Identifying Legal and Other Requirements Under ISO 45001

ISO 45001 Clause 6.1.3

Determine and stay current with applicable legal and other OH&S requirements.

ISO 45001 Clause 6.1.3 - Determination of Legal Requirements and Other Requirements

ISO 45001:2018 Clause 6.1.3 requires the organisation to establish, implement and maintain a process to determine and have access to up-to-date legal requirements and other requirements that apply to its hazards, OH&S risks and OH&S management system. The organisation must also determine how those requirements apply, what needs to be communicated, and take them into account when establishing, implementing, maintaining and improving the system.

Documented information on legal and other requirements must be maintained and kept current. In practice this is almost always a legal register - a working document that lists each applicable piece of legislation, what it requires, how the organisation complies with it, and a relevance category.

What Counts as a Legal or Other Requirement

Legal requirements are the parts of statute, regulation, approved codes of practice and case law that apply to the organisation's activities. In the UK, the foundation is the Health and Safety at Work etc. Act 1974. Built on top of that are general regulations such as the Management of Health and Safety at Work Regulations 1999, the Workplace (Health, Safety and Welfare) Regulations 1992, and topic-specific regulations covering manual handling, work at height, control of substances hazardous to health, lifting operations, electrical safety, fire safety and many more.

Other requirements are obligations the organisation has accepted that are not legislation. These include client contractual safety requirements, accreditation scheme rules (CHAS, SafeContractor, Constructionline), industry codes of practice, insurer requirements, and any internal commitments made in the OH&S policy.

Keeping the Legal Register Current

UK health and safety legislation changes regularly - regulations are amended, new statutory instruments are issued, and post-Brexit retained EU law continues to be revisited. The legal register cannot sit untouched for a year. Most organisations review the register at a defined frequency (quarterly or six-monthly is common) and update whenever a known change is published. The HSE website, professional body alerts and legal update services are typical sources.

The output is then communicated through the organisation. Managers need to know what applies to their area, workers need awareness of obligations that affect their day-to-day activities, and the legal register feeds the evaluation of compliance under Clause 9.1.2.

The standard does not prescribe a format for the legal register, but a simple table works for most organisations. List the legislation, summarise what it requires, note how the organisation complies, mark a relevance category, and date it. The point is that someone unfamiliar with the business should be able to look at the register and understand the legal landscape the organisation is working within.

I keep our legal register live. When the HSE publishes a new regulation or amendment that affects us, I update the register and circulate the changes to the relevant managers. That way nobody is surprised when something has changed and we have evidence at audit that we knew about it.

I check the legal register has been kept current and that the organisation can talk about how each applicable requirement is being met. A register that has not been updated for two years is a finding. So is a register that lists requirements without saying how compliance is achieved.

Practical Compliance Guidance

The IMS1 Manual references the legal register as the central evidence of compliance with this clause. The register itself is the working document.

The following alphaZ documents support compliance with ISO 45001:2018 Clause 6.1.3.

alphaZ document - How to use it
ISO 45001 Toolkit - The full set of documents needed to build an OH&S management system that meets ISO 45001:2018.
ER9 Legal Register - Lists applicable UK legislation by category, with description, compliance status and relevance. Use as the working legal register and update as legislation changes.
F-IMS27 Legal Register - An alternative legal register format. Use either ER9 or F-IMS27 to record applicable legal and other requirements.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

The standard does not specify a frequency. Most organisations review the register at least every six months, with ad hoc updates whenever known legislative changes are published. The frequency should be proportionate to the volume of legislation that applies and the rate of change in the relevant areas.
No. The register lists applicable legislation - the regulations that apply to the organisation's activities, hazards and people. Office-based businesses do not need to list construction regulations they do not work under. Manufacturing sites do not need to list every offshore regulation. Relevance is the test.
The clause is explicit that other requirements - contractual safety obligations, accreditation scheme rules, industry codes - sit alongside legal requirements in the same process. Many organisations have a separate section in the register for these, or a second register that links to the first.

UK Legislation

The following UK legislation forms the foundation of the legal register for most UK-based organisations. Organisations outside the UK should identify equivalent legislation in their jurisdiction.
