Tax · 34 min read · Deep Dive

IRS WISP Template PDF: Complete Guide for Tax Professionals

Download the IRS WISP template PDF for tax preparers. Complete your Written Information Security Plan step by step. Required under FTC Safeguards Rule.


What the IRS WISP Template PDF Is—and Why You Need It

The IRS WISP template PDF gives tax professionals a structured starting point for meeting one of the most frequently overlooked federal compliance requirements in the industry. Under the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule, every tax preparer who handles client financial data must maintain a Written Information Security Plan (WISP)—a documented set of policies and procedures designed to protect sensitive taxpayer information from unauthorized access, theft, or disclosure.

The IRS developed a sample WISP template through its Security Summit initiative—a public-private partnership between the IRS, state tax agencies, and the tax industry—specifically for small practices and sole practitioners who lack dedicated IT staff. Published alongside IRS Publication 4557, Safeguarding Taxpayer Data, the template gives you a ready-to-customize document that satisfies federal requirements without requiring a legal or IT team to build from scratch.

This guide walks you through where to find and download the template, what each section requires, and how to tailor it to your practice size and complexity. Whether you operate as a sole practitioner or manage a growing accounting firm with multiple staff members, the WISP requirement applies to you. For a full breakdown of your obligations, our IRS WISP requirements guide covers the regulatory framework in detail.

Tax Firm Cybersecurity by the Numbers

  • $4.88M: average cost of a data breach (IBM Cost of a Data Breach Report 2024)
  • 24 hours: the window tax preparers have to notify the IRS after discovering a client data theft
  • 68% of breaches involve a human element (Verizon 2024 Data Breach Investigations Report)

Who Must Have a WISP—and What Happens Without One

Every tax professional who prepares federal returns for compensation must have a WISP. The FTC Safeguards Rule, which took full effect for tax preparers on June 9, 2023, classifies tax preparers as "financial institutions" under GLBA. That classification means the same data protection standards applied to banks and credit unions also apply to your office—regardless of firm size, revenue, or number of returns filed per year.

IRS Publication 4557 reinforces this requirement and specifies that no particular format is mandated, but the plan must be written, actively implemented, and regularly reviewed. The IRS does not grade formatting—it evaluates whether you have a real, documented plan and whether your staff follows it.

Penalties for non-compliance are real. The FTC can assess civil penalties up to $100,000 per violation under the Safeguards Rule, with individual officers and directors facing up to $10,000 per violation. Beyond financial penalties, the IRS can suspend or revoke a tax preparer's Preparer Tax Identification Number (PTIN)—which ends your ability to prepare returns for compensation. Our guide on PTIN and WISP requirements explains exactly how PTIN renewal and security plan compliance intersect.

The IRS has escalated enforcement since the Security Summit launched its multi-year awareness campaign. Examiners now routinely request a WISP during compliance reviews, and "I didn't know it was required" is not a defense that holds weight with auditors.

Active IRS Compliance Requirement

The IRS requires all tax preparers—including sole practitioners and part-time preparers—to maintain a current, written WISP. An outdated plan from a prior filing season does not satisfy the requirement. Your WISP must reflect your current systems, staff, and risk environment. Review and update it at the start of each filing season and any time you add new software, hire staff, or change service providers.

Where to Find and Download the IRS WISP Template PDF

The IRS makes its sample Written Information Security Plan available through two primary channels. The first is IRS Publication 5708, a standalone document titled Creating a Written Information Security Plan for Your Tax & Accounting Practice. Publication 5708 provides a fill-in-style template with explanatory notes for each section, written specifically for small practices without in-house legal or IT resources. Our detailed breakdown of IRS Publication 5708 explains what each section requires in plain language.

The second source is the IRS Security Summit's annual "Protect Your Clients; Protect Yourself" campaign materials, available through the Security Summit resource page on IRS.gov. These materials are updated each year ahead of the filing season and often include revised template language that reflects new threats and regulatory updates—which means a template downloaded in 2023 may be missing guidance relevant to the 2026 filing season.

Bellator Cyber Guard also provides a professionally maintained free WISP template for tax preparers that mirrors the IRS framework while incorporating current security controls, updated threat language, and plain-English instructions for completing each section. Unlike a raw PDF pulled from a government site, the template includes inline guidance and is formatted for immediate use.

When downloading any WISP template, verify the source. Only use templates from IRS.gov, recognized industry associations, or established cybersecurity firms specializing in tax firm compliance. Generic business sites sometimes publish outdated templates that predate the 2023 FTC Safeguards Rule changes—using one of these puts you out of compliance before you start.

How to Complete Your IRS WISP Step by Step

1. Download the Official Template

Obtain IRS Publication 5708 from IRS.gov or use Bellator's updated 2026 WISP template. Do not use undated templates from general search results—verify the source before building your compliance document around it.

2. Designate a Security Coordinator

Identify the person responsible for implementing and maintaining your WISP. In sole proprietorships, this is typically the owner. In larger firms, it may be an office manager or senior staff member. Name this person in the document.

3. Inventory Your Systems and Data

Document every device, software application, and location where client taxpayer data is stored, processed, or transmitted—including laptops, cloud storage, tax software portals, and email accounts. Include personally owned devices used for work.

4. Complete the Risk Assessment

Identify realistic threats to your client data (phishing, ransomware, physical theft, employee error), assess the likelihood and impact of each, and document the controls you have in place to address them.

5. Document Your Technical Safeguards

Record your security controls: endpoint protection software, multi-factor authentication (MFA) on all tax applications, encryption for data at rest and in transit, firewall settings, automatic software updates, and data backup procedures.

6. Write Your Incident Response Plan

Define what happens when a breach occurs—who gets notified, in what order, and within what timeframe. Include the IRS notification requirement (within 24 hours of discovery), your state tax agency contacts, and how affected clients will be notified.

7. Train Your Staff and Document It

Conduct security awareness training for all employees who handle client data. Record the date, topics covered, and attendees. The IRS expects documented training logs, not just verbal instruction at a staff meeting.

8. Review and Update Annually

Revisit your WISP at the start of each filing season and any time you add new systems, software, or staff. Date each revision and retain prior versions. Your version history is evidence of an actively maintained compliance program.

What the IRS WISP Template Sections Actually Require

The IRS sample WISP template is organized into six functional areas. Understanding what each section demands helps you complete the document accurately, rather than filling it with boilerplate language that won't hold up under scrutiny.

Part I: Identifying and Assessing Risk

This section asks you to inventory the types of client data you collect—Social Security numbers, bank account information, income records—where that data lives, and what threats could expose it. The risk assessment does not need to be exhaustive; it needs to be honest and specific to your practice. A sole practitioner working from home faces different risks than a five-person firm in a shared office building, and your WISP should reflect that difference.

Part II: Employee Management and Training

Document your hiring and termination procedures as they relate to data access. Who receives credentials to tax software? What happens to those credentials when an employee leaves? The IRS expects training to occur at onboarding and at least annually thereafter. Our guide on security awareness training for tax firms covers what effective annual programs include—phishing recognition, password hygiene, and incident reporting are the minimum.

Part III: Physical Security

Physical security covers how you protect paper records, workstations, and storage devices from unauthorized access. This includes locked file cabinets, office access controls, screen privacy filters, and clean-desk policies. If you work from a home office, this section must address how you secure your workspace from household members and visitors.

Part IV: Electronic Security

This is typically the most detailed section and the one most likely to reveal gaps. It requires you to document your use of encryption, multi-factor authentication, firewalls, endpoint protection, automatic updates, and secure data transmission methods. Be specific: name the actual software you use, not just the category. "We use MFA" is insufficient—"We use TOTP-based MFA via Google Authenticator on all tax software accounts" satisfies the requirement.

Part V: Service Provider Oversight

If you use cloud storage, a client portal, payroll processing software, or any vendor who can access client data, you must document those relationships and confirm each provider maintains adequate security. Request written assurances—contracts, service agreements, or security attestations—from each vendor and retain them with your WISP documentation.

Part VI: Incident Response Plan

Your incident response plan must define the steps you will take when a breach occurs—or when you suspect one has. Include the IRS Security Summit contact information for reporting, your state tax agency notification process, and how you will notify affected clients. For a deeper look at the most common attack type targeting tax practices, our ransomware protection guide for tax firms covers incident response in practical detail.

IRS WISP Completion Checklist

  • Designate a named security coordinator responsible for implementing and maintaining the WISP
  • Inventory all devices, software, and locations where taxpayer data is stored or transmitted
  • Complete a written risk assessment identifying realistic threats to your practice
  • Enable multi-factor authentication on all tax software, email, and cloud accounts
  • Document encryption used for data in transit and at rest
  • Confirm endpoint protection software is installed and updated on all workstations
  • Establish a documented data backup process and test it at least quarterly
  • Document physical security measures for your office and all paper records
  • Obtain written security assurances from every vendor with access to client data
  • Write an incident response plan including IRS notification steps (within 24 hours of discovery)
  • Conduct and document annual security awareness training for all staff
  • Sign and date the completed WISP; schedule your next annual review

Customizing the Template for Your Practice Size

The IRS sample WISP is written for the broadest possible audience, which means some sections will not apply to your situation and others will need significant expansion. Tailoring the template is not optional: a WISP that describes systems or procedures you do not actually have is worse than a simple, accurate plan, because it creates documented gaps you cannot defend during a compliance review.

Sole Practitioners

As a solo practitioner, your WISP will be relatively brief. Focus on your personal devices, your home or office network security, and the specific tax software applications you use. Your incident response plan is simpler because there are no internal escalation steps—you are the decision-maker. Still, document the IRS notification process, your state agency contacts, and how you would notify affected clients in specific, actionable language. Vague statements like "I will contact clients as needed" do not satisfy the requirement.

Small Firms (2–10 Employees)

Multi-employee firms must address access controls more carefully. Not every employee should have access to every client's data. Document who has access to which systems, how credentials are managed, and what the off-boarding procedure looks like when an employee leaves the practice. Consider also documenting how you handle employees who transition between roles, since role changes often create lingering access that was never revoked.

Mid-Size Firms (11+ Employees)

Larger practices should consider a formal security assessment to verify that documented controls match what is actually deployed. A gap between your WISP and your real environment is an audit liability. Our managed security services for CPA and accounting firms include WISP review and validation as part of an ongoing compliance program, so your documented security posture stays accurate year-round.

Regardless of firm size, your WISP should read like a real operational document, not a completed form. Use the names of the actual software you run, the real names of your service providers, and specific procedures your staff actually follows. Specific language like "all tax software accounts require a minimum 12-character password and TOTP-based multi-factor authentication, enforced through Drake Tax's administrator settings" demonstrates compliance. Generic language like "we use strong passwords" does not.

Bottom Line

The IRS WISP template PDF is a starting point, not a finished product. Downloading the template and leaving placeholder text in place—or copying it without customizing it to your practice—does not satisfy the requirement. The IRS and FTC expect a plan that reflects your actual systems, your real staff, and the specific threats relevant to your practice. A tailored, accurate WISP protects you from both regulators and attackers who specifically target firms whose security exists only on paper.

Common WISP Mistakes Tax Preparers Make

These are the errors that come up most consistently when tax professionals attempt to complete their WISPs without guidance—and the ones most likely to create compliance exposure.

Copying the Template Without Customizing It

The IRS sample is a model document, not a finished one. Submitting a plan with placeholder text, generic software names, or procedures that do not match your actual operations creates a document that is legally worse than having a simple but accurate plan. Every field that asks about "your" systems must describe your actual systems—not IRS examples or placeholder copy.

Missing the Vendor Oversight Section

Most small tax practices use at least one cloud-based application: tax software, document storage, client portal, or email. Many have also contracted with IT support. The WISP must acknowledge each of these relationships and confirm that vendors maintain adequate safeguards. Request a copy of each vendor's security attestation or certifications—SOC 2 Type II or ISO 27001:2022 are the most common—and attach them to your WISP file.

No Documented Incident Response Plan

A WISP without an incident response plan is incomplete by IRS standards. Tax preparers must notify the IRS within 24 hours of discovering a data theft or breach. If your plan does not define exactly who makes that call, how, and with what information, your staff will be unprepared when an incident actually occurs. Our WISP implementation guide walks through incident response planning step by step.

No Annual Review

A WISP written in 2023 and never revisited does not reflect a current security environment. Each time you add new software, hire or terminate an employee, change your office location, or adopt a new service provider, your WISP must be updated. Date every revision and maintain a version history—this demonstrates an actively managed program rather than a one-time checkbox exercise.

Skipping Documented Employee Training

The WISP requires documented training, not just the intent to train. Keep a simple log: date, topics covered, and names of employees present. If a breach occurs and you are asked to demonstrate your compliance program, training records are among the first things examiners request. At minimum, annual training should cover phishing recognition, password hygiene, and the internal incident reporting procedure.

Keeping Your WISP Current: Annual Review Requirements

The IRS and FTC both expect your WISP to reflect your current security environment. An annual review is the minimum; mid-year updates are required any time a material change occurs in your practice. Material changes include: adding or removing a tax software platform, hiring or terminating an employee with access to client data, changing your office location or adding a remote work arrangement, switching IT vendors, or experiencing any security incident. Each of these events should prompt a WISP review within 30 days.

The annual review process does not need to be lengthy. Work through each section systematically: confirm that the named security coordinator is still current, verify that your system inventory matches your actual environment, and test your incident response contacts. Document the date of your review and sign the updated version. Retaining the prior year's version in your files provides a useful audit trail showing the plan evolves with your practice.
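As an added example that is not part of this article or of any IRS or Bellator Cyber Guard material, the Python script below applies the review cadence described above (annual review at minimum, a review within 30 days of a material change, and documented training within the last year for everyone who handles client data) to a constructed revision history, change log and training log, and reports the gaps an examiner would ask about. The record layout, function names and sample dates are assumptions made for illustration.

```python
"""Self-check for WISP review cadence and training records (added example).

The 365-day and 30-day windows come from the article; the data layout
(WispRecord) and the sample entries are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ANNUAL_WINDOW = timedelta(days=365)   # review and training at least annually
CHANGE_WINDOW = timedelta(days=30)    # review within 30 days of a material change


@dataclass
class WispRecord:
    # Dates on which a signed, dated revision of the WISP was completed
    revisions: list[date]
    # Material changes as (date, description): new software, hire, office move, etc.
    material_changes: list[tuple[date, str]]
    # Training log entries as (date, attendee names)
    training_log: list[tuple[date, list[str]]]
    # Everyone who currently has access to client data
    staff: list[str]


def review_due_date(record: WispRecord) -> Optional[date]:
    """Earliest date by which the next review must be completed.

    Returns None when no signed revision exists at all, which is a finding
    in its own right (there is no plan to review).
    """
    if not record.revisions:
        return None
    last = max(record.revisions)
    due = last + ANNUAL_WINDOW
    for changed_on, _description in record.material_changes:
        # A change that happened after the last revision is not yet reflected
        # in the plan, so it pulls the due date forward to change + 30 days.
        if changed_on > last:
            due = min(due, changed_on + CHANGE_WINDOW)
    return due


def training_findings(record: WispRecord, today: date) -> list[str]:
    """Flag staff with no training on record or training older than a year."""
    last_trained: dict[str, date] = {}
    for session_date, attendees in record.training_log:
        for name in attendees:
            prev = last_trained.get(name, session_date)
            last_trained[name] = max(prev, session_date)
    findings = []
    for name in record.staff:
        when = last_trained.get(name)
        if when is None:
            findings.append(f"no documented training for {name}")
        elif today - when > ANNUAL_WINDOW:
            findings.append(f"training for {name} is older than one year ({when.isoformat()})")
    return findings


def wisp_findings(record: WispRecord, today: date) -> list[str]:
    """Combine review-cadence and training findings into one list of gaps."""
    findings = []
    due = review_due_date(record)
    if due is None:
        findings.append("no signed WISP revision on file")
    elif today > due:
        findings.append(f"WISP review overdue since {due.isoformat()}")
    findings.extend(training_findings(record, today))
    return findings


# Constructed sample: the plan was last signed in January, a seasonal preparer
# was hired in June, and that new hire has not appeared in any training session.
SAMPLE = WispRecord(
    revisions=[date(2024, 1, 8), date(2025, 1, 10)],
    material_changes=[(date(2025, 6, 3), "hired seasonal preparer Cara")],
    training_log=[(date(2025, 1, 12), ["Ana", "Ben"])],
    staff=["Ana", "Ben", "Cara"],
)

if __name__ == "__main__":
    for line in wisp_findings(SAMPLE, date(2025, 8, 1)):
        print(line)
```

Run against the sample on 1 August 2025, the script reports that the review became overdue on 3 July (30 days after the June hire, well ahead of the annual date) and that Cara has no documented training; run on 20 June it reports only the training gap. Keeping the revision dates and training log in a structured record like this also gives you the version history the article says examiners look for.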

Get a Pre-Built, Compliant WISP Template

Bellator Cyber Guard's free WISP template for tax preparers is updated for 2026, includes inline instructions for every section, and is formatted for immediate use. No legal team required.

Book a Free Tax Cybersecurity Assessment

Our security experts will review your current WISP, identify gaps against IRS Publication 4557 requirements, and provide actionable recommendations—at no cost to your practice.

Frequently Asked Questions

The IRS publishes its sample Written Information Security Plan in Publication 5708, available as a free PDF directly from IRS.gov. The IRS Security Summit also publishes updated template materials each year ahead of the filing season. Bellator Cyber Guard provides a free, updated WISP template for tax preparers with inline instructions for every section, formatted for immediate use.

Yes. The FTC Safeguards Rule and IRS Publication 4557 apply to any individual or firm that prepares federal tax returns for compensation, regardless of the number of returns prepared or whether the activity is part-time. Even a sole practitioner who prepares ten returns per year must maintain a Written Information Security Plan. There is no minimum return threshold that exempts a preparer from this requirement.

IRS Publication 4557, Safeguarding Taxpayer Data, is the primary compliance guidance document. It explains the legal requirements for protecting client information and describes what a WISP must include. Publication 5708, Creating a Written Information Security Plan for Your Tax & Accounting Practice, is a practical how-to guide with a fill-in sample WISP template. Use Publication 4557 to understand the requirements and Publication 5708 as the starting point for drafting your plan.

No. The IRS sample WISP is a model document that must be customized to reflect your specific practice. It contains placeholder text throughout that refers to generic systems, unnamed software, and unspecified procedures. Using the template without completing it with your actual information means your WISP does not describe your real security posture—which defeats its purpose and creates compliance exposure if you are ever reviewed.

You must review and update your WISP at least annually. The IRS expects the plan to reflect your current security environment, so updates are also required any time you add new software or systems, hire or terminate an employee with data access, change your office location, switch service providers, or experience a security incident. Date and sign each revised version and retain prior copies as part of your compliance records.

The FTC Safeguards Rule authorizes civil penalties up to $100,000 per violation for organizations and up to $10,000 per violation for individual officers and directors. The IRS can also suspend or revoke a tax preparer's PTIN, ending their ability to prepare returns for compensation. Non-compliant firms face increased liability exposure in the event of a client data breach, since the absence of a WISP is evidence of inadequate security practices in any subsequent regulatory action or civil litigation.

No. Tax preparers are not required to submit their WISP to the IRS or FTC. The plan must be written and maintained internally, and you must be prepared to produce it during a compliance review or examination. If the IRS conducts a security-related review of your practice, they will ask to see your current WISP and your training documentation as part of that process.

Your incident response plan should identify who is responsible for managing a breach response, define the steps to take when a breach is discovered, and include specific contact information for notifying the IRS (required within 24 hours of discovery), your state tax agency, and affected clients. It should also specify how you will contain the incident, preserve evidence, and document the response. For detailed guidance, our WISP implementation guide covers incident response planning in depth.

Yes. Remote and home-based tax preparers must maintain a WISP and must address the specific risks of a home office environment. This includes securing your home Wi-Fi network, controlling physical access to your workspace, using a virtual private network (VPN) when accessing client data remotely, and ensuring that any personal devices used for work meet the same security standards as dedicated office equipment. Our guide to choosing a VPN for your tax practice covers secure remote access requirements in detail.
