
Accountants hold some of the most sensitive personal financial data in existence: Social Security numbers, bank account details, W-2s, and years of tax history for thousands of clients. That data is a primary target for cybercriminals, and the IRS has made one thing clear, your firm must have a formal, written plan to protect it.
A Written Information Security Plan (WISP) is a documented security policy that describes how your firm collects, stores, and safeguards client data. Under IRS Publication 4557, Safeguarding Taxpayer Data, and the Federal Trade Commission (FTC) Safeguards Rule (16 CFR Part 314), virtually every tax preparer, sole proprietors included, is required to maintain one. The IRS began actively promoting enforcement after the Security Summit released its own model WISP template in 2022.
The challenge for most accounting firms is not intent, it is execution. The best WISP templates for accountants go far beyond generic fill-in-the-blank documents. They align with the IRS's specific requirements, incorporate current threat scenarios, and are built to be maintained year after year without becoming shelfware. This guide will help you evaluate your options, understand what separates a compliant template from an inadequate one, and implement a WISP that actually protects your practice.
For detailed implementation guidance, see our step-by-step WISP creation guide and complete overview of IRS WISP requirements.
Tax Firm Cybersecurity: By the Numbers
Verizon 2025 Data Breach Investigations Report
IBM Cost of Data Breach Report 2024
Verizon DBIR, phishing remains the top initial access vector for tax firms
The IRS WISP Requirement: What Accountants Are Actually Obligated to Do
The legal foundation for WISP requirements rests on two pillars. The first is IRS Publication 4557, which outlines baseline security expectations for all tax preparers. The second is the FTC Safeguards Rule, significantly expanded in 2023, which now applies to tax preparation firms as "financial institutions" under the Gramm-Leach-Bliley Act (GLBA).
Under these combined requirements, your WISP must address the following at minimum:
- An employee designated as your firm's Information Security Coordinator
- An inventory of all systems and storage locations holding taxpayer data
- Risk assessments identifying internal and external threats to that data
- Specific technical, physical, and administrative safeguards to address identified risks
- Vendor and contractor oversight policies covering anyone with access to client data
- An incident response and breach notification procedure with IRS-specific steps
- Annual review and update of the WISP to reflect operational changes
The FTC Safeguards Rule further requires firms with 5,000 or more customer records to implement specific technical controls, including Multi-Factor Authentication (MFA), encryption, and access control logging. Even firms below that threshold face civil penalties for failing to maintain basic safeguards.
For a thorough breakdown of the full IRS framework, see our IRS Publication 4557 compliance guide and the detailed overview of PTIN and WISP requirements for tax professionals.
2026 Compliance Deadline
A WISP is not a one-time document. Both the IRS and the FTC require you to review it at least annually and update it whenever your firm's technology, personnel, or operating environment changes. A WISP written in 2021 that has never been revised is not compliant, and provides little actual protection. Start 2026 with an updated plan using our free 2026 WISP template.
What Every Strong WISP Template Must Include
Most off-the-shelf templates cover the obvious ground, basic definitions, a few policy statements, and a signature line. A template designed for real-world tax practice compliance goes much further. Before you download or purchase any WISP document, confirm it addresses all of the elements below.
Evaluating the Best WISP Templates for Accountants: Key Selection Criteria
Not all WISP templates are created equal. A generic cybersecurity policy pulled from a random website may miss IRS-specific language, lack provisions for tax software vendors, or fail to address the FTC Safeguards Rule's technical control requirements. When selecting from the best WISP templates for accountants, apply these five criteria before committing to any document.
IRS Security Summit Alignment
The IRS Security Summit, a public-private coalition that includes tax software companies, state tax agencies, and the IRS, released a model WISP template specifically for tax professionals in 2022. Any template worth using should align with this model or exceed it. Look for explicit references to IRS cybersecurity requirements, Electronic Filing Identification Number (EFIN) protection, and IRS e-services portal obligations.
FTC Safeguards Rule Coverage
The amended Safeguards Rule added 16 specific operational requirements for covered financial institutions. A strong accountant WISP template will either incorporate these directly or provide a mapping showing which WISP sections satisfy each requirement. Missing Safeguards Rule coverage is one of the most common gaps in off-the-shelf templates, and it is precisely what regulators look for after a breach. See our FTC Safeguards Rule guide for tax preparers for details on how these thresholds apply.
