- In the home office, the employee is responsible for the physical security of their workspace. The organization must define the rules and make compliance verifiable.
- A lockable room or at least a lockable cabinet for company hardware and documents is the minimum requirement.
- Screen lock, privacy filter, and separating personal and professional use are fundamental technical measures.
- Confidential documents must not be disposed of in household waste. Employees need a solution for secure destruction.
- A home office agreement governs mutual obligations and creates the basis for verifying compliance with security measures.
The office moves home — and so does the risk
Since the pandemic, home office is no longer an exception for many organizations but the norm. What started as an emergency measure has become a permanent fixture of working life. From an information security perspective, this brings a fundamental challenge: in the office, you control the physical environment. In the employee's home office, you do not.
In the office, there is access control, lockable cabinets, document shredders, a stable network infrastructure, and clear rules. In the home office, there is the kitchen table, the family, visiting friends, the tradesperson, and the parcel delivery driver. Confidential phone calls take place within earshot of the partner. The company laptop sits next to the children's toys. And the personnel file is on the coffee table because the desk is too full.
This is not an argument against home office. It is meant to make clear that physical security in the home office does not happen by itself but must be consciously designed.
What the standards require
ISO 27001:2022 covers telework and remote working in control A.6.7 (Remote Working). The control requires that security measures be implemented when personnel work outside the organization's premises, to protect access to, processing of, and storage of information outside the business premises. Physical security is explicitly mentioned.
Additionally, A.7.9 (Security of Assets Off-Premises) requires that assets outside the business premises be protected, taking into account the different risks of working outside the premises.
BSI IT-Grundschutz dedicates the modules INF.9 (Mobile Workspace) and OPS.1.2.4 (Telework) to the topic. Both modules contain detailed requirements for physical security at the home workspace.
DSGVO (GDPR) requires appropriate technical and organizational measures regardless of where data processing takes place. Personal data must be protected in the home office just as it is in the office.
The workspace: Setup and requirements
The ideal home office workspace
A separate, lockable room is the best prerequisite for a secure home office workspace. The door can be closed for confidential conversations. The room can be locked when leaving, so family members, roommates, or visitors have no access to company hardware and documents. And you have a clear spatial separation between work and personal life.
The reality in many households is different: not everyone has a separate study. Many work at the kitchen table, in the living room or bedroom, or in a corner of the hallway. This is not ideal but also not a disqualifier for secure work if the following minimum requirements are met.
Minimum requirements
Lockable cabinet or lockable drawer: If no separate room is available, the employee needs at minimum a lockable storage option for company hardware (laptop, external hard drive, USB sticks), company documents in paper form, and company ID or access cards.
Visual privacy: The screen must be positioned so that other persons in the room cannot read its content. For workstations by a window (ground floor!) or in shared rooms, a privacy filter is recommended — it restricts the viewing angle so only the person directly in front of the screen can see the content.
Telephone confidentiality: Confidential phone calls and video conferences should only be conducted when it is ensured that no unauthorized persons can overhear. This means: close the door, use headphones, and if that is not possible, reschedule the call.
Tidy workspace: The Clean Desk Policy also applies in the home office. At the end of the workday, confidential documents are locked away and the screen is locked, exactly as it would be in the office.
Protecting hardware
Theft protection
In the office, hardware is protected by access control and possibly Kensington locks. In the home office, protection against burglary and theft is significantly lower. Recommended measures include full-disk encryption on all company laptops and external data carriers, so that no data is exposed if a device is stolen. The laptop should be stored in a lockable cabinet, or at least out of sight, during longer absences (vacation, weekends). Hardware should not be left in the car, not even "just for a moment." The serial numbers of all devices in the home office must be documented so that a precise loss report can be made in the event of theft or damage.
Separating personal and professional use
Company hardware should not be used privately and private hardware not for business purposes, unless there is an explicit BYOD policy (Bring Your Own Device) with appropriate technical measures such as container solutions, MDM (Mobile Device Management), or virtual desktops.
The company laptop is not a toy for the children. No family Netflix. No downloading games. Any personal use increases the risk of malware infection and complicates the response in case of a security incident.
Network security
The home Wi-Fi network is generally less secure than the corporate network. Basic requirements for the home network include WPA3 encryption (at minimum WPA2) with a strong password, a current router with up-to-date firmware, and a separate Wi-Fi network for guests and IoT devices so the company laptop is not on the same network as the smart light bulb and the robot vacuum. VPN use for accessing corporate resources should be mandatory, not optional. And public Wi-Fi networks (cafes, hotels, trains) should only be used via VPN.
Documents and data
Minimization principle
In the home office, only the documents needed for current work should be present. Complete client files, entire personnel folders, or extensive contract portfolios do not belong permanently in the home. Digital work reduces the risk: when documents stay on the company server and are only accessed via VPN, no physical copies need to be transported home.
Transporting documents
When physical documents must be transported between the office and home office, carry them in a locked bag — not loose in a backpack. Confidential documents should not be read on public transport, at least not without a privacy filter. And the transport should be documented: which documents were taken and when they were returned.
Disposal in the home office
Confidential documents must not be disposed of in household waste — secure disposal is mandatory. There are three options: a personal document shredder in the home office (at least security level P-3), bringing documents to the office for destruction there, or a locked collection container that is brought to the office at the next in-person visit and destroyed there. For occasional home office work, the second or third option is sufficient. For permanent home office arrangements, investing in a personal shredder makes sense — the cost should be borne by the organization.
Video conferences: The underestimated risk
Video conferences in the home office bring specific risks that do not occur, or barely occur, in the office.
Background: What does the camera see? A whiteboard with confidential notes? A screen with open documents? Sticky notes with passwords? Children running into the frame, revealing that you are not alone? Use virtual backgrounds or ensure the camera frame does not show sensitive information.
Eavesdropping: Who is in the same room or next door? Thin walls and open doors let through more than you think. Use headphones so at least the conversation partners cannot be heard through the speaker. Close the door and inform housemates that you are in a confidential call.
Screen sharing: When sharing the screen, private notifications, email subject lines, or open tabs can accidentally become visible. Activate "Do Not Disturb" mode and always share only the specific window, not the entire screen.
The home office agreement
The foundation for all measures is a written home office agreement between the organization and the employee. This agreement governs mutual obligations and creates the basis for the organization to require and verify compliance with security measures.
Contents of the agreement
Workspace requirements: Description of minimum requirements for the home workspace as described above.
Hardware and software: Which devices are provided by the organization? Which personal devices may be used? Which software must be installed (VPN, antivirus, full-disk encryption)?
Handling documents: Rules for transporting, storing, and destroying company documents in the home office.
Data protection: Obligation to comply with GDPR and organizational data protection policies.
Right of inspection: The organization's right to verify compliance with security measures. This right of inspection must be proportionate and agreed upon with the employee. A spontaneous home visit by the ISO (Information Security Officer) is in most cases neither legally permissible nor practical. Instead, you can work with a self-assessment via checklist (e.g., quarterly), photo documentation of the workspace (voluntary), and remote checks of technical measures (full-disk encryption active, VPN configured, operating system up to date).
Incident reporting obligation: Obligation to immediately report security incidents in the home office (theft, loss, unauthorized access, malware).
Liability and insurance: Who is liable for damage to or loss of company property in the home office? Is company hardware covered by the employee's household insurance, or does the organization have its own insurance?
Training and awareness
The best rules are useless if employees do not know them or do not understand why they matter. Integrate physical security in the home office into your security awareness training.
Use concrete scenarios: Not "Protect confidential information" but "When you go to the bakery in the morning, lock the laptop away, even if you're only gone five minutes. In five minutes, someone can plug in a USB stick and copy data."
Show empathy: Many employees perceive security requirements in the home office as distrust. Explain that it is not about control but about protecting everyone involved — including the employee themselves.
Offer practical help: Recommend specific products (lockable cabinets, privacy filters, document shredders) and cover the costs or offer a subsidy. An employee who must pay 30 euros for a privacy filter out of pocket will probably not buy one.
Checklist: Physical security in the home office
The following checklist can be used as a basis for employee self-assessment.
Workspace: Separate study or lockable area available? Lockable cabinet or drawer for hardware and documents? Screen positioned so third parties cannot read along? Privacy filter if needed (window, open environment)?
Hardware: Full-disk encryption active? Screen lock configured (maximum 5 minutes)? Hardware locked away or secured when absent? No personal use of company hardware?
Network: Wi-Fi with WPA2/WPA3 and strong password? Router firmware up to date? VPN configured for accessing corporate resources?
Documents: No confidential documents permanently in the home office? Confidential documents locked away at the end of the workday? Disposal option for confidential documents available (shredder or bring to office)?
Behavior: Screen locked when leaving the workstation? Confidential calls only without eavesdroppers? No company documents in household waste? Security incidents reported immediately?
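As an added example (not part of the original article, and not code from ISMS Lite), the following Python script evaluates endpoint records against the remote-check items named under the right of inspection above and the hardware and network items of the checklist: full-disk encryption, VPN, screen lock within 5 minutes, operating system up to date, Wi-Fi on WPA2/WPA3, and a confirmed self-assessment. The record format and field names are assumptions, the 30-day patch window is an assumed threshold (the article only says "up to date"), and the sample records are constructed. Missing data is treated as a finding rather than silently passing.

```python
"""Evaluate home-office endpoint records against the policy items from the article.

Added example. Record layout, field names and the 30-day patch window are
assumptions, not an existing ISMS Lite data model.
"""
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Thresholds taken from the article: screen lock <= 5 minutes, WPA2/WPA3 only.
MAX_SCREEN_LOCK_MINUTES = 5
ACCEPTED_WIFI = {"WPA2", "WPA3"}
# The article only requires an "up to date" OS; 30 days is an assumed window.
MAX_PATCH_AGE_DAYS = 30

# Constructed sample records (JSON Lines), as an MDM export or self-assessment
# form might deliver them. "null" marks data the endpoint did not report.
SAMPLE_RECORDS_JSONL = """
{"device_id": "LT-0001", "user": "a.mueller", "fde_enabled": true, "vpn_configured": true, "screen_lock_minutes": 3, "os_patch_date": "2025-05-20", "wifi_security": "WPA3", "self_assessment_confirmed": true}
{"device_id": "LT-0002", "user": "b.schmidt", "fde_enabled": false, "vpn_configured": true, "screen_lock_minutes": 15, "os_patch_date": "2025-05-25", "wifi_security": "WEP", "self_assessment_confirmed": true}
{"device_id": "LT-0003", "user": "c.weber", "fde_enabled": true, "vpn_configured": false, "screen_lock_minutes": 5, "os_patch_date": "2025-03-01", "wifi_security": "WPA2", "self_assessment_confirmed": false}
{"device_id": "LT-0004", "user": "d.fischer", "fde_enabled": true, "vpn_configured": true, "screen_lock_minutes": null, "os_patch_date": null, "wifi_security": null, "self_assessment_confirmed": true}
"""

# Constructed reporting date, so the patch-age check is deterministic.
REPORT_DATE = date(2025, 6, 1)


@dataclass
class EndpointRecord:
    device_id: str
    user: str
    fde_enabled: bool
    vpn_configured: bool
    screen_lock_minutes: Optional[int]
    os_patch_date: Optional[date]
    wifi_security: Optional[str]
    self_assessment_confirmed: bool


def load_records(jsonl: str) -> List[EndpointRecord]:
    """Parse JSON Lines into records; ISO dates become date objects, null stays None."""
    records = []
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        patch = raw.get("os_patch_date")
        raw["os_patch_date"] = date.fromisoformat(patch) if patch else None
        records.append(EndpointRecord(**raw))
    return records


def evaluate(record: EndpointRecord, today: date) -> List[str]:
    """Return the list of policy findings for one endpoint (empty list = compliant)."""
    findings = []
    if not record.fde_enabled:
        findings.append("full-disk encryption not active")
    if not record.vpn_configured:
        findings.append("VPN client not configured")
    # Unreported values are findings: the check must prove compliance, not assume it.
    if record.screen_lock_minutes is None or record.screen_lock_minutes > MAX_SCREEN_LOCK_MINUTES:
        findings.append("screen lock missing or longer than %d minutes" % MAX_SCREEN_LOCK_MINUTES)
    if record.os_patch_date is None or (today - record.os_patch_date).days > MAX_PATCH_AGE_DAYS:
        findings.append("operating system patch state unknown or older than %d days" % MAX_PATCH_AGE_DAYS)
    if record.wifi_security not in ACCEPTED_WIFI:
        findings.append("home Wi-Fi not using WPA2/WPA3")
    if not record.self_assessment_confirmed:
        findings.append("self-assessment checklist not confirmed")
    return findings


def compliance_report(records: List[EndpointRecord], today: date) -> Dict[str, List[str]]:
    """Map each device id to its findings; this is the evidence an auditor asks for."""
    return {r.device_id: evaluate(r, today) for r in records}


def summarize(report: Dict[str, List[str]]) -> Dict[str, int]:
    """Count compliant and non-compliant endpoints for the management summary."""
    non_compliant = sum(1 for findings in report.values() if findings)
    return {"compliant": len(report) - non_compliant, "non_compliant": non_compliant}


def run_demo() -> Dict[str, List[str]]:
    """Evaluate the constructed sample records against the constructed report date."""
    return compliance_report(load_records(SAMPLE_RECORDS_JSONL), REPORT_DATE)


if __name__ == "__main__":
    demo = run_demo()
    for device, findings in demo.items():
        print(device, "OK" if not findings else "; ".join(findings))
    print(summarize(demo))
```

Findings are kept per device and per item rather than collapsed into a single pass/fail flag, because the follow-up differs: a missing VPN profile is an IT ticket, an unconfirmed self-assessment is a reminder to the employee, and an unencrypted disk is an incident to be addressed immediately.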
Monitoring and evidence
In an internal or external audit, you must be able to demonstrate that you have identified the risks of home office work and taken appropriate measures. This does not mean you must personally inspect every home office workspace. It means that you have a documented home office policy that addresses the risks, that employees have verifiably received and understood the policy (signature or electronic confirmation), that you regularly (e.g., annually) verify compliance (self-assessment, remote checks), and that violations and incidents are documented and addressed.
The combination of a clear policy, regular training, technical controls (full-disk encryption, mandatory VPN), and documented self-assessment is sufficient and proportionate in most audits. In ISMS Lite, home office policy, self-assessment checklists, and training records can be managed in one place and verifiably distributed to employees.
From stopgap to professional remote workspace
Physical security in the home office is not an unsolvable problem, but it requires conscious design. Most measures are simple and inexpensive: buy a lockable cabinet, apply a privacy filter, update the router, lock the screen. The real challenge lies in sharpening employee awareness and embedding the measures in daily routines.
As an organization, you bear the responsibility to define the rules, provide the infrastructure, and verify compliance. You cannot and should not burden employees with sole responsibility; instead, support them with clear guidelines, concrete assistance, and appropriate equipment. Then the home office does not become a security gap but a professional workspace that meets the same standards as the office.
Further reading
- Secure remote work: Securing home office and mobile work
- Clean Desk Policy: Why the tidy desk belongs in your ISMS
- Secure disposal: How to properly destroy hard drives, documents, and hardware
- Mobile device policy and BYOD: Smartphones and tablets in the enterprise
- Building and maintaining a security awareness program
