
IRS WISP Template: Build Your Written Security Plan

Build a compliant IRS WISP template with our step-by-step guide. Covers IRS Publication 4557 and FTC Safeguards Rule requirements for all tax preparers.


What Is the IRS WISP Template and Who Needs One?

If you prepare federal tax returns—whether you run a solo practice or a multi-partner firm—you are legally required to maintain a Written Information Security Plan (WISP). The IRS WISP template is a standardized document framework that helps tax professionals meet this obligation under IRS Publication 4557, Safeguarding Taxpayer Data.

The requirement stems from the Gramm-Leach-Bliley Act (GLBA), which mandates that financial institutions—a category that includes tax return preparers under the Federal Trade Commission's (FTC) definition—implement a written information security program. The IRS and the FTC jointly enforce these requirements. Failure to comply can result in civil penalties, loss of your Preparer Tax Identification Number (PTIN), and personal liability for data breaches affecting client information.

A WISP is not a one-size-fits-all document. The IRS WISP template for tax professionals provides a customizable starting point, but your final plan must reflect your actual business operations, the specific data you collect, and the risks your practice faces. A template sitting in a drawer without customization does not satisfy regulators—they expect documented evidence that you have genuinely evaluated your security posture and put real controls in place.

The IRS collaborated with state tax agencies and the tax professional community to release an updated WISP template, and that framework remains the baseline expectation in 2026. The agency further reinforced these expectations with IRS Publication 5708, which provides a sample WISP document that tax professionals can use as an additional reference alongside the original template. Understanding how to use and tailor these resources is where sound cybersecurity for tax professionals begins.

Tax Data Security By The Numbers

  • 68% of breaches involve a human element (Verizon 2024 DBIR)
  • $2.2M average saved with security automation (IBM Cost of Data Breach Report 2024)
  • 100% of tax preparers are required to have a WISP (IRS Publication 4557, no exemptions)

IRS Publication 4557 and Your Legal Obligations

IRS Publication 4557 is the primary guidance document outlining data security requirements for tax professionals. It covers physical security of client files, proper data disposal, employee training, and the technical controls you must have in place. These are not optional best practices—they describe the minimum standard of care the IRS expects from anyone who handles taxpayer information.

Under Publication 4557, tax preparers must:

  • Designate a WISP coordinator responsible for managing and updating the plan
  • Conduct a formal risk assessment identifying threats to client data
  • Document safeguards that address each identified risk across administrative, technical, and physical domains
  • Train employees on data security policies at least annually
  • Oversee third-party service providers and their data security practices
  • Monitor, test, and adjust safeguards on an ongoing basis
  • Maintain a written incident response procedure with specific notification timelines

These IRS cybersecurity requirements apply to all paid tax return preparers, regardless of firm size. Even a sole proprietor preparing a handful of returns per year must maintain a documented WISP. There is no small-firm exemption.

Employee training deserves particular attention. According to the Verizon 2024 Data Breach Investigations Report, 68% of breaches involve a human element—meaning staff who click phishing links, mishandle credentials, or fall for social engineering are the single greatest risk vector in most tax firm environments. Your WISP must document a real security awareness training program, not just a policy statement saying employees should be careful.

Beyond the IRS, the FTC's updated Safeguards Rule adds specificity around technical controls. Understanding the FTC Safeguards Rule for tax return preparers is essential to building a WISP that satisfies both agencies simultaneously.

Key Takeaway

Every paid tax return preparer must have a WISP—there is no exemption based on firm size or number of returns filed. The IRS and FTC enforce this requirement jointly, and non-compliance can result in penalties, PTIN suspension, and personal liability for client data breaches.

How to Build Your IRS WISP: 8 Essential Steps

1. Designate a WISP Coordinator

Appoint one individual responsible for developing, implementing, and maintaining the plan. In a solo practice, this is you. In a larger firm, choose someone with authority to enforce policies.

2. Inventory Your Data and Systems

Identify every system, device, and location where taxpayer data is stored, processed, or transmitted—including cloud software, local drives, email, portable media, and paper files.

3. Conduct a Formal Risk Assessment

Evaluate threats to each data asset: unauthorized access, phishing, ransomware, physical theft, employee error, and vendor vulnerabilities. Document likelihood and potential impact for each.

4. Define Administrative Safeguards

Write policies for employee background checks, acceptable use, data handling, vendor oversight, and role-based access. Document your employee onboarding and offboarding security procedures.

5. Implement Technical Safeguards

Deploy encryption for data at rest and in transit, multi-factor authentication (MFA), endpoint detection and response (EDR), automatic session timeouts, audit logging, and a documented patch management schedule.

6. Establish Physical Safeguards

Secure office access with locks or badge systems, store paper records in locked cabinets, restrict access to servers and networking equipment, and define home office security standards for remote staff.

