

If your organisation uses Microsoft 365, SharePoint is probably already home to most of your company documents, policies included. For a number of small and mid-sized businesses, that’s where it stays: SharePoint is what they have, it does the job well enough day-to-day, staff know where to look for policies, and the question of whether SharePoint is actually sufficient for proper policy management never comes up.
But the landscape has changed. ISO certification – ISO 9001,ISO 27001 – is increasingly a condition of winning or retaining business. Enterprise customers are auditing their supply chains, including their smaller suppliers, and asking for evidence of policy governance before they’ll sign a contract or renew a new one. Regulators are raising the bar too – the SRA, CQC,ICO, and FCA are all expecting organisations to evidence their policy management in ways that would have felt disproportionate a decade ago.
What that means in practice is that SharePoint – which was a perfectly reasonable answer to “where do we keep our policies?” – is now being asked to do something it wasn’t built for.
This post walks through exactly what SharePoint can and can’t do for policy management.
SharePoint is a reasonable starting point for many organisations — particularly small to mid-sized businesses with a low volume of policies who don't face external audits or inspections from customers, regulators, or certification bodies. Here's what it genuinely does well:
SharePoint gives you a central, secure place to store policies, organised into sites and folders. You can control who can edit documents and who gets read-only access which is useful for making sure policies aren’t accidentally changed by people who shouldn’t be editing them. However, there are limits to how granular access control gets without IT involvement, more on that below.
If your team already lives in Teams, Outlook, and uses Office 365 tools like Microsoft Word and Excel, SharePoint sits inside that same environment. Staff can access policies without logging into a separate system.
Most people have used SharePoint before, or work in it daily. That means when you upload policies there, staff are likely to find and open them without the need for training. Compared to introducing a new platform, the adoption barrier is low.
If you’re already paying for Microsoft 365, storing policies in SharePoint adds nothing further to your bill. Microsoft 365 Business Basic starts at £4.90 per user per month, Business Standard at £.940 per user per month. At those tiers, SharePoint is included.
The caveat is that Microsoft 365 is a layered product, and the compliance-related features relevant to policy management sit behind higher licence tiers. Microsoft Purview – Microsoft’s compliance management suite, which includes audit logging and data retention – requires Microsoft 365 E3,which starts at around £28.10 per user per month. This is a significant step up.
So, while SharePoint itself is effectively free if you’re already in the Microsoft ecosystem, the features that make it more useful for governance and compliance come at an additional cost that isn’t always obvious upfront.
SharePoint is a document storage tool. It does that job well. But storing a policy and managing a policy are not the same thing. Policy management means ensuring a policy is up-to-date, compliant with regulations or standards, version history is captured and recorded, and staff are aware of the latest version of a policy – not just the version that was in circulation when they went through their onboarding.
Here’s specifically what SharePoint can’t do natively:
Uploading a policy to SharePoint creates no record that anyone has read it. SharePoint can tell you a file exists, when it was uploaded to a folder or site, and who has permission to view it – nothing more. When an auditor, inspector, employment tribunal, or insurer asks for evidence that staff – or a particular staff member – has read a policy, you don’t have an answer if you’re only using SharePoint.
There’s no mechanism to send a policy to specific people, require them to confirm they’ve read and agreed to it, and record that confirmation with an immutable timestamp linked to the specific version of a policy. If you’re using SharePoint, that process has to be built manually – usually with a combination of email chasers, calendar reminders, and a spreadsheet – or bought separately.
Word documents show when a file was saved and by whom. That’s it. There’s no record of what the content of V2 was, or what changed between V2 and V3 of a policy. This is a compliance gap for both ISO 9001 and ISO 27001 which share the same document control requirement under Clause 7.5 — not just that documents are versioned, but that changes are identified and the reasons for changes are documented. For staff being asked to re-read an updated policy with no indication of what’s different and what they need to pay attention to, it’s also just poor practice.
Most standards require policies to be reviewed at least annually. SharePoint has no way to schedule that, remind the document owner, or record that the annual review happened. In practice, this means review cycles typically live in a spreadsheet with a calendar reminder – and quietly lapse when the person responsible is busy, or leaves the company.
