Written Information Security Plan: The Complete Guide for Tax Professionals
If you file tax returns electronically, the IRS requires you to have a WISP. This guide covers who needs one, what it must include, and how to build it.
Updated for 2026 | IRS Pub 4557 + 5708 | FTC Safeguards Rule
The Regulatory Framework Behind Your WISP
IRS Publication 4557: Safeguarding Taxpayer Data
Pub 4557 requires administrative, technical, and physical safeguards plus a designated Qualified Individual. Non-compliance can mean disciplinary action and loss of your PTIN.
Read our complete IRS Pub 4557 guide
IRS Publication 5708: Creating Your WISP
The practical companion to 4557. It provides a sample WISP framework covering nine key areas, from risk assessment to breach response, designed for small to mid-size practices.
FTC Safeguards Rule (16 CFR Part 314)
Applies to all financial institutions under GLBA, including tax preparers. Requires a Qualified Individual, periodic risk assessments, encryption, MFA, and a documented incident response plan. Maximum penalty: $100,000 per violation.
Read our complete FTC Safeguards Rule guide
GLBA Overlap and Why It Matters
The Gramm-Leach-Bliley Act gives the FTC authority to enforce the Safeguards Rule. Your WISP must satisfy both IRS and FTC requirements. Build one unified plan that maps controls to both standards.
Every tax preparer who handles client data is required to have a WISP.
IRS Publication 4557, Section 4
Who Must Have a WISP?
Federal law requires a documented security program from any organization that handles consumer financial data. That includes you.
Tax and Accounting Firms
If you hold a PTIN and e-file, you need a WISP. No exceptions for firm size, seasonal status, or return volume. The IRS tied WISP attestation to PTIN renewal, so skipping it means you cannot file federal returns.
GLBA and FTC Covered Entities
Tax preparers are classified as financial institutions under GLBA. The revised Safeguards Rule demands a designated security officer, documented risk assessments, and an incident response plan. Fines run up to $100,000 per violation.
Full FTC Safeguards Rule breakdown
Cyber Insurance Requirements
Most carriers will not quote a cyber liability policy without a WISP. After a breach, insurers audit your security program before paying claims. No documented WISP means denied claims, even if you had coverage.
Six Essential Components of an IRS-Compliant WISP
IRS Pub 4557 and the FTC Safeguards Rule require these six elements. Each must be documented, implemented, and reviewed annually.
Risk Assessment
Identify every way client data could be compromised. The FTC requires this assessment to be updated whenever you change technology or processes, not just once a year.
Data Inventory and Classification
Map every system, device, and location holding taxpayer data. Tag each by sensitivity level so you know what needs encryption and what needs physical locks.
Access Control Policies
Document who can access what and how. MFA is mandatory under the FTC Safeguards Rule for any system storing client information. Include offboarding procedures for departing staff.
Incident Response Plan
Define who leads the response, who contacts affected clients, who notifies regulators, and who handles the post-mortem. Write it down before you need it.
Vendor Management
Anyone touching client data must meet your security standards. The FTC requires documented vendor oversight. Get their security policies in writing and review annually.
Employee Training
68% of breaches involve a human element. Train everyone before they touch client data, including seasonal hires. Refresh annually. Keep signed acknowledgments on file.
How to Build Your WISP: A 7-Step Implementation Guide
You do not need an IT degree. Follow these seven steps to create a WISP that satisfies IRS Pub 4557, Pub 5708, and the FTC Safeguards Rule.
Phase 1: Prepare
Designate a Qualified Individual (QI)
The FTC requires someone with authority to make security decisions and allocate budget. In most small firms, that is the owner. Document who the QI is and what happens if they leave.
Inventory All Data and Systems
List every device, cloud app, and location holding client data. Note what data lives there, who has access, and what security is in place. Update it whenever you add or retire a system.
Conduct a Risk Assessment
For each item in your inventory, ask: what could go wrong? Rate each risk by likelihood and impact. Fix the high-likelihood, high-impact items first. Repeat at least annually.
Phase 2: Build
Write Your Security Policies
Turn risk assessment findings into concrete rules: password length, MFA requirements, encryption standards, visitor procedures. Specific, measurable policies survive audits. Vague ones do not.
Train All Staff
Cover phishing recognition, data handling, physical security, and incident reporting. Include seasonal hires. Get signed acknowledgments. The IRS will ask for them.
Phase 3: Maintain
Test Your Controls
Verify encryption is active, restore a backup, send a simulated phishing email. Document what you tested, what passed, what failed, and how you fixed it.
Schedule Annual Reviews
Block time at least once a year to review your entire WISP. Also review after any security incident, staffing change, or new technology. Document who participated and what changed.
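As an added example that is not part of this guide, the following Python script encodes the inventory, risk assessment, and annual review steps above: constructed sample systems are checked against the controls this guide names (MFA and encryption for any system holding client data, a review within the last year), and constructed risk register entries are ranked by likelihood times impact. The system names, risk entries, 1-to-5 rating scale, and 365-day review window are all assumptions.

```python
from datetime import date

# Constructed sample inventory for a hypothetical practice; not real systems.
INVENTORY = [
    {"name": "tax-prep workstation", "stores_client_data": True,
     "mfa": True, "encrypted": True, "last_reviewed": date(2025, 3, 1)},
    {"name": "cloud document portal", "stores_client_data": True,
     "mfa": False, "encrypted": True, "last_reviewed": date(2025, 3, 1)},
    {"name": "front-desk laptop", "stores_client_data": True,
     "mfa": True, "encrypted": False, "last_reviewed": date(2024, 1, 15)},
    {"name": "marketing website", "stores_client_data": False,
     "mfa": False, "encrypted": False, "last_reviewed": date(2025, 3, 1)},
]

# Constructed risk register; likelihood and impact use an assumed 1-5 scale.
RISKS = [
    {"risk": "phishing of seasonal staff", "likelihood": 4, "impact": 5},
    {"risk": "lost unencrypted laptop", "likelihood": 2, "impact": 5},
    {"risk": "website defacement", "likelihood": 2, "impact": 1},
    {"risk": "vendor breach at cloud host", "likelihood": 3, "impact": 4},
]

def control_gaps(system, today):
    """Return the WISP requirements this system fails: MFA and encryption for
    any system holding client data, plus a review within the last 365 days."""
    gaps = []
    if system["stores_client_data"]:
        if not system["mfa"]:
            gaps.append("MFA required (FTC Safeguards Rule)")
        if not system["encrypted"]:
            gaps.append("encryption required for client data")
    if (today - system["last_reviewed"]).days > 365:
        gaps.append("review overdue (annual review required)")
    return gaps

def prioritize(risks):
    """Order risks by likelihood x impact, highest first; ties keep register order."""
    return sorted(risks, key=lambda r: r["likelihood"] * r["impact"], reverse=True)

def inventory_report(inventory, today):
    """Map each system name to its list of control gaps (empty list = no gaps)."""
    return {s["name"]: control_gaps(s, today) for s in inventory}

if __name__ == "__main__":
    as_of = date(2025, 6, 1)  # assumed review date
    for name, gaps in inventory_report(INVENTORY, as_of).items():
        print(f"{name}: {', '.join(gaps) or 'no gaps'}")
    for r in prioritize(RISKS):
        print(f"score {r['likelihood'] * r['impact']:>2}: {r['risk']}")
```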
Five WISP Mistakes That Put Your Firm at Risk
Ignoring Physical Security
Use locked offices, visitor sign-in, and a clean desk policy. If someone can photograph a client's return off your desk, your digital encryption does not matter.
Skipping Vendor Risk Assessment
Your IT company, cloud host, and shredding service all touch client data. The FTC requires documented vendor oversight. Get their security policies in writing.
No Documented Incident Response Plan
When a breach happens at 11 PM on a Friday during tax season, you need a checklist, not a brainstorming session.
Treating the WISP as a One-Time Project
Your risk landscape shifts every time you install software or hire staff. Both the IRS and FTC require periodic reviews.
Solo Practitioners Assuming They Are Exempt
One PTIN, one return, one client: you still need a WISP. The IRS does not scale the requirement to firm size.
The Business Case for a Professional WISP
Cyber Insurance Eligibility
Most carriers require a WISP before issuing a cyber liability quote. After a breach, they audit your security program before paying claims. No documented WISP means denied claims.
Competitive Differentiation
When a prospect asks how you protect their data, a documented WISP with specific controls, training records, and an incident response plan wins business over vague reassurances.
Client Trust and Retention
You hold Social Security numbers, bank accounts, and income records. Clients are starting to ask what you do to protect that data. A formal WISP gives you a concrete answer.
Penalty Avoidance
The FTC can fine up to $100,000 per violation. The IRS can pull your PTIN. A breach without a documented WISP also opens you to civil suits. Compare that to a few days of DIY work or $999 for a professionally built plan.
Free Template vs. VeritShield WISP
Both options help you meet IRS requirements. One gives you a starting framework. The other delivers a complete, audit-ready plan built by compliance specialists.
Free Template | VeritShield WISP
Generic template with blanks to fill | Custom-built for your firm's size and software
No guidance on your specific firm | Expert analysis of your specific risks
Risk of missing critical requirements | Covers every IRS and FTC requirement
No updates when regulations change | Annual updates included at no extra cost
Get VeritShield WISP ($999)
WISP Frequently Asked Questions
Answers to the most common questions about Written Information Security Plans for tax and accounting firms.
Protect Your Firm With an Audit-Ready WISP
Download our free template to start building your WISP, or let our compliance specialists deliver a fully customized, audit-ready plan.
IRS Pub 4557 Compliant • FTC Safeguards Rule Aligned • 100% Satisfaction Guarantee