
Accountants hold some of the most sensitive personal financial data in existence: Social Security numbers, bank account details, W-2s, and years of tax history for thousands of clients. That data is a primary target for cybercriminals, and the IRS has made one thing clear — your firm must have a formal, written plan to protect it.
A Written Information Security Plan (WISP) is a documented security policy that describes how your firm collects, stores, and safeguards client data. Under IRS Publication 4557, Safeguarding Taxpayer Data, and the Federal Trade Commission (FTC) Safeguards Rule (16 CFR Part 314), virtually every tax preparer — sole proprietors included — is required to maintain one. The IRS began actively promoting enforcement after the Security Summit released its own model WISP template in 2022.
The challenge for most accounting firms is not intent — it is execution. The best WISP templates for accountants go far beyond generic fill-in-the-blank documents. They align with the IRS's specific requirements, incorporate current threat scenarios, and are built to be maintained year after year without becoming shelfware.
This guide will help you evaluate your options, understand what separates a compliant template from an inadequate one, and implement a WISP that actually protects your practice.
Tax Firm Cybersecurity: By the Numbers
(Statistics panel. Sources: IBM Cost of a Data Breach Report 2024; Verizon Data Breach Investigations Report 2024; IBM Security Report 2024.)
The IRS WISP Requirement: What Accountants Are Actually Obligated to Do
The legal foundation for WISP requirements rests on two pillars. The first is IRS Publication 4557, which outlines baseline security expectations for all tax preparers. The second is the FTC Safeguards Rule, significantly expanded in 2023, which now applies to tax preparation firms as "financial institutions" under the Gramm-Leach-Bliley Act (GLBA).
Under these combined requirements, your WISP must address the following at minimum:
- An employee designated as your firm's Information Security Coordinator
- An inventory of all systems and storage locations holding taxpayer data
- Risk assessments identifying internal and external threats to that data
- Specific technical, physical, and administrative safeguards to address identified risks
- Vendor and contractor oversight policies covering anyone with access to client data
- An incident response and breach notification procedure with IRS-specific steps
- Annual review and update of the WISP to reflect operational changes
The FTC Safeguards Rule further requires firms with 5,000 or more customer records to implement specific technical controls, including Multi-Factor Authentication (MFA), encryption, and access control logging. Even firms below that threshold face civil penalties for failing to maintain basic safeguards.
For a thorough breakdown of the full IRS framework, see our IRS Publication 4557 guide and the detailed overview of IRS WISP requirements for tax professionals.
A WISP is not a one-time document. Both the IRS and the FTC require you to review it at least annually and update it whenever your firm's technology, personnel, or operating environment changes. A WISP written in 2021 that has never been revised is not compliant — and provides little actual protection.
What Every Strong WISP Template Must Include
- IRS Security Summit alignment with Publication 4557 requirements
- FTC Safeguards Rule technical control requirements for applicable firms
- Designated Information Security Coordinator role and responsibilities
- Complete inventory of systems containing taxpayer data
- Risk assessment procedures for internal and external threats
- Technical safeguards including MFA, encryption, and access controls
- Physical security policies for workstations and paper records
- Vendor management and third-party oversight procedures
- Detailed incident response and breach notification protocols
- Annual review and update procedures with specific triggers
- Employee training requirements and onboarding procedures
- Data retention and secure disposal policies
Evaluating the Best WISP Templates for Accountants: Key Selection Criteria
Not all WISP templates are created equal. A generic cybersecurity policy pulled from a random website may miss IRS-specific language, lack provisions for tax software vendors, or fail to address the FTC Safeguards Rule's technical control requirements. When selecting from the best WISP templates for accountants, apply these five essential criteria before committing to any document.
IRS Security Summit Alignment
The IRS Security Summit — a public-private coalition that includes tax software companies, state tax agencies, and the IRS — released a model WISP template specifically for tax professionals in 2022. Any template worth using should align with this model or exceed it. Look for explicit references to IRS cybersecurity requirements, Electronic Filing Identification Number (EFIN) protection, and IRS e-services portal obligations.
FTC Safeguards Rule Coverage
The amended Safeguards Rule added 16 specific operational requirements for covered financial institutions. A strong accountant WISP template will either incorporate these directly or provide a mapping showing which WISP sections satisfy each requirement. Missing Safeguards Rule coverage is one of the most common gaps in off-the-shelf templates, and it is precisely what regulators look for after a breach.
Practical Usability, Not Compliance Theater
The best WISP templates for accountants are built to be actually used — with tables to fill in, options for common scenarios, and instructions written for non-technical users. A 40-page document full of legal boilerplate that staff never reads offers worse protection than a focused 15-page plan they reference during an incident. Usability and compliance are not in conflict; the right template achieves both.
