SharePoint Policies - Planning



This is the section of your Governance Plan where the rubber really meets the road.  For obvious reasons, careful planning and consideration should go into your policies. You may need more policies than identified here.

Customization Policy

The first bullet in this section should describe what your org considers a customization.  It should describe the entire process from start to finish, particularly of how customizations shall be requested, approved, implemented, and all associated roles. 

Typically, customizations are considered to be any third-party SharePoint add-ons or custom code (solutions, features, controls, etc.) which are not native to SharePoint.  In-browser configuration, SharePoint Designer configuration, and everything else is considered configuration changes or native SharePoint functionality.

It is unlikely that your users will know exactly what to consider a "customization."  Your policy needs to account for requests which may end up being "configuration changes" and not customizations.  Your Customization Policy should include the following questions as part of your change management:

  • How do users request customizations?  Online form with workflow?  Email?  Both?

  • What role is responsible for reviewing customization requests?

  • What is an acceptable time lapse until the user receives a response?

  • If it is determined that a request is actually a configuration change, what role approves this change?
  • What role is responsible for funding customization efforts?

  • What role is responsible for funding configuration efforts?

  • How are customization requests tracked and communicated?

  • Is the customization localized to a single Site, or is the customization useful across the org?

  • What role is responsible to capture, clarify, and confirm the actual business objectives?

  • How are customizations tested prior to being deployed on the Production servers?

Detractor Policy

Due to the social nature of the SharePoint My Sites, many orgs are paralyzed with fear when thinking of it.  This is unfortunate because the concepts born out of social networking actually enhance and facilitate collaboration.  We have found that adding a Detractors Policy to the Governance Plan instantly relaxes often unjustified concerns about social features.

The Detractors Policy of your Governance Plan can be a simple table with the following column headings:

  • What type of Detractor?
         Example:  Legitimate complainer.

  • Why they make trouble. 
         Example:  Needs help with or wants to warn others.

  • How to recognize Detractor?
         Example:  Raises legitimate issue and may use
         strong language but seems open to reason.

  • What is the corrective action?
         Example:  Solve problem, provide education,
         or explain policies.  Explain publicly or add to
         FAQ if possible.

    You will be surprised how quickly fears related to the What-Ifs go away when they are written down and accounted for!  More on What-Ifs later.

Site Provisioning Policy

How are new Sites requested?  Who can request a new Site?  What Workflow is required?  What role approves the request?  Where does the new Site get created?  What about unused Sites? When are Sites archived? Deleted?

Site Management and Security Model Policy

What roles are responsible for which Sites?  What permissions are associated with which roles?  What are the Farm Service Accounts being used and the associated passwords?  Who are the Site Collection Administrators? Who are the Site Administrators? Who provides backups to Administrators? 

Retention Policy

How long do we keep content?  What do we do with content we consider old?  Archive it?  Remove it? Permanently delete it?  Request the Author to update it? 

Create New Retention Policy

Specify Document Retention Action


Do not overlook training.  Your Governance Plan should detail initial training, ongoing training, and training levels that are audience specific.  Training for administrators is different than training for business users.  Training for chapter leaders is different than for volunteers. 

Determine each of the different groups to receive training and the level of training required.  Determine the type of training required for each group as well.  IT Pros and technical administrators are usually fine with written training.  Volunteers and members usually find webinar or video-based training more effective.

Don't stop with training at launch.  Ensure your org supports ongoing training options for new hires, community leaders, business users, executives, and members. 

Your training can be onsite, offsite, video, online, live webinar, recorded webinar, three days, or three-minute snippets that describe specific actions and activities.  Regardless of the type of training that works for your org, you need to have a plan for it.  Your Training Plan is a part of your Governance Plan.


Do not neglect your SharePoint Governance Plan.  It will not end well.  This process does not need to take a long time to complete, but it is vitally important.  Your SharePoint Governance Plan should, at a minimum, include the following sections:

Your Business Objectives define the high level objectives which the solution is expected to satisfy.  Your Technical Requirements define the technical components of the solution, including integration points with external Line of Business (LOB) systems like your AMS, CRM, and all other non-SharePoint data sources.

Your Deployment Team Roles define who is responsible for what. Your SharePoint Topology defines your SharePoint network and server farm architecture, including number of servers, server roles, specifications, and other relevant information.

Your Governance Plan Policies define your business rules which describe how you handle events such as procuring new Sites. 

  • Your Customization Policy specifies the rules on how third-party products and custom components are identified, tested, and ultimately deployed to the production environment.
  • Your Detractors Policy provides guidance in undesirable situations such as members saying less than flattering things about your org or solution(s) undertaken.
  • Your Site Management and Security Policy specifies ongoing Site and Subsite management and the responsible roles.
  • Your Retention Policy defines how long content remains until considered unnecessary, and what to do with it.
  • Finally, your Training Plan outlines your official launch, as well as the conduct of ongoing and refresher training with respect to the diverse audiences and their existing workloads.