If you have started researching ISO 45001 certification, you’ve probably come across timelines that range anywhere from three months to two years. That spread isn’t wrong. It reflects genuine variation depending on your organisation’s size, complexity, and how much of a safety management foundation already exists. But it isn’t particularly useful if you’re trying to plan a realistic implementation for 2026.
This article breaks down what the certification process actually involves, what drives the timeline in each phase, and what Australian businesses should expect based on where they’re starting from.
What Is ISO 45001 and Why Does the Timeline Matter?
ISO 45001:2018 is the international standard for occupational health and safety (OHS) management systems. It replaced AS/NZS 4801 as the recognised OHS management standard in Australia and is now the benchmark for organisations that need to demonstrate formal safety management credentials whether for tender prequalification, enterprise supplier panel approvals, or regulatory positioning.
The timeline matters because many businesses pursue ISO 45001 with a specific deadline in mind: a tender closes in six months, a major client has set a 12-month compliance requirement, or the business is scaling and wants certification in place before taking on higher-risk contracts. Underestimating the time required means either rushing the implementation (which creates a system that passes the audit but doesn’t function in practice) or missing the deadline entirely.
Getting the timeline right from the start is a planning issue, not just a project management one.
The Five Phases of ISO 45001 Certification
Regardless of organisation size, the path to ISO 45001 certification moves through five distinct phases. The time spent in each phase is what varies.
Phase 1: Gap Analysis (2 to 4 Weeks)
Before you can build or improve your OHS management system, you need an honest assessment of where you currently stand against the requirements of ISO 45001.
A gap analysis maps your existing safety processes, documentation, and practices against each clause of the standard. It identifies what you already have that can be formalised or adapted, what’s missing entirely, and what exists on paper but isn’t embedded in practice.
For businesses that already hold AS/NZS 4801 certification or have a reasonably mature safety management system, the gap analysis is often the most encouraging part of the process. A significant proportion of what ISO 45001 requires may already exist in some form. For businesses starting from a limited base, the gap analysis is where the true scope of the project becomes clear.
Two to four weeks is realistic for most organisations. Larger, more complex operations with multiple sites or business units may take longer.
Phase 2: System Development and Documentation (6 to 16 Weeks)
This is typically the longest phase, and the one most subject to variation.
ISO 45001 requires your organisation to develop and implement a documented OHS management system that addresses the standard’s requirements. This includes but is not limited to:
– An OHS policy signed off by top management that reflects the organisation’s commitment to worker consultation and participation
– A process for identifying hazards and assessing risks across your operations (Clause 6.1)
– A register of legal and other OHS compliance obligations applicable to your operations under Australian law — including the Work Health and Safety Act 2011 (Commonwealth) and the relevant state or territory equivalent
– Documented operational controls for significant risks
– Emergency preparedness and response procedures
– Competency and training frameworks for roles with OHS responsibilities
– Internal audit procedures and a scheduled audit program
– Management review processes
– Incident investigation and nonconformity management procedures
The time required depends heavily on how much of this already exists in a form that meets the standard’s intent, how much needs to be written from scratch, and critically, how quickly your internal team can review, approve, and implement what’s developed.
A common cause of timeline blowout in this phase is the gap between documentation completion and actual implementation. The standard doesn’t just require that procedures exist but it requires that they’re operational and that people are following them. Getting your workforce familiar with new or revised procedures before the Stage 2 audit takes time that can’t be compressed.
For a small to medium business (10 to 100 employees, single site, moderate risk profile): 6 to 10 weeks.
For a larger or higher-complexity organisation (100+ employees, multiple sites, high-risk operations): 12 to 16 weeks or more.
Phase 3: Internal Audit (2 to 4 Weeks)
Before you can apply for external certification, ISO 45001 requires you to have completed at least one full internal audit of your OHS management system.
The internal audit assesses whether your system conforms to the requirements of the standard and is effectively implemented. It needs to be conducted by someone with the competence to audit against ISO 45001 either a trained internal auditor within your organisation or an external consultant conducting the audit on your behalf.
Any nonconformities identified during the internal audit need to be investigated and corrected before your Stage 1 external audit. This correction process needs to be documented, including root cause analysis and verification of effectiveness — all requirements of Clause 10.2.
Allow two to four weeks for the internal audit process, including the close-out of any nonconformities. If significant gaps are identified, this phase may extend while corrections are implemented.
Phase 4: Management Review (1 to 2 Weeks)
ISO 45001 requires top management to review the OHS management system at planned intervals to ensure it remains suitable, adequate, and effective. You need at least one completed management review on record before your certification audit.
The management review must consider specific inputs defined in Clause 9.3 of the standard: the status of actions from previous reviews, changes in internal and external issues relevant to the OHS management system, OHS performance data including trends in incidents and nonconformities, audit results, worker consultation and participation outcomes, and opportunities for continual improvement.
This isn’t a formality. The certification auditor will review the management review records and assess whether top management is genuinely engaged with the system and not just whether the meeting happened.
A week to two weeks is sufficient to schedule, conduct, and document a management review, assuming the performance data from your monitoring and measurement activities is already being collected.
Phase 5: External Certification Audit (Stage 1 and Stage 2)
The external certification audit is conducted by a Conformity Assessment Body (CAB) accredited by JAS-ANZ — the Joint Accreditation System of Australia and New Zealand. In Australia, your ISO 45001 certificate is only internationally recognised if issued by a JAS-ANZ accredited CAB.
