Latest
Policy Management
December 15, 2025
8 minute read

SharePoint for Policy Management: What It Can and Can’t Do

Imogen Eden
CEO at Dayspring Software

If your organisation uses Microsoft 365, SharePoint is probably already home to most of your company documents, policies included. For a number of small and mid-sized businesses, that’s where it stays: SharePoint is what they have, it does the job well enough day-to-day, staff know where to look for policies, and the question of whether SharePoint is actually sufficient for proper policy management never comes up.

But the landscape has changed. ISO certification – ISO 9001,ISO 27001 – is increasingly a condition of winning or retaining business. Enterprise customers are auditing their supply chains, including their smaller suppliers, and asking for evidence of policy governance before they’ll sign a contract or renew a new one. Regulators are raising the bar too – the SRA, CQC,ICO, and FCA are all expecting organisations to evidence their policy management in ways that would have felt disproportionate a decade ago.

What that means in practice is that SharePoint – which was a perfectly reasonable answer to “where do we keep our policies?” – is now being asked to do something it wasn’t built for.

This post walks through exactly what SharePoint can and can’t do for policy management.

What SharePoint Does Well

SharePoint is a reasonable starting point for many organisations — particularly small to mid-sized businesses with a low volume of policies who don't face external audits or inspections from customers, regulators, or certification bodies. Here's what it genuinely does well:

1. Document Storage

SharePoint gives you a central, secure place to store policies, organised into sites and folders. You can control who can edit documents and who gets read-only access which is useful for making sure policies aren’t accidentally changed by people who shouldn’t be editing them. However, there are limits to how granular access control gets without IT involvement, more on that below.

2. Integration with the Microsoft Ecosystem

If your team already lives in Teams, Outlook, and uses Office 365 tools like Microsoft Word and Excel, SharePoint sits inside that same environment. Staff can access policies without logging into a separate system.

3. Familiarity

Most people have used SharePoint before, or work in it daily. That means when you upload policies there, staff are likely to find and open them without the need for training. Compared to introducing a new platform, the adoption barrier is low.

4. Cost

If you’re already paying for Microsoft 365, storing policies in SharePoint adds nothing further to your bill. Microsoft 365 Business Basic starts at £4.90 per user per month, Business Standard at £.940 per user per month. At those tiers, SharePoint is included.

The caveat is that Microsoft 365 is a layered product, and the compliance-related features relevant to policy management sit behind higher licence tiers. Microsoft Purview – Microsoft’s compliance management suite, which includes audit logging and data retention – requires Microsoft 365 E3,which starts at around £28.10 per user per month. This is a significant step up.

So, while SharePoint itself is effectively free if you’re already in the Microsoft ecosystem, the features that make it more useful for governance and compliance come at an additional cost that isn’t always obvious upfront.

Where SharePoint Stops Working Well for Policy Management

SharePoint is a document storage tool. It does that job well. But storing a policy and managing a policy are not the same thing. Policy management means ensuring a policy is up-to-date, compliant with regulations or standards, version history is captured and recorded, and staff are aware of the latest version of a policy – not just the version that was in circulation when they went through their onboarding.

Here’s specifically what SharePoint can’t do natively:

1. SharePoint Can’t Prove Staff Read and Agreed to a Policy

Uploading a policy to SharePoint creates no record that anyone has read it. SharePoint can tell you a file exists, when it was uploaded to a folder or site, and who has permission to view it – nothing more. When an auditor, inspector, employment tribunal, or insurer asks for evidence that staff – or a particular staff member – has read a policy, you don’t have an answer if you’re only using SharePoint.

2. SharePoint Has No Staff Acknowledgement & Policy Distribution Workflow

There’s no mechanism to send a policy to specific people, require them to confirm they’ve read and agreed to it, and record that confirmation with an immutable timestamp linked to the specific version of a policy. If you’re using SharePoint, that process has to be built manually – usually with a combination of email chasers, calendar reminders, and a spreadsheet – or bought separately.

