requirements. This classification helps determine appropriate retention periods and disposal methods.
- Assign responsibility for managing the retention and disposition of documented information to authorized personnel or departments within the organization.
- Maintain a centralized record or database that lists each document type and its associated retention period. Ensure that this record is readily accessible for reference.
- Conduct periodic reviews of documented information to identify documents that have reached their retention end date and are eligible for disposition.
- Ensure that the organization’s document retention practices comply with applicable legal and regulatory requirements related to OH&S and other areas.
- During the retention period, securely store physical documents and electronic records in accordance with their classification. This includes maintaining proper access controls and protection against damage or loss.
- Develop documented procedures for the authorized disposition of documents. This should include guidelines for secure disposal, deletion, shredding, or archiving, depending on the document type.
- Maintain records of document disposition actions, including what was disposed of, when, and by whom. This documentation helps demonstrate compliance with retention policies.
- Implement secure and environmentally responsible disposal methods for physical documents, such as shredding or recycling, to protect sensitive information.
- Ensure the secure deletion and disposal of electronic documents, including the removal of all copies, backups, and references to the document.
- When disposing of electronic documents, consider the impact on data backups and archival systems. Ensure that documents are removed from all relevant systems.
- Identify and preserve key records that may be needed for legal or historical purposes, even if they have reached their retention end date. Ensure they are appropriately archived.
- Train employees and relevant personnel on the organization’s document retention and disposition policies and procedures. Foster awareness of the importance of compliance.
- Conduct regular audits and monitoring of the document retention and disposition process to identify and address non-compliance or inefficiencies.
- Continuously assess and improve the document retention and disposition process based on feedback, audits, and evolving organizational needs.
Effective control over the retention and disposition of documented information helps organizations manage their information assets efficiently, reduce risks associated with data breaches or legal non-compliance, and maintain compliance with OH&S and other regulatory requirements.
12) Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.
“Access” in the context of documented information can encompass various levels of permission and authority. It can imply:
- Some individuals or roles may have permission to view the documented information but not the authority to make changes or edits. They can access the information for reference or understanding but cannot modify it.
- Other individuals or roles may have both permission and authority to view the documented information and make changes or edits to it. This level of access is typically granted to those responsible for updating or maintaining the information.
- In some cases, access may be further restricted based on the specific content of the documented information. For example, sensitive or confidential documents may have limited access, even within a group of authorized users.
- Access permissions and authorities can be based on roles and responsibilities within the organization. Different roles may have different levels of access, depending on their need for the information.
- Access control systems can be designed to grant different levels of access to different parts or sections of a document. For instance, one user might have view-only access to a document but full edit access to a specific section within it.
- Some documents may be set to “read-only” mode, allowing users to view the content but preventing any changes or edits.
- Document management systems may maintain a history of who accessed the document and when, providing an audit trail for accountability.
- In collaborative environments, document locking mechanisms can be used to prevent simultaneous editing by multiple users. This helps maintain document integrity.
The specific access levels and permissions assigned to individuals or roles should be determined based on the organization’s needs, document content, security requirements, and operational processes. Access control is a critical component of information security and governance, ensuring that documented information is appropriately protected and used in accordance with organizational policies and requirements.
13) Access to relevant documented information includes access by workers, and, where they exist, workers’ representatives.
Access to relevant documented information, including access by workers and, where they exist, workers’ representatives, is a fundamental aspect of effective Occupational Health and Safety (OH&S) Management. It promotes transparency, involvement, and collaboration within the organization. Here’s how access to documented information should be extended to workers and their representatives:
- Worker Access: Ensure that workers, regardless of their roles or levels within the organization, have access to relevant documented information related to OH&S. This information may include OH&S policies, procedures, hazard assessments, emergency response plans, and more.
- Access Training: Provide training and guidance to workers on how to access and use relevant documented information. Ensure that workers are aware of their rights to access this information and understand its importance for their safety.
- Accessibility: Make documented information easily accessible to workers. This includes providing access to digital documents through user-friendly interfaces or physical documents in locations where workers can readily review them.
- Workers’ Representatives: Where workers’ representatives, such as safety committees or unions, exist within the organization, ensure that they also have access to OH&S documented information. These representatives play a vital role in advocating for worker safety.
- Collaborative Involvement: Encourage workers and their representatives to actively participate in OH&S processes and initiatives. Their insights and feedback can contribute to hazard identification, risk assessments, and improvement efforts.
