IRS WISP Template PDF: Complete Guide for Tax Professionals

What the IRS WISP Template PDF Is and Why You Need It

The IRS WISP template PDF gives tax professionals a structured starting point for meeting one of the most frequently overlooked federal compliance requirements in the industry. Under the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule, every tax preparer who handles client financial data must maintain a Written Information Security Plan (WISP)—a documented set of policies and procedures designed to protect sensitive taxpayer information from unauthorized access, theft, or disclosure.

The IRS, through its Security Summit initiative—a public-private partnership between the IRS, state tax agencies, and the nation's tax industry—developed a sample WISP template specifically for small practices and sole practitioners who lack dedicated IT staff. This guide walks you through where to find and download that template, what each section requires, and how to tailor it to your practice size and complexity.

Whether you operate as a sole practitioner or manage a growing accounting firm with multiple staff members, the WISP requirement applies to you. The IRS makes clear in Publication 4557, Safeguarding Taxpayer Data that no specific format is mandated—but the plan must exist, be written, and be actively implemented. For a broader overview of your obligations, the IRS WISP requirements guide covers the full regulatory framework in detail.

Who Is Required to Have a WISP Under Federal Law

Tax preparers are classified as financial institutions under the GLBA, which means the FTC Safeguards Rule—codified at 16 C.F.R. Part 314—applies directly to your practice. The FTC's updated Safeguards Rule, which reached full enforcement in June 2023, added new specificity to what a written security program must document and implement. The IRS reinforces these obligations through Publication 4557 and through the IRS Publication 4557 compliance framework.

If your practice prepares federal tax returns for clients, you are required to:

• Maintain a written, implemented, and regularly updated information security plan
• Designate an employee or contractor as your security program coordinator
• Conduct periodic risk assessments of your data systems and identify foreseeable threats
• Implement safeguards to address each identified risk
• Monitor and test the effectiveness of your controls on an ongoing basis
• Oversee all service providers who handle taxpayer data on your behalf

Violations of the FTC Safeguards Rule can result in civil penalties of up to $100,000 per violation and personal liability for practice owners and officers. These penalties apply independently of any IRS disciplinary action your practice might face following a breach.

Tax professionals with an Electronic Filing Identification Number (EFIN) face a compounding risk: if your EFIN credentials are stolen, fraudulent returns can be filed under your identity, exposing you to regulatory sanction and client harm. Protecting your EFIN and associated access credentials is one of the primary goals a well-implemented WISP addresses directly. For context on the broader threat environment facing your practice, the guide on cyberattacks on tax firms documents the most common attack methods used against preparers in recent years.

Where to Download the IRS WISP Template PDF

The IRS Security Summit publishes an official sample WISP document that serves as the most authoritative starting point for any tax professional building a security plan. You can access it directly from the IRS Written Information Security Plan page, where it is available as an editable Word document. Bellator Cyber Guard also offers a free WISP template updated for 2026 that incorporates the IRS Security Summit framework alongside the latest FTC Safeguards Rule requirements, giving your practice a more complete compliance baseline from the start.

When downloading any WISP template, verify the source before opening the file. Threat actors have been known to distribute malware-laden documents disguised as compliance resources—a documented tactic in phishing campaigns specifically targeting tax professionals. Download only from official .gov domains or verified cybersecurity providers.

What the IRS WISP Template PDF Contains

The Security Summit sample document is organized into five major sections, each addressing a distinct area of information security:

1. Business Description and Information Systems — Identifies the types of client data your practice handles, the systems used to process it, and who has access to each data category.
2. Employee Management and Training — Documents your hiring practices, background check procedures, onboarding security training requirements, and ongoing security awareness schedules.
3. Information Systems and Policies — Covers your technical safeguards: password policies, multi-factor authentication (MFA), encryption standards, software update procedures, and remote access controls.
4. Detecting and Responding to Threats — Defines how your practice monitors for breaches, detects unauthorized access attempts, and responds to incidents—including required IRS notification procedures.
5. Physical Security Elements — Addresses office access controls, workstation placement, document destruction policies, and device security for laptops and mobile devices used outside the office.

Beyond these five sections, the IRS template includes a Data Theft Response Plan—an essential sub-document that specifies exactly what steps your practice will take if a breach occurs, including how to reach your IRS Stakeholder Liaison within the required timeframe.

Customizing the IRS WISP Template PDF for Your Practice Size

One of the most practical aspects of the IRS WISP template PDF is its built-in scalability. The IRS explicitly states that a sole practitioner's plan will look very different from a 10-partner accounting firm's—and that difference is by design. Your WISP must be appropriate to the actual size and complexity of your practice, not a generic boilerplate that doesn't reflect how your business operates. Reviewing the best WISP templates for accountants by practice size can help you calibrate the right level of detail before you begin.

Sole Practitioners

If you work alone and prepare returns using a small number of client-facing systems, your WISP can be relatively brief while still covering all five required sections. The IRS Security Summit designed an abbreviated framework specifically for this scenario. Your "employee management" section, for example, may simply note that you are the sole practitioner and that you complete annual security awareness training from a named provider each year.

