How to Build a Policy Register: Step-by-Step Guide

An inspector asks: "How many policies does your organisation have?" If the answer involves opening a shared drive and counting files, you do not have a policy register. You have a collection of documents with no central record of what exists, who owns each one, or when they are due for review.

A policy register fixes that. It is the single source of truth for every policy your organisation holds — and building one takes less time than you might expect.

What Is a Policy Register?

A policy register is a structured record of every policy in your organisation. For each policy, it captures:

• Policy name — the official title
• Category — safeguarding, health and safety, governance, data protection, HR, clinical, finance, or operational
• Owner — the person responsible for reviewing and maintaining the policy
• Approver — who formally approves the policy (governing body, trustees, practice partners)
• Current version — version number and date
• Review frequency — how often the policy should be reviewed (6 months, 12 months, 24 months, or 3 years)
• Last reviewed date — when the policy was last formally reviewed
• Next review date — calculated from last reviewed + frequency
• Status — current, due soon (within 90 days), or overdue
• Location — where the policy document is stored

The register is not the policies themselves — it is the index that tracks them. Think of it as the table of contents for your governance.

Why You Need One

For inspections

CQC, Ofsted, and internal auditors will ask about your policy governance. A register lets you answer confidently: "We have 85 policies. 78 are current. 5 are due for review this quarter. 2 are overdue and under active review. Here is the full list."

That answer, with evidence behind it, demonstrates well-led governance. "I think we have most of them up to date" does not.

For handovers

When a school business manager, practice manager, or governance officer leaves, the policy register ensures their successor knows exactly what exists and what needs attention. Without it, institutional knowledge walks out the door.

For efficiency

Checking 100+ policy documents individually to find review dates takes hours. A register puts every deadline in one place. Combined with automated reminders, it removes the manual tracking entirely.

Step 1: Audit Your Existing Policies

Before building the register, you need to know what you have. Go through every location where policies might be stored:

• Shared drives and document management systems
• SharePoint libraries
• The school/practice website
• Email attachments (policies that were approved via email and never filed properly)
• Physical filing cabinets
• Personal folders belonging to the previous policy owner

For each policy you find, record:

• Name
• Date (from the document — look in the footer, header, or metadata)
• Location

Expect duplicates. You will likely find two or three versions of the same policy in different locations. Note them all — you will deduplicate in the next step.

Step 2: Deduplicate and Identify the Current Version

For each policy with multiple versions, identify which is current:

• The most recently dated version is usually current — but check that it was formally approved
• If you find a newer draft that was never approved, the last approved version is still current
• Mark superseded versions for archiving (do not delete them — you may need them for audit purposes)

Step 3: Set Up Your Register Structure

You can build a policy register in a spreadsheet, but an interactive template is faster. Our free Policy Register Template lets you build the register in your browser and export it as CSV.

If you prefer a spreadsheet, create columns for:

Policy Name	Category	Owner	Approved By	Version	Review Freq.	Last Reviewed	Next Review	Status	Location	Notes

Category options to use:

• Safeguarding
• Health & Safety
• Data Protection
• HR & Employment
• Governance
• Clinical / Care (for GP practices)
• Finance
• Operations

Step 4: Populate the Register

Work through your audited policy list and add each current policy to the register. For each one:

1. Assign a category — this lets you filter the register when preparing for a specific inspection or audit
2. Assign an owner — the person accountable for reviewing and updating the policy. For schools, this is often the head teacher (safeguarding), school business manager (finance, HR), or SENCO (SEND). For GP practices, it is often the practice manager or a named clinical lead.
3. Record the approver — who formally signs off the policy. For schools: governing body. For charities: board of trustees. For GP practices: partners or practice manager.
4. Set the review frequency — see our guide to review frequencies by regulator for specific guidance. As a starting point:
   • Safeguarding: 12 months (some schools review termly)
   • Health and safety: 12 months
   • Data protection: 12 months
   • Clinical policies: 12 months
   • Governance/strategic: 24-36 months
   • Operational: 18-24 months
5. Calculate the next review date — last reviewed date plus the review frequency. Our Policy Review Schedule Generator does this automatically and exports to your calendar.
6. Assess the status — current (next review is more than 90 days away), due soon (within 90 days), or overdue (past the review date)

Step 5: Identify Gaps

With the register populated, you can now see what is missing. Cross-reference against regulatory requirements:

• Schools: Use our Ofsted Statutory Policies Checklist to identify any missing statutory policies
• GP practices: Check against CQC policy requirements and Regulation 17 — safeguarding, IPC, medicines management, information governance, complaints, health and safety
• Charities: Check safeguarding (mandatory if working with children/vulnerable adults), data protection, health and safety, conflicts of interest, reserves
• Councils: Standing orders, financial regulations, risk management, data protection, complaints

Any gap is a priority — create the missing policy and add it to the register.

Step 6: Maintain the Register

A policy register is only useful if it is maintained. Build these habits:

After every policy review: Update the version, last reviewed date, and next review date in the register. This should take 30 seconds.

Monthly check: Scan the register for policies due within 90 days. Chase the policy owner if they have not started the review.

After staff changes: When a policy owner leaves, reassign their policies immediately. Do not wait until the next review date — by then, nobody will remember who was responsible.

After regulatory changes: When CQC, Ofsted, DfE, or the Charity Commission publish new guidance, check which policies are affected and bring forward their review dates.

When to Move Beyond a Spreadsheet

A spreadsheet register works for small portfolios (under 30 policies) with a single person managing them. You will outgrow it when:

• You have 50+ policies and reminders are getting missed
• Multiple people own policies and coordination is difficult
• You need approval workflow (who approved what, when)
• Inspection prep requires generating compliance reports
• You manage multiple sites with shared policies

At that point, a purpose-built policy management system — with automated reminders, approval workflow, compliance dashboard, and audit trail — saves more time than it costs. See our guide to choosing policy management software for what to look for.

PolicyBoard is designed to replace the spreadsheet register with automated tracking for UK schools, GP practices, charities, and councils. Join the waitlist to be notified when it launches.

This guide covers general principles of policy register management. It is not legal advice. Always check the specific requirements of your regulator.