Practical Usability, Not Compliance Theater
The best WISP templates for accountants are built to be actually used, with tables to fill in, options for common scenarios, and instructions written for non-technical users. A 40-page document full of legal boilerplate that staff never reads offers worse protection than a focused 15-page plan they reference during an incident. Usability and compliance are not in conflict; the right template achieves both.
Scaled for Small and Mid-Size Practices
Enterprise security templates are often over-engineered for small CPA firms. The right template should scale appropriately, covering a solo practitioner through a 50-person firm, without requiring a dedicated IT department. Our free WISP template for 2026 is designed with this balance as a primary requirement, not an afterthought.
Detailed Incident Response and Breach Notification
One area where many templates fall short is incident response. The IRS requires tax preparers to notify the IRS upon discovering a data breach, and most states impose their own notification timelines (commonly 30-72 hours). A compliant template must include specific breach response procedures, not a generic placeholder. Our all-in-one compliance package provides a detailed incident response companion resource for this section.
The IRS Model WISP Template: Strengths and Real Limitations
In August 2022, the IRS Security Summit released a model WISP template specifically designed for tax professionals. This was a meaningful step forward, before its release, many firms were adapting generic IT security policies that lacked IRS-specific language entirely. The IRS model covers the primary requirements of Publication 4557 and includes sections on physical security, network security, employee responsibilities, and incident response.
However, the IRS model has gaps that accountants should understand before adopting it unchanged.
FTC Safeguards Rule gaps: The IRS template was not updated to fully reflect the 2023 Safeguards Rule amendments, which added specific requirements for penetration testing, continuous monitoring, and access control logging for firms above the 5,000-record threshold.
Limited cloud guidance: Most modern accounting firms use cloud-based tax software, document portals, and remote desktop access. The IRS model provides minimal guidance on securing these environments. For additional context, see our guide on secure client portals for tax practices.
No vendor risk management framework: The template does not include a structured process for evaluating third-party vendors, a specific requirement under both the Safeguards Rule and NIST SP 800-171.
Generic incident response section: The breach notification language lacks state-specific guidance and does not walk through the IRS e-services notification process step by step, leaving firms uncertain about what to do when minutes matter.
The IRS model is an excellent starting point, but treating it as a finished compliance product leaves your firm exposed. The strongest approach is to use the IRS template as a foundation and layer in the additional controls required by the Safeguards Rule, NIST guidance, and your state's data security laws. Our IRS Publication 5708 sample WISP walkthrough covers how to interpret the IRS's own annotated example.
How to Implement Your WISP: Step-by-Step
Designate Your Information Security Coordinator
Assign a specific person, owner, office manager, or IT lead, as the named coordinator responsible for the WISP. Document their name and contact information in the plan.
Inventory Every System Holding Client Data
List all workstations, servers, cloud storage, tax software platforms, email systems, and any paper filing systems that store or process taxpayer information.
Conduct a Risk Assessment
Identify realistic internal threats (employee error, departing staff) and external threats (phishing, ransomware, credential theft). Prioritize by likelihood and impact.
Document Your Existing Safeguards
Record the controls you already have in place: MFA settings, encryption, antivirus, backup procedures, physical locks. Note gaps honestly, your WISP should reflect reality.
Build Your Vendor Oversight Process
List every third-party service with access to client data. Document your process for reviewing their security practices and the steps you take when a vendor relationship ends.
Write Your Incident Response Procedure
Create a specific call list and a step-by-step response checklist. Include the IRS e-services notification URL, your state's breach reporting timeline, and your cyber insurer's claim line.
Train Staff and Schedule Annual Review
Brief every employee on the WISP before tax season. Set a calendar reminder to review and update the document at least once per year and whenever your technology environment changes.
Need Help Building Your WISP?
Our security team has helped thousands of tax professionals create compliant Written Information Security Plans built for IRS and FTC requirements.
Common WISP Mistakes Accounting Firms Make, and How to Avoid Them
After working with hundreds of tax practices, the security team at Bellator Cyber Guard has identified a consistent set of WISP failures that leave firms exposed even when they believe they are compliant.
Treating the WISP as a One-Time Filing Exercise
The most common failure mode is creating a WISP during a compliance push, filing it away, and never updating it. The FTC Safeguards Rule requires annual review, and the IRS expects your WISP to reflect current operations. If you onboarded a cloud document portal last year and your WISP still references only a local server, you have a documented compliance gap, one that regulators will find after a breach.
