What Is the IRS WISP Template and Who Needs One?
If you prepare federal tax returns — whether you run a solo practice or a multi-partner firm — you are legally required to maintain a Written Information Security Plan (WISP). The IRS WISP template is a standardized document framework that helps tax professionals meet this obligation under IRS Publication 4557, Safeguarding Taxpayer Data.
The requirement stems from the Gramm-Leach-Bliley Act (GLBA), which mandates that financial institutions — a category that includes tax return preparers under the FTC's definition — implement a written information security program. The IRS and the Federal Trade Commission (FTC) jointly enforce these requirements. Failure to comply can result in civil penalties, loss of your Preparer Tax Identification Number (PTIN), and personal liability for data breaches affecting client information.
A WISP is not a one-size-fits-all document. The IRS WISP template for tax professionals provides a customizable starting point, but your final plan must reflect your actual business operations, the specific data you collect, and the risks your practice faces. A template sitting in a drawer without customization does not satisfy regulators — they expect documented evidence that you have genuinely evaluated your security posture and put real controls in place.
The IRS collaborated with state tax agencies and the tax professional community to release an updated WISP template in 2022. That framework remains the baseline expectation today. Understanding how to use and tailor this template is where sound cybersecurity for tax professionals begins.
Tax Data Security By The Numbers
Sources cited: IBM Cost of Data Breach Report 2024; Verizon 2024 Data Breach Investigations Report.
IRS Publication 4557 and Your Legal Obligations
IRS Publication 4557 is the primary guidance document outlining data security requirements for tax professionals. It covers physical security of client files, proper data disposal, employee training, and the technical controls you must have in place. These are not optional best practices — they describe the minimum standard of care the IRS expects from anyone who handles taxpayer information.
Under Publication 4557, tax preparers must:
- Designate a WISP coordinator responsible for managing and updating the plan
- Conduct a formal risk assessment identifying threats to client data
- Document safeguards that address each identified risk
- Train employees on data security policies at least annually
- Oversee the data security practices of third-party service providers
- Monitor, test, and adjust safeguards on an ongoing basis
- Maintain a written incident response procedure
These IRS cybersecurity requirements apply to all paid tax return preparers, regardless of firm size. Even a sole proprietor preparing a handful of returns per year must maintain a documented WISP. There is no small-firm exemption.
Employee training deserves particular attention. According to the Verizon 2024 Data Breach Investigations Report, 68% of breaches involve a human element — meaning staff who click phishing links, mishandle credentials, or fall for social engineering are the single greatest risk vector in most tax firm environments. Your WISP must document a real training program, not just a policy statement.
Beyond the IRS, the FTC's updated Safeguards Rule — which took full effect in 2023 — adds specificity around technical controls. Understanding how the FTC Safeguards Rule applies to a tax return preparer is essential to building a WISP that satisfies both agencies simultaneously.
How to Build Your IRS WISP: 8 Essential Steps
Designate a WISP Coordinator
Assign a specific individual — even if that is you as the solo practitioner — to own the WISP. Document their name, role, and responsibilities in writing within the plan itself.
Inventory All Data and Systems
List every type of client data you collect (SSNs, bank account numbers, W-2 data, financials), where it is stored, who can access it, and how it flows through your practice from intake to filing to retention.
Conduct a Formal Risk Assessment
Identify realistic threats — phishing attacks, ransomware, physical theft of laptops, insider misuse — and evaluate the likelihood and potential impact of each. This assessment drives every safeguard decision that follows.
Implement Technical Safeguards
Deploy multi-factor authentication (MFA), endpoint protection, data encryption at rest and in transit, and a properly configured firewall. Document each control, the product or method used, and who is responsible for maintaining it.
Establish Physical and Administrative Controls
Address locked file storage, visitor access policies, clean-desk requirements, and background check standards for staff with access to client data. If staff work remotely, document home office security expectations explicitly.
Train All Staff Annually
Conduct documented security awareness training covering phishing recognition, password hygiene, data handling, and incident reporting. Retain signed acknowledgments and training completion records for each employee.
Write Your Incident Response Procedures
Define how your firm detects, contains, reports, and recovers from a breach. Include IRS stakeholder liaison contact details, state breach notification timelines, and the specific staff roles activated during an incident.
Review and Update on a Set Schedule
Revisit your WISP every year at minimum — most firms schedule this in the fall before filing season. Also update any time you change systems, hire staff with data access, or onboard a new service provider. Version-control each revision with a date.
