A water safety policy is the short, top-level document where your organisation states its commitment to controlling Legionella, names who is accountable, and points to the detailed arrangements that do the real work. It is not the risk assessment, and it is not the scheme of control.

Confusing those three is the most common reason a “policy” ends up as either a vague paragraph that proves nothing or a thirty-page technical manual nobody reads. The checklist below sets out the sections a good policy actually contains, and the worked example after it shows how they read once filled in for a real organisation.

Policy, risk assessment, scheme of control: which document is which

Think of three tiers, each with a different job.

The policy sits at the top. It is brief — often a page or two. It says we take this seriously, here is who is responsible, and here is how we manage it. It is signed by someone senior enough to carry the commitment.

The risk assessment sits beneath it. It finds the risk: it surveys your water systems, identifies where Legionella could grow and spread, and judges how serious that is [1].

The written scheme of control sits beside the assessment. It is the technical how-to — the specific control measures, who carries them out, how often, and what “in control” looks like for your building [1]. If your risk assessment finds a foreseeable risk worth managing, this is the document that says what you do about it day to day. We cover building one in written scheme of control template and worked example, and the habits that quietly hollow one out in documenting a written scheme of control.

The policy does not repeat the scheme. It references it. A reader of the policy should understand who is in charge and how the system is governed; a reader of the scheme should understand exactly which tap gets flushed on which day. Keep those jobs separate and both documents get shorter and clearer.

One honest point on the law. ACoP L8 does not name a standalone “water safety policy” as a mandatory document. What the law does require is that you appoint a competent person, assess the risk, prevent or control it, keep records and review them [1][2]. A water safety policy is simply the cleanest way to state those management arrangements and show, at a glance, that someone owns them.

What a good water safety policy contains

Use this as a presence check. Run it against your current policy and tick what is genuinely there, with real names and real cross-references — not aspirational language.

  • Policy statement and commitment. A short declaration that the organisation will manage the risk of Legionella and other waterborne hazards, signed and dated by a named senior post-holder.
  • Scope and premises covered. Which sites, buildings and water systems the policy applies to — and, if relevant, what it deliberately excludes (e.g. tenant-controlled systems).
  • Legal and guidance framework. The duties and guidance you are working to: the Health and Safety at Work Act, COSHH, and ACoP L8 / HSG274, plus any sector guidance such as HTM 04-01 for healthcare [1][3].
  • Roles and responsibilities, with named post-holders. The duty holder, the appointed responsible person and deputy, the water safety group if you have one, and the competent contractors used — named by post, not just by title.
  • How risk is assessed and controlled. A one-paragraph summary that points to the current risk assessment and scheme of control, states the review cycle, and confirms control measures follow recognised guidance — without reproducing the technical detail.
  • Record-keeping and the logbook. Where monitoring results, inspections, remedial actions and certificates are kept, who maintains them, and how long records are retained.
  • Training and competence. How the responsible person and anyone carrying out monitoring are trained and kept current, and how contractor competence is verified.
  • Review and version control. When the policy is reviewed, the events that trigger an out-of-cycle review (a change of premises, occupancy, key personnel, or a water-related incident), and a visible version/date.
  • Authorisation and sign-off. The signature, name, role and date — the line that turns a draft into a live policy.

The checklist is the payload. The value is in filling each box with something specific to your organisation, which is what the example shows.

A worked example outline you can adapt

The following is an illustrative, composite outline — not a real organisation’s policy and not legal boilerplate to copy blindly. Treat it as a shape to populate, then have it reviewed by a competent person.

1. Policy statement. “[Organisation] is committed to managing the risk of Legionella and other waterborne pathogens across its premises, in line with the Health and Safety at Work Act 1974, COSHH and ACoP L8. We will assess our water systems, control identified risks, keep records and review our arrangements regularly.”

2. Scope. All water systems at the [Head Office] and [two regional sites], including hot and cold water services, point-of-use water heaters and any cooling or humidification equipment. Excludes systems within demised tenant areas, where the tenant is the duty holder.

