Skip to content

Free 15-minute cybersecurity consultation — no obligation

Book Free Call
Tax44 min readDeep Dive

How to Create a WISP: Complete Guide for Tax Professionals

Learn how to create a WISP for your tax practice. A 7-phase guide covering IRS Pub 4557, the FTC Safeguards Rule, and 2026 PTIN compliance. Get compliant now.

How to Create a WISP: Complete Guide for Tax Professionals - how to create a wisp

What Is a WISP and Why Tax Professionals Need One

A Written Information Security Plan (WISP) is a federally mandated document that spells out how your practice protects sensitive client information. If you hold a Preparer Tax Identification Number (PTIN), you are legally required to have one, and you must be able to prove it exists and works. This guide walks through how to create a WISP that satisfies IRS Publication 4557, the FTC Safeguards Rule, and the NIST Cybersecurity Framework, whether you are a solo practitioner or run a multi-office firm.

The requirement comes from the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule. The FTC classifies tax preparation services as "financial institutions," which places your practice under the same information security standards as banks and credit unions. Since 2023, the IRS has reinforced this by requiring preparers to attest to WISP compliance on Form W-12 when renewing a PTIN.

A missing or inadequate WISP can trigger enforcement actions, financial penalties, and potential PTIN suspension, which effectively ends your ability to file returns for clients. The FTC's 2021 Safeguards Rule amendments added nine specific requirements, and the IRS Criminal Investigation division has increased scrutiny of preparers who fail to safeguard taxpayer data. Federal agencies, state regulators, and cyber insurance carriers now expect documented proof that you actively protect client information. If you want a running start, our free 2026 WISP template follows the same structure this guide describes.

WISP Compliance By The Numbers

$4.44M
Avg. Data Breach Cost

IBM Cost of a Data Breach Report 2025

9
FTC Safeguards Requirements

Added by the 2021 amendments

All 50 States
Have Breach Notification Laws

Plus the District of Columbia

The Legal Foundation for Creating a WISP

The requirement to build a WISP comes from several overlapping frameworks that together set information security obligations for tax professionals. Understanding each one helps you write a plan that holds up under examination.

Gramm-Leach-Bliley Act (GLBA)

Enacted in 1999, the GLBA reshaped privacy and security rules for financial institutions by requiring organizations to explain their information-sharing practices and protect sensitive data. The FTC's Safeguards Rule, first implemented in 2003 under GLBA authority and substantially amended in December 2021, turns those general obligations into concrete technical mandates.

FTC Safeguards Rule Classification

The FTC Safeguards Rule defines covered "financial institutions" broadly enough to include tax preparation services. That classification puts tax professionals under the same information security requirements as banks, credit unions, and investment firms. The 2021 amendments added nine specific safeguards every covered entity must implement, including encryption, access controls, and continuous monitoring. Our breakdown of the FTC Safeguards Rule for tax preparers covers how each provision applies to smaller practices.

IRS Enforcement Through PTIN Compliance

The IRS reinforces these rules through IRS Publication 4557 and by making WISP compliance a condition of PTIN renewal. Publication 5708 provides a starter WISP template for tax professionals, though it must be customized to reflect your actual operations and risks. The Taxpayer First Act of 2019 expanded the IRS's authority to revoke PTINs for security failures, giving the agency direct enforcement power over non-compliant preparers.

State-Level Data Security Requirements

State rules add another layer. As of 2026, all 50 states plus the District of Columbia have breach notification laws, and a growing number, including New York (23 NYCRR 500), California (CCPA/CPRA), and Massachusetts (201 CMR 17.00), impose their own written security plan requirements. Firms working across state lines should build a WISP that satisfies the strictest applicable state standard alongside federal rules. Our overview of IRS cybersecurity requirements shows how federal standards map to state obligations.

2026 PTIN Renewal Compliance

Every preparer renewing a PTIN must attest to maintaining a WISP on Form W-12. Renew ahead of the 2026 filing season and confirm your plan is both written and operational, because a paper-only document that does not reflect actual practice can fail an FTC examination.

