A Written Information Security Plan, or WISP, is the formal document that explains how your firm protects taxpayer and client information<\/strong> across people, processes, technology, and vendors. With IRS Publication 5708, updates to the FTC Safeguards Rule, and tighter cyber insurance questionnaires, a vague one-page policy is now a liability, not a shield.<\/p>\n\n\n\n The good news is that you do not have to start from a blank page.<\/p>\n\n\n\n The most widely used WISP templates for accounting firms in 2026 are IRS Publication 5708 (the official free baseline), Financial Cents and TaxDome (free, practice-management-aligned starting points), Bellator Cyber’s WISPBuilder (a paid automated option), and VeritShield WISP by Verito (a managed service that builds a custom, audit-ready plan in five business days).<\/p>\n\n\n\n There are credible WISP templates, IRS-provided examples, and vendor-supported security plans that you can adapt to your firm. The challenge is choosing a template that actually fits an accounting practice, then tailoring it so that it matches your real systems, staff, and risk, instead of promising controls you do not have.<\/p>\n\n\n\n This article breaks down what a WISP means specifically for CPA and tax firms in 2026. You will see how IRS Publication 5708 structures a compliant WISP, how to evaluate the most useful WISP templates and tools on the market, and how to convert any template into a practical security plan that stands up to PTIN attestation, cyber insurance reviews, and client due diligence.<\/p>\n\n\n\n Whether you are a solo practitioner or a 50-person multi-office firm, the goal is to come up with a WISP that is credible on paper and backed by real technical and operational safeguards.<\/p>\n\n\n\n If you handle U.S. taxpayer or sensitive client financial data in any meaningful way, you should assume you need a Written Information Security Plan. In practice, that covers:<\/p>\n\n\n\n The IRS has already put this expectation in front of you: when you renew your PTIN, you are asked about your written data security plan. Behind that question sits IRS Publication 4557 and Publication 5708, which spell out the expectation that tax professionals maintain a written information security plan that fits their size and risk profile.<\/p>\n\n\n\n On the regulatory side, the FTC Safeguards Rule treats many accounting and tax practices as financial institutions for purposes of information security. That rule requires a written information security program that looks very similar to what the IRS calls a WISP, including risk assessment, safeguards, testing, and oversight of service providers.<\/p>\n\n\n\n If you store or process:<\/p>\n\n\n\n you are within scope of these expectations, whether you are one person or fifty.<\/p>\n\n\n\n The risk is no longer theoretical. Small and mid-sized firms are now regular targets:<\/p>\n\n\n\n Even if you never experience a major incident, you are now being asked to prove that your WISP exists and that it is real. Three specific pressure points have made a credible WISP non-negotiable for firms that want to keep their PTIN, renew their cyber coverage, and serve business clients with their own due diligence requirements:<\/p>\n\n\n\n You may be asked to describe how you protect taxpayer data or to show your written plan during an inquiry or security readiness review.<\/p>\n\n\n\n Carriers frequently ask if you have a written information security program, when it was last updated, who owns it, and whether specific safeguards such as MFA, backups, and endpoint protection are in place.<\/p>\n\n\n\n Business clients, especially those with their own security and compliance requirements, are more likely to ask how you protect their data and may request copies or summaries of your policies.<\/p>\n\n\n\n If your firm lacks a WISP, or has a generic document that does not match reality, you are exposed on several fronts. The exposure falls into four categories, each of which can independently threaten a firm’s license, coverage, operations, or reputation.<\/p>\n\n\n\n Failing to safeguard taxpayer data can trigger IRS referrals, potential state-level enforcement, and issues under the FTC Safeguards Rule<\/strong><\/a>.<\/p>\n\n\n\n Discrepancies between what your WISP claims and what is actually in place can create problems during cyber insurance underwriting or when you file a claim.<\/p>\n\n\n\n Without a real plan, incident response is improvised, downtime<\/strong><\/a> lasts longer<\/strong>, and staff do not know what to do when something goes wrong.<\/p>\n\n\n\n A breach involving tax data or payroll information can quickly lead to lost clients, negative reviews, and referrals drying up, especially in smaller communities where firms rely heavily on trust.<\/p>\n\n\n\n In 2026, having no WISP, or having one that exists only to satisfy a checkbox, is a strategic risk<\/strong> for any accounting firm that wants to keep its PTIN, qualify for insurance, and remain a trusted advisor.<\/p>\n\n\n\n Before you choose a template, it helps to strip the jargon out and look at what a Written Information Security Plan<\/strong><\/a> actually contains for an accounting or tax practice.