
What Is a WISP and Why Do Tax Professionals Need One in 2026?
A Written Information Security Plan (WISP) is a federally mandated documented framework that organizations must implement to protect sensitive customer information under the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule. Learning how to create a WISP is no longer optional—it is a legal prerequisite for every tax professional maintaining a Preparer Tax Identification Number (PTIN).
Since June 2023, the IRS requires all tax preparers to attest to WISP compliance on Form W-12 during PTIN renewal. The regulatory landscape has fundamentally shifted: creating a WISP moved from voluntary best practice to mandatory legal obligation backed by enforcement actions, financial penalties, and potential PTIN suspension.
This guide walks you through every phase of how to create a WISP that satisfies IRS Publication 4557, the FTC Safeguards Rule, and NIST Cybersecurity Framework requirements—whether you are a solo practitioner or managing a multi-office tax firm. If you need a head start, download our free 2026 WISP template to follow along.
WISP Implementation By The Numbers (statistics graphic; the figures were not recovered in extraction. Sources cited: Verizon 2025 DBIR; IBM Cost of Data Breach Report 2025; FTC Safeguards Rule Enforcement)
Understanding the Legal Foundation for Creating a WISP
The legal requirement for creating a WISP stems from multiple overlapping regulatory frameworks that collectively establish comprehensive information security obligations for tax professionals. Understanding these frameworks is essential before you begin building your plan.
Gramm-Leach-Bliley Act (GLBA)
Enacted in 1999, the GLBA fundamentally redefined privacy and security requirements for financial institutions by requiring organizations to explain information-sharing practices and protect sensitive data. The FTC's Safeguards Rule—originally implemented in 2003 under GLBA authority and substantially amended in December 2021—provides specific implementation requirements that transform general security obligations into concrete technical mandates.
FTC Safeguards Rule Classification
The FTC Safeguards Rule explicitly defines covered entities as "financial institutions," a category that encompasses tax preparation services under GLBA's broad definition. This classification subjects tax professionals to the same information security requirements as banks, credit unions, and investment firms. The 2021 amendments added nine specific safeguard requirements that every covered entity must implement, including encryption mandates, access controls, and continuous monitoring. For a detailed breakdown of these requirements, see our FTC Safeguards Rule guide for tax preparers.
IRS Enforcement Through PTIN Compliance
The IRS reinforces these requirements through IRS Publication 4557 and by making WISP compliance a condition of PTIN renewal. Publication 5708 provides a starter WISP template specifically for tax professionals, though it must be customized to your practice's specific operations and risks. The IRS Criminal Investigation division has increased enforcement actions against tax preparers who fail to protect taxpayer data, and the Taxpayer First Act of 2019 expanded the IRS's authority to revoke PTINs for security failures.
State-Level Data Security Requirements
State-level regulations add another layer of obligation. As of 2026, all 50 states plus the District of Columbia have enacted data breach notification laws, and a growing number—including New York (23 NYCRR 500), California (CCPA/CPRA), and Massachusetts (201 CMR 17.00)—impose independent written security plan requirements. Tax firms operating across state lines must ensure their WISP satisfies the most stringent applicable state standard alongside federal requirements. Review our IRS cybersecurity requirements overview for a consolidated compliance reference.
2026 PTIN Renewal Compliance Deadline
The IRS requires all tax preparers to attest to WISP compliance when renewing their PTIN on Form W-12. Preparers who cannot demonstrate a compliant Written Information Security Plan risk PTIN suspension, which effectively prohibits you from preparing federal tax returns. Ensure your WISP is documented, implemented, and audit-ready before your next renewal cycle.
2021 FTC Safeguards Rule: The Nine Requirements Your WISP Must Address
The December 2021 amendments to the FTC Safeguards Rule established nine specific requirements that your WISP must address. Understanding each requirement is essential when learning how to create a WISP that passes regulatory examination.
- Designate a Qualified Individual — Appoint someone responsible for overseeing your information security program. This can be an employee or an outsourced provider such as a managed cybersecurity provider.
- Conduct a Written Risk Assessment — Identify reasonably foreseeable internal and external risks to customer information security, documenting findings with risk ratings and remediation timelines.
- Design and Implement Safeguards — Deploy controls to address risks identified in your assessment, including access controls, encryption, and multi-factor authentication.
- Regularly Monitor and Test — Continuously monitor the effectiveness of safeguards through testing, including penetration testing or vulnerability assessments at least annually.
- Train Your Staff — Provide security awareness training appropriate to each employee's role and responsibilities, with documented completion records.
- Monitor Service Providers — Evaluate and contractually require your vendors to maintain appropriate safeguards, including right-to-audit clauses.
- Keep Your Program Current — Update your WISP based on operational changes, risk assessment findings, and emerging threats.
- Create an Incident Response Plan — Document specific procedures for detecting, responding to, and recovering from security events.
- Report to Your Qualified Individual — The Qualified Individual must report at least annually to your firm's governing authority on the program's overall status, including metrics and incident summaries.
Each of these nine requirements must be documented, implemented, and verifiable in your WISP. A paper-only plan that does not reflect actual practice will fail FTC examination and expose your firm to enforcement action. The FTC has levied fines exceeding $100,000 against financial institutions for failing to implement safeguards they documented but never operationalized.
Key Takeaway
All nine FTC Safeguards Rule requirements must be verifiable—not just documented. The FTC examines whether your WISP reflects actual implemented controls, not theoretical plans. Firms with paper-only WISPs face the same enforcement exposure as firms with no WISP at all. If you cannot demonstrate that a documented control is operational, remove it from your WISP and add a remediation timeline instead.
7-Phase WISP Implementation Process
Conduct a Comprehensive Risk Assessment
Inventory all systems storing taxpayer data, identify internal and external threats, and document risk ratings with remediation priorities using NIST SP 800-30 methodology.
Designate Your Qualified Individual
Appoint an internal employee or qualified third-party provider as the single point of accountability for your entire information security program.
Implement Technical Safeguards
Deploy encryption (AES-256 at rest, TLS 1.2+ in transit), MFA, enterprise EDR, firewalls with network segmentation, and secure backups following the 3-2-1 rule.
Establish Access Controls
Implement least-privilege access with unique user accounts, role-based permissions, password policies, and documented onboarding/offboarding procedures.
Develop Your Incident Response Plan
Document detection, containment, eradication, recovery, and post-incident procedures with regulatory notification timelines for IRS, state AGs, and affected clients.
Implement Employee Training Program
Deliver role-appropriate security awareness training upon hire, annually, after incidents, and when new threats emerge—including AI-powered phishing in 2026.
Document and Maintain Your WISP
Produce comprehensive documentation including scope statements, risk assessments, policies, technical inventories, and a change log. Review quarterly, reassess annually.
Phase 1: Conduct a Comprehensive Risk Assessment
Risk assessment is the foundation of creating a WISP. The FTC explicitly requires organizations to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information. This assessment must be formally documented and address three critical dimensions:
Information systems and data storage — Inventory every device, application, cloud service, and physical location where taxpayer data resides. This includes workstations, laptops, mobile devices, tax software platforms, cloud storage services, email systems, portable media, and paper files. Use an asset management and security assessment methodology to ensure nothing is missed.
Detected security events and vulnerabilities — Review past incidents, near-misses, and known vulnerabilities. Evaluate your exposure to common attack vectors targeting tax professionals: phishing emails, ransomware, credential theft, and social engineering attacks.
Organizational responses to identified risks — Document what controls currently exist, identify gaps, and prioritize remediation based on risk severity and likelihood.
IRS Publication 4557 provides tax-specific risk assessment guidance that complements the general NIST SP 800-30 (Guide for Conducting Risk Assessments) framework. Use both resources to build a thorough, defensible assessment. For broader risk management context, review our cyber risk management guide for SMBs.
Phase 2: Designate Your Qualified Individual
The FTC Safeguards Rule mandates that organizations designate a Qualified Individual specifically responsible for implementing and supervising the comprehensive information security program. This person serves as the single point of accountability for your WISP.
For solo practitioners, this responsibility defaults to the owner by necessity. Larger firms should designate someone with sufficient organizational authority, appropriate technical aptitude, and comprehensive operational knowledge to coordinate security efforts effectively across departments.
The Qualified Individual does not need to be an internal employee. The 2021 Safeguards Rule amendments explicitly permit outsourcing this role to a qualified third-party provider—such as a managed cybersecurity provider—provided the firm retains ultimate compliance responsibility. This option is particularly valuable for small practices that lack in-house cybersecurity expertise.
Outsourcing Your Qualified Individual
You can outsource the Qualified Individual role, but not the compliance responsibility. The FTC Safeguards Rule explicitly allows third-party providers to serve as your Qualified Individual. However, your firm remains legally accountable for program outcomes. Ensure your contract includes defined reporting cadences, documented deliverables, and clear escalation procedures. Review our guide to selecting a cybersecurity provider for tax practices before making this decision.
Phase 3: Implement Technical Safeguards
Technical safeguards form the operational core when creating a WISP that genuinely protects sensitive information. The FTC Safeguards Rule mandates specific technical controls that every tax practice must implement.
Encryption Requirements
Data in transit — All taxpayer information transmitted electronically must use TLS 1.2 or higher. This applies to email communications, file transfers, client portals, and remote access connections. Review our guide on tax document encryption requirements for implementation details.
Data at rest — Taxpayer data stored on workstations, servers, portable devices, and cloud platforms must be encrypted using AES-256 or equivalent. Enable full-disk encryption (BitLocker for Windows, FileVault for macOS) on every device that accesses tax data. Verify that your cloud storage is IRS-compliant with encryption standards.
Multi-Factor Authentication (MFA)
MFA is mandatory for all accounts accessing customer information systems. This includes tax preparation software, email accounts, cloud storage, remote desktop connections, and administrative portals. Implement authenticator apps or hardware security keys rather than SMS-based MFA, which is vulnerable to SIM-swapping attacks. See our detailed guide on two-factor authentication for tax professionals.
Endpoint Protection
Every workstation and server must run enterprise-grade endpoint detection and response (EDR) software—not consumer antivirus. EDR provides behavioral threat detection, automated response capabilities, and forensic investigation tools that traditional antivirus cannot match. Learn the differences in our EDR vs. MDR comparison.
Network Security
Configure properly segmented networks with business-grade firewalls separating your tax data environment from guest networks and personal devices. Our firewall setup guide for tax offices covers configuration best practices. If staff work remotely, require VPN connections for all access to firm systems.
Secure Backup
Implement the 3-2-1 backup rule: three copies of data, on two different media types, with one stored offsite. Test backup restoration quarterly to verify data integrity. Our tax data backup plan guide provides step-by-step instructions.
WISP Technical Safeguards Checklist
- Enable full-disk encryption (BitLocker/FileVault) on all workstations and laptops
- Implement MFA on all tax software, email, cloud storage, and remote access systems
- Deploy enterprise-grade EDR (not consumer antivirus) on every endpoint
- Configure business-grade firewall with network segmentation between tax data and guest networks
- Require VPN for all remote access to firm systems
- Enforce unique user accounts with role-based access permissions—no shared logins
- Implement 3-2-1 backup strategy with quarterly restoration testing
- Enable TLS 1.2+ for all data in transit including email and client portals
- Deploy a firm-wide password manager with 12+ character passphrase policy
- Establish documented onboarding and offboarding access procedures
- Secure physical access to servers, filing cabinets, and workstations
- Enable audit logging on all systems that process taxpayer data
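As an added example (not from the original article or any vendor tool), the following script evaluates a constructed device inventory and backup set against several of the checklist items above: full-disk encryption, enterprise EDR, TLS 1.2+, audit logging, and the 3-2-1 backup rule with quarterly restoration tests. Field names, labels and sample data are assumptions.

```python
"""Audit a constructed asset inventory against the WISP technical safeguards checklist.

Added example, not part of the original article. The checks encode checklist items
(full-disk encryption, EDR rather than consumer AV, TLS 1.2+ in transit, audit logging,
3-2-1 backups with quarterly restoration tests). Field names and sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date

RESTORE_TEST_MAX_AGE_DAYS = 90          # "test backup restoration quarterly"
MIN_TLS = (1, 2)                        # "TLS 1.2 or higher"
CONSUMER_AV = {"consumer-av", "none"}   # constructed labels meaning "no enterprise EDR"
AS_OF = date(2026, 2, 1)                # constructed audit date


@dataclass
class Device:
    name: str
    full_disk_encryption: bool
    endpoint_protection: str    # constructed label, e.g. "edr" or "consumer-av"
    audit_logging: bool
    min_tls: tuple = (1, 2)     # lowest TLS version the device's services will negotiate


@dataclass
class BackupCopy:
    location: str
    media: str                  # e.g. "disk", "tape", "cloud"
    offsite: bool


@dataclass
class BackupSet:
    copies: list
    last_restore_test: date
    last_restore_ok: bool


def audit_device(dev: Device) -> list:
    """Return checklist findings for one device; an empty list means compliant."""
    findings = []
    if not dev.full_disk_encryption:
        findings.append(f"{dev.name}: full-disk encryption (BitLocker/FileVault) not enabled")
    if dev.endpoint_protection.lower() in CONSUMER_AV:
        findings.append(f"{dev.name}: no enterprise EDR agent ({dev.endpoint_protection})")
    if not dev.audit_logging:
        findings.append(f"{dev.name}: audit logging disabled")
    if dev.min_tls < MIN_TLS:   # tuple comparison: (1, 0) < (1, 2)
        findings.append(f"{dev.name}: accepts TLS {dev.min_tls[0]}.{dev.min_tls[1]} (below 1.2)")
    return findings


def audit_backups(bset: BackupSet, today: date) -> list:
    """Check the 3-2-1 rule (3 copies, 2 media types, 1 offsite) and the quarterly restore test."""
    findings = []
    if len(bset.copies) < 3:
        findings.append(f"backups: only {len(bset.copies)} copies (3-2-1 rule needs 3)")
    media = {c.media for c in bset.copies}
    if len(media) < 2:
        findings.append(f"backups: single media type {sorted(media)} (3-2-1 rule needs 2)")
    if not any(c.offsite for c in bset.copies):
        findings.append("backups: no offsite copy (3-2-1 rule needs 1)")
    age = (today - bset.last_restore_test).days
    if age > RESTORE_TEST_MAX_AGE_DAYS:
        findings.append(f"backups: last restoration test {age} days ago (quarterly test required)")
    if not bset.last_restore_ok:
        findings.append("backups: last restoration test failed")
    return findings


def audit(devices, bset, today):
    """Combine device and backup findings into one remediation list."""
    findings = []
    for dev in devices:
        findings.extend(audit_device(dev))
    findings.extend(audit_backups(bset, today))
    return findings


# Constructed sample inventory: one compliant workstation, one laptop without FDE/EDR,
# one file server with logging off and legacy TLS enabled; backups on a single media type.
SAMPLE_DEVICES = [
    Device("PREP-WS01", True, "edr", True),
    Device("PREP-LAPTOP02", False, "consumer-av", True),
    Device("FILE-SRV", True, "edr", False, min_tls=(1, 0)),
]
SAMPLE_BACKUPS = BackupSet(
    copies=[BackupCopy("office NAS", "disk", False),
            BackupCopy("USB drive in safe", "disk", False)],
    last_restore_test=date(2025, 10, 1),
    last_restore_ok=True,
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_DEVICES, SAMPLE_BACKUPS, AS_OF):
        print("FINDING:", finding)
```

Each finding maps back to a checklist line, so the output doubles as the remediation timeline the Key Takeaway above asks for when a documented control is not yet operational.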
Phase 4: Establish Access Controls
Creating a WISP requires rigorous implementation of the principle of least privilege throughout your organization. This fundamental security concept means employees receive only the minimum system access and data permissions necessary to perform their specific job functions. Overly broad access permissions dramatically increase organizational risk by expanding the potential impact of compromised credentials, insider threats, or social engineering attacks.
Implement these access control measures:
- Unique user accounts — Every employee must have individual login credentials. Shared accounts eliminate audit trails and accountability.
- Role-based access — Define access levels by job function (partner, preparer, administrative staff, seasonal employee) and restrict each role to necessary systems only.
- Password policies — Require minimum 12-character passwords using passphrases. Implement a password manager for your firm. See our guide on creating strong passwords.
- Onboarding and offboarding procedures — Document how access is provisioned for new hires and—critically—how it is revoked immediately upon termination or role change.
- Physical access controls — Secure server rooms, lock filing cabinets containing paper records, implement clean-desk policies, and control visitor access to areas where taxpayer data is visible.
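An added example (not from the original article) that audits a constructed account list against these measures: unique rather than shared logins, a role-based access matrix enforcing least privilege, the 12-character minimum, and accounts left enabled after an employee's termination. The role matrix, field names and sample data are assumptions.

```python
"""Audit user accounts against the Phase 4 access-control measures.

Added example, not part of the original article. Flags shared logins, permissions
outside the role's allowed set (least privilege), passwords below 12 characters, and
accounts still enabled after the owner's termination date. Role matrix, field names
and sample records are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date

MIN_PASSWORD_LENGTH = 12        # "minimum 12-character passwords using passphrases"
AS_OF = date(2026, 2, 1)        # constructed audit date

# Constructed role-based access matrix: systems each job function may reach.
ROLE_SYSTEMS = {
    "partner": {"tax-software", "email", "client-portal", "file-server", "admin-console"},
    "preparer": {"tax-software", "email", "client-portal", "file-server"},
    "admin-staff": {"email", "client-portal"},
    "seasonal": {"tax-software", "email"},
}


@dataclass
class Account:
    username: str
    owners: tuple                       # people who know the credential; >1 means shared
    role: str
    systems: set                        # systems the account can actually access
    password_length: int
    enabled: bool
    owner_terminated_on: date = None    # set when the account's owner has left the firm


def audit_account(acct: Account, today: date) -> list:
    """Return findings for one account; an empty list means compliant."""
    findings = []
    if len(acct.owners) != 1:
        findings.append(f"{acct.username}: shared login known to {len(acct.owners)} people (no audit trail)")
    allowed = ROLE_SYSTEMS.get(acct.role)
    if allowed is None:
        findings.append(f"{acct.username}: role '{acct.role}' is not in the access matrix")
    else:
        excess = acct.systems - allowed
        if excess:
            findings.append(f"{acct.username}: role '{acct.role}' has excess access to {sorted(excess)}")
    if acct.password_length < MIN_PASSWORD_LENGTH:
        findings.append(f"{acct.username}: password length {acct.password_length} below {MIN_PASSWORD_LENGTH}")
    if acct.owner_terminated_on is not None and acct.enabled and acct.owner_terminated_on <= today:
        days = (today - acct.owner_terminated_on).days
        findings.append(f"{acct.username}: still enabled {days} days after owner's termination")
    return findings


def audit_accounts(accounts, today):
    """Run audit_account over the whole directory export."""
    findings = []
    for acct in accounts:
        findings.extend(audit_account(acct, today))
    return findings


# Constructed sample directory: a compliant partner, a shared front-desk login with a
# short password, and a departed seasonal preparer whose account still reaches the file server.
SAMPLE_ACCOUNTS = [
    Account("jsmith", ("J. Smith",), "partner",
            {"tax-software", "email", "client-portal", "file-server", "admin-console"}, 16, True),
    Account("frontdesk", ("A. Lee", "B. Ortiz", "C. Nguyen"), "admin-staff",
            {"email", "client-portal"}, 10, True),
    Account("temp07", ("T. Miller",), "seasonal",
            {"tax-software", "email", "file-server"}, 14, True,
            owner_terminated_on=date(2025, 11, 15)),
]

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ACCOUNTS, AS_OF):
        print("FINDING:", finding)
```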
Phase 5: Develop Your Incident Response Plan
A comprehensive, tested incident response plan represents a mandatory component when creating a WISP under FTC requirements. According to IBM's Cost of a Data Breach Report 2025, organizations with documented incident response plans and regularly tested response teams save an average of $2.66 million per breach compared to organizations without formal plans—a compelling financial justification beyond regulatory compliance.
Your incident response plan must document specific procedures for five phases:
- Detection and identification — Define what constitutes a security incident, establish monitoring and alerting mechanisms, and specify who receives initial notifications. Common indicators include unusual login activity, unexpected data transfers, ransomware encryption activity, or client reports of fraudulent tax filings.
- Containment — Procedures to prevent the incident from spreading: isolating affected systems, disabling compromised accounts, and blocking malicious IP addresses.
- Eradication — Steps to eliminate the root cause: removing malware, closing exploited vulnerabilities, resetting compromised credentials, and verifying system integrity.
- Recovery — Restoring affected systems from clean backups, verifying data integrity, gradually bringing systems back online, and monitoring for recurrence.
- Post-incident analysis — Conducting a lessons-learned review within 72 hours, documenting root cause, updating your WISP to address identified gaps, and fulfilling regulatory notification requirements.
Your plan must also address regulatory notification obligations. Tax professionals who experience a data breach must notify the IRS, affected clients, state attorneys general (per state breach notification laws), and potentially the FTC. Many states require notification within 30–60 days—some as few as 15 days. Use our incident response plan template for tax practices as a starting framework.
Critical Security Statistics for Tax Professionals (statistics graphic; the figures were not recovered in extraction): average breach cost savings for firms with tested incident response plans (IBM 2025); some states require breach disclosure within 15 days of discovery; share of SMBs that experienced a cyberattack in the past 12 months (Hiscox 2025).
Phase 6: Implement Employee Training Program
Creating a WISP mandates documented security awareness training for all personnel with any level of access to customer information. The FTC Safeguards Rule explicitly requires training appropriate to employees' specific roles and responsibilities. According to the Verizon 2025 Data Breach Investigations Report, 68% of breaches involve a human element—making employee training one of the highest-ROI security investments your firm can make.
Training must occur:
- Initially upon hire or role change
- At least annually thereafter
- Following security incidents or near-misses
- When significant program changes are implemented
- When new threat vectors emerge (e.g., AI-generated phishing campaigns, deepfake voice scams)
Effective training programs for tax practices should cover phishing identification (the number one attack vector against tax firms), proper data handling procedures, password and MFA best practices, physical security protocols, and social engineering awareness. In 2026, training must also address AI-powered threats—attackers now use large language models to craft convincing phishing emails free of the grammatical errors that once made them easy to spot.
Document all training sessions with dates, attendees, topics covered, and assessment results—this documentation is required during regulatory examinations.
Phase 7: WISP Documentation Requirements and Maintenance
Creating a WISP requires producing specific documentation that demonstrates both regulatory compliance and operational implementation. The IRS provides a foundational template through Publication 5708 that serves as an excellent starting point, but this template must be substantially customized to reflect your actual practices, specific risks, and implemented controls. Generic, unmodified templates consistently fail regulatory examinations because they demonstrate no genuine understanding of your organization's specific risks, operations, or security posture.
Your WISP document must include:
- Scope statement — Define which systems, data types, locations, and personnel the WISP covers
- Risk assessment results — Documented findings from your Phase 1 assessment with risk ratings and remediation priorities
- Security policies — Specific policies governing encryption, access control, authentication, data retention, and disposal
- Technical safeguard inventory — List every security tool, configuration, and control deployed, with responsible parties identified
- Incident response plan — Complete procedures as outlined in Phase 5, including contact information and notification templates
- Training records — Documentation of all security training conducted, including content, dates, and attendee sign-off
- Vendor management records — Security assessments and contractual requirements for all third-party service providers handling taxpayer data
- Change log — Record of all WISP modifications with dates, reasons, and approving authority
Maintenance Schedule
A WISP is a living document that must be updated continuously. Establish the following review cadence:
- Quarterly — Review access control lists, test one component of your incident response plan, verify backup integrity, review security logs for anomalies
- Annually — Conduct a full risk reassessment, update all policies, refresh employee training, review and update vendor agreements, test complete incident response procedures
- Trigger-based — Update immediately after any security incident, significant operational change (new software, office relocation, staffing change), regulatory update, or emerging threat affecting tax professionals
Maintain version control on your WISP document. Date every revision, document what changed and why, and retain previous versions for at least three years to demonstrate continuous compliance during regulatory examinations.
WISP Maturity Levels: Where Does Your Practice Stand?
| Feature | Level 1: Basic Compliance | Level 2: Managed Security (Recommended) | Level 3: Optimized Security |
|---|---|---|---|
| Risk Assessment | | | |
| Endpoint Protection | | | |
| Access Controls | | | |
| Incident Response | | | |
| Training | | | |
Advanced WISP Strategies for Enhanced Security Posture
Organizations that have completed foundational WISP implementation can substantially enhance their security posture through advanced strategies exceeding minimum compliance requirements. These approaches provide defense-in-depth protection, systematically reduce attack surface exposure, and demonstrate security maturity that differentiates your practice competitively.
Continuous Monitoring and Threat Detection
Move beyond point-in-time assessments to continuous security monitoring. Deploy a Security Information and Event Management (SIEM) solution or engage a managed detection and response (MDR) provider for 24/7 threat monitoring. Continuous monitoring aligns with NIST Cybersecurity Framework 2.0's emphasis on the "Detect" function and demonstrates proactive security management to regulators and insurance carriers. Review our threat hunting strategies to understand how proactive detection works.
Vendor Risk Management Program
Tax practices rely on numerous third-party vendors: tax software providers, cloud hosting services, IT support companies, document management platforms, and payroll processors. Each vendor with access to taxpayer data represents a potential attack vector. Implement a formal vendor risk management program that includes security questionnaires, contractual security requirements, annual reassessments, and right-to-audit clauses. The FTC specifically examines vendor oversight during enforcement proceedings.
Cyber Insurance Optimization
A well-documented WISP directly impacts your cyber insurance coverage and premiums. Insurance carriers increasingly require evidence of specific controls before issuing policies or approving claims. Firms with comprehensive WISPs and verified technical controls typically receive 15–30% premium reductions and faster claims processing. Conversely, carriers increasingly deny breach claims for organizations lacking documented security programs—making your WISP a financial protection mechanism as well as a compliance document.
Security Metrics and Reporting
Implement measurable security metrics that your Qualified Individual can report on annually. Track metrics including: number of phishing simulation failures (target below 5%), mean time to patch critical vulnerabilities (target under 72 hours), percentage of systems with current EDR agents (target 100%), MFA adoption rate (target 100%), and backup restoration test success rate. These metrics demonstrate continuous improvement and program maturity during regulatory examinations. Our tax season cybersecurity checklist provides a practical framework for tracking these metrics during peak filing periods.
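As an added example (not from the original article), this script derives the metrics listed above from constructed raw records and compares each to its target, producing the figures the Qualified Individual would carry into the annual report. The record formats and sample data are assumptions, as is the 100% target for restoration tests, which the passage names without a figure.

```python
"""Compute annual WISP security metrics from raw records and compare them to targets.

Added example, not part of the original article. Targets for phishing failures (<5%),
critical patch time (<72 h), EDR coverage (100%) and MFA adoption (100%) come from the
text; the 100% restore-test target and all record formats are constructed assumptions.
"""
from datetime import datetime

# metric name -> (comparison kind, target); "max" means the value must not exceed the target
TARGETS = {
    "phishing_failure_rate": ("max", 5.0),            # percent of simulations failed
    "mean_time_to_patch_critical_h": ("max", 72.0),   # hours from publication to patch
    "edr_coverage": ("min", 100.0),                   # percent of endpoints with current agent
    "mfa_adoption": ("min", 100.0),                   # percent of accounts with MFA enforced
    "restore_test_success": ("min", 100.0),           # percent of restore tests that passed
}


def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def compute_metrics(phishing_sims, patches, endpoints, accounts, restore_tests):
    """Reduce raw event and inventory records to the five reportable metrics."""
    failed = sum(1 for s in phishing_sims if s["clicked"] or s["submitted_creds"])
    patch_hours = [(p["patched"] - p["published"]).total_seconds() / 3600
                   for p in patches if p["severity"] == "critical"]
    mttp = round(sum(patch_hours) / len(patch_hours), 1) if patch_hours else 0.0
    return {
        "phishing_failure_rate": pct(failed, len(phishing_sims)),
        "mean_time_to_patch_critical_h": mttp,
        "edr_coverage": pct(sum(1 for e in endpoints if e["edr_agent_current"]), len(endpoints)),
        "mfa_adoption": pct(sum(1 for a in accounts if a["mfa"]), len(accounts)),
        "restore_test_success": pct(sum(1 for t in restore_tests if t["ok"]), len(restore_tests)),
    }


def evaluate(metrics):
    """Return {metric: (value, target, met)} for the Qualified Individual's annual report."""
    report = {}
    for name, (kind, target) in TARGETS.items():
        value = metrics[name]
        met = value <= target if kind == "max" else value >= target
        report[name] = (value, target, met)
    return report


# Constructed sample records for one reporting year.
SAMPLE_PHISHING = [{"clicked": i in (3, 11), "submitted_creds": False} for i in range(20)]
SAMPLE_PATCHES = [
    {"severity": "critical", "published": datetime(2025, 3, 1, 9), "patched": datetime(2025, 3, 3, 9)},     # 48 h
    {"severity": "critical", "published": datetime(2025, 6, 10, 8), "patched": datetime(2025, 6, 14, 8)},   # 96 h
    {"severity": "critical", "published": datetime(2025, 9, 2, 12), "patched": datetime(2025, 9, 3, 12)},   # 24 h
    {"severity": "high", "published": datetime(2025, 9, 2, 12), "patched": datetime(2025, 9, 20, 12)},      # not critical
]
SAMPLE_ENDPOINTS = [{"host": f"WS{i:02d}", "edr_agent_current": i != 7} for i in range(10)]
SAMPLE_ACCOUNTS = [{"user": f"u{i}", "mfa": True} for i in range(8)]
SAMPLE_RESTORES = [{"quarter": q, "ok": True} for q in ("Q1", "Q2", "Q3", "Q4")]


def sample_report():
    """Evaluate the constructed sample year against the targets."""
    return evaluate(compute_metrics(SAMPLE_PHISHING, SAMPLE_PATCHES,
                                    SAMPLE_ENDPOINTS, SAMPLE_ACCOUNTS, SAMPLE_RESTORES))


if __name__ == "__main__":
    for name, (value, target, met) in sample_report().items():
        print(f"{name:32} {value:6.1f}  target {target:6.1f}  {'MET' if met else 'MISSED'}")
```

In the sample year the phishing failure rate (10%) and EDR coverage (90%) miss their targets while patching, MFA and restore testing meet theirs, which is exactly the gap list that feeds the trigger-based WISP update described in Phase 7.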
Need Help Creating Your WISP?
Our security team has helped thousands of tax professionals create compliant Written Information Security Plans tailored to their practice size, software stack, and state-level requirements.
Creating a WISP Is Essential Practice Management
Creating a WISP has permanently evolved from optional best practice to mandatory business operation for all tax professionals handling sensitive client information. The regulatory environment fundamentally shifted with the FTC's 2021 Safeguards Rule amendments establishing specific technical requirements and the IRS's 2023 PTIN attestation requirement making compliance a professional credential prerequisite.
Federal agencies actively enforce compliance through examinations and substantial penalties. Cyber insurance carriers increasingly deny breach claims for organizations lacking proper security documentation. Sophisticated clients progressively evaluate information security capabilities when selecting tax professionals, making security posture a competitive differentiator rather than a back-office administrative burden.
The seven-phase implementation process outlined in this guide—risk assessment, Qualified Individual designation, technical safeguards, access controls, incident response planning, employee training, and documentation—provides a clear, manageable path to compliance. Most small practices can complete initial implementation in 30–60 days with 15–20 hours of focused effort.
The tax professionals who thrive in 2026 and beyond will be those who genuinely protect client data through comprehensive WISPs that exceed minimum compliance thresholds. Start with our free WISP template, follow the phases in this guide, and consider engaging a qualified cybersecurity provider to validate your program. Your clients' data—and your professional livelihood—depend on it.
Get Your Tax Practice WISP-Compliant Before Filing Season
Our cybersecurity experts specialize in tax practice security. Schedule a free assessment and get a customized WISP implementation plan tailored to your firm's size, software stack, and compliance requirements.
Frequently Asked Questions
A Written Information Security Plan (WISP) is a documented framework detailing how your organization protects sensitive customer information. Under the Gramm-Leach-Bliley Act and FTC Safeguards Rule, every tax professional who handles client financial data—including CPAs, enrolled agents, tax attorneys, and PTIN holders—is legally required to maintain a WISP. Since June 2023, the IRS requires WISP compliance attestation during PTIN renewal on Form W-12.
There is no mandated page count for a WISP. A solo practitioner's WISP might be 15–25 pages, while a multi-office firm could require 50+ pages. What matters is that the document comprehensively addresses all nine FTC Safeguards Rule requirements, reflects your actual operations, and documents implemented controls specific to your practice. The IRS Publication 5708 template provides a baseline structure, but it must be customized to your environment.
While not legally required, professional assistance significantly improves WISP quality and compliance outcomes. Solo practitioners with basic IT knowledge can build a functional WISP using IRS Publication 5708 as a starting point. However, firms handling large volumes of taxpayer data, operating across multiple states, or lacking in-house cybersecurity expertise benefit substantially from working with a qualified cybersecurity provider who understands both the technical requirements and tax-industry-specific threat landscape.
Penalties for WISP non-compliance come from multiple sources. The FTC can impose fines exceeding $100,000 per violation under the Safeguards Rule, with maximum penalties reaching $250,000 or more for willful non-compliance. The IRS can suspend or revoke your PTIN under the Taxpayer First Act, effectively ending your ability to prepare federal returns. State attorneys general can impose additional fines under state data protection laws. Beyond regulatory penalties, firms without WISPs face increased cyber insurance claim denials and potential malpractice liability if client data is breached.
Your WISP should be reviewed on three cadences: quarterly reviews of access controls, backup integrity, and security logs; annual comprehensive reassessments including full risk evaluation, policy updates, training refreshers, and vendor agreement reviews; and trigger-based updates immediately following any security incident, significant operational change, new regulatory requirement, or emerging threat. The FTC expects your WISP to reflect current operations—an outdated WISP is nearly as problematic as having no WISP at all.
No. Publication 5708 is explicitly described by the IRS as a "starting point" that must be customized to your specific practice. Using the template without modification fails to address your unique risks, systems, and operational procedures—and it will not satisfy the FTC Safeguards Rule's requirement for a risk assessment tied to your specific environment. Regulators examining your WISP will immediately identify an unmodified template and may treat it as evidence of non-compliance rather than good-faith effort.
The Qualified Individual is the person designated with overall responsibility for implementing and supervising your information security program. This role requires sufficient authority, technical aptitude, and operational knowledge to manage your WISP effectively. The 2021 amendments explicitly allow outsourcing this role to a third-party cybersecurity provider, though your firm retains ultimate compliance accountability. The Qualified Individual must report at least annually to firm leadership on program status, metrics, and incidents.
A comprehensive, implemented WISP directly benefits your cyber insurance in three ways: it can reduce premiums by 15–30% by demonstrating proactive risk management; it strengthens your position during claims by proving you maintained reasonable security controls; and it may be required as a policy condition—carriers increasingly deny coverage or claims for firms without documented security programs. Your WISP documentation serves as evidence that you met the duty of care standard insurers evaluate during claims adjudication.
Yes. Your WISP must address every environment where taxpayer data is accessed, stored, or transmitted—including remote work setups and cloud platforms. This means documenting VPN requirements for remote access, encryption standards for cloud storage, MFA enforcement across all remote connections, acceptable-use policies for personal devices, and physical security requirements for home offices. The FTC Safeguards Rule makes no distinction between on-premises and remote environments; both require equivalent protection.
A cybersecurity policy is a broad organizational statement of security principles and rules. A WISP is a specific, comprehensive, legally mandated document that includes your risk assessment findings, implemented technical safeguards, access control procedures, incident response plan, training records, and vendor management protocols. Think of cybersecurity policies as components within your WISP—the WISP is the overarching framework that ties together all your security policies, procedures, and documentation into a single auditable program required by the FTC and IRS.