The Nine FTC Safeguards Rule Requirements Your WISP Must Address

The December 2021 amendments set nine requirements your WISP must cover. Each one has to be documented, implemented, and verifiable, not merely written down. Here is what the rule demands when you learn how to create a WISP that passes a regulatory review.

  1. Designate a Qualified Individual. Appoint someone to oversee your information security program. This can be an employee or an outsourced managed cybersecurity provider.
  2. Conduct a written risk assessment. Identify reasonably foreseeable internal and external risks to client information, and document findings with risk ratings and remediation timelines.
  3. Design and implement safeguards. Deploy controls to address the risks you found, including access controls, encryption, and multi-factor authentication (MFA).
  4. Regularly monitor and test. Check the effectiveness of safeguards through testing, including penetration testing or vulnerability assessments at least annually.
  5. Train your staff. Provide security awareness training suited to each employee's role, with documented completion records.
  6. Monitor service providers. Assess vendors and contractually require them to maintain appropriate safeguards, including right-to-audit clauses.
  7. Keep your program current. Update the WISP based on operational changes, risk assessment findings, and emerging threats.
  8. Create an incident response plan. Document specific procedures for detecting, responding to, and recovering from security events.
  9. Report to your Qualified Individual. The Qualified Individual reports at least annually to firm leadership on the program's status, including metrics and incident summaries.

A paper-only plan that does not match daily practice will fail examination and expose your firm to enforcement. The FTC has levied fines exceeding $100,000 against financial institutions for documenting safeguards they never put into operation. Every requirement demands both policy language and demonstrable implementation.

What This Means

All tax preparers with a PTIN must maintain a WISP under the GLBA and FTC Safeguards Rule. The nine requirements are not a checklist you write once. Each one must be implemented and provable, and the IRS ties PTIN renewal directly to compliance.

The 7-Phase WISP Implementation Process

1

Conduct a Risk Assessment

Inventory every place taxpayer data lives, review past incidents, and prioritize gaps by severity using NIST SP 800-30 and IRS Publication 4557 guidance.

2

Designate Your Qualified Individual

Name a single accountable owner for the program. Solo firms default to the owner; others may outsource the role to a qualified partner.

3

Implement Technical Safeguards

Deploy encryption, MFA, EDR, network segmentation, and a 3-2-1 backup strategy across every device that touches tax data.

4

Establish Access Controls

Apply least privilege with unique accounts, role-based permissions, and documented onboarding and offboarding procedures.

5

Develop Your Incident Response Plan

Document detection, containment, eradication, recovery, and post-incident review, plus IRS and state notification steps.

6

Implement Employee Training

Train at hire and at least annually, covering phishing, data handling, and AI-assisted social engineering, with signed records.

7

Document and Maintain the WISP

Produce the full document set, keep version control, and follow a quarterly and annual review cadence.

Phase 1: Conduct a Risk Assessment

Risk assessment is the foundation of a WISP. The FTC requires you to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of client information. Document the assessment formally and address three dimensions.

Information systems and data storage. Inventory every device, application, cloud service, and physical location where taxpayer data lives. That includes workstations, laptops, mobile devices, tax software platforms, cloud storage, email systems, portable media, and paper files.

Detected security events and vulnerabilities. Review past incidents, near-misses, and known weaknesses. Evaluate your exposure to the attack vectors that target tax firms most: phishing emails, ransomware, credential theft, and social engineering.

Organizational responses to identified risks. Document the controls you already have, identify the gaps, and prioritize fixes by severity and likelihood. IRS Publication 4557 offers tax-specific guidance that complements the NIST SP 800-30 risk assessment framework. A structured risk assessment process gives you the documented starting point examiners expect.

Phase 2: Designate Your Qualified Individual

The Safeguards Rule requires a designated Qualified Individual to run and supervise the security program. This person is your single point of accountability. For solo practitioners, that role defaults to the owner. Larger firms should pick someone with enough organizational authority, technical aptitude, and operational knowledge to coordinate security across departments.