3. SharePoint Doesn’t Record What Changed Between Versions

Word documents show when a file was saved and by whom. That’s it. There’s no record of what the content of V2 was, or what changed between V2 and V3 of a policy. This is a compliance gap for both ISO 9001 and ISO 27001 which share the same document control requirement under Clause 7.5 — not just that documents are versioned, but that changes are identified and the reasons for changes are documented. For staff being asked to re-read an updated policy with no indication of what’s different and what they need to pay attention to, it’s also just poor practice.

4. SharePoint Has No Policy Review Cycle or Reminder System

Most standards require policies to be reviewed at least annually. SharePoint has no way to schedule that, remind the document owner, or record that the annual review happened. In practice, this means review cycles typically live in a spreadsheet with a calendar reminder – and quietly lapse when the person responsible is busy, or leaves the company.

5. Document-Level Access Control is Complicated

With SharePoint, it's pretty straightforward to control access at site and folder level. But, restricting access to individual documents within a folder requires breaking permission inheritance which, without IT support, usually doesn’t get done properly.

6. Information Classification Labels Require Manual Workarounds or Higher Licence Tiers

ISO 27001 and good policy management practice both expect documents to be classified, e.g. Public, Internal, Sensitive, Confidential. In SharePoint, on Business Basic or Business Standard, the only practical way to do this is by appending labels to folder names and file names manually “Data Protection Policy – INTERNAL”, etc. It’s entirely dependent on whoever creates or moves the file or folder remembering to do it consistently and in line with the company’s Information Classification Policy. Proper sensitivity labels in SharePoint require at minimum Microsoft 365 Business Premium(£16.60/user/month) for manual labelling, or E5 (around £54.80/user/month) for automatic labelling. For most SMBs on Microsoft Basic or Standard, that’s a significant jump in costs for a feature that a purpose-built policy management tool includes as standard.

The net result is this: if you want to use SharePoint for policy management rather than document storage, you have three options:

  1. You can run manual processes: spreadsheets tracking versions, review dates and staff acknowledgements; emails distributing policies and chasing acknowledgements; calendar reminders reminding policy owners of annual review deadlines. Organisations that go down this route typically spend hundreds of hours each year on admin busywork that a purpose-built tool would handle automatically, and produce more robust, audit-ready evidence for.
  2. You can build and maintain customisations: Power Automate workflows for annual review reminders, Power Apps for acknowledgement tracking, custom metadata schemas for version control. This requires IT resource to build and maintain customisations, and consistently train the team on maintaining it so it’s not dependent on a single person.
  3. You can layer in additional tools and add on licences: You can purchase additional, higher tier Microsoft licences, third-party plugins, and compliance add-ons. At which point you’re paying for and managing multiple tools to do a job that one lightweight, dedicated tool would do on its on.

The question is: if you’re going to invest that time, money, and complexity into remoulding SharePoint from a DMS  – why not just use a dedicated policy management tool?

When SharePoint Works for Policy Management – And When It Doesn’t

SharePoint Works for Teams Who:

  • Don’t face external audits or regulatory inspections.
  • Are a small team (fewer than 10 staff) who have a few company policies to manage.
  • Are a large team with a dedicated IT function to build and maintain custom workflows on top of SharePoint.
  • Are a large team with a dedicated compliance team with lots of hours available to run manual tracking processes alongside SharePoint.
  • Have the budget to significantly increase the cost of their Microsoft licence estate, add customisations, and layer in third-party tools.

SharePoint Doesn’t Work for Teams Who:

  • Face regulatory inspections or oversight – SRA, CQC, FCA, ICO or Ofsted – and need to demonstrate that policies are up-to-date and formally communicated to staff.
  • Are suppliers to large enterprises and need to respond to vendor due diligence questionnaires and RFI questions with copies of their policies and information and evidence detailing their policy management process.
  • Are pursuing or maintaining ISO 9001, ISO 27001, or similar certifications to win or retain contracts and need to demonstrate document control at the annual audits.
  • Need, or want, to prove staff have read and agreed to specific versions of policies.
  • Hold cyber insurance or professional indemnity insurance – both increasingly require evidence of policy management, staff awareness, and documented policy review cycles as a condition of coverage or a claim.
  • Do not have a dedicated IT function to build and maintain custom SharePoint workflows and integrations.
  • Do not have a dedicated compliance team with the bandwidth for managing manual tracking processes across Office 365 tools and SharePoint.

