ISO 45001 cost for a Spanish SME in 2026: real prices

·

The first question any managing director asks when someone mentions ISO 45001 is always the same: «How much is this going to cost me?». It is the right question, but the honest answer is that it depends on four or five variables that have nothing to do with headcount. In this article we break down the real market price ranges — consultancy plus certification audit — using 2025 and 2026 data, explain what pushes the price up or down, and clarify what each line item should include so there are no surprises mid-project.

What is ISO 45001 and why are more clients and procurement bodies demanding it?

ISO 45001:2018 is the international reference standard for occupational health and safety management systems (OHS). It definitively replaced OHSAS 18001 in September 2021 and is now required — directly or indirectly — by large industrial clients, public tender specifications for works and services, and insurers who tie liability premiums to its implementation.

In Spain, the standard complements — and does not replace — Law 31/1995 on the Prevention of Occupational Risks and its regulatory development (Royal Decree 39/1997 on Prevention Services). Having ISO 45001 in place does not exempt a company from its statutory OHS obligations, but it demonstrates that the management system goes beyond minimum compliance: it incorporates leadership, worker participation, change management and documented continuous improvement.

Price ranges in the Spanish market in 2026

The prices that move in the Spanish market for complete projects — initial diagnosis, documentation, training, support through the audit and assistance during the certification audit — fall within the following indicative ranges, by company type:

Company profile Employees Sites / facilities Consultancy range (€) Certification audit range (€) Typical timeline
Service SME (advisory, distribution, simple logistics) 10 - 30 1 3,500 - 6,000 1,500 - 2,500 4 - 6 months
Industrial or construction company (medium risk) 30 - 80 1 - 2 6,000 - 12,000 2,500 - 4,000 6 - 9 months
Industrial company with high-risk activities (working at height, chemicals, machinery) 50 - 150 2 - 4 10,000 - 20,000 3,500 - 6,000 9 - 14 months
Company with an already established in-house prevention service any any 2,000 - 5,000 (gap analysis and documentation) 1,500 - 4,000 3 - 6 months

Reference sources for these ranges: rates published by accredited certification bodies such as AENOR, Bureau Veritas and SGS on their public portals (2024-2025), and pricing surveys from bodies such as AENOR Forum and ACCA España.

These ranges are indicative market figures and correspond to full-scope projects. They are not the fee schedule of any specific consultancy. The final price depends on the variables described below.

The five factors that move the price the most

1. The risk level of the activities

Implementing ISO 45001 in an IT consultancy is not the same as doing so in an industrial joinery, a demolition company or an electrical contractor working at height. The greater the complexity of the risks — falls, confined spaces, exposure to chemical agents, operation of heavy machinery — the larger the volume of documentation required (risk matrices, operating procedures, specific emergency plans) and the more consultancy hours are needed. This factor alone can double the budget between a low-risk and a high-risk profile.

2. The number of work sites

Each additional work site means a separate diagnostic visit, potentially different risk profiles and, during the certification audit, additional auditor days. The fees charged by ENAC-accredited certification bodies (ENAC being the Spanish National Accreditation Entity) are calculated using tables based on headcount per location. With two or more sites, the certification cost can grow by between 40% and 80% compared with a single site.

3. The starting point: do you already have OHSAS 18001 or structured OHS in place?

A company that previously held OHSAS 18001 — even though the transition period closed in September 2021 — or that has an in-house prevention service with up-to-date documentation starts with a significant advantage. In that case the project is reduced to a gap analysis, adapting documents to the new standard's requirements (leadership, organisational context, interested parties) and preparing for the audit. The cost can be half that of a ground-up implementation.

4. Integration with other standards

If the company wants to integrate ISO 45001 with an already-certified ISO 9001 or ISO 14001 system, the projects do not add up linearly: they share the High Level Structure (HLS), management reviews, internal audits and most of the context documentation. An integrated consultancy project typically costs between 20% and 35% less than three independent projects. At Summum we have been supporting SMEs in these integrated projects since 2007, and it is one of the most effective cost levers we offer our clients.