The 2021 amendments explicitly allow you to outsource this role to a qualified third party, as long as your firm keeps ultimate compliance responsibility. That option helps small practices without in-house cybersecurity expertise. Your Qualified Individual can be a managed security partner who brings the technical depth your team may lack.

Phase 3: Implement Technical Safeguards

Technical safeguards are the operational core of a WISP. The Safeguards Rule requires specific controls that every practice must deploy.

Encryption. All taxpayer information sent electronically must use Transport Layer Security (TLS) 1.2 or higher, which covers email, file transfers, client portals, and remote access. Data stored on workstations, servers, portable devices, and cloud platforms must be encrypted with Advanced Encryption Standard (AES) 256-bit or equivalent. Turn on full-disk encryption, BitLocker for Windows and FileVault for macOS, on every device that touches tax data. If you want the difference between encryption and one-way protection, our guide on hashing versus encryption explains where each fits.

Multi-Factor Authentication (MFA). MFA is mandatory for every account that reaches client information systems, including tax software, email, cloud storage, remote desktop, and admin portals. Use authenticator apps or hardware security keys instead of SMS-based codes, which are vulnerable to SIM-swapping.

Endpoint protection and network security. Every workstation and server should run enterprise-grade Endpoint Detection and Response (EDR), not consumer antivirus. EDR adds behavioral threat detection, automated response, and forensic tools that traditional antivirus cannot match. If you are weighing your options, compare EDR, MDR, and XDR before you buy. Segment your network with a business-grade firewall that separates the tax data environment from guest networks and personal devices. When staff work remotely, require a VPN for all access to firm systems.

Secure backup. Follow the 3-2-1 rule: three copies of data, on two media types, with one stored offsite. Test restoration quarterly to confirm data integrity, because a backup you have never restored is an assumption, not a safeguard.

Need Help Building Your WISP?

Our security team helps tax professionals turn IRS and FTC requirements into a working, examination-ready Written Information Security Plan.

WISP Technical Safeguards Checklist

  • Enable full-disk encryption (BitLocker or FileVault) on all workstations and laptops
  • Implement MFA on all tax software, email, cloud storage, and remote access systems
  • Deploy enterprise-grade EDR (not consumer antivirus) on every endpoint
  • Configure a business-grade firewall with segmentation between tax data and guest networks
  • Require a VPN for all remote access to firm systems
  • Enforce unique user accounts with role-based access permissions and no shared logins
  • Implement a 3-2-1 backup strategy with quarterly restoration testing
  • Enable TLS 1.2 or higher for all data in transit, including email and client portals
  • Deploy a firm-wide password manager with a 12-character minimum passphrase policy
  • Establish documented onboarding and offboarding access procedures
  • Secure physical access to servers, filing cabinets, and workstations
  • Enable audit logging on all systems that process taxpayer data

Phase 4: Establish Access Controls

A WISP requires disciplined use of least privilege: employees get only the minimum system access and data permissions they need for their job. Overly broad permissions widen the blast radius of a compromised credential, an insider threat, or a social engineering attack. Put these measures in place across your firm.

  • Unique user accounts. Every employee gets individual credentials. Shared accounts erase audit trails and accountability.
  • Role-based access. Define access by job function (partner, preparer, administrative staff, seasonal employee) and restrict each role to the systems it actually needs.
  • Password policies. Require a 12-character minimum using passphrases, and run a password manager firm-wide.
  • Onboarding and offboarding. Document how access is granted to new hires and, just as important, how it is revoked immediately on termination or role change.
  • Physical access controls. Secure server rooms, lock cabinets holding paper records, enforce a clean-desk policy, and control visitor access to areas where taxpayer data is visible.

Phase 5: Develop Your Incident Response Plan

A tested incident response plan is mandatory under FTC requirements. According to the IBM Cost of a Data Breach Report 2025, organizations that deploy security AI and automation extensively save an average of $1.9 million per breach compared with those that do not, and a well-drilled response team is a large part of that gap. Build your plan around five phases.

