Overview
A gap assessment is the starting point for every ISO 45001 certification engagement. It evaluates the organization’s current occupational health and safety practices against ISO 45001:2018 requirements (clauses 4-10), producing a structured findings register with maturity ratings and a prioritized remediation roadmap. Without a gap assessment, organizations cannot know where they stand, what to prioritize, or how to allocate resources for certification.
This skill scans the workspace for mandatory OHSMS documented information, rates each clause area on a 0-5 maturity scale using OH&S-specific indicators, validates clause-level content coverage through keyword analysis, and builds a four-phase remediation roadmap from Foundation through Validation.
What It Covers
- Mandatory artifact detection – scans for OH&S policy, scope statement, hazard register, risk assessment, legal register, emergency plan, competence records, operational controls, audit results, management review, and incident investigation records
- Clause-by-clause assessment – evaluates every sub-clause from 4.1 (context of the organization) through 10.3 (continual improvement)
- Maturity rating (0-5) – rates each clause area using OH&S-specific evidence indicators, from Level 0 (no awareness) to Level 5 (optimized, industry-leading)
- Content coverage validation – keyword analysis to verify whether required OH&S topics are substantively addressed in workspace documents
- Findings register – structured list of gaps with severity, clause reference, and recommended remediation actions
- Four-phase remediation roadmap – Phase 1 (Foundation: scope, policy, roles), Phase 2 (Core: hazards, risks, legal, objectives), Phase 3 (Operational: controls, emergency, competence), Phase 4 (Validation: audit, review, improvement)
Example Conversation
You: We want to run a gap assessment for SafeBuild Construction. We’ve been doing safety management for years but never had a formal system. We have some documentation – a safety policy, some risk assessments, and training records – but it’s inconsistent.
Agent: That’s a common starting point for construction companies. Let me begin by scanning your workspace for existing documentation and then work through each clause area. First, do you have an organization profile from the Organization Profile skill?
You: Yes, we completed that already. The organization-profile.json is in the workspace.
Agent: I’ll reference it for context. Let me start with the mandatory artifact scan.
mandatory_artifact_detector_ohsresults:
Artifact Clause Status OH&S Policy 5.2 FOUND OHSMS Scope Statement 4.3 FOUND Hazard Register / Risk Assessment 6.1.2 MISSING Legal Register 6.1.3 MISSING OH&S Objectives 6.2 MISSING Emergency Plan 8.2 FOUND Competence Records 7.2 FOUND Operational Controls / SOPs 8.1 MISSING Management of Change 8.1.3 MISSING Contractor Management 8.1.4 MISSING Monitoring & Measurement 9.1 MISSING Internal Audit Results 9.2 MISSING Management Review 9.3 MISSING Incident Investigation Records 10.2 MISSING You have 5 of 15 expected artifacts. The core planning documents (clauses 6.x) and the entire check-act cycle (clauses 9.x and 10.x) are missing. Let me now assess each clause area in detail. Starting with Clause 4 – what documentation do you have for understanding your organization’s context?
You: The organization profile covers that. For interested parties, we know who they are but haven’t documented it formally beyond what’s in the profile. We don’t have a formal process for reviewing context changes.
Agent: I’ll rate Clause 4 accordingly. Now for Clause 6 – hazard identification and risk assessment. You mentioned you have some risk assessments. How are they structured? Are they activity-based, site-based, or task-based? How often are they reviewed?
You: We have generic risk assessments for main activities – working at heights, excavation, crane operations. They were written about 3 years ago by a consultant. We also do daily pre-start checklists on site, but those aren’t linked to the risk assessments.
Agent: Three-year-old generic risk assessments from a consultant are a common finding. They’re likely not specific to your current sites, don’t reflect changes in work methods, and won’t satisfy Clause 6.1.2 which requires a systematic, ongoing process. The pre-start checklists are a good practice but need to be connected to the formal hazard identification process.
