IRS Publication 5708 Sample WISP: 2026 Guide for Tax Pros

IRS Publication 5708 sample WISP explained: section breakdown, customization requirements, compliance gaps, and FTC Safeguards Rule implementation for 2026.


What Is IRS Publication 5708 and Why Tax Preparers Need It Now

IRS Publication 5708, titled Creating a Written Information Security Plan for Your Tax & Accounting Practice, is the sample Written Information Security Plan (WISP) template published by the IRS Security Summit, the partnership between the IRS, state tax agencies and the private-sector tax industry formed in 2015 to fight identity theft refund fraud.

This publication gives tax professionals a structured, fill-in-the-blank starting point for building the data security plan now required under federal law. If you prepare federal or state tax returns professionally and handle client data — Social Security numbers, income figures, bank account details — you are legally required to maintain a WISP under the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission (FTC) Safeguards Rule.

The FTC amended the Safeguards Rule in late 2021, with a compliance deadline of June 9, 2023 for most of the new provisions, and in 2023 added a requirement to notify the FTC of breaches affecting 500 or more consumers (in force since May 2024). Tax preparers were already covered as GLBA financial institutions; what changed is that the rule now spells out specific safeguards that every covered business, regardless of size, must develop, implement and maintain in a written information security program.

IRS Publication 5708 is the practical answer to that mandate. It does not replace the need for a customized security plan, but it gives you every required section in draft form so you are not starting from a blank page.

2026 Filing Season Compliance Requirement

There is no new 2026 deadline: the WISP obligation is already in force, and every paid preparer who handles client data should have a current, customized plan in place before the 2026 filing season opens. The requirement applies regardless of firm size, and the annual PTIN renewal asks you to confirm that you are aware of your data security responsibilities, including the need for a data security plan.

Tax Preparers: A High-Value Target for Cybercriminals

Tax professionals occupy a uniquely exposed position in the cybersecurity environment. A single client file contains everything an identity thief needs: full legal name, Social Security number, date of birth, employer information, bank account and routing numbers, and prior-year return data. A mid-size tax practice with 500 clients holds the equivalent of 500 complete identity theft starter kits.

IRS identity theft statistics reinforce this exposure. The agency's identity theft filters have flagged more than 1 million suspicious returns in a single filing season, and the Security Summit has repeatedly warned that stolen preparer credentials and client data taken from tax firms are a prime source of the information behind those fraudulent filings, precisely because one compromised practice yields hundreds of complete identities at once.

Cyberattacks on tax firms have increased steadily year over year, with phishing aimed at tax professionals spiking sharply from January through April, when harvested credentials yield the highest return for attackers. The threat profile includes ransomware that encrypts client files and demands payment ahead of filing deadlines, business email compromise (BEC) scams that redirect client refunds or payments, and credential stuffing against tax software, cloud storage and client portal accounts using passwords reused from other breached sites. IRS e-Services itself now requires identity verification through ID.me with multi-factor authentication, so the preparer's own software, email and remote-access accounts are the more exposed targets.

Tax Preparer Cybersecurity By The Numbers

- $4.88M: global average cost of a data breach across all industries (IBM Cost of a Data Breach Report 2024). A small practice's direct costs are lower, but notification, forensics and lost clients scale badly against a small firm's revenue.
- 1M+: suspicious returns flagged by IRS identity theft filters in a single filing season (IRS Identity Theft program).
- 277 days: average time to identify and contain a breach (IBM Cost of a Data Breach Report 2023), long enough for a compromise in January to run through an entire filing season unnoticed.

IRS Publication 5708 Sample WISP: Section-by-Section Breakdown

The IRS Publication 5708 sample WISP is organized here around six core elements that map onto the safeguards required by the FTC Safeguards Rule (16 CFR 314.4). Understanding each section shows you exactly what to customize, and where the template's generic language leaves gaps you must fill with practice-specific detail.

Six Core WISP Sections

1. Designated Security Coordinator: name a specific individual as your firm's Information Security Program Coordinator (the Safeguards Rule's "Qualified Individual") with authority to implement security policies.
2. Information and Systems Inventory: document every system, device and application that stores, processes or transmits client data, including home computers used for remote work.
3. Risk Assessment: identify threats to client data and evaluate current controls using a structured risk matrix covering insider threats, external cyberattacks and physical risks.
4. Employee Training and Awareness: document annual security awareness training covering phishing recognition, password hygiene and data handling procedures, with signed employee acknowledgments.
5. Service Provider Oversight: list every third-party vendor that accesses client data and confirm each maintains its own security program with appropriate attestations.
6. Incident Response Plan: define breach detection procedures, notification obligations (clients, state regulators, and the FTC where the 500-consumer threshold is met), IRS reporting through your Stakeholder Liaison, and steps to contain and recover from an attack.

1. Designated Security Coordinator

The first section requires you to name a specific individual as your firm's Information Security Program Coordinator; the Safeguards Rule calls this person the Qualified Individual. For a solo practice, that is you. For a multi-preparer firm, it should be a named partner or senior employee with the authority to implement security policies and the budget to do so. The Rule also requires the Qualified Individual to report in writing at least annually to the board or, where there is none, to a senior officer. Firms holding information on fewer than 5,000 consumers are exempt from that written-report requirement, but documenting how oversight happens, even when you are the only principal, remains the easiest way to show the program is actually being run.

2. Information and Systems Inventory

This section documents every system, device, and application that stores, processes, or transmits client data. The IRS Publication 5708 sample WISP includes a template inventory table covering workstations, laptops, mobile devices, servers, cloud storage, and tax preparation software. You must list every asset — including home computers used for remote work.

An incomplete inventory is one of the most common gaps auditors find in tax practitioner WISPs, and it creates a cascading problem: controls you haven't documented for assets you haven't listed provide zero compliance protection.

3. Risk Assessment

Arguably the most substantive section, the risk assessment requires you to identify threats to client data and evaluate your current controls against those threats. The sample WISP provides a structured risk matrix covering insider threats, external cyberattacks, physical theft, and natural disasters.

A thorough asset and risk assessment is the foundation everything else in your WISP is built on — the controls you select should directly address the risks you have identified here. The NIST SP 800-30 risk assessment framework provides additional methodology if your practice wants a more rigorous process than the IRS template offers.

Who Is Legally Required to Have a WISP?

The short answer: every paid tax preparer. The legal framework rests on three overlapping requirements that collectively make a Written Information Security Plan mandatory for any professional who handles taxpayer data.

Gramm-Leach-Bliley Act (GLBA): GLBA, enacted in 1999, applies its data security provisions to any business significantly engaged in financial activities, and the FTC has treated tax preparers as financial institutions under it since the original Safeguards Rule took effect in 2003. The amended rule, finalized in late 2021 with a June 9, 2023 compliance date for most provisions, is what made the obligations concrete enough to be checked against.

FTC Safeguards Rule (16 CFR Part 314): The amended rule requires covered financial institutions, tax preparation businesses included, to designate a Qualified Individual to oversee the security program, base the program on a risk assessment, implement specific safeguards (access controls, encryption of customer information at rest and in transit, multi-factor authentication, secure disposal, change management, activity monitoring), train staff, oversee service providers, and keep the program in writing. Firms holding information on fewer than 5,000 consumers are exempt from a few of the heavier provisions (the written risk assessment, annual penetration testing and semiannual vulnerability scans, the written incident response plan, and the annual written report to the board) but not from the core safeguards. Civil penalties under the FTC Act are adjusted for inflation each year and currently exceed $50,000 per violation, with each day of a continuing violation potentially counted separately.

IRS Publication 4557: While not a law itself, IRS Publication 4557, Safeguarding Taxpayer Data, translates the GLBA and FTC requirements into specific guidance for tax professionals and states plainly that the Safeguards Rule requires every tax preparer to have a WISP regardless of size. The "11 or more returns" threshold sometimes attached to this requirement is actually the IRS e-file mandate and has nothing to do with whether you need a WISP.

If you hold a Preparer Tax Identification Number (PTIN) and prepare returns for compensation, these requirements apply regardless of firm size. A solo preparer working from a home office has the same legal obligation as a 50-person accounting firm — though the scale and complexity of the required program differs.

Common Gaps in the IRS Sample WISP Template

The IRS Publication 5708 sample WISP is an excellent starting point, but it has deliberate gaps — by design, a template cannot address the specific technology, staffing, and risk profile of every practice. Filling these gaps is where practitioners most often fall short, and where enforcement exposure is highest.

Generic Controls Without Specificity

The template uses placeholder language like "we use appropriate encryption" and "employees receive regular training." Neither statement would satisfy an FTC examiner or an IRS ERO reviewer. Your completed WISP must name the specific software you use — for example, "BitLocker for full-disk encryption on all Windows workstations" — the specific Multi-Factor Authentication (MFA) method you have implemented, and the exact training platform employees use with training dates documented.

Vague language in a WISP offers little more legal protection than having no WISP at all, because it shows the plan was never operationalized.

Incomplete Vendor Management

Most tax preparers use five to fifteen third-party services that touch client data — tax software, cloud storage, remote access tools, client document portals, and payment processors. The IRS Publication 5708 sample WISP's vendor section often gets left half-complete.

You need a full vendor list with the data each vendor accesses and evidence that each vendor maintains their own security program, typically a SOC 2 Type II report or equivalent attestation. The absence of documented vendor oversight has been cited in FTC enforcement actions as a standalone Safeguards Rule violation.

Bottom Line

The IRS Publication 5708 sample WISP provides the framework, but you must customize it with specific controls, vendor names and technical details to meet the FTC Safeguards Rule. Generic language offers little legal protection.

Technical Security Controls Your WISP Must Document

The IRS Publication 5708 sample WISP identifies the categories of technical controls your program must address, but you are responsible for documenting what those controls actually look like in your practice. Regulators do not want to see "we use antivirus" — they want specifics.

Encryption Standards

Document encryption for data at rest (full-disk encryption on every workstation and storage device using a named tool: BitLocker, FileVault or VeraCrypt, with a note on where recovery keys are escrowed) and for data in transit (Transport Layer Security (TLS) 1.2 or higher for all client portal traffic). Be precise about email: TLS between mail servers is usually opportunistic and not under your control, so the policy should be that client documents travel through the encrypted portal or as encrypted attachments, never as plain attachments. The distinction between hashing and encryption also matters here: client data has to be recoverable, so it needs reversible encryption with managed keys, while portal and login passwords must never be stored reversibly at all; they belong in a salted, deliberately slow password hash.

Access Controls and Least Privilege

Your WISP must document how user accounts are managed: how quickly accounts are disabled when an employee leaves (same day is the defensible answer), the principle of least privilege (employees access only the data their role requires), and how administrative privileges are restricted to named individuals using separate admin accounts. This section should also state the password policy: a 12-character minimum, a ban on reusing previous passwords or using passwords known to be breached, and mandatory use of a password manager. If you keep composition rules (required symbols and mixed case), document them, but note that NIST SP 800-63B recommends length, breached-password screening and MFA over composition rules.
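As an added example (not code from Publication 5708 or from any tax software vendor), here is how the password side of the two preceding paragraphs looks in practice: a salted, deliberately slow PBKDF2 hash for stored credentials, constant-time verification, a rehash check so the iteration count can be raised later, and a policy check that enforces the 12-character minimum, screens against a breached-password list, and blocks reuse against prior hashes. It uses only the Python standard library; the iteration count, the history depth and the tiny stand-in breached-password list are assumptions of the example, and an Argon2id or scrypt library is the better choice where one is available.

```python
"""Password storage and policy for a tax practice portal or internal login.

Added example written for this article; it is not code from Publication 5708
or any tax software vendor. Standard library only. PBKDF2-HMAC-SHA256 is used
because hashlib ships it everywhere; use Argon2id or scrypt when a vetted
library is available. Iteration count, history depth and the tiny breached-
password list are assumptions of this example.
"""
import base64
import hashlib
import hmac
import os
from typing import List

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000        # OWASP's 2023 floor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
MIN_LENGTH = 12             # the 12-character minimum discussed above
HISTORY_DEPTH = 10          # how many prior hashes the reuse check consults

# Constructed stand-in for a real breached-password screen (for example a
# Pwned Passwords k-anonymity lookup); never ship a list this short.
COMMON_PASSWORDS = {"password1234", "taxseason2026", "welcome12345"}


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str) -> str:
    """Return a self-describing record: algo$iterations$salt$hash.

    The salt is random per password, so two users with the same password get
    different records and a stolen table cannot be attacked with one lookup table.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record was made with fewer iterations than today's policy requires.

    Hashing is one-way, so old records cannot be upgraded in place; re-hash at the
    user's next successful login, when the plaintext is briefly available.
    """
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < ITERATIONS


def policy_violations(password: str, username: str, history: List[str]) -> List[str]:
    """Check a candidate password against the WISP's password policy.

    Deliberately no composition rules (NIST SP 800-63B advises against them);
    length, breach screening, username overlap and reuse are what matter.
    The reuse check has to verify against each old record individually,
    because every record carries its own salt.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in breached-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if any(verify_password(password, old) for old in history[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    record = hash_password("correct horse battery staple 2026")
    print(record)
    print(verify_password("correct horse battery staple 2026", record))
    print(policy_violations("TaxSeason2026", "jdoe", [record]))
```

The stored record carries its own algorithm name and iteration count, which is what lets `needs_rehash` raise the work factor years later without a migration; a WISP that names "PBKDF2-HMAC-SHA256, 600,000 iterations" is also a WISP that can be checked against the database.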

Multi-Factor Authentication

Name every system where MFA is enforced: IRS e-Services (now behind ID.me), every tax preparation software account, cloud storage, remote desktop or VPN access, email, and any client-facing portal. The Safeguards Rule (16 CFR 314.4(c)(5)) requires MFA for any individual accessing any information system that holds customer information unless the Qualified Individual has approved, in writing, reasonably equivalent or more secure controls. So if a system cannot do MFA, the WISP needs that written approval, the compensating controls (for example, access only from managed devices over a VPN that itself requires MFA), and a remediation date; "we plan to add MFA" without those three things is an open finding.
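The inventory, risk assessment, vendor oversight and MFA sections above all rest on the same underlying data, so here is one added example (written for this article, not IRS or FTC tooling) that ties them together: a small asset and vendor inventory, a check for every control the WISP claims but the inventory cannot show (missing full-disk encryption, MFA absent without a written Qualified Individual exception, a vendor attestation missing or expired), and a risk register scored on the 1 to 5 likelihood-times-impact scale used in NIST SP 800-30-style matrices. The asset and vendor names, dates and scores are constructed sample data and are assumptions of the example.

```python
"""Inventory-driven control gap check for a tax practice WISP.

Added example for this article, not IRS or FTC tooling. It walks a constructed
asset and vendor inventory and emits a risk register entry for each control the
WISP should document but the inventory cannot show. Likelihood and impact use the
qualitative 1-5 scale of NIST SP 800-30; the specific scores are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Asset:
    name: str
    holds_client_data: bool
    encryption: Optional[str]             # named tool, e.g. "BitLocker"; None = none documented
    mfa: Optional[str]                    # named method, e.g. "Authenticator app"; None = not enforced
    mfa_exception_approved: bool = False  # written Qualified Individual approval of equivalent controls
    location: str = "office"              # "office" or "home"


@dataclass
class Vendor:
    name: str
    data_accessed: str
    attestation: Optional[str]            # e.g. "SOC 2 Type II"; None = nothing on file
    attestation_expires: Optional[date] = None


@dataclass
class Finding:
    subject: str
    gap: str
    likelihood: int                       # 1 (rare) .. 5 (almost certain)
    impact: int                           # 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        # Bands for a 5x5 matrix: 15-25 high, 8-14 medium, 1-7 low.
        return "high" if self.score >= 15 else "medium" if self.score >= 8 else "low"


def check_assets(assets: List[Asset]) -> List[Finding]:
    findings: List[Finding] = []
    for a in assets:
        if not a.holds_client_data:
            continue  # still belongs in the inventory, but no client-data controls apply
        theft_likelihood = 4 if a.location == "home" else 2  # portable and home devices go missing more
        if a.encryption is None:
            findings.append(Finding(a.name, "no full-disk encryption documented", theft_likelihood, 5))
        if a.mfa is None and not a.mfa_exception_approved:
            # 16 CFR 314.4(c)(5): MFA for anyone accessing customer information unless the
            # Qualified Individual approves equivalent controls in writing.
            findings.append(Finding(a.name, "MFA not enforced and no written exception", 4, 5))
    return findings


def check_vendors(vendors: List[Vendor], today: date) -> List[Finding]:
    findings: List[Finding] = []
    for v in vendors:
        if v.attestation is None:
            findings.append(Finding(v.name, f"no security attestation on file ({v.data_accessed})", 3, 4))
        elif v.attestation_expires is not None and v.attestation_expires < today:
            findings.append(Finding(v.name, f"{v.attestation} report expired {v.attestation_expires}", 2, 4))
    return findings


def risk_register(assets: List[Asset], vendors: List[Vendor], today: date) -> List[Finding]:
    """All findings, highest score first, ready for the WISP risk assessment section."""
    return sorted(check_assets(assets) + check_vendors(vendors, today),
                  key=lambda f: f.score, reverse=True)


# Constructed sample inventory for a small practice; every name and date is made up.
SAMPLE_TODAY = date(2026, 1, 2)
SAMPLE_ASSETS = [
    Asset("Front-desk workstation", True, "BitLocker", "Authenticator app"),
    Asset("Partner home laptop", True, None, "Authenticator app", location="home"),
    Asset("Cloud document portal", True, "provider AES-256 at rest", None),
    Asset("Lobby guest Wi-Fi router", False, None, None),
]
SAMPLE_VENDORS = [
    Vendor("Tax software SaaS", "complete returns", "SOC 2 Type II", date(2026, 3, 31)),
    Vendor("Cloud backup service", "encrypted backups", "SOC 2 Type II", date(2025, 6, 30)),
    Vendor("E-signature service", "signed Form 8879", None),
]

if __name__ == "__main__":
    for f in risk_register(SAMPLE_ASSETS, SAMPLE_VENDORS, SAMPLE_TODAY):
        print(f"{f.rating:<6} {f.score:>2}  {f.subject}: {f.gap}")
```

Run against the sample data, the unencrypted home laptop and the portal without MFA come out as high risks, the vendor with no attestation and the expired SOC 2 report as medium, and the guest router is inventoried but produces nothing because it holds no client data. Re-running the same check at each annual review is the concrete form of "walking through your asset inventory".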

FTC Safeguards Rule Enforcement and Compliance Costs

The FTC has stepped up Safeguards Rule enforcement since the amended rule took effect in 2023. Most publicized cases involve larger financial institutions, but the FTC has said plainly that tax preparation businesses of all sizes are covered, and state attorneys general enforce their own data protection and breach notification laws against firms of any size.

The non-compliance exposure for a tax practice runs on several tracks at once. At the federal level, FTC civil penalties are adjusted for inflation each year and currently exceed $50,000 per violation, with each day of a continuing violation potentially counted separately.

At the IRS level, the agency can suspend or expel you from IRS e-file and revoke your Electronic Filing Identification Number (EFIN) if you fail to safeguard taxpayer data as Publication 1345 requires, shutting down your e-filing capability during tax season. EFIN loss is an existential threat to a tax practice: it is not a fine, it is the complete loss of the ability to file returns electronically for clients.

Every state has a breach notification law. Deadlines to notify affected individuals are measured in days, commonly 30 to 60 days from discovery, with several states also requiring notice to the attorney general, and missing them carries separate civil penalties on top of any federal action. Since May 2024 the Safeguards Rule adds its own clock: a notification event involving 500 or more consumers must be reported to the FTC within 30 days of discovery. The IRS also asks preparers to report data theft to their local Stakeholder Liaison immediately so the affected clients' accounts can be flagged. The reputational cost of a breach that becomes public, even a small one, can permanently damage a practice built over decades.


Periodic WISP Review Is a Legal Requirement

The FTC Safeguards Rule (16 CFR 314.4(g)) requires covered institutions to evaluate and adjust their information security program in light of the results of testing and monitoring, material changes to operations or business arrangements, the results of the risk assessment, and any other circumstance that may materially affect the program. The Rule does not fix a calendar interval, but an annual review is the practical minimum, and it is what the IRS recommends.

For tax practices, the material-change trigger fires constantly: new tax software subscriptions, staff turnover, new remote work arrangements, new cloud storage tools, and the IRS's periodic revisions of Publication 5708.

A defensible annual review includes walking through your asset inventory to confirm it still reflects every device and service in use, verifying that all vendor attestations (SOC 2 reports, security questionnaires) are current, testing your incident response procedures through a tabletop exercise, confirming that training records align with the training section of the WISP, and documenting any changes made as a result of the review.

The IRS Security Summit resource pages publish updated guidance every year, and Publication 5708 itself is revised periodically; check both each time you conduct your WISP review.

Beyond the Template: Making Your WISP a Working Security Program

A filed WISP that no one reads is still a compliance risk. The IRS and FTC are not just looking for a document — they want evidence that your security program is actually implemented and followed.

Conduct a Tabletop Exercise Before Tax Season

Walk your team through a simulated incident — a phishing email that led to a credential compromise, or a laptop reported stolen. Do this as a planned exercise, not a real response. The goal is to verify that everyone knows their role in the incident response plan before an actual event forces the issue.

A 90-minute tabletop exercise before January 15 is one of the highest-value security activities a tax practice can perform.

Tie Training Records to Your WISP

Your WISP states that employees receive annual training. Your training records prove it. Keep a training log — dates, topics covered, and employee signatures — that directly corresponds to your WISP's training section. This is the evidence you will produce during an IRS ERO review or FTC inquiry.

Audit Your Vendor List Annually

Software subscriptions and cloud services change frequently. Every time you add a new tool that touches client data — a new document portal, a cloud backup service, an AI-assisted tax tool — update your WISP's vendor section before deploying the tool in a client-data environment.

For practitioners who want a professionally developed WISP that goes beyond the IRS template, see our free WISP template for 2026 and the all-in-one compliance package for firms that need a complete security program rather than a standalone document.

IRS Publication 5708 and the Broader Tax Security Framework

IRS Publication 5708 does not exist in isolation. It is one component of a broader tax professional security framework that the IRS Security Summit has built over several years. Understanding where it sits in relation to other requirements helps you avoid treating WISP compliance as a standalone task.

IRS Publication 4557 is the overarching guide to safeguarding taxpayer data — it sets out what controls the IRS expects and uses as the basis for ERO reviews. Publication 5708 is the sample WISP template that satisfies Publication 4557's WISP requirement. The two documents should be read together: 4557 tells you what the IRS expects, 5708 gives you the template to document how you meet those expectations.

Beyond these two publications, practices that hold customer information on 5,000 or more consumers must also meet the Safeguards Rule provisions that smaller firms are exempt from: a written risk assessment, continuous monitoring or annual penetration testing plus vulnerability assessments at least every six months, a written incident response plan, and an annual written report to the board or a senior officer.

Firms in states with their own data protection frameworks — California (CCPA/CPRA), New York (SHIELD Act), Massachusetts (201 CMR 17.00) — must ensure their WISP satisfies both federal and state requirements simultaneously.

Tax practices sometimes assume that handling health-related financial records (medical deduction receipts, Health Savings Account (HSA) statements, insurance reimbursement documentation) brings them under the HIPAA Security Rule (45 CFR Part 164). It generally does not: HIPAA binds covered entities (providers, health plans, clearinghouses) and their business associates, and receiving a client's medical receipts to prepare a return does not make you one. Treat the data as the most sensitive tier in your WISP's classification scheme anyway, since a breach of it is the most damaging kind for the client.


Frequently Asked Questions

What is IRS Publication 5708?
IRS Publication 5708 is the sample Written Information Security Plan (WISP) template published by the IRS Security Summit. It provides a fill-in-the-blank framework to help tax professionals meet the FTC Safeguards Rule requirement for a written information security program.

Who is required to have a WISP?
All tax preparers who hold a PTIN and prepare returns for compensation must have a WISP, regardless of how many returns they file. Publication 5708 is a template, not a mandate; any WISP format is acceptable as long as it meets the FTC Safeguards Rule and covers the six core elements described above.

Can I use the Publication 5708 template as-is?
No. The template contains placeholder language that must be replaced with specific details about your practice, including exact software names, vendor lists, training programs and technical controls. Generic language provides little legal protection.

How often must the WISP be updated?
The FTC Safeguards Rule requires you to evaluate and adjust the program whenever material changes occur (new software, staff changes, vendor additions, security incidents, or test and monitoring results), and an annual review is the practical minimum. The IRS also revises Publication 5708 periodically, so check for a newer edition at each review.

What are the penalties for non-compliance?
Non-compliance can result in FTC civil penalties (inflation-adjusted, currently more than $50,000 per violation, with each day of a continuing violation potentially counted separately), IRS suspension or revocation of your EFIN (ending your ability to e-file), and penalties under state data protection and breach notification laws.

Does the template cover state requirements?
The template addresses federal requirements, but you may need additional provisions for state laws such as California's CCPA/CPRA, New York's SHIELD Act, or Massachusetts 201 CMR 17.00. Review your state's specific requirements alongside the federal template.

What technical controls must be documented?
You must document encryption methods by name (BitLocker, FileVault), the multi-factor authentication method on each system, access control procedures, backup and recovery plans, network security configuration and endpoint protection, not generic statements that these controls exist.

Does the template work for a solo practice?
Yes, the template is designed to be customized. Solo practices will have simpler vendor lists and training sections, while larger firms need more detailed access controls and oversight procedures. The six core sections remain the same regardless of firm size.

How does Publication 5708 relate to Publication 4557?
Publication 4557 is the overarching guidance on safeguarding taxpayer data that sets out what the IRS expects. Publication 5708 is the WISP template that helps you document compliance with 4557's requirements. Use them together.

What vendor documentation do I need?
For every third-party service that accesses client data, you need the vendor name, the data types it accesses, and evidence of its security program, typically a SOC 2 Type II report, a completed security questionnaire, or an equivalent attestation. Missing vendor documentation is a common compliance gap.
