
What Is IRS Publication 5708 and Why Tax Preparers Need It Now
IRS Publication 5708, titled Creating a Written Information Security Plan for Your Tax & Accounting Practice, is the official sample Written Information Security Plan (WISP) template published by the IRS Security Summit — a collaborative initiative between the IRS, all 50 state revenue agencies, and the private-sector tax industry. This publication gives tax professionals a structured, fill-in-the-blank starting point for building the data security plan now required under federal law.
If you prepare federal or state tax returns professionally and handle client data — Social Security numbers, income figures, bank account details — you are legally required to maintain a WISP under the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission (FTC) Safeguards Rule. The FTC finalized updated requirements in 2023, explicitly extending coverage to tax preparation businesses of every size.
The FTC Safeguards Rule mandates that all covered financial institutions — which explicitly includes tax preparation businesses — develop, implement, and maintain a written information security program. IRS Publication 5708 is the practical answer to that mandate. It does not replace the need for a customized security plan, but it gives you every required section in draft form so you are not starting from a blank page. For a broader overview of what a WISP requires beyond the template, Publication 5708 and Publication 4557 should be read together.
2026 Filing Season Compliance Requirement
The IRS requires all tax preparers holding a PTIN who prepare returns for compensation to have a current, documented WISP in place before the start of the 2026 filing season. Firms without a compliant plan face potential EFIN suspension, FTC civil penalties up to $100,000 per violation, and state breach notification liability. Review your plan now — before January filing season begins.
Tax Preparers: A High-Value Target for Cybercriminals
Tax professionals occupy a uniquely exposed position in the cybersecurity environment. A single client file contains everything an identity thief needs: full legal name, Social Security number, date of birth, employer information, bank account and routing numbers, and prior-year return data. A mid-size tax practice with 500 clients holds the equivalent of 500 complete identity theft starter kits.
IRS identity theft statistics reinforce this exposure. The agency's Identity Theft Tax Refund Fraud program flagged over 1 million suspicious returns in a recent filing season, and the majority of fraudulent filings trace back to compromised preparer credentials or client data stolen from tax firms — not individual taxpayers. Cyberattacks on tax firms have increased steadily year over year, with phishing attacks targeting tax professionals spiking sharply during January through April when credential harvesting yields the highest return for attackers.
The threat profile for tax practices includes ransomware that encrypts client files and demands payment before filing deadlines, business email compromise (BEC) scams that redirect client refunds or payments, and credential stuffing attacks against IRS e-Services portals using passwords reused from other breached accounts. Understanding these specific threats is why a generic security policy is never sufficient — your WISP must address the actual attack patterns targeting your practice. See our guide on recognizing and stopping phishing attacks for more on the most common entry point.
The security of your client-facing systems matters just as much as internal controls. Weak tax client portal security is a frequent vector attackers use to access stored documents without ever touching your internal network.
Tax Preparer Cybersecurity By The Numbers
IRS Identity Theft Tax Refund Fraud program
Per day of non-compliance under FTC Act Section 5
Most states require notification within this window after discovery
IRS Publication 5708 Sample WISP: Section-by-Section Breakdown
The IRS Publication 5708 sample WISP is organized around the six core elements required by the FTC Safeguards Rule. Understanding each section helps you see exactly what you need to customize — and where the generic language leaves gaps you must fill with practice-specific detail.
1. Designated Security Coordinator
The first section requires you to name a specific individual as your firm's Information Security Program Coordinator. For a solo practice, that is you. For a multi-preparer firm, this should be a named partner or senior employee with the authority to implement security policies. The FTC Safeguards Rule requires this individual to report regularly to the firm's board or senior leadership — for small firms, document how you fulfill this oversight obligation even if you are the only principal.
2. Information and Systems Inventory
This section documents every system, device, and application that stores, processes, or transmits client data. The IRS Publication 5708 sample WISP includes a template inventory table covering workstations, laptops, mobile devices, servers, cloud storage, and tax preparation software. You must list every asset — including home computers used for remote work. An incomplete inventory is one of the most common gaps auditors find in tax practitioner WISPs. Controls you haven't documented for assets you haven't listed provide zero compliance protection. A rigorous asset management process is the foundation for accurate inventory.
