Last Updated on December 24, 2025 by Melissa Lazaro

Understanding ISO 45001 Clauses 8, 9 & 10

Here’s what I’ve noticed after years of ISO 45001 audits:
Most systems look good on paper by the time they reach Clause 7.

Clauses 8 to 10 are where that paper system is tested against reality.

This is where auditors stop asking what you planned and start asking:

• How is safety controlled day to day?
• How do you know it’s working?
• What do you do when it doesn’t?

If Clauses 8–10 are weak, everything before them starts to unravel.

In this article, I’ll walk through operations, performance evaluation, and improvement in plain language—focusing on what actually gets tested during audits.

ISO 45001 Clause 8 – Operation: Operational Planning & Control

Clause 8 is about execution.

You’ve identified hazards.
You’ve assessed risks.
Now you need to control them in real work conditions.

Clause 8 requires you to:

• Implement planned controls
• Manage routine and non-routine work
• Control outsourced processes and contractors
• Ensure operations remain aligned with risk assessments

Auditors don’t just review procedures here.
They walk the site and compare what’s written with what’s happening.

Pro tip:
If workers are improvising controls, planning isn’t strong enough.

Common mistake:
Controls exist in documents but not in daily practice. Auditors usually find this during site observations.

Strong operational control is obvious. You don’t have to explain it—it’s visible.

ISO 45001 Clause 8.1 – Hierarchy of Controls & Management of Change

Clause 8.1 focuses on how controls are selected and maintained.

ISO 45001 expects you to apply the hierarchy of controls:

1. Eliminate the hazard
2. Substitute
3. Engineer the risk out
4. Use administrative controls
5. Rely on PPE as a last resort

It also requires you to manage change—planned or unplanned.

Pro tip:
Most serious incidents happen after changes. Equipment upgrades, staffing changes, new processes—these all need reassessment.

Common mistake:
Introducing change without updating risk assessments or controls. Auditors see this often and treat it seriously.

Effective systems treat change as a risk trigger, not an inconvenience.

ISO 45001 Clause 8.2 – Emergency Preparedness & Response

Clause 8.2 asks a practical question:
If something goes wrong, are you ready?

You’re expected to:

• Identify potential emergency situations
• Plan appropriate responses
• Train relevant personnel
• Periodically test and review plans

Auditors usually ask:

• What emergencies have you identified?
• When was the last drill?
• What changed after the last test?

Pro tip:
One realistic drill is better than five theoretical plans.

Common mistake:
Emergency plans that exist only in manuals. If they haven’t been tested, auditors will question their effectiveness.

Preparedness isn’t about predicting everything—it’s about being able to respond.

ISO 45001 Clause 9 – Performance Evaluation

Clause 9 is where you prove the system works.

It requires you to:

• Monitor and measure OH&S performance
• Evaluate compliance
• Analyze results and act on them

Auditors are less interested in how much data you collect—and more interested in whether you use it.

Pro tip:
Measure things that tell you whether risks are actually controlled.

Common mistake:
Tracking activity instead of effectiveness. Counting training sessions doesn’t prove safer work.

Good performance evaluation supports decision-making, not reporting.

ISO 45001 Clause 9.1 – Monitoring, Measurement, Analysis & Evaluation

Clause 9.1 adds structure to performance monitoring.

You must define:

• What is monitored
• How it’s measured
• How often
• Who is responsible
• How results are evaluated

Data should support action.

Pro tip:
If no decisions come from the data, you’re measuring the wrong things.

Common mistake:
Collecting data because the standard “expects it.” Auditors often ask how data influences improvements.

In strong systems, performance data tells a story—and management can explain it.

ISO 45001 Clause 9.2 & 9.3 – Internal Audit & Management Review

Internal audits and management reviews are system health checks.

Clause 9.2 requires internal audits to:

• Be planned based on risk
• Evaluate system effectiveness
• Identify improvement opportunities

Clause 9.3 ensures top management reviews:

• Performance trends
• Incidents and nonconformities
• Audit results
• Resource needs

Pro tip:
Audits and reviews should challenge the system, not protect it.

Common mistake:
Treating audits as a formality. Auditors can tell when findings are watered down.

Management review is where leadership involvement becomes visible—or absent.

ISO 45001 Clause 10 – Improvement & Corrective Action

Clause 10 is about learning.

You’re expected to:

• Respond to incidents and nonconformities
• Investigate root causes
• Implement corrective actions
• Drive continual improvement

Auditors often trace incidents through corrective action records to see if problems were truly resolved.

Pro tip:
If the same issues keep recurring, improvement isn’t working.

Common mistake:
Correcting symptoms instead of causes. Quick fixes don’t survive audits—or reality.

Strong corrective action changes systems, not just behavior.

Linking Clauses 8–10 – From Operation to Continual Improvement

Clauses 8, 9, and 10 are a loop.

Operations create results.
Performance evaluation measures those results.
Improvement uses the findings to strengthen controls.

Auditors expect to see this connection clearly.

Pro tip:
Be ready to explain one issue from operation, through monitoring, to corrective action.

Common mistake:
Treating each clause separately. When links are missing, system effectiveness is questioned.

In effective systems, improvement feels continuous—not forced.

FAQs – ISO 45001 Operation, Performance & Improvement

How detailed do operational controls need to be?
They should match the level of risk. High-risk activities need stronger, clearer controls.

How often must performance be monitored and reviewed?
As often as needed to manage risk. There’s no fixed rule—just effectiveness.

Can weak corrective action lead to major nonconformities?
Yes. Repeat findings are one of the fastest ways to escalate audit severity.

Conclusion – Making ISO 45001 Work in Practice

Clauses 8–10 are where ISO 45001 proves its value.

When they work well:

• Risks stay controlled
• Incidents reduce
• Audits feel structured and fair
• Improvement becomes part of daily work

When they’re weak, problems surface quickly—often after something goes wrong.

If there’s one takeaway, it’s this:
A safety management system isn’t defined by what you plan. It’s defined by what you do, measure, and improve.

Next step:
Trace one real issue through operation, monitoring, and corrective action. If the links aren’t clear, that’s your improvement opportunity.