The Building Safety Act 2022 is more than three years on from Royal Assent. The occupied higher-risk building regime has been live for over two years. Safety case reports are being called in and submitted as part of the Building Assessment Certificate (BAC) process, and Principal Accountable Persons are, to varying degrees of preparedness, getting to grips with their obligations.
The Building Safety Regulator is now established as a standalone body and the centre of a rapidly evolving regulatory framework. The direction of travel is clear: building safety is becoming more structured, more accountable and more professionalised.
And yet something fundamental is still missing.
Not legislation, not guidance, not even enforcement (though that conversation is undoubtedly coming). What is missing is a recognised management framework for building safety: a system that organisations can implement, audit, certify against and continuously improve.
We already have such frameworks for quality, environmental management and information security. Building safety has no direct equivalent.
In short, we need an ISO 75001 for Building Safety Management.
How Does ISO 9001 Work?
For those outside the quality management world, ISO 9001 is the international standard for Quality Management Systems. Published by the International Organisation for Standardisation (ISO) and adopted globally across virtually every industry sector, it does not prescribe what an organisation produces or how it produces it. Instead, it establishes a framework for how an organisation manages the processes that affect quality, and holds it accountable for continually improving those processes over time.
At its core, ISO 9001 operates on a simple Plan-Do-Check-Act cycle. You document your processes, implement them, measure performance against them, identify failures and correct them systematically. Independent auditors then assess whether the system is operating as documented.
The result is not perfection. It is a demonstrable, auditable commitment to getting better. Sound familiar?
Critically, ISO 9001 does not hand organisations a template. The standard defines the requirements of a management system, but each organisation develops its own policies, procedures, competence frameworks and performance measures. The resulting system reflects the organisation’s people, activities, supply chain and risk profile. That point matters because it helps explain both why ISO 75001 is needed and why the organisations that build it first will hold a significant advantage over those that follow.
But Doesn’t A Safety Standard Already Exist?
ISO already publishes a safety management standard: ISO 45001, the international standard for Occupational Health and Safety Management Systems. It shares ISO 9001’s DNA: the same Plan-Do-Check-Act discipline, the same documented-system-and-audit logic, and the same emphasis on continual improvement. So why not simply apply it to building safety?
Because ISO 45001 addresses a fundamentally different challenge. It exists to protect workers from the hazards of a workplace: injury and ill-health arising from what an organisation does. Building safety under the BSA concerns the safety of those who occupy a building (residents, visitors, site-staff) from risks arising from the building itself, most notably the spread of fire and structural failure, managed across the operational life of the asset.
It also introduces its own architecture of accountability, built around the Accountable Person roles. It demands a golden thread of building information, a living safety case, mandatory occurrence reporting and SKEB-based competence. None of that maps directly onto an occupational health and safety management standard.
So the gap is real. But it is also addressable.
Modern ISO management standards already share a common structure. ISO 9001 for quality, ISO 14001 for environmental management, ISO 27001 for information security and ISO 45001 for occupational health and safety are all built around the Annex SL framework. They are deliberately designed to interlock.
A Building Safety Management System standard built on that same foundation would not sit awkwardly alongside an organisation’s existing certifications. It would sit beside them, integrating with the management systems many organisations already operate, auditable by the same certification bodies and governed by the same underlying principles.
While it would not replace the Building Safety Act or the Building Safety Regulator, it would provide a recognised framework through which organisations could implement, monitor, audit, and continually improve their approach to building safety.
The architecture is not difficult to envisage. Much of it already exists within the standards that surround it.
The Structural Overlap Is Not Superficial
The parallels between what ISO 9001 demands of a quality-managed organisation and what the Building Safety Act demands of a Principal Accountable Person are not loose analogies. They are functional equivalences that point toward something the sector has not yet fully recognised.
Non-conformance and Mandatory Occurrence Reporting
ISO 9001 requires the systematic management of non-conformances: instances where a process, activity or outcome falls short of the required standard. When this occurs, the organisation must identify the issue, contain it, investigate the root cause, implement corrective action and document evidence that the problem has been addressed and recurrence prevented.
Under a proposed ISO 75001 framework, the closest equivalent would be the mandatory occurrence reporting regime already embedded within the Building Safety Act. Serious incidents, near misses, structural failures and fire safety events must be reported to the Building Safety Regulator, investigated appropriately and followed by corrective action and documented learning.
