
What Is IRS Publication 5708 and Who Needs It?
Every professional tax preparer in the United States is legally required to maintain a Written Information Security Plan (WISP). The IRS Publication 5708 WISP template is the federal government's free, fillable tool designed to help practitioners meet that requirement without hiring an attorney or outside consultant.
The Security Summit, a public-private partnership between the IRS, state tax agencies, and the major tax software companies, published IRS Publication 5708: Creating a Written Information Security Plan for Your Tax & Accounting Practice. You can download IRS Publication 5708 as a fillable PDF from IRS.gov at no cost.
The legal obligation flows from two federal laws. The Gramm-Leach-Bliley Act (GLBA) classifies tax preparers as "financial institutions" because they receive and maintain nonpublic personal financial information from clients. The FTC Safeguards Rule, updated significantly in January 2023, translates GLBA obligations into specific operational requirements: a documented risk assessment, named security controls, employee training records, vendor oversight, and a written incident response plan.
Our detailed breakdown of the FTC Safeguards Rule for tax preparers explains what changed under the 2023 updates and what your practice must document in 2026. IRS Publication 4557: Safeguarding Taxpayer Data reinforces these requirements and explicitly cross-references the WISP obligation. Our Publication 4557 compliance guide covers how the two documents work together as a system.
Non-compliance exposes your practice to FTC enforcement actions, state-level penalties, and the reputational damage of a taxpayer data breach. The GLBA does not exempt small firms or sole practitioners. If you prepare tax returns for clients and handle their financial records, the law applies to you. IRS Publication 5708 was intentionally written in plain language so that practitioners without in-house security staff can complete it independently.
Active Compliance Requirement: No Size Exemption
The FTC Safeguards Rule requires all tax preparers covered by the GLBA to maintain a documented, operative Written Information Security Plan. There is no firm-size exemption. A sole practitioner with a single client is subject to the same core WISP requirements as a multi-partner accounting firm. The IRS reinforces this obligation through annual PTIN renewal guidance. See our PTIN and WISP requirements guide for how compliance connects to your preparer registration.
What the IRS Publication 5708 WISP Template Covers
Tax practices are high-value targets for identity thieves. A single client file contains everything a fraudster needs to file a false return: Social Security numbers, birth dates, income figures, and financial account data. The IRS has listed tax professional data theft among its annual "Dirty Dozen" fraud schemes for multiple consecutive years, and the Security Summit designed IRS Publication 5708 directly in response to that threat.
The template functions as a guided questionnaire. It prompts you to inventory your systems, identify realistic threats, select appropriate safeguards, and document your decisions. It does not prescribe one correct answer for every practice; it guides you to document the right answers for your specific setup. Here is what each major section covers:
- Designated Security Coordinator: You must name one individual accountable for the WISP. In a solo practice, that is you. This person owns the plan, conducts annual reviews, and serves as the point of contact during security incidents.
- Risk Assessment: Catalog the types of taxpayer data you collect, the systems that store or transmit it, and the threats those systems realistically face. This section shapes every safeguard you select afterward.
- Technical Safeguards: Multi-factor authentication (MFA) for tax software access, disk encryption, firewalls, and screen-lock policies are all covered. The template asks you to document what is in place and note what, if anything, provides equivalent protection where a listed control does not apply.
- Physical Safeguards: Office access controls, clean-desk policies, locked filing cabinets, and secure document disposal are frequently overlooked areas where tax offices face genuine exposure. An unlocked office or improperly discarded paper return can expose taxpayer data just as effectively as a network intrusion.
- Service Provider Management: Every cloud storage provider, e-signature platform, payroll processor, or other third party that handles taxpayer data on your behalf must be listed, along with documentation of their security practices or contractual commitments. Our guide to tax client portal security explains what questions to ask vendors before you sign up.
- Employee Training: The plan must document how and when staff are trained on security policies, phishing recognition, and data handling. Verbal mentions in a staff meeting do not satisfy the Safeguards Rule documentation requirement.
- Data Theft Response Plan: This section directs you to document the steps you will take immediately after discovering a breach, including how to reach your IRS Stakeholder Liaison and which state notification requirements apply.
Each section includes fillable prompts, checkboxes, and sample policy language. You are customizing a professionally structured document, not starting from a blank page.