3. Risk Assessment
Arguably the most substantive section, the risk assessment requires you to identify threats to client data and evaluate your current controls against those threats. The sample WISP provides a structured risk matrix covering insider threats, external cyberattacks, physical theft, and natural disasters. A thorough risk assessment is the foundation everything else in your WISP is built on — the controls you select should directly address the risks you've identified here. The NIST SP 800-30 risk assessment framework provides additional methodology if your practice wants a more rigorous process than the IRS template offers.
4. Employee Management and Training
This section covers how you onboard and offboard employees with access to client data, the training program you maintain, and how you enforce acceptable use policies. Your WISP must specify actual training content and document completion dates — not just assert that training happens. Pair this section with your incident response procedures so employees know what to report and to whom.
5. Physical Security Controls
Often underweighted by practices focused on software threats, physical security covers how you protect devices and paper records. Locked filing cabinets, screen privacy filters, clean-desk policies, and secure document destruction procedures all belong in this section.
6. Incident Response Plan
The sixth section is your documented procedure for what happens when a breach occurs: who is notified first, how you contain the incident, when you notify affected clients, and how you report to the IRS and state tax authorities. The IRS requires you to notify them of any data breach via the IRS data theft reporting portal. An untested incident response plan is nearly as risky as no plan — see our guide on building an incident response plan for tax practices.
Who Is Legally Required to Have a WISP?
The short answer: every paid tax preparer. The legal framework rests on three overlapping requirements that collectively make a Written Information Security Plan mandatory for any professional who handles taxpayer data.
Gramm-Leach-Bliley Act (GLBA): The GLBA classifies tax preparers as financial institutions subject to its data security provisions. This has been federal law since 1999, but enforcement against small tax practices intensified after the FTC finalized the updated Safeguards Rule in 2023.
FTC Safeguards Rule (16 CFR Part 314): The updated rule, effective June 9, 2023, requires covered financial institutions — including tax preparation businesses — to designate a qualified individual to oversee the security program, conduct a written risk assessment, implement specific technical safeguards, and maintain a written security plan. Violations carry civil penalties up to $100,000 per violation under Section 5 of the FTC Act. Our detailed guide on the FTC Safeguards Rule for tax preparers covers the specific technical requirements in depth.
IRS Publication 4557: While not a law itself, IRS Publication 4557 translates the GLBA and FTC requirements into specific guidance for tax professionals. It explicitly states that all tax preparers handling 11 or more returns must have a WISP.
If you hold a Preparer Tax Identification Number (PTIN) and prepare returns for compensation, these requirements apply regardless of firm size. A solo preparer working from a home office has the same legal obligation as a 50-person accounting firm — though the scale and complexity of the required program differs. For PTIN holders specifically, see our breakdown of PTIN WISP requirements.
IRS Publication 5708 WISP Completion Checklist
- Name a specific individual as Information Security Program Coordinator and document their reporting obligations
- Complete the asset inventory table — every workstation, laptop, mobile device, server, and cloud service that touches client data
- Complete the risk assessment matrix covering insider threats, cyberattacks, physical theft, and disasters
- Replace all template placeholder language with specific tools, software names, and policy details
- Document your encryption method for data at rest and data in transit (name the specific tools)
- List every system where Multi-Factor Authentication (MFA) is enforced
- Complete the vendor list with data each vendor accesses and their security attestation (SOC 2 or equivalent)
- Document your employee training program with specific content, frequency, and completion records
- Fill in your incident response procedures including IRS notification contact
- Schedule and document your annual review date and assign responsibility for completing it
Common Gaps in the IRS Sample WISP Template
The IRS Publication 5708 sample WISP is an excellent starting point, but it has deliberate gaps — by design, a template cannot address the specific technology, staffing, and risk profile of every practice. Filling these gaps is where practitioners most often fall short, and where enforcement exposure is highest.
