Many Australian businesses assume that if they’re certified to ISO 45001, they’ve “covered” their legal WHS obligations.
Others assume that if they comply with the WHS Act, there’s no need to worry about ISO certification.
Both assumptions are wrong.
Understanding the difference between ISO 45001 and Australia’s WHS legislation — and how they intersect — is critical to avoiding compliance gaps, wasted effort, and audit findings.
The Legal Foundation: The WHS Act
Australia’s work health and safety laws are built around the model Work Health and Safety Act 2011, adopted (with variations) across most states and territories.
The WHS Act:
- Is law
- Imposes mandatory duties
- Creates enforceable obligations
- Carries penalties for non-compliance
It establishes the primary duty of care for a PCBU (Person Conducting a Business or Undertaking) and requires risks to be eliminated or minimised so far as is reasonably practicable.
Regulators such as SafeWork NSW and WorkSafe Victoria enforce compliance.
Failure to comply can result in improvement notices, prohibition notices, fines, or prosecution.
The International Standard: ISO 45001
ISO 45001 is an international management system standard published by the International Organization for Standardization (ISO).
It is:
- Voluntary (unless contractually required)
- A framework for managing OH&S risks
- Audited by certification bodies
- Focused on systems and continual improvement
It does not replace or override legal obligations.
The Core Difference
WHS Act = What you must do (legal duties)
ISO 45001 = How you can structure your system to manage those duties
One is law.
The other is a management framework.
Confusing the two is where businesses go wrong.
What Businesses Commonly Get Wrong
1. “We’re ISO Certified, So We’re Legally Compliant”
ISO 45001 requires organisations to identify and comply with applicable legal requirements — but certification does not guarantee legal compliance.
Auditors assess whether you have a system to manage compliance. Regulators assess whether you are actually compliant.
An organisation can pass an ISO audit yet still breach the WHS Act.
Certification bodies do not enforce legislation — regulators do.
2. Treating ISO as a Paper Exercise
Some businesses implement ISO 45001 purely for:
- Tender eligibility
- Prequalification
- Client expectations
They build extensive documentation but fail to ensure controls are embedded operationally.
ISO 45001 emphasises:
- Leadership commitment
- Worker consultation
- Risk-based thinking
- Continual improvement
If documentation exists without real implementation, both ISO auditors and regulators will identify the gap.
3. Ignoring Officer Due Diligence
The WHS Act imposes personal duties on officers (e.g. directors and senior executives).
ISO 45001 requires leadership involvement — but it does not create personal criminal liability.
Some businesses mistakenly believe board-level review for ISO purposes automatically satisfies WHS due diligence.
Due diligence under the Act requires officers to:
- Acquire knowledge of WHS matters
- Understand operations and risks
- Ensure resources are provided
- Verify controls are implemented
That verification element is where many organisations fall short.
4. Confusing Risk-Based Thinking with “Reasonably Practicable”
ISO 45001 uses risk-based thinking to manage OH&S risks.
The WHS Act uses the legal test of “so far as is reasonably practicable.”
These concepts overlap — but they are not identical.
The legal test considers:
- Likelihood of hazard or risk occurring
- Degree of harm
- What the person knows (or should reasonably know)
- Availability and suitability of controls
- Cost relative to risk
If risk assessments don’t reflect this reasoning, legal defensibility may be weak — even if ISO processes exist.
5. Over-Documenting to Satisfy ISO
ISO 45001 does not require excessive paperwork.
Yet many organisations create:
- 100+ page manuals
- Multiple redundant forms
- Complex approval pathways
The WHS Act does not require elaborate documentation either — it requires effective risk management and control.
Over-complication often creates implementation gaps.
6. Failing to Integrate Psychosocial Risk Management
Australian regulators are increasingly focused on psychosocial hazards (e.g. bullying, workload, fatigue).
While ISO 45001 covers psychological health risks in scope, many organisations:
- Focus heavily on physical safety
- Fail to systematically assess psychosocial risks
- Lack documented controls
Regulators are far more likely to issue notices for these failures than ISO auditors are to withdraw certification.
Where ISO 45001 Adds Value
When implemented properly, ISO 45001 strengthens WHS compliance by:
- Creating structured governance
- Formalising consultation mechanisms
- Improving documentation control
- Embedding continual improvement
- Driving leadership accountability
In mature organisations, ISO becomes a tool to demonstrate WHS compliance — not a substitute for it.
A Practical Comparison
| WHS Act | ISO 45001 |
|---|---|
| Mandatory law | Voluntary standard |
| Enforced by regulators | Audited by certification bodies |
| Breaches can lead to prosecution | Nonconformities affect certification |
| Focus on duties and risk control | Focus on systems and improvement |
| Personal liability for officers | Organisational certification only |
The Smart Approach
Australian businesses should:
- Treat the WHS Act as the baseline requirement
- Use ISO 45001 as a structured framework
- Ensure risk management aligns with the “reasonably practicable” test
- Embed leadership accountability beyond symbolic review
- Focus on implementation, not paperwork
Final Thoughts
ISO 45001 and the WHS Act are not competitors.
They operate at different levels:
- The WHS Act defines your legal duty.
- ISO 45001 provides a management system to help meet that duty.
Businesses get into trouble when they mistake certification for compliance — or treat compliance as a tick-box exercise.
In Australia, the safest position is this:
Build a WHS system that genuinely manages risk and meets legislative duties.
Then use ISO 45001 to strengthen, structure, and continuously improve it.
Get in touch with us today and see how Sherm Software and Safety for Life can help.
Our Audit Readiness Guide explains how businesses can design systems that withstand multiple audit regimes simultaneously.