Contractor Safety Management Under ISO 45001

ISO 45001

By Trenton Steadman

Learn how to implement effective contractor safety management under ISO 45001. Covers pre-qualification, on-site controls, communication, and practical implementation strategies.

An industrial services company I work with has field crews deployed across multiple customer sites at any given time. These workers might be 500 miles from the home office, operating under the client's site rules, using a mix of the client's equipment and their own. When something goes wrong, who's responsible? Whose emergency procedures apply? Whose incident form do they fill out?

If you've spent any time implementing ISO 45001, you know that contractor and outsourced worker safety is one of those topics that sounds straightforward in the standard and gets complicated fast in practice. Clause 8.1.4 is only a few paragraphs long, but the questions it raises can keep your implementation team busy for weeks.

What the Standard Actually Says

ISO 45001 Clause 8.1.4 addresses outsourcing specifically, and Clause 8.2 covers procurement. But the broader contractor safety obligation shows up throughout the standard - in your scope determination (Clause 4.3), your risk assessment (Clause 6.1), your operational controls (Clause 8.1), and your emergency preparedness (Clause 8.2).

The core requirement is this: you need to ensure that outsourced functions and processes, and work performed by contractors, are controlled within your OH&S management system. That doesn't mean you need to run the contractor's safety program for them. It means you need to determine what controls are necessary, communicate them, and verify they're being followed.

There are three practical buckets here:

  • Pre-qualification - what you verify before a contractor sets foot on your site (or you set foot on theirs)
  • On-site controls - what happens while the work is underway
  • Communication - how safety requirements flow between organizations

Most companies already do some version of all three. The ISO 45001 gap is usually in the formality and consistency of the process - not in whether it exists at all.

The Pre-Qualification Piece

Pre-qualification is where most organizations start, and it's often where they stop. Collecting insurance certificates and safety records before awarding a contract is standard practice in most industries. ISO 45001 doesn't prescribe exactly what you need to collect, but the intent is clear: you should have a reasonable basis for confidence that the contractor can work safely.

In practice, this usually means:

  • Current insurance and workers' compensation documentation
  • Safety record (TRIR, EMR, or equivalent metrics for your jurisdiction)
  • Evidence of a safety program or management system (doesn't need to be ISO-certified)
  • Relevant training records for the specific work being performed
  • Any industry-specific certifications or qualifications

The mistake I see most often is treating pre-qualification as a one-time checkbox. A contractor passes screening in 2023 and stays on the approved list indefinitely. ISO 45001 expects you to re-evaluate periodically - which doesn't have to mean annually, but it does have to mean something more than "we checked once."

For companies in the industrial services space, there's an added layer. When your workers are the ones going to client sites, you're on both sides of the contractor relationship. You're pre-qualifying your subcontractors while simultaneously being pre-qualified by your clients. That dual exposure is worth thinking through when you're building your controls.

On-Site Controls - Where It Gets Real

Pre-qualification tells you the contractor can work safely in general. On-site controls tell you they're working safely right now, on this project, in this specific environment.

This is where the real consulting conversations happen. One company I worked with had field crews rotating through customer sites on projects lasting anywhere from a few days to several months. Their field workers were completing daily hazard assessments using their own company's FLHA (Field Level Hazard Assessment) tool, but they were also subject to whatever site-specific safety requirements the host client imposed. Sometimes those overlapped. Sometimes they contradicted each other.

The practical approach that worked for them was layered controls:

  • Company-level controls applied everywhere, regardless of site. These covered their own equipment, their own procedures, their own PPE requirements, and their own incident reporting.
  • Site-specific controls were documented per project. When a crew mobilized to a new site, the supervisor conducted a site orientation covering the client's requirements, emergency procedures, and any hazards unique to that location.
  • Gap analysis between the two happened informally but consistently. If a client site had stricter requirements, those governed. If the client site had weaker requirements than the company's own standards, the company's standards still applied.

This layered approach also addresses one of the trickiest audit questions: how do you verify compliance when you can't physically be at every site? The answer isn't that you need to be everywhere - it's that you need a system of reporting, inspection, and communication that gives you reasonable confidence. Weekly site inspections documented in your system, supervisor reports, and regular communication all contribute to that picture.

