As Ontario mandates public-sector equivalency, safety experts outside the province question audit integrity, data transparency, and who gets to set risk tolerance

Ontario’s decision to recognize ISO 45001 and the Certificate of Recognition (COR) as equivalent for public-sector procurement is stirring a fresh round of debate among Canada’s occupational health and safety (OHS) leaders. While some hail the move as overdue progress toward fairness and modernization, others warn that the policy—part of the province’s Working for Workers Seven Act—may sacrifice clarity and audit reliability in pursuit of expediency.
“It’s a political move,” says Ben Snyman, CEO of Calgary-based AuditSoft Inc. “It sounds like they want to open the bidding process and build faster, but they’re missing key differences between these two systems. This isn’t just about fairness. It’s about risk.”
Snyman knows both systems intimately. A longtime COR software provider and co-founder of an ANAB-accredited ISO certifying body, he straddles both standards. Yet he maintains that while the intent behind ISO 45001 and COR may align, the audit methodologies diverge dramatically, with serious implications for consistency and accountability.
“The standards are the same. It’s the way they’re audited—and the data you get—that’s different,” Snyman says. “With COR, the audit protocol is fixed and the data is measurable. With ISO, it’s loose, subjective. It all depends on the auditor.”
Beyond paperwork
Wayne Pardy, HSEQ Manager at Quality Plus Inc. in St. John’s, Newfoundland and Labrador, agrees the conversation goes deeper than compliance. A career auditor and author of multiple books on safety systems, Pardy views the equivalency as a well-intentioned but potentially misunderstood gesture.
“ISO is a strategic management system. COR is a compliance audit. They’re not the same,” he says. “But they don’t need to be mutually exclusive either.”
Pardy has used both systems and sees a place for each, especially in construction-heavy provinces like Ontario. In his previous role with a major contractor, he integrated ISO 45001 into the company’s management framework—while simultaneously maintaining COR certification to meet procurement requirements.
“They can coexist,” he says. “But that requires understanding what each system is for, and what it isn’t.”
Risk by policy
Ontario’s plan, first revealed by Canadian Occupational Safety, mandates that all public entities, including municipalities, must treat ISO 45001 and COR as equivalent for prequalification purposes. Labour Minister David Piccini argues the change removes barriers that prevent ISO-certified contractors from accessing public bids, thereby boosting competition and speeding up infrastructure timelines.
Snyman pushes back.
“This isn’t just a procurement issue—it’s a risk management issue,” he says. “Organizations should be able to set their own risk tolerance. The government shouldn’t force a municipality to accept a system if they don’t trust its audit process.”
He uses a blunt analogy: asking municipalities to accept an ISO certificate without standardized audit criteria is like asking a client to hire a lawyer who never passed the bar exam.
“You can’t compare audits that weren’t conducted the same way. That’s the problem,” he says. “If you want to make it fair, then everyone needs to write the same test.”
What's in a standard?
ISO 45001, particularly in its Canadian adaptation (CSA Z45001), is designed as a high-level management framework. It focuses on continuous improvement, worker participation, and leadership accountability. The CSA version embeds Canadian principles such as the internal responsibility system, the right to refuse unsafe work, and formal roles for joint health and safety committees—features Pardy says reflect “real Canadian values” around workplace safety.
COR, by contrast, is a provincial certification program administered by safety associations like the IHSA in Ontario or Energy Safety Canada in Alberta. It’s most commonly used in the construction sector and follows a strictly defined audit protocol. Every question, every metric, is standardized.
“With COR, you can actually compare contractors based on consistent evidence,” Snyman says. “That’s powerful for decision-making. You don’t get that with ISO.”
Caution in the comments
Despite the technical distinctions, Pardy urges moderation. He cautions against framing the debate as ISO vs. COR, or choosing one over the other for ideological reasons.
“Any system can be a ‘check-the-box’ process if it’s applied without integrity,” he says. “The issue isn’t the standard—it’s how people use it, and whether auditors are trained and committed to doing the job properly.”
Both men express concern that the province’s decision is rooted more in politics than safety science. Snyman, particularly, fears a “race to the bottom”—where lower audit oversight leads to cost savings but also to increased risk, poorer data, and eventually, serious incidents.
Looking ahead
The Working for Workers Seven Act is still being implemented, industry associations have so far offered muted reactions, and the full scope of ISO-COR equivalency remains to be tested. Municipalities may welcome the clarity—or quietly worry about diluted oversight.
Meanwhile, Ontario outsiders like Snyman and Pardy continue to watch with interest—and a measure of concern.
“Data is the currency of risk,” says Snyman. “And if your audits aren’t generating comparable data, then you’re gambling with taxpayer dollars and worker lives.”