Policy

The integrated policy framework

Align accessibility, security and governance so they support each other rather than compete for attention. This framework turns disconnected policies into a coherent, human-centred system that protects people, data and reputation equally.

Who it's for

Heads of governance, policy owners, and anyone who has discovered the security policy and the accessibility policy contradict each other.

When to use it

During a policy refresh, after a merger, or when you realise nobody has read the policies in three years.

Why policies fail

Policies fail when they are written by one team for one audience and assume everyone else will fall in line. Security policy that ignores accessibility produces controls people can't use. Accessibility policy that ignores security produces well-intentioned exemptions that become attack paths.

What integration looks like

  • Shared definitions — "reasonable adjustment" and "compensating control" should not be in separate documents.
  • Joint exception process — one route for both, with both teams involved.
  • Consistent escalation — the same person can answer both kinds of question.
  • Human-readable language — written for the person who has to follow it, not the lawyer who drafted it.

In practice

How to run it

  1. Audit the current policy estate for contradictions between security and accessibility positions.
  2. Pick the top three contradictions. Convene the policy owners. Resolve them in writing.
  3. Rewrite the affected sections in plain language. Test on real readers.
  4. Publish, communicate, and put a review date in the diary you actually keep.
