ISO 9001 & ISO 45001 Audit Preparation Ireland

ISO Standards and Irish Legislation

ISO 9001:2015 (Quality Management Systems - Requirements) is the international standard for quality management systems. It provides a framework for organisations to consistently provide products and services that meet customer and regulatory requirements. ISO 9001 certification demonstrates an organisation's commitment to quality and continuous improvement.

ISO 45001:2018 (Occupational Health and Safety Management Systems - Requirements with Guidance for Use) is the international standard for occupational health and safety management systems. It provides a framework for managing OH&S risks and opportunities, preventing work-related injury and ill health, and providing safe and healthy workplaces.

ISO 45001 implementation in Ireland must consider the Safety, Health and Welfare at Work Act 2005 and associated regulations, which set the statutory framework for workplace health and safety. A properly implemented ISO 45001 system will ensure compliance with these legislative requirements.

Both standards follow the High Level Structure (HLS) common to all ISO management system standards, making it straightforward to integrate ISO 9001 and ISO 45001 into a single integrated management system. Phoenix STS has extensive experience developing integrated management systems.

All Phoenix STS ISO audit preparation services are covered by professional indemnity (PI) insurance, ensuring our clients receive expert, insured consultancy support throughout their certification journey.

Preparing for ISO 9001:2015 Certification

Achieving ISO 9001:2015 certification requires more than assembling a folder of procedures. The standard is built around a quality management system (QMS) that must be genuinely embedded in how the organisation operates - not a parallel paper system that exists only for audit purposes. Preparation should begin with an honest assessment of current practice and a willingness to address gaps rather than disguise them.

A gap analysis against the ISO 9001:2015 clauses is the logical starting point. This involves comparing existing processes, documentation, and practices against the requirements of each clause. Common gaps include the absence of a formal quality policy, unclear process ownership, inadequate records of management review, and a failure to systematically identify and address risks and opportunities.

Documentation requirements under ISO 9001:2015 are less prescriptive than earlier versions of the standard. There is no mandatory requirement for a quality manual, although many organisations find it useful to maintain one. The standard requires documented information for the quality policy, quality objectives, scope of the QMS, and any processes where the absence of documentation could lead to inconsistency. Procedures, work instructions, forms, and records should be proportionate to the size and complexity of the organisation.

Management commitment is addressed in Clause 5 and is one of the areas most frequently flagged during audits. Top management must demonstrate leadership by establishing the quality policy, assigning roles and responsibilities, ensuring adequate resources, and actively participating in management review. Auditors look for evidence that senior leaders are genuinely engaged with the QMS, not merely delegating it to a quality manager.

Risk-based thinking, introduced formally in the 2015 revision through Clause 6, requires the organisation to identify risks and opportunities that could affect the QMS and plan actions to address them. This does not require a formal risk management framework - it requires evidence that the organisation considers risk when planning processes, making decisions, and responding to changes. Operational planning and control under Clause 8 covers the processes needed to deliver products and services, including criteria for those processes and controls to ensure they are carried out as planned.

Performance evaluation under Clause 9 requires monitoring, measurement, analysis, and evaluation of the QMS. This includes customer satisfaction monitoring, internal audits, and management review. The internal audit programme must be planned, conducted by trained auditors, and followed up with corrective actions where non-conformities are identified. Finally, Clause 10 addresses continual improvement - the organisation must demonstrate that it uses audit findings, data analysis, and management review outputs to drive ongoing improvement in the QMS.

Preparing for ISO 45001:2018 Certification

ISO 45001:2018 establishes the requirements for an occupational health and safety (OH&S) management system. For Irish organisations, preparation for this standard involves aligning existing safety management practices with the standard's framework while ensuring ongoing compliance with domestic legislation, principally the Safety, Health and Welfare at Work Act 2005 and the Safety, Health and Welfare at Work (General Application) Regulations 2007.

Worker participation and consultation, addressed in Clause 5.4, is a distinguishing feature of ISO 45001. The standard requires that workers at all levels are consulted on OH&S matters and have opportunities to participate in the management system. In an Irish context, this aligns with the requirements of the 2005 Act regarding safety consultation and safety representatives. Auditors will look for evidence that consultation is genuine and ongoing, not limited to an annual survey or occasional toolbox talks.

