Guide · Compliance

The legal & compliance obligations register, explained

If you are working towards ISO 14001 or ISO 45001, one of the first things an auditor will ask to see is your compliance obligations register — the living list of the laws, regulations and other requirements that apply to your business. Here is what it is, what goes in it, and how to build one without a consultant.

What is a compliance obligations register?

A compliance obligations register (often still called a "legal register") is a single, controlled list of the legal and other requirements your organisation must meet. For each one it records what the requirement is, where it comes from, how it applies to you, and how you keep on top of it. It turns "we think we comply with the law" into evidence you can put in front of an auditor, a client or a regulator.

Under ISO 14001:2015 and ISO 45001:2018, clause 6.1.3 requires you to determine the compliance obligations relevant to your environmental aspects and your work health & safety risks, have access to them, take them into account in your management system, and evaluate your compliance. ISO 9001:2015 (clause 8.2.2) requires you to determine the statutory and regulatory requirements applicable to your products and services. A register is the practical way to satisfy all three.

What goes in the register

A good register has a row per obligation and, at minimum, these columns:

  • Requirement — the Act, Regulation, licence condition or code of practice, including its year and jurisdiction.
  • Source / regulator — who administers it (for example SafeWork NSW, the EPA, WorkSafe New Zealand).
  • Jurisdiction — Commonwealth, the state or territory, or New Zealand.
  • How it applies to us — one plain-English line on what this actually means for your business.
  • How we comply — the control, procedure or record that keeps you compliant.
  • Compliance status & last evaluated — so you can show you check, not just list.

Examples that apply to almost every Australian & NZ business

Start with the cross-cutting obligations that apply to essentially everyone, then add the ones specific to your industry and activities. A few of the common ones:

AreaAustraliaNew Zealand
Work health & safetyWork Health and Safety Act & Regulations (harmonised states); Occupational Health and Safety Act 2004 & OHS Regulations 2017 in VictoriaHealth and Safety at Work Act 2015
Workers compensationState schemes (e.g. Workers Compensation Act 1987 NSW; WorkCover QLD)Accident Compensation Act 2001 (ACC)
EnvironmentState protection Acts (e.g. Protection of the Environment Operations Act 1997 NSW; Environment Protection Act 2017 VIC)Resource Management Act 1991
EmploymentFair Work Act 2009Employment Relations Act 2000; Holidays Act 2003
PrivacyPrivacy Act 1988 (Cth)Privacy Act 2020

On top of these, your industry adds its own: licensing and permits, dangerous goods and hazardous chemicals, electrical or plumbing regulations, food safety, transport and fatigue rules, and so on. The register is only useful when it reflects your work, in your states — a generic template is the thing auditors most often pick apart.

Let AI build your register in minutes

Writing this from scratch is where most businesses stall. BigTick reads your business profile and where you operate, then drafts the specific Acts, regulations and codes that apply — each with a plain-English "what this means for us" summary and a link to the source. You review, edit and approve. It is the compliance register ISO expects, built for your business rather than copied from a template.

How to build one, step by step

  1. Scope it. List what your business does, where it operates (which states / regions), and the standards you are targeting.
  2. Start with the universal obligations. WHS, workers comp, environment, employment and privacy for each jurisdiction you work in.
  3. Add the industry-specific ones. Licences, permits, codes of practice and any client or contractual commitments.
  4. Say how each applies and how you comply. One line each — this is what turns a list of laws into a management tool.
  5. Evaluate compliance and set a review cycle. Record the status, the date, and when you will check again.
  6. Report it at management review. Compliance status is a required input to your clause 9.3 management review.

Keeping it current

A register is only worth anything if it is alive. Laws change, you take on new activities and new sites, and obligations lapse. Set a review cadence (at least annually), review it whenever something material changes, and keep the evaluation dates visible so an auditor can see you are actually managing it — not just holding a document.

Get your compliance register done this week

Sign up, answer a few questions about your business, and BigTick drafts your legal & compliance obligations register — and the rest of your ISO 9001, 14001 & 45001 management system — tailored to you and ready to review.

Start a free trial

Frequently asked questions

Is a legal register mandatory for ISO certification?

For ISO 14001 and ISO 45001 it is effectively mandatory: clause 6.1.3 requires you to determine and have access to your compliance obligations, evaluate compliance, and keep documented information. A register is how almost every organisation demonstrates that. ISO 9001 (clause 8.2.2) requires you to determine applicable statutory and regulatory requirements, which a register also satisfies.

What's the difference between a legal register and a compliance obligations register?

They are the same thing in practice. "Legal register" is the older term for the list of laws that apply to you; ISO 14001:2015 and ISO 45001:2018 use the broader term "compliance obligations", which also covers regulations, licence and permit conditions, codes of practice, and commitments you take on voluntarily.

How often should the register be reviewed?

At least annually, and whenever something changes — a new activity or site, new equipment, or a change in the law. Many organisations evaluate compliance against each obligation on a set cycle and report the results at management review.

Related guides

This guide is general information about management-system requirements, not legal advice. Confirm the current obligations that apply to your business with the relevant regulator.