Scaled for Small and Mid-Size Practices
Enterprise security templates are often over-engineered for small CPA firms. The right template should scale appropriately — covering a solo practitioner through a 50-person firm — without requiring a dedicated IT department. Our free WISP template for 2026 is designed with this balance as a core requirement, not an afterthought.
Detailed Incident Response and Breach Notification
One area where many templates fall short is incident response. The IRS requires tax preparers to notify the IRS upon discovering a data breach, and most states impose their own notification timelines (commonly 30-72 hours). A compliant template must include specific breach response procedures — not a generic placeholder. Our all-in-one compliance package provides a detailed incident response companion resource for this section.
The IRS Model WISP Template: Strengths and Real Limitations
In August 2022, the IRS Security Summit released a model WISP template specifically designed for tax professionals. This was a meaningful step forward — before its release, many firms were adapting generic IT security policies that lacked IRS-specific language entirely.
The IRS model covers the core requirements of Publication 4557 and includes sections on physical security, network security, employee responsibilities, and incident response. However, the IRS model has meaningful gaps that accountants should understand before adopting it unchanged.
FTC Safeguards Rule gaps: The IRS template was not updated to fully reflect the 2023 Safeguards Rule amendments, which added specific requirements for penetration testing, continuous monitoring, and access control logging for firms above the 5,000-record threshold.
Limited cloud guidance: Most modern accounting firms use cloud-based tax software, document portals, and remote desktop access. The IRS model provides minimal guidance on securing these environments. Our guide on secure client portals for tax practices addresses this gap directly.
No vendor risk management framework: The template does not include a structured process for evaluating third-party vendors — a specific requirement under both the Safeguards Rule and NIST SP 800-171.
Generic incident response section: The breach notification language lacks state-specific guidance and does not walk through the IRS e-services notification process step by step — leaving firms uncertain about what to do when minutes matter.
The IRS model is an excellent starting point, but treating it as a finished compliance product leaves your firm exposed. The strongest approach is to use the IRS template as a foundation and layer in the additional controls required by the Safeguards Rule, NIST guidance, and your state's data security laws.
How to Implement Your WISP: Step-by-Step
Download and Review Your Template
Start with the IRS model template or a complete template that includes FTC Safeguards Rule coverage. Review the entire document before beginning customization so you understand every section you'll need to complete.
Designate Your Information Security Coordinator
Assign a specific person — usually the firm owner or office manager — as your Information Security Coordinator. This person is responsible for WISP implementation, staff training, and annual updates.
Complete Your System and Data Inventory
Document every system, application, and storage location that contains taxpayer data. Include cloud services, local servers, mobile devices, remote access tools, and third-party vendors who access your systems.
Conduct Your Initial Risk Assessment
Identify potential threats to your data, evaluate current controls against IRS and FTC requirements, and document gaps. This forms the basis for your security improvement roadmap and must be updated annually.
Customize Policies to Match Your Operations
Modify template language to reflect your actual technology environment, staff responsibilities, and business processes. Never document controls you don't have in place — this creates legal liability, not protection.
Implement Priority Security Controls
Focus on high-impact controls first: MFA for all tax software and email, encrypted storage for laptops, regular tested backups, and employee security awareness training.
Train Staff on WISP Requirements
Ensure all employees understand their security responsibilities, know how to report incidents, and can locate the WISP when needed. Document training completion dates in your WISP.
Schedule Your Annual Review
Set calendar reminders to review and update your WISP annually — or immediately when significant changes occur to your technology, staff, or operations.
Common WISP Mistakes Accounting Firms Make — and How to Avoid Them
After working with hundreds of tax practices, the security team at Bellator Cyber Guard has identified a consistent set of WISP failures that leave firms exposed even when they believe they are compliant. Avoid these mistakes when building or updating your plan.
Treating the WISP as a One-Time Filing Exercise
The most common failure mode is creating a WISP during a compliance push, filing it away, and never updating it. The FTC Safeguards Rule requires annual review, and the IRS expects your WISP to reflect current operations. If you onboarded a cloud document portal last year and your WISP still references only a local server, you have a documented compliance gap — one that regulators will find after a breach.
Omitting Vendor Oversight Requirements
Tax firms routinely share client data with payroll providers, document management platforms, and cloud-based tax software. Each of those relationships is a potential attack vector. Your WISP must include a section requiring you to review vendor security practices, obtain written security assurances, and terminate vendor access when a relationship ends. This is a specific FTC Safeguards Rule requirement that generic templates almost universally miss.