With SharePoint, it's pretty straightforward to control access at site and folder level. But, restricting access to individual documents within a folder requires breaking permission inheritance which, without IT support, usually doesn’t get done properly.
ISO 27001 and good policy management practice both expect documents to be classified, e.g. Public, Internal, Sensitive, Confidential. In SharePoint, on Business Basic or Business Standard, the only practical way to do this is by appending labels to folder names and file names manually “Data Protection Policy – INTERNAL”, etc. It’s entirely dependent on whoever creates or moves the file or folder remembering to do it consistently and in line with the company’s Information Classification Policy. Proper sensitivity labels in SharePoint require at minimum Microsoft 365 Business Premium(£16.60/user/month) for manual labelling, or E5 (around £54.80/user/month) for automatic labelling. For most SMBs on Microsoft Basic or Standard, that’s a significant jump in costs for a feature that a purpose-built policy management tool includes as standard.
The net result is this: if you want to use SharePoint for policy management rather than document storage, you have three options:
The question is: if you’re going to invest that time, money, and complexity into remoulding SharePoint from a DMS – why not just use a dedicated policy management tool?
The shift from SharePoint to a dedicated policy management platform isn’t an increase in complexity – it’s a reduction of it.
A purpose-built policy management tool like Dayspring Software is built around the jobs SharePoint can’t do without custom configuration or hours of manual admin. The things that would consume weeks of your team's time are handled:
SharePoint is good for document storage. If you’re already on Microsoft 365, it’s a perfectly reasonable place to keep your policies – particularly for a small team who don’t face external audits or regulatory inspections, or receive vendor questionnaires asking for copies of policies and proof of policy management.
But, document storage and policy management are different jobs. If you need to prove you’re your policies are up-to-date, reviewed on a schedule, that changes between versions are recorded and explained, and that the right people have read them – SharePoint is a foundation to build on, not a finished system. And building on it costs significant time, money, or both.
For organisations under audit, inspection, or certification pressure, the question isn’t whether SharePoint is a good product. The question is whether it’s the right tool for them to use for policy management specifically. And the answer comes down to what auditors actually ask:
SharePoint doesn’t have good answers to any of those questions without layering significant work on top of it. A purpose-built tool like Dayspring does.
Want to see what purpose-built policy management looks like for a small team? Dayspring is built specifically for SMBs – no implementation time, no hidden costs, no compliance or IT expertise required. Start a 30-day free trial, or book a demo.
Can SharePoint be used for ISO 9001 and ISO 27001 document control?
Partially. Word files stored in SharePoint record when a document was saved and by whom, and you can restrict access at site level —both of which address some requirements under ISO 9001 Clause 7.5 and ISO 27001Clause 7.5. But both standards also require that changes between versions are identified and the reasons for changes are documented — and SharePoint doesn't capture that. There's also no native review cycle, no automated reminders, and no way to produce an audit-ready evidence pack without building something custom on top.
In practice, most UK organisations trying to use SharePoint for ISO certification end up maintaining manual spreadsheets to track versions and review dates, chasing acknowledgements over email, and reconstructing change history before each audit. It's possible, but it's a significant ongoing administrative burden — and it's exactly the kind of fragile, person-dependent process that auditors notice.
Does SharePoint track which staff have read and agreed to policies?
No. SharePoint can show that someone had access to a document, but it cannot record that a specific person read and agreed to a specific version of a policy – or indeed any policy at all.
What’s the difference between SharePoint version history and document version control?
SharePoint's version history records when a file was saved and by whom. That's it. True document version control — as required by ISO 9001 and ISO 27001 — additionally captures what specifically changed between versions, why it changed, and who approved the change.
What should I use instead of SharePoint for policy management?
Purpose-built policy management tools are designed for the specific evidence requirements that SharePoint can’t meet natively. For small to mid-sized organisations, Dayspring Software covers staff acknowledgement tracking, version control with change notes, scheduled annual review cycles, and audit-ready reporting – with no implementation period or costs, and an interface suitable for non-technical users.
Get the latest articles, insights, and updates delivered straight to your inbox.