Why ISO 45001 Audits Go Deep on Contractor Control
Facility management companies depend heavily on subcontracted maintenance, specialist trades, short duration works, and client controlled premises. That means a large part of the safety risk sits in contractor interfaces, not only in direct employees.
ISO 45001 pushes those interfaces into the center of the system. Auditors want to see whether the business can control who comes on site, what work they are allowed to do, what permits are needed, and how unsafe work is stopped.
Permit to Work Is Not Just Client Paperwork
In many FM environments, permits are treated as documents issued by the client and collected by the contractor. That approach is weak. For ISO 45001, permit to work is also evidence that the company understands high risk work and verifies that the right conditions exist before work begins.
Typical permit controlled activities include:
- Hot work.
- Electrical isolation.
- Roof access.
- Confined space activity.
- High risk contractor works in occupied buildings.
What Auditors Usually Sample
| OH&S topic | Evidence they may request |
|---|---|
| Contractor onboarding | Competence checks, insurance, induction, approval records |
| High risk work | Permit packs, RAMS, isolations, sign off |
| Site coordination | Access controls, client communication, escalation rules |
| Learning | Incident reports, permit breaches, corrective action follow up |
The best evidence often comes from one live work example rather than ten policy documents.
A Better Control Model
1. Approve contractors by task category
Do not treat all suppliers the same. A reactive plumber, roofing team, electrical contractor, and cleaning supplier require different prequalification depth.
2. Define when permits are mandatory
Teams should not guess. Permit triggers need to be simple, visible, and easy to escalate when work scope changes.
3. Review work at the site interface
A strong OH&S system checks not only whether the contractor is competent, but whether the local site conditions make the task safe that day.
4. Feed permit failures into improvement
Late permits, missing isolations, unapproved scope changes, and weak closeout all belong in corrective action review.
Where FM Safety Systems Usually Break
- Contractor approvals are renewed administratively but not challenged operationally.
- Permit rules differ across sites with no central learning loop.
- Incident reviews focus on immediate causes and miss governance weaknesses.
Those issues matter because they point to systemic OH&S control, not one-off mistakes.
Related Reading
- ISO 9001 for Facility Management Companies: Certification Guide for Multi Service Operations
- ISO 45001 Explained: Occupational Health and Safety Management in 2025
- ISO 9001 vs ISO 14001 vs ISO 45001: Which Standard Do You Need in 2025?
- ISO Certification Cost in 2025: What Small Businesses Should Expect
Conclusion
Facility management teams become far more audit ready when contractor control and permit to work are treated as core OH&S processes, not scattered site admin. A clear approval model, live permit discipline, and strong follow up make ISO 45001 far easier to defend. isofy can help teams review permits, inductions, incidents, and actions before the audit team samples complex contracts.