7. Create an Incident Response Plan

Document step-by-step procedures for detecting, containing, and recovering from a breach. Include IRS stakeholder liaison contacts, state notification timelines, and client communication protocols.

8. Schedule Ongoing Reviews and Testing

Set a formal annual review date (ideally before tax season) and define triggers for ad-hoc updates. Test safeguards regularly and version-control every revision with a clear date stamp.

Core Components Every IRS WISP Template Must Include

Whether you use the IRS-provided template, a WISP example as a reference, or build your own from scratch, every compliant WISP must address three categories of safeguards: administrative, technical, and physical. Each addresses a distinct dimension of risk, and auditors will look for documentation in all three areas.

Administrative Safeguards

Administrative safeguards govern how your firm manages data security as a matter of policy. This includes your risk assessment process, employee training program, vendor management practices, and the oversight role of your WISP coordinator. A key element regulators focus on is vendor oversight—your WISP must document exactly how you vet third-party software providers and cloud storage vendors before sharing client data with them, and how you confirm they maintain adequate security over time.

Your vendor management documentation should include a list of all service providers with access to taxpayer data, the due diligence steps you took before engaging them, any contractual security requirements, and a schedule for periodic reviews of their security practices.

Technical Safeguards

Technical safeguards are the controls embedded in your systems and software. At minimum, your IRS WISP template should document:

  • Access controls: Who can access systems holding client data, how credentials are managed, and how terminated employees are promptly removed
  • Encryption: How data is protected on local drives, in cloud storage, and during transmission via email or encrypted file transfer portals
  • Multi-factor authentication: Required by the FTC Safeguards Rule for any system accessing customer financial data
  • Session management: Automatic logoff policies for unattended workstations
  • Audit logging: How your systems record data access events and how those logs are reviewed
  • Patch management: How and how frequently software updates are applied across all devices that touch client data

Physical Safeguards

Physical safeguards protect hardware and paper records. This covers locking file cabinets, restricting access to network equipment, and defining a secure document destruction process. If staff work from home, the WISP must address home office security—who else has access to the workspace and how client data is protected in that environment.

IRS WISP Compliance Checklist

  • Designated a WISP coordinator responsible for the security plan
  • Completed a written risk assessment identifying all threats to taxpayer data
  • Inventoried all systems, devices, and locations storing client information
  • Implemented multi-factor authentication on all tax software and email accounts
  • Enabled encryption for data at rest and in transit
  • Deployed endpoint detection and response (EDR) on all workstations
  • Documented employee security awareness training conducted within the past 12 months
  • Established vendor oversight procedures for all third-party service providers
  • Created a written incident response plan with IRS and state notification contacts
  • Defined physical security controls for office and home office environments
  • Set automatic session timeout policies on all workstations
  • Documented a patch management schedule for all software and devices
  • Scheduled the next annual WISP review date

The FTC Safeguards Rule: Requirements Beyond the IRS Template

The IRS WISP template addresses IRS Publication 4557 compliance, but tax preparers also fall under the FTC's updated Safeguards Rule, which introduced more specific technical mandates. If you prepare tax returns for clients, the FTC classifies you as a financial institution under the GLBA—with all the obligations that entails.

The updated Safeguards Rule introduces requirements that go beyond the IRS template's baseline:

  • Multi-factor authentication (MFA) for any system accessing customer financial data
  • Encryption of all customer data at rest and in transit
  • A written incident response plan as a standalone documented element, not just a section buried in a general policy
  • Regular testing of safeguards, including penetration testing on a defined schedule for firms handling data on 5,000 or more consumers
  • A designated qualified individual to oversee the security program—with documented oversight if a third-party provider fills this role
  • Annual reporting by the qualified individual to your board of directors or equivalent governing body

The practical result: a WISP built solely from the IRS template may satisfy Publication 4557 but fall short of the Safeguards Rule if it does not document these specific technical controls. Your plan needs to satisfy both simultaneously. The IBM Cost of Data Breach Report 2024 found that organizations using security AI and automation cut breach costs by an average of $2.2 million compared to those without—a strong case for implementing documented technical controls, not just paper policies.

Review your PTIN renewal security requirements as well—PTIN holders are increasingly expected to demonstrate active compliance as part of the renewal process, and regulators are beginning to cross-reference PTIN status with reported incident histories.

2026 Filing Season Compliance Reminder

The IRS expects all tax preparers to have an updated WISP in place before the 2026 filing season begins. Firms without a compliant plan risk PTIN suspension, FTC enforcement action, and personal liability for any client data breach. If your WISP has not been reviewed since last year, schedule your annual review now—before January workloads make it impossible.

Maintaining Your WISP: Annual Reviews and Triggered Updates

Creating your IRS WISP template is the starting point, not the finish line. Both the IRS and FTC require that your written security plan be reviewed and updated regularly—and both agencies expect you to revise it whenever a material change occurs in your business environment.