Generic Controls Without Specificity
The template uses placeholder language like "we use appropriate encryption" and "employees receive regular training." Neither statement would satisfy an FTC examiner or an IRS Electronic Return Originator (ERO) reviewer. Your completed WISP must name the specific software you use — for example, "BitLocker for full-disk encryption on all Windows workstations" — the specific Multi-Factor Authentication (MFA) method you've implemented, and the exact training platform employees use with training dates documented. Vague language in a WISP offers no more legal protection than having no WISP at all, because it demonstrates the plan was never operationalized.
Incomplete Vendor Management
Most tax preparers use five to fifteen third-party services that touch client data — tax software, cloud storage, remote access tools, client document portals, and payment processors. The IRS Publication 5708 sample WISP's vendor section often gets left half-complete. You need a full vendor list with the data each vendor accesses and evidence that each vendor maintains their own security program, typically a SOC 2 Type II report or equivalent attestation. The absence of documented vendor oversight has been cited in FTC enforcement actions as a standalone Safeguards Rule violation.
Missing Password and Access Control Specifics
Many completed WISPs describe access controls in general terms without specifying the password policy, account lockout thresholds, or how quickly departed employee accounts are disabled. Regulators look for specifics: minimum 12-character passwords, prohibition of reuse across systems, and a named password manager for secure credential storage. These details turn a compliance document into an operational policy employees can actually follow.
No Documented Remote Work Procedures
For practices where preparers work from home or access client data remotely, the WISP must address how that access is secured. A Virtual Private Network (VPN) requirement, endpoint security standards for home computers, and prohibition of public Wi-Fi for client data access are all elements that belong in the remote work section. Practices that added remote capabilities during recent years frequently have WISPs that predate those arrangements — an immediate compliance gap. Our guide on remote work security for small teams covers the controls to document.
Bottom Line
A WISP that uses template placeholder language is not a compliant WISP. The FTC Safeguards Rule requires a written plan that reflects your actual security program — specific tools, named vendors, documented procedures. An unmodified Publication 5708 template demonstrates you started the process but never completed it, which provides no legal protection and may actually harm your defense in an enforcement action.
Technical Security Controls Your WISP Must Document
The IRS Publication 5708 sample WISP identifies the categories of technical controls your program must address, but you are responsible for documenting what those controls actually look like in your practice. Regulators do not want to see "we use antivirus" — they want specifics.
Encryption Standards
Document encryption for data at rest — full-disk encryption on all workstations and storage devices using a named tool (BitLocker, FileVault, VeraCrypt) — and data in transit using Transport Layer Security (TLS) 1.2 or higher for all client portal communications and email. Understanding the difference between hashing and encryption matters here: password storage and data protection require different technical approaches, and your WISP should reflect that distinction.
Access Controls and Least Privilege
Your WISP must document how user accounts are managed — including how quickly accounts are disabled when an employee leaves, the principle of least privilege (employees access only data necessary for their role), and how administrative privileges are restricted. This section should also address password policy: minimum 12-character length, complexity requirements, prohibition of password reuse, and mandatory use of a password manager. Strong passwords alone are insufficient — document how you enforce these policies, not just that they exist.
Multi-Factor Authentication
Name every system where MFA is enforced: IRS e-Services, all tax preparation software accounts, cloud storage services, remote desktop or VPN access, and any client-facing portals. If any system does not support MFA, document that as an identified risk and describe compensating controls in place until the gap is remediated. The IRS now requires MFA for accessing IRS e-Services — this is not optional.
Endpoint Protection
"Antivirus" is no longer sufficient to describe endpoint security in a WISP that will satisfy a 2026 examiner. Document whether you use traditional antivirus, Endpoint Detection and Response (EDR), or a managed detection service. The distinction matters for your risk assessment: EDR solutions detect behavioral anomalies and provide forensic data after an incident; traditional antivirus detects known malware signatures only. Our guide to EDR vs. MDR vs. XDR explains the differences and what each covers.