The certification process has two stages:
Stage 1 — Documentation Review: The auditor reviews your OHS management system documentation to assess readiness for the Stage 2 audit. This is typically conducted off-site or in a brief on-site visit. The auditor will identify any areas where the system isn’t sufficiently developed to proceed and issue findings that must be addressed before Stage
Stage 2 — On-Site Audit: The auditor conducts a full on-site assessment of your OHS management system in operation. This involves interviews with workers and management, observation of work activities, review of records, and verification that the system is implemented as documented. The duration of the Stage 2 audit depends on your organisation’s size and complexity for a small business, a single day may be sufficient; larger or higher-risk organisations should expect two to three days or more.
Following Stage 2, the auditor raises any nonconformities. Major nonconformities must be resolved before certification is granted. Minor nonconformities are typically closed out within a defined timeframe after certification is issued.
Allow four to eight weeks from engaging your certification body to completing the Stage 2 audit, including scheduling lead time, the Stage 1 audit, close-out of any Stage 1 findings, and the Stage 2 audit itself. Scheduling availability at JAS-ANZ accredited CABs can add to this — particularly in Q1 and Q4 when demand is higher.
Realistic Total Timelines for 2026
Pulling the phases together, here are realistic end-to-end timelines based on starting position:
Starting from scratch (limited or no formal OHS management system):
Total time: 6 to 12 months
This is the full implementation scenario. The system development phase will be substantial, internal audit preparation requires a functioning system to audit against, and time needs to be built in for the workforce to become familiar with new procedures before the Stage 2 audit. Attempting to compress this below six months typically produces a system that is documented but not genuinely operational — and experienced ISO 45001 auditors will identify this quickly.
Existing safety management system, not yet formally structured to ISO 45001:
Total time: 3 to 6 months
This is the most common scenario for Australian businesses that have been operating in higher-risk industries for some years. A safety management system exists — policies, procedures, incident reporting, toolbox talks, risk registers — but it hasn’t been structured to meet the specific requirements of ISO 45001. The gap analysis will identify what needs to be formalised or added, and the implementation effort is proportional to the size of those gaps.
Former AS/NZS 4801 certified or existing ISO 45001 system requiring recertification:
Total time: 6 to 12 weeks
Organisations transitioning from AS/NZS 4801 or updating an existing ISO 45001 system for recertification are working from a solid foundation. The main tasks are addressing any gaps between the old standard and the current requirements of ISO 45001:2018, updating documentation, completing the internal audit cycle, and scheduling the external audit.
What Can Slow the Timeline Down?
Understanding the common causes of delay helps you plan around them.
Top management availability and engagement is the most frequent cause of timeline extension. ISO 45001 places explicit requirements on top management — the OHS policy must be issued under their authority, the management review requires their participation, and the Stage 2 auditor will expect to speak with them. When leadership is difficult to engage during implementation, everything downstream slows.
Worker consultation and participation requirements are more substantive in ISO 45001 than in many other management system standards. Clause 5.4 specifically requires that workers are consulted and able to participate in the development and review of OHS policies, hazard identification processes, and management of incidents and nonconformities. Demonstrating this to the auditor requires documented evidence of meeting records, consultation logs, or similar. If worker engagement hasn’t been built into the implementation from the start, it becomes a significant gap to address before audit.
Scheduling with your certification body can add four to six weeks to your timeline if you haven’t engaged them early. JAS-ANZ accredited CABs book out, and waiting until your system is fully developed before making contact means waiting in a queue. Engage your certification body early — Stage 1 can often be scheduled while you’re finalising system documentation.
Multiple sites significantly increase audit duration and preparation time. If your organisation operates across multiple locations, the auditor may need to visit more than one site, and each site needs to demonstrate the system is implemented — not just the head office.
A Note on Choosing a Certification Body
Not all certification bodies operating in Australia are JAS-ANZ accredited for ISO 45001. Before engaging one, verify their accreditation status directly on the JAS-ANZ register at jas-anz.org. Accreditation scope matters and a body may be accredited for ISO 9001 but not for ISO 45001.
If you are also pursuing ISO 9001 or ISO 14001, a combined audit with a single CAB covering all three standards is worth considering. The High Level Structure shared across all three standards means a combined audit is typically more efficient than three separate engagements, and most major JAS-ANZ accredited CABs offer integrated auditing.
What to Have Ready Before Your Stage 2 Audit
Regardless of timeline, these are the key items your certification auditor will expect to find in place at Stage 2:
– A documented OHS policy, signed by top management and communicated to all workers
– A completed hazard identification and risk assessment for your operations
– A current compliance obligations register covering applicable WHS legislation and other requirements
– Documented operational controls for your significant risks
– Training and competency records for roles with OHS responsibilities
– At least one completed internal audit with nonconformities documented and closed out
– At least one completed management review with records
– An incident investigation procedure and evidence it has been applied
– Evidence of worker consultation and participation in OHS processes
If these aren’t in place and functioning and not just documented — the Stage 2 audit will produce major nonconformities, and certification will be deferred.
For most Australian businesses in 2026, a realistic ISO 45001 certification timeline sits between three and nine months depending on starting position. The variables that matter most are the maturity of your existing safety management system, the complexity and risk profile of your operations, top management engagement during implementation, and how early you engage your certification body.
The businesses that achieve certification efficiently are those that treat implementation as a genuine operational improvement project — not a documentation exercise timed around the audit. The standard is designed to produce a safety management system that reduces workplace harm. When implementation reflects that intent, certification follows as a natural outcome.
