Tax pros used to worry about missing a deduction, but in 2025 the bigger worry is proving they actually follow a real security plan.
Every tax professional renewing a PTIN for 2025 is asked to confirm that their firm has a Written Information Security Plan in place.
That single certification has pushed thousands of CPA firms to revisit two documents that appear similar at first glance, IRS Publication 4557 and IRS Publication 5708. They are not interchangeable. One defines the obligations for safeguarding taxpayer data. The other provides the structure that regulators expect to see when a firm documents how those obligations are met.
A Written Information Security Plan (WISP) is a legal requirement for tax professionals under the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule. Insurers, banks and software vendors have followed the same path and ask for written proof during renewals, lending reviews and onboarding checks. In short, the environment shifted from “have good security practices” to “show the plan, show the controls and show the evidence”.
Publication 4557 explains the security principles, controls and expectations that apply to anyone who handles taxpayer data. Publication 5708 takes those expectations and turns them into a structured WISP template with governance, risk assessment, safeguard definitions, vendor oversight and incident response sections.
The 2024 revision of 5708 goes further. It sets explicit expectations for multi factor authentication, backup testing, documentation of exceptions, service provider reviews and continuous plan updates. These details now define what a defensible WISP looks like for small and mid sized CPA firms.
This article breaks down the difference between the two publications, what changed in the latest release of 5708 and the specific types of evidence a firm needs to produce during an IRS inquiry, bank review or cyber insurance renewal.
Why WISP is suddenly on every tax professional’s radar
From “good practice” to an explicit legal obligation
For many years, tax professionals viewed a Written Information Security Plan as something only larger firms needed. That changed once the FTC Safeguards Rule made it clear that any business handling taxpayer financial information is considered a financial institution under the Gramm-Leach-Bliley Act. That definition includes solo preparers, small CPA firms and seasonal tax shops.
The rule requires every covered entity to maintain a documented security program, designate a qualified individual and implement the administrative, technical and physical safeguards described in the regulation. IRS guidance now states directly that tax professionals are required by law to have a WISP and to keep it current.
If you are looking for more information regarding IRS WISP compliance, you can schedule a consultation with us at Verito and we would be happy to walk you through it.
Quick overview of IRS Pub. 5708 vs. 4557
| Category | IRS Publication 4557 | IRS Publication 5708 |
|---|---|---|
| Who it applies to | All tax professionals and firms that receive, store or transmit taxpayer information. | Tax and accounting practices that need to create or update a Written Information Security Plan (WISP). |
| Core purpose | Explains security responsibilities for handling taxpayer data and outlines safeguards every firm must implement. | Provides a complete WISP template aligned with GLBA and the FTC Safeguards Rule. |
| Focus areas | Protecting confidentiality, integrity and availability of taxpayer data. | Governance, system inventory, risk assessments and documented safeguards. |
| Key components | Security Six: firewall protection, anti malware tools, MFA, strong passwords, secure backups, encryption. | Administrative, technical and physical safeguards that must be documented in the WISP. |
| Additional content | Checklists to help firms evaluate their controls and identify compliance gaps. | Sections on incident response, breach handling, vendor oversight and ongoing monitoring. |
| Overall role | High level standard describing what must be protected and the baseline expectations for firms. | Detailed structure showing how to document, maintain and update a compliant WISP over time. |
Publication 4557 tells firms what a secure tax practice must achieve. Publication 5708 gives firms the IRS-endorsed format for documenting how those protections work day to day, so they can produce written proof when asked.
What changed in Publication 5708 and how it connects back to 4557
- Tax professionals are required by law to maintain a Written Information Security Plan. Earlier IRS communications suggested the need for a security plan, but the 2024 revision makes the legal connection to GLBA and the FTC Safeguards Rule explicit.
- The PTIN renewal process now includes an attestation that the preparer understands and meets these legal obligations.
- Multi factor authentication is now described as a required control for systems that handle or access taxpayer data.
- The updated Publication 5708 template requires firms to explicitly document where encryption is applied and how it is enforced.
- Publication 5708 now expects firms to document their backup strategy, retention period, restore procedures and testing results. The WISP must show how the firm verifies that backups actually recover data. This aligns with Publication 4557’s requirement to maintain availability of taxpayer information, but Publication 5708 translates it into a written standard with evidence expectations.
- Publication 5708 now requires firms to maintain a documented incident response plan that includes detection, escalation, containment and communication steps. The plan must describe how the firm would respond to a data breach, when it would contact its IRS Stakeholder Liaison and which state agencies it may need to notify.
- The WISP must describe how the firm evaluates service providers, the criteria used during selection and how contract terms reflect security expectations.
- Firms must show periodic reviews of provider performance, especially when the provider processes or stores taxpayer information. This matches the FTC Safeguards Rule’s requirement for service provider monitoring.
- Publication 5708 formalizes the expectation that the WISP is reviewed regularly. The template requires firms to document how testing results, incidents and changes in technology influence updates to the plan.
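The backup point above asks a firm to show how it verifies that backups actually recover data, and to keep the testing results as evidence. The script below is an added example of one way to generate that evidence; it is not code from the IRS publications or from Verito. It builds a tar.gz backup of a constructed sample directory, restores it into a scratch location, compares a SHA-256 manifest of the restored files against the original, and appends a dated PASS/FAIL record to a JSON-lines evidence log. The directory layout, file names and log format are assumptions for the demonstration.

```python
"""Restore-test harness: proves a backup archive restores intact and records
the result as a dated evidence entry. Added example, not IRS or Verito code."""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large client files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tarball of `source` and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)


def restore_test(archive: Path, expected: dict, evidence_log: Path) -> dict:
    """Restore `archive` to a scratch directory and compare it with `expected`.

    The result is appended to `evidence_log` as one JSON line, which is the
    artefact a reviewer can be shown alongside the WISP backup section.
    """
    with tempfile.TemporaryDirectory() as tmp:
        restored = Path(tmp) / "restore"
        restored.mkdir()
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The "data" filter blocks path traversal and special members
                # (Python 3.12+, backported to maintenance releases of 3.8-3.11).
                tar.extractall(restored, filter="data")
            except TypeError:  # older interpreter without the filter argument
                tar.extractall(restored)
        actual = manifest(restored)
    missing = sorted(set(expected) - set(actual))
    mismatched = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    result = {
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "archive": archive.name,
        "files_expected": len(expected),
        "files_restored": len(actual),
        "missing": missing,
        "mismatched": mismatched,
        "status": "PASS" if not (missing or mismatched) else "FAIL",
    }
    with evidence_log.open("a", encoding="utf-8") as log:
        log.write(json.dumps(result) + "\n")
    return result


def run_demo() -> dict:
    """End-to-end run on a constructed sample tree: one passing test, one failing."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "clients"          # constructed sample data, not real records
        (source / "returns").mkdir(parents=True)
        (source / "returns" / "2024-sample.txt").write_text("placeholder return data\n")
        (source / "engagement.txt").write_text("placeholder engagement letter\n")

        archive = base / "clients-backup.tar.gz"
        log = base / "restore-tests.jsonl"
        expected = create_backup(source, archive)

        passing = restore_test(archive, expected, log)

        # Simulate a backup that silently dropped a file: the manifest taken at
        # backup time lists something the archive does not contain.
        tampered = dict(expected)
        tampered["returns/ghost.txt"] = "0" * 64
        failing = restore_test(archive, tampered, log)

        return {"pass": passing, "fail": failing,
                "log_entries": len(log.read_text(encoding="utf-8").splitlines())}


if __name__ == "__main__":
    for name, res in run_demo().items():
        print(name, res)
```

The log line, not the script, is the evidence: it carries the timestamp, the archive tested and the outcome, which is what the "testing results" language in the bullet above refers to. A firm would run this on a schedule against its real backup target and keep the resulting file with the WISP.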
The relationship between the two IRS publications becomes clearer here. Publication 4557 explains why these controls matter and what they protect. Publication 5708 defines how a firm writes them down, tests them, maintains them and proves they exist.
4557 vs 5708, when to use which and how they fit together
IRS Publication 4557 and IRS Publication 5708 support the same goal, which is protecting taxpayer data, but they serve different functions in a compliance program. The easiest way to understand their relationship is to separate the framework from the documentation.
Publication 4557
- Publication 4557 is the framework.
- It defines the obligations that apply to any tax professional who handles taxpayer information.
- It explains the security principles that should guide a firm’s decisions, outlines the Security Six, and gives examples of policies, controls and best practices.
- It is a reference document that tells firms what a reasonable and responsible security program must address.
Publication 5708
- Publication 5708 is the documentation standard.
- It provides the structure and template for a Written Information Security Plan that aligns with the Gramm-Leach-Bliley Act and the FTC Safeguards Rule.
- It includes governance, the qualified individual role, risk assessment, safeguard definitions, service provider oversight, incident response and review cycles.
- It is the format regulators and due diligence teams expect to see when a firm explains how its security program works.
The following table summarizes these differences:
| Dimension | Publication 4557 | Publication 5708 |
|---|---|---|
| Scope | Safeguarding taxpayer data across all parts of the firm | Documenting a complete Written Information Security Plan |
| Purpose | Define obligations, risks and expected safeguards | Provide a fillable and auditable WISP template |
| Document type | Guidance, checklists and examples | Structured plan with required sections and evidence fields |
| Audience | All tax professionals and staff | Firms that need to create, update or defend their WISP |
| Main use | Train staff and understand expectations | Produce the written plan required by GLBA and the Safeguards Rule |
| Evidence role | Explains what needs to be protected | Defines how protection is documented, tested and reviewed |
Publication 4557 sets the principles, scope and expectations. Publication 5708 shows the IRS-endorsed way to write them down and prove they are in place.
For a CPA firm, the practical takeaway
CPA firms cannot choose between Publication 4557 and Publication 5708. The two documents work as a pair. Publication 4557 remains the foundation for understanding obligations and building a security program that protects taxpayer data. Publication 5708 provides the structure for documenting governance, safeguards and testing so that the firm has a defensible Written Information Security Plan.
A modern and defensible approach follows a clear sequence.
- Use Publication 4557 as the reference for what the security program must cover.
- Use Publication 5708 to build the WISP that matches those obligations and to align that plan with the FTC Safeguards Rule.
- Then connect each section of the WISP to real systems and logs so that the plan is not just words on paper.
How CPAs actually prove compliance, what auditors and partners will ask for
Regulators, lenders and cyber insurers expect proof that a WISP is active, current and tied to real safeguards. Publication 5708 makes this clear. A defensible evidence set falls into seven categories.
1. The Written Information Security Plan
- Must be current, version-controlled and approved by the qualified individual.
- Should reference Publications 4557 and 5708, define scope, roles and all safeguards.
- Missing dates, reviews or version history signal non-compliance.
2. Risk assessments and system inventories
- Maintain annual risk assessments covering systems, data types, threats, likelihood and chosen safeguards.
- Document exceptions and compensating controls.
- System inventories must show where taxpayer data lives, which tools process it and who has access.
3. Technical controls and configuration evidence
- Provide screenshots or reports showing active MFA, encryption, endpoint protection and current patching.
- Include logs that show access monitoring and alert review.
- These items prove the controls described in the WISP actually operate.
4. Backup and disaster recovery logs
- Document how backups are created, stored and tested.
- Include job status, retention schedules and restore test results.
- Untested backups are considered unreliable, which creates a compliance gap.
5. Training and awareness records
- Keep logs of staff attendance and materials used for security training.
- Training should cover phishing, password hygiene, data handling and incident reporting.
- Records must show ongoing education rather than one time sessions.
6. Vendor management documentation
- Maintain signed agreements with required security terms, due diligence questionnaires, provider reports and annual review notes.
- This demonstrates oversight of any service provider that processes or stores taxpayer data.
7. Incident and testing logs
- Keep records of incidents, tabletop exercises, audit trails and post incident reviews.
- Updates to the WISP after incidents should be documented, showing continuous improvement.
Translating evidence into a defensible narrative
When an auditor or reviewer asks, “How do you comply with IRS Publication 4557 and Publication 5708?”, they expect more than a verbal explanation. They expect a clear mapping that connects the written plan to functioning controls. The most effective approach is simple and repeatable.
Start with the specific section of the WISP that addresses the control in question.
For example, if asked about multi factor authentication:
- Show the documented requirement in the WISP.
- Then present the system or tool that implements the control.
- Finally, produce the supporting evidence, such as MFA configuration screenshots or user authentication logs.
This three step pattern applies to every aspect of a compliance review. It proves that the firm has a plan, that the plan is implemented and that the controls operate as intended.
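The three-step pattern (WISP section, implementing system, supporting evidence) can be checked mechanically before a review rather than discovered during one. The following is an added example, not part of the article and not the VeritShield product, of a small register check: each control entry must cite a WISP section, name the system that implements it and hold at least one dated evidence record, and the newest evidence must be younger than the review interval (here one year, following the annual review expectation). The register layout and the sample entries are constructed for the example.

```python
"""WISP control-register gap check. Added example; the register format is an
assumption for this demonstration, not the IRS Publication 5708 template."""
from datetime import date

# Constructed sample register. Each entry is one safeguard from the WISP.
SAMPLE_REGISTER = [
    {
        "control": "Multi-factor authentication",
        "wisp_section": "4.2",
        "system": "Identity provider conditional access (assumed)",
        "evidence": [{"type": "MFA enforcement report", "date": "2025-09-15"}],
    },
    {
        "control": "Backup restore testing",
        "wisp_section": "6.1",
        "system": "Managed backup service (assumed)",
        "evidence": [{"type": "restore test log", "date": "2024-03-01"}],
    },
    {
        "control": "Encryption at rest",
        "wisp_section": "4.4",
        "system": "",          # nobody recorded which system enforces it
        "evidence": [],        # and there is nothing on file to show
    },
]


def check_control(entry: dict, today: date, max_age_days: int = 365) -> list:
    """Return the list of gaps for one control; an empty list means it is defensible."""
    gaps = []
    if not entry.get("wisp_section"):
        gaps.append("no WISP section cited")
    if not entry.get("system"):
        gaps.append("no implementing system named")
    evidence = entry.get("evidence") or []
    if not evidence:
        gaps.append("no evidence on file")
    else:
        newest = max(date.fromisoformat(item["date"]) for item in evidence)
        age = (today - newest).days
        if age > max_age_days:
            gaps.append(f"newest evidence dated {newest} is {age} days old")
    return gaps


def review_register(register: list, today: date, max_age_days: int = 365) -> dict:
    """Map control name -> gaps, so a reviewer sees every weak mapping at once."""
    return {e["control"]: check_control(e, today, max_age_days) for e in register}


def ready_for_review(register: list, today: date, max_age_days: int = 365) -> bool:
    """True only when every control has section, system and fresh evidence."""
    return all(not gaps for gaps in review_register(register, today, max_age_days).values())


if __name__ == "__main__":
    as_of = date(2025, 10, 1)  # constructed review date
    for control, gaps in review_register(SAMPLE_REGISTER, as_of).items():
        print(f"{control}: {'OK' if not gaps else '; '.join(gaps)}")
    print("ready for review:", ready_for_review(SAMPLE_REGISTER, as_of))
```

Run against a real register before a lender, insurer or IRS inquiry, the output is the list of controls for which the firm could not yet produce the third step of the pattern. The freshness threshold is the one adjustable parameter; tighten it for controls a firm's own WISP says it tests more often than annually.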
VeritShield WISP helps firms maintain this structure by linking each IRS and FTC requirement to a corresponding control, system and evidence record. This removes the guesswork that often undermines audit readiness and keeps documentation aligned with the IRS template.
How Verito fits, from WISP template to an audit ready environment
VeritShield WISP and the IRS aligned WISP template
Publication 5708 gives firms a complete WISP template, but most struggle to fill it out accurately, tailor it to their systems and keep it updated. VeritShield WISP closes this gap by providing a ready to use IRS aligned template that follows the structure of Publication 5708 and the safeguards outlined in Publication 4557.
Firms that need guided support can use VeritShield’s structured process to build a tailored WISP in days.
The service documents governance roles, system inventories, safeguard definitions, vendor oversight and testing procedures in a format that aligns with FTC Safeguards Rule expectations. This gives firms a practical starting point, especially those concerned about PTIN attestation or creating a formal WISP for the first time. The result is a written plan that reflects real operations and is designed to be reviewed and updated on a predictable schedule.
Infrastructure and managed IT that match what the WISP promises
A WISP only holds up if the controls it describes actually function. Many firms struggle to generate the evidence that auditors and due diligence teams expect. Verito solves this by providing an environment where each safeguard in the WISP maps directly to a technical control.
a) VeritSpace private servers
VeritSpace delivers dedicated private servers built on SOC 2 certified and GLBA aligned infrastructure. This supports core technical expectations across both IRS publications, including isolation of taxpayer data, encryption in storage and transit and reliable uptime. Because the environment is managed, firms can easily export configuration reports that match the controls documented in the WISP.
b) VeritGuard managed IT and security
VeritGuard provides endpoint protection, monitoring, patching, MFA configuration and backup testing. These services align with the Security Six in Publication 4557 and the safeguard requirements in Publication 5708. Activity is logged and reviewed, giving firms defensible evidence of updates, alerts handled and restore tests completed.
c) VeritComplete all in one bundle
Some firms prefer a single provider for hosting, IT management and WISP support. VeritComplete offers this combined model, reducing vendor fragmentation and helping firms maintain consistent controls across technical, administrative and documentation domains.
Every safeguard in the WISP must map to a system, a control and a piece of evidence. By placing workloads, security tools and documentation in one environment, firms can maintain that mapping without building it from scratch.
From IRS PDFs to a working, audit ready WISP
A Written Information Security Plan is now a legal requirement for tax professionals, and it is tied directly to the obligations that PTIN holders certify during renewal. Publication 4557 explains what must be protected. Publication 5708 provides the IRS endorsed structure for documenting those protections. Both are necessary, and neither is sufficient without real safeguards and verifiable evidence.
Using these publications without a structured approach creates gaps that become visible during audits, lender reviews or cyber insurance renewals. A defensible WISP requires governance, documented controls, current system inventories, updated vendor records, tested backups and regular reviews. Firms that rely only on templates or outdated documents often struggle to produce the proof that regulators now expect.
If your firm needs help building or updating a WISP, Verito provides two practical paths. You can start by downloading a free IRS compliant WISP template or work with VeritShield WISP experts who can produce a tailored plan that aligns with Publications 4557 and 5708. Firms that also need infrastructure or IT support can schedule a security and compliance consult to understand how hosting, endpoint protection and managed backup fit into the overall WISP evidence structure.
Download a free IRS compliant WISP template or talk to VeritShield WISP experts.
FAQ
1. Is IRS Publication 5708 mandatory or just guidance?
Publication 5708 itself is guidance, but the requirement to maintain a Written Information Security Plan is mandatory under the Gramm Leach Bliley Act and the FTC Safeguards Rule. The IRS endorses Publication 5708 as the template tax professionals should use to document their WISP. During PTIN renewal, preparers attest that they understand and meet this requirement, which means a functioning WISP must already exist.
2. Do I still need Publication 4557 if I follow Publication 5708?
Yes. Publication 4557 remains the core IRS document for safeguarding taxpayer data. It defines the expectations, risks and safeguards that apply to any tax professional. Publication 5708 does not replace Publication 4557. Instead, it provides the structure for writing a WISP that aligns with both the IRS framework and the Safeguards Rule.
3. What happens if my firm does not have a WISP when someone asks for proof?
A firm that cannot produce a current WISP faces several issues. The PTIN attestation becomes difficult to defend, and lenders or cyber insurers may delay approvals or adjust terms because the firm cannot demonstrate compliance. Clients may also view the absence of a WISP as a red flag in due diligence reviews. Most importantly, regulators expect a documented plan. Without one, the firm has a material compliance gap.
4. How often should I review and update my WISP?
A WISP should be reviewed at least once per year and whenever there are significant changes to systems, staff, vendors or threat conditions. It must also be updated after incidents or testing results that highlight necessary improvements. A plan that remains unchanged for several years fails the continuous improvement standard emphasized in Publication 5708.
5. Can a one or two person firm use the IRS WISP template as is?
Yes. Small firms can use the Publication 5708 template, but they must complete it accurately and update it regularly. Roles such as the qualified individual can be assigned to an owner or partner, but the responsibilities remain the same. A template is only compliant once it reflects actual systems, safeguards and review processes.
6. Does using a cloud provider by itself make me compliant with 4557 and 5708?
No. A cloud provider contributes to the technical safeguards, but it does not replace governance, risk assessments, vendor oversight or training responsibilities. A firm still needs a complete WISP, documented evidence of controls and a clear review cycle. Cloud services should support the plan, not serve as the plan itself.
7. Is a signed WISP enough, or do I need logs and technical evidence too?
A signed WISP is not enough. Regulators and insurers expect evidence that safeguards operate. This includes MFA reports, encryption settings, backup test results, training logs and vendor documentation. Without supporting records, the WISP becomes a policy statement rather than a defensible compliance document.
tl;dr
- Publication 4557 sets the rules for safeguarding taxpayer data. It explains what a security program must include and where tax professionals face risk.
- Publication 5708 provides the IRS endorsed WISP template. It defines how a firm documents its governance, controls, testing and vendor oversight.
- A WISP is a legal requirement under GLBA and the FTC Safeguards Rule. PTIN renewal now includes an attestation that a WISP exists.
- The 2024 version of Publication 5708 expanded requirements for MFA, encryption, backup testing, incident response, service provider oversight and ongoing reviews.
- Regulators and insurers expect proof that controls exist and function. That includes logs, MFA reports, encryption settings, restore test records, training logs, vendor contracts and incident response documentation.
- A modern security posture uses Publication 4557 as the framework for what must be protected and Publication 5708 as the structure for documenting that protection.
- Without evidence, a WISP will not withstand an audit. In 2025, if it is not written, current, reviewed and supported by system logs, it is difficult to defend as compliant.
- Verito’s SOC 2 aligned environment and VeritShield WISP service help firms produce the technical controls, documentation and audit ready evidence that match the expectations in both publications.
Disclaimer: This guide is for educational purposes only. It is not tax, legal, or payroll advice. Employees and employers should consult a qualified tax professional for decisions regarding withholding or tax filing.