Writing a WISP That Doesn't Match Reality
Documenting controls you do not actually have in place — for example, stating that MFA is enforced when it has not been deployed — creates a paper trail of non-compliance rather than protection. Regulators and plaintiff attorneys look for exactly this discrepancy following a breach. Your WISP should describe what your firm actually does, paired with a prioritized roadmap to close gaps. Our analysis of cyberattacks on tax firms shows how attackers routinely exploit the difference between documented and actual controls.
Neglecting Physical Security
Digital controls receive most of the attention in template discussions, but physical security remains a genuine gap area. IRS Publication 4557 specifically requires policies for locking workstations when unattended, securing paper files containing taxpayer data, and controlling physical access to areas where client data is processed. A WISP without a physical security section is incomplete under IRS standards — even if the digital controls are strong.
Skipping the Incident Response Section
Many small firms operate as though a data breach is unlikely. The 2024 Verizon Data Breach Investigations Report found that 46% of all breaches involved small businesses. When an incident does occur, the difference between a manageable situation and a catastrophic one often comes down to whether staff knew what to do in the first minutes. Your incident response section must include a specific call list, IRS notification steps, and your state's breach reporting obligations and timelines.
IRS and FTC Enforcement Is Real
The FTC has issued civil penalties for Safeguards Rule violations since enforcement ramped up in 2023. The IRS can suspend EFIN privileges for non-compliance with Publication 4557 requirements, preventing your firm from filing returns electronically. State attorneys general are increasingly pursuing data security enforcement against small businesses. A documented, implemented WISP is your first line of legal defense — and your obligation under federal law.
WISP Templates by Firm Size: What Changes and What Stays the Same
The core components of a compliant WISP are the same regardless of how many people work at your firm. What scales is the depth and complexity of each section. Here is how to calibrate the best WISP templates for accountants at different practice sizes.
Solo Practitioners and Small Firms (1–5 Staff)
A solo CPA or small bookkeeping firm needs a focused, practical WISP — typically 10-15 pages — that covers the IRS requirements without over-engineering. The Information Security Coordinator is usually the owner. The risk assessment can be relatively concise if your technology environment is simple. Key controls to document: a password manager, MFA on all tax software and email, encrypted laptop storage, and a clear incident response call list. Our free 2026 WISP template is built to work for this practice profile without requiring a consultant.
Mid-Size CPA and Accounting Firms (6–50 Staff)
Firms with multiple staff members face additional complexity: shared drives, diverse workstations, varied software environments, and more vendor relationships. Your WISP should include formal onboarding and offboarding procedures for IT access, a structured vendor risk assessment process, and documented network segmentation policies. Determine whether your firm holds 5,000 or more customer records — if so, the FTC Safeguards Rule triggers additional specific technical requirements that your WISP must address. See our PTIN and WISP requirements guide for details on how these thresholds apply.
Multi-Office and Regional Accounting Firms (50+ Staff)
Larger firms should treat the WISP as the top-level governance document in a suite of security policies, supported by separate policies for remote access, acceptable use, vendor management, and change control. This tier also benefits most from third-party security validation — either a formal penetration test or a NIST CSF-based gap assessment — to confirm that documented controls are operating as described. A WISP that says controls exist but hasn't been tested offers little actual assurance. For broader security strategy guidance, see our accounting and CPA cybersecurity solutions.
Bottom Line
Every tax preparer — regardless of firm size — must have a written, implemented, and annually updated WISP under IRS Publication 4557 and the FTC Safeguards Rule. The best WISP templates for accountants go beyond the IRS model by covering 2023 Safeguards Rule amendments, cloud environments, and vendor risk. Document what you actually do, close gaps with a roadmap, and review annually.
Get Your Free 2026 WISP Template
Our complete template package includes IRS-compliant policies, FTC Safeguards Rule coverage, a vendor assessment framework, and step-by-step implementation guidance — built specifically for tax professionals.
Related Tax Security Resources
Building a compliant WISP is one component of a complete tax firm security program. These resources address the technical controls and employee practices your WISP will reference:
- Security awareness training for tax firms — satisfy the annual training requirement your WISP mandates
- Ransomware protection for tax practices — specific defenses against the top threat to accounting firms
- Tax document encryption requirements — meet the technical encryption standards required by your WISP
- How to create a WISP — step-by-step guidance for drafting your plan from scratch
- IRS Publication 5708 sample WISP — the IRS's own annotated example with explanations
- Identity theft prevention for tax professionals — protecting your clients and your EFIN
Get a Free WISP Review from Our Tax Security Experts
Unsure whether your current WISP satisfies IRS Publication 4557 and FTC Safeguards Rule requirements? Our cybersecurity specialists will review your existing plan — or help you build one from scratch — at no cost.
