What is an SOP?
A Standard Operating Procedure (SOP) defines how we operate — the procedures your team follows to meet the requirements set by your Policies. SOPs are the second tier of BFF’s controlled documents:
| Tier | Answers | Example |
|---|---|---|
| Policy | What we require and why | Information Security Policy |
| SOP | How we operate to meet it | Access Review Procedure |
| Work Instruction | Exactly how to execute | Revoke a Departing User’s Access |
| Training | How people learn it | Security Onboarding |
Keep the “what and why” in Policies, and the step-by-step “exactly how” in Work Instructions — SOPs are the operating procedures in between.
Creating an SOP
- Navigate to SOPs in the sidebar (under the Docs group)
- Click “New SOP”
- Fill in the fields:
- Title — a clear, descriptive name
- Content — the procedure itself
- External URL (optional) — link out if the source of truth lives elsewhere
- Save — new SOPs start in Draft status
The Lifecycle
| Status | Meaning |
|---|---|
| Draft | Being written or revised — not yet in force |
| In Review | Submitted and awaiting approval |
| Published | The current, in-force version |
| Archived | Retired; history preserved |
From a Draft, click “Submit for Review” to route it for approval (or “Publish” directly). An SOP In Review shows an “Approve & Publish” button for the approver. Publishing bumps the version number and snapshots it in Version History.
Editing a Published SOP
Any edit to a published SOP takes it back to Draft — you’ll provide a Change Summary, and the revision goes back through review before it can be published again. Publishing the new version triggers Change Impact Analysis: owners of linked documents are alerted, assignees of linked tasks are notified, and stale Required Reading acknowledgements are flagged for re-acknowledgement.
Who Governs an SOP
There’s no per-document “Permissions” field — governance comes from document role assignments. Click “Manage Roles” on the SOP to assign an Owner, Author, Reviewer, Approver, and Readers. These roles are independent of company permissions: a regular member can own or approve a specific SOP. See Document Roles and Lifecycle in the Document Control section.
Best Practices
- Write SOPs in clear, concise language
- Keep governing rules in the Policy tier and execution detail in Work Instructions
- Use Links to connect each SOP to the Policy it implements and the Work Instructions that execute it
- Assign a clear Owner before publishing — that’s who gets change-impact alerts
Tip: Use Assign Reading to make a published SOP required reading for the team — readers e-sign against the current version, and you get a completion report.