ISO 45003 Deep Dive: Applying the Standard in Practice

Dr. Georgi Toma | Director, HeartBrain Works | Honorary Research Fellow, University of Auckland

Introduction

ISO 45003 has been available since 2021. Most WHS professionals are aware of it. Fewer have worked through what it means for the systems they already run.

This article draws on a recent HeartBrain Works session that mapped the standard onto Australian regulatory obligations and used a detailed organisational scenario to show what embedding ISO 45003 actually looks like. Not a theoretical walkthrough — a practical account of how an existing WHS system absorbs the standard without starting from scratch.

What ISO 45003 Is — and What It Is Not

ISO 45003 is a guidance document, not a certifiable standard. ISO 45001 is the certifiable standard. The law, whether the WHS Act, the OHS Act, or the jurisdiction-specific codes of practice, is the must. ISO 45003 is the how.

When organisations talk about "certifying" against ISO 45003, what that means in practice is demonstrating that the guidance is embedded in their ISO 45001 system and that psychosocial risk is being managed in line with applicable regulations. It is not a separate credential. It is evidence the work is being done and documented.

The standard follows the same architecture as ISO 45001: context of the organisation, leadership and worker participation, planning, support, operation, performance evaluation, and improvement. For organisations already certified to 45001, this means threading psychosocial risk through the clauses you already operate, not building a parallel system.

Where the Work Sits: Clauses 6 and 8

Two clauses carry the heaviest practical weight.

Clause 6 is planning - identifying and assessing psychosocial hazards, and assessing opportunities alongside risk. Clause 8 is operation - designing and implementing controls. Leadership involvement, worker participation, documented information, monitoring, and improvement all wrap around these two, but Clauses 6 and 8 are where the substantive work happens.

One feature of the standard is easily overlooked, yet it warrants attention. When the framework turns to the core of the process — identifying and assessing the conditions present in a workplace — it does not confine itself to what is going wrong. It directs organisations to consider opportunities as well. The wording is deliberate: the relevant clause addresses risks and opportunities together, as a single undertaking.

The standard does not employ the term "protective factors," but the underlying intent is the same. It encourages organisations to recognise what is already working — the conditions that help people cope, and indeed thrive — and to regard these as deserving of attention in their own right, not merely the hazards. That thinking extends to how findings are acted upon: the provisions dealing with controls are concerned explicitly with both eliminating harm and promoting wellbeing. The two are addressed in concert. Reducing what diminishes people and reinforcing what sustains them are treated as one task, rather than two.

The Three Categories of Psychosocial Hazards

ISO 45003 organises psychosocial hazards under three categories, which mirror and in some areas extend the hazard lists in the Australian codes of practice.

Aspects of how work is organised covers the structural and systemic factors that shape people's daily experience of work: job demands, workload, pace, time pressure, scheduling, job control and autonomy, role clarity and conflict, change management, remote and isolated work, and job security. Most appear in some form across Australian jurisdiction codes. Job insecurity is present in the ISO standard and the Commonwealth Code of Practice but is not consistently included at the jurisdiction level.

Social factors at work addresses the relational and cultural dimensions of the workplace: organisational culture, leadership quality, managerial and collegial support, interpersonal relationships including conflict, bullying, harassment and occupational violence, recognition and reward, professional development, civility and respect, and work-life balance.

Work environment, equipment, and hazardous tasks recognises that physical conditions carry psychological dimensions. Noisy, cramped, or poorly lit environments affect mental state. Unreliable equipment generates frustration and anxiety. Inherently hazardous tasks carry psychological load. Psychosocial and physical risk are not separate domains.

One practical point: hazard lists in the codes of practice are indicative, not exhaustive. If hazards are present that are not on the list, the duty to identify and address them still applies.

Meet Company X (our anonymised example)

Company X is a mid-size engineering consultancy, approximately 450 staff across structural, civil, and environmental teams, plus project managers and a bids team, operating across all Australian jurisdictions and already certified to ISO 45001.

The pressures will be familiar. Tendered projects carry intense deadline cycles. Utilisation targets create persistent pressure. After-hours client contact is normalised. There has recently been a psychosocial complaint in the bids team. These are the conditions the engineering sector consistently links to burnout and turnover.

Despite the 45001 certification, the psychosocial side of the system is thin. Hazards are not in the risk register. Controls default to EAP and resilience training. There is no psychosocial risk policy. A high-level risk assessment was initiated by the WHS lead but not completed, one person is responsible for health and safety across 450 staff, and there has not been time. Staff have not been consulted.

Against Clause 6.1.2, identifying and assessing psychosocial hazards and opportunities, Company X is sitting between absent and ad hoc. Something has been started, but it is incomplete, and the workforce has not been involved.

Where should Company X start?

