
ISO 45001 and Competency Records: Documenting Safety Skills
Why ISO 45001 Makes Competency Records a Front-Line Requirement
Picture the week before a surveillance audit. Someone pulls up the folder where safety training records live — a shared drive full of dated spreadsheets, scanned certificates in one person's inbox, and a handwritten sign-in sheet from last year's lockout/tagout refresher. The auditor is arriving Thursday. Nobody is quite sure whether the three employees hired since the last review have completed hazard-communication training, or whether the forklift certifications that were "expiring soon" six months ago have actually been renewed.
This is not a hypothetical. It is the practical reality for many small and mid-sized operations that have adopted ISO 45001 in good faith but have not yet built a systematic way to track what safety competence each employee holds, at what proficiency level, and whether that competence is current.
ISO 45001 — the international standard for occupational health and safety management systems — treats competence not as a nice-to-have but as a structural requirement. The standard requires organizations to determine what competence workers need to perform their roles safely, ensure that competence through education, training, or experience, and — critically — retain documented information as evidence that they have done so. (DeGrandson Global, 2026.) Those three words — documented information as evidence — are the source of the auditor's expectation and the organization's obligation.
This article explains what "competency records" means under ISO 45001, what auditors look for, and how a structured skills matrix and certification log turns that obligation from a last-minute scramble into a routine that works every day of the year.
What ISO 45001 Actually Requires on Competence
ISO 45001 shares the same high-level structure (Annex SL) as ISO 9001 and other modern ISO management system standards. (DeGrandson Global, 2026.) That means its competence clause — Clause 7.2 — uses language identical in structure to ISO 9001's Clause 7.2: determine the necessary competence, take action to acquire it, and retain documented evidence.
For a safety management system, this requirement has additional weight. The standard also asks organizations to make workers aware of the hazards and risks relevant to their roles, and of the consequences of not conforming to requirements — obligations that sit in closely related clauses on awareness and communication. All of these requirements point back to the same practical question: can you show an auditor, for each worker in a safety-critical role, exactly what training or experience qualifies them, and when that qualification was verified or last renewed?
Three categories of documented information matter most in practice:
1. Role-level competence requirements. For each position that carries safety responsibility — forklift operator, confined-space entrant, first-aid responder, machine operator, chemical handler — the organization should define what competence is required and at what level. This is the "determine necessary competence" step. Without it, there is no baseline against which to measure whether employees are adequately trained.
2. Individual competence records. For each worker in a covered role, the organization needs evidence of how the required competence was achieved: a training completion record, a certificate, a record of demonstrated experience, a supervisor sign-off, or a combination. These records need to be retrievable — not buried in a folder that one person maintains manually.
3. Currency and renewal evidence. Many safety competencies — forklift operator certification, first-aid and CPR cards, hazardous-materials handling, confined-space rescue — carry formal expiry dates set by regulation, the certifying body, or the organization's own standard. Documented information must show not just that competence was once acquired but that it remains current.
Confirm the exact clause numbers, specific wording, and any applicable jurisdiction-specific requirements with the published ISO 45001:2018 standard and qualified counsel, because requirements vary by industry and context and the standard is the authoritative reference.
The Gap Between "We Do Training" and "We Have Evidence"
Most organizations in the 50–500-employee range do train their people. The gap is almost never effort — it is traceability.
A training course gets delivered. Sign-in sheets get filed. A certificate PDF arrives by email and sits in someone's downloads folder. A renewal date gets noted on a sticky note or entered into a cell in a spreadsheet that three people can edit but nobody formally owns. Six months later, when an auditor or an internal reviewer asks "show me evidence that your confined-space entrants are currently competent," the answer involves a search, not a report.
This traceability gap has a direct compliance cost. ISO 45001 auditors are not simply looking for evidence that training happened — they are looking for a system that ensures competence is maintained. A well-maintained spreadsheet can satisfy this requirement; the problem is that spreadsheets degrade. Without version control, expiry alerts, or access controls, they accumulate stale data and missing entries. The "last updated" date in the tab often reveals more than the data itself.
The standard's documentation requirement is also an ongoing obligation, not a point-in-time one. Each time a new worker is onboarded into a safety-critical role, each time a certification expires and is renewed, each time a role's hazard profile changes — the records must be updated. A system that requires manual effort to stay current will, over time, drift out of date.
Building a Safety Competency Matrix That Auditors Can Verify
A safety competency matrix — sometimes called a cross-training matrix in manufacturing contexts — is a structured grid that maps each employee (rows) against the safety skills and certifications relevant to their role (columns), with a proficiency or completion indicator at each intersection. Done well, it is the single document that answers an auditor's core question: who is qualified to do what, and how do we know?
