In Part 1 What is Information Architecture and Why Do You Need It of this blog series, I explained what information architecture is and (hopefully) provided some basic pointers and underlying principles of why an organisation should think about developing one.
Here I want to expand on the subject and cover how to go about creating an information architecture for Microsoft 365 (and particularly SharePoint Online).
As a starting point, it is important to remind ourselves information architecture should provide a flexible yet intuitive plan for such elements as data locations, applications, features, functionality, business processes and activities (based on business requirements).
The remainder of this blog will aim to provide some suggested insights into how to approach this.
BUSINESS FOCUS
One of the key things to remember is an information architecture (though initially often created by IT or by a limited set of stakeholders) must incorporate the needs of the entire business.
This cannot be stressed enough as many organisations forget and, as a result, user adoption and usability suffer.
The people involved in the exercise will ideally have some expertise or experience in the following disciplines:
- Setting out clear goals and outcomes
- Guiding and defining use cases
- Facilitating communication and feedback
- Some Microsoft 365 and SharePoint Online experience
Note: This activity shouldn’t involve asking business stakeholders which SharePoint features they require, it is much deeper and requires some planning and thinking around work modelling and building consensus regarding requirements (e.g., use cases).
Some further considerations are provided as follows:
WHAT IS THE GOAL? THINKING SHORT AND LONG TERM…
Understanding and being clear about the goal of information architecture is an absolute must if you are to be able to define one which is fit for purpose, understandable and adaptable.
For this blog (and in general), the goal is to document your organisation’s current taxonomy (some organisational lingo) and incorporate data and security policy as well.
The desired outcome from this is a design incorporating a series of statements and concepts (typically captured in a document or set of documents) to assist you in making decisions, setting and enforcing policies and enabling you to configure your SharePoint and Microsoft 365 environment accordingly.
See below for an example of what this could look like:
WHY DO ORGANISATIONS OFTEN FIND THIS DIFFICULT AND WHY DOES IT GET OVERLOOKED?
The definition of an Information Architecture requires a range of skill sets which are mostly very different from the typical IT skills of technical infrastructure and application specialists. It requires an understanding of such areas as library science, facilitation and domain (e.g., Local Government, Not for Profit, Housing etc.) knowledge.
When you consider the types of information created daily by varying worker types, understanding how information is created, stored and shared is critical as this will drive classification requirements.
Leveraging classification helps to drive organisational initiatives and aids in reducing security related incidents, however the outcome from such an undertaking depends on how your organisation views the value of its information, how well it complies with regulatory guidelines (or needs to), how well it passes audits successfully and its ability to leverage its information assets.
The complexity of the undertaking is compounded when you introduce cloud technologies because now the organisation has numerous ways and locations for storing data on a service which is outside the organisational firewall boundary – and this also introduces additional considerations including data protection risks.
SO HOW DO YOU GET STARTED?
To make this as simple and straightforward as possible (given the challenges I’ve already outlined above), I have set out 5 simple steps which I have and continue to use to help organisations begin to define an initial information architecture for SharePoint and Microsoft 365.
It is safe to assume several workshops will be required to discuss these topics and progress these steps, each requiring some initial planning and agreement over objectives and topics.
STEP 1
Bring a team together consisting of people with the requisite skill sets or business understanding e.g., information architecture, technical infrastructure, project coordination, communications and business representation.
If your organisation is smaller this team may only consist of an Office 365 Administrator, Project Sponsor and a couple of representatives from each business area.
If your organisation is larger or more complex, the team might consist of the following roles:
- SharePoint SME or Microsoft 365 Product Manager
- Records Manager
- Compliance Officer
- Security Officer
- Plus, several representatives from each business or functional area or service management team (operations teams and or service providers)
STEP 2
Review your organisation’s security policy and understand how it applies to creating, using, protecting and disposing of information – location, tagging, permissions and data ownership.
This information can be collected from a couple of sources such as the Security team (who should be able to provide data security guidelines and or policy documents and control plans). Auditor reports may also be useful (if they are made available) as they provide insight regarding how your environment scores from an Auditors perspective and more importantly, highlight area of improvement to be included in your architecture.