Core Components Every IRS WISP Template Must Include
Whether you use the IRS-provided template or build your own from scratch, every compliant WISP must address three categories of safeguards: administrative, technical, and physical. Each addresses a distinct dimension of risk, and auditors will look for documentation in all three areas.
Administrative Safeguards
Administrative safeguards govern how your firm manages data security as a matter of policy. This includes your risk assessment process, employee training program, vendor management practices, and the oversight role of your WISP coordinator. A key element regulators focus on is vendor oversight — your WISP must document exactly how you vet third-party software providers and cloud storage vendors before sharing client data with them, and how you confirm they maintain adequate security over time.
Technical Safeguards
Technical safeguards are the controls embedded in your systems and software. At minimum, your IRS WISP template should document:
- Access controls: Who can access systems holding client data, how credentials are managed, and how terminated employees are promptly removed
- Encryption: How data is protected on local drives, in cloud storage, and during transmission via email or file transfer portals
- Session management: Automatic logoff policies for unattended workstations
- Audit logging: How your systems record data access events and how those logs are reviewed
- Patch management: How and how frequently software updates are applied across all devices that touch client data
Physical Safeguards
Physical safeguards protect hardware and paper records. This covers locking file cabinets, restricting access to network equipment, and defining a secure document destruction process. If staff work from home, the WISP must address home office security — who else has access to the workspace and how client data is protected in that environment.
Use our WISP checklist alongside the IRS template to confirm every required element is addressed before you finalize your plan.
What Your IRS WISP Must Address
Data Inventory & Classification
Identify every type of taxpayer data you collect, where it lives, how it moves through your practice, and who can access it — the foundation of your entire security plan.
Formal Risk Assessment
Document identified threats, likelihood of occurrence, potential impact, and the specific safeguards selected to reduce each risk to an acceptable level.
Access Controls & MFA
Enforce least-privilege access, strong password policies, and multi-factor authentication across every system that stores or processes client tax information.
Incident Response Procedures
Define detection, containment, and notification steps. Include IRS reporting contacts, state breach notification timelines, and staff role assignments for incident scenarios.
Employee Training Program
Document annual security awareness training covering phishing, social engineering, and proper data handling — with signed acknowledgments retained for each employee.
Vendor Oversight
Verify that all service providers — tax software vendors, cloud storage platforms, payment processors — maintain adequate security and sign written data protection agreements.
The FTC Safeguards Rule: Additional Requirements Beyond the IRS Template
The IRS WISP template addresses IRS Publication 4557 compliance, but tax preparers also fall under the FTC's updated Safeguards Rule, which took full effect in 2023 with more specific technical mandates. If you prepare tax returns for clients, the FTC classifies you as a financial institution under the GLBA — with all the obligations that entails.
The updated Safeguards Rule introduces requirements that go beyond the IRS template's baseline:
- Multi-factor authentication for any system accessing customer financial data
- Encryption of all customer data at rest and in transit
- A written incident response plan as a standalone documented element
- Regular testing of safeguards, including penetration testing on a defined schedule for larger firms
- A designated qualified individual to oversee the security program — with documented oversight if a third-party provider fills this role
The practical result: a WISP built solely from the IRS template may satisfy Publication 4557 but fall short of the Safeguards Rule if it does not document these specific technical controls. Your plan needs to satisfy both simultaneously.
The IBM Cost of Data Breach Report 2024 found that organizations using security AI and automation cut breach costs by an average of $2.2 million compared to those without — a meaningful case for implementing documented technical controls, not just paper policies.
Review your PTIN renewal security requirements as well — PTIN holders are increasingly expected to demonstrate active compliance as part of the renewal process, and regulators are beginning to cross-reference PTIN status with reported incident histories.
Maintaining Your WISP: Annual Reviews and Triggered Updates
Creating your IRS WISP template is the starting point, not the finish line. Both the IRS and FTC require that your written security plan be reviewed and updated regularly — and both agencies expect you to revise it whenever a material change occurs in your business environment.
