
What Is a WISP and Why Do Tax Professionals Need One?
A Written Information Security Plan (WISP) is a federally mandated document that details how your organization protects sensitive customer information. Under the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule, every tax professional who maintains a Preparer Tax Identification Number (PTIN) must have a WISP in place—and must be able to prove it.
The FTC classifies tax preparation services as "financial institutions," subjecting your practice to the same information security standards as banks and credit unions. Since June 2023, the IRS has reinforced this obligation by requiring all tax preparers to attest to WISP compliance on Form W-12 during PTIN renewal. A missing or inadequate WISP can trigger enforcement actions, financial penalties, and potential PTIN suspension—effectively ending your ability to file returns on behalf of clients.
Understanding how to create a WISP is now a professional necessity. The FTC's 2021 Safeguards Rule amendments introduced nine specific technical requirements, and the IRS Criminal Investigation division has stepped up enforcement against preparers who fail to safeguard taxpayer data. Federal agencies, state regulators, and even cyber insurance carriers now expect documented proof that you are actively protecting client information.
This guide walks you through every phase of how to create a WISP that satisfies IRS Publication 4557, the FTC Safeguards Rule, and NIST Cybersecurity Framework requirements—whether you are a solo practitioner or managing a multi-office tax firm. If you need a head start, download our free 2026 WISP template to follow along.
WISP Implementation By The Numbers
(Statistics panel; the figures themselves were not recovered from the page. Sources cited: IBM Cost of a Data Breach Report 2025; Verizon 2025 DBIR. Captions: all jurisdictions now enforce breach notification requirements; mandatory controls under the 2021 amended Safeguards Rule.)
Understanding the Legal Foundation for Creating a WISP
The legal requirement for creating a WISP stems from multiple overlapping regulatory frameworks that collectively establish information security obligations for tax professionals. Understanding these frameworks is essential before you begin building your plan.
Gramm-Leach-Bliley Act (GLBA)
Enacted in 1999, the GLBA redefined privacy and security requirements for financial institutions by requiring organizations to explain information-sharing practices and protect sensitive data. The FTC's Safeguards Rule—originally implemented in 2003 under GLBA authority and substantially amended in December 2021—provides specific implementation requirements that transform general security obligations into concrete technical mandates.
FTC Safeguards Rule Classification
The FTC Safeguards Rule explicitly defines covered entities as "financial institutions," a category that encompasses tax preparation services under GLBA's broad definition. This classification subjects tax professionals to identical information security requirements as banks, credit unions, and investment firms. The 2021 amendments added nine specific safeguard requirements that every covered entity must implement, including encryption mandates, access controls, and continuous monitoring.
IRS Enforcement Through PTIN Compliance
The IRS reinforces these requirements through IRS Publication 4557 and by making WISP compliance a condition of PTIN renewal. Publication 5708 provides a starter WISP template specifically for tax professionals, though it must be customized to reflect your practice's actual operations and risks. The Taxpayer First Act of 2019 expanded the IRS's authority to revoke PTINs for security failures, giving the agency direct enforcement power over non-compliant preparers.
State-Level Data Security Requirements
State-level regulations add another layer of obligation. As of 2026, all 50 states plus the District of Columbia have enacted data breach notification laws, and a growing number—including New York (23 NYCRR 500), California (CCPA/CPRA), and Massachusetts (201 CMR 17.00)—impose independent written security plan requirements. Tax firms operating across state lines must ensure their WISP satisfies the most stringent applicable state standard alongside federal requirements. Review our NIST Cybersecurity Framework alignment to see how federal standards map to state obligations.
2026 PTIN Renewal Compliance
The IRS requires all tax preparers to attest to WISP compliance on Form W-12 during PTIN renewal. Preparers without a documented, implemented Written Information Security Plan risk PTIN suspension, enforcement actions, and the inability to file returns on behalf of clients. If your WISP is outdated or incomplete, update it before your next renewal cycle.
The Nine FTC Safeguards Rule Requirements Your WISP Must Address
The December 2021 amendments to the FTC Safeguards Rule established nine specific requirements that your WISP must address. Each requirement must be documented, implemented, and verifiable—not merely written down. Here is what the rule demands when you learn how to create a WISP that passes regulatory examination.
- Designate a Qualified Individual — Appoint someone responsible for overseeing your information security program. This can be an employee or an outsourced provider such as a managed cybersecurity provider.
- Conduct a Written Risk Assessment — Identify reasonably foreseeable internal and external risks to customer information security, documenting findings with risk ratings and remediation timelines.
- Design and Implement Safeguards — Deploy controls to address risks identified in your assessment, including access controls, encryption, and multi-factor authentication (MFA).
- Regularly Monitor and Test — Continuously monitor the effectiveness of safeguards through testing, including penetration testing or vulnerability assessments at least annually.
- Train Your Staff — Provide security awareness training appropriate to each employee's role and responsibilities, with documented completion records.
- Monitor Service Providers — Evaluate and contractually require your vendors to maintain appropriate safeguards, including right-to-audit clauses.
- Keep Your Program Current — Update your WISP based on operational changes, risk assessment findings, and emerging threats.
- Create an Incident Response Plan — Document specific procedures for detecting, responding to, and recovering from security events.
- Report to Your Qualified Individual — The Qualified Individual must report at least annually to your governing authority on the program's overall status, including metrics and incident summaries.
A paper-only plan that does not reflect actual practice will fail FTC examination and expose your firm to enforcement action. The FTC has levied fines exceeding $100,000 against financial institutions for documenting safeguards they never operationalized. Every one of these nine requirements demands both policy language and demonstrable implementation.
Key Takeaway
Your WISP must be more than a document—it must be a working program. The FTC examines whether each of the nine safeguard requirements is implemented in practice, not just described on paper. Firms that treat WISP creation as a paperwork exercise face the same penalties as firms with no plan at all.
7-Phase WISP Implementation Process
- Phase 1: Conduct a Risk Assessment — Inventory all systems, identify threats, and document risks to taxpayer data with severity ratings and remediation priorities.
- Phase 2: Designate Your Qualified Individual — Appoint an internal employee or qualified third-party provider to oversee and coordinate your information security program.
- Phase 3: Implement Technical Safeguards — Deploy encryption, MFA, endpoint detection and response (EDR), firewalls, and secure backup systems across your practice.
- Phase 4: Establish Access Controls — Enforce least-privilege permissions with unique user accounts, role-based access, and documented onboarding and offboarding procedures.
- Phase 5: Develop Your Incident Response Plan — Create documented procedures for detecting, containing, eradicating, and recovering from security incidents with regulatory notification steps.
- Phase 6: Implement Employee Training — Deliver role-specific security awareness training at onboarding, annually, and whenever new threats emerge, including AI-powered phishing.
- Phase 7: Document and Maintain Your WISP — Produce required documentation, establish a quarterly and annual review cadence, and maintain version control for regulatory examinations.
Phase 1: Conduct a Risk Assessment
Risk assessment forms the foundation when creating a WISP. The FTC explicitly requires organizations to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information. This assessment must be formally documented and address three dimensions:
Information systems and data storage. Inventory every device, application, cloud service, and physical location where taxpayer data resides. This includes workstations, laptops, mobile devices, tax software platforms, cloud storage services, email systems, portable media, and paper files.
Detected security events and vulnerabilities. Review past incidents, near-misses, and known vulnerabilities. Evaluate your exposure to common attack vectors targeting tax professionals: phishing emails, ransomware, credential theft, and social engineering attacks.
Organizational responses to identified risks. Document what controls currently exist, identify gaps, and prioritize remediation based on risk severity and likelihood. IRS Publication 4557 provides tax-specific risk assessment guidance that complements the NIST SP 800-30 (Guide for Conducting Risk Assessments) framework.
Phase 2: Designate Your Qualified Individual
The FTC Safeguards Rule mandates that organizations designate a Qualified Individual responsible for implementing and supervising the information security program. This person serves as the single point of accountability for your WISP.
For solo practitioners, this responsibility defaults to the owner. Larger firms should designate someone with sufficient organizational authority, appropriate technical aptitude, and operational knowledge to coordinate security efforts across departments.
The 2021 Safeguards Rule amendments explicitly permit outsourcing this role to a qualified third-party provider, provided the firm retains ultimate compliance responsibility. This option is particularly valuable for small practices that lack in-house cybersecurity expertise—your Qualified Individual can be a managed security partner who brings the technical depth your team may not have.
Phase 3: Implement Technical Safeguards
Technical safeguards form the operational core when creating a WISP. The FTC Safeguards Rule mandates specific technical controls that every tax practice must deploy.
Encryption Requirements
All taxpayer information transmitted electronically must use TLS 1.2 or higher—this applies to email communications, file transfers, client portals, and remote access connections. Taxpayer data stored on workstations, servers, portable devices, and cloud platforms must be encrypted using AES-256 or equivalent. Enable full-disk encryption (BitLocker for Windows, FileVault for macOS) on every device that accesses tax data. Our guide on tax document encryption requirements covers implementation details.
Multi-Factor Authentication (MFA)
MFA is mandatory for all accounts accessing customer information systems, including tax preparation software, email accounts, cloud storage, remote desktop connections, and administrative portals. Use authenticator apps or hardware security keys rather than SMS-based MFA, which is vulnerable to SIM-swapping attacks.
Endpoint Protection and Network Security
Every workstation and server must run enterprise-grade Endpoint Detection and Response (EDR) software—not consumer antivirus. EDR provides behavioral threat detection, automated response capabilities, and forensic investigation tools that traditional antivirus cannot match. Configure properly segmented networks with business-grade firewalls separating your tax data environment from guest networks and personal devices. Our firewall setup guide for tax offices covers configuration best practices. If staff work remotely, require VPN connections for all access to firm systems.
Secure Backup
Implement the 3-2-1 backup rule: three copies of data, on two different media types, with one stored offsite. Test backup restoration quarterly to verify data integrity.
WISP Technical Safeguards Checklist
- Enable full-disk encryption (BitLocker/FileVault) on all workstations and laptops
- Implement MFA on all tax software, email, cloud storage, and remote access systems
- Deploy enterprise-grade EDR (not consumer antivirus) on every endpoint
- Configure business-grade firewall with network segmentation between tax data and guest networks
- Require VPN for all remote access to firm systems
- Enforce unique user accounts with role-based access permissions — no shared logins
- Implement 3-2-1 backup strategy with quarterly restoration testing
- Enable TLS 1.2+ for all data in transit including email and client portals
- Deploy a firm-wide password manager with 12+ character passphrase policy
- Establish documented onboarding and offboarding access procedures
- Secure physical access to servers, filing cabinets, and workstations
- Enable audit logging on all systems that process taxpayer data
Phase 4: Establish Access Controls
Creating a WISP requires rigorous implementation of the principle of least privilege. This means employees receive only the minimum system access and data permissions necessary to perform their specific job functions. Overly broad permissions dramatically increase risk by expanding the potential impact of compromised credentials, insider threats, or social engineering attacks.
Implement these access control measures throughout your organization:
- Unique user accounts — Every employee must have individual login credentials. Shared accounts eliminate audit trails and accountability.
- Role-based access — Define access levels by job function (partner, preparer, administrative staff, seasonal employee) and restrict each role to necessary systems only.
- Password policies — Require minimum 12-character passwords using passphrases. Implement a password manager firm-wide.
- Onboarding and offboarding procedures — Document how access is provisioned for new hires and—just as important—how it is revoked immediately upon termination or role change.
- Physical access controls — Secure server rooms, lock filing cabinets containing paper records, implement clean-desk policies, and control visitor access to areas where taxpayer data is visible.
Phase 5: Develop Your Incident Response Plan
A tested incident response plan is a mandatory component when creating a WISP under FTC requirements. According to the IBM Cost of a Data Breach Report 2025, organizations with documented incident response plans and regularly tested response teams save an average of $2.66 million per breach compared to those without formal plans.
Your incident response plan must document specific procedures for five phases:
- Detection and identification — Define what constitutes a security incident, establish monitoring and alerting mechanisms, and specify who receives initial notifications. Common indicators include unusual login activity, unexpected data transfers, ransomware encryption activity, or client reports of fraudulent tax filings.
- Containment — Isolate affected systems, disable compromised accounts, and block malicious IP addresses to prevent the incident from spreading.
- Eradication — Remove malware, close exploited vulnerabilities, reset compromised credentials, and verify system integrity.
- Recovery — Restore affected systems from clean backups, verify data integrity, gradually bring systems back online, and monitor for recurrence.
- Post-incident analysis — Conduct a lessons-learned review within 72 hours, document root cause, and update your WISP to address identified gaps.
Your plan must also address regulatory notification obligations. Tax professionals who experience a data breach must notify the IRS, affected clients, and state attorneys general per applicable breach notification laws. Many states require notification within 30–60 days, and some mandate notification in as few as 15 days.
Phase 6: Implement Employee Training
The FTC Safeguards Rule explicitly requires security awareness training for all personnel with access to customer information. With the majority of data breaches tracing back to a human element—whether through phishing, credential misuse, or simple error—employee training is one of the highest-ROI security investments your practice can make.
Training must occur at initial hire, at least annually thereafter, following security incidents, when significant program changes are implemented, and whenever new threat vectors emerge. In 2026, that specifically means addressing AI-powered threats: attackers now use large language models to craft convincing phishing emails free of the grammatical errors that once made them easy to spot.
Effective training programs for tax practices should cover phishing identification (the number one attack vector against tax firms), proper data handling procedures, password and MFA best practices, physical security protocols, and social engineering awareness. Document all training sessions with dates, attendees, topics covered, and assessment results—this documentation is required during regulatory examinations. As noted in the Verizon 2025 Data Breach Investigations Report, phishing simulations and measured training outcomes are the most effective way to reduce human-factor breach risk.
Phase 7: WISP Documentation and Maintenance
Creating a WISP requires producing specific documentation that demonstrates both regulatory compliance and operational implementation. The IRS provides a foundational template through Publication 5708, but this template must be substantially customized to reflect your actual practices, specific risks, and implemented controls. Generic, unmodified templates consistently fail regulatory examinations.
Your WISP document must include:
- Scope statement — Define which systems, data types, locations, and personnel the WISP covers.
- Risk assessment results — Documented findings from your Phase 1 assessment with risk ratings and remediation priorities.
- Security policies — Specific policies governing encryption, access control, authentication, data retention, and disposal.
- Technical safeguard inventory — Every security tool, configuration, and control deployed, with responsible parties identified.
- Incident response plan — Procedures as outlined in Phase 5, including contact information and notification templates.
- Training records — Documentation of all security training conducted, including content, dates, and attendee sign-off.
- Vendor management records — Security assessments and contractual requirements for all third-party service providers handling taxpayer data.
- Change log — Record of all WISP modifications with dates, reasons, and approving authority.
Maintenance Schedule
A WISP is a living document. Establish the following review cadence:
Quarterly: Review access control lists, test one component of your incident response plan, verify backup integrity, and review security logs for anomalies.
Annually: Conduct a full risk reassessment, update all policies, refresh employee training, review and update vendor agreements, and test your complete incident response procedures.
Trigger-based: Update immediately after any security incident, significant operational change (new software, office relocation, staffing change), regulatory update, or emerging threat affecting tax professionals.
Maintain version control on your WISP document. Date every revision, document what changed and why, and retain previous versions for at least three years to demonstrate continuous compliance during regulatory examinations.
Advanced WISP Strategies for Stronger Security
Organizations that have completed foundational WISP implementation can enhance their security posture through advanced strategies that exceed minimum compliance requirements. These approaches provide defense-in-depth protection, reduce attack surface exposure, and demonstrate security maturity that differentiates your practice competitively.
Continuous Monitoring and Threat Detection
Move beyond point-in-time assessments to continuous security monitoring. Deploy a Security Information and Event Management (SIEM) solution or engage a managed detection and response (MDR) provider for 24/7 threat monitoring. Continuous monitoring aligns with the NIST Cybersecurity Framework 2.0 emphasis on the "Detect" function and demonstrates proactive security management to regulators and insurance carriers.
Vendor Risk Management Program
Tax practices rely on numerous third-party vendors: tax software providers, cloud hosting services, IT support companies, document management platforms, and payroll processors. Each vendor with access to taxpayer data represents a potential attack vector. Implement a formal vendor risk management program that includes security questionnaires, contractual security requirements, annual reassessments, and right-to-audit clauses. The FTC specifically examines vendor oversight during enforcement proceedings.
Cyber Insurance Optimization
A well-documented WISP directly impacts your cyber insurance coverage and premiums. Insurance carriers increasingly require evidence of specific controls before issuing policies or approving claims. Firms with verified technical controls and a complete WISP typically receive 15–30% premium reductions and faster claims processing. Conversely, carriers increasingly deny breach claims for organizations lacking documented security programs—making your WISP a financial protection mechanism alongside a compliance document.
Security Metrics and Reporting
Implement measurable security metrics that your Qualified Individual can report on annually: phishing simulation failure rate (target below 5%), mean time to patch vulnerabilities (target under 72 hours), percentage of systems with current EDR agents (target 100%), MFA adoption rate (target 100%), and backup restoration test success rate. These metrics demonstrate continuous improvement and program maturity during regulatory examinations. For firms seeking a turnkey approach, our all-in-one compliance package includes metric tracking, documentation management, and ongoing advisory support.
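The five metrics above, computed from constructed inventory records and compared with the targets the article states, as an added example that is not part of the original article. The "current" EDR agent version and the 100% backup-restore target are assumptions; the article gives neither.

```python
"""Annual WISP security-metrics report for the Qualified Individual.

Added example, not code from the original article. Computes the five metrics
the article lists against the targets it states, from constructed sample
records. CURRENT_EDR_VERSION and the backup-restore target are assumptions.
"""
from datetime import datetime
from statistics import mean

# Targets from the article. "max" means the value must stay at or below the
# target, "min" means it must reach at least the target.
TARGETS = {
    "phishing_failure_rate_pct": ("max", 5.0),
    "mean_time_to_patch_hours": ("max", 72.0),
    "edr_current_pct": ("min", 100.0),
    "mfa_adoption_pct": ("min", 100.0),
    "backup_restore_success_pct": ("min", 100.0),  # assumed target
}

CURRENT_EDR_VERSION = "7.4"  # assumption: whatever your EDR vendor ships today

# Constructed sample records for a small firm (not real systems or people).
SAMPLE = {
    "endpoints": [
        {"host": "PREP-01", "edr_version": "7.4"},
        {"host": "PREP-02", "edr_version": "7.4"},
        {"host": "ADMIN-01", "edr_version": "7.1"},  # stale agent
        {"host": "FILE-SRV", "edr_version": "7.4"},
    ],
    "accounts": [
        {"user": "partner", "mfa": True},
        {"user": "preparer1", "mfa": True},
        {"user": "preparer2", "mfa": True},
        {"user": "seasonal1", "mfa": False},  # never enrolled in MFA
    ],
    "vulnerabilities": [
        {"id": "V-1", "found": "2026-01-05T09:00", "patched": "2026-01-06T09:00"},
        {"id": "V-2", "found": "2026-01-10T09:00", "patched": "2026-01-12T09:00"},
        {"id": "V-3", "found": "2026-02-01T09:00", "patched": "2026-02-06T09:00"},
        {"id": "V-4", "found": "2026-02-20T09:00", "patched": None},  # still open
    ],
    "phishing_simulations": [{"sent": 20, "clicked": 1}, {"sent": 20, "clicked": 2}],
    "backup_restore_tests": [True, True, True, False],  # one test per quarter
}


def _pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def compute_metrics(data):
    """Raw metric values; mean time to patch counts only closed findings."""
    eps, accts = data["endpoints"], data["accounts"]
    patched = [v for v in data["vulnerabilities"] if v["patched"]]
    hours = [(_parse(v["patched"]) - _parse(v["found"])).total_seconds() / 3600
             for v in patched]
    sent = sum(s["sent"] for s in data["phishing_simulations"])
    clicked = sum(s["clicked"] for s in data["phishing_simulations"])
    tests = data["backup_restore_tests"]
    current = sum(e["edr_version"] == CURRENT_EDR_VERSION for e in eps)
    return {
        "phishing_failure_rate_pct": _pct(clicked, sent),
        "mean_time_to_patch_hours": round(mean(hours), 1) if hours else 0.0,
        "edr_current_pct": _pct(current, len(eps)),
        "mfa_adoption_pct": _pct(sum(a["mfa"] for a in accts), len(accts)),
        "backup_restore_success_pct": _pct(sum(tests), len(tests)),
        "open_vulnerabilities": len(data["vulnerabilities"]) - len(patched),
    }


def evaluate(metrics):
    """Map each targeted metric to (value, target, target_met)."""
    result = {}
    for name, (direction, target) in TARGETS.items():
        value = metrics[name]
        met = value <= target if direction == "max" else value >= target
        result[name] = (value, target, met)
    return result


def report(data):
    """Plain-text lines for the annual report to the governing authority."""
    metrics = compute_metrics(data)
    lines = [f"{'PASS' if met else 'FAIL'}  {name}: {value} (target {target})"
             for name, (value, target, met) in evaluate(metrics).items()]
    lines.append(f"INFO  open_vulnerabilities: {metrics['open_vulnerabilities']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

With the sample data only mean time to patch meets its target; the FAIL lines are the remediation items the Qualified Individual carries into the next review cycle.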
Bottom Line
Most small tax practices can complete initial WISP implementation in 30–60 days with 15–20 hours of focused effort. The seven-phase process outlined above—risk assessment, Qualified Individual designation, technical safeguards, access controls, incident response planning, employee training, and documentation—provides a clear, manageable path. Start with a risk assessment, address the highest-priority gaps first, and build your program incrementally.
Frequently Asked Questions
What is a WISP and who needs one?
A Written Information Security Plan (WISP) is a documented framework that outlines how your organization protects sensitive customer information. Under the Gramm-Leach-Bliley Act (GLBA), FTC Safeguards Rule, and IRS requirements, every tax professional who maintains a PTIN must have a WISP. This includes solo practitioners, enrolled agents, CPAs preparing tax returns, and multi-office firms. Since June 2023, WISP compliance attestation is required on Form W-12 during PTIN renewal.
How long should a WISP be?
There is no specific page count requirement. A solo practitioner's WISP may be 15–25 pages, while a multi-office firm may need 40–60 pages or more. What matters is that your WISP addresses all nine FTC Safeguards Rule requirements and is customized to your practice's actual operations, risks, and technology stack. An incomplete 50-page template is less compliant than a thorough 20-page plan that reflects your real security posture.
Can I create a WISP myself, or do I need professional help?
While solo practitioners can build a basic WISP using IRS Publication 5708 as a starting point, professional guidance is recommended—especially for the risk assessment and technical safeguard phases. A qualified cybersecurity provider can identify risks you may miss, ensure your technical controls meet current standards, and serve as your designated Qualified Individual under the FTC Safeguards Rule. The cost of professional assistance is typically far less than the penalties for non-compliance.
What are the penalties for not having a WISP?
Penalties vary by enforcement authority. The FTC can impose fines exceeding $100,000 per violation for failing to implement required safeguards. The IRS can suspend or revoke your PTIN, preventing you from preparing tax returns professionally. State attorneys general can pursue additional penalties under state data security laws. Beyond regulatory penalties, firms without a WISP face higher cyber insurance premiums, potential claim denials after a breach, and loss of client trust.
How often should I update my WISP?
The FTC Safeguards Rule requires your WISP to remain current. At minimum, conduct quarterly reviews of access controls and backup integrity, and perform a full annual reassessment of risks, policies, vendor agreements, and training. You must also update your WISP immediately after any security incident, significant operational change (new software, office move, staffing change), or new regulatory requirement. Maintain version control with dated revisions and retain previous versions for at least three years.
Is the IRS Publication 5708 template enough on its own?
No. Publication 5708 provides a useful starting framework, but it must be substantially customized to reflect your practice's specific operations, risks, technology, and staffing. Generic, unmodified templates consistently fail regulatory examinations because they demonstrate no genuine understanding of your organization's unique risk profile. Use Publication 5708 as a structural guide, then tailor every section to describe your actual systems, controls, and procedures.
What is a Qualified Individual?
The Qualified Individual is the person designated to oversee and implement your information security program. They are responsible for conducting risk assessments, coordinating safeguard implementation, managing incident response, and reporting annually on program status. This role can be filled by an internal employee or outsourced to a qualified third-party cybersecurity provider. Solo practitioners serve as their own Qualified Individual by default. Regardless of who fills the role, the firm retains ultimate compliance responsibility.
How does a WISP affect cyber insurance?
A well-documented WISP can reduce your cyber insurance premiums by 15–30% and streamline claims processing. Insurance carriers increasingly require evidence of specific security controls—including encryption, MFA, EDR, and employee training—before issuing or renewing policies. Firms that experience a breach without a documented WISP risk having their claims denied entirely. Your WISP serves as evidence that you maintained reasonable security measures, which is a key factor in coverage determinations.
Does my WISP need to cover remote work and cloud services?
Yes. Your WISP must address every environment where taxpayer data is accessed, stored, or transmitted—including home offices, cloud platforms, and mobile devices. This means documenting VPN requirements for remote access, encryption standards for cloud storage, MFA enforcement on all remote connections, and acceptable-use policies for personal devices. As tax practices increasingly rely on cloud-based tax software and remote work arrangements, these controls are among the first areas regulators examine.
What is the difference between a cybersecurity policy and a WISP?
A cybersecurity policy is a broad organizational statement about security goals, acceptable use, and general guidelines. A WISP is a specific, actionable plan that documents exactly how you protect customer information—including named responsible parties, specific technical controls, risk assessment findings, incident response procedures, training schedules, and vendor oversight requirements. Think of it this way: a cybersecurity policy says "we will protect data"; a WISP documents precisely how you do it, who is responsible, and how you verify it works. The FTC and IRS require a WISP, not just a policy.

