ISO/IEC 42001 by industry

ISO/IEC 42001 for HR & recruitment

AI now screens CVs, ranks candidates, targets job ads and scores employee performance. Under the EU AI Act these are high-risk uses — and among the most scrutinised for bias. ISO/IEC 42001 gives HR and talent teams the management system to use hiring AI responsibly and prove it to candidates, works councils and regulators.

Why this is high-risk

EU AI Act — Annex III, high-risk

Hiring and worker-management AI is explicitly regulated

The EU AI Act classifies AI used for recruitment and selection (targeted job ads, filtering applications, evaluating candidates) and for employment decisions (promotion, termination, task allocation, performance monitoring) as high-risk under Annex III. On top of that: GDPR Article 22 limits solely-automated decisions with significant effects, and bias-audit rules for automated hiring tools are spreading (e.g. New York City's Local Law 144). As a deployer of a hiring tool you carry obligations too — human oversight, monitoring and following the provider's instructions.

The risks

Where hiring AI goes wrong

Each of these is a discrimination complaint, a regulator question or a reputational hit waiting to happen:

Hidden and proxy discrimination

Models trained on historical hiring data learn historical bias; neutral-looking features (postcode, career gaps, name) become proxies for protected characteristics.

Unexplainable rejections

Candidates filtered out by a score no one can explain — a direct problem under GDPR and the AI Act's transparency duties.

Fully automated screening

Auto-rejection with no human review can breach GDPR Article 22 and the human-oversight expectations of the standard.

CV-parsing and ranking errors

Parsing mistakes and brittle ranking logic silently drop qualified applicants.

Opaque vendor tools

Most HR AI is bought, not built — yet accountability for its outcomes stays with you.

Worker monitoring overreach

Performance and productivity monitoring AI raises fairness, privacy and works-council issues.

How ISO/IEC 42001 covers it

The controls and templates that matter most here

The toolkit maps each hiring-AI risk to a specific Annex A control and a ready-made document:

Annex A controlToolkit documentWhy it matters
A.5 — Impact assessmentAI Impact Assessment (RISK-TPL-01)Assess the effect on candidates and employees before a tool goes live — the core evidence a regulator will ask for.
A.7.4 — Bias & fairnessBias and Fairness Assessment Record (DATA-TPL-05)Structured, documented evaluation of whether outcomes disadvantage protected groups, with ongoing drift monitoring.
A.9.3 — Human oversightHuman Oversight Plan (USE-PLN-01)Guarantee a human reviews and can override hiring decisions — the answer to GDPR Article 22.
A.8.2 — TransparencyAI Transparency Notice (INF-TPL-01)Tell candidates when and how AI is used in the process, in plain language.
A.2 — AI policy & prohibited useAI Policy + Acceptable Use Policy (GOV-POL-01 / USE-POL-01)Define what you will not automate (e.g. no fully automated rejection) and set the rules for HR tool use.
A.10 — Third-party AIVendor AI Questionnaire + Third-Party Register (TPR-TPL-01 / TPR-REG-01)Due-diligence your ATS/hiring-AI vendors and record where responsibility sits.

How to get there

From hiring-AI exposure to a defensible system

  1. 1

    Inventory every AI tool touching recruitment and HR (including the unofficial ones) in the AI System Register.

  2. 2

    Run an impact assessment and a bias & fairness assessment on each high-stakes tool.

  3. 3

    Put human oversight, transparency notices and a clear prohibited-use line in place.

  4. 4

    Set monitoring for drift and adverse impact, and review at a fixed cadence.

Questions

HR & recruitment — quick answers

We only use a third-party ATS with AI features — are we still on the hook?

Yes. As the deployer you carry obligations for human oversight, transparency and monitoring, and accountability for outcomes stays with you even though you didn't build the model. ISO 42001 gives you the vendor due-diligence and oversight controls to manage exactly that.

Does this mean we can't automate screening at all?

No — it means automated screening needs a documented impact and bias assessment, meaningful human review, candidate transparency, and a line you won't cross (e.g. no fully automated rejection). The standard makes responsible automation defensible.

How does this relate to the EU AI Act timeline?

Recruitment and worker-management AI are Annex III high-risk; those obligations now apply from 2 December 2027 after the 2026 Digital Omnibus, while transparency duties arrive earlier. The requirements didn't shrink — building the system now is the calm route.

Make your hiring AI defensible

The toolkit ships the impact assessment, bias & fairness record, human-oversight plan, transparency notice and vendor questionnaire — ready to tailor to your recruitment stack.