Note: In general, auditors dislike the distributed permission controls within platforms such as SharePoint and the lack of ongoing data scanning and policy enforcement (they prefer everything to be described under a ‘control plan’ – more on this later) and often view SharePoint as a ‘black hole’.
This is an area where more focused tools and applications can really help.
In particular, Insentra recommends the Torsion Information Security suite, which provides a powerful, intuitive and comprehensive set of user tools and applications to (amongst other things) enable users to make it easy to prove they’re in control of exactly who has access to sensitive data, and everyone’s access to a document is appropriate.
STEP 3
Review your organisation’s data policy and get a clear understanding of how the policy applies to retaining information, tagging and classification.
This information can be collected from the Records Management team (who should be able to provide data protection and retention guidelines and or policy documents and control plans).
STEP 4
Work with representatives from key business areas to understand the data, content, documents, applications, and people etc. they work with to get their jobs done.
This exercise should be conducted with several key business areas and departments initially and then refined as an ongoing activity by working with department SMEs across the remainder of the business.
For example, when thinking about corporate information the following questions come to mind:
- What information does the business collect and how is it used?
- How much of it is stored and where?
- Why is it kept?
- Who has access to it and why?
- For how long do they need access?
Here are some more focused questions to help, it is worth keeping in mind, it may be necessary to enlist the skills/ services of someone who has done this successfully before:
- What are all the different types of data and how are they classified?
- Do data owners exist for each data type or aggregated data collection?
- How is data obtained? From whom? Why?
- What are the associated business processes and or tasks?
- What format is the data in? Applications? Documents? Staff contact details.
- How is data shared? With whom? Why?
- What are the associated business processes and or tasks?
- What are the business information availability requirements? Why?
- What confidentiality, integrity and availability requirements apply?
- What is the legal environment surrounding the organisation’s industry and the data it uses?
What issues has the organisation experienced in the past?
STEP 5
Create a draft baseline information architecture design
When you have completed steps one through four (as at least a first pass exercise), the information architecture for the SharePoint and/or Microsoft 365 environment(s) should be documented to include the environments’ purpose (e.g., OneDrive for Business for peer-to-peer sharing and collaboration, SharePoint sites for internal team document management, Microsoft Teams for internal and external team collaboration or business partner collaboration etc.) – per the example provided above.
The initial design should include logical structures for each type of data, activity and location and should detail the purposes and audiences for each specific area.
DON’T FORGET GOVERNANCE!
Every information architecture definition should incorporate requirements for a baseline governance framework, detailing the information architecture maintenance roles and activities including the following:
- Data owners
- Provisioning
- Exception handling
- Breach management
- Security monitoring (site security and data scanning)
It should also reference how any enforcement of governance policies and reporting will be handled so the organisation has a clear understanding and agreement about how the environment will be governed (in order to effectively steer and enforce the agreed Information Architecture).
This should also highlight any unresolved risks (where feasible) which have not been addressed and assign ownership of these risks to an executive sponsor whose mandate is to comply with data policies and maintain the end-user experience.
IN SUMMARY
It’s important to note an Information Architecture will evolve over time, refining it is very much an iterative process. As they say, you can’t boil the ocean and if you try, it will be a frustrating and unsuccessful experience. Hence the need for a diverse team and securing executive sponsorship is critical. Most of the organisations I have worked with often start with the technical implementation of SharePoint and Microsoft 365 and lose sight of the user experience from an information and content perspective until much later.
This can still work, however, there is additional effort involved in unpicking what has already been deployed.
And finally….
What’s the use of a highly available, flexible environment if the content is hard to find and is of little or no relevance to the business?
This will be covered in Information Architecture – Part 3: Supporting User Adoption of this series: “How to use Information Architecture to support user adoption in Microsoft 365 and SharePoint”.
For more information Governance in Microsoft Teams, check out our Microsoft FastTrack services.