Omitting Vendor Oversight Requirements
Tax firms routinely share client data with payroll providers, document management platforms, and cloud-based tax software. Each of those relationships is a potential attack vector. Your WISP must include a section requiring you to review vendor security practices, obtain written security assurances, and terminate vendor access when a relationship ends. This is a specific FTC Safeguards Rule requirement that generic templates almost universally miss.
Writing a WISP That Does Not Match Reality
Documenting controls you do not actually have in place, for example, stating that MFA is enforced when it has not been deployed, creates a paper trail of non-compliance rather than protection. Regulators and plaintiff attorneys look for exactly this discrepancy following a breach. Your WISP should describe what your firm actually does, paired with a prioritized roadmap to close gaps. For practical guidance on deploying actual controls, see our resources on WISP implementation for small tax firms and ransomware protection for small practices.
Neglecting Physical Security
Digital controls receive most of the attention in template discussions, but physical security remains a genuine gap area. IRS Publication 4557 specifically requires policies for locking workstations when unattended, securing paper files containing taxpayer data, and controlling physical access to areas where client data is processed. A WISP without a physical security section is incomplete under IRS standards, even if the digital controls are strong.
Skipping the Incident Response Section
Many small firms operate as though a data breach is unlikely. The 2025 Verizon Data Breach Investigations Report found that 46% of all breaches involved small businesses. When an incident does occur, the difference between a manageable situation and a catastrophic one often comes down to whether staff knew what to do in the first minutes. Your incident response section must include a specific call list, IRS notification steps, and your state's breach reporting obligations and timelines. For detailed guidance, see our incident response plan for tax practices.
Bottom Line
A WISP that sits in a drawer is not a WISP, it is a liability. The IRS and FTC both expect documented evidence that your firm reviews and updates its security plan regularly. A plan that reflects how your firm operated three years ago, with software you no longer use, exposes you to the same enforcement risk as having no plan at all. Build it to match your real operations, then keep it current.
WISP Templates by Firm Size: What Changes and What Stays the Same
The essential components of a compliant WISP are the same regardless of how many people work at your firm. What scales is the depth and complexity of each section. Here is how to calibrate the best WISP templates for accountants at different practice sizes.
Solo Practitioners and Small Firms (1-5 Staff)
A solo CPA or small bookkeeping firm needs a focused, practical WISP, typically 10-15 pages, that covers the IRS requirements without over-engineering. The Information Security Coordinator is usually the owner. The risk assessment can be relatively concise if your technology environment is simple. Key controls to document: a password manager, MFA on all tax software and email, encrypted laptop storage, and a clear incident response call list. Our free 2026 WISP template is built to work for this practice profile without requiring a consultant.
Mid-Size CPA and Accounting Firms (6-50 Staff)
Firms with multiple staff members face additional complexity: shared drives, diverse workstations, varied software environments, and more vendor relationships. Your WISP should include formal onboarding and offboarding procedures for IT access, a structured vendor risk assessment process, and documented network segmentation policies. Determine whether your firm holds 5,000 or more customer records, if so, the FTC Safeguards Rule triggers additional specific technical requirements that your WISP must address. For the full breakdown of those requirements, see our FTC Safeguards Rule guide for tax preparers.
Multi-Office and Regional Accounting Firms (50+ Staff)
Larger firms should treat the WISP as the top-level governance document in a suite of security policies, supported by separate policies for remote access, acceptable use, vendor management, and change control. This tier also benefits most from third-party security validation, either a formal penetration test or a NIST Cybersecurity Framework (CSF)-based gap assessment, to confirm that documented controls are operating as described. A WISP that says controls exist but has not been tested offers little actual assurance. For broader security strategy at this scale, see our accounting and CPA cybersecurity solutions.
Related Tax Security Resources
Building a compliant WISP is one component of a complete tax firm security program. These resources address the technical controls and employee practices your WISP will reference:
- IRS cybersecurity requirements for tax professionals, understand the full regulatory picture behind your WISP obligations
- Phishing awareness for tax firms, satisfy the annual training requirement your WISP mandates
- Ransomware protection for tax practices, specific defenses against the top threat to accounting firms
- How to create a WISP, step-by-step guidance for drafting your plan from scratch
- IRS Publication 5708 sample WISP, the IRS's own annotated example with explanations
- Identity theft prevention for tax professionals, protecting your clients and your EFIN
- Incident response planning for tax practices, what to do when a breach happens
Get Your Free 2026 WISP Template
Download our IRS Publication 4557 and FTC Safeguards Rule compliant WISP template, designed specifically for tax professionals and accounting firms. No consultant required.
