ISO 45003 explained: managing psychosocial risk at work
ISO 45003 is the international standard for managing psychological health and safety at work. It gives employers a practical way to identify psychosocial hazards, assess the risk they create, and put controls in place.
By Dr Kirath Sidhu, registered occupational health doctor. Reviewed 7 July 2026.
It is guidance, not a certificate. You cannot be certified to ISO 45003 the way you can to ISO 45001. It sits alongside your legal duty to protect staff from work-related stress, and it gives you a recognised method for meeting that duty. This guide explains what it covers, what good control looks like, and where to start.
What ISO 45003 is, and what it is not
ISO 45003 was published in 2021 as guidance for managing psychosocial risk within an occupational health and safety management system. It describes the hazards to look for, how to assess them, and the kinds of controls that work.
It is a standard for the organisation, not the individual. It looks at how work is designed and managed, not at diagnosing any employee.
It is guidance, not certification. There is no pass or fail audit for ISO 45003 on its own. It is often used to show that an employer has taken reasonably practicable steps.
It complements your local duty. In the UK the duty comes from the Health and Safety at Work Act. In Australia it comes from work health and safety law. ISO 45003 is the method that helps you meet whichever duty applies to you.
The psychosocial areas to assess
ISO 45003 groups psychosocial hazards into how work is organised, the social factors at work, and the work environment. In practice, these are the areas to look at.
Workload and job demands. Too much or too little work, time pressure, and how demands are monitored.
Job control. How much say people have over how their work is done.
Manager and peer support. Whether managers are equipped to recognise and support psychosocial risk.
Role clarity. Whether people know what they are accountable for.
Workplace relationships. Including the prevention and resolution of bullying and harassment.
Change management. Whether major changes are assessed for their psychosocial impact.
Recognition and fairness. Whether recognition and decisions are consistent and seen as fair.
Work environment and exposure. Including remote, isolated, frontline and trauma-exposed work.
Governance and process. Whether you assess psychosocial risk on a set cycle, with a confidential channel to raise concerns. This is the backbone a regulator looks for first.
What good control looks like
ISO 45003 is less about a single survey and more about a process you can repeat and evidence. Good practice looks like this: assess psychosocial risk at work-unit level so no individual is identified, act on the highest risks first, and review on a cycle so you can show whether the controls worked. A one-off survey that sits in a drawer does not meet the intent. A documented cycle does.
How it connects to your legal duty
United Kingdom. Employers must assess and manage work-related stress under the Health and Safety at Work Act and the Management Regulations. The HSE Working Minds campaign has made this an enforcement priority.
Australia. Managing psychosocial hazards is now a legal duty in every state and territory, with Victoria commencing on 1 December 2025. The free government People at Work survey closes on 2 October 2026, so employers need another way to assess and evidence their controls.
United States. There is no federal mandate, but the exposure is real through the OSHA General Duty Clause, rising mental-health compensation claims, and human-capital disclosure. ISO 45003 is the benchmark employers adopt ahead of regulation.
Where to start
See where your organisation stands against ISO 45003 and your local duty in about two minutes. No sign-up, and nothing about any individual employee.
No. ISO 45003 is guidance. What is mandatory is your local duty to manage psychosocial risk, which exists under UK health and safety law, Australian work health and safety law, and equivalents elsewhere. ISO 45003 is a recognised way to meet that duty.
Can you be certified to ISO 45003?
Not on its own. Unlike ISO 45001, ISO 45003 is a guidance standard with no pass or fail audit. Some bodies verify alignment with it, usually alongside an ISO 45001 audit.
Who should run a psychosocial risk assessment?
The duty sits with the employer. Many providers can run a survey. The question is who reads the results. A registered occupational health doctor can read the pattern clinically and sign off a defensible report, which a software-only survey cannot.
How often should we reassess?
On a set cycle, and after any significant change. An annual cycle is common, so you can show whether the controls you put in place actually moved the risk.
KS
Dr Kirath Sidhu is a registered occupational health doctor and the founder of Polarisk, which delivers physician-signed psychosocial-risk compliance assessments. Polarisk assessments are read and signed by a registered occupational health doctor in your jurisdiction.