
What Is a WISP and Why Every Accounting Firm Needs One
A Written Information Security Plan (WISP) is a formal, documented policy that defines how your accounting firm collects, stores, accesses, and protects client data. Under IRS Publication 4557 and the Federal Trade Commission's (FTC) Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, every tax preparer and accounting firm handling client financial data must maintain a written security plan — regardless of firm size or annual return volume.
Accounting firms are high-value targets. A single client tax file contains a Social Security number, bank account details, income history, and often business financials spanning multiple years. The professional services sector saw a 30% increase in ransomware incidents between 2023 and 2025, according to the Verizon 2025 Data Breach Investigations Report (DBIR). IRS data shows that tax professionals reported over 1,000 data theft incidents in the 2024 filing season alone — a figure that excludes unreported breaches.
Despite clear legal mandates and well-documented threat patterns, many firms still operate without an IRS-compliant WISP — or they maintain a generic document that has not been reviewed since it was first created. This guide walks through real accounting firm WISP template examples with annotated section breakdowns, a complete list of required components, and a practical implementation framework so your firm is protected and compliant in 2026.
Accounting Firm Cybersecurity: By The Numbers
- Increase in ransomware incidents targeting professional services firms, 2023–2025 (Verizon 2025 DBIR)
- IRS-reported data theft incidents during the 2024 filing season
- Global average cost of a data breach in 2024 (IBM Cost of a Data Breach Report)
The Legal Basis for the WISP Requirement
Three overlapping legal frameworks require accounting firms to maintain a WISP. Understanding each one shapes how your document must be structured.
IRS Publication 4557 and the FTC Safeguards Rule
IRS Publication 4557, titled Safeguarding Taxpayer Data, is the IRS's primary guidance document for tax professionals. It explicitly states that all tax preparers must create and maintain a WISP that identifies risks to client data and describes controls to mitigate those risks. The Publication references the FTC Safeguards Rule — the implementing regulation for GLBA — as the statutory authority.
Under the updated FTC Safeguards Rule (effective June 2023), any "financial institution" subject to GLBA — a category that includes tax return preparers — must implement a written information security program. Key mandates include:
- Designating a qualified individual responsible for overseeing the security program
- Conducting and documenting a written risk assessment
- Implementing access controls and encryption for all customer financial data
- Providing security awareness training for all staff with access to client data
- Testing and monitoring the effectiveness of implemented security controls
- Establishing an incident response plan with defined notification timelines
- Requiring service providers to maintain appropriate data safeguards contractually
NIST SP 800-171 as a Structural Framework
While NIST Special Publication 800-171 is technically written for contractors handling Controlled Unclassified Information (CUI), its 110 security requirements serve as an excellent structural framework for an accounting firm WISP. Many IRS-recommended WISP templates align closely with NIST SP 800-171 control families, including access control, audit and accountability, incident response, and system and communications protection. Aligning your WISP to this framework also positions your firm well if enterprise clients begin requesting proof of security program maturity.
State-Level Obligations
Beyond federal requirements, many states impose additional obligations. Massachusetts 201 CMR 17.00, New York's SHIELD Act, and California's CCPA all require financial service providers — including CPAs and enrolled agents — to maintain written security programs. Your WISP must account for the states where your clients reside, not just where your firm is domiciled. A compliant accounting firm WISP template addresses this by including a jurisdiction checklist in an appendix.
IRS Enforcement Is Active — Do Not Wait for an Incident
The IRS actively refers non-compliant tax professionals to the FTC for Safeguards Rule violations. FTC penalties for GLBA non-compliance can reach $100,000 per violation, with individual officers facing fines up to $10,000. Firms without a WISP also risk PTIN suspension, which effectively halts tax practice operations. A documented, firm-specific WISP is your first line of defense against regulatory action.
Required Sections in Every Accounting Firm WISP
The IRS and FTC do not prescribe a specific page format, but they do specify what a WISP must address. The sections below represent the required baseline for any accounting firm WISP template. Each section must reflect your specific firm — not generic placeholder language.
Firm Identification and Designated Security Coordinator
Your WISP must identify your firm by legal name and designate a specific individual — not just a job title — as the Information Security Coordinator (ISC). This person is accountable for maintaining the WISP, coordinating training, and managing incident response. For solo practitioners, the ISC is typically the preparer. For larger firms, it is usually a managing partner with direct authority over IT decisions. Name a backup designee as well.
Inventory of Data and Systems
You cannot protect what you have not identified. Your WISP must document every system where client data lives: tax software (Drake, Lacerte, UltraTax CS, ProSeries), cloud storage, email platforms, local servers, backup drives, and mobile devices. For each system, identify who has access, under what conditions, and from which locations. This inventory becomes the foundation for your risk assessment and directly feeds your access control policies.
Written Risk Assessment
The FTC Safeguards Rule explicitly requires a written risk assessment — not a verbal one, not a checklist. Your assessment must identify reasonably foreseeable internal and external threats, evaluate likelihood and impact, document existing controls, and assign mitigation tasks with owners and deadlines. Threats specific to accounting firms include phishing campaigns targeting tax professionals, ransomware delivered through email attachments, credential stuffing against tax software portals, and physical theft of laptops during tax season travel. Each identified risk needs a risk score, not just a description.
Access Controls and Authentication
This section defines who can access client data and under what conditions. At minimum, your WISP must specify unique user accounts for each employee (no shared logins), strong password policies, and mandatory multi-factor authentication (MFA) for all systems that access taxpayer data. MFA is an IRS Security Six requirement and must be reflected explicitly in this section. Role-based access control (RBAC) — where employees can only view the client records relevant to their job function — should also be documented here.
Data Encryption Standards
All taxpayer data must be encrypted both in transit and at rest. Your WISP should name the specific encryption tools in use: full-disk encryption (BitLocker for Windows, FileVault for macOS) on all laptops and workstations, AES-256 for stored data, and TLS 1.3 for data in transit. It must also specify that client documents are shared only through an encrypted file-transfer portal — never through unencrypted email. Review the detailed requirements in our guide on tax document encryption requirements and cite those standards directly in your WISP.
Employee Security Training
Your WISP must document your security awareness training program: frequency (at minimum annually, with additional sessions after incidents), topics covered, delivery method, and how you verify and record completion. Required topics include phishing identification, password hygiene, safe data handling, clean desk procedures, and incident reporting. Training records belong in a WISP appendix and must be available upon regulatory request. See our resource on security awareness training for tax firms for a structured curriculum you can adapt directly.
Incident Response Procedure
When a breach occurs, your firm needs a documented response sequence. The IRS requires notification to its Stakeholder Liaison within 24 to 48 hours of discovering a data theft. Your WISP must specify exact timelines, designate who makes each notification call, and outline the steps for containing the breach, preserving evidence, and restoring operations.
Service Provider and Vendor Oversight
If your firm uses third-party vendors — tax software platforms, cloud backup services, document management systems, or outsourced IT support — your WISP must document how you vet those vendors' security practices and what contractual data protection provisions you require. This is the section most commonly omitted from generic accounting firm WISP templates, and its absence is a primary finding in FTC enforcement reviews. Reference your cloud service providers' security certifications (SOC 2 Type II, ISO 27001:2022) directly in this section.
Accounting Firm WISP Compliance Checklist
- Designate a named Information Security Coordinator (ISC) with a named backup
- Complete and document a written inventory of all systems storing taxpayer data
- Conduct and document a formal written risk assessment with likelihood and impact scores
- Implement and document role-based access controls and unique user accounts
- Enable multi-factor authentication (MFA) on all systems accessing taxpayer data
- Document full-disk encryption on all firm laptops, desktops, and portable drives
- Establish an encrypted client portal for document sharing — prohibit unencrypted email transfers
- Document annual security awareness training with completion records in WISP appendix
- Write an incident response procedure with exact IRS notification timelines (24–48 hours)
- Add a vendor management section naming all third-party service providers and their security certifications
- Address physical security: locked cabinets, clean desk policy, secure shredding
- Include a jurisdiction appendix covering state-level obligations for your client base
- Schedule annual WISP review every November before peak filing season
Accounting Firm WISP Template Examples: Annotated Section Breakdowns
Reviewing real accounting firm WISP template examples reveals a consistent gap between weak, compliance-theater documents and plans that would survive a regulatory review. The comparisons below show what separates the two — and what regulators actually expect to see.
Designating the Information Security Coordinator
Weak template language: "The firm will designate a person responsible for information security."
Strong template language: "Jane Smith, Managing Partner, is designated as the Information Security Coordinator (ISC) for [Firm Name]. The ISC is responsible for maintaining this WISP, coordinating annual security reviews, overseeing employee training, and managing the firm's response to any data security incidents. In the ISC's absence, John Doe, Senior Tax Manager, serves as backup coordinator. The ISC's direct cell number for after-hours incident reporting is documented in Appendix A."
The difference is specificity. Generic language creates ambiguity about accountability. Effective accounting firm WISP templates name individuals, define backup responsibilities, and document contact information in an accessible appendix.
Risk Assessment Entry
Weak template language: "The firm recognizes that phishing emails represent a risk to client data."
Strong template language: "Threat: Phishing email targeting staff login credentials for tax software portals. Likelihood: High (3/5). Impact: High (4/5). Risk Score: 12/25 — Elevated. Existing controls: Annual phishing awareness training, email filtering with anti-spam gateway. Planned mitigations: Quarterly phishing simulations beginning Q1 2026, deployment of DMARC/DKIM/SPF email authentication by March 2026. Control owner: ISC. Next review: December 2026."
A risk entry that does not assign likelihood, impact, and control ownership is not a risk assessment — it is a list of concerns. Regulators expect the former.
Access Control Policy Language
Weak template language: "Employees should use strong passwords and not share login credentials."
Strong template language: "Each employee is assigned a unique user account with the minimum permissions required for their job function (principle of least privilege). Shared accounts are prohibited. Passwords must be a minimum of 14 characters and must not be reused across firm systems. All accounts with access to taxpayer data must authenticate using MFA via Microsoft Authenticator. Privileged accounts (administrative access) require hardware security key authentication. Account access is reviewed quarterly and immediately revoked upon employee separation."
The strong version references specific tools, sets measurable standards, and ties the policy to concrete operational processes. Vague language fails audits and gives staff no operational guidance.
Encryption Standards
Weak template language: "Client data is encrypted when stored and transmitted."
Strong template language: "All devices used to store or access taxpayer data — including laptops, desktops, and USB drives — are protected with full-disk encryption using AES-256 (BitLocker for Windows, FileVault for macOS). All data transmitted externally is encrypted in transit using TLS 1.3 or higher. Client documents are shared exclusively through SmartVault (encrypted file-transfer portal). Email transmission of taxpayer data without encryption is prohibited. Encryption key management is the responsibility of the ISC, with backup keys stored in the firm's physical fireproof safe documented in Appendix B."
How to Build Your Accounting Firm WISP: Step-by-Step
Inventory All Systems and Data Flows
List every platform, device, and application that touches taxpayer data — tax software, cloud storage, email, mobile devices, and backup systems. Assign a data classification level to each.
Designate Your Information Security Coordinator
Name a specific individual (not just a title) as ISC and a named backup. Document their contact information in the WISP appendix for after-hours incident response.
Conduct a Written Risk Assessment
For each identified threat, assign a likelihood score (1–5), impact score (1–5), and a risk score. Document existing controls and assign mitigation tasks with owners and deadlines.
Draft Each Required Policy Section
Write access control, encryption, training, incident response, vendor management, and physical security sections using your actual systems, tools, and staff names — not generic placeholders.
Align to the IRS Security Six
Map each of the six baseline controls (anti-virus, firewall, MFA, drive encryption, backup, phishing training) to specific policy sections, named tools, and named owners.
Review for State-Level Requirements
Add a jurisdiction appendix covering any state-specific obligations (MA 201 CMR 17.00, NY SHIELD Act, CA CCPA) applicable to your client base.
Sign, Date, and Schedule Annual Review
Have the ISC and firm principal sign the finalized WISP. Set a recurring November calendar event for annual review. Store the signed document in a secure, accessible location.
Common WISP Mistakes Accounting Firms Make
After reviewing dozens of WISPs from CPA firms and tax practices across the country, several patterns of failure appear with striking consistency. Avoid these mistakes when using any accounting firm WISP template example as your starting point.
Submitting an Unadapted Generic Template
The IRS provides a sample WISP through its IRS Publication 5708 guidance page, and many firms download that document and file it unchanged. A template with placeholder firm names, generic risk descriptions, and no reference to your actual systems is not a compliant WISP — it is a form. Regulators and auditors identify unadapted templates quickly. Your plan must reflect your specific firm, your real systems, and your actual staff by name.
Treating the WISP as a Filing Cabinet Artifact
A WISP written in 2022 and never reviewed does not reflect your current systems, staff, or operating environment. If your firm adopted new tax software, moved to cloud storage, hired remote employees, or changed IT vendors since the plan was last updated, your document is materially inaccurate. The FTC Safeguards Rule requires periodic review and, specifically, a review after any security incident. Build annual WISP review into your firm's pre-season calendar as a standing obligation.
Skipping the Vendor Management Section
If your firm uses a cloud-based tax platform, a document management system, or a third-party IT provider, data flows through vendor systems that are outside your direct control. Your WISP must document how you vet vendors' security practices, what contractual provisions you require, and how you monitor ongoing compliance. Reference your cloud service providers' security certifications (SOC 2 Type II, ISO 27001:2022) directly in this section. This is the section most frequently omitted — and most frequently cited in FTC enforcement reviews.
Vague Incident Response Timelines
Many WISPs describe incident response in imprecise terms: "The firm will notify affected parties in a timely manner." The IRS requires notification to its Stakeholder Liaison within 24 to 48 hours of discovering a data theft. "Timely" is not a timeline. Your incident response section must specify exact hours and designate by name who initiates the IRS notification call. For a deeper look at building out this section, our ransomware protection guide for tax practices covers containment and notification workflows in detail.
Ignoring Physical Security
A complete WISP addresses both digital and physical security. Locked file cabinets for paper client documents, visitor access controls, clean desk policies requiring that screens be locked when workstations are unattended, and secure shredding procedures for printed tax documents are all required controls. Physical security is routinely skipped in template examples focused exclusively on software and network tools — and it is a consistent finding in IRS compliance reviews.
Structuring Your WISP Around the IRS Security Six
The IRS Security Six are the six baseline security measures every tax professional must implement. Your WISP should explicitly reference each by name, document the specific tools your firm uses to satisfy each requirement, and assign a named owner for each control. This approach aligns your accounting firm WISP directly with IRS WISP requirements and makes compliance verification straightforward during an IRS review.
Here is how each of the Security Six maps to a WISP policy section:
- Anti-virus software: Name the specific endpoint protection product deployed on all firm workstations and laptops, how it is updated, and who monitors alerts. Reference your device inventory as supporting documentation. Our guide on antivirus for tax professionals covers the right product categories to reference.
- Firewalls: Document the firewall protecting your office network and any remote access gateway. Reference configuration standards and your annual review schedule. Our guide on firewall setup for tax offices provides the technical baseline.
- Multi-factor authentication: Specify which systems require MFA, which MFA method is applied (authenticator app is preferred over SMS), and who manages account provisioning and deprovisioning.
- Drive encryption: Name the encryption tool on every firm device. For Windows laptops, this is typically BitLocker; for macOS devices, FileVault. Document key storage location and the recovery procedure if a device is lost.
- Backup and recovery: Define backup schedule, storage location (offsite or cloud), and your recovery time objective (RTO). The ransomware protection guide covers recommended backup architectures for firms of all sizes.
- Phishing awareness training: Document training frequency, delivery method, and quarterly phishing simulation results. Include a log of completion dates in your WISP appendix.
A WISP that addresses each of the Security Six by name — rather than describing controls in abstract terms — gives you a defensible, auditable document that maps directly to what the IRS expects to see during a compliance review.
Bottom Line
An accounting firm WISP is only as strong as its specificity. Generic templates with placeholder language, missing vendor sections, or absent risk scores are treated as non-compliant by IRS and FTC reviewers. Every section must reference your actual systems, your named staff, and your real operational procedures — not what a hypothetical firm might do.
Operationalizing Your WISP: From Document to Practice
A WISP is a living document, not a filing cabinet artifact. Both the FTC Safeguards Rule and IRS guidance require that your security program be implemented, not merely written. Here is how to operationalize the key sections of your accounting firm WISP after the document is complete.
Build Access Controls Into Your Systems
Rather than relying on policy reminders, embed access control into your technology stack. Configure tax software and cloud storage to require MFA at every login. Use group policy or mobile device management (MDM) to enforce password complexity and automatic screen-lock timeouts on all firm devices. Set up automated account deprovisioning workflows so that when an employee's termination is processed in HR, their system access is revoked at the same time — not days later. Our WISP implementation guide covers configuration specifics for common tax software platforms.
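The quarterly access review and same-day deprovisioning described above reduce to one check: reconcile the HR roster against the account export from every system in the data inventory. The script below is an added example, not code from the article or from any vendor it names; the roster, the account exports, the field names and the one-day deprovisioning window are constructed assumptions.

```python
"""Quarterly access review for a WISP access-control section.

Reconciles the HR roster against account exports from each system that
holds taxpayer data and flags what the policy prohibits: accounts still
active after separation, logins after the separation date, shared
accounts with no named owner, and accounts without MFA.

Added example; all data below is constructed and the field names and
deprovisioning window are assumptions, not values the article prescribes.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Employee:
    name: str
    separated_on: Optional[date] = None  # None means still employed


@dataclass(frozen=True)
class Account:
    system: str                 # system from the data inventory
    username: str
    owner: Optional[str]        # HR name the account maps to; None = no person
    mfa_enabled: bool
    privileged: bool = False
    last_login: Optional[date] = None


@dataclass(frozen=True)
class Finding:
    system: str
    username: str
    issue: str


# Constructed HR roster (placeholder names).
ROSTER = [
    Employee("Jane Smith"),
    Employee("John Doe"),
    Employee("Pat Lee", separated_on=date(2026, 1, 9)),
]

# Constructed account exports from two inventoried systems.
ACCOUNTS = [
    Account("TaxSoftware", "jsmith", "Jane Smith", mfa_enabled=True, privileged=True),
    Account("TaxSoftware", "jdoe", "John Doe", mfa_enabled=True),
    Account("TaxSoftware", "plee", "Pat Lee", mfa_enabled=True,
            last_login=date(2026, 1, 14)),
    Account("TaxSoftware", "frontdesk", None, mfa_enabled=False),
    Account("CloudStorage", "jane.smith", "Jane Smith", mfa_enabled=False),
    Account("CloudStorage", "jdoe", "John Doe", mfa_enabled=True),
]

# Date the review is run (constructed).
REVIEW_DATE = date(2026, 1, 20)


def review_access(roster: List[Employee], accounts: List[Account],
                  as_of: date, deprovision_days: int = 1) -> List[Finding]:
    """Return every policy deviation found in the account exports."""
    by_name = {e.name: e for e in roster}
    findings: List[Finding] = []
    seen_owners = set()
    for acct in accounts:
        if acct.owner is None:
            findings.append(Finding(acct.system, acct.username,
                                    "no named owner (shared account prohibited)"))
        elif acct.owner not in by_name:
            findings.append(Finding(acct.system, acct.username, "owner not on HR roster"))
        else:
            seen_owners.add(acct.owner)
            sep = by_name[acct.owner].separated_on
            if sep is not None:
                days = (as_of - sep).days
                if days > deprovision_days:
                    findings.append(Finding(acct.system, acct.username,
                                            f"active {days} days after separation"))
                if acct.last_login is not None and acct.last_login > sep:
                    findings.append(Finding(acct.system, acct.username,
                                            "login recorded after separation date"))
        if not acct.mfa_enabled:
            findings.append(Finding(acct.system, acct.username, "MFA not enabled"))
    # An active employee absent from every export suggests a system missing
    # from the inventory, which the review should also surface.
    for emp in roster:
        if emp.separated_on is None and emp.name not in seen_owners:
            findings.append(Finding("*", emp.name, "active employee with no accounts in any export"))
    return findings


if __name__ == "__main__":
    for f in review_access(ROSTER, ACCOUNTS, REVIEW_DATE):
        print(f"{f.system:12} {f.username:12} {f.issue}")
```

Each finding maps to a named policy clause, so the printed list can be filed as the quarterly review record in the WISP appendix.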
Document Every Training Event
The IRS expects training records on request. Use a learning management system (LMS) or even a signed paper attendance sheet to document who completed training, what topics were covered, and the date. For phishing simulations, document click rates and the remediation steps taken with employees who failed the test. These records belong in your WISP appendix and should be updated after every training event. During an IRS review, training records are among the first supporting documents requested.
Remote Work Requires Explicit Policy
If any staff access taxpayer data outside the office — including seasonal employees working from home — your WISP must address remote security explicitly. Require all remote access to firm systems to occur through a firm-managed virtual private network (VPN). Personal devices used for work must meet the same security standards as firm-owned devices: full-disk encryption, MFA, and current patch levels. Our guide on how to choose a VPN covers recommended configurations you can reference directly in your policy section.
Use a Secure Client Portal for Document Exchange
Every accounting firm WISP should document the specific platform used for client document exchange. Exchanging tax documents through standard email — even with a PDF password — does not meet the encryption requirements of the FTC Safeguards Rule. A dedicated secure client portal for tax practices provides end-to-end encryption, access logging, and audit trails your WISP can reference directly. Platforms offering SOC 2 Type II certification are preferred and should be named in your vendor management section.
Treat Annual Review as a Billable Deadline
Schedule your WISP annual review as a recurring calendar event every November — before peak tax season. Use the review session to verify that all staff names, system inventories, and vendor lists are current; that any incidents from the prior year have been documented and addressed; and that new IRS or FTC guidance has been incorporated. Each completed review should produce a new signed version of the WISP with a dated revision history entry on the cover page. Also review your firm's overall cybersecurity posture at the same time to catch gaps that the WISP review may surface.
Related Tax Security Resources
A WISP does not exist in isolation. The following resources address the specific technical controls your WISP will reference — use them to build out the supporting documentation that regulators expect to see alongside the plan itself.
- PTIN and WISP requirements for tax preparers — how your PTIN status connects to WISP compliance obligations
- IRS WISP example walkthrough — annotated breakdown of the IRS's own sample document and its limitations
- FTC Safeguards Rule for tax preparers — the full regulatory text translated for accounting firm compliance
- Cyberattacks on tax firms — real incident patterns to use when building your risk assessment threat list
- How to create a WISP — step-by-step build process with section templates
- All-in-one compliance package for tax firms — WISP, incident response plan, and security policy bundle
Frequently Asked Questions: Accounting Firm WISP Templates
Yes. Under IRS Publication 4557 and the FTC's GLBA Safeguards Rule, all tax preparers and accounting firms handling client financial data are required to maintain a written information security plan — regardless of firm size, number of employees, or annual return volume. Solo practitioners are subject to the same requirement as multi-partner firms.
No. The IRS sample WISP (published in IRS Publication 5708) is a starting point, not a finished document. Filing an unadapted template with placeholder firm names and generic risk descriptions does not constitute a compliant WISP. Every section must reflect your specific firm — actual staff names, real systems, current vendors, and site-specific risk assessments. Regulators identify unadapted templates quickly during reviews.
There is no prescribed page count. A thorough WISP for a small firm typically runs 15–25 pages including appendices. Larger firms with complex IT environments, multiple locations, or remote staff may require 30–50 pages. The goal is completeness, not length — every required section must be present and specific. A five-page WISP with vague language is less defensible than a 20-page document with named individuals, specific tools, and scored risk assessments.
The FTC Safeguards Rule requires a periodic review of your security program and a review after any security incident. In practice, this means at minimum once per year. Bellator Cyber Guard recommends scheduling your annual review every November, before peak filing season. You must also update the WISP any time you add new staff, adopt new technology, change vendors, or experience a data security event.
Non-compliant firms face multiple consequences. The IRS can refer cases to the FTC for GLBA Safeguards Rule violations, which carry civil penalties up to $100,000 per violation. Individual firm officers can face personal fines up to $10,000. Repeated violations can result in PTIN suspension — which ends your ability to file returns legally. Beyond regulatory penalties, firms without a WISP are also significantly more vulnerable to cyberattacks, and cyber insurers increasingly require documented security programs as a condition of coverage.
Yes. If any staff member accesses taxpayer data outside the office — including seasonal employees working from home — your WISP must explicitly address remote security. This includes a VPN requirement, device security standards for personal devices used for work (full-disk encryption, MFA, current patches), and a policy on which systems may be accessed remotely. A WISP that does not address remote access does not reflect your firm's actual operating environment and is considered incomplete.
A WISP is a broad security governance document that covers your entire information security program — risk assessment, access controls, encryption, training, vendor management, and more. An incident response plan (IRP) is a specific operational runbook that defines exactly what your firm does when a breach occurs: who to call, in what order, within what timeframes, and how to contain and recover. The IRS requires both. Your WISP should include an incident response section, and many firms maintain a separate, more detailed IRP as an appendix to their WISP.
No. Your WISP is an internal document — you are not required to file it with the IRS or share it with clients. However, you must be able to produce it on request during an IRS compliance review or FTC investigation. Keep a signed, dated copy in a secure, accessible location. Some enterprise clients may also request evidence of your security program as part of their vendor due diligence process, in which case a summary version or attestation letter may be appropriate.
Increasingly, yes. Most cyber insurance carriers now include a written information security plan as a condition of coverage in their application questionnaires. Firms without a WISP may be denied coverage, charged higher premiums, or face claim denial after an incident on the grounds that they failed to maintain required security controls. A well-documented, firm-specific WISP also demonstrates security program maturity, which can reduce premiums and strengthen your negotiating position at renewal.
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions — a category that includes tax return preparers under FTC interpretation — to protect client financial data. The FTC Safeguards Rule is the implementing regulation that specifies exactly how that protection must be documented and maintained. A WISP is the written security program that the Safeguards Rule mandates. IRS Publication 4557 translates these FTC requirements into practical guidance for tax professionals. All three documents reinforce the same underlying obligation: your firm must have a written, implemented, and annually reviewed security plan.