Tax · 45 min read · Deep Dive

IRS Written Information Security Plan: 2026 Guide

Build your IRS Written Information Security Plan (WISP) for 2026. Learn who must comply, required components, risk assessment steps, and how to stay compliant.

What Is an IRS Written Information Security Plan?

An IRS Written Information Security Plan (WISP) is a formal, written document that every tax professional must maintain to protect client data from unauthorized access, theft, or destruction. If you hold a Preparer Tax Identification Number (PTIN) and handle taxpayer data, federal law requires you to have one in place before the 2026 filing season — there is no minimum return threshold and no small-firm exemption.

The legal obligation originates from the Gramm-Leach-Bliley Act (GLBA), which classifies tax preparers as financial institutions subject to the FTC Safeguards Rule (16 CFR Part 314). Under this framework, every tax professional who receives, maintains, processes, or transmits taxpayer data must have a WISP. The IRS reinforces this through IRS Publication 4557, Safeguarding Taxpayer Data, which outlines the specific measures expected of preparers.

Unlike a general IT policy, a WISP tailored to the tax profession must address the unique risks of handling Personally Identifiable Information (PII) — Social Security numbers, financial records, banking details, and dependent information that make tax clients among the most targeted individuals in cybercrime. Your WISP is your security program in writing. It documents how your firm identifies risks, implements controls, trains employees, responds to incidents, and reviews its practices annually.

Without one, your firm is both legally exposed and operationally unprepared for the data threats that specifically target tax professionals every filing season. This guide covers every element of a compliant IRS written information security plan in 2026 — from who needs one, to how to build it, to what happens if you don't have one.

Tax Data Security By The Numbers

  • $4.88M: average cost of a data breach (IBM Cost of a Data Breach Report 2024)
  • $51,744: maximum FTC penalty per violation per day under the FTC Act
  • 11+ returns: the threshold that once triggered scrutiny; now any PTIN holder needs a WISP

The Bottom Line

Every tax professional who handles taxpayer data must maintain a Written Information Security Plan under the FTC Safeguards Rule and IRS Publication 4557. The requirement applies to solo preparers and large firms alike — and the absence of a documented plan is itself a compliance failure, even without a breach.

Who Is Required to Have a Written Information Security Plan?

If you prepare federal tax returns or handle taxpayer data in any capacity, you need a WISP. This applies whether you run a solo practice or a multi-partner CPA firm. The FTC Safeguards Rule, strengthened and updated effective June 9, 2023, eliminated the informal distinction between large and small preparers. All tax professionals are now subject to the same baseline written security program requirements.

The following must maintain an IRS written information security plan:

  • Individual tax preparers filing returns for any clients
  • Enrolled Agents (EAs) and Certified Public Accountants (CPAs)
  • Accounting and bookkeeping firms of all sizes
  • Payroll processors who handle employee tax data
  • Electronic Return Originators (EROs) and tax software resellers
  • Annual Filing Season Program (AFSP) participants
  • Any person or entity with a Preparer Tax Identification Number (PTIN) who handles client data

The IRS makes the requirement explicit in Publication 4557: tax preparers must implement a written security program. Failure to comply does not require a breach to trigger consequences — the absence of a documented plan alone can constitute a violation. The PTIN-linked WISP requirement builds on this foundation and is the cornerstone of your compliance posture.

The Gramm-Leach-Bliley Act Connection

Many tax professionals are surprised to learn they are classified as financial institutions under the GLBA. The Act defines financial institutions broadly to include any business that is "significantly engaged" in providing financial services — and tax preparation clearly qualifies. This classification brings the obligation to safeguard customer financial information, with the WISP serving as the primary documented mechanism for doing so.

Solo Preparers Are Not Exempt

The updated FTC Safeguards Rule removed the small-business exemption that some solo preparers previously relied upon. If you hold a PTIN and handle client data, you need a WISP — period. Our guide to building a WISP for a small tax firm walks solo and two-person practices through a right-sized approach, and the IRS has increased the frequency of compliance visits to small-firm practitioners in recent years.

Core Components of an IRS-Compliant WISP

The IRS and FTC specify several mandatory elements that every written information security plan must address. These are not optional additions — each element must be documented in your plan and supported by actual operational controls. IRS WISP requirements break down into five primary areas.

1. Designated Program Coordinator

Your WISP must name a specific individual responsible for the security program. In small firms, this is typically the owner or managing partner. This person oversees risk assessments, implements safeguards, and coordinates incident response. The designation must be in writing — verbal assignment does not satisfy the requirement.

2. Inventory of Client Data and Systems

Before you can protect data, you must document where it lives. Your plan must include an inventory of all systems, devices, and storage locations that contain taxpayer data: workstations, laptops, mobile devices, cloud storage, email servers, and third-party software platforms. Tax preparation software, document management tools, and secure client portals all fall within scope.

3. Written Risk Assessment

The risk assessment is the analytical engine of your WISP. It requires you to identify threats to taxpayer data, evaluate the likelihood and potential impact of each threat, and document your current controls. The FTC Safeguards Rule requires this assessment to be conducted in writing and updated whenever significant operational changes occur. Common threats to assess include phishing attacks, ransomware, insider threats, and physical theft of devices.

4. Security Safeguards

Based on your risk assessment, your WISP must document the specific controls you have implemented. The FTC groups these into three categories:

  • Technical safeguards: encryption, Multi-Factor Authentication (MFA), firewalls, and endpoint protection software
  • Administrative safeguards: employee training, access controls, and acceptable use policies
  • Physical safeguards: screen locks, secure document disposal, and office access controls

Your ransomware protection strategy should be explicitly referenced as part of your technical safeguards section.

5. Incident Response Plan

Your WISP must include written procedures for responding to security incidents. This plan must specify who is notified — including the IRS — what steps are taken to contain the breach, how affected clients are informed, and how the incident is documented. The IRS requires tax professionals to report data theft through their IRS Stakeholder Liaison and to notify state tax agencies within required timeframes. Our incident response plan guide for tax practices details the notification sequence step by step.

IRS WISP Compliance Checklist

  • Designate a security coordinator responsible for the WISP with documented authority
  • Inventory all systems, devices, and storage locations that contain taxpayer data
  • Map data flows from client intake through processing, storage, and destruction
  • Conduct and document a written risk assessment covering all identified threats
  • Implement multi-factor authentication on all tax software and email accounts
  • Deploy encryption for taxpayer data at rest and in transit
  • Install and maintain endpoint protection on all workstations and laptops
  • Create a written incident response plan with IRS and state notification procedures
  • Establish a vendor management process for all third-party service providers
  • Schedule and document annual employee security awareness training
  • Set calendar reminders for annual WISP reviews and define event-triggered update criteria
  • Store the completed WISP in a secure but accessible location for authorized staff

How to Write Your IRS Written Information Security Plan

Writing a WISP from scratch can feel overwhelming, but the process becomes manageable when you break it into sequential steps. The goal is to produce a document that accurately reflects your practice's security posture — not to create an aspirational wish list of controls you might implement someday.

Start with what you already do. Most tax practices already have security measures in place, even if they are informal. You probably lock your office, use passwords on your computers, and shred paper documents. Your WISP formalizes these practices and fills the gaps. The IRS released Publication 5708 specifically to give tax professionals a section-by-section template they can customize.

Step-by-Step WISP Development Process

1. Designate Your Security Coordinator

Name the individual accountable for the program in writing, with authority to implement controls and lead incident response.

2. Inventory Data and Systems

Catalog every device, application, and storage location that touches taxpayer data, including cloud platforms and vendor portals.

3. Conduct a Written Risk Assessment

Identify threats by category, score likelihood and impact, and document existing controls against each risk.

4. Document Your Safeguards

Record the technical, administrative, and physical controls in place — encryption, MFA, training, and access policies.

5. Build the Incident Response Plan

Write the containment, notification, and documentation steps, including IRS Stakeholder Liaison and state agency contacts.

6. Establish Vendor Oversight

Create procedures to vet and monitor service providers, and add data-protection terms to vendor contracts.

7. Schedule Reviews and Training

Set annual review dates, define event-based triggers, and document employee security awareness training.

Conducting a WISP-Compliant Risk Assessment

The risk assessment is the analytical backbone of your IRS written information security plan. Writing "we use antivirus software" does not constitute a compliant assessment. The FTC Safeguards Rule requires a systematic, documented evaluation of your specific threat environment.

Data Flow Mapping

Start by mapping your data flows. Where does client data enter your systems? Tax returns arrive via email, client portals, fax, and paper documents. Each entry point represents a potential attack surface. Map data from receipt through processing, storage, and eventual destruction. Understanding whether your tax preparation software is secure is part of this analysis.

Threat Categories to Assess

Your written risk assessment must address, at minimum, four threat categories:

  • External threats: Phishing campaigns, credential stuffing, ransomware deployments, and social engineering targeting staff. Tax professionals face a sharp increase in targeted phishing during filing season, and your assessment must account for this seasonal spike.
  • Internal threats: Unauthorized employee access, accidental data disclosure, and malicious insider activity. Even in a two-person firm, access controls and separation of duties should be documented.
  • Physical threats: Theft of laptops or storage media, unauthorized office access, and improper document disposal. A lost laptop with unencrypted client files is a reportable breach.
  • Vendor and third-party threats: Breaches at software providers, cloud storage vendors, or payroll processors with access to your data. The 2023 MOVEit incident and similar supply-chain attacks illustrate why vendor risk deserves its own category.

For each threat, document the likelihood of occurrence, the potential impact on clients and your business, your current controls, and whether additional safeguards are needed. The gap between your current state and required controls becomes your action plan. Reviewing the business email compromise and remote desktop attacks targeting tax practices can help you ground these categories in real-world scenarios.
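The scoring and gap analysis described above can be kept as structured data rather than free text, which makes the "current controls versus required controls" comparison repeatable at each annual review. The following is an added example, not IRS or FTC material and not a tool from this page's author: it models each threat with a category, a likelihood and impact score, the controls the assessment calls for, and the controls actually in place, then produces the action plan as the ordered list of missing controls. The 1-3 scoring scale, the threat names, and the control names are constructed assumptions; the four categories are the minimum set named in the text.

```python
"""Risk register for a WISP written risk assessment.

Added example (not IRS or FTC material): models the assessment as data,
scores each threat by likelihood x impact, and turns the gap between
required and current controls into an ordered action plan. Threat and
control names below are constructed placeholders.
"""
from dataclasses import dataclass, field

# Likelihood and impact use a 1-3 scale. The scale is an assumption of this
# example; the Safeguards Rule requires a documented, systematic evaluation
# but does not prescribe a scoring method.
LEVELS = {1: "low", 2: "medium", 3: "high"}
# The four threat categories the assessment must cover at minimum.
CATEGORIES = {"external", "internal", "physical", "vendor"}


@dataclass
class Threat:
    name: str
    category: str
    likelihood: int
    impact: int
    required_controls: set[str]
    current_controls: set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        # Reject scores outside the scale and categories outside the minimum
        # four, so a register cannot silently use an undefined score or category.
        if self.category not in CATEGORIES:
            raise ValueError(f"{self.name}: unknown category {self.category!r}")
        if self.likelihood not in LEVELS or self.impact not in LEVELS:
            raise ValueError(f"{self.name}: likelihood and impact must be 1-3")

    def score(self) -> int:
        return self.likelihood * self.impact

    def gaps(self) -> set[str]:
        return self.required_controls - self.current_controls


def uncovered_categories(threats):
    """Categories with no assessed threat; non-empty means the assessment is incomplete."""
    return CATEGORIES - {t.category for t in threats}


def action_plan(threats):
    """(score, threat, missing control) tuples, highest risk first."""
    items = [(t.score(), t.name, c) for t in threats for c in t.gaps()]
    return sorted(items, key=lambda i: (-i[0], i[1], i[2]))


def render_register(threats) -> str:
    """Plain-text register suitable for the WISP's risk assessment section."""
    lines = ["threat | category | likelihood | impact | score | gaps"]
    for t in sorted(threats, key=lambda t: (-t.score(), t.name)):
        gaps = ", ".join(sorted(t.gaps())) or "none"
        lines.append(f"{t.name} | {t.category} | {LEVELS[t.likelihood]} | "
                     f"{LEVELS[t.impact]} | {t.score()} | {gaps}")
    return "\n".join(lines)


# Constructed sample register for a small practice (illustrative values only).
SAMPLE_THREATS = [
    Threat("Filing-season phishing", "external", 3, 3,
           {"email_mfa", "phishing_training", "endpoint_protection"},
           {"endpoint_protection"}),
    Threat("Ransomware", "external", 2, 3,
           {"offline_backups", "endpoint_protection", "software_mfa"},
           {"endpoint_protection", "offline_backups"}),
    Threat("Lost laptop", "physical", 2, 3,
           {"disk_encryption", "screen_lock"}, {"screen_lock"}),
    Threat("Former employee access", "internal", 2, 2,
           {"offboarding_checklist", "quarterly_access_review"},
           {"offboarding_checklist", "quarterly_access_review"}),
    Threat("Cloud vendor breach", "vendor", 1, 3,
           {"contract_data_terms", "vendor_log"}),
]

if __name__ == "__main__":
    print(render_register(SAMPLE_THREATS))
    print("uncovered categories:", uncovered_categories(SAMPLE_THREATS) or "none")
    for score, threat, control in action_plan(SAMPLE_THREATS):
        print(f"[{score}] {threat}: implement {control}")
```

Running the file prints the register, confirms all four categories are covered, and lists the missing controls starting with the highest-scoring threat. The same register can be re-run after each operational change (new software, new staff, a vendor incident) by editing the threat entries, which keeps the written assessment current in the way the update requirement below expects.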

Using NIST SP 800-171 as a Framework

While the FTC Safeguards Rule does not mandate a specific framework, many tax professionals use NIST Special Publication 800-171 to structure their risk assessment. SP 800-171 Revision 3 organizes security requirements into control families covering access control, incident response, configuration management, and more. Using this framework ensures your assessment is thorough and defensible in the event of an audit or regulatory review.

Risk Assessment Update Requirement

Under the FTC Safeguards Rule, your written risk assessment is not a one-time document. It must be updated whenever your firm experiences material operational changes — new software, cloud migration, new staff with data access, or a vendor breach. An outdated assessment can be treated as no assessment at all during a compliance review.

WISP Development Options: DIY vs. Template vs. Managed

Tax professionals generally have three paths for creating their IRS written information security plan. Each has distinct advantages and drawbacks, and the right choice depends on your firm's size, technical expertise, and budget.

The DIY approach gives you complete control over content and structure. You will need to research the applicable regulations thoroughly — the FTC Safeguards Rule, GLBA, IRS Publications 4557 and 5708, and relevant state data protection laws. This approach works best for preparers with a strong understanding of information security concepts and the time to dedicate to the project. The risk with DIY is coverage gaps. Without a framework to follow, it is easy to overlook requirements such as vendor management obligations or specific encryption standards in the updated Safeguards Rule.

The template approach provides a structured starting point that covers all required WISP components. The IRS released Publication 5708 as a sample WISP, and Bellator Cyber Guard offers a free 2026 WISP template designed to align with both IRS and FTC requirements. The key with any template is customization — a generic template you sign without tailoring it to your actual operations creates a false record showing controls that do not exist. Every section must reflect what your firm actually does. Our guide on how to create a WISP walks through real customization scenarios.

The managed approach means a security provider handles the WISP development process for you, typically as part of a broader data protection engagement for accounting firms. The provider assesses your environment, identifies gaps, implements technical controls, writes the documentation, and manages ongoing updates. This is the most thorough path but also the most expensive. For firms that handle large volumes of taxpayer data or have already experienced a security incident, the managed approach may be the most prudent investment.

Maintaining Your WISP: Ongoing Obligations After Year One

Creating your IRS written information security plan is not a one-time task. Both the FTC Safeguards Rule and IRS Publication 4557 require ongoing maintenance. A WISP that was accurate three years ago but has not been updated since your firm migrated to cloud-based practice management is not a compliant WISP — it is a liability document that could be used against you.

When You Must Update Your WISP

Your written information security plan must be reviewed and updated in any of the following circumstances:

  • At least annually, regardless of whether changes have occurred
  • When you adopt new technology — new tax software, cloud storage, or mobile devices
  • After any security incident or near-miss event
  • When you hire or terminate employees with data access
  • When you add new service lines such as payroll processing
  • When a key vendor experiences a breach or changes its security practices
  • When federal or state regulations change

Employee Security Training Documentation

Your WISP must document a security training program for all employees who handle taxpayer data. The training must actually occur, and you must keep records of completion. Annual training covering phishing recognition, password security, and data handling procedures satisfies the baseline requirement. Hands-on phishing simulations, rather than slideshow-only training, produce the most measurable improvement in employee behavior. Our security awareness training program builds a curriculum around the real-world threats your staff will encounter. Document your training method, topics covered, and completion records in your WISP.

Vendor Management Requirements

The updated FTC Safeguards Rule places specific emphasis on third-party vendor oversight. Your WISP must include written procedures for selecting, vetting, and monitoring service providers who have access to your client data — including your tax software provider, cloud backup vendor, payroll processor, and IT support company. Contracts with these vendors should include data protection obligations and audit rights. Maintain a vendor log as part of your WISP documentation.

Consequences of Operating Without a WISP

Tax professionals who lack a documented written information security plan face risks on multiple fronts. Understanding these consequences is essential for any practitioner who has deferred this compliance obligation.

FTC Enforcement and Civil Penalties

The FTC actively enforces the Safeguards Rule against financial institutions, including tax preparers. Violations can result in civil penalties of up to $51,744 per violation per day under the FTC Act. While large-scale enforcement actions against solo preparers are less common, the risk escalates sharply following a data breach. Regulators may treat the absence of a WISP as evidence of systemic negligence, which can amplify both penalties and reputational damage. The FTC Safeguards Rule guidance details the full scope of enforcement authority, and our FTC Safeguards Rule guide for tax preparers breaks it down in plain language.

IRS Implications for Preparer Credentials

The IRS can revoke your Electronic Filing Identification Number (EFIN) if you fail to maintain adequate security safeguards. Without an EFIN, you cannot e-file returns on behalf of clients — effectively ending your practice. The IRS can also refer cases to the Office of Professional Responsibility (OPR) for enrolled agents and other credentialed professionals. During compliance visits, IRS reviewers routinely ask to see the firm's WISP, and the frequency of these visits has increased in recent years.

Breach Liability and Client Trust

Beyond regulatory penalties, a data breach without a documented WISP exposes your firm to civil litigation from affected clients. Courts and arbitration panels may view the absence of a written security plan as a failure of professional duty. The reputational cost of a publicized breach — clients whose Social Security numbers and financial records were exposed — can permanently damage a practice built over decades. Our identity theft prevention guide for tax professionals and our walkthrough of what to do after a data breach cover the downstream consequences in detail.

IRS Publications and Resources for WISP Development

The IRS and other federal agencies have published several resources to help tax professionals build compliant security plans. Familiarize yourself with these documents before starting your WISP:

  • IRS Publication 4557 — Safeguarding Taxpayer Data: The IRS's primary guidance document for tax professionals. It covers data protection best practices, the WISP requirement, and reporting procedures for data theft. Download it directly from IRS.gov.
  • IRS Publication 5708 — Creating a Written Information Security Plan: A section-by-section sample WISP the IRS developed with input from the tax professional community. Read our detailed breakdown of Publication 5708 for practical customization guidance.
  • FTC Safeguards Rule (16 CFR Part 314): The full regulatory text and compliance guidance are available from the FTC's website.
  • NIST SP 800-171 Revision 3: While designed for protecting Controlled Unclassified Information in non-federal systems, its control families map well to WISP requirements. Access it from the NIST Computer Security Resource Center.

For a guided path to compliance, explore our Publication 4557 compliance solution or our all-in-one compliance package if you prefer a done-for-you approach.

Get Your IRS-Compliant WISP in Place for 2026

Our team has helped thousands of tax practices develop, implement, and maintain Written Information Security Plans that satisfy both IRS and FTC requirements. Whether you need a guided template, a managed solution, or a gap assessment of your existing plan, we can help.

Frequently Asked Questions

An IRS Written Information Security Plan (WISP) is a formal, written document that tax professionals must maintain to protect client data from unauthorized access, theft, or destruction. It documents your firm's program coordinator, data inventory, risk assessment, security safeguards, and incident response procedures, as required by IRS Publication 4557 and the FTC Safeguards Rule.

Yes. The updated FTC Safeguards Rule removed any small-business exemption. If you hold a PTIN and handle client data, you must maintain a WISP regardless of firm size or the number of returns you prepare.

You face FTC civil penalties of up to $51,744 per violation per day, possible revocation of your EFIN by the IRS, referral to the Office of Professional Responsibility, and civil liability if a breach occurs. The absence of a documented plan can itself be treated as a compliance failure, even without a breach.

Using a structured template such as IRS Publication 5708, most small firms can complete a customized WISP in a few days of focused work. A DIY plan built from scratch can take several weeks of research, while a managed provider can deliver one on a defined project timeline.

At least annually, and additionally whenever you adopt new technology, change staff with data access, add service lines, experience a security incident, learn of a vendor breach, or face new federal or state regulations.

IRS Publication 5708 is a sample WISP the IRS developed with the tax professional community. It provides a section-by-section template you can customize to your practice. It is a starting point, not a substitute for tailoring the document to your actual operations.

Yes. Any cloud platform that stores or processes taxpayer data falls within scope. Your WISP must inventory these systems, assess their risks, document the safeguards in place, and include the provider in your vendor management procedures.

It must specify who is notified — including your IRS Stakeholder Liaison and state tax agencies — the steps to contain the incident, how affected clients are informed, and how the event is documented. Assign clear roles and define notification timeframes in advance.

You can use a template, and most firms should. The requirement is that the final document accurately reflects your firm's actual controls. Signing a generic template without customizing it creates a false record showing controls you do not have in place.

The FTC Safeguards Rule (16 CFR Part 314) requires financial institutions, which includes tax preparers under the GLBA, to maintain a written information security program. Your WISP is the document that satisfies this requirement and demonstrates compliance during an audit or after an incident.