  1. Detection and identification. Define what counts as an incident, set up monitoring and alerting, and specify who gets the first notification. Common indicators include unusual logins, unexpected data transfers, ransomware encryption activity, or client reports of fraudulent filings.
  2. Containment. Isolate affected systems, disable compromised accounts, and block malicious IP addresses to stop the spread.
  3. Eradication. Remove malware, close exploited vulnerabilities, reset compromised credentials, and verify system integrity.
  4. Recovery. Restore from clean backups, verify data integrity, bring systems back gradually, and watch for recurrence.
  5. Post-incident analysis. Run a lessons-learned review within 72 hours, document root cause, and update the WISP to close the gaps you found.

Your plan must also cover notification duties. Tax professionals who suffer a breach need to notify the IRS, affected clients, and state attorneys general under applicable laws. Many states require notice within 30 to 60 days, and some demand it in as few as 15. Our guide on what to do after a data breach details the reporting sequence for tax firms.

Phase 6: Implement Employee Training

The Safeguards Rule requires security awareness training for everyone with access to client information. Most breaches trace back to a human element, whether through phishing, credential misuse, or simple error, so training is one of the highest-return security investments a practice can make. Train at hire, at least annually after that, following any incident, when you make significant program changes, and whenever new threats emerge.

In 2026, that means addressing AI-assisted attacks head-on. Attackers now use large language models to write convincing phishing emails free of the grammatical errors that once gave them away. Effective programs for tax practices cover phishing identification (the number one attack vector against tax firms), data handling, password and MFA habits, physical security, and social engineering. Document every session with dates, attendees, topics, and assessment results, because examiners ask for it. As the Verizon 2025 Data Breach Investigations Report notes, phishing simulations paired with measured outcomes are the most effective way to reduce human-factor risk. Our phishing awareness resources give staff a practical starting point.

Phase 7: WISP Documentation and Maintenance

A WISP requires specific documentation that proves both compliance and real-world implementation. The IRS provides a foundation through Publication 5708, but that template must be substantially customized to reflect your actual practices, specific risks, and deployed controls. Generic, unmodified templates consistently fail examination. Our walkthrough of the IRS Publication 5708 sample WISP shows exactly what to change. Your document should include the following.

  • Scope statement. The systems, data types, locations, and personnel the WISP covers.
  • Risk assessment results. Findings from your Phase 1 assessment with risk ratings and remediation priorities.
  • Security policies. Rules governing encryption, access control, authentication, data retention, and disposal.
  • Technical safeguard inventory. Every security tool, configuration, and control deployed, with responsible parties named.
  • Incident response plan. The Phase 5 procedures, including contact information and notification templates.
  • Training records. Documentation of all training, including content, dates, and attendee sign-off.
  • Vendor management records. Security assessments and contractual requirements for every third party that handles taxpayer data.
  • Change log. A record of all WISP modifications with dates, reasons, and approving authority.

Maintenance Schedule

A WISP is a living document. Hold a quarterly review to check access control lists, test one component of your incident response plan, verify backup integrity, and review security logs for anomalies. Run an annual review to reassess risk in full, update policies, refresh training, review vendor agreements, and test the complete incident response procedure. Update on a trigger basis right after any incident, significant operational change (new software, office move, staffing change), regulatory update, or emerging threat. Keep version control on the document, date every revision, note what changed and why, and retain prior versions for at least three years to show continuous compliance during examinations.

Advanced WISP Strategies for Stronger Security

Once the foundation is in place, these strategies push past minimum compliance, add defense in depth, and signal security maturity to regulators and insurers.

Continuous Monitoring and Threat Detection

Move past point-in-time assessments toward continuous monitoring. Deploy a Security Information and Event Management (SIEM) solution or engage a managed detection and response (MDR) provider for 24/7 coverage. Continuous monitoring aligns with the NIST Cybersecurity Framework 2.0 "Detect" function and demonstrates proactive management to regulators and carriers.

Vendor Risk Management Program

Tax practices depend on many third parties: tax software vendors, cloud hosts, IT support, document management platforms, and payroll processors. Each vendor with access to taxpayer data is a potential entry point. Build a formal program with security questionnaires, contractual security requirements, annual reassessments, and right-to-audit clauses. The FTC specifically examines vendor oversight during enforcement.

