ISO Standards · From the Auditor's Desk

ISO 9001 vs ISO 45001: what's the difference?

One manages quality. The other manages health and safety. They share an identical structural backbone, which is exactly why so many UK SMEs run both — and why the differences matter. A plain-English breakdown from the auditor's side of the table.

Jason Misters · IRCA® Registered Principal Auditor · 22 June 2026

ISO 9001 and ISO 45001 are two of the most widely held management-system certifications in the UK, and businesses regularly ask me which one they need — or assume the two are variations on a theme. They're not. They manage fundamentally different things. But because both are built on the same modern template, they fit together far more neatly than most people expect, which is why so many SMEs end up holding both and running them as a single system.

This guide explains what each standard is for, the shared backbone they have in common, where they genuinely diverge, and how a smaller business can run both without doubling its paperwork. References are to the well-established Annex SL clause structure (clauses 4 to 10) common to both standards — work from your own legally-obtained copies of ISO 9001:2015 and ISO 45001:2018 for the exact requirements.

What each standard is for

ISO 9001 — Quality management

The international standard for a quality management system. Its purpose is consistently meeting customer and applicable regulatory requirements, and enhancing customer satisfaction. It's about doing work right, repeatably, and improving how you do it. Its centre of gravity is the customer and the quality of your product or service.

ISO 45001 — Occupational health & safety

The international standard for an occupational health and safety management system. Its purpose is providing safe and healthy workplaces, preventing work-related injury and ill health, and proactively improving H&S performance. Its centre of gravity is the worker and the hazards they're exposed to.

In one sentence: ISO 9001 protects the quality of what you deliver to customers; ISO 45001 protects the people who deliver it. Different objects of concern, different reasons to certify.

The shared backbone: Annex SL

Here's the part that makes integration possible. Every modern ISO management-system standard — 9001, 45001, 14001 (environment), 27001 (information security) and others — is built on a common high-level structure called Annex SL. That means all of them share the same ten-clause skeleton, and clauses 4 to 10 line up requirement-for-requirement at the structural level:

  • Clause 4 — Context of the organisation: understand your internal/external issues, interested parties, and scope.
  • Clause 5 — Leadership: top-management commitment, policy, roles and responsibilities.
  • Clause 6 — Planning: address risks and opportunities, set objectives, plan change.
  • Clause 7 — Support: resources, competence, awareness, communication, documented information.
  • Clause 8 — Operation: plan and control the operational processes that deliver the outcome.
  • Clause 9 — Performance evaluation: monitor, measure, audit internally, review at management level.
  • Clause 10 — Improvement: handle nonconformity, take corrective action, continually improve.

Because the clause structure is identical, the machinery of both systems is the same: both need a policy, both need objectives, both need competence records, both need document control, both need internal audits, both need management review, and both need a nonconformity-and-corrective-action process. You build that machinery once and feed two standards through it. This shared structure is the entire reason an integrated management system is practical rather than a theoretical ideal.

The clause numbers being identical across 9001 and 45001 isn't a coincidence — it's a deliberate design choice so that an organisation can run several standards on one set of processes. The businesses that don't realise this end up maintaining two parallel systems that should have been one.

Where they genuinely differ

Shared structure doesn't mean identical content. Inside that common skeleton, each standard fills the clauses with its own concerns. The real differences are in what each clause asks you to manage:

  ISO 9001 (Quality) ISO 45001 (Health & Safety)
Primary focus Customer satisfaction and consistent, conforming product/service Worker safety and prevention of work-related injury and ill health
What "risk" means Risks and opportunities to the quality system and to meeting requirements Hazard identification and OH&S risk assessment — physical harm to people is central
Distinctive requirement Strong customer-focus thread: requirements review, customer satisfaction monitoring, control of nonconforming output Worker consultation and participation (Clause 5.4) — workers must have a genuine voice; plus legal compliance and emergency preparedness
Operation (Clause 8) Design, production and service provision; control of externally provided processes Operational controls to eliminate hazards and reduce risk; management of change; emergency preparedness and response
Legal dimension Applicable statutory and regulatory requirements for the product/service Heavier emphasis on legal and other H&S requirements — UK H&S law is a constant backdrop

Two differences are worth dwelling on. First, worker consultation and participation (Clause 5.4) is a defining feature of ISO 45001 that has no direct equivalent in ISO 9001. The standard insists that the people exposed to the risks help shape the system that manages them — that's a cultural requirement, not just a documentary one. Second, the customer-focus thread runs through ISO 9001 in a way it doesn't through 45001: requirements review before commitment, monitoring customer satisfaction, and controlling nonconforming output are quality-specific concerns.

How SMEs run both as one integrated system

Because of the shared Annex SL backbone, a smaller business holding both standards should not run two separate systems. The efficient model is a single integrated management system (IMS) where the common machinery is shared and only the standard-specific content is kept distinct:

  • One context analysis, one set of interested parties (Clause 4) covering both quality and H&S issues.
  • A combined or aligned policy and one leadership/responsibility structure (Clause 5) — with 45001's worker-participation arrangements bolted on where they apply.
  • One risk-and-objectives process (Clause 6) that handles quality risks and OH&S hazards in the same framework, even if the registers themselves are separate.
  • Shared support functions (Clause 7): one competence/training system, one document control system, one communication approach.
  • One internal audit programme and one management review (Clause 9) covering both standards in the same cycle — you audit and review the integrated system, not each standard in isolation.
  • One nonconformity and corrective-action process (Clause 10) feeding both.

Run this way, the second standard adds far less overhead than the first, because most of the system already exists. The certification body can often audit both in a combined visit, and the business gets a single coherent way of working rather than two competing bureaucracies. The only parts that stay genuinely separate are the standard-specific ones: the quality-specific operational controls and customer-satisfaction work for 9001, and the hazard registers, operational H&S controls, emergency preparedness and worker-consultation arrangements for 45001.

Keeping an integrated system in one place

The practical challenge with an IMS isn't understanding the theory — it's keeping the shared machinery genuinely shared rather than letting it fragment into two systems by accident. That's where integrated management system software earns its place: PICMS maps your evidence to the Annex SL clauses across every standard you hold at once, so a single document control system, audit programme, risk and hazard framework, management review and CAPA process feed 9001 and 45001 together. Its AI evidence-to-clause mapping shows you, for each clause, what you hold against each standard — which is exactly how you spot where the two systems are drifting apart.

To be clear about what software does and doesn't do: PICMS doesn't make you certified to either standard — that comes from an accredited certification body auditing your system. What it does is help you demonstrate alignment to both, keep the evidence audit-ready, and run them as one integrated system rather than two overlapping ones.

Jason Misters — IRCA® Registered Principal Auditor

Lead auditor and ISO consultant. Founder of Training Assurance Consultancy and PICMS. Writes from years of hands-on experience implementing and auditing integrated management systems in UK businesses. Verifiable on the CQI-IRCA register.

Run 9001 and 45001 as one system.

PICMS maps your evidence to the shared Annex SL clauses across every standard you hold, so one document control system, audit programme and management review feed both — and you can see where they're aligned at a glance.

Explore IMS Software Start Free Trial