Three entry points are all legitimate: risk assessment and consultation, a psychosocial risk policy, or securing leadership support. None is wrong. In practice, it might be useful if leadership support comes first. One WHS professional cannot complete a risk assessment, consult 450 staff, design controls, update policy, and maintain the system. Securing leadership opens the door to resources and makes undertaking all the steps in the process manageable.

Once leadership support is confirmed, the policy provides a quick visible win. The risk assessment and consultation process follows, a larger body of work.

What the Risk Assessment Revealed

Five risk factors came back as critical: quantitative demands and workload, work pace, work-life balance, role conflict, and emotional demands. High-priority risks included change management, cognitive demands, autonomy and job control, and reward and recognition. A further set of factors, organisational justice, role clarity, quality of leadership, support from line managers, vertical trust, and incivility, rated moderate.

The HBW tool also surfaced protective factors: what opportunities exist, what is already working well. Sense of community at work and support from colleagues were both exceptional. Meaning of work and possibilities for professional development were strong. A strong collegial culture and meaningful work are significant assets. Control design that ignores them leaves resources on the table.

How ISO 45003 Slots into the 45001 System

For Company X, the next step was mapping ISO 45003 onto the existing 45001 framework, not a rewrite, but a series of targeted additions that give psychosocial risk the same systematic treatment physical risk already receives.

Clause 5.2 — OH&S Policy. Company X amended its existing OHS policy to include explicit reference to psychosocial risk rather than creating a standalone document. As a side note, you could have a separate policy if that fits your context better. Either approach can work. The key outcome is that psychosocial risk is formally named and committed to at the policy level.

Clause 6.1.2 — Hazard Identification. The HBW Live Risk Register automatically populated with identified psychosocial risks, affected staff groups, root causes, recommended controls, and review dates, integrated via API into Company X's existing WHS platform. Psychosocial risk data sits alongside physical risk data in a single system.

Clause 8.1 — Operational Planning and Control. Company X selected from a set of control recommendations mapped across the hierarchy of controls, based on practicability and budget. The risk register tracks chosen controls, assigned owners, and review dates. Controls are explicitly located within the hierarchy — so it is clear whether the organisation is addressing root causes or relying on individual-level responses to manage a systemic problem.

Clause 9 — Performance Evaluation. Monitoring runs across two streams: ongoing operational data, turnover, leave, and workers' compensation, and the annual deployment of the HBW risk assessment tool to test whether controls are working and surface emerging issues. Performance evaluation is not a once-a-year checkbox.

Clause 10 — Improvement. Incidents and near-misses feed directly into the improvement cycle alongside annual audit findings. Both are documented and generate corrective action where required. The system identifies risk, implements controls, and learns.

Going Beyond the Survey: Proactive Hazard Identification

The HBW validated tool plus structured qualitative consultation, is the primary mechanism for the annual audit. But identifying psychosocial hazards between cycles requires a functioning system around line managers.

Are one-on-ones mandated? Do managers follow a consistent protocol, one that gives them the language to identify psychosocial signals when they appear? Have managers been trained on the specific hazards most likely in their team, and what those hazards require them to do?

Workers also need multiple reporting channels, not just one manager who may be part of the problem. The survey provides population-level data. The qualitative component adds the specificity numbers alone cannot carry. The reporting infrastructure provides a continuous signal between cycles. The yearly review integrates all of it.

Psychosocial risk data is not less valid than physical risk data. With a validated tool and rigorous methodology, the findings are objective, defensible, and specific enough to drive real control decisions.

Conclusion

ISO 45003 is not a separate project. For organisations that already hold ISO 45001 certification, it is an extension of the system they already operate. The additions are specific, the integration points are clear, and the result is a WHS system that treats psychological health with the same rigour it applies to physical safety.

For organisations that do not yet hold 45001 certification, the standard can still be applied, the clause structure provides a practical framework for building psychosocial risk management from the ground up, even without the 45001 scaffolding underneath it.

The case for alignment is not only regulatory. Demonstrating compliance with ISO 45003, especially across multiple jurisdictions, is increasingly a differentiator: in tendering, in recruitment, and in the signal it sends to workers about how seriously an organisation takes their psychological health. In a labour market where retention is a persistent challenge in professional services, engineering, and many other sectors, that signal matters.

If you would like support navigating any of these priorities, we are here to help. Get in touch with us! 

About HeartBrain Works 

We have supported high-profile clients including Myer, RMIT University, Uber, Hitachi Energy, Clough Group, MEC Mining, and Environment Canterbury to create mentally healthy workplaces. We offer a validated psychosocial risk tool and support to meet compliance, training for leaders and staff, and the scientifically validated Wellbeing Protocol. 

About the Healthy Work Community of Practice 

The Healthy Work Community of Practice is a professional community for health and safety professionals. Members access quarterly knowledge-sharing sessions, a psychosocial risk controls library, real-world case studies, regulatory alerts, practical toolkits, a job board, research summaries, and ongoing training and workshops. Intake opens three times per year. To learn more, visit https://www.heartbrainworks.org/Healthy-Work-CoP