Audit Logging and Monitoring
Document how you log access to systems containing client data and how those logs are reviewed. The FTC Safeguards Rule requires monitoring and testing of your controls — a log that nobody reviews does not satisfy this requirement. Specify log retention periods (typically 12 months minimum) and who is responsible for reviewing anomalies.
FTC Safeguards Rule Enforcement and Compliance Costs
The FTC has increased enforcement of the Safeguards Rule significantly since its 2023 updates. While most publicized cases involve larger financial institutions, the FTC has explicitly stated that tax preparation businesses of all sizes are covered — and state attorneys general have been equally active in pursuing smaller firms under state data protection laws.
The non-compliance exposure for a tax practice operates on multiple tracks simultaneously. At the federal level, FTC civil penalties run up to $100,000 per violation under Section 5 of the FTC Act, with each day of non-compliance potentially constituting a separate violation. At the IRS level, the agency can suspend or revoke your Electronic Filing Identification Number (EFIN) if you fail to maintain adequate data security, effectively shutting down your e-filing capability during tax season. EFIN suspension is an existential threat to a tax practice — it is not a fine, it is a complete loss of the ability to file returns electronically for clients.
All 50 states have breach notification laws. Failure to notify within required timeframes — often 30 to 72 hours — carries separate civil penalties on top of any federal action. State-specific requirements add additional obligations: California's CCPA/CPRA, New York's SHIELD Act, and Massachusetts' 201 CMR 17.00 each impose requirements that may exceed federal minimums. The reputational cost of a breach that becomes public, even a small one, can permanently damage a practice built over decades. Understanding what to do after a data breach before one occurs is part of a defensible security program.
For practices that want a full picture of IRS-specific security obligations beyond the WISP requirement, our overview of IRS cybersecurity requirements for tax preparers covers the complete framework.
Annual WISP Review: Required Steps
Update Your Asset Inventory
Walk through every device, software subscription, and cloud service in use. Add anything added since the last review. Remove anything decommissioned. Every asset that touches client data must appear on this list.
Verify Vendor Attestations Are Current
Collect current SOC 2 Type II reports or security questionnaires from every vendor with access to client data. An attestation from two years ago is not current. Document the collection date for each vendor.
Test Your Incident Response Plan
Run a 90-minute tabletop exercise before January filing season. Walk your team through a simulated phishing compromise or stolen laptop. Document the exercise, findings, and any procedures updated as a result.
Confirm Training Records Match Your WISP
Your WISP states employees receive annual training. Your training log must prove it. Verify that dates, topics, and employee signatures are current and match what your WISP describes.
Check for IRS Publication 5708 Updates
The IRS Security Summit publishes revised guidance annually. Check the IRS Security Summit resource page each time you conduct your WISP review and update your plan to reflect any new requirements.
Document the Review Itself
The FTC Safeguards Rule requires evidence that your review occurred. Create a dated memo summarizing what was reviewed, what changed, and who conducted the review. This is the document you produce in an enforcement inquiry.
IRS Publication 5708 and the Broader Tax Security Framework
IRS Publication 5708 does not exist in isolation. It is one component of a broader tax professional security framework that the IRS Security Summit has built over several years. Understanding where it sits in relation to other requirements helps you avoid treating WISP compliance as a standalone task.
IRS Publication 4557 is the overarching guide to safeguarding taxpayer data — it sets out what controls the IRS expects and uses as the basis for ERO reviews. Publication 5708 is the sample WISP template that satisfies Publication 4557's WISP requirement. The two documents should be read together: 4557 tells you what the IRS expects, 5708 gives you the template to document how you meet those expectations.
Beyond these two publications, tax practices with more than 5,000 records must also meet the FTC Safeguards Rule's additional requirements for larger institutions, including annual penetration testing and vulnerability assessments conducted by a qualified external party. Firms in states with their own data protection frameworks must ensure their WISP satisfies both federal and state requirements simultaneously.
For tax practices that also handle any health-related financial data — medical deductions, Health Savings Account (HSA) records, or insurance reimbursement documentation — there may be additional obligations under HIPAA's Security Rule (45 CFR Part 164) that intersect with your WISP requirements. Our guide on HIPAA cybersecurity requirements covers where these obligations overlap.
