Skip to main content
ISO logo

ISO Standard 45001 vs the National Audit Tool

ISO logo

ISO Standard 45001 vs the National Audit Tool

Self Insurance, ISO45001

ISO Standard 45001 vs the National Audit Tool

Self-insurers are about to experience a significant update in health and safety management obligations. 

Changes are afoot across self-insurance schemes in Victoria and the ACT as the National Audit Tool is replaced by ISO Standard 45001. With other schemes likely to eventually follow suit, what does the change to ISO45001 mean for self-insurers and how they manage health and safety? 

The introduction of ISO45001 was a major evolution for those using the now superseded AS/NZS 4801 as the basis for its health and safety management system.  For self-insurers, the changes between ISO45001 and the current version of the National Audit Tool is less evolutionary, but there are still significant changes that self-insurers will need to fully appreciate as they transition between the two standards. 

Some changes will be welcomed by self-insurers, including the reduction in mandatory system documentation and the ability to choose how to control some hazards, rather than mandatory controls directed by the National Audit Tool. Nevertheless, some of the changes will require self-insurers to revise their management systems to ensure they meet the requirements when the transition periods begin. Some of the key changes worthy of consideration are below.

Organisational Context

Organisations choosing to meet the requirements of ISO45001 must assess the context that their organisation operates in so the overall system can be designed to work well within it. Factors to consider include:

  • Internal and external issues that may impact the management system.
  • Whether workers have specific needs of the management system.
  • Whether there are specific needs from other interested parties, beyond workers, that the system will need to accommodate.
  • What parts of the organisation will the management system apply to (the scope of the system).


The National Audit Tool required pretty much everything to be documented, including policies, management system procedures and operational procedures like safe work practices. In contrast, ISO45001 provides far greater flexibility for organisations to document system components they see fit to. While ISO45001 does define various elements that must be documented (such as the OHS Policy, risk management methodology etc) it also allows an organisation to determine what documentation is necessary for the effectiveness of management system.  

General vs Prescriptive Criteria

While the number of audit criteria in ISO45001 (40 criteria) is greater than the superseded AS/NZS4801 (25 criteria), it is substantially lower than the National Audit Tool that has nearly 110 criteria that self-insurers must meet. While the reduction is partly due to consolidating multiple narrow criteria into single, but broader, ones, the introduction of ISO45001 also reduces the prescriptive way that the National Audit Tool mandated operational risk controls such as access controls, hazardous chemicals and plant and equipment amongst others. 

This doesn’t mean that self-insurers no longer have to manage these same hazards if they present an unacceptable risk, but organisations can now define how they want to manage them within the constraints of legal requirements and effective risk management. 


Regardless of which management system standard is being used, demonstrating consultation in accordance with legislative and system requirements has always been a challenge for large organisations with centralised support functions assisting decentralised operations. 

ISO45001 introduces a range of additional consultation requirements that extend beyond those prescribed by general legislative requirements or the National Audit Tool. Where previously consultation was mandated by the NAT during Policy development, assessment of training needs, risk assessments and incident investigations, ISO45001 also requires organisations to consult during the assessment of needs and expectations, developing roles and responsibilities, determining how to achieve legal requirements, developing of objectives and plans, procurement decisions, inspection and audit programs and how to continually improve.  Self-insurers will also see need to seek agreement from workers about how consultation across all of these elements occurs.

This has the potential to make the transition to ISO45001 quite challenging to organisations that already struggle to demonstrate effective consultation. 

Legal Compliance 

While efforts to identify and keep up to date with legal requirements will be familiar to self-insurers, ISO45001 also introduces obligations to evaluate compliance to these requirements. Organisations should consider whether their existing assurance activities are effectively evaluating compliance to legal obligations and adjust accordingly. 


While management systems have traditionally been designed to create consistencies in operational processes, ISO45001 recognises that the success of the management system is linked to the ability of senior management to develop, lead and promote a culture within the organisation that supports what the management system is designed to achieve. As a result, those in senior leadership positions will now have to demonstrate how they do so.

Continuous Improvement

While the National Audit Tool adopted a continual improvement framework of Plan, Do, Check, Act, in practice criteria were relatively silent, with only minor continual improvement obligations to consider. ISO45001 engages more directly and forcefully through specific criteria around risks and opportunities and continuous improvement. 

Where organisations could previously aim for only iterative changes or improvements, ISO45001 introduces obligations to demonstrate continuous improvement through strategic evaluation of risks and opportunities.  

What next?

If you’re a self-insurer in Victoria or the ACT its going to be necessary to review your existing health and safety management system to ensure it can support the additional obligations outlined in ISO45001, including the above and various other potential impacts. If you need additional expertise or just additional resources to review your management system, contact Verus today. Verus has a range of self-insurance and ISO45001 specialists that can advise and support your organisation as your transition to ISO45001.