Trigger a WISP update any time you:

  • Add or remove a service provider that handles client data
  • Adopt new tax software, cloud storage, or payment processing tools
  • Hire or terminate employees with access to client information
  • Experience a security incident or a near-miss that reveals a gap
  • Move your office, change your network configuration, or expand remote work arrangements
  • Receive new guidance from the IRS, FTC, or your state tax authority

Most tax firms should schedule their formal annual WISP review in the fall—before the busy season begins in January. This gives you time to close any gaps before you are handling high volumes of sensitive client data. Version-control each revision with a clear date so you can demonstrate to a regulator exactly what was in place during any given filing season.

If a breach does occur, your incident response procedures activate immediately. The IRS requires you to notify your IRS stakeholder liaison, and you may face state notification obligations within specific time windows—often 30 to 60 days depending on the state. These contacts and timelines must be in your WISP before an incident, not researched after the fact. Firms that need help building this section should reference a dedicated incident response and ransomware protection plan.

Firms managing large volumes of sensitive data or pursuing higher security maturity will find value in understanding what a written information security plan looks like in the context of NIST SP 800-171 and ISO 27001:2022. Both frameworks provide a more rigorous structural foundation that goes well beyond IRS minimums and can help your firm stand out to security-conscious clients.

The Most Common WISP Mistake

Downloading a template and filing it away unchanged is the single most common compliance failure the IRS encounters. Regulators look for evidence that your WISP reflects your specific practice—your systems, your staff, your data flows, and your risks. A generic, uncustomized template will not protect you in an audit or a breach investigation. Take the time to tailor every section to your actual operations.

Why a WISP Alone Is Not Enough

A well-written WISP documents your security policies—but policies without enforcement are just paper. The IRS and FTC expect your WISP to describe controls that are actually deployed and operating, not aspirational goals. If your WISP says you use endpoint detection and response but you have not actually installed EDR software on every workstation, you are exposed in an audit and vulnerable in a breach.

This is where many tax practices struggle. Writing the document is one thing; implementing the technical controls it describes is another. A full compliance package pairs your WISP documentation with the actual security tools and monitoring needed to back it up—including managed EDR, encrypted backups, and ongoing data protection.

For firms weighing their options, the question is not whether you need a WISP—that is settled law. The question is whether your WISP reflects reality or just checks a box. Start with the step-by-step WISP creation guide, use the WISP checklist for CPA firms to validate every section, and invest in the technical controls that make your plan enforceable.

Frequently Asked Questions About the IRS WISP Template

Who is required to have a WISP?

Every paid tax return preparer is required to maintain a Written Information Security Plan under IRS Publication 4557 and the FTC Safeguards Rule. This includes sole proprietors, CPA firms, enrolled agents, and any professional who handles taxpayer data for compensation. There is no exemption based on firm size or the number of returns filed.

Is there a free IRS WISP template?

Yes. The IRS provides a free WISP template through IRS Publication 4557 and the supplemental Publication 5708 sample document. However, a free template still requires significant customization to reflect your specific practice, systems, and risks. An uncustomized template does not satisfy regulatory requirements.

What is the difference between a WISP and an incident response plan?

A WISP is your overall written information security program—it documents all administrative, technical, and physical safeguards protecting client data. An incident response plan is one component within the WISP that specifically addresses what happens when a security breach or incident occurs, including detection, containment, notification, and recovery steps. The FTC Safeguards Rule requires the incident response plan as a standalone documented element.

How often should a WISP be reviewed and updated?

At minimum, review and update your WISP annually. You should also update it whenever a material change occurs—such as adding new software, changing service providers, hiring or terminating staff with data access, experiencing a security incident, or receiving updated regulatory guidance. Most tax firms schedule their annual review in the fall, before the January filing season begins.

What are the penalties for not having a WISP?

Non-compliance can result in FTC enforcement action with civil penalties up to $100,000 per violation, suspension or revocation of your PTIN, state-level fines, and personal liability for any client data breach. Beyond penalties, a firm without a documented WISP has no defensible position if client data is compromised.

Does the FTC Safeguards Rule require more than the IRS template?

Yes. The FTC Safeguards Rule requires multi-factor authentication for systems accessing customer financial data, encryption of all customer data at rest and in transit, a standalone incident response plan, regular testing of safeguards (including penetration testing for larger firms), and a designated qualified individual overseeing the program. A WISP built only from the IRS template may not cover these additional mandates.

Can one WISP cover multiple entities or locations?

You can use one WISP as a foundation, but each entity or location must have its own documented assessment reflecting its specific systems, staff, physical environment, and risks. A single generic document covering multiple locations without location-specific details will not satisfy regulators during an audit.

What is the first step in building a WISP?

Designate a WISP coordinator—one person responsible for developing and maintaining the plan. Then conduct a thorough inventory of every system, device, and location where taxpayer data is stored, processed, or transmitted. This inventory forms the foundation for your risk assessment and all subsequent safeguards.