Frequently Asked Questions About WISP Templates for Accountants
Is a WISP required for every tax preparer, regardless of firm size?
All tax preparers are required to maintain a WISP under IRS Publication 4557 — including sole proprietors and one-person bookkeeping firms. The FTC Safeguards Rule applies to any firm that prepares tax returns and qualifies as a "financial institution" under the Gramm-Leach-Bliley Act, which covers the vast majority of tax preparation practices. Firm size affects the complexity and depth of your WISP, not whether you are required to have one.
Is the IRS model WISP template sufficient on its own?
The IRS Security Summit released a model WISP template in August 2022 that covers the baseline requirements of IRS Publication 4557. It is a strong starting point but was not updated to reflect the 2023 FTC Safeguards Rule amendments, which added specific requirements for penetration testing, continuous monitoring, and access control logging for firms above the 5,000-record threshold. The IRS model also lacks detailed cloud security guidance and a structured vendor risk management process. Using it unchanged leaves gaps that regulators and insurers will identify after a breach.
How long should a WISP be?
Length should match your firm's complexity, not a fixed page count. Solo practitioners and small firms (1-5 staff) typically need 10-15 pages. Mid-size firms (6-50 staff) generally require 15-25 pages to cover access control procedures, vendor management, and network security in adequate detail. Larger firms often maintain a 25+ page WISP alongside separate supporting policies. A document that is too short may miss required elements; one that is too long may never be used in an actual incident.
How often must a WISP be reviewed and updated?
Both the IRS and the FTC Safeguards Rule require at minimum an annual review. Beyond the annual review, you must update your WISP whenever you add new technology systems, hire or terminate staff with data access, onboard new vendors, change office locations, or modify how you collect or store taxpayer data. A WISP that hasn't been revised in more than 12 months is almost certainly outdated — and that outdated version is what regulators will scrutinize after an incident.
What happens if a firm does not have a WISP?
Consequences depend on which authority is acting. The IRS can suspend your Electronic Filing Identification Number (EFIN), which prevents you from submitting returns electronically — effectively shutting down your practice during tax season. The FTC can impose civil penalties for Safeguards Rule violations. Most states have their own data security laws with separate penalty structures. After a data breach, lacking a WISP significantly increases civil liability in client lawsuits and may void or reduce cyber insurance coverage.
Can a free WISP template satisfy compliance requirements?
Free templates can fully satisfy compliance requirements if they are current, complete, and properly customized. The IRS model template is free and covers Publication 4557 requirements. Our free 2026 WISP template adds FTC Safeguards Rule coverage and cloud guidance. You may benefit from consulting support if your technology environment is complex, if you've had a previous security incident, or if your firm is approaching the 5,000-record threshold that triggers additional Safeguards Rule obligations.
Does the WISP requirement apply to home offices and cloud tax software?
Yes. IRS Publication 4557 and the FTC Safeguards Rule apply to all environments where taxpayer data is accessed, transmitted, or stored — including home offices, cloud tax software platforms, client document portals, and mobile devices. This is one of the most significant gaps in older WISP templates: documents written before 2020 often address only on-premise servers and workstations. If your firm uses any cloud-based tools (which virtually all firms do), your WISP must include specific policies for those environments.
How does a WISP affect cyber insurance?
Cyber insurance underwriters routinely require documented security policies, including a current WISP, as a condition of coverage. Having an implemented, annually reviewed WISP can reduce your premium and — more importantly — affects claims outcomes after a breach. Insurers investigate whether documented controls were actually in place at the time of the incident. If your WISP lists MFA as a control but it wasn't deployed, the insurer may deny or reduce your claim. Your WISP should accurately document implemented controls, not aspirational ones.
What is the difference between a WISP and a general cybersecurity policy?
A WISP is a specific type of written security plan required by name under IRS Publication 4557 and referenced in the FTC Safeguards Rule for financial institutions. It focuses specifically on how your firm protects client financial data, who is responsible for security decisions, how incidents are reported and handled, and how the plan is maintained. A general cybersecurity policy may address IT security topics broadly but may not satisfy the specific language and structural requirements the IRS and FTC expect in a WISP. Tax preparers need both: a WISP for regulatory compliance and, ideally, supporting policies for specific technical areas.
Can one WISP cover multiple office locations?
A single WISP can cover multiple locations as long as the same security standards apply across all of them. However, your WISP must acknowledge each location and address any location-specific risks — such as different network configurations, physical security arrangements, or local staff access procedures. If branch offices operate with significantly different technology environments or staff access levels, your risk assessment and control documentation should address each location's specific circumstances.