The IRS Security Summit also publishes the "Taxes-Security-Together" checklist annually, which functions as a self-assessment companion to Publication 5708. Completing this checklist alongside your WISP review provides an additional layer of documentation that your program is current with IRS expectations.
For small firms building their security program from the ground up, our guide on creating a WISP for a small tax firm walks through right-sizing the requirements for a one- to five-preparer practice without over-engineering the program.
Beyond the Template: Making Your WISP a Working Security Program
A filed WISP that no one reads is still a compliance risk. The IRS and FTC are not just looking for a document — they want evidence that your security program is actually implemented and followed.
Conduct a Tabletop Exercise Before Tax Season
Walk your team through a simulated incident — a phishing email that led to a credential compromise, or a laptop reported stolen. Do this as a planned exercise, not a real response. The goal is to verify that everyone knows their role in the incident response plan before an actual event forces the issue. A 90-minute tabletop exercise before January 15 is one of the highest-value security activities a tax practice can perform. Document the scenario, participants, and any gaps identified — this record demonstrates your program is active, not just documented.
Tie Training Records to Your WISP
Your WISP states that employees receive annual training. Your training records prove it. Keep a training log — dates, topics covered, and employee signatures — that directly corresponds to your WISP's training section. This is the evidence you will produce during an IRS ERO review or FTC inquiry. Training should cover phishing recognition, password hygiene, and the specific procedures in your incident response plan — not just generic cybersecurity awareness.
Audit Your Vendor List Annually
Software subscriptions and cloud services change frequently. Every time you add a new tool that touches client data — a new document portal, a cloud backup service, an AI-assisted tax tool — update your WISP's vendor section before deploying the tool in a client-data environment. This is especially relevant as AI-powered tax tools enter the market: any service that processes or stores client data is a covered vendor under the Safeguards Rule, regardless of how it's marketed.
For practitioners who want a professionally developed WISP that goes beyond the IRS template, our free WISP template for 2026 and the all-in-one compliance package provide complete security programs for firms that need more than a standalone document. Our tax practice security solutions cover the full range of managed security options for practices of any size.
Need Help Building Your WISP?
Our security team has helped thousands of tax professionals create compliant Written Information Security Plans that satisfy IRS Publication 5708, FTC Safeguards Rule, and state requirements.
Identity Theft Prevention as Part of Your WISP Program
A WISP is a compliance document, but its ultimate purpose is preventing tax-related identity theft — both for your clients and for your practice. The IRS Security Summit's research consistently shows that practices with documented, implemented security programs experience significantly fewer successful attacks than those without.
The controls that satisfy your WISP requirements are also your best defense against the specific attacks targeting tax practices. MFA prevents credential stuffing. Encryption renders stolen laptops harmless. Vendor management catches third-party breaches before they become your breach. Incident response planning minimizes damage when — not if — an incident occurs.
Tax-related identity theft imposes costs beyond the immediate financial loss: clients whose information is compromised may leave the practice, regulatory scrutiny follows a publicly known breach, and cyber insurance claims raise future premiums. Prevention through a well-implemented WISP is substantially less costly than remediation. For a complete guide to identity theft prevention for tax professionals, including controls beyond the WISP requirement, our resource center covers the full prevention framework.
Practices concerned about their overall IRS compliance posture — not just the WISP requirement — can use our tax security FAQ as a starting point for identifying gaps.
Get a WISP That Goes Beyond the IRS Template
Our cybersecurity experts help tax professionals build Written Information Security Plans that exceed IRS Publication 5708 requirements and provide real protection against modern threats targeting tax practices.
Frequently Asked Questions
IRS Publication 5708, titled Creating a Written Information Security Plan for Your Tax & Accounting Practice, is the official sample Written Information Security Plan (WISP) template published by the IRS Security Summit. It provides tax professionals with a structured, fill-in-the-blank starting point for building the written data security plan required under the Gramm-Leach-Bliley Act and the FTC Safeguards Rule. The publication is updated annually by the IRS Security Summit and is available free from the IRS website.
