
Why IT departments should not sit in open-plan offices

Open-plan offices have become a trend in recent years. The idea is to promote collaboration, flexibility, and communication. And there is no doubt that this setup has benefits:

  • collaboration becomes easier, since you can quickly ask the colleague next to you

  • knowledge sharing happens naturally and informally

  • it builds team spirit and a sense of community

  • communication flows faster, and problems can often be solved on the spot

For many departments this can work well. But for an IT department, an open-plan office is a direct security risk.

The risks of open spaces

IT staff handle information that is critical to the business: system configurations, logs, network diagrams, and security incidents. When these tasks are carried out in an open office environment, the risk of unauthorized access increases significantly.

This is particularly important for functions such as the CISO or the Security Operations Center (SOC), where staff may be dealing with ongoing incidents, threat intelligence, or forensic data. Such information should never be visible or overheard in an environment where guests, contractors, or even other employees without clearance can pass by.

The classic example is “shoulder surfing” – someone glancing at sensitive content on a screen. Equally problematic is the risk that confidential conversations are overheard.

Another often overlooked risk is sound leakage: in open-plan offices, a customer on the phone may also hear conversations from nearby desks, unless very advanced headsets with strong noise isolation are used. This means sensitive discussions between colleagues can unintentionally be shared with external parties.

ISO 27001:2022 – why open-plan is a problem

ISO 27001:2022 highlights several controls that all point to the same issue: sensitive information must be protected from unauthorized access. Open-plan offices make this nearly impossible.

  • Physical security perimeters

  • Physical entry controls

  • Clear desk and clear screen

  • Information security in supplier relationships

Real-life scenarios show how quickly these controls can fail in practice:

  • a visitor waiting for a meeting can easily photograph notes, diagrams, or printouts left on a desk

  • a contractor or job candidate passing by may glimpse a screen just as someone opens an attachment, not realizing that its first page contains confidential information

  • when an IT employee locks their computer to get a coffee or use the restroom, they may leave documents on their desk – one quick smartphone photo is enough to capture that information permanently

  • suppliers or service providers moving through the office may unintentionally gain visibility into data they should never have access to

It is also worth noting that other standards and frameworks – such as GDPR, NIS2, NIST, CIS Controls, and NSM grunnprinsipper (Norway) – point in the same direction, emphasizing the need for physical protection of sensitive information and controlled access to workplaces.

Other departments should also reconsider

It is not only IT that should think twice about open-plan setups. Departments handling sensitive information face similar risks, for example:

  • HR – managing personal data, employment contracts, and health-related information

  • Legal/Compliance – working with confidential documents and internal investigations

  • Finance – handling accounting, banking, and budget data

  • Executive/Strategy – discussing mergers, strategic plans, or other confidential information

  • Research & Development – working on products, designs, or innovations that may be patented or involve intellectual property

  • Customer support – handling customer records, tickets, and sometimes payment details

  • Project teams for mergers & acquisitions – where leaks can have major financial consequences

All these functions risk exposing information if their workspaces are too open and accessible.

Real-world observations

When walking the streets of Oslo or Bergen, I often see offices on the ground floor with large windows facing the street. It is surprising how easy it is to see what people are working on. With today’s smartphone cameras, it takes no effort to take pictures or record video from the sidewalk – or even from a hotel room across the street.

The question is: do these companies think about security at all? It is frighteningly easy for outsiders to gain insight into customer data, accounting systems, or even online banking screens.

Conclusion

Open-plan offices can bring real benefits such as collaboration, flexibility, and stronger team dynamics. But for departments dealing with sensitive information – especially IT – the risks outweigh the benefits.

An IT department should therefore never sit in an open-plan office if guests, contractors, or even passersby can gain visibility. The same applies to HR, Legal, Finance, R&D, Customer Support, and Executive functions.

Physical segregation is not only common sense – it is a requirement for ISO 27001 compliance and a cornerstone of a strong security culture.