The Cost of Weak Security: By the Numbers
IBM Cost of Data Breach Report 2024
Verizon Data Breach Investigations Report 2024
IBM Cost of Data Breach Report 2024
Tailoring the IRS Publication 5708 WISP Template to Your Firm's Size
The Security Summit designed IRS Publication 5708 so that a sole practitioner and a ten-partner accounting firm can both use it, but produce appropriately different outputs. Firm size does not change your legal obligation; it changes how detailed your documentation needs to be.
Sole practitioners operating from a single workstation with one cloud-based tax platform and no employees face a limited risk surface. Your WISP still requires every section, but the answers will be concise. A well-prepared sole-practitioner WISP can typically be completed in an afternoon. Our dedicated WISP guide for small tax firms provides a section-by-section walkthrough at this scale.
Firms with two to ten staff face a more complex task. Multiple endpoints require security, employees need formal training documentation, and several service provider relationships must be catalogued. Access controls and employee offboarding deserve particular attention at this scale. Staff turnover is one of the most common causes of data exposure in small tax offices. When an employee departs without having their credentials revoked, every system they previously accessed becomes a potential entry point.
Firms with more than ten employees will find Publication 5708 serves as a solid foundation, but the template alone rarely covers the full scope of documentation needed. Role-based access controls (RBAC), formal onboarding and offboarding procedures, and network segmentation typically warrant their own subsidiary policy documents that the WISP references as appendices.
The FTC Safeguards Rule requires that your security program be appropriate for the sensitivity of the data you handle, not just its volume. If you specialize in high-net-worth clients, business returns, or payroll services, your risk assessment should reflect that heightened exposure, and your controls must match.
The Data Theft Response Plan: Your Most Time-Sensitive WISP Section
Of all the sections in the IRS Publication 5708 WISP template, the data theft response plan requires the most preparation before any incident occurs. Tax preparers who discover a breach face a narrow window to act. IRS Stakeholder Liaisons expect prompt notification, and state laws may impose reporting deadlines as short as 72 hours. Delayed action amplifies both financial and reputational damage.
Your plan should answer four questions before any incident ever occurs:
Who is your IRS Stakeholder Liaison? Every state has one. Find your Stakeholder Liaison using the IRS contact directory and record their direct phone number in your WISP now, not buried in a bookmark you may not be able to access during a crisis. Our incident response plan guide for tax practices covers how to document containment steps and forensic evidence preservation.
What data was exposed, and where does it live? This is exactly why the risk assessment section matters. If you have already inventoried every location where taxpayer data resides, you can rapidly assess the scope of any incident rather than guessing under pressure.
Who else must be notified? Depending on your state, a breach affecting Social Security numbers or financial account information may trigger mandatory notification to the state attorney general, affected clients, and potentially credit bureaus. List these obligations explicitly in your plan. Our guide on what to do after a data breach provides a practical post-incident checklist for tax preparers.
How will you contain and recover? Document the immediate steps: isolating compromised systems, revoking affected credentials, engaging your IT provider or managed security service, and preserving evidence for forensic review. A well-documented incident response plan is evidence of reasonable care if your firm ever faces regulatory scrutiny after a breach.
How to Complete Your IRS Publication 5708 WISP
Download the Template
Get IRS Publication 5708 as a free fillable PDF from IRS.gov. Also download IRS Publication 4557 and Publication 5293, which work together with the WISP template to cover all compliance areas.
Designate Your Security Coordinator
Name one individual accountable for the WISP and record their contact information in the plan. In a solo practice, this is the owner. In larger firms, it should be a named partner or operations lead.
Inventory All Data Systems
List every location where taxpayer data is stored, transmitted, or processed: desktop software, cloud platforms, email accounts, backup drives, and any third-party portals or file-sharing tools.
Complete the Risk Assessment
For each data location, identify realistic threats such as phishing, ransomware, and physical theft, then document the likelihood and potential impact of each threat scenario.
Document Technical and Physical Safeguards
Enable and document MFA on all tax software and client portals. Record encryption status, firewall configuration, screen-lock policies, and physical access controls for your office space.
List All Service Providers
Catalog every vendor that handles taxpayer data: e-signature platforms, document portals, payroll integrations, and cloud storage. Note their security certifications or contractual obligations.