What a Purpose-Built Policy Management Tool Gives You:

The shift from SharePoint to a dedicated policy management platform isn’t an increase in complexity – it’s a reduction of it.

A purpose-built policy management tool like Dayspring Software is built around the jobs SharePoint can’t do without custom configuration or hours of manual admin. The things that would consume weeks of your team's time are handled:

  • Policy Distribution & Staff Acknowledgement Tracking: Distribution, automated chaser emails, and timestamped acknowledgement records for each version of a policy run automatically, without anyone chasing replies over email or needing to update a spreadsheet or cobble together screenshots in a SharePoint folder.
  • Version History: Out-of-the-box, user-friendly workflows ensure that “change notes” (i.e. what changed between the previous and the new version of a policy) are captured and automatically added to the policy’s exportable version history report, and shown to staff for additional context when they’re asked to re-read and re-acknowledge the policy.
  • Annual Policy Review Cycles: For every policy, you can enable or disable annual review with a toggle rather than a Power Automate build. When annual review is due, the policy owner is reminded and chased automatically and guided through an easy-to-follow policy review workflow.

The Bottom Line

SharePoint is good for document storage.  If you’re already on Microsoft 365, it’s a perfectly reasonable place to keep your policies – particularly for a small team who don’t face external audits or regulatory inspections, or receive vendor questionnaires asking for copies of policies and proof of policy management.  

But, document storage and policy management are different jobs. If you need to prove you’re your policies are up-to-date, reviewed on a schedule, that changes between versions are recorded and explained, and that the right people have read them – SharePoint is a foundation to build on, not a finished system. And building on it costs significant time, money, or both.

For organisations under audit, inspection, or certification pressure, the question isn’t whether SharePoint is a good product. The question is whether it’s the right tool for them to use for policy management specifically. And the answer comes down to what auditors actually ask:

  • Who owns this policy?
  • What was it last reviewed, and when will it next be updated?
  • What changed between the previous version and this version, and why?
  • Can you demonstrate that your staff know about this policy?

SharePoint doesn’t have good answers to any of those questions without layering significant work on top of it. A purpose-built tool like Dayspring does.

Want to see what purpose-built policy management looks like for a small team? Dayspring is built specifically for SMBs – no implementation time, no hidden costs, no compliance or IT expertise required. Start a 30-day free trial, or book a demo.

Frequently Asked Questions (FAQs)

Can SharePoint be used for ISO 9001 and ISO 27001 document control?

Partially. Word files stored in SharePoint record when a document was saved and by whom, and you can restrict access at site level —both of which address some requirements under ISO 9001 Clause 7.5 and ISO 27001Clause 7.5. But both standards also require that changes between versions are identified and the reasons for changes are documented — and SharePoint doesn't capture that. There's also no native review cycle, no automated reminders, and no way to produce an audit-ready evidence pack without building something custom on top.

In practice, most UK organisations trying to use SharePoint for ISO certification end up maintaining manual spreadsheets to track versions and review dates, chasing acknowledgements over email, and reconstructing change history before each audit. It's possible, but it's a significant ongoing administrative burden — and it's exactly the kind of fragile, person-dependent process that auditors notice.

Does SharePoint track which staff have read and agreed to policies?

No. SharePoint can show that someone had access to a document, but it cannot record that a specific person read and agreed to a specific version of a policy – or indeed any policy at all.

 

What’s the difference between SharePoint version history and document version control?

SharePoint's version history records when a file was saved and by whom. That's it. True document version control — as required by ISO 9001 and ISO 27001 — additionally captures what specifically changed between versions, why it changed, and who approved the change.

 

What should I use instead of SharePoint for policy management?

Purpose-built policy management tools are designed for the specific evidence requirements that SharePoint can’t meet natively. For small to mid-sized organisations, Dayspring Software covers staff acknowledgement tracking, version control with change notes, scheduled annual review cycles, and audit-ready reporting – with no implementation period or costs, and an interface suitable for non-technical users.