What Is IRS Publication 5708 and Why Does It Matter?
IRS Publication 5708, titled Creating a Written Information Security Plan for Your Tax & Accounting Practice, is the official sample Written Information Security Plan (WISP) template published by the IRS Security Summit — a collaborative initiative between the IRS, all 50 state revenue agencies, and the private-sector tax industry. The publication gives tax professionals a structured, fill-in-the-blank starting point for building the data security plan now required under federal law.
If you prepare federal or state tax returns professionally and handle client data — Social Security numbers, income figures, bank account details — you are legally required to maintain a WISP under the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission (FTC) Safeguards Rule. The FTC updated those requirements in 2023, and the Safeguards Rule now mandates that all covered financial institutions, which explicitly include tax preparation businesses, develop, implement, and maintain a written information security program.
IRS Publication 5708 is the practical answer to that mandate. It does not replace the need for your own customized security plan, but it gives you every required section in draft form so you are not starting from a blank page. This guide breaks down exactly what the IRS Publication 5708 sample WISP contains, who is required to use it, how to customize it for your practice, and what additional controls you will need to make your program complete and defensible in the event of an IRS inquiry or FTC enforcement action.
Tax Preparers: A High-Value Target for Cybercriminals
[Figure: breach statistics for tax preparers, citing the IBM Cost of a Data Breach Report 2024 and the Verizon DBIR 2025]
What IRS Publication 5708 Contains: A Section-by-Section Breakdown
The IRS Publication 5708 sample WISP is organized around the six core elements required by the FTC Safeguards Rule. Understanding each section helps you see exactly what you need to customize — and where the generic language leaves gaps you must fill with practice-specific detail.
Designated Security Coordinator
The first section requires you to name a specific individual as your firm's Information Security Program Coordinator. For a solo practice, that is you. For a multi-preparer firm, this should be a named partner or senior employee with the authority to implement security policies. The publication provides the draft language; you insert the name, title, and contact information.
Information and Systems Inventory
This section documents every system, device, and application that stores, processes, or transmits client data. The IRS Publication 5708 sample WISP includes a template inventory table covering workstations, laptops, mobile devices, servers, cloud storage, and tax preparation software. You must list every asset — including home computers used for remote work. An incomplete inventory is one of the most common gaps auditors find in tax practitioner WISPs.
Risk Assessment
Arguably the most substantive section, the risk assessment requires you to identify threats to client data and evaluate your current controls against those threats. The sample WISP provides a structured risk matrix covering insider threats, external cyberattacks, physical theft, and natural disasters. A thorough asset and risk assessment is the foundation everything else in your WISP is built on — the controls you select should directly address the risks you have identified here.
Employee Training and Awareness
The training section requires you to document how and when employees receive security awareness training. At minimum, the IRS expects annual training covering phishing recognition, password hygiene, and data handling procedures. Phishing attacks targeting tax professionals spike during filing season, making this section especially important to maintain year-round — not just at initial hire.
Service Provider Oversight
If you use any third-party vendors who access, store, or process client data — cloud backup providers, remote support technicians, payroll software vendors — you must document those relationships and confirm those vendors maintain their own security programs. The sample WISP includes a vendor management table with fields for vendor name, data type accessed, and contract security requirements.
Incident Response Plan
The final major section covers what you will do when — not if — a security incident occurs. This includes breach detection procedures, notification obligations under your state's data breach law, IRS reporting requirements, and steps to contain and recover from an attack. See our guide on ransomware protection for tax practices for detailed recovery strategies that belong in this section.
Core Elements the IRS Publication 5708 Sample WISP Must Address
Designated Security Coordinator
Name a specific individual responsible for overseeing and implementing your information security program.
Asset and Data Inventory
Document every device, system, and application that touches client Personally Identifiable Information (PII).
Written Risk Assessment
Identify threats, evaluate existing controls, and document risk mitigation decisions with a formal risk matrix.
Technical Security Controls
Address encryption, Multi-Factor Authentication (MFA), access controls, and endpoint protection in writing.
Employee Security Training
Document annual and onboarding training programs covering phishing, password management, and data handling.
Incident Response Plan
Define detection, containment, notification, and recovery procedures for data breaches and ransomware events.
Who Is Legally Required to Have a WISP?
The short answer: every paid tax preparer. The legal framework rests on three overlapping requirements that collectively make a Written Information Security Plan mandatory for any professional who handles taxpayer data.
Gramm-Leach-Bliley Act (GLBA): The GLBA classifies tax preparers as financial institutions subject to its data security provisions. This has been federal law since 1999, but enforcement against small tax practices intensified after the FTC finalized the updated Safeguards Rule in 2023.
FTC Safeguards Rule (16 CFR Part 314): The updated rule, effective June 9, 2023, requires covered financial institutions — including tax preparation businesses — to designate a qualified individual to oversee the security program, conduct a written risk assessment, implement specific technical safeguards, and maintain a written security plan. Violations carry civil penalties up to $100,000 per violation under Section 5 of the FTC Act.
IRS Publication 4557: While not a law itself, IRS Publication 4557 translates the GLBA and FTC requirements into specific guidance for tax professionals. It explicitly states that all tax preparers handling 11 or more returns must have a WISP. The IRS uses Publication 4557 as a compliance checklist during its Electronic Return Originator (ERO) reviews.
If you hold a Preparer Tax Identification Number (PTIN) and prepare returns for compensation, these requirements apply to you regardless of firm size. A solo preparer working from a home office has the same legal obligation as a 50-person accounting firm — though the scale and complexity of the required program differs. The full WISP requirements for tax professionals are detailed in our dedicated guide.
How to Customize the IRS Publication 5708 Sample WISP for Your Practice
Download the Official Template
Obtain the current IRS Publication 5708 directly from IRS.gov to ensure you have the most recent version. The document is updated periodically by the IRS Security Summit and the version on IRS.gov supersedes any third-party copies.
Complete Your Asset Inventory
List every workstation, laptop, mobile device, server, cloud service, and tax software application that processes or stores client data. Include home computers used for remote work — regulators treat these as in-scope assets.
Conduct Your Written Risk Assessment
For each asset, identify realistic threats (phishing, theft, ransomware), rate their likelihood and potential impact, and document the controls you have in place or plan to implement. This is the section most practitioners leave incomplete.
Assign Roles and Responsibilities
Name your Information Security Coordinator and define who handles incident response, vendor oversight, and employee training. Even in a solo practice, explicitly document that you hold these responsibilities.
Document Your Technical Controls
Record specific tools and configurations: which endpoint protection software you use, how MFA is enforced on all accounts, your encryption standards for data at rest and in transit, and your backup procedures including storage location and retention period.
Build Your Incident Response Procedures
Define step-by-step actions for common scenarios: a phishing compromise, a ransomware infection, a lost or stolen laptop. Include IRS incident reporting contacts and your state's breach notification timeline — these must be named explicitly, not left as placeholders.
Train Employees and Document It
Conduct initial and annual security awareness training. Keep signed acknowledgment records for each employee — these records are what you will need to produce during an IRS ERO review or FTC inquiry to prove your training program is real, not theoretical.
Review and Update Annually
Your WISP must be a living document. Schedule an annual review — ideally before tax season — to update your asset inventory, re-evaluate risks, and reflect any changes to your technology, staffing, or vendor relationships.
Common Gaps in the IRS Sample WISP Template
The IRS Publication 5708 sample WISP is an excellent starting point, but it has deliberate gaps — by design, a template cannot address the specific technology, staffing, and risk profile of every practice. Filling these gaps is where practitioners most often fall short, and where enforcement exposure is highest.
Generic Controls Without Specificity
The template uses placeholder language like "we use appropriate encryption" and "employees receive regular training." Neither statement would satisfy an FTC examiner or an IRS ERO reviewer. Your completed WISP must name the specific software you use (e.g., "BitLocker for full-disk encryption on all Windows workstations"), the specific MFA method you have implemented (e.g., "authenticator app required for all IRS e-Services logins"), and the exact training platform employees use with training dates documented.
Incomplete Vendor Management
Most tax preparers use five to fifteen third-party services that touch client data — tax software, cloud storage, remote access tools, client document portals, and payment processors. The IRS Publication 5708 sample WISP's vendor section often gets left half-complete. You need a full vendor list with the data each vendor accesses and evidence that each vendor maintains their own security program, typically a SOC 2 Type II report or equivalent attestation.
No Multi-Factor Authentication Policy
MFA is now a baseline requirement under both the FTC Safeguards Rule and IRS guidance. Your WISP must explicitly state that MFA is required for all remote access, all cloud services containing client data, and all tax software accounts. If you have not yet implemented MFA across all these systems, your WISP should document your remediation timeline. Our guide on two-factor authentication for tax professionals covers implementation step by step.
Insufficient Incident Response Procedures
The sample WISP's incident response section provides a general framework but does not walk you through the IRS's specific reporting requirements. Under IRS Publication 4557, tax professionals must report data thefts to the IRS immediately using Form 14242 for suspicious activity or by contacting the IRS Stakeholder Liaison. Your state may also have breach notification requirements with specific timelines — often 30 to 72 hours. These must be named explicitly in your WISP, not left as generic placeholders.
IRS Publication 5708 Sample WISP vs. Your Available Options
| Feature | IRS Pub 5708 (Template Only) | DIY Customized WISP | Recommended: Managed WISP (Bellator) |
|---|---|---|---|
| Meets FTC Safeguards Rule | Partial | Yes (if done correctly) | ✓ Verified |
| Practice-Specific Language | — | Yes (your effort) | ✓ Included |
| Technical Control Documentation | Placeholder only | Variable | ✓ Detailed |
| Vendor Management Section | Basic template | Variable | ✓ Complete |
| MFA and Encryption Policy | Not addressed | Variable | ✓ Included |
| Incident Response Procedures | Generic | Variable | ✓ IRS-specific |
| Annual Review Support | — | — | ✓ Included |
| ERO Audit Ready | Unlikely alone | Possible | ✓ Confirmed |
Technical Security Controls Your WISP Must Document
The IRS Publication 5708 sample WISP identifies the categories of technical controls your program must address, but you are responsible for documenting what those controls actually look like in your practice. Regulators do not want to see "we use antivirus" — they want specifics. Here are the controls that must appear by name in your completed WISP:
Encryption Standards
Document encryption for data at rest (full-disk encryption on all workstations and storage devices), data in transit (TLS 1.2 or higher for all client portal communications and email), and data stored in tax software databases. The IRS encryption requirements for tax documents specify that client data must never travel over unencrypted channels — your WISP must reflect specific tools that enforce this.
Access Controls and Least Privilege
Your WISP must document how user accounts are managed — including how quickly accounts are disabled when an employee leaves, the principle of least privilege (employees access only data necessary for their role), and how administrative privileges are restricted. This section should also address password policy: minimum length, complexity requirements, and the use of a password manager. Our guide on creating strong passwords provides policy language you can adapt directly.
Multi-Factor Authentication
Name every system where MFA is enforced. At minimum: IRS e-Services, all tax preparation software accounts, cloud storage services, remote desktop or VPN access, and any client-facing portals. If any system does not support MFA, document that as an identified risk and describe compensating controls in place until the gap is remediated.
Backup and Recovery
The FTC Safeguards Rule requires a written data backup and recovery plan. Document your backup frequency (at minimum daily for active client data), backup storage location (offsite or cloud-based), retention period, and how frequently you test restores. A tested, offsite backup is your most effective recovery tool in the event of a ransomware incident — without it, the only alternative is paying a ransom with no guarantee of data recovery.
Network Security
Your WISP should document firewall configuration, Wi-Fi security standards (WPA3 or WPA2-Enterprise for office networks, prohibition of client data access on public Wi-Fi without a VPN), and network segmentation if your office network hosts devices beyond work computers. Business network security for tax firms covers the specific configurations the IRS expects to see documented.
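The controls listed in this section, and the "Document Your Technical Controls" step of the customization procedure above, both come down to the same task: replacing "we use appropriate encryption" with named tools and a dated record of their state. The following PowerShell script is an added example written for this article (it is not part of IRS Publication 5708 or any IRS material): it checks a Windows workstation's BitLocker, Defender, host-firewall, network-profile and local-administrator state and writes a dated CSV you can file with the asset inventory and the annual WISP review. The evidence directory, the two-account administrator baseline and the three-day signature-age threshold are assumed values to adjust to your own plan.

```powershell
# Workstation evidence collector for the WISP asset inventory and technical
# controls section. Added example for this article, not from IRS Pub 5708.
# Assumes a Windows 10/11 workstation with the BitLocker, Defender and
# NetSecurity PowerShell modules present, run from an elevated session.

$EvidenceDir    = 'C:\WISP\Evidence'   # assumed location for review evidence
$MaxLocalAdmins = 2                    # assumed baseline: built-in Administrator plus one named admin
$MaxSignatureAgeDays = 3               # assumed threshold for "signatures current"

function New-ControlResult {
    param([string]$Control, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{
        Hostname  = $env:COMPUTERNAME
        Collected = (Get-Date).ToString('s')
        Control   = $Control
        Result    = if ($Pass) { 'Pass' } else { 'Fail' }
        Detail    = $Detail
    }
}

$results = @()

# Encryption at rest: every BitLocker volume must report protection On.
$volumes     = Get-BitLockerVolume
$unprotected = @($volumes | Where-Object { $_.ProtectionStatus -ne 'On' })
$results += New-ControlResult -Control 'Full-disk encryption (BitLocker)' `
    -Pass ($unprotected.Count -eq 0) `
    -Detail (($volumes | ForEach-Object { "$($_.MountPoint)=$($_.ProtectionStatus)" }) -join '; ')

# Endpoint protection: Defender real-time protection on and signatures current.
$mp = Get-MpComputerStatus
$results += New-ControlResult -Control 'Endpoint protection (Defender)' `
    -Pass ($mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) `
    -Detail "RealTime=$($mp.RealTimeProtectionEnabled); SignatureAgeDays=$($mp.AntivirusSignatureAge)"

# Network security: host firewall enabled on Domain, Private and Public profiles.
$profiles = Get-NetFirewallProfile
$disabled = @($profiles | Where-Object { $_.Enabled -ne 'True' })
$results += New-ControlResult -Control 'Host firewall (all profiles)' `
    -Pass ($disabled.Count -eq 0) `
    -Detail (($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join '; ')

# Network security: no active connection classified as Public, matching the
# WISP rule that client data is not accessed on public Wi-Fi without a VPN.
$public = @(Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -eq 'Public' })
$results += New-ControlResult -Control 'No active Public network profile' `
    -Pass ($public.Count -eq 0) `
    -Detail (($public | ForEach-Object { $_.Name }) -join '; ')

# Least privilege: local Administrators membership within the documented baseline.
$admins = @(Get-LocalGroupMember -Group 'Administrators')
$results += New-ControlResult -Control 'Local Administrators within baseline' `
    -Pass ($admins.Count -le $MaxLocalAdmins) `
    -Detail (($admins | ForEach-Object { $_.Name }) -join '; ')

# One dated CSV per workstation per run; attach it to the annual WISP review.
New-Item -ItemType Directory -Force -Path $EvidenceDir | Out-Null
$csv = Join-Path $EvidenceDir ("{0}-{1}.csv" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd'))
$results | Export-Csv -Path $csv -NoTypeInformation
$results | Format-Table Control, Result, Detail -AutoSize
```

A Fail row is a documented gap, not a failure of the WISP: record it in the risk assessment with a remediation date, which is exactly the evidence an ERO or FTC reviewer asks for.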
Annual WISP Review Is a Legal Requirement — Not a Suggestion
The FTC Safeguards Rule requires you to review and update your Written Information Security Plan at least once per year and whenever there is a material change to your operations, technology, or staffing. A WISP written in 2022 and never updated is not compliant — even if it was thorough when first created. Add your annual WISP review to your pre-tax-season checklist, document the review date, and record any changes made directly in the plan.
FTC Safeguards Rule Enforcement and What Non-Compliance Costs
The FTC has increased enforcement of the Safeguards Rule significantly since its 2023 updates. While most publicized cases involve larger financial institutions, the FTC has explicitly stated that tax preparation businesses of all sizes are covered — and state attorneys general have been equally active in pursuing smaller firms under state data protection laws.
Non-compliance consequences include:
- FTC civil penalties: Up to $100,000 per violation under Section 5 of the FTC Act, with each day of non-compliance potentially constituting a separate violation
- IRS ERO sanctions: The IRS can suspend or revoke your Electronic Filing Identification Number (EFIN) if you fail to maintain adequate data security — effectively shutting down your e-filing capability during tax season
- State breach notification penalties: All 50 states have breach notification laws; failure to notify within required timeframes (often 30 to 72 hours) carries separate civil penalties on top of any federal action
- Civil liability: Clients whose data is compromised due to inadequate security practices can bring negligence claims, particularly in states with private rights of action under consumer protection statutes
Beyond regulatory penalties, the reputational cost of a breach can be devastating for a tax practice. Clients entrust you with their most sensitive financial data — a breach that becomes public, even a small one, can permanently damage a practice built over decades. Having a well-documented, compliant WISP based on the IRS Publication 5708 sample is your first line of defense against both breaches and the legal exposure that follows them. Review the FTC's official Safeguards Rule guidance alongside the IRS publication for a complete picture of your obligations.
For an end-to-end view of your tax practice security obligations across all requirements, review our tax season cybersecurity checklist and the full IRS WISP requirements guide.
Beyond the Template: Making Your WISP a Working Security Program
A filed WISP that no one reads is still a compliance risk. The IRS and FTC are not just looking for a document — they want evidence that your security program is actually implemented and followed. Here is how to turn the IRS Publication 5708 sample WISP from a static document into an active security program:
Conduct a Tabletop Exercise Before Tax Season
Walk your team through a simulated incident — a phishing email that led to a credential compromise, or a laptop reported stolen. Do this as a planned exercise, not a real response. The goal is to verify that everyone knows their role in the incident response plan before an actual event forces the issue. Document that you conducted the exercise and note any process gaps it revealed.
Tie Training Records to Your WISP
Your WISP states that employees receive annual training. Your training records prove it. Keep a training log — dates, topics covered, and employee signatures — that directly corresponds to your WISP's training section. This is the evidence you will produce during an IRS ERO review or FTC inquiry. A statement in your WISP about training without corresponding records provides no protection.
Audit Your Vendor List Annually
Software subscriptions and cloud services change frequently. Every time you add a new tool that touches client data — a new document portal, a cloud backup service, an AI-assisted tax tool — update your WISP's vendor section. Maintaining alignment between your actual technology stack and your documented one is an ongoing responsibility. The IRS Security Summit resource page publishes updated guidance annually, including revised versions of Publication 5708 — check it each time you conduct your WISP review.
For practitioners who want a professionally developed WISP that goes beyond the IRS template, see our free WISP template for 2026, our best WISP templates for accountants comparison guide, and our collection of accounting firm WISP template examples showing how practices of different sizes structure their plans.
Get a WISP That Passes IRS and FTC Review
Our cybersecurity experts will assess your current security posture, identify gaps in your existing WISP, or build a complete plan from scratch — fully aligned with IRS Publication 5708, IRS Publication 4557, and FTC Safeguards Rule requirements.
Frequently Asked Questions About IRS Publication 5708 and the Sample WISP
IRS Publication 5708 is the official sample Written Information Security Plan (WISP) template published by the IRS Security Summit. It provides tax professionals with a fill-in-the-blank document covering the six core elements required by the FTC Safeguards Rule: a designated security coordinator, an asset inventory, a risk assessment, employee training, vendor management, and an incident response plan. You can download the current version directly from IRS.gov.
No. The IRS Publication 5708 sample WISP is a template, not a finished compliance document. It uses generic placeholder language that must be replaced with specifics about your practice's technology, staffing, vendors, and controls. A WISP submitted to an IRS ERO reviewer or an FTC examiner that still contains placeholder text would not be considered compliant. You must customize every section with firm-specific detail before the document has any legal or protective value.
All paid tax preparers who handle taxpayer data are required to maintain a WISP under the Gramm-Leach-Bliley Act (GLBA) and FTC Safeguards Rule. IRS Publication 4557 specifically states that tax preparers who prepare 11 or more returns per year must have a written security plan. This applies regardless of firm size — a solo preparer working from a home office has the same legal obligation as a large accounting firm, though the scope and complexity of the required program will differ.
The FTC Safeguards Rule requires you to review and update your WISP at least annually. You must also update it whenever there is a material change to your business operations, technology systems, or staffing. Best practice is to conduct your annual review before tax season each year and document the review date and any changes made directly in the plan itself — this documentation is what demonstrates ongoing compliance.
Penalties for non-compliance include FTC civil penalties up to $100,000 per violation, IRS suspension or revocation of your Electronic Filing Identification Number (EFIN), state breach notification penalties, and civil liability from affected clients. The IRS also considers WISP compliance as part of its Electronic Return Originator (ERO) reviews, which can directly affect your ability to e-file returns for clients.
IRS Publication 5708 was designed to align with FTC Safeguards Rule requirements and covers the core required elements. However, the 2023 updates to the Safeguards Rule added specific requirements — including mandatory Multi-Factor Authentication (MFA), defined encryption standards, and a formally designated qualified individual to oversee the program — that may require more detail than the sample template provides on its own. Review the full FTC Safeguards Rule guidance alongside Publication 5708 to ensure your customized plan addresses every current requirement.
IRS Publication 4557, Safeguarding Taxpayer Data, is the broader IRS data security guidance document that explains the full range of security obligations for tax professionals — including WISP requirements, phishing awareness, physical security, and incident reporting. IRS Publication 5708 is specifically the sample WISP template that helps you fulfill one of those obligations. Think of Publication 4557 as the rulebook and Publication 5708 as the form you complete to comply with one of its rules.
Yes, but the complexity of your WISP should scale with your firm's size and structure. A multi-preparer firm needs to document access controls for multiple employees, role-based permissions, a more detailed training program, and more thorough vendor management. The IRS Publication 5708 sample WISP's structure works for firms of any size, but larger firms must expand each section significantly. Our accounting firm WISP template examples show how multi-preparer practices structure their plans.
Yes. If you or your employees access client data from outside the office — from home, a client site, or while traveling — your WISP must address remote access security explicitly. This includes requiring VPN use for remote access, prohibiting work on public Wi-Fi without a VPN, ensuring home computers meet the same security standards as office equipment, and documenting how remote devices are managed, patched, and protected. The IRS treats home computers used for tax work as in-scope assets subject to the same controls as office workstations.
Bellator Cyber Guard offers a free WISP template for 2026 that builds on the IRS Publication 5708 sample by including pre-filled control language for common tax software platforms, an expanded vendor management section, and state-specific breach notification timelines. You can also download the official IRS template directly from IRS.gov as your starting point — just ensure you replace every placeholder with your firm's specific details before treating it as a finished document.