Record Employee Training Procedures
Document when training occurs, who attends, what topics are covered, and how attendance is recorded. Collect written acknowledgments from staff confirming they reviewed your security policies.
Complete the Data Theft Response Plan
Record your IRS Stakeholder Liaison's direct phone number, list applicable state notification requirements, and write out step-by-step containment and recovery procedures.
Schedule Your Annual Review
Set a calendar reminder to review and update the WISP at least once per year. Many tax offices align this review with the end of filing season, when client demands ease and staff have time for the task.
The Annual Review Requirement
The FTC Safeguards Rule requires annual testing and review of your security program, not a rubber-stamp renewal but an actual assessment of whether your controls still work. If your WISP has a creation date but no revision history, it is likely out of compliance. A plan completed in 2023 and never updated does not satisfy the Safeguards Rule's ongoing compliance requirements.
Common WISP Gaps That Leave Tax Practices Exposed
After working with tax and accounting firms across the country, Bellator Cyber Guard's team consistently sees the same documentation failures. Most reflect a plan completed once and never revisited. The IRS Publication 5708 WISP template is only as effective as the discipline applied to keeping it current.
Gap 1: Treating the WISP as a one-time task. The FTC Safeguards Rule requires annual testing and review of your security program. If your WISP has a creation date but no revision history, it is likely out of compliance. Controls change, staff changes, and software changes; the document must keep pace with your actual operations.
Gap 2: Missing or incomplete vendor documentation. Tax offices routinely add new software tools without updating the WISP. Every new vendor that handles taxpayer data belongs in your service provider section before they go live. The Safeguards Rule requires documented oversight of all third parties with access to customer information.
Gap 3: No evidence of employee training. Telling staff about security policies verbally is not sufficient documentation under the Safeguards Rule. Your WISP must reflect that training occurred: who attended, what was covered, and when it will recur. Written acknowledgment from each employee strengthens the documentation considerably.
Gap 4: Incomplete MFA documentation. The IRS makes Multi-Factor Authentication an explicit requirement for accessing tax software and client portals. Your WISP should document not only that MFA is enabled, but which systems it covers, the authentication method in use, and your recovery procedure when a staff member loses device access.
Gap 5: No physical security provisions. Digital safeguards receive most of the attention, but Publication 5708 also covers physical access controls: locking filing cabinets, clean-desk policies, visitor logs, and secure document disposal. These sections are frequently left blank. Physical exposure matters as much as network security, especially in shared office environments or home-based practices.
WISP Compliance Checklist for Tax Preparers
- Designate a named security coordinator and record their contact information in the WISP
- Inventory all systems, applications, and file storage locations that contain taxpayer data
- Complete a formal risk assessment for each identified data location and threat scenario
- Enable and document multi-factor authentication on all tax software, client portals, and email accounts
- List all vendors with access to taxpayer data, including cloud storage and e-signature platforms
- Establish and document physical security controls: locked cabinets, clean-desk policy, and visitor log
- Record employee security training dates, attendees, and topics covered with written acknowledgments
- Record your IRS Stakeholder Liaison's direct phone number in your breach response plan
- Document step-by-step data breach containment, notification, and recovery procedures
- Set a calendar reminder for your annual WISP review and controls testing cycle
Free 2026 WISP Template for Tax Preparers
Download Bellator Cyber Guard's 2026 WISP template, built around IRS Publication 5708 and updated for current FTC Safeguards Rule requirements.
Where to Get the Template and Build Your Supporting Resources
IRS Publication 5708 is available at no cost from the IRS. Download the fillable PDF from IRS.gov and begin customizing it to your practice. For a thorough view of your compliance obligations, also obtain IRS Publication 4557: Safeguarding Taxpayer Data and IRS Publication 5293, the Data Security Resource Guide for Tax Professionals. All three documents are designed to work together: Publication 4557 explains your legal obligations, Publication 5708 provides the WISP template to document how you meet them, and Publication 5293 gives threat-by-threat guidance on the attack vectors most commonly used against tax practices.
Our IRS Written Information Security Plan guide explains how these documents interrelate and what a complete compliance package looks like. For remote staff or practitioners who access client data outside the main office, document your remote access controls in the technical safeguards section: VPN requirements, device management policies, and screen-lock enforcement. Publication 5708 includes specific prompts for remote work scenarios in the technical safeguards section.