<\/p>\n\n\n\n For a CPA or tax firm, a WISP is not a theoretical security framework. It is a written description of:<\/p>\n\n\n\n Regulators use different wording. The IRS talks about safeguarding taxpayer data, while the FTC refers to a written information security program under the Safeguards Rule. In practice, they expect the same thing: a documented, risk-based approach to protecting client information that you can explain, maintain, and prove if asked.<\/p>\n\n\n\n For an accounting firm, a workable WISP usually breaks down into four main components.<\/p>\n\n\n\n A WISP starts with a risk assessment that is specific to your practice. That means identifying:<\/p>\n\n\n\n This does not need to be a long report, but it needs to be honest and written down. Every other part of the WISP is supposed to follow from this risk picture.<\/p>\n\n\n\n These are the policies and procedures that govern how people in the firm handle client information. For an accounting practice, that typically includes:<\/p>\n\n\n\n These items tend to feel like paperwork, but they are exactly what IRS Publication 5708 and the FTC Safeguards Rule expect to see referenced in a written plan.<\/p>\n\n\n\n Technical safeguards are the controls that actually make it harder for an attacker to get in, move around, or do damage. In an accounting firm, a WISP should describe at least:<\/p>\n\n\n\n This is where the gap between a Word template and reality often shows up. The WISP must reflect what your hosting provider, IT partner, and internal team actually do today.<\/p>\n\n\n\n For many firms, physical safeguards are an afterthought, but they still matter, even in a cloud-heavy environment. A credible WISP for an accounting firm typically covers:<\/p>\n\n\n\n If you use a cloud hosting provider<\/strong><\/a> or data center, the WISP should note that physical data center security is provided by that vendor, and ideally reference their SOC report<\/strong> or security documentation, rather than implying the firm handles those controls directly.<\/p>\n\n\n\n Most WISP templates, including the IRS Publication 5708 sample, are organized around these pillars. What they cannot do for you is decide:<\/p>\n\n\n\n If you keep this structure in mind, you can evaluate any WISP template by asking a simple question: Does it help you document risks and safeguards in each of these areas in a way that matches how your firm actually operates, or does it push you toward generic, copy-pasted language that will be impossible to defend during an audit or insurance review?<\/p>\n\n\n\n For tax and accounting firms, the IRS provides a three-part playbook for your WISP:<\/p>\n\n\n\n Explains the safeguards tax professionals are expected to have in place. It covers administrative, technical, and physical controls and points firms to a written data security plan as a core expectation.<\/p>\n\n\n\n It is a detailed WISP template. It is a 28-page document prepared by the Security Summit specifically to help, in their words, \u201cparticularly smaller practices\u201d<\/em> build a WISP that satisfies legal requirements.<\/p>\n\n\n\n It is a companion guide that walks through how to build and maintain a WISP and reiterates that federal law, enforced by the FTC, requires professional tax preparers to maintain a written data security plan.<\/p>\n\n\n\n Publication 4557 tells you what<\/strong> safeguards you should have. Publication 5708 shows you how to document <\/strong>those safeguards in a WISP. Publication 5709 explains how to create and maintain <\/strong>that WISP over time in line with the FTC Safeguards Rule.<\/p>\n\n\n\n From a compliance perspective, Publication 5708 is the reference point if you are asked whether your WISP is complete and structured correctly.<\/p>\n\n\n\n IRS Publication 5708<\/strong><\/a> is not a short brochure. It is a complete sample WISP with instructions. At a high level it covers:<\/p>\n\n\n\n It ties your WISP directly to GLBA and the FTC Safeguards Rule, and states clearly that tax and accounting professionals are treated as financial institutions for data security purposes. It also lists core obligations such as designating a qualified individual, performing risk assessments, implementing safeguards, overseeing service providers, and reviewing the program regularly.<\/p>\n\n\n\n The document explains that there is no one size fits all WISP. Your plan must be appropriate for your size, activities, and the sensitivity of data. A sole practitioner can use a shorter plan than a 40 person firm, but both must cover risk assessment plus administrative, technical, and physical safeguards and treat the WISP as a living document. Publication 5708 gives a bare essentials outline that mirrors the four pillars you already saw: objectives and scope, assignment of responsibility, risk assessment, documentation of safeguards, and supporting records. It spells out where to define your qualified individual, list data types and risks, record hardware and user access, and describe safeguards and monitoring procedures.