Cyber Insurance Optimization

A well-documented WISP directly affects your cyber insurance coverage and premiums. Carriers increasingly require evidence of specific controls before issuing a policy or approving a claim. Firms with verified technical controls and a complete WISP often see meaningful premium reductions and faster claims handling, while firms lacking documented programs are increasingly denied. That makes your WISP a financial protection mechanism as much as a compliance document.

Security Metrics and Reporting

Track measurable metrics your Qualified Individual can report on annually: phishing simulation failure rate (target below 5%), mean time to patch (target under 72 hours), share of systems with current EDR agents (target 100%), MFA adoption (target 100%), and backup restoration test success. These numbers demonstrate improvement and maturity during examinations. For firms that want a turnkey path, our all-in-one compliance package handles metric tracking, documentation, and ongoing advisory support.

Bottom Line

A WISP is only as strong as its implementation. Write the document, deploy the controls, train your people, and keep dated records of all three. That combination is what satisfies the IRS and FTC, lowers your breach risk, and protects your PTIN and your practice heading into the 2026 filing season.

Get Your Tax Practice WISP-Compliant Before Filing Season

Our cybersecurity experts specialize in tax practice security. Schedule a free assessment and get a customized WISP implementation plan tailored to your firm's size, software stack, and compliance requirements.

Frequently Asked Questions

A Written Information Security Plan (WISP) is a document that details how your practice protects sensitive client information. Every tax professional who holds a PTIN needs one under the Gramm-Leach-Bliley Act and the FTC Safeguards Rule. The IRS ties WISP compliance to PTIN renewal through Form W-12.

There is no required page count. Length follows your firm's size and complexity. A solo practice might produce 10 to 15 pages, while a multi-office firm may run 30 or more. What matters is that the plan addresses all nine FTC safeguards and reflects your actual controls, not that it hits a specific length.

Not necessarily. Solo practitioners can build a compliant plan using the IRS Publication 5708 template and a structured guide like this one. Firms with multiple employees, remote workers, or complex software stacks often benefit from professional help to make sure the technical controls are correctly deployed and documented.

Consequences range from FTC enforcement actions and financial penalties to potential PTIN suspension, which stops you from filing returns for clients. The FTC has fined financial institutions more than $100,000 for failing to operationalize safeguards. State breach laws can add separate penalties if an incident occurs.

Review it at least annually with a full risk reassessment, and conduct quarterly checks of access controls, backups, and logs. Update immediately after any security incident, major operational change, regulatory update, or new threat. Keep a dated change log and retain prior versions for at least three years.

No. Publication 5708 is a starting point that must be customized to your specific systems, risks, and controls. Generic, unmodified templates consistently fail regulatory examination because they do not reflect how your practice actually operates.

The Qualified Individual is the single person responsible for implementing and supervising your information security program. For solo firms, this is the owner. Larger firms designate someone with authority and technical knowledge, or outsource the role to a qualified provider while keeping ultimate compliance responsibility.

Carriers increasingly require evidence of specific controls before issuing a policy or paying a claim. A complete WISP with verified technical controls can lower premiums and speed claims handling, while a missing or undocumented program can lead to denied coverage.

Yes. Any device, cloud platform, or remote connection that touches taxpayer data falls within scope. Your plan should require encryption, MFA, VPN access, and vendor oversight for cloud providers, and document how remote staff access firm systems securely.

A cybersecurity policy states general rules and expectations. A WISP is broader and more specific: it documents your risk assessment, technical safeguards, incident response plan, training, and vendor management, and it must show real implementation. A WISP typically contains several policies within it.

Share

Share on X
Share on LinkedIn
Share on Facebook
Send via Email
Copy URL
(800) 492-6076
Share

Schedule

Need help with IRS compliance?

Our tax cybersecurity specialists can review your security posture and help you get compliant.

Protect your tax practice from cyber threats

Schedule a free consultation to assess your firm's security posture.