3. Framework. HSWA 1974; COSHH Regulation 8; HSE ACoP L8 and HSG274 [1][3]. [For a hospital or care setting, add HTM 04-01 and the water safety plan reference.]

4. Roles. Duty holder: [Chief Operating Officer]. Responsible person: [Facilities Manager] (deputy: [Estates Officer]). Water safety group: [chaired by the COO, where the organisation is large or higher-risk]. Monitoring: [in-house FM team]. Specialist tasks: [LCA-registered contractor].

5. Risk and control. Risk is assessed by a competent person and recorded; controls follow the current scheme of control and HSE guidance; the assessment is reviewed at least every two years or sooner on significant change. [Cross-reference document IDs, do not restate the scheme here.]

6. Records. All monitoring, inspections, remedial actions and contractor certificates are held in the water safety logbook, maintained by the responsible person and retained for the period set in our retention schedule.

7. Training. The responsible person holds current Legionella management training; staff carrying out monitoring are briefed and competence-checked; contractor competence is verified before appointment.

8. Review. Reviewed annually and on any change of premises, occupancy, responsible person, or after a water-related incident. Version 1.2, [date].

9. Sign-off. Signed [name], [Chief Operating Officer], [date].

That outline reads in well under two pages, yet a reader can see who owns the risk and where the detail lives. For larger or higher-risk estates, the governance the policy refers to often runs through a Water Safety Group and a fuller Water Safety Plan, particularly in healthcare, where a plan-led approach is the expected framework [4].

The bits most policies get thin

Three sections are reliably underdone. Named post-holders is the first — policies that say “the responsible person” without naming the post leave nobody actually accountable when staff change. Review triggers is the second; a policy with an annual review date but no event triggers sails through a site acquisition or a key resignation without anyone revisiting it. The third is the link to records — a policy that asserts records are kept, but cannot point to where, is the version that unravels on a close read.

In my view, fix those three and your policy already does its job better than most: someone owns it, it gets revisited when reality changes, and it can prove the controls behind it are real.

A caveat worth stating plainly. This template and example are a structure to populate through a competent, site-specific risk assessment — not a finished compliance document, and not legal, medical or engineering advice. The roles, scope, frequencies and control measures in your version must reflect your own organisation and your own assessment, drawn up with a competent person where the systems are complex.

FAQ

ACoP L8 does not name a standalone “water safety policy” as a mandatory document. What the law does require is that you manage the risk: appoint a competent responsible person, carry out a risk assessment, prevent or control identified risks, keep records and review them [1][2]. A water safety policy is the clearest way to capture and evidence those management arrangements, which is why most organisations choose to have one even though the duty is framed around the underlying actions rather than the document title.

How long should a Legionella policy be?

Short — usually one to three pages. The policy states commitment, accountability and how the system is governed, then points to the risk assessment and scheme of control for the detail. If it runs to twenty pages, the technical content has crept up from the scheme of control and should be moved back down a tier so each document stays readable.

Who should sign the water safety policy?

Someone senior enough to carry the organisation’s commitment and authorise the resources behind it — typically the duty holder, such as a director, chief executive or chief operating officer, rather than the responsible person who runs the day-to-day control. The signature and date are what make the policy live; an unsigned draft commits no one.

Sources

[1] HSE, “Legionnaires’ disease. The control of legionella bacteria in water systems — Approved Code of Practice and guidance (L8)”. https://www.hse.gov.uk/pubns/books/l8.htm [2] HSE, “Legionnaires’ disease — what you must do”. https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm [3] HSE, “Legionnaires’ disease: Technical guidance (HSG274)”. https://www.hse.gov.uk/pubns/books/hsg274.htm [4] BSI, “BS 8680:2020 — Water quality. Water safety plans. Code of practice”. https://knowledge.bsigroup.com/products/water-quality-water-safety-plans-code-of-practice