The mechanism is strikingly similar. The subject matter is building safety rather than product quality, but the underlying management discipline remains the same.
Performance Monitoring, Supplier Management and the Safety Case
ISO 9001 requires organisations to monitor and measure the performance of their management system and to hold their supply chain accountable for the quality of what they contribute. Supplier selection, ongoing evaluation, and performance data are not optional; they are core requirements, evidenced through audit.
The Building Safety Act demands a similar level of rigour. A Principal Accountable Person must maintain accurate and up-to-date records relating to the building – its construction, its systems, its known risks, and the competence and performance of those contributing to its safety management. Who assessed the external wall? Which contractor maintains the fire suppression system? Who manages the evacuation procedures?
The answers to those questions, and the evidence supporting them, form part of the safety case. In functional terms, the safety case demonstrates that the systems, controls and management arrangements relied upon to manage building safety risks are in place and operating effectively. The subject matter is different, but the evidential burden is remarkably similar.
Competence, SKEB and People Management
ISO 9001 requires organisations to determine the competence necessary for people performing work that affects quality, ensure those people possess that competence, and retain documented evidence of it. Training records, role-based competence frameworks and ongoing professional development are standard audit requirements.
The Building Safety Act introduces a comparable framework through the concept of Skills, Knowledge, Experience and Behaviours (SKEB), which underpins the competence obligations placed on Accountable Persons and those they appoint. A well-constructed ISO 75001 framework would define SKEB requirements for every role with building safety responsibilities, from the Principal Accountable Person at board level to the building manager on site and the contractors supporting the safety regime. That competence framework, documented, evidenced and auditable, is the direct equivalent of ISO 9001’s requirement to define, manage and demonstrate competence across the organisation.
Internal Audit and the Living Safety Case
ISO 9001 mandates internal audit: a periodic, structured review of whether the management system is functioning as intended. Those audits must be carried out by people with the competence and independence to assess performance objectively and report their findings honestly. Audit findings feed into management review. Management review drives improvement. The cycle is continuous and evidenced.
The Building Safety Act does not treat building safety as a one-time exercise, and neither should the industry. The safety case must be maintained as a living body of evidence, evolving as the building changes, risks emerge, and regulatory expectations develop. The disciplines required to achieve this are noticeably familiar. Internal audit under ISO 9001 and the ongoing review of a building’s safety case both exist to answer the same fundamental question: does the system still work, and can we demonstrate that it does?
It is worth being clear about what a safety case report is not. It is not a vast, one-time document produced at enormous cost and then left to gather dust. A safety case report is a point-in-time summary of the evidence demonstrating that a Building Safety Management System exists, is operational and is working as intended. The BSMS is the infrastructure. The safety case is the underlying body of evidence. The safety case report is how that evidence is presented when the Building Safety Regulator asks to see it.
What Would ‘ISO 75001’ Look Like?
The answer is probably more familiar than many people realise. Much of the underlying architecture already exists within the Building Safety Act itself. Competence, mandatory occurrence reporting, safety cases, contractor oversight, performance monitoring and continual review are already embedded within the higher-risk building regime.
The challenge is not identifying the component parts. It is bringing them together within a coherent, auditable management framework.
Its core requirements would be immediately recognisable to anyone who has implemented ISO 9001:
- A documented management system: policies, processes and procedures for managing building safety, maintained, reviewed and continually improved on a defined cycle, reflecting the organisation implementing it.
- A mandatory occurrence reporting framework: structured reporting, investigation and corrective action processes for safety-relevant events, with clear escalation thresholds, defined responsibilities and documented evidence requirements.
- A SKEB competence framework: defined Skills, Knowledge, Experience and Behaviours requirements for every role with building safety responsibilities, from the Principal Accountable Person at board level to the building manager on site and the contractors supporting the safety regime. Those requirements would be documented, evidenced and auditable, ensuring that competence can be demonstrated consistently across both the organisation and its supply chain.
- A supplier and contractor management framework: requirements for how Principal Accountable Persons and their managing agents assess, appoint, monitor, and hold accountable the organisations they rely on to maintain building safety. Currently one of the most inconsistently managed areas in the market.
- A performance monitoring and management review cycle: regular, structured assessment of whether the system is achieving its objectives, with senior leadership review and documented action on findings.
- And critically, third-party certification: independent assessment against the standard, providing objective evidence that a Building Safety Management System has been implemented and is operating as intended. Such certification could provide confidence to PAPs, residents, insurers, lenders and regulators alike.
