Tax & IRS Compliance | 35 min read

IRS Written Information Security Plan: 2026 Guide

Learn what an IRS Written Information Security Plan requires, who must comply, and how to build yours. Get IRS Publication 4557 compliant today.

By Bellator Cyber Guard

What Is an IRS Written Information Security Plan?

An IRS Written Information Security Plan (WISP) is a formal, documented policy that tax professionals must maintain to protect client data from unauthorized access, theft, or destruction. The legal obligation originates from the Gramm-Leach-Bliley Act (GLBA), which classifies tax preparers as financial institutions subject to the FTC Safeguards Rule (16 CFR Part 314). Under this framework, every tax professional who receives, maintains, processes, or transmits taxpayer data must have a WISP in place.

The IRS reinforces this requirement through IRS Publication 4557, "Safeguarding Taxpayer Data," which outlines the specific security measures expected of tax preparers. Unlike a general IT policy, a WISP tailored to the tax profession must address the unique risks of handling Personally Identifiable Information (PII) — Social Security numbers, financial records, banking details, and dependent information that make tax clients among the most targeted individuals in cybercrime.

In plain terms: your WISP is your security program in writing. It documents how your firm identifies risks, implements controls, trains employees, responds to incidents, and reviews its practices annually. Without one, your firm is both legally exposed and operationally unprepared for the data threats that specifically target tax professionals every filing season.

Tax Data Security By The Numbers

  • $4.88M: average cost of a data breach (IBM Cost of a Data Breach Report 2024)
  • 68%: share of breaches that involve a human element (Verizon Data Breach Investigations Report 2024)
  • $6.3B: fraudulent refunds blocked by IRS identity-theft filters (IRS Data Book 2023)

Who Is Required to Have a Written Information Security Plan?

If you prepare federal tax returns or handle taxpayer data in any capacity, you need a WISP. This applies whether you run a solo practice or a multi-partner CPA firm. The amended FTC Safeguards Rule, whose new provisions took full effect on June 9, 2023, applies the written-program requirement to every covered firm regardless of size. The only size-based relief is in 16 CFR 314.6: firms that hold customer information on fewer than 5,000 consumers are exempt from four specific elements (the written risk assessment, continuous monitoring or annual penetration testing, the written incident response plan, and the annual report to senior management), not from the obligation to have a written program at all. The IRS's own WISP template (Publication 5709) nonetheless includes a risk assessment and an incident response section, and this guide treats both as part of a complete plan.

The following must maintain an IRS written information security plan:

  • Individual tax preparers filing returns for any clients
  • Enrolled Agents (EAs) and Certified Public Accountants (CPAs)
  • Accounting and bookkeeping firms of all sizes
  • Payroll processors who handle employee tax data
  • Electronic Return Originators (EROs) and tax software resellers

The IRS makes the requirement explicit in Publication 4557: tax preparers must implement a written security program. Failure to comply does not require a breach to trigger consequences — the absence of a documented plan alone can constitute a violation. The broader IRS cybersecurity requirements build on this WISP foundation, making it the cornerstone of your compliance posture.

The Gramm-Leach-Bliley Act Connection

Many tax professionals are surprised to learn they are classified as financial institutions under the GLBA. The Act defines financial institutions broadly to include any business that is "significantly engaged" in providing financial services — and tax preparation clearly qualifies. This classification brings the obligation to safeguard customer financial information, with the WISP serving as the primary documented mechanism for doing so. The NIST Cybersecurity Framework provides a widely-adopted reference architecture that many WISP authors use to structure their risk management approach.

Solo Preparers Are Not Exempt

A persistent misconception is that solo tax preparers or home-based practitioners do not need a WISP. The FTC Safeguards Rule and IRS Publication 4557 apply to all tax professionals who handle client data, regardless of firm size or the number of returns prepared. Even a one-person practice must have a documented, functioning written information security plan.

Core Components of an IRS-Compliant WISP

The IRS and FTC specify several mandatory elements that every written information security plan must address. These are not optional additions — each element must be documented in your plan and supported by actual operational controls. IRS WISP requirements break down into five primary areas that every compliant plan must cover.

Designated Program Coordinator

Your WISP must name a specific individual responsible for the security program. In small firms, this is typically the owner or managing partner. This person oversees risk assessments, implements safeguards, and coordinates incident response. The designation must be in writing — verbal assignment does not satisfy the requirement.

Inventory of Client Data and Systems

Before you can protect data, you must document where it lives. Your plan must include an inventory of all systems, devices, and storage locations that contain taxpayer data: workstations, laptops, mobile devices, cloud storage, email servers, and third-party software platforms. Tax preparation software, document management tools, and client portals all fall within scope.

Written Risk Assessment

The risk assessment is the analytical engine of your WISP. It requires you to identify threats to taxpayer data, evaluate the likelihood and potential impact of each threat, and document your current controls. The FTC Safeguards Rule requires firms that hold customer information on 5,000 or more consumers to document this assessment in writing and to reassess it periodically as operations change; smaller firms are exempt from the written-form requirement (16 CFR 314.6) but must still base their safeguards on a risk assessment, and the IRS template assumes a written one, so write it down regardless of size. Common threats to assess include phishing attacks, ransomware, insider threats, and physical theft of devices. Our guide on phishing attacks targeting tax professionals details the specific vectors your assessment should address.

Security Safeguards

Based on your risk assessment, your WISP must document the specific controls you have implemented. The FTC groups these into three categories: technical safeguards (encryption, Multi-Factor Authentication (MFA), firewalls), administrative safeguards (employee training, access controls), and physical safeguards (screen locks, secure document disposal, office access controls). Your ransomware protection strategy should be explicitly referenced as part of your technical safeguards section.

Incident Response Plan

Your WISP must include written procedures for responding to security incidents. This plan must specify who is notified, including the IRS, what steps are taken to contain the breach, how affected clients are informed, and how the incident is documented. The IRS asks tax professionals to report data theft immediately to their local IRS Stakeholder Liaison and to notify their state tax agencies; the Federation of Tax Administrators provides a single point of contact for getting victim information to the states.

Essential WISP Safeguard Categories

Technical Safeguards

Encryption at rest and in transit, MFA on all systems with taxpayer data access, endpoint protection, secure Wi-Fi protocols, and automated backup procedures.

Administrative Safeguards

Security awareness training, access control policies, employee onboarding and offboarding procedures, background check requirements, and vendor management.

Physical Safeguards

Locked filing cabinets, clean desk policies, secure document shredding, screen privacy filters, and controlled physical access to workstations and servers.

Incident Response

Documented breach response procedures including IRS notification contacts, state reporting requirements, client communication templates, and post-incident review steps.

Vendor Oversight

Written security requirements for third-party service providers, annual vendor reviews, and contractual data protection obligations for all vendors with data access.

Annual Risk Review

Scheduled review cycle for your risk assessment, controls effectiveness testing, and WISP updates after any material operational or technology change.

How to Write Your IRS Written Information Security Plan

Step 1: Designate Your Program Coordinator

Identify the individual responsible for your security program by name and title. Document their specific responsibilities: risk oversight, vendor management, employee training coordination, and incident response leadership.

Step 2: Inventory All Data and Systems

List every system, device, software application, and storage location that touches taxpayer data. Include cloud platforms, email systems, tax software, portable drives, and any mobile devices used for business purposes.

Step 3: Conduct a Written Risk Assessment

Identify reasonably foreseeable threats: phishing, ransomware, physical theft, insider access. Rate each by likelihood and impact. Document your current controls and explicitly identify gaps that require remediation.

Step 4: Document Your Security Controls

For each identified risk, document the technical, administrative, and physical controls in place. Specify encryption standards, MFA requirements, backup procedures, access policies, and any compensating controls.

Step 5: Write Your Incident Response Procedures

Create step-by-step procedures for different incident types. Include IRS notification contacts, state reporting requirements, client notification templates, evidence preservation steps, and assignment of response roles.

Step 6: Establish Employee Training Requirements

Document your security awareness training program including frequency, topics covered, and verification methods. Specify new employee onboarding security training procedures and how completion records are maintained.

Step 7: Set Your Review and Update Schedule

Define when and how your WISP will be reviewed: at minimum annually, after any significant operational change, following a breach event, or when new threat intelligence warrants reassessment.

Conducting a WISP-Compliant Risk Assessment

The risk assessment section is where many tax professionals fall short. Writing "we use antivirus software" does not constitute a compliant assessment. The FTC Safeguards Rule requires a systematic, documented evaluation of your specific threat environment. Here is what that looks like in practice.

Start by mapping your data flows. Where does client data enter your systems? Tax returns arrive via email, client portals, fax, and paper documents. Each entry point represents a potential attack surface. Map data from receipt through processing, storage, and eventual destruction. The tax document encryption requirements guide covers the specific standards that apply at each stage of this lifecycle.

Threat Categories to Assess

Your written risk assessment should cover at minimum the following threat categories, which map onto the internal and external risks that the sample assessment in IRS Publication 5709 asks you to identify:

  • External threats: Phishing campaigns, credential stuffing, ransomware deployments, and social engineering attacks targeting staff
  • Internal threats: Unauthorized employee access, accidental data disclosure, and malicious insider activity
  • Physical threats: Theft of laptops or storage media, unauthorized office access, and improper document disposal
  • Vendor and third-party threats: Breaches at software providers, cloud storage vendors, or payroll processors with access to your data

For each threat, document the likelihood of occurrence, the potential impact on clients and your business, your current controls, and whether additional safeguards are needed. The gap between your current state and required controls becomes your action plan. The asset management and security assessment methodology provides a detailed framework for this process.
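As an added illustration (not code from the page, the IRS or the FTC) of how the inventory in step 2, the scored assessment in step 3 and the gap list in step 4 fit together, the Python below builds a small risk register: each threat gets a likelihood and impact on a 1 to 5 scale, a score, and the difference between required and implemented controls, and the output is the remediation list the assessment is supposed to produce. The assets, threats, control names and vendor names are constructed sample data for a fictional small practice; the 1 to 5 scale and the "remediate at 12" threshold are assumptions to adjust to your own firm.

```python
"""Constructed WISP risk-register example (added illustration, not the page's,
the IRS's or the FTC's code). All names, scores and controls are hypothetical."""
from dataclasses import dataclass
from typing import Optional

SCALE = range(1, 6)  # assumed scale: 1 = rare / negligible ... 5 = expected / severe


@dataclass(frozen=True)
class Asset:
    """One row of the data/system inventory (step 2)."""
    name: str
    location: str                    # "cloud", "laptop", "office", "mobile", ...
    holds_pii: bool                  # SSNs, bank details, dependent data, ...
    encrypted_at_rest: bool
    mfa_enforced: bool
    vendor: Optional[str] = None     # third party that can reach the data
    vendor_reviewed: bool = False    # on the vendor log with written data terms


@dataclass(frozen=True)
class Threat:
    """One row of the written risk assessment (step 3)."""
    name: str
    category: str                    # "external", "internal", "physical", "vendor"
    likelihood: int
    impact: int
    required_controls: frozenset
    implemented_controls: frozenset

    def __post_init__(self):
        # Edge case: a rating outside the scale makes the matrix meaningless.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    def gaps(self) -> set:
        """Controls the assessment says are needed but are not in place."""
        return set(self.required_controls - self.implemented_controls)


def inventory_findings(assets):
    """Flag PII-holding assets that lack the baseline technical safeguards
    (encryption at rest, MFA) and vendors that are not yet under written oversight."""
    findings = []
    for a in assets:
        if not a.holds_pii:
            continue  # public data needs no safeguarding under the WISP
        if not a.encrypted_at_rest:
            findings.append((a.name, "no encryption at rest"))
        if not a.mfa_enforced:
            findings.append((a.name, "MFA not enforced"))
        if a.vendor and not a.vendor_reviewed:
            findings.append((a.name, f"vendor '{a.vendor}' not on the vendor log"))
    return findings


def risk_register(threats, remediate_at=12):
    """Order threats by score and decide treatment: an open gap at or above the
    threshold is remediated now, below it is scheduled, no gap means monitor."""
    register = []
    for t in sorted(threats, key=lambda t: (-t.score, t.name)):
        gaps = t.gaps()
        if gaps and t.score >= remediate_at:
            action = "remediate now"
        elif gaps:
            action = "schedule"
        else:
            action = "monitor"
        register.append({"threat": t.name, "category": t.category,
                         "score": t.score, "gaps": sorted(gaps), "action": action})
    return register


def action_plan(register):
    """The remediation list a reviewer expects: control -> threats it closes."""
    plan = {}
    for row in register:
        if row["action"] == "monitor":
            continue
        for control in row["gaps"]:
            plan.setdefault(control, []).append(row["threat"])
    return plan


# Constructed sample inventory and assessment for a fictional small practice.
ASSETS = [
    Asset("Cloud tax software", "cloud", True, True, True,
          vendor="TaxCloud Inc.", vendor_reviewed=True),
    Asset("Office laptop", "laptop", True, False, True),
    Asset("Hosted email", "cloud", True, True, False, vendor="MailHost LLC"),
    Asset("Marketing website", "cloud", False, False, False),
]
THREATS = [
    Threat("Phishing of staff credentials", "external", 4, 5,
           frozenset({"MFA", "phishing training", "email filtering"}), frozenset({"MFA"})),
    Threat("Ransomware on workstations", "external", 3, 5,
           frozenset({"offline backups", "endpoint protection", "patching"}),
           frozenset({"endpoint protection", "patching"})),
    Threat("Laptop theft", "physical", 2, 4,
           frozenset({"full-disk encryption", "screen lock"}), frozenset({"screen lock"})),
    Threat("Former employee retains access", "internal", 1, 4,
           frozenset({"offboarding checklist", "least privilege"}),
           frozenset({"offboarding checklist", "least privilege"})),
]

if __name__ == "__main__":
    for finding in inventory_findings(ASSETS):
        print("INVENTORY:", *finding)
    reg = risk_register(THREATS)
    for row in reg:
        print(f"{row['score']:>2}  {row['threat']:<32} {row['action']:<14} gaps={row['gaps']}")
    print("ACTION PLAN:", action_plan(reg))
```

The printed register and action plan are what goes into the risk-assessment appendix of the WISP; re-run it after every inventory change (new software, new vendor, new device) so the gap list stays current, and keep each dated run as evidence of the annual review.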

Using NIST SP 800-171 as a Framework

While the FTC Safeguards Rule does not mandate a specific framework, many tax professionals use NIST Special Publication (SP) 800-171 to structure their risk assessment. SP 800-171 organizes security requirements into control families (14 in Revision 2, 17 in Revision 3, which added planning, system and services acquisition, and supply chain risk management) covering access control, incident response, configuration management, and more. Using this framework ensures your assessment is thorough and defensible in the event of an audit or regulatory review. One caveat: SP 800-171 was written for protecting Controlled Unclassified Information on contractor systems and is more prescriptive than a small practice needs, so use the families as a checklist for your assessment rather than promising full conformance in your WISP.

WISP Development Options: DIY vs. Template vs. Managed

Feature                     DIY From Scratch    IRS Template, Pub. 5709 (recommended)    Professionally Managed
Time to Complete            20–40 hours         4–8 hours                                1–2 hours (your input)
Regulatory Accuracy         Varies              IRS-aligned                              FTC + IRS aligned
Risk Assessment Included    Manual              Template provided                        Customized
Incident Response Plan      Self-authored       Basic template                           Firm-specific
Annual Update Support       —                   —                                        Included
Employee Training Plan      —                   Guidance only                            Included
Audit-Ready Documentation   Uncertain           Partial                                  Complete

Maintaining Your WISP: Ongoing Obligations After Year One

Creating your IRS written information security plan is not a one-time task. Both the FTC Safeguards Rule and IRS Publication 4557 require ongoing maintenance. A WISP that was accurate three years ago but has not been updated since your firm moved to a cloud-based practice management system is not a compliant WISP — it is a liability document that could be used against you.

When You Must Update Your WISP

Your written information security plan must be reviewed and updated in any of the following circumstances:

  • At least annually, regardless of whether changes have occurred
  • When you adopt new technology — new tax software, cloud storage, or mobile devices
  • After any security incident or near-miss event
  • When you hire or terminate employees with data access
  • When you add new service lines such as payroll processing
  • When a key vendor experiences a breach or changes its security practices

Employee Security Training Documentation

Your WISP must document a security training program for all employees who handle taxpayer data. Employees must actually receive this training, and you must keep records of completion. Annual training covering phishing recognition, password security, and data handling procedures satisfies the baseline requirement. Review the common cyberattacks on tax firms to build a training curriculum that addresses real-world threats your staff will encounter.

Hands-on phishing simulations, rather than slideshow-only training, produce the most measurable improvement in employee behavior. Document your training method, topics covered, and outcomes in your WISP.

Vendor Management Requirements

The updated FTC Safeguards Rule places specific weight on third-party vendor oversight. Your WISP must include written procedures for selecting, vetting, and monitoring service providers who have access to your client data — including your tax software provider, cloud backup vendor, payroll processor, and IT support company. Contracts with these vendors should include data protection obligations and audit rights. Maintain a vendor log as part of your WISP documentation package.

Consequences of Operating Without a WISP

Tax professionals who lack a documented written information security plan face risks on multiple fronts. Understanding these consequences is essential for any practitioner who has deferred this compliance obligation.

FTC Enforcement and Civil Penalties

The FTC actively enforces the Safeguards Rule against financial institutions, including tax preparers. Violations can result in civil penalties under the FTC Act; the inflation-adjusted maximum was $51,744 per violation per day for 2024, and the figure is adjusted each January. While large-scale enforcement actions against solo preparers are less common, the risk escalates dramatically following a data breach. Regulators treat the absence of a WISP as evidence of systemic negligence, which amplifies both penalties and reputational damage.

IRS Implications for Preparer Credentials

The IRS can revoke your Electronic Filing Identification Number (EFIN) if you fail to maintain adequate security safeguards. Without an EFIN, you cannot e-file returns on behalf of clients — effectively ending your practice. The IRS also expects preparers to self-report data breaches promptly, and a missing WISP significantly weakens your position in any subsequent review. Understanding the full scope of IRS WISP requirements for tax professionals is essential to protecting your EFIN and preparer credentials.

Breach Liability and Client Trust

Beyond regulatory penalties, a data breach without a documented WISP exposes your firm to civil litigation from affected clients. Courts and arbitration panels view the absence of a written security plan as a failure of professional duty. The reputational cost of a publicized breach — clients whose Social Security numbers and financial records were exposed — can permanently damage a practice built over decades. The cyber risk management framework for small businesses provides additional context on quantifying and managing this exposure before an incident occurs.


Frequently Asked Questions

What is an IRS Written Information Security Plan?

An IRS Written Information Security Plan (WISP) is a formal, documented security policy required of all tax professionals who handle client data. It is mandated under the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule (16 CFR Part 314), and reinforced by IRS Publication 4557. The plan must document your risk assessment, security controls, employee training program, incident response procedures, and vendor management policies.

Do solo preparers need a WISP?

Yes. The FTC Safeguards Rule and IRS Publication 4557 apply to all tax professionals who receive, maintain, process, or transmit taxpayer data, regardless of firm size. Solo preparers, home-based practitioners, and part-time preparers are all subject to the WISP requirement. There is no minimum number of returns filed that triggers the obligation; handling any client tax data is sufficient.

What happens if I operate without a WISP?

Operating without a WISP exposes you to FTC civil penalties (up to $51,744 per violation per day at the 2024 inflation-adjusted maximum, adjusted annually), potential EFIN revocation by the IRS, civil litigation from affected clients following a breach, and significant reputational harm. The absence of a WISP also signals negligence to courts and regulators, which can amplify consequences following any security incident.

How long does it take to write a WISP?

Using the IRS-provided template in Publication 5709 as a starting point, a thorough WISP typically takes 4–8 hours to complete for a small practice. Larger firms with multiple employees and more complex technology environments will require more time. Working with a cybersecurity provider who specializes in tax firm compliance can reduce your direct time investment to 1–2 hours of structured input, with the provider handling the documentation and compliance verification.

How often must a WISP be updated?

Your WISP must be reviewed and updated at minimum annually. You must also update it whenever you adopt new technology, experience a security incident, hire or terminate employees with data access, add new service lines, or when a key vendor changes its security practices. Treating your written information security plan as a living document, rather than a one-time filing exercise, is essential for maintaining genuine compliance.

What is IRS Publication 5709?

IRS Publication 5709 is an official IRS-provided WISP template designed specifically for tax professionals. It provides a fill-in-the-blank framework covering the required components of a compliant security plan. While Publication 5709 is a valid starting point, you should customize it to reflect your actual systems, risks, and controls rather than keeping a generic template unchanged (the WISP is maintained by your firm, not filed with the IRS). A customized plan provides stronger legal protection and better addresses your firm's specific security gaps.

Does my WISP have to cover cloud-based tax software?

Yes. Your written information security plan must inventory all systems and storage locations that contain taxpayer data, including cloud-based tax preparation software, client portals, and cloud storage services. For each cloud platform, your plan should document the security controls in place (such as encryption and MFA requirements), your vendor vetting process, and any contractual data protection obligations the vendor has agreed to.

What must my incident response plan include?

Your incident response plan must specify: who is internally notified first, how to contain the breach, IRS notification procedures through your local IRS Stakeholder Liaison, state tax agency reporting requirements, client notification procedures and templates, how to document the incident, and a post-incident review process to prevent recurrence. Assign responsibilities by role, not just by name, so the plan remains functional if key personnel are unavailable.

Can I use a WISP template?

You can use a template as your starting point: the IRS provides one in Publication 5709, and Bellator Cyber Guard offers an updated version at our free WISP template page. The key requirement is that your final plan accurately reflects your specific practice, systems, and risk environment. A template filled out generically without customization provides minimal legal protection and fails to address your actual security gaps.

How do the FTC Safeguards Rule and IRS Publication 4557 relate?

The FTC Safeguards Rule (16 CFR Part 314), issued under the Gramm-Leach-Bliley Act, is the primary legal authority requiring tax preparers to have a written information security program. IRS Publication 4557 is the IRS's guidance on meeting that rule in the tax professional context and is the yardstick the IRS applies when it reviews a preparer's safeguards. Following Publication 4557 tracks the rule's requirements for most small practices; firms that hold customer information on 5,000 or more consumers must additionally produce a written risk assessment, continuous monitoring or annual penetration testing, a written incident response plan, and an annual report to senior management, elements from which 16 CFR 314.6 exempts smaller firms.
