
What Is IRS Publication 5708 and Who Needs It?
Every professional tax preparer in the United States is legally required to maintain a Written Information Security Plan (WISP)—a formal, documented strategy for protecting sensitive taxpayer data. To help practitioners meet this obligation without hiring a law firm or security consultant, the Security Summit—a public-private partnership between the IRS, state tax agencies, and the tax software industry—published IRS Publication 5708: Creating a Written Information Security Plan for Your Tax & Accounting Practice.
The legal obligation flows from two sources. The Gramm-Leach-Bliley Act (GLBA) treats tax preparers as "financial institutions" because they routinely receive and maintain nonpublic personal financial information from clients. The FTC Safeguards Rule, amended in late 2021 with most of the new provisions taking effect in June 2023, translates that obligation into specific operational requirements: a written risk assessment, named security controls (including multi-factor authentication and encryption of customer information), employee training records, service provider oversight, and a written incident response plan. One caveat practitioners often miss: the Rule exempts firms that hold information on fewer than 5,000 consumers from a handful of provisions (the written risk assessment, annual penetration testing, the written incident response plan, and the annual report to management), but not from the core requirement to maintain a written information security program, and Publication 5708 still asks you to document a data theft response plan. Our detailed breakdown of the FTC Safeguards Rule for tax preparers explains what changed under the amended Rule and what your practice must document in 2026.
IRS Publication 4557, Safeguarding Taxpayer Data, reinforces these requirements and explicitly cross-references the WISP obligation. Our Publication 4557 compliance guide covers how the two documents work together. Non-compliance exposes your practice to FTC enforcement actions, state-level penalties, and—most damaging in a relationship-driven business—the reputational fallout of a taxpayer data breach.
IRS Publication 5708 was intentionally written in plain language, making it practical for sole practitioners and small accounting firms that do not have in-house information security staff. Download IRS Publication 5708 free from IRS.gov—it is available as a fillable PDF you can adapt to your actual systems, staff, and client base.
Why Tax Practices Cannot Afford Weak Security
Statistics in this section are drawn from the IBM Cost of a Data Breach Report (2024) and the Verizon Data Breach Investigations Report (2024).
Tax practices are high-value targets for identity thieves because a single client file contains everything needed to commit refund fraud: Social Security numbers, birth dates, income figures, and financial account information. The IRS has consistently listed schemes targeting tax professionals' client data among its annual "Dirty Dozen" fraud schemes. The Security Summit designed IRS Publication 5708 specifically in response to this threat, giving practitioners a structured framework to document their security posture before an attacker tests it.
What the IRS Publication 5708 WISP Template Covers
The template functions as a guided questionnaire: it prompts you to inventory your systems, identify realistic threats, select appropriate safeguards, and document your decisions. It does not prescribe a single correct answer—it guides you to document the right answers for your practice. Here is what each major section covers:
- Designated Security Coordinator: You must name one individual accountable for the WISP (the FTC Safeguards Rule calls this person the Qualified Individual). In a solo practice, that person is you. This individual owns the plan, conducts the periodic reviews, and serves as the point of contact for security incidents.
- Risk Assessment: Walk through the types of taxpayer data you collect, the systems that store or transmit it, and the realistic threats those systems face. This shapes every safeguard you select afterward.
- Technical Safeguards: From multi-factor authentication (MFA) for tax software access to disk encryption, firewalls, and screen-lock policies, the template itemizes controls and asks you to document what is in place—and what, if anything, provides equivalent protection.
- Physical Safeguards: Office access controls, clean-desk policies, locked filing cabinets, and secure document disposal—frequently overlooked areas where tax offices face genuine exposure.
- Service Provider Management: Every cloud storage provider, e-signature platform, payroll processor, or other third party that handles taxpayer data on your behalf must be listed, with documentation of their security practices or contractual obligations.
- Employee Training: The plan must document how and when staff are trained on security policies, phishing recognition, and data handling—not just that you mentioned it in a staff meeting.
- Data Theft Response Plan: This section directs you to document the steps you will take immediately after discovering a breach, including how to reach your IRS Stakeholder Liaison and which state notification obligations apply.
Each section includes fillable prompts, checkboxes, and sample policy language. You are not starting from a blank page—you are customizing a professionally structured document to match your actual operations.
How to Implement Your WISP Using IRS Publication 5708
Download the Template and Supporting Publications
Obtain IRS Publication 5708, Publication 4557, and Publication 5293 from IRS.gov. Read Publication 4557 first to understand your legal obligations before filling in the template.
Designate Your Security Coordinator
Name the individual responsible for the WISP before completing any other section. In a solo practice, you are the coordinator. Record the name and contact information directly in the plan.
Complete Your Risk Assessment
Inventory every system, application, and storage location where taxpayer data lives—tax software, shared drives, email accounts, paper files—then document realistic threats each faces.
Document Technical and Physical Safeguards
For each identified risk, record the controls in place: MFA settings, encryption status, firewall configuration, locked filing cabinets, clean-desk policy, and visitor access procedures.
Catalog All Service Providers
List every vendor that stores, processes, or transmits taxpayer data, and document their security practices or the contractual security provisions in your agreements with them.
Record Your Employee Training Program
Document when training occurred, who attended, what topics were covered, and how often training will recur. Verbal briefings are not sufficient—you need written records the plan can reference.
Write Your Incident Response Procedures
Record your IRS Stakeholder Liaison's direct contact information, the immediate containment steps you will take after a breach, and your state's notification requirements.
Schedule Annual Reviews and Test Your Controls
Set a review date—many practices use the post-filing-season quiet period—update the WISP after any material change, and verify that the controls you documented actually work as intended.
Tailoring the IRS Publication 5708 WISP Template to Your Firm's Size
The Security Summit built the IRS Publication 5708 WISP template so that a sole practitioner and a ten-partner accounting firm can both use it—but produce appropriately different outputs. Firm size does not change your legal obligation; it changes how detailed your documentation needs to be.
Sole practitioners operating from a single workstation with one cloud-based tax platform and no employees face a limited risk surface. Your WISP still requires every section, but the answers will be concise. The template's sample language is already written with smaller practices in mind, and a well-prepared sole-practitioner WISP can typically be completed in an afternoon.
Firms with two to ten staff face a more complex task. You have multiple endpoints to secure, employees who require formal training documentation, and several service provider relationships to catalog. Access controls and employee offboarding deserve particular attention at this scale: staff turnover is a recurring cause of data exposure in small tax offices. When an employee departs without having their credentials revoked, every system they accessed, including the tax software, the email account, the document portal, and any shared drive, remains a potential entry point. The system inventory from your risk assessment doubles as the offboarding checklist: walk it line by line on the employee's last day and record the revocation in the WISP.
Firms with more than ten employees will find Publication 5708 serves as a solid foundation, but the template alone rarely covers the full scope of documentation needed. At this scale, role-based access controls, formal onboarding and offboarding procedures, and network segmentation typically warrant their own subsidiary policy documents that the WISP references as appendices.
The FTC Safeguards Rule requires that your security program be appropriate for the sensitivity of the data you handle—not just its volume. If you specialize in high-net-worth clients, business returns, or payroll services, your risk assessment should reflect that heightened exposure, and your controls must match. The comparison below outlines how documentation requirements shift across firm sizes.
The Data Theft Response Plan: Your Most Time-Sensitive WISP Section
Of all the sections in the IRS Publication 5708 WISP template, the data theft response plan demands the most immediate attention when something goes wrong. Tax preparers who discover a breach face a narrow window to act: IRS Stakeholder Liaisons expect prompt notification, state laws may impose 72-hour reporting deadlines, and delayed action amplifies both financial and reputational damage.
Thinking through your response before an incident occurs is what separates a controlled recovery from a chaotic one. Your plan should answer four questions before anything ever goes wrong:
- Who is your IRS Stakeholder Liaison? Every state has one. Find your Stakeholder Liaison using the IRS contact directory and record their direct phone number in your WISP now—not buried in a bookmark you may not be able to reach during a crisis.
- What data was exposed, and where does it live? This is exactly why the risk assessment section matters. If you have already inventoried every location where taxpayer data lives, you can rapidly assess the scope of any incident rather than guessing under pressure.
- Who else must be notified? Depending on your state, a breach affecting Social Security numbers or financial account information may trigger mandatory notification to the state attorney general, affected clients, and potentially credit bureaus. List these obligations explicitly in your plan—do not leave them to be discovered in a crisis moment.
- How will you contain and recover? Document the immediate steps: isolating compromised systems, revoking affected credentials, engaging your IT provider or managed security service, and preserving evidence for forensic review.
A well-documented incident response plan for your tax practice is evidence of reasonable care if your firm ever faces regulatory scrutiny after a breach. If a regulator asks whether you took data security seriously, the documented response plan is exhibit A.
Annual Review Required — FTC Safeguards Rule
The FTC Safeguards Rule requires you to evaluate and adjust your security program in light of testing results and any material change to your business (new software, staff changes, a new office location, or a security incident). Reviewing the Written Information Security Plan at least once a year is the baseline the IRS and the Security Summit expect, and it is the interval regulators will ask about. A WISP with a creation date but no documented revision history gives you no way to show that those reviews ever happened, regardless of when it was originally completed. Set your next annual review date before closing out the current filing season.
Common WISP Gaps That Leave Tax Practices Exposed
After working with tax and accounting firms across the country, the same documentation failures appear repeatedly. Most reflect a document completed once and never revisited. The IRS Publication 5708 WISP template is only as effective as the discipline applied to keeping it current.
Gap 1: Treating the WISP as a one-time task. The FTC Safeguards Rule requires regular testing of your safeguards and periodic evaluation of the whole program, not a rubber-stamp renewal but an actual assessment of whether your controls still work. If your WISP has a creation date but no revision history, it is likely out of compliance. Many practitioners align their annual review with the end of filing season, when client demands ease and staff have time to actually read the document.
Gap 2: Missing or incomplete vendor documentation. Tax offices routinely add new software tools—e-signature platforms, document portals, payroll integrations—without updating the WISP. Every new vendor that handles taxpayer data belongs in your service provider section before they go live. Explore the security considerations for tax client portals to understand what questions to ask vendors before you sign up.
Gap 3: No evidence of employee training. Telling staff about security policies verbally is not sufficient documentation under the Safeguards Rule. Your WISP must reflect that training occurred, who attended, what was covered, and when it will recur. Formal security awareness training for tax preparers generates the attendance records and topic logs your WISP needs to reference.
Gap 4: Incomplete MFA documentation. The amended FTC Safeguards Rule requires multi-factor authentication for anyone accessing systems that hold customer information, and the IRS and Security Summit have made MFA an explicit expectation for tax software and client portals. Your WISP should document not only that MFA is enabled, but which systems it covers, the authentication method in use (authenticator app, hardware token, or SMS), and your recovery procedure when a staff member loses device access. Note the method matters: SMS codes can be intercepted through SIM swapping and are easily phished, so an authenticator app or hardware token is the better choice, and a WISP that records "SMS" on the tax software login should also record the plan to move off it.
Gap 5: No physical security provisions. Digital safeguards receive most of the attention, but Publication 5708 also covers physical access controls—locking filing cabinets, clean-desk policies, visitor logs, and secure document disposal. These sections are frequently left blank. Physical exposure matters: an unlocked office or an improperly discarded document can expose taxpayer data just as effectively as a network intrusion.
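The five gaps above, together with the offboarding point made earlier in the firm-size section, are all things a practice can check mechanically once the WISP's inventory is kept in a structured form rather than only in prose. The script below is an added illustration, not part of IRS Publication 5708 or this page's own material: it runs a gap check over a small inventory for a hypothetical three-person practice. The record layout (systems, vendors, staff, training sessions, physical controls, review date) is a schema assumed for this example, and every value in the sample data is constructed.

```python
"""WISP gap check over a structured inventory (added example; hypothetical schema,
constructed sample data, not IRS or Security Summit material)."""
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=365)           # annual review baseline
WEAK_MFA = {"sms"}                               # phishable / SIM-swap exposed
PHYSICAL_CONTROLS = ("locked_cabinets", "clean_desk_policy",
                     "visitor_log", "secure_disposal")

# Constructed inventory for a hypothetical practice; none of this is real data.
SAMPLE_WISP = {
    "coordinator": {"name": "J. Doe", "phone": "555-0100"},
    "last_review": "2024-05-15",
    "systems": [
        {"name": "tax-software", "holds_taxpayer_data": True, "mfa": "app",
         "users": ["jdoe", "asmith", "bjones"]},
        {"name": "email", "holds_taxpayer_data": True, "mfa": "sms",
         "users": ["jdoe", "asmith", "bjones"]},
        {"name": "shared-drive", "holds_taxpayer_data": True, "mfa": None,
         "users": ["jdoe", "bjones"]},
        {"name": "website-cms", "holds_taxpayer_data": False, "mfa": None,
         "users": ["jdoe"]},
    ],
    "vendors": [
        {"name": "CloudStore Inc", "handles_taxpayer_data": True,
         "security_docs": "SOC 2 Type II report on file, reviewed 2024-04"},
        {"name": "E-Sign Co", "handles_taxpayer_data": True, "security_docs": ""},
    ],
    "staff": [
        {"user": "jdoe", "active": True},
        {"user": "asmith", "active": True},
        {"user": "bjones", "active": False},   # departed, never offboarded
    ],
    "training": [
        {"date": "2024-03-01", "attendees": ["jdoe"], "topics": ["phishing", "handling client PII"]},
    ],
    "physical": {"locked_cabinets": True, "clean_desk_policy": True,
                 "visitor_log": False, "secure_disposal": True},
}


def find_gaps(wisp, today_iso):
    """Return a list of (severity, message) tuples describing documentation gaps."""
    today = date.fromisoformat(today_iso)
    gaps = []

    # Named coordinator with reachable contact details.
    coord = wisp.get("coordinator") or {}
    if not coord.get("name") or not coord.get("phone"):
        gaps.append(("high", "no named security coordinator with contact details"))

    # Gap 1: review older than the annual baseline.
    last = date.fromisoformat(wisp["last_review"])
    if today - last > REVIEW_INTERVAL:
        gaps.append(("high", f"annual review overdue: last reviewed {last.isoformat()}"))

    # Gap 4: MFA on every system that holds taxpayer data; SMS flagged as weak.
    for s in wisp["systems"]:
        if not s["holds_taxpayer_data"]:
            continue
        if not s["mfa"]:
            gaps.append(("high", f"{s['name']}: no MFA on a system holding taxpayer data"))
        elif s["mfa"] in WEAK_MFA:
            gaps.append(("medium", f"{s['name']}: MFA method '{s['mfa']}' is phishable; "
                                   "prefer an authenticator app or hardware token"))

    # Gap 2: every vendor touching taxpayer data needs security documentation.
    for v in wisp["vendors"]:
        if v["handles_taxpayer_data"] and not v["security_docs"].strip():
            gaps.append(("high", f"{v['name']}: vendor handles taxpayer data but has "
                                 "no security documentation on file"))

    # Offboarding: departed staff who still appear on any system's user list.
    departed = {p["user"] for p in wisp["staff"] if not p["active"]}
    for s in wisp["systems"]:
        for user in sorted(departed & set(s["users"])):
            gaps.append(("high", f"{s['name']}: departed user '{user}' still has access"))

    # Gap 3: every active staff member must appear in a training record.
    trained = {a for t in wisp["training"] for a in t["attendees"]}
    for p in wisp["staff"]:
        if p["active"] and p["user"] not in trained:
            gaps.append(("medium", f"{p['user']}: no documented security training"))

    # Gap 5: physical safeguards left blank or marked absent.
    phys = wisp.get("physical", {})
    for control in PHYSICAL_CONTROLS:
        if not phys.get(control):
            gaps.append(("medium", f"physical safeguard '{control}' not documented"))

    return gaps


if __name__ == "__main__":
    for severity, message in find_gaps(SAMPLE_WISP, "2025-06-01"):
        print(f"[{severity:6}] {message}")
```

Run against the sample inventory on 2025-06-01 the check reports nine findings: the overdue review, the shared drive with no MFA, the SMS-only email account, the e-signature vendor with nothing on file, the departed employee still listed on three systems, one untrained active staff member, and the missing visitor log. The same run a year earlier reports eight, since the review was then still within the interval. Keeping the inventory in this shape also gives you something concrete to hand a reviewer when they ask for evidence that the annual review actually happened.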
Bottom Line
The five gaps above appear in the majority of tax practice WISPs reviewed by our team. Each one—especially incomplete MFA documentation and missing vendor records—can transform a good-faith compliance effort into an enforcement liability. Addressing them proactively takes hours; addressing them reactively, after a breach or audit, costs far more in time, money, and client trust.
WISP Compliance Checklist for Tax Preparers
- Designate a named security coordinator and record their contact information in the WISP
- Inventory all systems, applications, and file storage locations that contain taxpayer data
- Complete a formal risk assessment for each identified data location and threat scenario
- Enable and document multi-factor authentication on all tax software, portals, and email accounts
- List all vendors with access to taxpayer data, including cloud storage and e-signature platforms
- Establish and document physical security controls: locked cabinets, clean-desk policy, visitor log
- Record employee security training dates, attendees, and topics covered — obtain written acknowledgments
- Record your IRS Stakeholder Liaison's direct contact information in your breach response plan
- Document step-by-step data breach containment and state notification procedures
- Set a calendar reminder for your next annual WISP review and controls testing cycle
Free WISP Template for Tax Preparers
Bellator Cyber Guard provides a ready-to-use WISP template built for IRS Publication 5708 compliance. All required sections, sample policy language, and fillable fields — ready to customize for your firm size.
Where to Get the Template and Build Your Supporting Resources
IRS Publication 5708 is available at no cost directly from the IRS. Download IRS Publication 5708 as a fillable PDF from IRS.gov. For a thorough view of your compliance obligations, also obtain IRS Publication 4557: Safeguarding Taxpayer Data and IRS Publication 5293, the Data Security Resource Guide for Tax Professionals. All three documents are designed to work together: Publication 4557 explains your legal obligations; Publication 5708 provides the WISP template to document how you meet them; Publication 5293 gives threat-by-threat guidance on the attack vectors most commonly used against tax practices.
For remote staff or practitioners who access client data outside the main office, document your remote access controls—VPN requirements, device management policies, and screen-lock enforcement—in the technical safeguards section. Our guide on IRS Written Information Security Plan requirements covers remote work documentation in detail, including how to handle personal devices used for business purposes.
If you need help completing the template, identifying gaps in your current security posture, or verifying that your WISP meets current FTC and IRS requirements, Bellator Cyber Guard offers a structured WISP assessment and documentation service for tax and accounting practices. Our team works exclusively with financial and tax professionals and understands both the specific data environments and the threat actors that target this industry.
Frequently Asked Questions
What is IRS Publication 5708?
IRS Publication 5708 is a free, fillable Written Information Security Plan (WISP) template published by the IRS Security Summit, a collaboration between the IRS, state tax agencies, and tax software companies. The template gives tax and accounting professionals a structured framework to document their data security program, covering risk assessment, technical and physical safeguards, employee training, vendor management, and breach response procedures.
Who is required to have a WISP?
Under the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule, any professional tax preparer, including sole practitioners, enrolled agents, CPAs, bookkeepers, and registered tax return preparers, who receives, maintains, or transmits nonpublic personal financial information is required to have a WISP. This obligation applies regardless of firm size, number of clients, or number of returns filed annually.
How long does a WISP need to be?
The FTC sets no minimum or maximum page length for a WISP. The plan must be appropriate for the size, complexity, and sensitivity of the data your practice handles. A sole practitioner using a single tax software platform may complete a thorough plan in five to ten pages. A multi-partner firm with remote staff and multiple vendor integrations may require a more detailed document with attached subsidiary policies. Length should reflect your real operations, not a desire to appear thorough.
How often must the WISP be reviewed and updated?
Review and update your WISP at least once a year; that is the baseline the IRS and the Security Summit expect. The FTC Safeguards Rule also requires you to evaluate and adjust your program whenever there is a material change to your business: adding new software, onboarding or offboarding staff, ending a vendor relationship, moving offices, or experiencing a security incident. The review must be an actual assessment of whether your controls still work, not just confirmation that the document still exists.
How do Publication 4557 and Publication 5708 differ?
IRS Publication 4557 (Safeguarding Taxpayer Data) explains your legal obligations as a tax preparer and outlines the baseline security practices the IRS expects. IRS Publication 5708 is the fillable WISP template that helps you fulfill those obligations by documenting your security program in a structured format. Read Publication 4557 to understand what the law requires; use Publication 5708 to document how you meet those requirements.
Can I use the Publication 5708 template as-is?
Yes, but customization is expected and required. The template provides sample language and fillable sections, but you must adapt each section to reflect your actual systems, staff, vendors, and practices. A plan with unmodified placeholder language that does not match your real operations does not constitute a compliant WISP under the FTC Safeguards Rule; it is a document that describes a hypothetical practice, not yours.
What happens if a tax preparer does not have a WISP?
Tax preparers without a WISP, or with an outdated, incomplete plan, face potential FTC enforcement actions and civil penalties under the Gramm-Leach-Bliley Act and the Safeguards Rule. Many states have their own data security laws with separate penalties. Beyond regulatory exposure, the absence of a documented security plan is typically treated as evidence of inadequate care if a breach leads to regulatory or legal proceedings. The IRS may also factor WISP compliance into preparer oversight actions, and PTIN renewal now requires confirming that you are aware of the data security obligation.
Does an attorney or security professional need to review my WISP?
Neither an attorney review nor a security professional's approval is legally required, but both add meaningful value. Legal review helps ensure your plan addresses state-specific notification requirements and liability exposure. A cybersecurity professional can verify that your documented safeguards actually work in practice, particularly for technical controls like multi-factor authentication, encryption, and network configuration. Many tax practices benefit from an annual third-party WISP review before filing season begins, when there is still time to address any identified gaps.