5. The client's own internal commitment

A company that assigns an OHS manager with real time available for the project — even if that is the OHS technician from the outsourced prevention service, working in coordination — advances much faster and with fewer billed consultancy hours. If the company needs the consultant to manage almost everything because there are no internal resources, the budget rises. This is not a criticism; it is a planning variable that must be fixed from the outset.

Line items that a serious consultancy proposal must include

When comparing proposals, verify that each offer includes these line items. If any are missing, the «cheapest» price may not be the cheapest when the whole project is considered:

If you would like to see how we structure this process step by step, visit our page on ISO 45001 consultancy for SMEs, where we detail the scope, phases and deliverables of our service.

The certification audit cost: how it is calculated

The certification audit is carried out by ENAC-accredited bodies (AENOR, Bureau Veritas, SGS, Lloyd's Register, TÜV Rheinland, among others). Its price is not set by the consultancy: it is quoted directly by the certification body. The factors that determine that cost are:

ISO 45001 integrated with ISO 9001 and ISO 14001: the real saving

Most industrial SMEs that approach ISO 45001 already have — or are simultaneously implementing — ISO 9001 (quality) and ISO 14001 (environment). All three standards share the High Level Structure (Annex SL / HLS) of ISO: the same chapters 4 to 10, the same logic of context, leadership, planning, support, operation, performance evaluation and improvement. This makes it possible to share:

The result is that an integrated three-standard project typically costs between 20% and 35% less than three independent projects, and the documentary maintenance burden for the company is reduced significantly. At Summum we recommend planning the integration from the design stage of the system, not as a later add-on.

Real timelines: how long are we talking about?

A well-managed project in an SME with fewer than 50 employees and medium risk takes between 5 and 8 months from kick-off to certificate. The timeline extends when:

The timeline shortens when the company has structured OHS in place, an in-house prevention technician and management engaged from day one. In those cases we have seen projects close in three and a half months.

Can an SME fund or offset the cost?

Yes, with some caveats. ISO 45001 implementation consultancy is not among the categories directly funded by the Kit Digital scheme, but it can be included in process-improvement projects funded through ICO credit lines or regional industrial competitiveness grants. In Castilla y León, the Regional Agency for Innovation, Financing and Business Internationalisation (ADE) has published competitiveness-improvement calls that have included certification projects in the past.

The training associated with the project — ISO 45001 awareness sessions, internal auditor training — is eligible for FUNDAE funding if processed as a planned training action. This can represent a return of between €300 and €1,200 depending on the number of participants and the company's wage bill.

Consult our ISO 45001 implementation page for details on which support schemes are currently in force when you read this article.

Frequently asked questions

Is ISO 45001 mandatory for Spanish SMEs?

It is not a direct legal obligation. The standard is voluntary. However, a growing number of large industrial clients, construction companies that subcontract, and public procurement specifications for works and services require it as a qualification criterion. In sectors such as automotive, industrial construction and logistics, supply-chain pressure makes it practically mandatory to retain certain contracts.

Can I integrate ISO 45001 with my statutory OHS risk assessment?

Yes, and it is the most efficient approach. The standard complements the regulatory risk assessment required by Royal Decree 39/1997 but adds management requirements that go further: active worker participation, context and interested-party management, and performance evaluation with measurable indicators. A well-executed implementation integrates both layers into a single management system, avoiding duplicated documentation.

What is the difference between contracting an external prevention service (SPA) and contracting an ISO 45001 consultancy?

They are complementary services, not substitutes. The SPA covers the statutory OHS obligations (health surveillance, regulatory risk assessment, basic training, coordination of business activities). The ISO 45001 consultancy builds on that foundation a certifiable management system that goes beyond minimum legal compliance: documented leadership, continuous improvement, integration with business strategy. Many SMEs work with their SPA for statutory compliance and with a consultancy such as Summum for standard implementation.

What happens if non-conformities are found during the certification audit?

It is common for minor non-conformities to appear during the stage 2 audit. The certification body sets a deadline — typically 90 days — for the company to present evidence of corrective actions. If non-conformities are major (a systematic failure to meet a requirement of the standard), the certificate is suspended until they are resolved. Good preparation — with a prior internal audit and gap review — significantly reduces this risk.