Let me rate all clause areas now using batch mode.
maturity_rating_tool_ohs– batch results:
Clause Area Maturity Key Finding 4.1 Context of the organization 2 Profile exists but no review process 4.2 Interested parties 2 Identified but not formally managed 5.1 Leadership and commitment 2 Commitment exists but not systematic 5.2 OH&S policy 3 Policy exists, needs commitment review 5.3 Roles and responsibilities 1 HSE manager defined, others informal 6.1 Hazard identification and risk assessment 1 Outdated generic assessments 6.1.3 Legal requirements 0 No legal register 6.2 OH&S objectives 0 No formal objectives 7.2 Competence 2 Training records exist, no matrix 7.4 Communication 1 Toolbox talks, no formal procedure 8.1 Operational controls 1 Pre-start checklists only 8.2 Emergency preparedness 2 Plan exists, drills inconsistent 9.1 Monitoring and measurement 0 No systematic monitoring 9.2 Internal audit 0 No audit program 9.3 Management review 0 No formal reviews 10.2 Incident investigation 1 Ad hoc, no root cause analysis Overall average maturity: 1.1 out of 5. This is typical for a construction company that has been managing safety informally. The remediation roadmap will prioritize the foundation items first.
Running the remaining validation tools and building the roadmap…
clause_requirements_engine_ohs– 23 clause areas assessed, 9 with substantive coverage, 14 with gaps.
remediation_prioritizer_ohs– four-phase roadmap produced. Phase 1 targets are achievable within 8-10 weeks.Gap assessment report and findings JSON saved to
output/.
Sample Output Excerpt
The skill produces a comprehensive gap assessment report and a machine-readable findings JSON. Here is a representative excerpt from the gap assessment report.
ISO 45001:2018 Gap Assessment Report
Organization: SafeBuild Construction Pty Ltd Assessment date: 2026-03-31 | Assessor: Agent-assisted Scope: All commercial construction activities across 3 sites and head office
Executive Summary
SafeBuild Construction’s current OH&S practices achieve an average maturity of 1.1 out of 5.0 against ISO 45001:2018 requirements. The organization has foundational elements in place (OH&S policy, emergency plan, training records) but lacks the systematic framework required for certification. Key gaps include: no formal hazard identification and risk assessment process, no legal register, no OH&S objectives, no internal audit program, and no management review process.
Stage 1 audit readiness: 33% (5 of 15 mandatory artifacts present)
Remediation Roadmap
Phase 1 – Foundation (Weeks 1-8)
| Priority | Action | Clause | Owner | Target |
|---|---|---|---|---|
| 1 | Formalize OHSMS scope and boundaries | 4.3 | HSE Manager | Week 2 |
| 2 | Review and update OH&S policy for six mandatory commitments | 5.2 | CEO + HSE Manager | Week 3 |
| 3 | Define OH&S roles, responsibilities, and authorities | 5.3 | HSE Manager | Week 4 |
| 4 | Establish worker consultation and participation process | 5.4 | HSE Manager + Safety Committee | Week 6 |
Phase 2 – Core (Weeks 5-14)
| Priority | Action | Clause | Owner | Target |
|---|---|---|---|---|
| 5 | Develop systematic hazard identification and risk assessment process | 6.1.2 | HSE Manager | Week 8 |
| 6 | Build legal and other requirements register | 6.1.3 | HSE Manager + Legal | Week 9 |
| 7 | Set measurable OH&S objectives with action plans | 6.2 | CEO + HSE Manager | Week 10 |
Phase 3 – Operational (Weeks 10-20)
| Priority | Action | Clause | Owner | Target |
|---|---|---|---|---|
| 8 | Build competence matrix and training plan | 7.2 | HSE Manager + HR | Week 12 |
| 9 | Create communication and consultation procedure | 7.4 | HSE Manager | Week 13 |
| 10 | Develop operational control procedures (SOPs, permits) | 8.1 | HSE Manager + Site Managers | Week 16 |
| 11 | Update emergency preparedness plan with drill schedule | 8.2 | HSE Manager | Week 17 |
Phase 4 – Validation (Weeks 18-26)
| Priority | Action | Clause | Owner | Target |
|---|---|---|---|---|
| 12 | Establish monitoring and measurement program | 9.1 | HSE Manager | Week 20 |
| 13 | Design and conduct internal audit program | 9.2 | HSE Manager + External Auditor | Week 22 |
| 14 | Conduct first management review | 9.3 | CEO + HSE Manager | Week 24 |
| 15 | Implement incident investigation and corrective action process | 10.2 | HSE Manager | Week 18 |
Extension Tools
mandatory_artifact_detector_ohs
Scans the workspace for expected ISO 45001:2018 mandatory documented information. Reports found and missing artifacts with clause references.