- Consultation and Communication: Establish mechanisms for ongoing consultation and communication with workers and their representatives regarding OH&S matters. This includes seeking their input on safety policies, procedures, and performance.
- Feedback Mechanism: Create a feedback mechanism that allows workers and their representatives to provide comments, suggestions, or concerns related to OH&S documented information. Act on this feedback to drive improvements.
- Confidentiality and Privacy: Ensure that sensitive or confidential information is appropriately protected when shared with workers or their representatives. This may involve anonymizing certain data while still sharing relevant safety insights.
- Training and Capacity Building: Offer training and capacity-building programs to workers and their representatives to enhance their understanding of OH&S principles, regulations, and practices.
- Conflict Resolution: Establish a process for resolving disputes or conflicts that may arise between workers or their representatives and management regarding OH&S matters. Encourage open dialogue and collaboration.
- Legal Compliance: Ensure that providing access to workers and their representatives aligns with legal requirements and regulations in your jurisdiction.
- Record Keeping: Maintain records of communication, consultation, and collaboration with workers and their representatives. These records can serve as evidence of compliance and transparency.
- Continuous Improvement: Continuously seek ways to improve the involvement of workers and their representatives in OH&S processes and information access. Adapt to changing needs and circumstances.
By granting workers and their representatives access to relevant documented information and fostering their active involvement in OH&S initiatives, organizations can enhance their safety culture, identify hazards more effectively, and drive continual improvement in occupational health and safety performance. This collaborative approach is aligned with the principles of ISO 45001 and other OH&S management standards.
Example of a Procedure for the Control of Documented Information
Objective: This procedure ensures the effective control of documented information relevant to the OH&S Management System, in compliance with ISO 45001:2018 requirements.
- Document Owner: The individual or department responsible for creating, updating, and maintaining documented information.
- Document Controller: The designated person responsible for overseeing document control activities.
- Authorized Users: Individuals or roles with approved access to specific documented information.
- Document Creation:
  - The Document Owner identifies the need for new documented information or revisions to existing documents.
  - The Document Owner creates or updates the document according to established templates and formats.
- Document Review and Approval:
  - The Document Owner submits the document for review to relevant stakeholders, including subject matter experts, managers, and other authorized personnel.
  - Reviewers assess the document for accuracy, completeness, and compliance with OH&S requirements.
  - Reviewers provide feedback and recommendations for revisions if necessary.
  - The Document Owner incorporates feedback and revises the document accordingly.
  - The Document Owner submits the final document for approval to the designated approver or authority.
  - The approver reviews the document and, if satisfied, grants approval.
- Version Control:
  - The Document Controller assigns a unique version identifier to the document (e.g., document number, revision date, or version code).
  - The Document Controller updates the document status to indicate its approved status and version.
- Document Distribution:
  - The Document Controller maintains a distribution list for each document, specifying authorized users and their access levels (view-only, edit, etc.).
  - The Document Controller distributes the document to authorized users through secure channels, ensuring confidentiality where necessary.
- Access Control:
  - Authorized users are granted access based on their roles and responsibilities.
  - The Document Controller maintains access controls to prevent unauthorized access or changes to documents.
- Document Retrieval:
  - Authorized users can retrieve documents as needed through designated repositories or systems.
  - The Document Controller ensures that retrieval mechanisms are efficient and user-friendly.
- Document Storage and Preservation:
  - The Document Controller oversees the secure storage and preservation of both physical and electronic documents.
  - Preservation measures are applied to ensure document legibility and integrity throughout their retention period.
- Document Disposition:
  - When documents reach their retention end date, the Document Controller initiates the disposal process in accordance with the organization’s document retention policy.
  - The disposal process may involve secure deletion, shredding of physical documents, or archiving for historical purposes, depending on the document type.
- Document Control Records: The Document Controller maintains records of document creation, review, approval, distribution, access, retrieval, and disposition activities.
- Document Change Control: Changes to documents are managed through the established change control process, including the submission of change requests, review, and approval.
- Training and Awareness: The Document Controller ensures that relevant personnel are trained on document control procedures and their responsibilities.
- Review and Improvement: The Document Controller conducts periodic reviews of the document control process to identify opportunities for improvement and ensures ongoing compliance with ISO 45001 requirements.