Areas sole practitioners frequently underestimate: remote access security when working from a laptop outside the office, cloud storage permission settings that may expose client files to unauthorized sharing, and what happens to client data if you become incapacitated or permanently close your practice. Each of these scenarios warrants specific documentation in your WISP.

Small and Mid-Size Practices

Practices with two to ten employees face a wider attack surface. Each additional user account, shared network drive, or remote worker creates new vectors for unauthorized access to client data. At this scale, your WISP should include role-based access controls—documenting exactly which employees can access which client records—alongside the standard narrative sections. For practices using tax software from multiple vendors such as Drake, Lacerte, or ProSeries, the WISP should address each platform's data handling practices and how you verify vendor security through written agreements or attestations. See accounting firm WISP examples for detailed structural models at this scale.

Larger Accounting Firms

Firms with 11 or more employees, multiple office locations, or significant cloud infrastructure should treat the IRS WISP template PDF as a baseline rather than a finished compliance product. At this scale, NIST SP 800-171—the National Institute of Standards and Technology's guidance on protecting Controlled Unclassified Information—provides a more rigorous framework that complements the IRS template and helps position the firm for SOC 2 Type II or ISO 27001:2022 readiness if needed.

Completing the Data Theft Response Plan Section

The Data Theft Response Plan is frequently the most overlooked section of the IRS WISP template PDF—and the most consequential when something goes wrong. If your practice experiences a breach, the IRS expects you to act within a defined timeframe and notify specific parties in a specific order. Failing to follow these procedures can result in EFIN suspension and civil penalties on top of any direct harm to your clients.

Immediate Actions Within 24 Hours of Discovery

• Disconnect the affected system from your network to prevent further data exfiltration
• Preserve all system logs and forensic evidence—do not wipe or reformat any device before consulting a cybersecurity professional
• Contact your local IRS Stakeholder Liaison to report the incident and receive guidance on next steps
• Notify your state tax agency's designated security contact
• File a report with the FBI Internet Crime Complaint Center (IC3) at ic3.gov

Client Notification Requirements

Most states mandate notification to affected clients within 30 to 72 hours of breach discovery. Your WISP should identify the specific state breach notification laws applicable to your practice—including requirements for clients in states other than your own—and document the notification template your practice will use. State attorneys general actively enforce these laws against tax and financial service businesses, often independently of any IRS or FTC action.

Recovery and Post-Incident Review

After immediate containment, your response plan should address how you will restore operations from clean backups, verify restored data integrity, and document changes made to your security controls to prevent recurrence. For practices facing ransomware—one of the most frequent attack methods used against tax firms—a tested, offsite backup and recovery procedure is the difference between a recoverable incident and catastrophic data loss. The guide on ransomware protection for tax practices details backup architectures that meet IRS data retention standards. You can also review the IRS WISP requirements for handling W-9 and related forms to ensure your response plan accounts for all document types your practice manages.

Storing, Distributing, and Maintaining Your Completed WISP

Completing the IRS WISP template PDF is not a one-time event. Federal regulations require that your plan be actively implemented, periodically reviewed, and updated when material changes occur in your business. Both the IRS and FTC expect to see evidence that your WISP is a living document—not a file created once, never touched again, and produced under pressure only when a regulator comes calling.

Where to Store Your WISP

Maintain your WISP in at least two locations: a local copy accessible to your designated security coordinator and an offsite or cloud-based copy for disaster recovery. Password-protect the document—it contains details about your security architecture that should not be visible to unauthorized parties. If you store it in a cloud service, ensure that provider appears in your vendor management section, since their own security practices directly affect the confidentiality of your plan.

Employee Acknowledgment and Training Records

Every employee who handles client data should receive a copy of the relevant WISP sections and sign a dated acknowledgment confirming they have read and understood the policies. Retain these records as part of your compliance documentation. If the IRS or FTC ever audits your security program, signed acknowledgments are among the first documents they will request. This practice aligns directly with IRS Publication 4557 guidance on employee training documentation requirements.

When to Update Your WISP

The FTC Safeguards Rule requires updates whenever a material change occurs in your business or technology environment. Events that trigger an immediate update include:

• Hiring a new employee with access to client data
• Changing your tax software, cloud storage provider, or business email platform
• Opening a new office location or establishing a remote work policy for the first time
• Experiencing a security incident or near-miss event of any kind
• Receiving notification that a vendor who holds your client data has experienced a breach of their own

Beyond these event-driven updates, conduct a formal annual review before tax season—the period when targeted attacks against tax professionals intensify measurably. The tax season cybersecurity checklist is a practical companion to your annual WISP review. For the complete regulatory picture underlying your obligations, the FTC Safeguards Rule guide for tax preparers and the IRS Written Information Security Plan overview provide authoritative context that will help you keep your WISP current and defensible.