| Artifact | Clause | Category |
|---|---|---|
| OH&S Policy | 5.2 | Mandatory |
| OHSMS Scope Statement | 4.3 | Mandatory |
| Hazard Register / Risk Assessment | 6.1.2 | Mandatory |
| Legal and Other Requirements Register | 6.1.3 | Mandatory |
| OH&S Objectives and Plans | 6.2 | Mandatory |
| Emergency Preparedness and Response Plan | 8.2 | Mandatory |
| Competence Records | 7.2 | Mandatory |
| Communication Procedure | 7.4 | Recommended |
| Operational Controls / SOPs | 8.1 | Mandatory |
| Management of Change Procedure | 8.1.3 | Recommended |
| Contractor Management Procedure | 8.1.4 | Recommended |
| Monitoring and Measurement Results | 9.1 | Mandatory |
| Internal Audit Program and Results | 9.2 | Mandatory |
| Management Review Results | 9.3 | Mandatory |
| Incident Investigation Records | 10.2 | Mandatory |
maturity_rating_tool_ohs
Rates clause maturity on a 0-5 scale using OH&S-specific evidence indicators. Supports batch mode to rate all clauses in a single call.
| Level | Rating | Description |
|---|---|---|
| 0 | Non-existent | No awareness or process for this requirement |
| 1 | Initial | Ad hoc, reactive, individual-dependent |
| 2 | Repeatable | Basic procedures exist but inconsistently followed |
| 3 | Defined | Documented, standardized, communicated |
| 4 | Managed | Measured, monitored, corrective actions taken |
| 5 | Optimized | Continual improvement, proactive, industry-leading |
clause_requirements_engine_ohs
Validates workspace documents against ISO 45001 clause 4-10 content requirements using keyword analysis. For each sub-clause, checks whether required OH&S topics are substantively addressed.
- Input: Path to the workspace root directory
- Output: Clause-by-clause content validation report with coverage status for each sub-clause from 4.1 through 10.3
remediation_prioritizer_ohs
Builds a prioritized remediation roadmap from gap assessment findings, grouped into four phases.
| Phase | Focus | Clauses |
|---|---|---|
| Phase 1 – Foundation | Scope, policy, roles, worker consultation | 4.x, 5.x |
| Phase 2 – Core | Hazard identification, risk assessment, legal register, objectives | 6.x |
| Phase 3 – Operational | Controls, emergency preparedness, competence, management of change | 7.x, 8.x |
| Phase 4 – Validation | Monitoring, internal audit, management review, incident investigation, continual improvement | 9.x, 10.x |
Getting Started
Start by activating the ISO 45001 Gap Assessment skill. The agent will scan your workspace for existing documentation and then work through each clause area systematically.
Have this information ready:
- Any existing OH&S policies, procedures, or safe work method statements
- Prior audit reports, inspection reports, or consultant assessments
- Incident and injury records for the last 2-3 years
- Existing risk assessments or hazard registers
- Training records and induction materials
- Emergency preparedness plans and drill records
- Management meeting minutes where safety was discussed
- Any existing certifications (ISO 9001, ISO 14001) that may share management system elements
If you completed the Organization Profile skill first, the agent will automatically reference organization-profile.json for organizational context. This is recommended but not required – the gap assessment can proceed with information gathered through conversation.
The agent runs all four validation tools automatically: artifact detection, maturity rating, clause requirements validation, and remediation prioritization. The final deliverables include a markdown gap assessment report and a machine-readable findings JSON that other OHSMS skills can reference.