ISO 45001 Training Requirements: What the Standard Actually Says
By Trenton Steadman

Complete guide to ISO 45001 training requirements covering competence vs awareness, training matrices, and practical implementation strategies for occupational health and safety management systems.
A manufacturing client I was working with had a training matrix that would make any ISO 9001 auditor smile. Job roles mapped to required training, completion dates tracked, refresher schedules documented. It was thorough, it was maintained, and it covered their quality management system beautifully.
Then we started their ISO 45001 Gap Analysis. When I asked about OH&S training needs, the Quality Manager pulled up the same matrix and said, "It's all in here." It wasn't. The matrix covered equipment operation, quality procedures, and job-specific technical skills. What it didn't cover was hazard recognition for their specific processes, emergency response roles, or even basic awareness of the company's OH&S policy. They had a training system - it just wasn't designed for safety.
This is one of the most common gaps I see when companies expand from ISO 9001 to ISO 45001. They assume the existing training infrastructure will carry them. Sometimes it does. More often, there are significant holes that only become visible when you look at the requirements with fresh eyes.
Competence vs. Awareness - Two Different Requirements
ISO 45001 separates training into two distinct requirements, and understanding the difference matters for how you build your program.
Clause 7.2 - Competence asks: Can this person do their job safely? Competence means the worker has the education, training, or experience necessary to perform work that affects OH&S performance. This is about ability - do they have the skills and knowledge to do the work without creating unacceptable risk?
Clause 7.3 - Awareness asks: Does this person understand the safety management system around them? Awareness means workers know the OH&S policy, understand how their work contributes to (or detracts from) the system's effectiveness, know the implications of not conforming with requirements, and are aware of relevant incidents and investigation outcomes.
The practical difference: competence training makes someone capable. Awareness training makes someone informed. You need both, and they serve different purposes.
Most companies invest heavily in competence training - equipment operation, lockout/tagout procedures, working at heights certification, forklift licenses. These are tangible, often regulatory, and easy to track. Where the gap usually lives is in awareness. Workers who are perfectly competent at their jobs may have no idea what the company's OH&S objectives are, what happened in last month's incident investigation, or even that an OH&S policy exists.
What Competence Training Actually Looks Like
ISO 45001 doesn't prescribe specific training courses or curricula. What it requires is that you:
- Determine the necessary competence for workers who affect OH&S performance
- Ensure workers are competent based on education, training, or experience
- Take actions to acquire the necessary competence where gaps exist
- Retain documented evidence of competence
The first step - determining what's necessary - is where most of the work happens. You need to look at each role and ask: what does this person need to know or be able to do to perform their work safely? The answer is different for a machine operator, a maintenance technician, a supervisor, and an office administrator.
For an industrial services company I worked with, the competence requirements varied dramatically by role:
- Field workers needed task-specific hazard assessment skills, equipment certifications, and site-specific safety training for each customer location they worked at
- Supervisors needed all of that plus incident investigation skills, the ability to conduct workplace inspections, and knowledge of regulatory reporting requirements
- The HSE Director needed competence in management system auditing, regulatory compliance interpretation, and safety program management
The training matrix should reflect these differences. A flat "everyone takes the same safety course annually" approach technically fails Clause 7.2 because it doesn't demonstrate that you've determined role-specific competence needs.
One practical approach that works well: start with your hazard register. Every significant hazard you've identified should trace back to competence requirements for the workers exposed to it. If you've identified silica dust as a hazard in your manufacturing process, the workers in that area need competence in dust control measures, proper PPE use and fit testing, and recognition of exposure symptoms. The link from hazard to competence to training to evidence creates a clear audit trail.
What Awareness Training Actually Looks Like
Awareness is where most organizations have the biggest gap - and it's also the easiest to close, once you realize it's there.
Clause 7.3 requires that workers are aware of:
- The OH&S policy and objectives
- Their contribution to the effectiveness of the OH&S management system
- The implications of not conforming with OH&S management system requirements
- Incidents and outcomes of investigations relevant to them
- Hazards, risks, and actions determined that are relevant to them
- The ability to remove themselves from work situations they believe present an imminent danger (and the protection from reprisal for doing so)
That last point - the right to refuse unsafe work - is particularly important under ISO 45001 and often gets overlooked in training programs. Workers need to know they have this right, know how to exercise it, and trust that they won't face consequences for doing so.