Trigger a WISP update any time you:
- Add or remove a service provider that handles client data
- Adopt new tax software, cloud storage, or payment processing tools
- Hire or terminate employees with access to client information
- Experience a security incident or a near-miss that reveals a gap
- Move your office, change your network configuration, or expand remote work arrangements
- Receive new guidance from the IRS, FTC, or your state tax authority
Most tax firms should schedule their formal annual WISP review in the fall — before the busy season begins in January. This gives you time to close any gaps before you're handling high volumes of sensitive client data. Version-control each revision with a clear date so you can demonstrate to a regulator exactly what was in place during any given filing season.
If a breach does occur, your incident response procedures activate immediately. The IRS requires you to notify your IRS stakeholder liaison, and you may face state notification obligations within specific time windows. These contacts and timelines must be in your WISP before an incident — not researched after the fact. Use our incident response plan template to build out this section in detail.
Firms that want to align their WISP with broader federal security frameworks will find value in understanding what a written information security plan looks like in the context of NIST SP 800-171 and ISO 27001:2022 — both of which provide a more rigorous structural foundation for practices managing large volumes of sensitive data.
Common WISP Mistake: Templates Left Uncustomized
The most frequent compliance gap auditors identify is a WISP that is clearly a downloaded template with placeholder text still in place — firm name fields blank, risk assessments not completed, safeguard sections marked "to be determined." An unmodified template does not satisfy IRS Publication 4557. Your plan must document your specific data types, systems, identified risks, and the actual controls you have implemented to address them.
Get Expert Help Building Your IRS WISP
Bellator Cyber Guard works exclusively with tax professionals to build compliant, practice-specific WISPs that satisfy both IRS Publication 4557 and the FTC Safeguards Rule. Schedule a free strategy call to assess your current security posture.
Frequently Asked Questions About the IRS WISP Template
Who is required to have a WISP?
All paid federal tax return preparers are required to have a Written Information Security Plan under IRS Publication 4557. This includes sole proprietors, CPA firms, enrolled agents, and bookkeepers who prepare returns for compensation. There is no minimum number of returns that triggers the requirement — even a one-person practice filing a small number of returns per year must maintain a documented WISP.
Does the IRS provide a free WISP template?
Yes. The IRS publishes a free WISP template specifically for tax professionals at irs.gov. It is a solid starting point, but you must customize it to reflect your actual practice — your data types, systems, identified risks, and the specific controls you have in place — before it qualifies as a compliant plan.
What is the difference between a WISP and an incident response plan?
A WISP is the overarching written security program that covers all aspects of data protection — risk assessment, safeguards, employee training, vendor management, and more. An incident response plan is a component of the WISP that addresses specifically how your firm responds when a breach or security incident occurs. IRS Publication 4557 requires your WISP to include a documented incident response section.
How often must a WISP be reviewed and updated?
Your WISP must be reviewed and updated at least annually. You are also required to update it whenever a material change affects your security environment — new software, new staff with data access, a new office location, or a security incident. Most tax professionals schedule their annual WISP review in the fall, before the filing season begins in January.
What happens if I operate without a WISP?
Operating without a WISP exposes your firm to serious consequences. The IRS can revoke or deny PTIN renewal. The FTC can impose civil penalties under the Gramm-Leach-Bliley Act of up to $100,000 per violation for firms that fail to maintain the required written security program. In the event of a client data breach, the absence of a WISP significantly increases your personal liability and may violate state breach notification laws that carry their own separate penalties.
Do tax preparers also need to comply with the FTC Safeguards Rule?
Yes. The FTC's updated Safeguards Rule, fully effective since 2023, adds specific technical requirements that the IRS WISP template does not fully address on its own. These include mandatory multi-factor authentication, encryption of data at rest and in transit, and regular penetration testing for firms above certain size thresholds. Tax preparers need to ensure their WISP satisfies both IRS Publication 4557 and the FTC Safeguards Rule at the same time.
Can multiple entities or locations share a single WISP?
Generally, no. Each legal entity that handles client tax data should have its own WISP that reflects its specific systems, employees, data types, and risk environment. A single generic document that does not map to a specific entity's actual operations will not satisfy IRS customization requirements. If you operate multiple locations or affiliated entities, each needs its own tailored plan.
Where should I start when building a WISP?
Start with a data inventory. Before you can assess risks or document safeguards, you need a clear picture of what client data you collect, where it is stored (local drives, cloud platforms, paper files), who can access it, and how it moves through your practice from intake to filing to retention and destruction. That inventory is the foundation every other element of your IRS WISP template is built on. Once documented, conduct your risk assessment, then record the controls you have in place to address each identified risk.