
ISO 45001 checklist: digital training audit for industrial companies

Álvaro Martínez
Content Specialist
Digitization
Reading time: 11 minutes

Checklist for digital audits and ISO 45001

 

An ISO 45001 audit requires verifiable evidence of competence (Clause 7.2) and document control (Clause 7.5): training records with date, content, duration, and outcome — not just a signature on an attendance sheet.

The surveillance audit arrives. The auditor asks for safety training records from the last 12 months. Your safety manager opens three shared folders, searches two spreadsheets, and finds a signed PDF with no date. That's not evidence of competence. That's a problem.

**ISO 45001 certifications have grown 3,224% since 2018 globally.**¹ More certified companies means more surveillance audits, higher scrutiny, and more non-conformities detected. According to Smithers, among the top reasons for non-conformities in ISO 45001 audits are lack of documentation (#1) and lack of training (#3).²

In Spain, the Labour Inspectorate planned over 624,000 actions for 2024.³ In the Basque Country alone, 52.77% of all inspection actions focused on occupational risk prevention (PRL).³ Penalties for very serious prevention violations, at maximum degree, can reach 983,736 euros under current LISOS legislation.³

This article gives you a practical checklist to prepare the training evidence required by both ISO 45001 and Spanish PRL regulations, using digital records an auditor can verify in minutes.  

What ISO 45001 requires for training and competence

ISO 45001 has two key clauses that directly affect how you document training:  

Clause 7.2: Competence

The organization must:

  1. Determine competence needs for workers who affect OH&S performance
  2. Ensure workers are competent based on education, training, or experience
  3. Take actions to acquire and maintain the necessary competence
  4. Retain documented evidence of competence

Point 4 is where most companies fail. "Retain documented evidence" doesn't mean having a PDF in a folder. It means having records that prove the person received specific training, on a specific date, covering identifiable content, and achieved a verifiable level of competence.⁴

An auditor won't accept "attended training" as proof of competence. They look for exams, assessments, follow-up monitoring that demonstrates competence was actually achieved.⁴  

Clause 7.5: Documented information

The management system must control:

  • Creation and updating: identification, format, review, and approval
  • Control: distribution, access, retrieval, storage, preservation
  • Availability: information must be accessible where and when it's needed

This applies to all training records: programs, content, attendance, duration, outcomes. The auditor will verify that you can demonstrate who received what training, when, with what content, and with what result.⁴  

Digital evidence checklist for ISO 45001 audits

This checklist covers the records an auditor will expect to see. For each element, we indicate which clause applies and how a digital record solves it better than paper.  

Block 1: Training records per worker

 

| Element | Clause | What the auditor expects | Digital evidence |
|---|---|---|---|
| Worker identification | 7.2 | Name, position, start date | LMS profile with history |
| Training received | 7.2 | List of completed courses/modules | SCORM/xAPI record with timestamps |
| Date of each training | 7.2, 7.5 | Exact completion date | Automatic LMS timestamp |
| Training content | 7.2 | What was taught (syllabus, procedure) | Link to versioned module |
| Duration | 7.5 | Time spent | Actual watch time (not theoretical duration) |
| Assessment result | 7.2 | Score, pass/fail | Score recorded in xAPI |
| Content version | 7.5 | Which SOP version was trained on | Module version control |

   

Block 2: Document control for training materials

 

| Element | Clause | What the auditor expects | Digital evidence |
|---|---|---|---|
| Document identification | 7.5 | Title, code, version | Slug + version number in platform |
| Approval date | 7.5 | Who approved and when | System approval log |
| Revision history | 7.5 | Changes between versions | Automatic changelog |
| Controlled distribution | 7.5 | Who has access | Role/plant-based permissions in LMS |
| Protection against misuse | 7.5 | Authenticated access | Login + user-level permissions |
| Retention and disposition | 7.5 | How long records are kept | Platform retention policy |

   

Block 3: Evidence of competence (beyond attendance)

 

| Element | Clause | What the auditor expects | Digital evidence |
|---|---|---|---|
| Pre-training assessment | 7.2 | Worker's baseline level | Registered pre-training quiz |
| Post-training assessment | 7.2 | Competence acquired | Post-training score with timestamp |
| Spaced assessment | 7.2 | Retention at 30-60-90 days | Scheduled assessments in LMS |
| Evidence of application | 7.2 | Transfer to the job | Documented manager check-in |
| Re-training after changes | 7.2, 7.5 | Updated competence | Record of consuming updated version |

 

The difference between "training delivered" and "competence demonstrated" is what separates companies that pass audits from those that receive non-conformities. When documenting doesn't mean understanding, attendance records aren't enough.  

Why paper records no longer work

Management system auditors agree on one thing: filing cabinets are disappearing. Platforms, screenshots, and digital records dominate audits.⁵ The ISO/IEC 27006-1:2024 standard even removed the requirement for accreditation body approval when remote auditing exceeds 30% of planned on-site time.⁵

Paper records have three structural problems for an audit:

They aren't searchable. When the auditor asks for confined space training records from the last 18 months for the Zaragoza plant, you need to find them in minutes. With paper, that can take hours.

They aren't independently verifiable. A signed attendance sheet proves someone signed, not that someone learned. An xAPI record proves what they consumed, how long they spent, what assessment they completed, and with what result.