Awareness training doesn't need to be a formal classroom event. In fact, some of the most effective approaches I've seen are ongoing and embedded in daily operations:
- Weekly safety toolbox talks covering policy reminders and recent incident lessons
- Posting OH&S objectives in work areas and discussing progress at regular intervals
- Sharing investigation outcomes (anonymized where appropriate) through team meetings or safety bulletins
- Including OH&S system awareness in new employee orientations
- Annual policy review as part of the Management Review communication cycle
One company I worked with used their existing weekly safety update - a brief standing meeting that was already part of their routine - to communicate annual objectives at the start of each year and provide monthly progress updates. No new meetings, no additional burden, just intentional content injected into an existing communication channel.
The Training Matrix - Your Central Evidence
Whether you use a spreadsheet, a database, or purpose-built software, you need a training matrix that connects roles to requirements to evidence. For ISO 45001, this matrix should capture:
- Role/position - who needs the training
- Competence requirement - what they need to know or be able to do (linked to hazards and OH&S responsibilities)
- Training method - formal course, on-the-job, mentoring, self-study, or experience-based
- Evidence - certificate, completion record, supervisor sign-off, demonstrated ability
- Frequency - one-time, annual refresher, triggered by change
- Status - current, due for renewal, overdue
The mistake I see most often: companies have a training matrix that covers quality and technical skills, then bolt OH&S requirements onto it as an afterthought. The result is a matrix that technically has safety items in it but doesn't reflect a systematic determination of OH&S competence needs. Auditors can tell the difference.
If your organization already has ISO 9001, you have the infrastructure. The matrix exists, the tracking process works, the culture of maintaining records is there. What you need to do is go through it with an OH&S lens and ask: for each role, have we actually determined what safety competencies are required? Not what courses are available - what's actually needed based on the hazards these people face and the OH&S responsibilities they carry.
OSHA and Regulatory Training - The Overlap
If you're a US manufacturer, your OSHA training requirements already cover a significant chunk of what ISO 45001 asks for. Hazard communication training, lockout/tagout procedures, PPE training, confined space entry, fall protection - these are regulatory requirements you're already meeting. The overlap with ISO 45001 is substantial.
OSHA-mandated training programs typically require documented training records, new employee orientation covering workplace hazards, and ongoing training related to specific operations and chemicals. These requirements map closely to ISO 45001 Clauses 7.2 and 7.3. The gap is usually in the system-level awareness components - OSHA training focuses on task-specific safety compliance, while ISO 45001 also asks whether workers understand the management system itself, the OH&S policy, and how their work contributes to overall safety performance.
OSHA provides a regulatory floor - the minimum training you must provide. ISO 45001 builds on top of that by requiring you to think systematically about competence needs based on your specific hazards, not just regulatory checklists. A company handling silica, for example, needs OSHA silica training as a baseline, but ISO 45001 asks whether workers are also competent in the broader controls, monitoring procedures, and emergency response related to that exposure.
The practical takeaway: if you're already complying with regulatory training requirements, you likely have a good chunk of the Clause 7.2 competence side covered. The gaps are almost always in Clause 7.3 awareness and in the systematic determination of role-specific needs beyond what regulations mandate.
Common Pitfalls
A few patterns I see repeatedly during 45001 implementations:
Over-training without tracking. Companies that send everyone through every available safety course but can't demonstrate that the training was determined based on actual competence needs. More training isn't better training if it's not targeted.
Confusing attendance with competence. Signing a sheet that says you attended a training session doesn't demonstrate competence. For high-risk tasks, you may need practical assessments, observed demonstrations, or supervised work periods before a worker is deemed competent.
Ignoring temporary and contractor safety management. If contractors or temporary workers perform work within your scope, their competence requirements exist too. You don't need to train them yourself, but you do need to verify that they meet the competence requirements for the work they're doing.
Forgetting about changes. When processes change, equipment changes, or new hazards are introduced, the competence requirements change too. A training matrix that was current in January may have gaps by March if you've modified a process or brought in new materials.
Getting Started
If you're building or revising your training program for ISO 45001, here's a practical sequence:
- Start with your hazard register and identify what competencies each hazard demands
- Map those competencies to roles
- Compare against your current training matrix to find the gaps
- Address awareness requirements as a separate track - don't try to fold them into technical training
- Set up a review trigger for any time processes, equipment, or hazards change
The standard isn't asking you to overhaul everything. It's asking you to think systematically about who needs to know what, prove they know it, and keep it current. If you already have a solid training culture, ISO 45001 is mostly about filling in the documentation gaps and adding the awareness dimension.
If you're working through your ISO 45001 training requirements and need help identifying the gaps between your existing program and what the standard actually requires, we offer a free initial consultation to help you map out what needs to change.