Any paid tax preparer who holds a Preparer Tax Identification Number (PTIN) and prepares returns for compensation is legally required to maintain a Written Information Security Plan. IRS Publication 4557 specifies that preparers handling 11 or more returns must have a WISP. The requirement applies regardless of firm size — a solo home-office preparer has the same obligation as a large regional accounting firm, though the scope and complexity of the required plan differs.
No. Using the template without customization does not produce a compliant WISP. The IRS Publication 5708 template contains placeholder language that must be replaced with your practice's specific tools, vendors, personnel, and procedures. An unmodified template demonstrates you started the process but never completed it, which provides no legal protection and may actually harm your defense in an FTC enforcement action or IRS ERO review. Every section must reflect your actual security program.
The FTC Safeguards Rule requires you to review and update your information security program in response to material changes to your operations, business arrangements, or any circumstance that materially impacts your security program. At minimum, conduct a documented annual review. For tax practices, the trigger fires frequently: new software subscriptions, staff turnover, new remote work arrangements, and annual IRS Security Summit guidance updates all require WISP review and potential revision. Check the IRS Security Summit resource page for updated Publication 5708 versions each year.
Non-compliance with the WISP requirement creates exposure on multiple tracks simultaneously. The FTC can impose civil penalties up to $100,000 per violation under Section 5 of the FTC Act, with each day of non-compliance potentially constituting a separate violation. The IRS can suspend or revoke your EFIN, eliminating your ability to e-file returns for clients during tax season. All 50 states have breach notification laws with their own penalties. In the event of a breach, the absence of a WISP significantly increases your liability exposure and complicates your defense.
Not automatically. IRS Publication 5708 satisfies federal requirements under the GLBA and FTC Safeguards Rule, but state requirements vary. California (CCPA/CPRA), New York (SHIELD Act), and Massachusetts (201 CMR 17.00) impose data security requirements that may exceed federal minimums. Your WISP must be reviewed against the specific requirements of every state where you have clients or where your business operates. In some cases, a single WISP can address both federal and state requirements if structured carefully.
Your WISP must document specific implementations — not general categories. Required specifics include: the named encryption tool for data at rest (e.g., BitLocker, FileVault) and the encryption standard for data in transit (TLS 1.2 or higher); the specific Multi-Factor Authentication (MFA) method and every system where it is enforced; your endpoint protection software by name; your password policy including minimum length, complexity, and reuse prohibition; your account management procedures including how quickly departed employee accounts are disabled; and your audit logging approach including retention periods.
Yes — and you should. The IRS Publication 5708 template is designed to be scaled. A solo preparer's WISP will be shorter and simpler than a ten-person firm's, reflecting different risk profiles, fewer systems to inventory, and a simpler vendor list. The key requirement is that your completed WISP accurately reflects your actual security program. Right-sizing the plan to your practice is appropriate; leaving sections blank or using template placeholder language is not.
IRS Publication 4557, Safeguarding Taxpayer Data, is the overarching IRS guide to data security for tax professionals. It sets out what controls the IRS expects and uses as the basis for Electronic Return Originator (ERO) compliance reviews. IRS Publication 5708 is the sample WISP template that satisfies Publication 4557's specific requirement for a written security plan. Read them together: Publication 4557 defines the expectations; Publication 5708 provides the template for documenting how you meet them.
Your WISP's vendor section must list every third-party service that stores, processes, or transmits client data. For each vendor, document what client data they access, how that access is secured, and evidence that the vendor maintains their own security program. The standard evidence is a current SOC 2 Type II report, though some vendors provide security questionnaire responses or ISO 27001 certifications instead. Vendor attestations should be collected annually and stored with your WISP documentation. The absence of vendor documentation has been cited as a standalone Safeguards Rule violation in FTC enforcement actions.
Schedule
Need help with IRS compliance?
Our tax cybersecurity specialists can review your security posture and help you get compliant.