They don't scale to multi-plant. If you have 4 plants with paper records, the auditor has to trust that each plant maintains the same level of document rigour. A centralized digital system guarantees uniformity.

According to EU-OSHA's ESENER 2024 survey, only 40% of European workplaces received a labour inspection in 2024, down from 43.2% in 2019.⁶ Fewer inspections doesn't mean less scrutiny: when they come, documentary evidence must be ready. Digital records don't eliminate regulatory complexity, but they make it manageable.  

How to generate auditable evidence with Knowledge Infrastructure

The checklist above looks demanding, but most elements are generated automatically if your training content is in the right format.

Automatic records via SCORM/xAPI: every time an operator consumes a training module distributed through an LMS with SCORM or xAPI traceability, the system automatically records: who, what content, which version, when, for how long, with what assessment result. That covers Blocks 1 and 3 of the checklist with zero manual intervention.

Native version control: when training content lives in a Knowledge Infrastructure platform (not as loose PDFs in folders), every update generates a new version with an automatic changelog. That covers Block 2 without anyone maintaining a manual revision log.

Controlled distribution without local copies: content isn't downloaded or printed. It lives at a single access point with role and plant-based permissions. Nobody can operate with an outdated version because the outdated version no longer exists.

A concrete example: platforms like Vidext export training modules compatible with SCORM 1.2, SCORM 2004, and xAPI. Each module includes version control, automatic translation into 40+ languages, and granular consumption analytics. When the auditor asks for evidence, you don't search through folders — you filter by worker, by plant, by period, and export a report.

For companies operating across multiple sites, the logic is the same as we describe in how to standardize SOPs in multi-plant companies: one master module, traceable distribution, automatic evidence.  

Common mistakes that generate non-conformities

We've identified the most common mistakes that lead to non-conformities during ISO 45001 audits related to training:

Confusing attendance with competence. Having a signed sheet showing someone "attended" training doesn't demonstrate they acquired competence. Clause 7.2 requires evidence of competence, not presence.

Not linking training to identified risks. The auditor will cross-reference your risk assessment with your training records. If you've identified work at height as a critical risk but can't demonstrate specific training in that risk for affected personnel, that's a non-conformity.

Having content without version control. If the safety SOP changed in March but operators were trained on the January version and there's no record of re-training, that's a Clause 7.5 non-conformity.

Not being able to demonstrate re-training after changes. When a procedure changes, affected workers must receive updated training. If you can't demonstrate who consumed the new version, the auditor will assume they're still operating under the previous one.

Fragmented records by plant. If each site maintains records in different formats (one in Excel, another on paper, another in a different LMS), the auditor will question the system's integrity. Clause 7.5 requires a document control system, not five different systems.  

Conclusion: the audit starts before the auditor arrives

Preparing for an ISO 45001 audit shouldn't be a two-week emergency project before the scheduled date. If your training system generates auditable evidence continuously, the audit is simply a filter on data that already exists.

The checklist in this article covers the three blocks an auditor will review: per-worker records, document control for training materials, and evidence of real competence. With digital records automatically generated by SCORM/xAPI, Blocks 1 and 3 are solved without manual intervention. With a Knowledge Infrastructure platform with native version control, Block 2 is too.

The question isn't whether you'll have an audit. It's whether when it comes, your evidence will be ready in minutes or in days.

If you want to see how a training system that generates auditable evidence natively works, book a demo with Vidext.  

Frequently asked questions

 

What training documents does an ISO 45001 auditor request?

An ISO 45001 auditor will review: training records per worker (what they received, when, with what result), evidence of competence (assessments, not just attendance), version control of training materials, and the link between identified risks and training delivered. All of this must comply with Clauses 7.2 and 7.5.  

Is an Excel training record valid for an ISO audit?

It depends. An Excel file may be accepted if it includes the required information (worker, date, content, result) and is part of a document control system with controlled access and versioning. But it lacks automatic traceability and is prone to manual errors. Records generated by SCORM/xAPI are more reliable and harder to challenge.  

What's the difference between a major and minor non-conformity in ISO 45001?

A minor non-conformity is an isolated failure that doesn't compromise system effectiveness (example: a training record missing a date). A major non-conformity indicates a systemic failure (example: no process exists to evaluate worker competence). Major non-conformities can result in suspension or loss of certification.  

How often are ISO 45001 surveillance audits conducted?

Surveillance audits are conducted annually after initial certification. The full cycle is three years: initial certification (year 1), surveillance (years 2 and 3), and recertification (year 4). Internal audits should be conducted at least once a year as preparation.  

How do I prove an operator is competent, not just that they attended training?

Clause 7.2 distinguishes between training (the process) and competence (the outcome). To demonstrate competence you need: assessments with recorded results, evidence of on-the-job application (supervisor feedback), and in some cases, spaced assessments that demonstrate retention over time. An attendance record only proves presence.


 

Sources

¹ A Look at the 2024 ISO Survey: ISO 45001 Certifications Worldwide - simpleQuE

² Top 5 Non-Conformities of ISO 45001 - Smithers

³ Actuaciones de la Inspección de Trabajo 2024 - Prevencionar / OEITSS

⁴ ISO 45001 Clause 7.2 Competence Requirements - Auditor Training Online

⁵ The 12 Things ISO Management System Auditors Learned This Year - The Auditor Online

⁶ ESENER 2024 Survey on Workplace Risks - EU-OSHA / ETUI

