Tax & IRS Compliance | 45 min read

Accounting Firm WISP Template Examples & Guide 2026

Real accounting firm WISP template examples with IRS Publication 4557 requirements, GLBA compliance, and step-by-step setup. Get started free today.

Bellator Cyber Guard

What Is a WISP and Why Every Accounting Firm Needs One

A Written Information Security Plan (WISP) is a formal, documented policy that defines how your accounting firm collects, stores, accesses, and protects client data. It is not optional. Under IRS Publication 4557 and the Federal Trade Commission's (FTC) Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, every tax preparer and accounting firm handling client financial data must maintain a written security plan — regardless of firm size or annual return volume.

Accounting firms are high-value targets. A single client tax file contains a Social Security number, bank account details, income history, and often business financials spanning multiple years. The professional services sector, which includes accounting and CPA firms, saw a 30% increase in ransomware incidents between 2023 and 2025, according to the Verizon 2025 Data Breach Investigations Report (DBIR).

Despite clear legal mandates and well-documented threat patterns, many firms still operate without an IRS-compliant WISP — or they maintain a generic document that has not been reviewed since it was first created. This guide walks through real accounting firm WISP template examples with annotated section breakdowns, a complete list of required components, and a practical implementation framework so your firm is protected and compliant heading into 2026.

The Legal Basis for the WISP Requirement

Three overlapping legal frameworks require accounting firms to maintain a WISP. Understanding each one shapes how your document must be structured.

IRS Publication 4557 and the FTC Safeguards Rule

IRS Publication 4557, Safeguarding Taxpayer Data, is the IRS's primary guidance document for tax professionals. It states that all tax preparers must create and maintain a WISP that identifies risks to client data and describes the controls that mitigate them. The Publication points to GLBA as the underlying statute and to the FTC Safeguards Rule, GLBA's implementing regulation, for what the plan must contain.

Under the amended FTC Safeguards Rule (most provisions effective June 9, 2023), any "financial institution" subject to GLBA, a category that includes tax return preparers, must implement a written information security program. Key mandates include:

  • Designating a Qualified Individual responsible for overseeing the security program
  • Conducting and documenting a written risk assessment
  • Implementing access controls, and encrypting customer information both at rest and in transit over external networks (or documenting compensating controls approved by the Qualified Individual)
  • Requiring multi-factor authentication for anyone accessing an information system that holds customer information
  • Providing security awareness training for all staff with access to client data
  • Testing and monitoring the effectiveness of implemented security controls
  • Establishing a written incident response plan and, since May 2024, notifying the FTC within 30 days of discovering a notification event that affects 500 or more consumers
  • Requiring service providers to maintain appropriate data safeguards contractually

NIST SP 800-171 as a Structural Framework

While NIST Special Publication 800-171 is written for contractors handling Controlled Unclassified Information (CUI), its security requirements (110 in Revision 2; Revision 3, published in 2024, consolidates them to 97) serve as a sound structural framework for an accounting firm WISP. Many IRS-recommended WISP templates align closely with the NIST SP 800-171 control families, including access control, audit and accountability, incident response, and system and communications protection. Aligning your WISP to NIST SP 800-171 also positions your firm well if enterprise clients begin requesting proof of security program maturity.

State-Level Obligations

Beyond federal requirements, many states impose additional obligations, and they follow the client's residence rather than your office address. Massachusetts 201 CMR 17.00 explicitly requires a comprehensive written information security program from any business holding personal information about Massachusetts residents. New York's SHIELD Act requires reasonable administrative, technical, and physical safeguards (and treats a business that complies with GLBA as compliant). California's CCPA requires reasonable security procedures and gives consumers a private right of action after a breach caused by their absence. Your WISP must therefore account for the states where your clients reside, not just where your firm is domiciled. A compliant accounting firm WISP template addresses this by including a jurisdiction checklist in an appendix.

Accounting Firm Cybersecurity: Key Data Points

  • $4.88M: global average cost of a data breach (IBM Cost of a Data Breach Report 2024)
  • 68%: breaches that involved the human element, such as phishing or error (Verizon 2024 Data Breach Investigations Report)
  • 100%: share of tax preparers required to have a WISP (IRS Publication 4557 and the FTC Safeguards Rule)

Required Sections in Every Accounting Firm WISP

The IRS and FTC do not prescribe a specific page format, but they do specify what a WISP must address. The sections below represent the required baseline for any accounting firm WISP template. Each section must reflect your specific firm — not generic placeholder language.

Firm Identification and Designated Security Coordinator

Your WISP must identify your firm by legal name and designate a specific individual, not just a job title, as the Information Security Coordinator (ISC). The Safeguards Rule calls this person the "Qualified Individual" and the IRS sample WISP uses "Data Security Coordinator"; the title matters less than naming a person with real authority. The ISC is accountable for maintaining the WISP, coordinating training, and managing incident response. For solo practitioners, the ISC is the preparer. For larger firms, it is usually a managing partner with direct authority over IT decisions. Name a backup designee as well.

Inventory of Data and Systems

You cannot protect what you have not identified. Your WISP must document every system where client data lives: tax software (Drake, Lacerte, UltraTax CS, ProSeries), cloud storage, email platforms, local servers, backup drives, and mobile devices. For each system, identify who has access, under what conditions, and from which locations. This inventory becomes the foundation for your risk assessment and directly feeds your access control policies.

Written Risk Assessment

The FTC Safeguards Rule explicitly requires a written risk assessment — not a verbal one, not a checklist. Your assessment must identify reasonably foreseeable internal and external threats, evaluate likelihood and impact, document existing controls, and assign mitigation tasks with owners and deadlines. Threats specific to accounting firms include phishing campaigns targeting tax professionals, ransomware delivered through email attachments, credential stuffing against tax software portals, and physical theft of laptops during tax season travel. Each identified risk needs a risk score, not just a description.

Access Controls and Authentication

This section defines who can access client data and under what conditions. At minimum, your WISP must specify unique user accounts for each employee (no shared logins), strong password policies, and mandatory multi-factor authentication (MFA) for all systems that access taxpayer data. MFA is one of the IRS Security Six, and the Safeguards Rule independently requires it for anyone accessing an information system that holds customer information, so state it explicitly here. Role-based access control (RBAC), where employees can only view the client records relevant to their job function, should also be documented, along with how often access is reviewed and how it is revoked when someone leaves.

Data Encryption Standards

All taxpayer data must be encrypted both in transit and at rest. Your WISP should name the specific encryption tools in use: full-disk encryption (BitLocker for Windows, FileVault for macOS) on all laptops and workstations, AES-256 for stored data, and TLS 1.2 or later (1.3 preferred) for data in transit. Pin a minimum, not a single version: a policy that permits only TLS 1.3 will be violated by many client portals and mail servers that still negotiate 1.2. The section must also specify that client documents are shared only through an encrypted file-transfer portal, never as unencrypted email attachments, and where BitLocker and FileVault recovery keys are escrowed. Review the detailed requirements in our guide on tax document encryption requirements and cite those standards directly in your WISP.

Employee Security Training

Your WISP must document your security awareness training program: frequency (at minimum annually, with additional sessions after incidents), topics covered, delivery method, and how you verify and record completion. Required topics include phishing identification, password hygiene, safe data handling, clean desk procedures, and incident reporting. Training records belong in a WISP appendix and must be available upon regulatory request.

Incident Response Procedure

When a breach occurs, your firm needs a documented response sequence. The IRS directs preparers to contact their local IRS Stakeholder Liaison immediately on discovering a client data theft, and the FTC Safeguards Rule now requires notice to the FTC within 30 days of discovering a notification event that affects 500 or more consumers. Your WISP must turn these into firm-specific commitments: an internal deadline for the IRS call (24 to 48 hours is a common choice), the named person who makes each notification, and the steps for containing the breach, preserving evidence, notifying affected clients and state authorities where state law requires it, and restoring operations. A separate cybersecurity incident response plan template can supplement this section with tactical runbooks.

Service Provider and Vendor Oversight

If your firm uses third-party vendors, such as tax software platforms, cloud backup services, document management systems, or outsourced IT support, your WISP must document how you vet those vendors' security practices and what contractual data protection provisions you require. This is the section most commonly omitted from generic accounting firm WISP templates, and its absence is one of the first gaps a regulator or cyber insurer will notice.

Enforcement Is Active: Do Not Wait for an Incident

The FTC can bring enforcement actions against firms that fail to maintain a written security program, and the IRS can suspend or revoke e-file privileges (EFIN) for preparers who fail to safeguard taxpayer data. Firms that experience a breach without a documented plan also face significantly higher liability in client lawsuits and regulatory actions. And because the IRS expects to hear from you immediately after a data theft, and the FTC within 30 days for larger events, those deadlines are nearly impossible to meet without a pre-written incident response procedure already in place.

Accounting Firm WISP Template Examples: Annotated Section Breakdowns

Reviewing real accounting firm WISP template examples reveals a consistent gap between weak, compliance-theater documents and plans that would actually survive a regulatory review. The comparisons below show what separates the two.

Designating the Information Security Coordinator

Weak template language: "The firm will designate a person responsible for information security."

Strong template language: "Jane Smith, Managing Partner, is designated as the Information Security Coordinator (ISC) for [Firm Name]. The ISC is responsible for maintaining this WISP, coordinating annual security reviews, overseeing employee training, and managing the firm's response to any data security incidents. In the ISC's absence, John Doe, Senior Tax Manager, serves as backup coordinator. The ISC's direct cell number for after-hours incident reporting is documented in Appendix A."

The difference is specificity. Generic language creates ambiguity about accountability. Effective accounting firm WISP templates name individuals, define backup responsibilities, and document contact information in an accessible appendix.

Risk Assessment Entry

Weak template language: "The firm recognizes that phishing emails represent a risk to client data."

Strong template language: "Threat: Phishing email targeting staff login credentials for tax software portals. Likelihood: Moderate (3/5). Impact: High (4/5). Risk Score: 12/25 (Elevated). Existing controls: Annual phishing awareness training, email filtering with anti-spam gateway. Planned mitigations: Quarterly phishing simulations beginning Q1 2026; SPF, DKIM, and DMARC with an enforcing (quarantine or reject) policy deployed by March 2026. Control owner: ISC. Next review: December 2026."

A risk entry that does not assign likelihood, impact, and control ownership is not a risk assessment — it is a list of concerns. Regulators expect the former.
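To make the scoring concrete, here is an added example (not part of the original page or any IRS template) that scores risk-register entries on the 5x5 scale used above and flags the entries that would fail review: a missing likelihood or impact rating, no control owner, no review date, an overdue review, or no controls at all. The band cut-offs (Low 1-4, Moderate 5-9, Elevated 10-15, Critical 16-25), the review date, and the sample entries are assumptions; the page only establishes that 12/25 counts as Elevated.

```python
"""Score and validate WISP risk-register entries (added example, not page code).

Scale: likelihood 1-5 x impact 1-5 = score 1-25, matching the entry above.
Band cut-offs, REVIEW_DATE and SAMPLE_REGISTER are assumptions for this example.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Upper bound of each band, inclusive. Assumed for this example.
BANDS = ((4, "Low"), (9, "Moderate"), (15, "Elevated"), (25, "Critical"))


@dataclass
class RiskEntry:
    threat: str
    likelihood: Optional[int] = None          # 1 (rare) .. 5 (almost certain)
    impact: Optional[int] = None              # 1 (negligible) .. 5 (severe)
    existing_controls: List[str] = field(default_factory=list)
    planned_mitigations: List[str] = field(default_factory=list)
    owner: Optional[str] = None               # named person or role accountable
    next_review: Optional[date] = None


def score(entry: RiskEntry) -> Optional[int]:
    """Likelihood x impact, or None when either rating is missing or out of range."""
    if entry.likelihood is None or entry.impact is None:
        return None
    if not (1 <= entry.likelihood <= 5 and 1 <= entry.impact <= 5):
        return None
    return entry.likelihood * entry.impact


def band(value: Optional[int]) -> str:
    """Map a 1-25 score to its rating band; unscored entries are 'Unrated'."""
    if value is None:
        return "Unrated"
    for upper, label in BANDS:
        if value <= upper:
            return label
    raise ValueError(f"score {value} outside 1-25")


def validate(entry: RiskEntry, today: date) -> List[str]:
    """Reasons this entry is a 'concern', not a risk-assessment entry. Empty list = passes."""
    problems: List[str] = []
    if score(entry) is None:
        problems.append("likelihood and impact must both be rated 1-5")
    if not entry.owner:
        problems.append("no control owner")
    if entry.next_review is None:
        problems.append("no review date")
    elif entry.next_review < today:
        problems.append(f"review overdue since {entry.next_review.isoformat()}")
    if not entry.existing_controls and not entry.planned_mitigations:
        problems.append("no existing controls or planned mitigations")
    return problems


def assess(register: List[RiskEntry], today: date) -> Dict[str, Tuple[Optional[int], str, List[str]]]:
    """Return {threat: (score, band, problems)}, highest-scoring risks first."""
    rows = {e.threat: (score(e), band(score(e)), validate(e, today)) for e in register}
    return dict(sorted(rows.items(), key=lambda kv: kv[1][0] or 0, reverse=True))


# Constructed sample register. The first entry mirrors the phishing example above.
REVIEW_DATE = date(2025, 12, 15)
SAMPLE_REGISTER = [
    RiskEntry(
        threat="Phishing email targeting staff logins for tax software portals",
        likelihood=3, impact=4,
        existing_controls=["Annual phishing awareness training", "Anti-spam email gateway"],
        planned_mitigations=["Quarterly phishing simulations from Q1 2026",
                             "SPF, DKIM and DMARC (enforcing policy) by March 2026"],
        owner="ISC", next_review=date(2026, 12, 1),
    ),
    RiskEntry(
        threat="Laptop theft during tax-season travel",
        likelihood=2, impact=5,
        existing_controls=["Full-disk encryption on all laptops"],
        owner="ISC", next_review=date(2025, 10, 1),   # already overdue on REVIEW_DATE
    ),
    RiskEntry(
        threat="Ransomware via email attachment",
        likelihood=2, impact=4,
        existing_controls=["Endpoint protection", "Offsite backups"],
        owner="Managing Partner", next_review=date(2026, 6, 1),
    ),
    # The 'weak template language' entry: a description with nothing attached.
    RiskEntry(threat="The firm recognizes that phishing emails represent a risk"),
]


def run_assessment() -> Dict[str, Tuple[Optional[int], str, List[str]]]:
    return assess(SAMPLE_REGISTER, REVIEW_DATE)


if __name__ == "__main__":
    for threat, (value, label, problems) in run_assessment().items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{str(value if value is not None else '-'):>3}/25 {label:<9} {threat[:48]:<48} {status}")
```

Run as written, the phishing entry scores 12/25 Elevated with no problems, the laptop entry scores 10/25 but is flagged for an overdue review, and the one-line "weak" entry is Unrated with four problems, which is exactly the distinction between a risk assessment and a list of concerns.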

Access Control Policy Language

Weak template language: "Employees should use strong passwords and not share login credentials."

Strong template language: "Each employee is assigned a unique user account with the minimum permissions required for their job function (principle of least privilege). Shared accounts are prohibited. Passwords must be a minimum of 14 characters and must not be reused across firm systems. All accounts with access to taxpayer data must authenticate using MFA via Microsoft Authenticator. Privileged accounts (administrative access) require hardware security key authentication. Account access is reviewed quarterly and immediately revoked upon employee separation."

The strong version references specific tools, sets measurable standards, and ties the policy to concrete operational processes. Vague language fails audits and gives staff no operational guidance.

Encryption Standards

Weak template language: "Client data is encrypted when stored and transmitted."

Strong template language: "All devices used to store or access taxpayer data, including laptops, desktops, and USB drives, are protected with full-disk encryption using AES-256 (BitLocker for Windows, FileVault for macOS). All data transmitted externally is encrypted in transit using TLS 1.2 or later. Client documents are shared exclusively through SmartVault (encrypted file-transfer portal). Email transmission of taxpayer data without encryption is prohibited. Encryption key management is the responsibility of the ISC; BitLocker and FileVault recovery keys are escrowed, with printed copies stored in the firm's fireproof safe documented in Appendix B."

How to Build Your Accounting Firm WISP: Step-by-Step

Step 1. Appoint Your Information Security Coordinator

Designate a named individual (not just a title) as your ISC, document their contact information and responsibilities, and name a backup designee. This person owns the WISP.

Step 2. Inventory Your Data and Systems

List every location where client data resides: tax software, email, cloud storage, local servers, backup drives, and mobile devices. Document access permissions for each system and who is authorized to use it.

Step 3. Conduct a Written Risk Assessment

For each system and data type, identify plausible threats, assign likelihood and impact scores, document existing controls, and assign mitigation actions with owners and target completion dates.

Step 4. Draft Your Security Policies

Write specific, measurable policies for access control, encryption, MFA, password management, remote access, physical security, and clean desk procedures. Use the annotated examples above as your starting point.

Step 5. Build Your Incident Response Procedure

Document your breach response steps: detection, containment, immediate contact with the IRS Stakeholder Liaison (with the firm's own internal deadline, commonly 24 to 48 hours), FTC notification within 30 days where 500 or more consumers are affected, client and state notifications, evidence preservation, and post-incident review.

Step 6. Train Your Staff and Document It

Conduct initial security awareness training and record completion in a WISP appendix. Schedule annual refreshers and quarterly phishing simulations. Maintain signed training attestations for each employee.

Step 7. Review and Update Annually

Review your WISP every year before tax season and after any security incident, system change, or staffing addition. Date and sign each version to build a documented revision history.

Common WISP Mistakes Accounting Firms Make

After reviewing dozens of WISPs from CPA firms and tax practices across the country, several patterns of failure appear with striking consistency. Avoid these mistakes when using any accounting firm WISP template example as your starting point.

Submitting an Unadapted Generic Template

The IRS provides a sample WISP (Publication 5708) through its WISP requirements guidance page, and many firms download that document and file it unchanged. A template with placeholder firm names, generic risk descriptions, and no reference to your actual systems is not a compliant WISP; it is a form. Regulators and auditors identify unadapted templates quickly. Your plan must reflect your specific firm, your real systems, and your actual staff by name.

Treating the WISP as a Filing Cabinet Artifact

A WISP written in 2022 and never reviewed does not reflect your current systems, staff, or operating environment. If your firm adopted new tax software, moved to cloud storage, hired remote employees, or changed IT vendors since the plan was last updated, your document is materially inaccurate. The FTC Safeguards Rule requires periodic review and, specifically, a review after any security incident. Build annual WISP review into your firm's pre-season calendar as a standing obligation.

Skipping the Vendor Management Section

This is the section most frequently omitted from generic accounting firm WISP templates. If your firm uses a cloud-based tax platform, a document management system, or a third-party IT provider, data flows through vendor systems that are outside your direct control. Your WISP must document how you vet vendors' security practices, what contractual provisions you require, and how you monitor ongoing compliance. Reference your cloud service providers' security certifications (SOC 2 Type II, ISO 27001:2022) directly in this section.

Vague Incident Response Timelines

Many WISPs describe incident response in imprecise terms: "The firm will notify affected parties in a timely manner." "Timely" is not a timeline. The IRS expects the Stakeholder Liaison to be contacted immediately on discovering a data theft, and the FTC Safeguards Rule sets a hard 30-day deadline for notification events affecting 500 or more consumers. Your incident response section must convert these into exact hours (24 to 48 hours for the IRS call is a defensible internal standard) and designate by name who initiates each notification.

Ignoring Physical Security

A complete WISP addresses both digital and physical security. Locked file cabinets for paper client documents, visitor access controls, clean desk policies requiring that screens be locked when workstations are unattended, and secure shredding procedures for printed tax documents are all required controls. Physical security is routinely skipped in template examples focused exclusively on software and network tools, and a WISP that is silent on it leaves an obvious gap for any reviewer.

WISP Approaches for Accounting Firms: DIY vs. Template vs. Managed

Feature                     | DIY from Scratch              | Template + Customization (Recommended) | Managed WISP Service
IRS/FTC compliance          | Varies with expertise         | High if properly adapted               | Reviewed by an expert
Time to complete            | 20–40+ staff hours            | 4–8 staff hours                        | 1–2 hours (firm input only)
Customization to your firm  | Full                          | High                                   | Full (done for you)
Annual update support       | Manual (your responsibility)  | Manual (your responsibility)           | Included with service
Written risk assessment     | Self-directed                 | Guided by template structure           | Expert-led assessment
Incident response plan      | Often missed                  | Included in template                   | Included and tested
Vendor oversight section    | Frequently omitted            | Included if template is quality        | Included with vendor review
Typical cost                | Staff time only               | Free to $200                           | $500–$2,000/year

Structuring Your WISP Around the IRS Security Six

The IRS Security Six are the six baseline protections that IRS Publication 4557 and the Security Summit recommend for every tax professional: anti-virus software, firewalls, multi-factor authentication, backup, drive encryption, and a virtual private network. Your WISP should reference each of the six by name, document the specific tools your firm uses to satisfy it, and assign a named owner for each control. This approach aligns your accounting firm WISP directly with IRS Publication 4557 and makes compliance verification straightforward during an IRS review.

Here is how each of the Security Six maps to a WISP policy section:

  1. Anti-virus software: Name the specific endpoint protection product deployed on all firm workstations and laptops, how it is updated, and who monitors alerts. Reference your device inventory as supporting documentation.
  2. Firewalls: Document the firewall protecting your office network and any remote access gateway. Reference configuration standards and your annual review schedule. Our guide on firewall setup for tax offices provides the technical baseline.
  3. Multi-factor authentication: Specify which systems require MFA, which MFA method is applied (authenticator app or hardware key is preferred over SMS), and who manages account provisioning and deprovisioning. Reference the MFA requirements for tax professionals directly.
  4. Backup and recovery: Define backup schedule, storage location (offsite or cloud), and your recovery time objective (RTO). Our guide on tax data backup planning covers recommended architectures for firms of all sizes.
  5. Drive encryption: Name the encryption tool on every firm device. For Windows laptops, this is typically BitLocker; for macOS devices, FileVault. Document key storage location and the recovery procedure if a device is lost.
  6. Virtual private network (VPN): Document that remote access to firm systems goes only through a firm-managed VPN, who administers it, which accounts are permitted to use it, and how it is tied to MFA. Our guide on VPN requirements for tax professionals covers configuration.

Phishing awareness training is not one of the Security Six, but the Safeguards Rule requires security awareness training and Publication 4557 emphasizes it, so document training frequency, delivery method, quarterly phishing simulation results, and a completion log in your WISP appendix alongside the six items above.

A WISP that addresses each of the Security Six by name — rather than describing controls in abstract terms — gives you a defensible, auditable document that maps directly to what the IRS expects to see during a compliance review.

What a Professional WISP Service Covers

IRS-Compliant WISP Drafting

Your WISP is drafted using your actual systems, staff names, and risk profile — no generic placeholders that fail compliance review.

Written Risk Assessment

A thorough risk assessment using NIST SP 800-171 control families, documented to meet the FTC Safeguards Rule written assessment requirement.

Incident Response Plan

An IRS-compliant breach notification procedure with exact timelines, named contacts, escalation paths, and IRS Stakeholder Liaison notification steps.

Staff Security Training

Phishing awareness training with attendance records and completion documentation to satisfy the training requirements in the FTC Safeguards Rule and IRS Publication 4557.

Annual WISP Reviews

WISP reviewed and updated every year — and after any security incident — to keep your documentation current and aligned with evolving IRS guidance.

Vendor Security Review

Evaluation of your tax software providers and cloud vendors against FTC Safeguards Rule vendor management and contractual requirements.

Operationalizing Your WISP: From Document to Practice

A WISP is a living document, not a filing cabinet artifact. Both the FTC Safeguards Rule and IRS guidance require that your security program be implemented, not merely written. Here is how to operationalize the key sections of your accounting firm WISP after the document is complete.

Build Access Controls Into Your Systems

Rather than relying on policy reminders, embed access control into your technology stack. Configure tax software and cloud storage to require MFA at every login. Use group policy or mobile device management (MDM) to enforce password complexity and automatic screen-lock timeouts on all firm devices. Set up automated account deprovisioning workflows so that when an employee's termination is processed in HR, their system access is revoked at the same time — not days later. See our guide on business network security for professional firms for configuration references.
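As an added example of the reconciliation that the access-control language earlier on this page calls for (quarterly review, immediate revocation on separation, no shared accounts, approved MFA methods, hardware keys for privileged accounts) and that this section says to automate, the script below compares a system's user export against the HR roster and lists every account that violates the policy. It is not from the page or from any vendor. Both CSV inputs are constructed sample data; real exports from tax software or Microsoft 365 use different column names, so adjust the field names in review_access(), and the 90-day dormancy threshold is an assumption.

```python
"""Quarterly access review: reconcile a user export with the HR roster.

Added example, not page or vendor code. HR_ROSTER and USER_EXPORT are
constructed sample data in CSV form; real exports use different columns.
"""
import csv
import io
from datetime import date, timedelta
from typing import Dict, List, Tuple

HR_ROSTER = """\
employee_id,name,status,separation_date
101,Jane Smith,active,
102,John Doe,active,
103,Pat Lee,separated,2025-11-14
"""

USER_EXPORT = """\
username,employee_id,privileged,mfa_method,last_login
jsmith,101,yes,hardware_key,2025-12-01
jdoe,102,no,authenticator_app,2025-12-02
plee,103,no,authenticator_app,2025-11-10
frontdesk,,no,sms,2025-12-02
jsmith-admin,101,yes,authenticator_app,2025-09-01
"""

# Policy parameters taken from the access-control language on this page;
# the 90-day dormancy threshold and REVIEW_DATE are assumptions for the example.
APPROVED_MFA = {"authenticator_app", "hardware_key"}
PRIVILEGED_MFA = "hardware_key"
DORMANT_AFTER = timedelta(days=90)
REVIEW_DATE = date(2025, 12, 15)


def parse_csv(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def review_access(roster_csv: str, users_csv: str, today: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs; an empty list means every account passes."""
    roster = {r["employee_id"]: r for r in parse_csv(roster_csv)}
    findings: List[Tuple[str, str]] = []
    for u in parse_csv(users_csv):
        name = u["username"]
        owner = roster.get(u["employee_id"])
        if owner is None:
            # No HR record behind the login: a shared or orphaned account.
            findings.append((name, "no HR owner: shared or orphaned account, disable or assign"))
        elif owner["status"] == "separated":
            findings.append((name, f"owner separated {owner['separation_date']}: revoke immediately"))
        if u["mfa_method"] not in APPROVED_MFA:
            findings.append((name, f"MFA method '{u['mfa_method']}' not approved for taxpayer data"))
        if u["privileged"] == "yes" and u["mfa_method"] != PRIVILEGED_MFA:
            findings.append((name, "privileged account without hardware security key"))
        if today - date.fromisoformat(u["last_login"]) > DORMANT_AFTER:
            findings.append((name, f"no login since {u['last_login']}: disable pending confirmation"))
    return findings


def run_review() -> Dict[str, List[str]]:
    """Group findings by account for the constructed sample data."""
    grouped: Dict[str, List[str]] = {}
    for name, finding in review_access(HR_ROSTER, USER_EXPORT, REVIEW_DATE):
        grouped.setdefault(name, []).append(finding)
    return grouped


if __name__ == "__main__":
    for name, items in run_review().items():
        for item in items:
            print(f"{name:<14} {item}")
```

On the sample data the two compliant accounts produce nothing, while plee (separated a month ago, still enabled), frontdesk (no HR owner, SMS-only MFA) and jsmith-admin (privileged without a hardware key, no login in over 90 days) are each listed with the action the policy requires. Keeping the output, signed and dated, in the WISP appendix is the evidence of the quarterly review.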

Document Every Training Event

The IRS expects training records on request. Use a learning management system (LMS) or even a signed paper attendance sheet to document who completed training, what topics were covered, and the date. For phishing simulations, document click rates and the remediation steps taken with employees who failed the test. These records belong in your WISP appendix and should be updated after every training event. During an IRS review, training records are among the first supporting documents requested.

Remote Work Requires Explicit Policy

If any staff access taxpayer data outside the office — including seasonal employees working from home — your WISP must address remote security explicitly. Require all remote access to firm systems to occur through a firm-managed virtual private network (VPN). Personal devices used for work must meet the same security standards as firm-owned devices: full-disk encryption, MFA, and current patch levels. Review our guide on VPN requirements for tax professionals for recommended configurations you can reference directly in your policy section.

Treat Annual Review as a Billable Deadline

Schedule your WISP annual review as a recurring calendar event every November — before peak tax season. Use the review session to verify that all staff names, system inventories, and vendor lists are current; that any incidents from the prior year have been documented and addressed; and that new IRS or FTC guidance has been incorporated. Each completed review should produce a new signed version of the WISP with a dated revision history entry in the cover page.

Get a Free Accounting Firm WISP Review

Our cybersecurity specialists will review your existing WISP — or build one from scratch — to ensure your accounting firm meets IRS Publication 4557 and FTC Safeguards Rule requirements. No generic templates, no placeholders.

Frequently Asked Questions: Accounting Firm WISP Templates

Does every tax preparer or accounting firm need a WISP?

Yes. Under the FTC Safeguards Rule implementing the Gramm-Leach-Bliley Act (GLBA), any entity that prepares tax returns or provides financial services to consumers is classified as a "financial institution" and must maintain a Written Information Security Plan. IRS Publication 4557 reinforces this requirement for all tax preparers holding a Preparer Tax Identification Number (PTIN), regardless of firm size or the number of returns prepared annually.

Can I use the IRS sample WISP as-is?

No. The IRS sample WISP (Publication 5708) is a structural framework, not a compliant plan on its own. A compliant WISP must name your specific firm, identify your Information Security Coordinator by name, inventory your actual systems, and document controls tied to your real operating environment. An unadapted template produced during an IRS review does not demonstrate that any security program exists, which is the point of the requirement.

How long should a WISP be?

There is no mandated page count. A solo practitioner's WISP may run 8–12 pages; a multi-partner CPA firm's may be 25–40 pages including appendices. Length matters far less than specificity. A 10-page WISP with named individuals, specific tools, and a documented risk assessment is more defensible than a 30-page document of generic policies that do not reflect your actual firm.

How often must a WISP be reviewed?

The FTC Safeguards Rule requires periodic review, and the IRS recommends at minimum an annual review. You must also review and update your WISP after any security incident, after significant changes to your systems or staffing, and when new regulatory guidance is published. Date and sign each updated version to maintain a documented revision history that demonstrates ongoing compliance.

What happens if my firm does not have a WISP?

Consequences include FTC enforcement actions and civil penalties, IRS suspension of e-filing privileges (EFIN suspension), and significantly increased liability in client lawsuits following a data breach. State regulators can also impose fines under laws like Massachusetts 201 CMR 17.00 or the New York SHIELD Act. Beyond regulatory penalties, operating without a WISP means you have no documented incident response procedure, which typically makes a breach substantially more damaging and expensive to resolve.

Does my WISP need to address remote work?

Yes. If any staff access taxpayer data outside the firm's physical office, including work-from-home arrangements, seasonal remote workers, or mobile access from a tablet, your WISP must address remote security controls. This includes VPN requirements, device security standards for personal devices used for work, and MFA on all remote access points. The FTC Safeguards Rule does not distinguish between office and remote environments.

What is the difference between a WISP and an incident response plan?

A WISP is the overarching security program document covering all aspects of your firm's data protection practices: risk assessment, access controls, encryption, training, vendor management, and incident response. An incident response plan is a specific section within, or a detailed supplement to, your WISP that documents step-by-step procedures for detecting, containing, and reporting a breach. Both the Safeguards Rule and IRS Publication 4557 expect incident response procedures to be part of your written program; some firms create a standalone tactical runbook and reference it from the WISP by title and location.

Do I have to share my WISP with clients or the IRS?

You are not required to proactively share your WISP with clients or submit it to the IRS under normal circumstances. However, you must be able to produce it upon request during an IRS audit, FTC investigation, or in response to a data breach inquiry. Enterprise clients and financial institutions may also request evidence of your written security program as part of their own vendor due diligence, a practice that is becoming more common as supply chain security scrutiny increases.

Does a WISP affect cyber insurance?

Many cyber insurance carriers now require accounting firms to demonstrate a documented security program, including a WISP, as a condition of coverage or to qualify for lower premiums. During the claims process following a breach, insurers review your WISP to assess whether you maintained reasonable security controls before the incident. A current, well-documented WISP can be the difference between a paid claim and a denied one.

How do GLBA, the FTC Safeguards Rule, and the WISP fit together?

The Gramm-Leach-Bliley Act (GLBA) is the federal statute that requires financial institutions, including tax preparers, to protect consumer financial data. The FTC Safeguards Rule is the implementing regulation that specifies how firms must comply, including the requirement for a written information security program. Your WISP is the document that demonstrates your compliance with the Safeguards Rule. The IRS independently enforces the WISP requirement through Publication 4557, citing the FTC Safeguards Rule as the underlying authority.