Practices that want a pre-built solution combining WISP documentation with active security monitoring can explore our all-in-one tax compliance package, which covers both the documentation layer and the technical controls the IRS expects to see in place. If you need help completing the template, identifying gaps in your current security posture, or verifying that your WISP meets current FTC and IRS requirements, Bellator Cyber Guard offers a structured WISP assessment and documentation service built exclusively for tax and accounting practices.
Not Sure If Your WISP Is Compliant? Get a Free Review.
Our cybersecurity team works exclusively with tax and accounting practices. We will review your existing WISP or help you build one from scratch using IRS Publication 5708, and identify any gaps before a breach or regulatory audit finds them first.
Frequently Asked Questions
IRS Publication 5708, officially titled Creating a Written Information Security Plan for Your Tax & Accounting Practice, is a free, fillable template published by the IRS Security Summit. It guides tax preparers through creating a Written Information Security Plan (WISP) that meets the requirements of the FTC Safeguards Rule and IRS data security guidance. The document is available as a downloadable PDF from IRS.gov and is written in plain language that requires no specialized cybersecurity knowledge to complete.
All professional tax preparers who handle nonpublic personal financial information from clients are required to have a WISP under the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule. This includes sole practitioners, small and large accounting firms, CPAs, enrolled agents, and any other paid tax return preparers. There is no size exemption. Even a sole practitioner who prepares only a few returns per year is covered by the law.
There is no required page count or minimum length for a WISP. A sole practitioner with a simple technology setup can have an adequate WISP in five to ten pages. Larger firms with multiple employees, locations, and service providers will naturally produce a longer, more detailed document. What matters is that the WISP accurately reflects your actual systems, controls, and procedures. A short, accurate WISP is better than a long one that does not match your real operations.
The FTC Safeguards Rule requires that you review and update your WISP at least once per year, and whenever there is a material change to your business operations, technology environment, or threat situation. Material changes include adding a new tax software platform, hiring or terminating employees with data access, opening a new office location, or switching to remote work arrangements. The annual review should be documented, dated, and referenced in a revision history section of the WISP.
IRS Publication 4557: Safeguarding Taxpayer Data explains the legal requirements and obligations tax preparers must meet. It describes what you must protect, the laws that require protection, and the consequences of non-compliance. IRS Publication 5708 is the operational complement: it provides the actual WISP template you use to document how you meet those obligations. Publication 4557 explains your requirements; Publication 5708 is the fill-in-the-blanks tool to document your compliance program.
No. The template is designed to be customized to your specific practice. It includes sample language and fillable fields that you must complete with information specific to your systems, staff, vendors, and procedures. An unmodified, blank, or generic template does not satisfy the FTC Safeguards Rule's requirement for a security program appropriate to your size, complexity, and the sensitivity of the data you handle. Every section must reflect your actual operations.
Operating without a WISP violates the FTC Safeguards Rule, which gives the FTC authority to pursue enforcement actions including civil penalties. State attorneys general also have enforcement authority under many state data protection laws. Beyond regulatory penalties, a tax preparer without a WISP who experiences a data breach faces client notification costs, potential civil liability, loss of professional reputation, and possible consequences during PTIN renewal. The IRS has identified WISP compliance as an active concern in its preparer oversight activities.
The FTC Safeguards Rule does not explicitly require that your WISP be reviewed by an attorney or certified security professional. However, if your practice handles particularly sensitive data, employs multiple staff members, or has experienced a prior security incident, professional review adds a meaningful layer of assurance. A qualified reviewer can identify gaps you may have overlooked, confirm that your controls are technically adequate, and produce documentation that demonstrates reasonable care if your firm faces regulatory scrutiny. A managed security provider experienced in the tax and accounting industry can typically complete this review efficiently and at a reasonable cost.
The IRS Security Summit is a public-private partnership between the IRS, state tax agencies, and major tax software companies formed in 2015 to combat tax-related identity theft and refund fraud. The Security Summit coordinates industry-wide security initiatives, develops best-practice guidance for tax preparers, and publishes resources like IRS Publication 5708. It represents a coordinated effort to strengthen the entire tax filing system against data theft, with participating companies agreeing to shared security standards and data safeguards.
Schedule
Need help with IRS compliance?
Our tax cybersecurity specialists can review your security posture and help you get compliant.


