
What the IRS WISP Template PDF Is—and Why You Need It
The IRS WISP template PDF gives tax professionals a structured starting point for meeting one of the most frequently overlooked federal compliance requirements in the industry. Under the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule, every tax preparer who handles client financial data must maintain a Written Information Security Plan (WISP)—a documented set of policies and procedures designed to protect sensitive taxpayer information from unauthorized access, theft, or disclosure.
The IRS developed a sample WISP template through its Security Summit initiative—a public-private partnership between the IRS, state tax agencies, and the tax industry—specifically for small practices and sole practitioners who lack dedicated IT staff. Published alongside IRS Publication 4557, Safeguarding Taxpayer Data, the template gives you a ready-to-customize document that satisfies federal requirements without requiring a legal or IT team to build from scratch.
This guide walks you through where to find and download the template, what each section requires, and how to tailor it to your practice size and complexity. Whether you operate as a sole practitioner or manage a growing accounting firm with multiple staff members, the WISP requirement applies to you. For a detailed breakdown of your obligations, our IRS WISP requirements guide covers the regulatory framework in detail.
Tax Firm Cybersecurity by the Numbers
Statistics widget; the figures themselves are not recoverable from the page. Source cited: IBM Cost of a Data Breach Report 2024. Metrics shown: time to identify and contain breaches; share of tax industry breaches caused by employee mistakes.
Who Must Have a WISP—and What Happens Without One
Every tax professional who prepares federal returns for compensation must have a WISP. The FTC Safeguards Rule, whose most recent amendments reached their full compliance deadline on June 9, 2023, treats tax preparers as "financial institutions" under GLBA. That classification means the same data protection standards that apply to banks and credit unions also apply to your office, regardless of firm size, revenue, or number of returns filed per year.
IRS Publication 4557 reinforces this requirement and specifies that no particular format is mandated, but the plan must be written, actively implemented, and regularly reviewed. The IRS does not grade formatting—it evaluates whether you have a real, documented plan and whether your staff follows it.
Penalties for non-compliance are real. The FTC can assess civil penalties up to $100,000 per violation under the Safeguards Rule, with individual officers and directors facing up to $10,000 per violation. Beyond financial penalties, the IRS can suspend or revoke a tax preparer's Preparer Tax Identification Number (PTIN)—which ends your ability to prepare returns for compensation. Our guide on PTIN and WISP requirements explains exactly how PTIN renewal and security plan compliance intersect.
The IRS has escalated enforcement since the Security Summit launched its multi-year awareness campaign. Examiners now routinely request a WISP during compliance reviews, and "I didn't know it was required" is not a defense that holds weight with auditors.
2026 Filing Season Requirement
The IRS requires all tax preparers to have an updated WISP in place by the start of the 2026 filing season. Firms without a compliant plan face potential PTIN suspension and cannot legally prepare returns for compensation.
Where to Find and Download the IRS WISP Template PDF
The IRS makes its sample Written Information Security Plan available through two primary channels. The first is IRS Publication 5708, a standalone document titled Creating a Written Information Security Plan for Your Tax & Accounting Practice. Publication 5708 provides a fill-in-style template with explanatory notes for each section, written specifically for small practices without in-house legal or IT resources. Our detailed breakdown of IRS Publication 5708 explains what each section requires in plain language.
The second source is the IRS Security Summit's annual "Protect Your Clients; Protect Yourself" campaign materials, available through the Security Summit resource page on IRS.gov. These materials are updated each year ahead of the filing season and often include revised template language that reflects new threats and regulatory updates—which means a template downloaded in 2023 may be missing guidance relevant to the 2026 filing season.
Bellator Cyber Guard also provides a professionally maintained free WISP template for tax preparers that mirrors the IRS framework while incorporating current security controls, updated threat language, and plain-English instructions for completing each section. Unlike a raw PDF pulled from a government site, the template includes inline guidance and is formatted for immediate use.
When downloading any WISP template, verify the source. Only use templates from IRS.gov, recognized industry associations, or established cybersecurity firms specializing in tax firm compliance. Generic business sites sometimes publish outdated templates that predate the 2023 FTC Safeguards Rule changes—using one of these puts you out of compliance before you start.
How to Complete Your IRS WISP Step by Step
Designate Security Coordinator
Name a specific person responsible for implementing and maintaining the WISP. Document their contact information and security responsibilities.
Inventory Systems and Data
List all devices, software, and locations where taxpayer data is stored, processed, or transmitted. Include cloud services and vendor systems.
Assess Security Risks
Identify realistic threats to your practice based on your actual environment, not generic scenarios. Document specific vulnerabilities.
Document Security Controls
Detail your encryption, multi-factor authentication, firewall, and endpoint protection implementations using specific product names.
Create Incident Response Plan
Define exact steps for breach notification, including IRS contact within 24 hours and client notification procedures.
Schedule Annual Training
Plan and document annual security awareness training covering phishing, passwords, and incident reporting procedures.
What the IRS WISP Template Sections Actually Require
The IRS sample WISP template is organized into six functional areas. Understanding what each section demands helps you complete the document accurately, rather than filling it with boilerplate language that won't hold up under scrutiny.
Part I: Identifying and Assessing Risk
This section asks you to inventory the types of client data you collect—Social Security numbers, bank account information, income records—where that data lives, and what threats could expose it. The risk assessment does not need to be exhaustive; it needs to be honest and specific to your practice. A sole practitioner working from home faces different risks than a five-person firm in a shared office building, and your WISP should reflect that difference.
Part II: Employee Management and Training
Document your hiring and termination procedures as they relate to data access. Who receives credentials to tax software? What happens to those credentials when an employee leaves? The IRS expects training to occur at onboarding and at least annually thereafter. Our guide on security awareness training for tax firms covers what effective annual programs include—phishing recognition, password hygiene, and incident reporting are the minimum.
Part III: Physical Security
Physical security covers how you protect paper records, workstations, and storage devices from unauthorized access. This includes locked file cabinets, office access controls, screen privacy filters, and clean-desk policies. If you work from a home office, this section must address how you secure your workspace from household members and visitors.
Part IV: Electronic Security
This is typically the most detailed section and the one most likely to reveal gaps. It requires you to document your use of encryption, multi-factor authentication, firewalls, endpoint protection, automatic updates, and secure data transmission methods. Be specific: name the actual software you use, not just the category. "We use MFA" is insufficient—"We use TOTP-based MFA via Google Authenticator on all tax software accounts" satisfies the requirement.
Part V: Service Provider Oversight
If you use cloud storage, a client portal, payroll processing software, or any vendor who can access client data, you must document those relationships and confirm each provider maintains adequate security. Request written assurances—contracts, service agreements, or security attestations—from each vendor and retain them with your WISP documentation.
Part VI: Incident Response Plan
Your incident response plan must define the steps you will take when a breach occurs, or when you suspect one has. Include the contact information for your local IRS Stakeholder Liaison (the IRS reporting channel for tax professionals who experience data theft), your state tax agency notification process, and how you will notify affected clients. For a deeper look at the most common attack type targeting tax practices, our ransomware protection guide for tax firms covers incident response in practical detail.
IRS WISP Completion Checklist
- Designate a named security coordinator responsible for implementing and maintaining the WISP
- Inventory all devices, software, and locations where taxpayer data is stored or transmitted
- Complete a written risk assessment identifying realistic threats to your practice
- Enable multi-factor authentication on all tax software, email, and cloud accounts
- Document encryption used for data in transit and at rest
- Confirm endpoint protection software is installed and updated on all workstations
- Establish a documented data backup process and test it at least quarterly
- Document physical security measures for your office and all paper records
- Obtain written security assurances from every vendor with access to client data
- Write an incident response plan including IRS notification steps within 24 hours of discovery
- Conduct and document annual security awareness training for all staff
- Sign and date the completed WISP and schedule your next annual review
Customizing the Template for Your Practice Size
The IRS sample WISP is written for the broadest possible audience, which means some sections will not apply to your situation and others will need significant expansion. Tailoring the template is not optional: a WISP that describes systems or procedures you do not actually have is worse than a simple, accurate plan, because it creates documented gaps you cannot defend during a compliance review.
Sole Practitioners
As a solo practitioner, your WISP will be relatively brief. Focus on your personal devices, your home or office network security, and the specific tax software applications you use. Your incident response plan is simpler because there are no internal escalation steps—you are the decision-maker. Still, document the IRS notification process, your state agency contacts, and how you would notify affected clients in specific, actionable language. Vague statements like "I will contact clients as needed" do not satisfy the requirement.
Small Firms (2–10 Employees)
Multi-employee firms must address access controls more carefully. Not every employee should have access to every client's data. Document who has access to which systems, how credentials are managed, and what the off-boarding procedure looks like when an employee leaves the practice. Consider also documenting how you handle employees who transition between roles, since role changes often create lingering access that was never revoked.
Mid-Size Firms (11+ Employees)
Larger practices should consider a formal security assessment to verify that documented controls match what is actually deployed. A gap between your WISP and your real environment is an audit liability. Our managed security services for CPA and accounting firms include WISP review and validation as part of an ongoing compliance program, so your documented security posture stays accurate year-round.
Regardless of firm size, your WISP should read like a real operational document, not a completed form. Use the names of the actual software you run, the real names of your service providers, and specific procedures your staff actually follows. Specific language like "all tax software accounts require a minimum 12-character password and TOTP-based multi-factor authentication, enforced through Drake Tax's administrator settings" demonstrates compliance. Generic language like "we use strong passwords" does not.
Bottom Line
All tax preparers handling client returns must have a Written Information Security Plan per IRS Publication 4557 and the FTC Safeguards Rule. Non-compliance can result in penalties up to $100,000 and PTIN suspension, ending your ability to prepare returns professionally.
Common WISP Mistakes Tax Preparers Make
These are the errors that come up most consistently when tax professionals attempt to complete their WISPs without guidance—and the ones most likely to create compliance exposure.
Copying the Template Without Customizing It
The IRS sample is a model document, not a finished one. A plan that still contains placeholder text, generic software names, or procedures that do not match your actual operations is legally worse than a simple but accurate plan. Every field that asks about "your" systems must describe your actual systems, not the IRS examples or placeholder copy.
Missing the Vendor Oversight Section
Most small tax practices use at least one cloud-based application: tax software, document storage, client portal, or email. Many have also contracted with IT support. The WISP must acknowledge each of these relationships and confirm that vendors maintain adequate safeguards. Request a copy of each vendor's security attestation or certifications—SOC 2 Type II or ISO 27001:2022 are the most common—and attach them to your WISP file.
No Documented Incident Response Plan
A WISP without an incident response plan is incomplete by IRS standards. Tax preparers must notify the IRS within 24 hours of discovering a data theft or breach. If your plan does not define exactly who makes that call, how, and with what information, your staff will be unprepared when an incident actually occurs. Our WISP implementation guide walks through incident response planning step by step.
No Annual Review
A WISP written in 2023 and never revisited does not reflect a current security environment. Each time you add new software, hire or terminate an employee, change your office location, or adopt a new service provider, your WISP must be updated. Date every revision and maintain a version history—this demonstrates an actively managed program rather than a one-time checkbox exercise.
Skipping Documented Employee Training
The WISP requires documented training, not just the intent to train. Keep a simple log: date, topics covered, and names of employees present. If a breach occurs and you are asked to demonstrate your compliance program, training records are among the first things examiners request. At minimum, annual training should cover phishing recognition, password hygiene, and the internal incident reporting procedure.
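The completion checklist earlier on this page and the five mistakes in this section can be turned into a mechanical self-check that runs against a machine-readable inventory of your WISP. The Python below is an added example for this page, not an IRS tool and not Bellator's template. It assumes a small JSON layout for the inventory (the field names are the example's own invention) and flags the gaps the article calls out: placeholder text, controls named only by category, a backup not tested within a quarter, vendors without a written attestation on file, vague client notification wording, a training log with no session in the last year, and a WISP not reviewed within 12 months. The sample inventory is constructed and deliberately contains several of those gaps.

```python
"""WISP inventory self-check: an added example for this page, not an IRS or Bellator tool.
The JSON layout (coordinator, systems, backup, vendors, incident_response, training,
last_review, physical_security) is assumed for illustration; each check encodes one
item from the completion checklist or one of the common mistakes described above."""
import json
import re
from datetime import date

# Assumed patterns for template text that was never customized.
PLACEHOLDER = re.compile(r"\[[^\]]*\]|\bTBD\b|\bXXX+\b|your firm|insert here", re.IGNORECASE)
# Control descriptions that name a category instead of the product actually in use.
GENERIC_CONTROLS = {"", "yes", "enabled", "mfa", "encryption", "antivirus", "firewall", "strong passwords"}
VAGUE_WORDING = re.compile(r"\bas needed\b|\bas appropriate\b|\bif necessary\b", re.IGNORECASE)
REQUIRED_CONTROLS = ("mfa", "encryption_at_rest", "encryption_in_transit", "endpoint_protection")
REQUIRED_TRAINING_TOPICS = {"phishing", "passwords", "incident reporting"}


def is_placeholder(value):
    return not value or bool(PLACEHOLDER.search(str(value)))


def is_generic(value):
    return str(value or "").strip().lower() in GENERIC_CONTROLS


def days_since(iso_date, today):
    return (today - date.fromisoformat(iso_date)).days if iso_date else None


def check_wisp(wisp, today=None):
    """Return gap descriptions for the inventory; an empty list means every check passed."""
    today = today or date.today()
    findings = []
    coord = wisp.get("coordinator", {})
    if is_placeholder(coord.get("name")) or is_placeholder(coord.get("contact")):
        findings.append("coordinator: name or contact missing or still a placeholder")
    for system in wisp.get("systems", []):
        if not system.get("holds_taxpayer_data", True):
            continue  # outside the scope of the Safeguards Rule inventory
        name = system.get("name", "<unnamed>")
        for control in REQUIRED_CONTROLS:
            if is_generic(system.get(control)):
                findings.append(f"system {name}: {control} not documented with a specific product")
        if not system.get("auto_updates"):
            findings.append(f"system {name}: automatic updates not enabled")
    age = days_since(wisp.get("backup", {}).get("last_tested"), today)
    if age is None or age > 90:  # the checklist asks for a quarterly restore test
        findings.append("backup: restore not tested in the last 90 days")
    for vendor in wisp.get("vendors", []):
        if vendor.get("accesses_client_data") and is_placeholder(vendor.get("attestation")):
            findings.append(f"vendor {vendor.get('name', '<unnamed>')}: no written security assurance on file")
    ir = wisp.get("incident_response", {})
    if is_placeholder(ir.get("irs_contact")):
        findings.append("incident response: IRS Stakeholder Liaison contact missing")
    notice = ir.get("client_notification") or ""
    if is_placeholder(notice) or VAGUE_WORDING.search(notice):
        findings.append("incident response: client notification procedure is vague or missing")
    training = wisp.get("training", {})
    age = days_since(training.get("last_session"), today)
    if age is None or age > 365 or not training.get("attendees"):
        findings.append("training: no documented session with named attendees in the last 12 months")
    missing = REQUIRED_TRAINING_TOPICS - {t.lower() for t in training.get("topics", [])}
    if missing:
        findings.append(f"training: topics not covered: {', '.join(sorted(missing))}")
    age = days_since(wisp.get("last_review"), today)
    if age is None or age > 365:
        findings.append("review: WISP not reviewed and signed within the last 12 months")
    if is_placeholder(wisp.get("physical_security")):
        findings.append("physical security: no measures documented")
    return findings


# Constructed sample inventory; it deliberately contains several of the gaps checked above.
SAMPLE_WISP = json.loads("""{
  "last_review": "2025-11-15",
  "coordinator": {"name": "J. Doe", "contact": "jdoe@example.com / 555-0100"},
  "physical_security": "Locked file cabinet, keypad door lock, privacy screens, clean-desk policy",
  "systems": [
    {"name": "Workstation-1", "holds_taxpayer_data": true, "auto_updates": true,
     "mfa": "TOTP via Google Authenticator on Drake Tax and Microsoft 365",
     "encryption_at_rest": "BitLocker (TPM-backed)", "encryption_in_transit": "TLS 1.2+ (e-file, M365)",
     "endpoint_protection": "Microsoft Defender for Business"},
    {"name": "Laptop-2", "holds_taxpayer_data": true, "auto_updates": false, "mfa": "MFA",
     "encryption_at_rest": "BitLocker (TPM-backed)", "encryption_in_transit": "TLS 1.2+",
     "endpoint_protection": "Microsoft Defender for Business"}],
  "backup": {"method": "Encrypted nightly backup to cloud storage", "last_tested": "2025-09-01"},
  "vendors": [
    {"name": "Cloud storage provider", "accesses_client_data": true, "attestation": "SOC 2 Type II, June 2025"},
    {"name": "IT support contractor", "accesses_client_data": true, "attestation": "[attach attestation]"}],
  "incident_response": {"irs_contact": "IRS Stakeholder Liaison, state office (number on file)",
                        "client_notification": "Contact clients as needed"},
  "training": {"last_session": "2024-10-01", "topics": ["phishing", "passwords"], "attendees": ["J. Doe"]}
}""")


def run_sample():
    return check_wisp(SAMPLE_WISP, today=date(2026, 1, 15))


if __name__ == "__main__":
    for gap in run_sample():
        print("GAP:", gap)
```

Run as-is, the sample reports seven gaps: the laptop's MFA is recorded as a category rather than a product and its automatic updates are off, the backup restore test is more than a quarter old, the IT contractor has only a placeholder where an attestation should be, the client notification wording is exactly the kind of "as needed" language the article warns against, and the training log is both stale and missing the incident-reporting topic. The thresholds (90 days, 365 days) come from the checklist's quarterly backup test and annual review; adjust them if your state or insurer imposes something stricter.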
Need Help Building Your WISP?
Our security team has helped 4,000+ tax professionals create compliant Written Information Security Plans.
Keeping Your WISP Current: Annual Review Requirements
The IRS and FTC both expect your WISP to reflect your current security environment. An annual review is the minimum; mid-year updates are required any time a material change occurs in your practice. Material changes include: adding or removing a tax software platform, hiring or terminating an employee with access to client data, changing your office location or adding a remote work arrangement, switching IT vendors, or experiencing any security incident. Each of these events should prompt a WISP review within 30 days.
The annual review process does not need to be lengthy. Work through each section systematically: confirm that the named security coordinator is still current, verify that your system inventory matches your actual environment, and test your incident response contacts. Document the date of your review and sign the updated version. Retaining the prior year's version in your files provides a useful audit trail showing the plan evolves with your practice.
For tax preparers managing multiple office locations or complex IT environments, consider engaging a cybersecurity firm that specializes in tax industry compliance. Our WISP consulting services include annual reviews, gap assessments, and ongoing updates to ensure your plan remains accurate and defensible throughout the year.
Book a Free Tax Cybersecurity Assessment
Our security experts will review your current WISP, identify gaps against IRS Publication 4557 requirements, and provide actionable recommendations—at no cost to your practice.
Frequently Asked Questions
Where can I download the IRS WISP template PDF?
The IRS WISP template PDF is available through IRS Publication 5708 and the annual Security Summit materials on IRS.gov. Bellator Cyber Guard also provides a professionally maintained free WISP template that includes current security controls and plain-English instructions.
Do I need a WISP if I only prepare a few returns or work part-time?
Yes, the WISP requirement applies to all tax preparers who prepare federal returns for compensation, regardless of the number of returns filed or whether you work part-time or full-time. The FTC Safeguards Rule classifies all tax preparers as financial institutions under GLBA.
What is the difference between IRS Publication 4557 and Publication 5708?
IRS Publication 4557 provides the regulatory framework and requirements for safeguarding taxpayer data. Publication 5708 is the actual fill-in WISP template document that helps you meet the Publication 4557 requirements with a structured format.
Can I use the IRS sample WISP without changes?
No. The IRS sample is a template that must be customized for your specific practice. Using it without modification leaves placeholder text and generic procedures that do not match your actual operations, which is worse than a shorter plan that accurately describes what you do.
How often do I need to update my WISP?
You must review your WISP annually at minimum, but updates are required within 30 days of any material change: new software, staff changes, office relocations, vendor switches, or security incidents. Date each revision to maintain an audit trail.
What are the penalties for not having a WISP?
The FTC can assess civil penalties up to $100,000 per violation under the Safeguards Rule, with individual officers and directors facing up to $10,000 per violation. The IRS can also suspend or revoke your PTIN, ending your ability to prepare returns professionally.
Do I have to submit my WISP to the IRS?
No, you do not submit your WISP to the IRS proactively. However, the IRS may request your WISP during compliance reviews or audits. You must be able to produce it upon request and demonstrate that your staff follows the documented procedures.
What must my incident response plan include?
Your incident response plan must define who contacts the IRS (within 24 hours of discovery), what information to provide, how to notify affected clients, and what steps to take to contain the incident. Include specific contact information and avoid vague statements like "contact clients as needed."
Does the WISP requirement apply if I work from home?
Yes, the WISP requirement applies regardless of where you work. Home-based preparers must address how they secure their workspace from household members and visitors, protect devices and paper records, and ensure secure internet connections for transmitting client data.
Need help with IRS compliance?
Our tax cybersecurity specialists can review your security posture and help you get compliant.