The Emergency Preparedness Challenge

One area that gets overlooked in contractor safety discussions is emergency preparedness. ISO 45001 Clause 8.2 requires that you plan for emergency situations - but what does that look like when your workers aren't in your building?

That industrial services company I mentioned earlier faced exactly this challenge. They had emergency response procedures and conducted drills at their home facility, but their field workers couldn't participate in those drills because they weren't physically present. They were at customer sites, potentially hundreds of miles away, operating under the customer's emergency procedures.

The solution wasn't to pretend the home office drill covered everyone. It was to acknowledge the gap and address it differently:

  • Field workers received training on the company's emergency procedures during onboarding and annual refreshers
  • Site-specific emergency procedures were reviewed as part of every project mobilization
  • Supervisors were responsible for confirming that their crews knew the host site's emergency exits, muster points, and communication protocols
  • The company maintained its own emergency communication chain that operated independently of any client site's procedures

This is one of those areas where the standard's intent is more important than the standard's literal text. You're not going to have every field worker participate in the home office fire drill. But you are going to make sure they know what to do when something goes wrong, wherever they happen to be working.

Communication - The Part Everyone Underestimates

Clause 7.4 requires you to determine the internal and external communications necessary for your OH&S management system. When contractors are involved, this isn't just about sending them a safety handbook and having them sign an acknowledgment form.

Effective contractor safety communication is bidirectional:

  • You to them: Your safety requirements, site-specific hazards, PPE requirements, incident reporting procedures, emergency procedures, and any changes to any of the above
  • Them to you: Incident reports (including near misses), hazard observations, safety concerns, changes in their workforce or capabilities, and feedback on your requirements

The second direction is where most systems break down. Companies are good at pushing requirements outward. They're less good at creating mechanisms for contractors to communicate back - especially when the contractor's workers are the ones deployed to your customer's site, not the other way around.

One practical mechanism: include contractor safety performance as a standing item in your Management Review. Not just "did anyone get hurt" but "what are the contractors telling us about conditions, and are we listening?"

Scope Considerations

Here's something that catches organizations off guard during implementation: your decisions about certification scope directly affect how you handle contractor safety. If your scope covers multiple locations or business units, you need clarity on which contractors fall inside the boundary and which don't.

One company I worked with initially planned to certify their entire operation across multiple entities and countries. When they stepped back and narrowed the scope to their Canadian operations only, it fundamentally changed the contractor safety picture. US-based subcontractors who would have been in scope were now outside it. Field workers deployed from the Canadian entity to US customer sites were still in scope (they're your workers), but the regulatory framework they operated under was different.

Getting the scope right early saves significant rework later. And for companies with complex organizational structures - parent companies, subsidiaries, divisions operating semi-independently - the contractor boundary question is one of the first things your auditor will probe.

Making It Practical

If you're implementing ISO 45001 and contractor safety feels overwhelming, start with three questions:

  • Who are your contractors? Not just the big subcontractors, but anyone performing work that's within your scope. Cleaning services, equipment maintenance, delivery drivers who enter restricted areas - they all count.
  • What can go wrong? Map the hazards that your contractors are exposed to (or create) within your operations. This drives your pre-qualification requirements and on-site controls.
  • How does information flow? Trace the communication path from a safety issue at a contractor's work site to your Management Review table. If there are gaps, that's your priority.

You don't need a 50-page contractor safety program. You need a process that covers pre-qualification, on-site controls, and communication - and evidence that you're actually using it.

Getting Started

Contractor safety under ISO 45001 isn't about creating a bureaucratic layer on top of work that's already happening. In most cases, companies are already managing contractor safety through some combination of insurance requirements, site orientations, and common sense. The standard asks you to make it systematic - which mostly means documenting what you do and closing the gaps where things fall through.

If you're working through your ISO 45001 implementation and contractor management is one of the knots you haven't untangled yet, we offer a free initial consultation to help you figure out where you stand and what actually needs to change.
