Where to store SOPs so staff can find and trust them

TL;DR

Choosing where to store SOPs is less a software decision and more a governance one. For owner-managed businesses with 5 to 50 staff, the practical contest is usually between your productivity suite (Microsoft 365 or Google Workspace) and a dedicated knowledge or project tool such as Notion or ClickUp. Either can work, provided three disciplines are in place: a named library owner, review dates on every procedure, and a clear approval workflow for changes.

Key takeaways

- Storing SOPs inside your productivity suite (Microsoft 365 or Google Workspace) is the natural choice if your team already works there daily, provided you invest time in folder structure, naming conventions, and review disciplines.
- Dedicated knowledge tools such as Notion and ClickUp work best when procedures need to live inside workflows, appearing as task checklists at the moment work is created rather than requiring staff to search for them separately.
- The platform choice matters less than governance: every SOP library needs a named owner, clear review dates, and an approval workflow for changes, regardless of where the documents live.
- Storing SOPs in the wrong place or leaving them unfindable carries real costs: the ICO fined British Airways £20 million and Marriott International £18.4 million in cases where inadequate process oversight contributed to data protection failures.
- Before enabling AI search features in Microsoft 365 or Google Workspace, check your permissions: sensitive procedures including HR documents and incident response plans may be surfaced to staff who should not see them if access controls are not set deliberately.

You discover that the person you hired three months ago has been following an onboarding procedure that was superseded a year ago. The updated version sits in a Teams channel they were never added to. Nobody told them. Nobody thought to.

This is the SOP storage problem in its most recognisable form: a document that exists somewhere, just not somewhere the right person thought to look, or trusted once they found it. Choosing the right home for your procedures is partly a software decision and mostly a governance one.

What are your realistic options for SOP storage?

For owner-managed businesses with 5 to 50 staff, the realistic options are your existing productivity suite (Microsoft 365 or Google Workspace), a dedicated knowledge or project tool such as Notion, ClickUp, or Monday.com, a formal quality management system for regulated sectors, or a basic shared drive. For service businesses in this size band, the practical question usually comes down to the first two.

Basic shared drives and file servers are where many firms still store their procedures. They are also the option most likely to generate the version confusion described above. The folder labelled “SOPs” fills quickly with files named “Onboarding_v3_FINAL_revised.docx” and nobody can confirm which is live. Collaboris, a UK SharePoint consultancy, identifies centralised storage with clear naming conventions as the first discipline, because fragmented storage is the root cause of staff reverting to informal methods.

Quality management systems occupy a different category. They suit firms operating under formal regulatory frameworks: MHRA oversight, UKAS accreditation, ISO 13485. The implementation overhead and licence cost is disproportionate for a professional services firm without that kind of regulatory exposure. If your sector requires formal document control with audit trails and training records, the QMS path is worth evaluating on its own terms. Otherwise, the contest is between your productivity suite and a knowledge tool.

When does your productivity suite work best as an SOP home?

If your team already relies on Microsoft 365 or Google Workspace for the bulk of its daily work, that suite is often the natural home for SOPs. SharePoint and Google Shared Drives give you role-based permissions, version history, and audit trails at no extra licence cost. Staff can reach procedures from within Teams or Google Docs. The risk is that poor folder structure quickly erodes that convenience.

Both Microsoft and Google provide multi-factor authentication, encryption at rest and in transit, and compliance certifications including ISO 27001 and SOC 2. The NCSC recommends assessing SaaS providers for identity and access management and data residency options, and both platforms meet the bar for typical owner-managed business use cases.

Three disciplines make or break the approach. First, a clear top-level folder hierarchy by function: Operations, HR, Finance, Quality, IT. Second, a named owner for the SOP library who enforces naming conventions and review dates. Third, a lightweight approval step before any document is overwritten, even if that step is a shared review in a Teams channel rather than a formal workflow.

One newer consideration: both Microsoft Copilot and Google Gemini can now search across documents in your suite. That can make SOPs easier to find. It also means sensitive procedures, including incident response plans and HR content, may surface in AI results if permissions are not set deliberately. The NCSC’s guidance on generative AI in organisations is clear that sensitive material fed into general-purpose AI tools can be exposed unless configurations are explicitly locked down. Check your access settings before enabling AI search features across the whole organisation.
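The three disciplines above (ownership, review dates, an approval step) and the permissions check before enabling AI search are all things you can verify mechanically against an inventory of the library. The script below is an added example, not code from the original post or from any of the tools it names. It runs over a constructed in-memory inventory (in practice you would build this from a SharePoint or Shared Drive export or a tracking spreadsheet) and flags procedures with no named owner role, procedures past their review date, filenames whose version suffixes suggest duplicate live copies, and sensitive procedures readable by a broad group, which is exactly what an AI search feature would then surface. The group name "All Staff" and the folder names are assumptions.

```python
"""Audit a small SOP library for the governance disciplines described above.

Added example, not code from the original post. Works on a constructed
inventory; a real one would come from a SharePoint/Drive export or a sheet.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set
import re

EVERYONE = "All Staff"   # assumed name of the organisation-wide read group


@dataclass
class Sop:
    filename: str
    folder: str                   # top-level function folder, e.g. "HR"
    owner_role: Optional[str]     # owner by role, not by person
    review_date: Optional[date]   # None means no review date was ever set
    sensitive: bool               # HR, incident response, security content
    readers: Set[str] = field(default_factory=set)  # groups with read access


# Suffixes that signal copies of the same document rather than a new one.
VERSION_NOISE = re.compile(r"(_v\d+|_final|_revised|_copy|\(\d+\))", re.IGNORECASE)


def base_name(filename: str) -> str:
    """Strip extension and version-noise suffixes to get the logical document name."""
    stem = filename.rsplit(".", 1)[0]
    return VERSION_NOISE.sub("", stem).lower().strip("_ ")


def audit(library: List[Sop], today: date) -> Dict[str, List[str]]:
    """Return findings keyed by category; each value is a list of filenames/keys."""
    findings: Dict[str, List[str]] = {
        "no_owner": [], "overdue": [], "duplicate": [], "overexposed": []}
    seen: Dict[str, List[str]] = {}
    for sop in library:
        if not sop.owner_role:
            findings["no_owner"].append(sop.filename)
        # A missing review date is treated as overdue: nobody is checking it.
        if sop.review_date is None or sop.review_date < today:
            findings["overdue"].append(sop.filename)
        key = f"{sop.folder}/{base_name(sop.filename)}"
        seen.setdefault(key, []).append(sop.filename)
        # Sensitive content readable by everyone is what AI search will surface.
        if sop.sensitive and EVERYONE in sop.readers:
            findings["overexposed"].append(sop.filename)
    for key, names in seen.items():
        if len(names) > 1:
            findings["duplicate"].append(key + ": " + ", ".join(sorted(names)))
    return findings


# Constructed sample inventory illustrating each failure mode.
SAMPLE_LIBRARY = [
    Sop("Onboarding_v3_FINAL_revised.docx", "HR", "HR Lead", date(2024, 1, 15), False, {EVERYONE}),
    Sop("Onboarding.docx", "HR", "HR Lead", date(2026, 1, 15), False, {EVERYONE}),
    Sop("Incident_Response_Plan.docx", "IT", None, date(2025, 9, 1), True, {EVERYONE, "IT"}),
    Sop("Disciplinary_Procedure.docx", "HR", "HR Lead", None, True, {"HR"}),
    Sop("Expense_Claims.docx", "Finance", "Finance Manager", date(2026, 6, 30), False, {EVERYONE}),
]


def sample_findings() -> Dict[str, List[str]]:
    """Audit the constructed library as at a fixed date so results are reproducible."""
    return audit(SAMPLE_LIBRARY, today=date(2025, 10, 1))


if __name__ == "__main__":
    for category, items in sample_findings().items():
        print(f"{category}: {items or 'none'}")
```

The "overexposed" category is the one to clear before switching on Copilot or Gemini search: those features respect existing permissions, so the problem is never the AI feature itself but a sensitive document that was already readable by everyone. The "duplicate" category is the shared-drive version-confusion problem in detectable form; resolving it means deleting or archiving the copies so one file per logical procedure remains.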

When does a dedicated knowledge tool earn its place?

The argument for Notion, ClickUp, or Monday.com shifts when procedures need to live inside the work itself. If a client onboarding SOP should appear as a checklist the moment someone creates a new project, embedding it in a project tool means it arrives at the right time rather than requiring a team member to remember to look for it.

This is the central advantage described in guidance from Slack and MaintainX: SOPs can become task templates. Create a new client onboarding project and the checklist appears. Complete a step and the procedure logs as done. For teams running repeatable client delivery cycles or operational checklists, the integration of procedure and execution is more useful than any feature comparison suggests.

The disadvantages are worth naming clearly. Many of these platforms are US-based, which creates UK GDPR obligations around international data transfers. Before committing, check where the provider’s primary data centres are located and what transfer mechanisms are in use. Some tools also have weaker granular access controls than enterprise document management systems, which matters when SOPs contain sensitive HR or security content.

The bigger risk is tool sprawl. If procedures drift across Google Drive, Notion, and ClickUp because different teams have different preferences, staff face a harder problem than the original one. They are no longer uncertain about where the document might be. They have stopped looking altogether.

What does it cost to store SOPs in the wrong place?

The cost of a poorly stored procedure library accumulates before anyone notices. New starters follow outdated steps, pricing gets quoted inconsistently across the team, and security procedures sit unused because staff cannot find them when something goes wrong. The ICO’s enforcement record illustrates where this trajectory ends for firms that delay addressing it.

The ICO fined British Airways £20 million in 2020 after a breach that exposed personal data of approximately 400,000 customers. The investigation found poor security arrangements and inadequate access controls. Marriott International was fined £18.4 million for similar failures. Both involved large organisations, but the ICO’s analysis applies to smaller firms equally: inadequate technical and organisational measures include failing to ensure that staff know and can follow security procedures.

For regulated firms, the FCA has taken enforcement action against financial services companies specifically for inadequate systems and controls, including policies and procedures that staff did not follow, often because they could not find them or did not trust that what they found was current.

Cyber insurance underwriters have added detailed questions about documented security procedures and incident response plans to their proposal forms. Firms without findable, current procedures face higher premiums or disputed claims when an incident occurs.

What should you ask before committing to a tool?

Before choosing a platform, start with governance rather than features. A tool can have excellent version control and search capability, but if no one is named as the library owner, if SOPs carry no review dates, and if there is no approval workflow for changes, the platform is unlikely to change what staff actually do.

The questions worth asking are grouped below by what actually matters.

On ownership and review: Who is the named owner of the SOP library by role, not by name? Does each procedure have a review date and a subject-matter owner? How will changes be approved and recorded?

On findability: Can a new hire find the relevant SOP in under sixty seconds without asking a colleague? Does the tool support full-text search across document titles and body content? Can you cross-link related procedures?

On security and data protection: Where is the data stored, and what certifications does the provider hold? Can you restrict sensitive SOPs to named groups? Do any AI features index SOP content, and can you control whether they do?

On exit: Can you export all SOPs and their version history if you move to a different tool?

One final point worth raising with your team. The ICO’s guidance on cloud computing is clear that you remain accountable as the data controller for information stored in any SaaS platform, and that supplier contracts must reflect adequate security guarantees. If your SOPs contain personal data, including staff names, customer data-handling instructions, or incident logs, the platform’s data protection credentials matter as much as its search interface.

If you want to think through how this fits into how your business runs, book a conversation.

Sources

- ICO (2020). ICO fines British Airways £20m for data breach. Shows costs of inadequate access controls and process oversight in an enforcement context directly cited in this post. https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2020/10/ico-fines-british-airways-20m-for-data-breach/
- ICO (2020). ICO fines Marriott International £18.4m for data security failures. Failure to implement appropriate security measures and access controls following an acquisition; cited for proportionate applicability to smaller firms. https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2020/10/ico-fines-marriott-international-inc-184m-for-failing-to-keep-customers-personal-data-secure/
- ICO. UK GDPR guidance on data protection law. Confirms controller accountability for data stored in SaaS platforms and international transfer obligations. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-law-explained/
- ICO. International transfers guidance. Relevant to US-based knowledge tool providers and the transfer mechanisms required under UK GDPR. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/
- NCSC. Cloud security guidance for UK businesses. Covers SaaS provider assessment criteria including identity and access management, logging, and data residency options. https://www.ncsc.gov.uk/collection/cloud-security
- NCSC (2023). Generative AI: what you need to know. Guidance on risks of sensitive content being exposed through AI indexing features without correct permission configuration. https://www.ncsc.gov.uk/blog-post/genai-security-guidance-what-you-need-to-know
- FCA. Systems and controls requirements for authorised firms. Firms must maintain adequate policies, procedures, and evidence that staff follow them; enforcement cited in this post. https://www.fca.org.uk/firms/systems-and-controls
- Penn State Extension. Standard Operating Procedures: A Writing Guide. Governance principles including ownership, review cycles, and version control as the foundation of any SOP system. https://extension.psu.edu/standard-operating-procedures-a-writing-guide/
- Zampieri et al. (2020). Ten Simple Rules for writing reproducible and reusable research. PMC peer-reviewed guidance on SOP structure, ownership, change control, and version discipline. https://pmc.ncbi.nlm.nih.gov/articles/PMC7470745/
- Collaboris (n.d.). SOP best practices for SharePoint: centralised storage, clear naming conventions, and review disciplines as the first line of defence against version confusion. https://www.collaboris.com/sop-best-practices/

Frequently asked questions

What is the best tool to store SOPs in a small business?

The best tool is whichever platform your team already uses daily, provided it has clear ownership, version control, and review dates built into the process. For owner-managed businesses with staff in Microsoft 365 or Google Workspace, SharePoint or Google Shared Drives work well without additional cost. Notion or ClickUp are worth considering when procedures need to be embedded inside project workflows so they appear automatically rather than requiring a separate search.

Do UK GDPR rules apply to where we store our SOPs?

Yes, if your SOPs contain personal data including staff names, customer data-handling instructions, or incident logs, UK GDPR applies to the platform you use to store them. You must ensure the provider offers appropriate security, access controls, and clear data-processing terms. The ICO's guidance on cloud computing confirms that as the data controller, you remain accountable for data held in any third-party SaaS platform, and your supplier contracts must reflect that.

What happens if staff cannot find the right SOP when they need it?

When staff cannot find a procedure, they either ask a colleague, guess, or continue with whatever they remember from their last read. All three routes introduce inconsistency. Version confusion in poorly named shared drives is one of the most common causes of process failure in owner-managed businesses. The ICO's enforcement record shows a more serious version of the same outcome where the missing or unfindable procedures involve data-handling or security policies.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.

Ready to talk it through?

Book a free 30 minute conversation. No pitch, no pressure, just a useful chat about where AI fits in your business.

Book a conversation
