
What Is a WISP and Why Every Accounting Firm Needs One
A Written Information Security Plan (WISP) is a formal, documented policy that defines how your accounting firm collects, stores, accesses, and protects client data. Under IRS Publication 4557 and the Federal Trade Commission's (FTC) Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, every tax preparer and accounting firm handling client financial data must maintain a written security plan — regardless of firm size or annual return volume.
Accounting firms remain prime targets for cybercriminals. A single client tax file contains Social Security numbers, bank account details, income history, and often business financials spanning multiple years. Professional services firms experienced a 45% increase in ransomware incidents between 2024 and 2025, according to the Verizon 2026 Data Breach Investigations Report (DBIR).
IRS data shows that tax professionals reported over 1,200 data theft incidents in the 2025 filing season — a 20% increase from the previous year. Despite clear legal mandates and well-documented threat patterns, many firms still operate without an IRS-compliant WISP or maintain a generic document that hasn't been reviewed since creation.
This guide provides detailed accounting firm WISP template examples with annotated section breakdowns, complete required components, and a practical implementation framework to ensure your firm is protected and compliant in 2026.
Tax Practice Security By The Numbers (statistics panel; sources cited: IBM Cost of Data Breach Report 2025, IBM Security Research, IRS Security Summit)
The Legal Framework Requiring WISP Compliance
Three overlapping legal frameworks require accounting firms to maintain a WISP. Understanding each framework shapes how your document must be structured and what specific controls you must implement.
IRS Publication 4557 and the FTC Safeguards Rule
IRS Publication 4557, titled Safeguarding Taxpayer Data, explicitly states that all tax preparers must create and maintain a WISP that identifies risks to client data and describes controls to mitigate those risks. The Publication references the FTC Safeguards Rule as the statutory authority.
Under the updated FTC Safeguards Rule (effective June 2023), any "financial institution" subject to GLBA — including tax return preparers — must implement a written information security program. Key mandates include designating a qualified individual responsible for overseeing the security program, conducting and documenting a written risk assessment, implementing access controls and encryption for all customer financial data, and providing security awareness training for all staff with access to client data.
NIST SP 800-171 as a Structural Framework
While NIST Special Publication 800-171 Revision 3 is written for contractors handling Controlled Unclassified Information (CUI), its 110 security requirements provide an excellent structural framework for accounting firm WISP template examples. Many IRS-recommended WISP templates align closely with NIST SP 800-171 control families, including access control, audit and accountability, incident response, and system and communications protection.
WISP Implementation Process
Designate Your Information Security Coordinator
Name a specific individual — not just a job title — responsible for maintaining the WISP and coordinating security activities.
Complete Your Data and Systems Inventory
Document every system where client data lives: tax software, cloud storage, email platforms, local servers, backup drives, and mobile devices.
Conduct and Document Risk Assessment
Identify reasonably foreseeable internal and external threats, evaluate likelihood and impact, and document existing controls.
Develop Written Policies and Procedures
Create specific policies for access control, incident response, employee training, and vendor management based on your risk assessment findings.
Implement Technical Safeguards
Deploy the IRS Security Six controls: antivirus, firewalls, multi-factor authentication, drive encryption, backup systems, and staff training.
Establish Monitoring and Review Schedule
Set up regular WISP reviews, security training schedules, and incident response testing to maintain ongoing compliance.
Required Sections in Every Accounting Firm WISP
The IRS and FTC do not prescribe a specific page format, but they specify what a WISP must address. When reviewing accounting firm WISP template examples, ensure each contains these mandatory sections tailored to your specific firm — not generic placeholder language.
Firm Identification and Designated Security Coordinator
Your WISP must identify your firm by legal name and designate a specific individual as the Information Security Coordinator (ISC). This person is accountable for maintaining the WISP, coordinating training, and managing incident response. For solo practitioners, the ISC is typically the preparer. For larger firms, it's usually a managing partner with direct authority over IT decisions.
Complete Inventory of Data and Systems
You cannot protect what you haven't identified. Your WISP must document every system where client data lives: tax software platforms like Drake, Lacerte, UltraTax CS, or ProSeries; cloud storage solutions; email platforms; local servers; backup drives; and mobile devices. For each system, identify who has access, under what conditions, and from which locations.
Written Risk Assessment with Specific Threats
The FTC Safeguards Rule explicitly requires a written risk assessment. Your assessment must identify reasonably foreseeable internal and external threats, evaluate likelihood and impact, document existing controls, and assign mitigation tasks with owners and deadlines. Threats specific to accounting firms include phishing campaigns targeting tax professionals, ransomware delivered through email attachments, credential stuffing against tax software portals, and physical theft of laptops during tax season travel.
Administrative, Technical, and Physical Safeguards
Your WISP must detail the specific controls protecting client data across three categories. Administrative safeguards include employee training programs, access management procedures, and incident response protocols. Technical safeguards encompass encryption, access controls, and audit logging. Physical safeguards address facility security, device management, and secure disposal of sensitive materials.
Common WISP Mistakes Accounting Firms Make
After reviewing dozens of WISPs from CPA firms and tax practices nationwide, several patterns of failure appear consistently. Avoid these mistakes when using accounting firm WISP template examples as your starting point.
Submitting an Unadapted Generic Template
The IRS provides a sample WISP through IRS Publication 5708, and many firms download that document and file it unchanged. A template with placeholder firm names, generic risk descriptions, and no reference to your actual systems is not a compliant WISP — it's a form. Regulators and auditors identify unadapted templates quickly.
Treating the WISP as a Filing Cabinet Artifact
A WISP written in 2022 and never reviewed doesn't reflect your current systems, staff, or operating environment. If your firm adopted new tax software, moved to cloud storage, hired remote employees, or changed IT vendors since the plan was last updated, your document is materially inaccurate. The FTC Safeguards Rule requires periodic review and specifically mandates review after any security incident.
Inadequate Vendor Management Documentation
If your firm uses cloud-based tax platforms, document management systems, or third-party IT providers, data flows through vendor systems outside your direct control. Your WISP must document how you vet vendors' security practices, what contractual provisions you require, and how you monitor ongoing compliance. Reference your cloud service providers' security certifications — SOC 2 Type II, ISO 27001:2022 — directly in this section.
Missing Remote Work Security Policies
The shift to hybrid and remote work models during and after the pandemic created new security gaps many WISPs fail to address. If any staff access taxpayer data outside the office — including seasonal employees working from home — your WISP must address remote security explicitly with specific technical controls and monitoring procedures.
WISP Compliance Checklist for Accounting Firms
- Designate a named Information Security Coordinator responsible for the WISP
- Complete inventory of all systems storing or processing taxpayer data
- Conduct and document a written risk assessment with specific threats
- Implement multi-factor authentication on all tax software and cloud systems
- Deploy endpoint protection on all workstations and mobile devices
- Establish secure backup procedures with offsite or cloud storage
- Configure network firewalls with documented rule sets
- Enable full-disk encryption on all laptops and portable devices
- Schedule annual employee security awareness training
- Document incident response procedures with specific contact information
- Establish vendor security assessment and monitoring procedures
- Set up annual WISP review and update schedule
Operationalizing Your WISP: From Document to Practice
A WISP is a living document, not a filing cabinet artifact. Both the FTC Safeguards Rule and IRS guidance require that your security program be implemented, not merely written. Here's how to operationalize the key sections of your accounting firm WISP template after the document is complete.
Embed Access Controls Into Your Technology Stack
Rather than relying on policy reminders, build access control into your systems. Configure tax software and cloud storage to require multi-factor authentication at every login. Use group policy or mobile device management (MDM) to enforce password complexity and automatic screen-lock timeouts on all firm devices. Set up automated account deprovisioning workflows so that when an employee's termination is processed in HR, their system access is revoked simultaneously — not days later.
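The deprovisioning point above is easiest to enforce when it is checked mechanically rather than remembered. The following is an added example, not code from the original article: a reconciliation script that compares an HR roster against the account exports from each firm system and reports accounts that should already be disabled, accounts with no HR record at all, and active accounts that have not enrolled in MFA. The worker records, systems, email addresses and dates are constructed for illustration.

```python
"""Joiner/leaver reconciliation for a small firm's systems.

Added example, not code from the original article. It assumes an HR export
and per-system account lists shaped like the constructed records below; the
people, systems and dates are hypothetical."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Worker:
    email: str
    status: str                    # "active" or "terminated"
    end_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    system: str                    # e.g. tax software, cloud storage, email
    email: str
    enabled: bool
    mfa_enrolled: bool


# Constructed HR roster (hypothetical staff).
HR_ROSTER = [
    Worker("alice@example-cpa.test", "active"),
    Worker("bob@example-cpa.test", "terminated", date(2026, 1, 10)),
    Worker("carol@example-cpa.test", "active"),
]

# Constructed account exports from three firm systems.
SYSTEM_ACCOUNTS = [
    Account("tax-software", "alice@example-cpa.test", True, True),
    Account("tax-software", "bob@example-cpa.test", True, True),     # left, still enabled
    Account("cloud-storage", "carol@example-cpa.test", True, False), # active, no MFA
    Account("email", "bob@example-cpa.test", False, True),           # already disabled
    Account("email", "dave@example-cpa.test", True, True),           # not in HR at all
]


def reconcile(roster, accounts, today):
    """Return (finding_type, system, email, detail) tuples for every account
    that contradicts the HR roster or the WISP's MFA requirement."""
    by_email = {w.email.lower(): w for w in roster}
    findings = []
    for acct in accounts:
        worker = by_email.get(acct.email.lower())
        if worker is None:
            if acct.enabled:
                findings.append(("ORPHAN_ACCOUNT", acct.system, acct.email,
                                 "no HR record; disable pending review"))
        elif worker.status == "terminated":
            if acct.enabled:
                lag = (today - worker.end_date).days
                findings.append(("REVOKE", acct.system, acct.email,
                                 f"terminated {lag} day(s) ago, still enabled"))
        elif acct.enabled and not acct.mfa_enrolled:
            findings.append(("MFA_MISSING", acct.system, acct.email,
                             "active account without MFA enrolment"))
    return findings


def revocation_queue(findings):
    """(system, email) pairs the deprovisioning workflow should disable now."""
    return sorted((f[1], f[2]) for f in findings
                  if f[0] in ("REVOKE", "ORPHAN_ACCOUNT"))


def example_findings():
    """Run the reconciliation over the constructed data as of 2026-01-15."""
    return reconcile(HR_ROSTER, SYSTEM_ACCOUNTS, date(2026, 1, 15))


if __name__ == "__main__":
    for finding in example_findings():
        print(*finding, sep=" | ")
    print("to disable:", revocation_queue(example_findings()))
```

Run on a schedule against real exports, the REVOKE lag in days is the number to track: a WISP that says access is revoked at termination is only defensible if that number stays at zero.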
Document Every Training Event with Verifiable Records
The IRS expects training records on request. Use a learning management system (LMS) or signed paper attendance sheets to document who completed training, what topics were covered, and the date. For phishing simulations, document click rates and the remediation steps taken with employees who failed the test. These records belong in your WISP appendix and should be updated after every training event.
Remote Work Requires Explicit Security Controls
Remote access to taxpayer data, including by seasonal employees working from home, needs its own controls in the WISP. Require all remote access to firm systems to go through a firm-managed virtual private network (VPN). Personal devices used for work must meet the same security standards as firm-owned devices: full-disk encryption, MFA, and current patch levels. Our VPN selection guide covers recommended configurations you can reference directly in your policy section.
Key Takeaway
Your WISP must be specific to your firm's actual systems and practices. Generic accounting firm WISP template examples serve as starting points, but a compliant document must reflect your real risk environment, specific software platforms, and implemented controls.
Structuring Your WISP Around the IRS Security Six
The IRS Security Six represent the baseline security measures every tax professional must implement. When developing your accounting firm WISP template, explicitly reference each by name, document the specific tools your firm uses to satisfy each requirement, and assign a named owner for each control. This approach aligns your WISP directly with IRS expectations and makes compliance verification straightforward during a review.
Here's how each of the Security Six maps to a WISP policy section:
- Anti-virus software: Name the specific endpoint protection product deployed on all firm workstations and laptops, how it's updated, and who monitors alerts. Reference your device inventory as supporting documentation.
- Firewalls: Document the firewall protecting your office network and any remote access gateway. Reference configuration standards and your annual review schedule.
- Multi-factor authentication: Specify which systems require MFA, which MFA method is applied (authenticator app is preferred over SMS), and who manages account provisioning and deprovisioning.
- Drive encryption: Name the encryption tool on every firm device. For Windows laptops, this is typically BitLocker; for macOS devices, FileVault. Document key storage location and the recovery procedure if a device is lost.
- Backup and recovery: Define backup schedule, storage location (offsite or cloud), and your recovery time objective (RTO). The ransomware protection guide covers recommended backup architectures for firms of all sizes.
- Phishing awareness training: Document training frequency, delivery method, and quarterly phishing simulation results. Include a log of completion dates in your WISP appendix.
A WISP that addresses each of the Security Six by name — rather than describing controls in abstract terms — provides a defensible, auditable document that maps directly to what the IRS expects to see during a compliance review.
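To make the "name the tool, name the owner" rule checkable, the Security Six section and the device inventory can be kept as structured records and audited before each annual review. The following is an added example, not code from the article or from the IRS: it walks a constructed control register, reports any of the six controls that is undocumented, lacks a named tool or owner, or has not been reviewed within a year, flags SMS as the documented MFA method, checks the backup entry for an RTO, and cross-checks the device inventory for laptops with no encryption tool recorded. The firm, tool names marked "placeholder", owners, dates and device IDs are all hypothetical.

```python
"""Self-check for the Security Six section of a WISP control register.

Added example, not from the article or the IRS. It assumes the firm keeps its
control register and device inventory as simple records like the constructed
ones below; tool names marked "placeholder" are not real products."""
from datetime import date

SECURITY_SIX = ("antivirus", "firewall", "mfa",
                "drive_encryption", "backup", "phishing_training")

# Constructed register for a hypothetical firm. phishing_training is
# deliberately absent to show how the check reports it.
CONTROL_REGISTER = {
    "antivirus": {"tool": "endpoint-protection (placeholder)", "owner": "J. Doe",
                  "last_reviewed": date(2025, 9, 1)},
    "firewall": {"tool": "office-gateway (placeholder)", "owner": "J. Doe",
                 "last_reviewed": date(2025, 1, 20)},
    "mfa": {"tool": "authenticator app with SMS fallback", "owner": "",
            "method": "sms", "last_reviewed": date(2025, 11, 3)},
    "drive_encryption": {"tool": "BitLocker / FileVault", "owner": "M. Roe",
                         "last_reviewed": date(2025, 12, 1)},
    "backup": {"tool": "offsite cloud backup (placeholder)", "owner": "M. Roe",
               "rto_hours": 24, "last_reviewed": date(2025, 10, 5)},
}

# Constructed device inventory; LT-03 has no encryption tool recorded.
DEVICE_INVENTORY = [
    {"id": "LT-01", "os": "windows", "encryption": "BitLocker"},
    {"id": "LT-02", "os": "macos", "encryption": "FileVault"},
    {"id": "LT-03", "os": "windows", "encryption": None},
]


def audit_register(register, devices, today, max_age_days=365):
    """Return (control, code, detail) findings: a control missing from the
    register, lacking a named tool or owner, not reviewed within max_age_days,
    an MFA method weaker than an authenticator app, a backup entry without an
    RTO, and any inventoried device without an encryption tool."""
    findings = []
    for name in SECURITY_SIX:
        entry = register.get(name)
        if entry is None:
            findings.append((name, "MISSING", "control not documented"))
            continue
        if not entry.get("tool"):
            findings.append((name, "NO_TOOL", "no product named"))
        if not entry.get("owner"):
            findings.append((name, "NO_OWNER", "no named owner"))
        last = entry.get("last_reviewed")
        if last is None or (today - last).days > max_age_days:
            findings.append((name, "STALE_REVIEW",
                             f"last review {last}, older than {max_age_days} days"))
    if register.get("mfa", {}).get("method", "").lower() == "sms":
        findings.append(("mfa", "WEAK_METHOD",
                         "SMS codes documented; use an authenticator app"))
    if "backup" in register and "rto_hours" not in register["backup"]:
        findings.append(("backup", "NO_RTO", "recovery time objective not set"))
    for dev in devices:
        if not dev.get("encryption"):
            findings.append(("drive_encryption", "UNENCRYPTED_DEVICE", dev["id"]))
    return findings


def example_findings():
    """Audit the constructed register and inventory as of 2026-02-01."""
    return audit_register(CONTROL_REGISTER, DEVICE_INVENTORY, date(2026, 2, 1))


if __name__ == "__main__":
    for control, code, detail in example_findings():
        print(f"{control:18} {code:20} {detail}")
```

The same register also answers the inventory and annual-review requirements discussed earlier: the `last_reviewed` date per control is what shows a reviewer that the document is maintained rather than filed, and the device cross-check is where a "BitLocker on all laptops" statement meets the actual inventory.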
Advanced WISP Considerations for Growing Firms
As accounting practices grow beyond solo practitioners to multi-partner firms with remote staff, your WISP must address additional complexity. These advanced considerations distinguish thorough accounting firm WISP template examples from basic compliance documents.
Cloud Service Provider Security Assessment
When evaluating tax software vendors and cloud storage providers, your WISP should document specific security criteria. Look for SOC 2 Type II reports, which verify that service providers have implemented appropriate controls for security, availability, processing integrity, confidentiality, and privacy. For larger firms, require ISO 27001:2022 certification, which demonstrates a systematic approach to managing sensitive information.
Segregation of Duties for Administrative Access
Firms with multiple staff members should implement segregation of duties for critical security functions. No single individual should have unrestricted access to all client data, backup systems, and administrative controls. Your WISP should document role-based access controls and require approval workflows for sensitive operations like data exports, system configuration changes, or user account modifications.
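The role-based access and approval workflow described above can be expressed as a small policy model and tested the same way the WISP is reviewed. The following is an added example, not code from the article: it defines roles and their permissions, a list of role pairs no one person may hold, and an `authorize` check that refuses sensitive operations unless a different person holding an approval permission signs off. The roles, permissions, conflict pairs and staff names are constructed for illustration; a real firm would derive them from its own WISP.

```python
"""Role-based access with a segregation-of-duties check and a two-person
approval gate for sensitive operations.

Added example, not from the article. The roles, permissions, conflict pairs
and users are constructed for illustration."""

# Permissions granted by each role (constructed).
ROLE_PERMISSIONS = {
    "preparer": {"client_data:read", "client_data:write"},
    "reviewer": {"client_data:read", "client_data:sign_off"},
    "export_operator": {"client_data:read", "client_data:export"},
    "backup_admin": {"backup:configure", "backup:restore"},
    "system_admin": {"system:configure", "user:create", "user:modify"},
    "partner": {"client_data:read", "ops:approve"},
}

# Role pairs that no single person may hold at once.
SOD_CONFLICTS = {
    frozenset({"system_admin", "backup_admin"}),    # could alter systems and the backups that would reveal it
    frozenset({"system_admin", "export_operator"}), # could create an account and export client data
    frozenset({"preparer", "reviewer"}),            # would sign off on their own work
}

# Operations that require a second person holding ops:approve.
APPROVAL_REQUIRED = {"client_data:export", "system:configure",
                     "user:create", "user:modify", "backup:restore"}

# Constructed staff list; carol's assignment is a deliberate violation.
USER_ROLES = {
    "alice": {"preparer"},
    "bob": {"reviewer"},
    "carol": {"system_admin", "backup_admin"},
    "dan": {"export_operator"},
    "erin": {"partner"},
}


def permissions_for(user, user_roles=USER_ROLES):
    """Union of permissions across the user's assigned roles."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in user_roles.get(user, ())))


def sod_violations(user_roles=USER_ROLES):
    """Users whose role set contains a forbidden pair, with the pair."""
    out = []
    for user, roles in sorted(user_roles.items()):
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                out.append((user, tuple(sorted(pair))))
    return out


def authorize(user, operation, approver=None, user_roles=USER_ROLES):
    """Decide whether `user` may perform `operation`; returns (allowed, reason)."""
    if operation not in permissions_for(user, user_roles):
        return False, "operation not granted by any assigned role"
    if operation not in APPROVAL_REQUIRED:
        return True, "permitted"
    if approver is None:
        return False, "second-person approval required"
    if approver == user:
        return False, "self-approval is not allowed"
    if "ops:approve" not in permissions_for(approver, user_roles):
        return False, "approver lacks ops:approve"
    return True, f"permitted with approval from {approver}"


if __name__ == "__main__":
    print("SoD violations:", sod_violations())
    print(authorize("dan", "client_data:export"))
    print(authorize("dan", "client_data:export", approver="erin"))
```

Running `sod_violations` against the live role assignments is the check to add to the annual WISP review; the `authorize` decision, with the approver recorded, is what an audit log entry for a data export should contain.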
Incident Response Testing and Documentation
Beyond documenting incident response procedures, your WISP should include an annual testing schedule. Conduct tabletop exercises that simulate realistic scenarios: a staff member receives a convincing phishing email, a laptop is stolen from a client site, or ransomware encrypts your tax software database. Document the results of these exercises and update your procedures based on identified gaps. The incident response planning guide provides specific scenario templates for tax practices.
For firms using multiple locations or extensive remote work arrangements, consider geographic risk factors. If your backup data is stored in a region prone to natural disasters, or if remote staff work from areas with unreliable internet connectivity, these factors should influence your business continuity planning within the WISP framework.
2026 Filing Season Compliance Deadline
The IRS requires all tax preparers to have an updated WISP in place by the start of the 2026 filing season. Firms without a compliant plan face potential PTIN suspension and FTC enforcement action.
Building Your WISP Implementation Timeline
Creating a compliant WISP is not a weekend project. Most accounting firms need 4-6 weeks to properly assess their current security posture, document required procedures, and implement missing technical controls. Start your WISP development process early in the calendar year — not during tax season when your staff is focused on client deadlines.
Consider using professional WISP template resources that provide firm-specific examples rather than generic checklists. Many successful accounting firm WISP template examples include detailed policy language for common tax practice scenarios: seasonal employee onboarding, client portal security, document retention schedules, and vendor management procedures.
Your completed WISP becomes the foundation for other security initiatives. Use it to guide technology purchasing decisions, evaluate insurance coverage adequacy, and establish security training curricula for your staff. The step-by-step WISP creation guide provides detailed timelines and resource requirements for firms of different sizes.
Remember that WISP compliance is not a one-time achievement. The FTC Safeguards Rule requires regular updates, and the threat environment facing tax practices continues to evolve. Plan to review and update your WISP at least annually, and immediately after any security incident or significant change to your technology environment.
Frequently Asked Questions
What is a WISP, and who is required to have one?
A Written Information Security Plan (WISP) is a formal document required by IRS Publication 4557 and the FTC Safeguards Rule for all tax preparers and accounting firms that handle client financial data. This includes solo practitioners, CPA firms, and any business that prepares tax returns — regardless of size or annual return volume.
How often must a WISP be reviewed or updated?
The FTC Safeguards Rule requires annual WISP reviews at minimum. You must also update your WISP after any security incident, significant technology changes (new software, cloud migration), staff changes affecting security roles, or changes to your business operations (new locations, remote work policies).
Can we use the IRS sample WISP from Publication 5708 as-is?
No. While IRS Publication 5708 provides a sample WISP, using it without firm-specific modifications is not compliant. Your WISP must reflect your actual systems, staff, procedures, and risk environment. Generic templates are easily identified during regulatory reviews.
What are the penalties for not having a compliant WISP?
Penalties can include PTIN suspension by the IRS, FTC enforcement actions with fines up to $250,000, increased liability in data breach lawsuits, and potential exclusion from professional liability insurance coverage. The FTC has specifically targeted tax preparers in recent enforcement actions.
Does the WISP need to cover remote work and cloud services?
Yes. If any staff access client data outside your physical office or if you use cloud-based tax software or storage, your WISP must explicitly address these scenarios. This includes VPN requirements, device security standards, and vendor security assessments for cloud providers.
Who should serve as the Information Security Coordinator (ISC)?
The ISC must be a specific named individual — not just a job title. For solo practitioners, it's typically the owner. For larger firms, it should be a partner or senior manager with authority over IT decisions and budget to implement security measures.
How is a WISP different from a general cybersecurity policy?
A WISP is specifically required by federal regulation for tax preparers and must address the FTC Safeguards Rule requirements. General cybersecurity policies may not include the specific risk assessment, administrative safeguards, and documentation requirements mandated for WISP compliance.
How long should a WISP be?
There's no mandated length, but most compliant WISPs for small to medium accounting firms are 15-25 pages including appendices. The document must be thorough enough to address all required elements while remaining practical for your staff to understand and implement.
Should incident response procedures be part of the WISP?
Incident response procedures can be included as a section within your WISP or maintained as a separate document referenced by your WISP. Either approach is acceptable as long as the procedures are documented, regularly updated, and accessible to relevant staff during an emergency.
How should we document security awareness training?
Maintain records of all training events including attendee lists, topics covered, dates, and any assessment results. For phishing simulations, document click rates and remediation actions. Store these records as WISP appendices and update them after each training session or security awareness activity.