Hazard identification and risk assessment under Clause 6.1.2 must be systematic and cover routine and non-routine activities, all persons who have access to the workplace, and the design of work areas and processes. The methodology should be consistent and documented, with risk assessments reviewed following incidents, changes in legislation, or changes to work processes. For Irish organisations, risk assessments must also satisfy the requirements of the General Application Regulations, which specify particular hazards that must be assessed - including manual handling, display screen equipment, and work at height.

Legal and regulatory compliance, addressed in Clause 6.1.3, requires the organisation to maintain a register of applicable legal requirements and evaluate compliance at planned intervals. In Ireland, this register must include the 2005 Act, the General Application Regulations, sector-specific regulations (such as the Chemical Agents Regulations or Construction Regulations where applicable), and relevant codes of practice published by the Health and Safety Authority.

Operational controls and emergency preparedness under Clause 8 require the organisation to establish processes to eliminate hazards, reduce OH&S risks, and prepare for emergency situations. This includes developing emergency response procedures, testing those procedures through drills, and ensuring that workers know what to do in an emergency. Incident investigation and corrective action under Clause 10 requires a structured approach to investigating incidents and near-misses, identifying root causes, and implementing actions to prevent recurrence.

Integration with existing safety management systems is a practical consideration for many organisations. ISO 45001 shares the High Level Structure (Annex SL) with ISO 9001 and ISO 14001, making it straightforward to develop an integrated management system. For organisations already certified to ISO 9001, the transition to an integrated QMS and OH&S management system is a natural progression that reduces duplication and improves efficiency.

The Audit Process - What to Expect

Understanding the certification audit process removes much of the anxiety that organisations feel when approaching their first audit. The process is structured, predictable, and designed to assess whether the management system conforms to the standard's requirements and is effectively implemented.

The Stage 1 audit is a documentation review. The certification body reviews the organisation's management system documentation to assess whether it addresses all the requirements of the standard. This includes the scope statement, policy, objectives, risk assessments, procedures, and records of management review. The Stage 1 audit may be conducted off-site or on-site, and its purpose is to confirm that the organisation is ready for the Stage 2 audit. Any gaps identified at Stage 1 must be addressed before Stage 2 proceeds.

The Stage 2 audit is the on-site assessment. Auditors visit the organisation's premises, interview staff at all levels, review records and evidence, and observe processes in operation. The audit covers every clause of the standard and assesses both conformity (does the system meet the requirements?) and effectiveness (does the system actually work in practice?). The Stage 2 audit typically lasts between one and three days, depending on the size and complexity of the organisation.

Non-conformities identified during the audit are categorised as major, minor, or observations. A major non-conformity indicates a significant failure to meet a requirement of the standard - for example, the absence of a required process or evidence that a critical process is not being followed. A minor non-conformity is a less significant departure that does not affect the overall effectiveness of the management system. Observations are areas for improvement that do not constitute non-conformities. Major non-conformities must be resolved before certification can be granted. Minor non-conformities require a corrective action plan with agreed timelines.

Following successful certification, the organisation enters a three-year certification cycle. Surveillance audits are conducted annually (typically at months 12 and 24) to verify that the management system continues to operate effectively. These are shorter than the initial certification audit and focus on specific areas rather than covering every clause. At the end of the three-year cycle, a full recertification audit is conducted, which is similar in scope to the original Stage 2 audit.

Common pitfalls during audits include inadequate records of management review, failure to close out corrective actions from previous audits, inconsistency between documented procedures and actual practice, and lack of evidence of continual improvement. The role of top management during the audit is particularly important - auditors will interview senior leaders to assess their understanding of and commitment to the management system. Preparing key personnel for these interviews is an essential part of audit readiness.

Phoenix STS provides audit preparation support for organisations seeking ISO 9001 and ISO 45001 certification. We conduct gap analyses, develop documentation, deliver internal auditor training, and support organisations through the certification process. Contact us to discuss your certification objectives.

ISO Audit Preparation Services Across Ireland

Phoenix STS delivers ISO 9001 and ISO 45001 audit preparation services to organisations across all 26 counties in Ireland. From our midlands base, our experienced consultants provide practical, hands-on support for organisations of all sizes pursuing ISO certification.

Whether you are a manufacturing company in Cork, a construction firm in Dublin, a healthcare organisation in Galway, or a professional services firm in Limerick, Phoenix STS provides expert ISO preparation support tailored to your industry and organisation. Our pricing includes all travel costs regardless of location.