<\/p>\n\n\n\n The bulk of the document is a sample WISP for \u201c[Your Firm Name]\u201d with filled out sections and model language, plus attachments such as record retention policies, rules of behavior, incident procedures, acknowledgement forms, hardware inventory, authorized users and a glossary.<\/p>\n\n\n\n For an accounting firm, 5708 is essentially the official reference you align with, even if you choose a different template or a managed WISP service.<\/p>\n\n\n\n When you use Publication 5708, treat it as a framework, not a form.<\/p>\n\n\n\n Make sure your WISP covers the same elements as 5708: objectives and scope, a qualified individual, risk assessment, safeguards, vendor oversight, incident response, and supporting records. Do not assume the sample wording fits your firm as written.<\/p>\n\n\n\n If you are a three person practice, you still need all sections, but you can keep them short and focused on a small set of systems and roles. If you are a larger firm, expand sections on users, offices, vendors, and incident procedures instead of leaving the template language untouched.<\/p>\n\n\n\n The sample WISP describes regular training, device encryption, defined incident procedures and vendor oversight. If you do not actually do something that the sample text claims, either implement that control or edit the wording. Do not leave in language that overstates your maturity.<\/p>\n\n\n\n Complete the hardware inventory, authorized user list and other tables with real devices, systems and staff. Example values in 5708 are only placeholders.<\/p>\n\n\n\n Any move to new hosting, new portals, or new security tools should trigger a quick review of the WISP so it stays aligned with your stack, rather than drifting away from reality.<\/p>\n\n\n\n Once you know what your WISP must contain, the next step is choosing where to start. Below is a comparison of WISP template providers and services<\/strong> that are widely used by tax and accounting firms.<\/p>\n\n\n\nKey Takeaways<\/strong><\/span><\/h2>\n\n\n\n
\n
<\/li>\n\n\n\n
<\/li>\n\n\n\n
<\/li>\n\n\n\n
<\/li>\n\n\n\n
<\/li>\n\n\n\n
<\/li>\n\n\n\n
<\/li>\n\n\n\n
\n\n\n\nWho Actually Needs a WISP in 2026 and What is at Stake<\/strong><\/span><\/h2>\n\n\n\n
\n
\n
Why the WISP has Become a Must-have<\/strong><\/span><\/h3>\n\n\n\n
\n
![\"\"](\"https:\/\/verito.com\/blog\/wp-content\/uploads\/2026\/04\/Why-the-WISP-has-Become-a-Must-have-1024x375.jpg\")
<\/figure>\n\n\n\n1. PTIN renewal and IRS security outreach<\/strong><\/span><\/h4>\n\n\n\n
2. Cyber insurance applications and renewals<\/strong><\/span><\/h4>\n\n\n\n
3. Client due diligence<\/strong><\/span><\/h4>\n\n\n\n
What is at Stake for an Accounting Firm<\/strong><\/span><\/h3>\n\n\n\n
Regulatory Risk<\/strong><\/span><\/h4>\n\n\n\n
Insurance Risk<\/strong><\/span><\/h4>\n\n\n\n
Operational Risk<\/strong><\/span><\/h4>\n\n\n\n
Reputational Risk<\/strong><\/span><\/h4>\n\n\n\n
WISP Basics for CPAs, Enrolled Agents, and Tax Preparers<\/strong><\/span><\/h2>\n\n\n\n
What a WISP Really is in an Accounting Context<\/strong><\/span><\/h3>\n\n\n\n
\n
The Four Pillars of a WISP<\/strong><\/span><\/h3>\n\n\n\n
![\"\"](\"https:\/\/verito.com\/blog\/wp-content\/uploads\/2026\/04\/The-Four-Pillars-of-a-WISP-1024x410.jpg\")
<\/figure>\n\n\n\n1. Risk Assessment Focused on Tax and Client Data<\/strong><\/span><\/h4>\n\n\n\n
\n
2. Administrative Safeguards<\/strong><\/span><\/h4>\n\n\n\n
\n
3. Technical Safeguards<\/strong><\/span><\/h4>\n\n\n\n
\n
<\/li>\n\n\n\n4. Physical Safeguards<\/strong><\/span><\/h4>\n\n\n\n
\n
Why This Structure Matters When You Pick a Template<\/strong><\/span><\/h3>\n\n\n\n
\n
How IRS Publication 5708 Shapes Your WISP<\/strong><\/span><\/h2>\n\n\n\n
1. Publication 4557<\/strong><\/span><\/h3>\n\n\n\n
2. Publication 5708<\/strong><\/span><\/h3>\n\n\n\n
3. Publication 5709<\/strong><\/span><\/h3>\n\n\n\n
![\"\"](\"https:\/\/verito.com\/blog\/wp-content\/uploads\/2026\/04\/From-a-compliance-perspective-Publication-5708-is-the-reference-point-if-you-are-asked-whether-your-WISP-is-complete-and-structured-correctly-1024x358.jpg\")
<\/figure>\n\n\n\nInside Publication 5708: What it Actually Contains<\/strong><\/span><\/h3>\n\n\n\n
1. Requirements and Scope<\/strong><\/span><\/h4>\n\n\n\n
2. Getting Started and Proportionality<\/strong><\/span><\/h4>\n\n\n\n
<\/p>\n\n\n\n3. Structured WISP Outline<\/strong><\/span><\/h4>\n\n\n\n
4. Sample WISP with Attachments<\/strong><\/span><\/h4>\n\n\n\n
How to Use Publication 5708 Without Copy-pasting Trouble<\/strong><\/span><\/h3>\n\n\n\n
1. Use it as a checklist<\/strong><\/span><\/h4>\n\n\n\n
2. Scale detail to your size<\/strong><\/span><\/h4>\n\n\n\n
3. Align every claim with real safeguards<\/strong><\/span><\/h4>\n\n\n\n
4. Fill attachments from your real environment<\/strong><\/span><\/h4>\n\n\n\n
5. Review it when your environment changes<\/strong><\/span><\/h4>\n\n\n\n
Top WISP Templates and Security Plan Resources for Accounting Firms<\/strong><\/span><\/h2>\n\n\n\n
Comparison of Leading WISP Template Providers<\/strong><\/span><\/h3>\n\n\n\n