One manages quality. The other manages health and safety. They share an identical structural backbone, which is exactly why so many UK SMEs run both — and why the differences matter. A plain-English breakdown from the auditor's side of the table.
ISO 9001 and ISO 45001 are two of the most widely held management-system certifications in the UK, and businesses regularly ask me which one they need — or assume the two are variations on a theme. They're not. They manage fundamentally different things. But because both are built on the same modern template, they fit together far more neatly than most people expect, which is why so many SMEs end up holding both and running them as a single system.
This guide explains what each standard is for, the shared backbone they have in common, where they genuinely diverge, and how a smaller business can run both without doubling its paperwork. References are to the well-established Annex SL clause structure (clauses 4 to 10) common to both standards — work from your own legally-obtained copies of ISO 9001:2015 and ISO 45001:2018 for the exact requirements.
The international standard for a quality management system. Its purpose is consistently meeting customer and applicable regulatory requirements, and enhancing customer satisfaction. It's about doing work right, repeatably, and improving how you do it. Its centre of gravity is the customer and the quality of your product or service.
The international standard for an occupational health and safety management system. Its purpose is providing safe and healthy workplaces, preventing work-related injury and ill health, and proactively improving H&S performance. Its centre of gravity is the worker and the hazards they're exposed to.
In one sentence: ISO 9001 protects the quality of what you deliver to customers; ISO 45001 protects the people who deliver it. Different objects of concern, different reasons to certify.
Here's the part that makes integration possible. Every modern ISO management-system standard — 9001, 45001, 14001 (environment), 27001 (information security) and others — is built on a common high-level structure called Annex SL. That means all of them share the same ten-clause skeleton, and clauses 4 to 10 line up requirement-for-requirement at the structural level:
Because the clause structure is identical, the machinery of both systems is the same: both need a policy, both need objectives, both need competence records, both need document control, both need internal audits, both need management review, and both need a nonconformity-and-corrective-action process. You build that machinery once and feed two standards through it. This shared structure is the entire reason an integrated management system is practical rather than a theoretical ideal.
Shared structure doesn't mean identical content. Inside that common skeleton, each standard fills the clauses with its own concerns. The real differences are in what each clause asks you to manage:
| ISO 9001 (Quality) | ISO 45001 (Health & Safety) | |
|---|---|---|
| Primary focus | Customer satisfaction and consistent, conforming product/service | Worker safety and prevention of work-related injury and ill health |
| What "risk" means | Risks and opportunities to the quality system and to meeting requirements | Hazard identification and OH&S risk assessment — physical harm to people is central |
| Distinctive requirement | Strong customer-focus thread: requirements review, customer satisfaction monitoring, control of nonconforming output | Worker consultation and participation (Clause 5.4) — workers must have a genuine voice; plus legal compliance and emergency preparedness |
| Operation (Clause 8) | Design, production and service provision; control of externally provided processes | Operational controls to eliminate hazards and reduce risk; management of change; emergency preparedness and response |
| Legal dimension | Applicable statutory and regulatory requirements for the product/service | Heavier emphasis on legal and other H&S requirements — UK H&S law is a constant backdrop |
Two differences are worth dwelling on. First, worker consultation and participation (Clause 5.4) is a defining feature of ISO 45001 that has no direct equivalent in ISO 9001. The standard insists that the people exposed to the risks help shape the system that manages them — that's a cultural requirement, not just a documentary one. Second, the customer-focus thread runs through ISO 9001 in a way it doesn't through 45001: requirements review before commitment, monitoring customer satisfaction, and controlling nonconforming output are quality-specific concerns.
Because of the shared Annex SL backbone, a smaller business holding both standards should not run two separate systems. The efficient model is a single integrated management system (IMS) where the common machinery is shared and only the standard-specific content is kept distinct:
Run this way, the second standard adds far less overhead than the first, because most of the system already exists. The certification body can often audit both in a combined visit, and the business gets a single coherent way of working rather than two competing bureaucracies. The only parts that stay genuinely separate are the standard-specific ones: the quality-specific operational controls and customer-satisfaction work for 9001, and the hazard registers, operational H&S controls, emergency preparedness and worker-consultation arrangements for 45001.
The practical challenge with an IMS isn't understanding the theory — it's keeping the shared machinery genuinely shared rather than letting it fragment into two systems by accident. That's where integrated management system software earns its place: PICMS maps your evidence to the Annex SL clauses across every standard you hold at once, so a single document control system, audit programme, risk and hazard framework, management review and CAPA process feed 9001 and 45001 together. Its AI evidence-to-clause mapping shows you, for each clause, what you hold against each standard — which is exactly how you spot where the two systems are drifting apart.
To be clear about what software does and doesn't do: PICMS doesn't make you certified to either standard — that comes from an accredited certification body auditing your system. What it does is help you demonstrate alignment to both, keep the evidence audit-ready, and run them as one integrated system rather than two overlapping ones.
PICMS maps your evidence to the shared Annex SL clauses across every standard you hold, so one document control system, audit programme and management review feed both — and you can see where they're aligned at a glance.