None of these concepts will be unfamiliar to organisations already operating within the Building Safety Act regime. Competence management, mandatory occurrence reporting, safety cases, contractor oversight and performance monitoring are all activities that responsible organisations are already undertaking. An ISO-style standard would not create these disciplines. It would provide a common framework through which they could be integrated, measured, audited and continually improved.
The Property Management Opportunity, and Why First Movers Win
Here is where the ISO 9001 analogy becomes commercially significant in a way the sector has not yet grasped.
When an organisation implements ISO 9001, it builds something unique. A quality management system tailored to its specific structure, its processes, its people, and its clients. That system is not transferable in its raw form. But the infrastructure — the documented frameworks, the audit processes, the competence matrices, the supplier evaluation tools — are entirely replicable across the organisation’s portfolio of activity.
The best-managed professional services firms understood this early. A national facilities management company that builds a robust, certified QMS doesn’t rebuild it for every new contract. It deploys the same infrastructure, adapted to context, across its entire client base. The QMS becomes a competitive asset, something the client is buying alongside the people and the expertise.
ISO 75001 would work identically. And the implications for managing agents are significant.
A best-in-class property manager who invests now in building a certified Building Safety Management System has created something genuinely valuable: a replicable, auditable, regulator-facing framework that can be deployed across every building in their portfolio. Every new instruction brings the BSMS with it. Every Principal Accountable Person client gains access to an independently certified safety management infrastructure from day one.
The commercial implications are significant. In a market where Principal Accountable Persons face genuine regulatory anxiety about their BSR obligations, safety case preparation, mandatory occurrence reporting, and SKEB competence demonstration, a managing agent who arrives with a certified BSMS is offering something more than compliance support. They are offering a structured, auditable and independently assessed approach to managing building safety.
When the BSR requests a safety case report, it is not a crisis. It is a call-off from a system that has been running all along.
But the deeper point is this: the managing agents that build this infrastructure first may gain more than a competitive advantage. They may help define what good building safety management looks like in practice. In a compliance-driven market, the organisation that establishes the standard shapes the expectations that every competitor must subsequently meet. First-mover advantage in this context is not temporary. It is structural.
The window to be that organisation is open now. It will not stay open indefinitely.
Why This Matters Beyond Compliance
The concept is not as theoretical as it might first appear.
Increasingly, insurers are interested not only in the risks a building contains, but in how those risks are managed. Competence, governance, record-keeping, contractor oversight and risk management processes all contribute to the quality of a building’s safety regime. While the market is still evolving, it is not difficult to envisage a future in which organisations are expected to demonstrate not only that they are compliant, but that they have a structured and auditable system for maintaining compliance over time.
Lenders and investors may ultimately ask similar questions. When assessing long-term risk, the quality of a building’s management arrangements can be just as important as the quality of its physical construction. A building with strong governance, robust information management and demonstrable competence may present a very different risk profile to an identical building managed less effectively.
Regulators, too, are increasingly focused on systems rather than individual documents. The Building Safety Act is built around ongoing duties, continuous oversight and demonstrable accountability. The direction of travel is clear: building safety is becoming a management discipline in its own right.
Indeed, with the Building Safety Regulator established as a standalone body, and a future Single Construction Regulator under discussion, the environment has never been more receptive to a structured approach of this kind.
The question is not whether a standardised framework for building safety management would be useful. The Building Safety Act has already provided much of the architecture. Competence, mandatory occurrence reporting, safety cases, contractor oversight and continuous review are all now embedded within the regulatory landscape.
What remains is the recognition that these are not isolated compliance activities. Together, they form the foundations of a Building Safety Management System.
Whether the industry eventually calls it ISO 75001 or something else is almost beside the point. The architecture is already there.
The organisations that recognise this first will not simply be responding to regulation. They will be helping to shape the standards by which the rest of the industry is judged.
In a sector undergoing its biggest transformation for a generation, that is a position worth occupying.
Download the full white paper to share with your team: ‘ISO 75001’ The Missing Standard in Building Safety
Ant Attree FCCA is Group Managing Director of The DALA Consulting Group Ltd, a professional services group operating in the UK built environment and building safety sector. DALA Fire & Risk provides fire engineering consultancy and building safety advisory services across the UK residential sector.
To discuss the ideas raised in this paper, contact Ant at ant@thedala.group.