Frequently Asked Questions About WISP Templates for Accountants
All tax preparers who handle federal tax returns are required to have a WISP under IRS Publication 4557, regardless of firm size. This includes sole proprietors, single-person CPA practices, and bookkeepers who prepare returns. The FTC Safeguards Rule applies to tax preparation firms as financial institutions under the Gramm-Leach-Bliley Act, with additional technical requirements triggered at 5,000 or more customer records. There is no small-firm exemption from the baseline WISP requirement.
The IRS Security Summit released a model WISP template in August 2022, designed as a starting point for tax professionals. It covers the core Publication 4557 requirements including physical security, network security, and basic incident response. However, it was not updated to address the 2023 FTC Safeguards Rule amendments, contains limited cloud and remote work guidance, and lacks a structured vendor risk management section. Using the IRS model unchanged leaves meaningful compliance gaps, it is best treated as a foundation to build on, not a finished product.
There is no mandated page count. A solo practitioner's WISP might run 10-15 pages and cover the core IRS requirements concisely. A mid-size firm with multiple staff, vendor relationships, and diverse technology environments might need 20-30 pages. What matters is that the document actually addresses each required area with enough specificity to guide real decisions, not that it meets a word count. A focused, usable 12-page WISP is more valuable than an 80-page document no one reads.
The IRS and FTC both require at minimum an annual review. Beyond the annual calendar review, you should update your WISP whenever your technology environment changes materially, adding a new cloud platform, changing tax software, hiring or departing staff with system access, or onboarding a new vendor with access to client data. A practical approach is to schedule your WISP review each fall before the filing season begins, so you start each year with a current plan.
Consequences vary by circumstance. The IRS can issue compliance notices and, in persistent cases, suspend or revoke a firm's EFIN or PTIN. The FTC can pursue civil penalties under the Safeguards Rule, with penalties up to $51,744 per violation per day for covered firms. State attorneys general can bring separate enforcement actions under state data security laws. Beyond regulatory penalties, the absence of a WISP significantly weakens a firm's position in any litigation following a data breach, plaintiff attorneys specifically look for documented evidence that no security plan existed.
A well-designed free template is sufficient for most small to mid-size accounting firms. The key is choosing a template built specifically for tax professionals, not a generic cybersecurity policy template. Our free 2026 WISP template is mapped to IRS Publication 4557 and the FTC Safeguards Rule, includes sections for vendor management and incident response, and is written for non-technical users. Firms with complex environments, multiple offices, or 5,000+ client records may benefit from a consultant review to ensure technical controls are properly documented and tested.
Yes. The IRS and FTC expect your WISP to reflect your actual operating environment. If your firm uses cloud-based tax software, remote desktop access, or staff who work from home, those scenarios must be addressed in your plan. This includes policies for VPN use, home network security requirements, and access controls for cloud platforms. A WISP that only addresses an on-premises server environment while your firm has moved to the cloud is not compliant, it documents controls that no longer match your real risk profile.
Cyber insurers increasingly require a WISP as a condition of coverage. More importantly, having a documented WISP can directly affect your policy premiums and, in the event of a claim, whether your insurer covers the breach. Insurers often ask during the application and renewal process whether you maintain a written security plan, conduct annual reviews, and have implemented specific controls like MFA and encryption. A current, compliant WISP supports a stronger insurance position. Conversely, filing a claim after a breach when you had no WISP can create coverage disputes.
The terms are often used interchangeably, but there is a meaningful distinction. A cybersecurity policy is a broad statement of your firm's security intentions and rules. A WISP is a specific, IRS-and-FTC-defined document that goes further: it requires a named coordinator, a documented risk assessment, an inventory of systems, specific safeguards, vendor oversight procedures, and an incident response plan. All WISPs are security policies, but not all security policies satisfy the WISP requirement. The IRS uses the term WISP specifically in Publication 4557, that is the document you need.
Generally, one WISP can cover a multi-office firm as long as it addresses the security environment at each location. If your offices have meaningfully different technology environments, vendor relationships, or physical security setups, you may need location-specific appendices within the main WISP rather than entirely separate documents. The key requirement is that your WISP accurately reflects the actual controls in place at each location where client data is stored or processed. For multi-office firms, a managed security assessment can help identify gaps across locations before documenting them in your plan.
Schedule
Need help with IRS compliance?
Our tax cybersecurity specialists can review your security posture and help you get compliant.