Building one that holds up in an audit requires four components working together:
Define the skill and certification inventory first. Before you can track who has what, you need a defined list of what matters. For ISO 45001, this means identifying every safety-critical competency relevant to your operation: equipment certifications, hazard-specific training, emergency-response roles, regulatory training requirements. Group them by role or work area so the matrix is navigable. (If you are also working toward ISO 9001, the competence requirements under that standard's Clause 7.2 are structurally identical — the same record-keeping approach serves both. See our ISO 9001 competency requirements guide for the parallel framework.) If you operate OSHA-regulated equipment or processes, your skill inventory should align with the specific training requirements for those activities — see our OSHA certification tracking guide for detail on how those requirements intersect.
Record proficiency or completion at the individual level. For safety competencies, the most common indicator is binary: qualified or not qualified. For skills that admit graduated mastery — operating a piece of equipment at a basic versus advanced level, for example — a simple 1–5 proficiency scale makes the record more informative and helps identify who is a candidate for additional training. Either approach works for audit evidence; what matters is that the indicator is defined, consistently applied, and tied to an underlying evidence record (a certificate, a training completion date, a supervisor assessment).
Capture expiry dates and build alerts around them. This is the step that prevents the "expired cert discovered at audit" scenario. Every certification with a formal renewal requirement should have its expiry date recorded alongside the qualification record. Alerts — ideally automated, at meaningful intervals before the expiry date — give the responsible HR or safety manager enough runway to schedule renewal before currency lapses. Our certification tracking guide covers the mechanics of setting up an expiry-alert workflow in detail.
Keep the records retrievable, not just filed. An auditor cannot verify a record they cannot find. The matrix and its underlying evidence need to be organized so that a search by employee, by role, by certification type, or by expiry date returns a usable result in minutes — not an afternoon of inbox archaeology.
For manufacturing teams, a cross-training matrix built on this foundation also becomes the operational tool that answers the daily question: if a certified operator is absent, who else is qualified to cover? See our cross-training matrix guide and skills matrix for manufacturing for how to extend the same record to operational coverage planning.
From Spreadsheet to System: What Changes
The competency matrix concept is not new. Most organizations attempting ISO 45001 certification already have some version of it — usually a spreadsheet. The question is whether the spreadsheet is doing enough of the work, or whether it is creating the traceability gap described above.
The structural limitations of a spreadsheet for this purpose are practical, not theoretical. There is no automated expiry alert. There is no audit trail showing who changed a record and when. There is no role-level gap report that compares required versus current competence across the team. There is no controlled way to share a view with a department manager for review without giving them edit access to the whole file. These limitations are manageable for a small team with a dedicated administrator — they become a meaningful compliance risk as headcount grows, team structure changes, and the number of tracked certifications increases.
A purpose-built skills inventory and certification tracking system addresses each of these gaps. Skills Inventory Manager pre-loads a taxonomy of 270+ skills drawn from the O*NET database — used and adapted under CC BY 4.0 (onetcenter.org) — giving you a structured starting point on Day 1 rather than a blank grid. You add your organization's safety-specific certifications, map role requirements, record individual proficiency and completion, and set expiry dates. Automated alerts at 90, 30, and 7 days before expiry mean renewals surface on a calendar, not in an audit finding. The matrix is always current, retrievable by filter, and exportable as a branded PDF — the kind of document you hand an auditor with confidence rather than apology.
Flat-rate pricing means the cost of the system does not grow as you add employees within your tier — a meaningful difference from per-seat tools when you are tracking safety competence across a full workforce. Explore the full feature set at /features.
Audit Readiness as an Everyday Condition
The goal of a well-maintained competency record system is not to pass the next audit — it is to make audit readiness a byproduct of normal operations. When the matrix is current, when expiry alerts are working, and when role requirements are defined and matched against individual records, the auditor's question has a same-day answer.
That shift — from audit-prep scramble to always-current system — is what Clause 7.2's documentation requirement is pointing toward. The standard is asking for evidence of a functioning system, not evidence of a filing effort that happened once.
If your current approach to safety competency records is a spreadsheet or a folder of scanned certificates, the right time to build something more systematic is before the next audit notice arrives — not after.
Start a 14-day free trial of Skills Inventory Manager and build your safety competency matrix from a structured foundation. No per-seat fees, no cold-start data entry, and the O*NET-based taxonomy gives you a usable starting point on Day 1.