What Is a Written Information Security Plan?
A Written Information Security Plan (WISP) is a formal, documented policy that describes how your organization collects, stores, protects, and disposes of sensitive client information. For tax preparers, accountants, and financial services professionals in the United States, a WISP is not a best practice suggestion — it is a federal legal requirement.
At its core, a written information security plan functions as the operational blueprint for your data security program. It identifies what sensitive data your business handles, who is responsible for protecting it, what technical and administrative safeguards are in place, and how your team will respond if a breach occurs. Without one, your business lacks both the legal documentation regulators expect and the internal roadmap your staff needs to defend against cyberattacks targeting client data.
This guide explains what a WISP is, why you need one, what it must contain, and how to build one that satisfies the requirements set by IRS Publication 4557, Safeguarding Taxpayer Data, and the Federal Trade Commission's Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA). Whether you're a solo tax preparer or a growing accounting firm, these requirements apply directly to you.
Data Security By The Numbers
Sources for the figures in this section: IBM Cost of a Data Breach Report 2024; Verizon Data Breach Investigations Report 2024.
Who Is Required to Have a Written Information Security Plan?
Federal law mandates a written information security plan for a wide range of businesses — not just large corporations. Two primary legal frameworks define this obligation for tax and financial services professionals.
IRS Requirements for Tax Preparers
The WISP obligation for tax preparers comes from the Gramm-Leach-Bliley Act and the FTC Safeguards Rule, which treat paid tax return preparers as financial institutions. IRS Publication 4557, Safeguarding Taxpayer Data, restates that obligation: every tax professional who handles client financial information must implement, maintain, and periodically review a written plan, and PTIN renewal now requires an attestation that you are aware of your data security responsibilities. There is no minimum return count for the WISP requirement; the 11-return figure often quoted alongside it is the threshold for the IRS e-file mandate, which is a separate rule.
This obligation applies regardless of firm size. A solo practitioner working from a home office and a regional CPA firm with 50 staff are subject to the same requirement. The IRS has made a WISP a cornerstone of its data security expectations for tax professionals, and it warns that failing to safeguard taxpayer data can lead to sanctions, including loss of e-file privileges (your EFIN).
FTC Safeguards Rule for Financial Services
The Federal Trade Commission's amended Safeguards Rule under GLBA (published in 2021, with most provisions in force since June 2023) requires non-bank financial institutions, including accountants, tax return preparers, and mortgage brokers, to maintain a written information security program containing specific elements. The FTC rule is more prescriptive than IRS guidance: it requires designating a "Qualified Individual" to run the program, conducting written risk assessments, encrypting customer information in transit and at rest, and requiring multi-factor authentication (MFA) for anyone accessing your information systems.
Learn more about how the FTC Safeguards Rule applies to tax preparers and what it specifically requires of your practice.
Are You Subject to WISP Requirements?
If you prepare federal tax returns for compensation, accept payment for tax advice, or handle any nonpublic personal financial information for clients, you are legally required to have a written information security plan under the FTC Safeguards Rule, as restated in IRS Publication 4557. There is no return-count threshold. Failure to maintain one can result in FTC enforcement action, loss of your EFIN and e-file privileges, and personal liability in the event of a data breach.
Core Components Every WISP Must Address
A compliant written information security plan is not a single-page checklist. The FTC Safeguards Rule and IRS guidance require your WISP to address specific administrative, technical, and physical safeguard categories in documented form.
Designation of a Security Coordinator
Your WISP must name a specific individual, whether an employee, partner, or qualified service provider, responsible for implementing and overseeing your information security program. The FTC rule calls this person the "Qualified Individual"; the IRS sample plan calls the role the Data Security Coordinator. For small practices, this is often the owner or managing partner. Larger firms may delegate it to a dedicated IT or compliance role. If you use an outside provider, you remain responsible for oversight. The designation must appear in writing within the plan itself.
Risk Assessment
Before you can protect client data, you must know where it lives and what threatens it. Your written information security plan must document a formal risk assessment that identifies: all data types collected and stored, systems and locations where data resides, internal and external threats to that data, and the likelihood and potential impact of each identified risk. This assessment must be reviewed and updated at least annually or whenever your business undergoes significant changes.
Safeguards Program
Based on your risk assessment, your WISP must describe the specific controls you use to mitigate identified risks. These safeguards fall into three categories:
- Technical safeguards: Encryption of data at rest and in transit, firewall and antivirus protection, MFA for every user who accesses systems holding client data (the FTC rule requires it for any access to your information systems), automatic session timeouts, and secure remote access protocols.
- Administrative safeguards: Written access control policies, employee background checks, security awareness training schedules, vendor management procedures, and acceptable use policies for devices and software.
- Physical safeguards: Locked filing cabinets for paper records, controlled access to server rooms, clean desk policies, and secure destruction of physical documents containing client information.
Vendor and Service Provider Oversight
If you share client data with third parties — cloud storage providers, payroll processors, or tax software vendors — your WISP must include provisions for evaluating and monitoring those vendors. The FTC Safeguards Rule requires written contracts with service providers that include data security protections. Unsecured third-party access is one of the most common entry points for tax data breaches, as detailed in our analysis of cyberattacks on tax firms.
Incident Response Plan
Your written information security plan must include a defined procedure for responding to a data security incident. This includes: who is notified internally and externally, when clients and regulators are informed, how systems are contained and restored, and how the incident is documented for future reference. Deadlines are short: the FTC Safeguards Rule requires notifying the FTC within 30 days of discovering a breach of unencrypted customer information affecting 500 or more people, several state breach laws set deadlines of 30 days or less, and the IRS asks tax professionals to contact their Stakeholder Liaison immediately. Your incident response procedures must be ready to activate on day one, not assembled in the middle of a crisis.
Employee Training Program
The human element (phishing, misuse, errors) was involved in roughly two-thirds of the breaches analyzed in the Verizon Data Breach Investigations Report 2024. Your WISP must describe how employees are trained on your data security policies, how often training occurs, and what topics are covered. At minimum, training should address phishing recognition, password hygiene, and the proper handling of client data on mobile devices and in remote work environments.
How to Build Your Written Information Security Plan: 7 Steps
Designate Your Information Security Coordinator
Name the individual responsible for your WISP in writing. For solo practitioners, this is typically you. For firms, assign a partner or qualified IT contact. Document this role in your WISP with full contact information and defined responsibilities.
Inventory All Sensitive Data and Systems
List every category of client data your firm collects — Social Security numbers, EINs, financial records, bank account information — and map where that data is stored: local servers, cloud platforms, email systems, mobile devices, and paper files.
Conduct a Formal Risk Assessment
Evaluate each data storage location and workflow for threats and vulnerabilities. Score each identified risk by likelihood and potential business impact. This assessment becomes the foundation of your safeguards program and must be documented within the WISP itself.
Define and Implement Your Safeguards
Based on your risk assessment, document the specific technical, administrative, and physical controls your firm is implementing. Include encryption standards, access control policies, MFA requirements, and physical security measures for paper records and office equipment.
Establish Vendor Oversight Procedures
Create a vendor inventory identifying every third-party service provider with access to client data. Draft or reference written agreements requiring those vendors to maintain appropriate security standards. Schedule annual vendor security reviews and document them.
Write Your Incident Response Procedures
Define your breach response protocol step by step: detection, containment, notification, and remediation. Include contact information for the IRS, your state tax agency, and affected clients. Know your state's breach notification deadlines before you need them.
Train Staff and Schedule Annual Reviews
Deliver initial security training to all employees and document attendance. Schedule recurring training at minimum annually. Set a calendar reminder to review and update your written information security plan each year or after any significant security incident or business change.
What Many Practices Have vs. What a WISP Actually Requires
Many tax professionals believe they have data security covered because they use reputable tax software or have an IT company managing their computers. A written information security plan goes further than any individual tool or vendor relationship. The WISP is the governing document that ties all of your security controls together and demonstrates that your data protection program is intentional, documented, and reviewed regularly.
The IRS and FTC will not accept "we use good software" as evidence of compliance. What they look for during audits or breach investigations is documentation: a signed, dated, written plan that reflects your actual security environment. If a breach occurs and you cannot produce a WISP, your liability exposure increases substantially — both with regulators and in civil litigation brought by affected clients.
Review the IRS WISP requirements page for the specific elements the IRS expects your plan to address, and our detailed breakdown of IRS WISP requirements for tax professionals for a provision-by-provision analysis.
WISP Development Approaches: Choosing the Right Path for Your Firm
| Feature | DIY from Scratch | Template-Based (Recommended) | Professionally Managed |
|---|---|---|---|
| Time to Complete | 20–40+ hours | 4–8 hours | 1–2 hours (your input only) |
| IRS/FTC Compliance | Variable — depends on expertise | High — if template is current | Verified — expert review included |
| Customized to Your Firm | Yes | Partial | Yes |
| Annual Update Support | You are responsible | You are responsible | Included |
| Risk Assessment Included | You must conduct it | Guided worksheets | Conducted by security experts |
| Incident Response Plan | You must write it | Template provided | Built to your environment |
| Best For | Security-savvy practitioners | Solo/small firms needing speed | Firms prioritizing audit-readiness |
What a WISP Cannot Do on Its Own
A written information security plan is a document — not a technical control. The WISP describes your security program, but it does not implement it. Every policy you write in your WISP must be backed by real controls that are actually operating in your environment. Common gaps between what firms document and what they have actually deployed include:
- Claiming MFA is required but not enforcing it on all systems containing client data
- Documenting annual employee training but never scheduling or delivering it
- Listing a vendor security review process but having no documented reviews on file
- Stating data is encrypted while using legacy software or storage systems that lack encryption support
Regulators specifically look at whether your practices match your documentation. If your WISP says one thing and your technical environment does another, the written plan provides minimal protection in an enforcement action. Use our tax season cybersecurity checklist to verify that your actual controls align with your WISP documentation before each filing season begins.
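The gaps listed above are detectable. As an added example (not part of the original article or of any IRS or FTC material), the following PowerShell script gathers evidence on a single Windows 10/11 workstation for the technical safeguards a WISP most often claims: disk encryption, firewall, antivirus, and an automatic screen lock. It assumes an elevated session, that BitLocker and Microsoft Defender are available, and that the WISP's documented idle timeout is 15 minutes (the `$MaxIdleSeconds` value is a placeholder to set from your own plan). MFA cannot be verified locally, so it is recorded as a manual check against your identity provider.

```powershell
# Added example: collect control evidence for a WISP review on one Windows workstation.
# Assumptions: run as Administrator; BitLocker and Microsoft Defender modules present;
# the WISP states a 15-minute screen-lock timeout (adjust $MaxIdleSeconds to your plan).
$MaxIdleSeconds = 15 * 60
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Control, [string]$Expected, [string]$Actual, [string]$Result)
    $findings.Add([pscustomobject]@{ Control = $Control; Expected = $Expected; Actual = $Actual; Result = $Result })
}
function Test-Result([bool]$Pass) { if ($Pass) { 'PASS' } else { 'GAP' } }

# 1. Encryption at rest: every BitLocker volume should be fully encrypted with protection on.
try {
    foreach ($v in Get-BitLockerVolume) {
        $ok = ($v.VolumeStatus -eq 'FullyEncrypted') -and ($v.ProtectionStatus -eq 'On')
        Add-Finding "BitLocker $($v.MountPoint)" 'FullyEncrypted / On' "$($v.VolumeStatus) / $($v.ProtectionStatus)" (Test-Result $ok)
    }
} catch {
    # Home editions and machines without the BitLocker module land here: that is itself a gap.
    Add-Finding 'BitLocker' 'FullyEncrypted / On' "Unavailable: $($_.Exception.Message)" 'GAP'
}

# 2. Firewall: all three profiles (Domain, Private, Public) must be enabled.
foreach ($p in Get-NetFirewallProfile) {
    Add-Finding "Firewall ($($p.Name) profile)" 'True' "$($p.Enabled)" (Test-Result ($p.Enabled -eq 'True'))
}

# 3. Antivirus: real-time protection on and signatures no older than a week.
$mp = Get-MpComputerStatus
Add-Finding 'Defender real-time protection' 'True' "$($mp.RealTimeProtectionEnabled)" (Test-Result $mp.RealTimeProtectionEnabled)
Add-Finding 'Defender signature age (days)' '<= 7' "$($mp.AntivirusSignatureAge)" (Test-Result ($mp.AntivirusSignatureAge -le 7))

# 4. Automatic session lock for the current user. Values set by Group Policy or Intune live under
#    HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop instead; check that key too if managed.
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
$timeout = [int]$desk.ScreenSaveTimeOut          # missing value reads as 0 (no timeout)
$secure  = ($desk.ScreenSaverIsSecure -eq '1')   # '1' means the lock screen is required on resume
$lockOk  = ($timeout -gt 0) -and ($timeout -le $MaxIdleSeconds) -and $secure
Add-Finding 'Screen lock timeout (s) / password on resume' "1-$MaxIdleSeconds / True" "$timeout / $secure" (Test-Result $lockOk)

# 5. MFA is enforced in the identity provider or tax software, not on the endpoint: record it for manual review.
Add-Finding 'MFA enforced for all users' 'Verified in identity provider' 'Not checkable locally' 'MANUAL'

# Report and keep a dated CSV as evidence for the annual WISP review.
$findings | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path "wisp-control-evidence-$(Get-Date -Format yyyyMMdd).csv"
$gaps = @($findings | Where-Object Result -eq 'GAP').Count
Write-Host "Controls with a documentation/reality gap: $gaps"
```

Run it on each workstation that touches client data and file the CSVs with the WISP; a row marked GAP is exactly the kind of mismatch an examiner will ask about, and the date in the filename shows the review actually happened.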
Keeping Your WISP Current
Your written information security plan is a living document. The IRS and FTC both require that you review and update it regularly. Specific triggers that should prompt an immediate WISP review include: adding new employees or remote workers, adopting new software or cloud services, changing your data storage or backup systems, experiencing any security incident, and changes to relevant federal or state laws.
Ransomware is a persistent threat to tax practices, and attackers deliberately time intrusions for high-volume filing periods, when the pressure to restore systems quickly is greatest. Your WISP should address ransomware explicitly, including offline or immutable backup procedures, recovery time objectives, and your ransomware response escalation path. A plan that treats ransomware as a hypothetical is not adequate for the current threat environment.
What a Compliant WISP Does for Your Practice
Demonstrates Regulatory Compliance
A documented WISP provides direct evidence of compliance with IRS Publication 4557, the FTC Safeguards Rule, and applicable state data security laws — reducing your exposure during audits or breach investigations.
Protects Client Trust
Clients entrust you with their most sensitive financial and identity data. A WISP signals that you have a disciplined, documented approach to protecting that information — a meaningful differentiator for your practice.
Accelerates Incident Response
When a breach occurs, a pre-documented response plan means your team knows exactly what to do, who to call, and when to notify regulators and clients — cutting the chaos and containing the damage.
Builds a Security-Aware Staff
The training requirements embedded in your WISP turn employees from a vulnerability into a security asset — reducing the likelihood of phishing success and accidental data exposure throughout the year.
Satisfies Cyber Insurance Requirements
Most cyber insurance underwriters require documented security policies as a condition of coverage. A WISP is frequently a specific requirement for claims eligibility following a breach event.
Supports Business Continuity
By documenting backup procedures, recovery processes, and vendor dependencies, your WISP ensures your firm can restore operations quickly after a disruptive security event — not just survive the breach itself.
WISP Templates and Professional Resources for Tax and Financial Firms
The IRS released a sample Written Information Security Plan template for tax professionals (Publication 5708) in 2022, developed with the Security Summit partners, including major tax professional associations. This template is a useful starting point, but it requires customization to reflect your firm's size, technology environment, data types, and operational practices. Adopting the generic template as-is, without completing the practice-specific sections, offers far less legal and regulatory protection than a plan that accurately describes your actual security environment.
For accounting and tax practices looking for a structured starting point, our team has developed a free WISP template for 2026 that reflects current IRS and FTC Safeguards Rule requirements. It includes guided worksheets for the risk assessment section, a vendor inventory, an employee training log, and an incident response protocol — the sections most commonly left incomplete in solo-practitioner WISPs.
You can also explore our comparison of the best WISP templates for accountants and review real-world accounting firm WISP template examples to understand how firms of different sizes structure their plans effectively.
For healthcare organizations also subject to the HIPAA Security Rule (45 CFR §164.306), a written information security plan overlaps with the Security Rule's policies-and-procedures documentation requirement (45 CFR §164.316), though the specific required elements differ. Learn more about HIPAA compliance requirements for small practices and how the Security Rule maps to your documentation obligations alongside any GLBA WISP requirements your organization may carry.
Get a WISP Built for Your Practice — Free Consultation
Our cybersecurity experts work with tax professionals, accountants, and financial services firms to build Written Information Security Plans that satisfy IRS and FTC requirements. Schedule a free strategy call and get a personalized compliance roadmap for your practice.
Frequently Asked Questions About Written Information Security Plans
What is a Written Information Security Plan?
A Written Information Security Plan (WISP) is a formal, documented policy that describes how your organization protects sensitive client data. It covers the types of data you collect, the technical and administrative safeguards you use, your employee security training program, your vendor management procedures, and your plan for responding to data breaches. For tax preparers and financial professionals, maintaining a WISP is a federal legal requirement under the FTC Safeguards Rule, restated for tax professionals in IRS Publication 4557.
Who is required to have a WISP?
Under the FTC Safeguards Rule (Gramm-Leach-Bliley Act), any business that qualifies as a "financial institution" must maintain a written information security program. This includes tax preparers, accountants, mortgage brokers, and other non-bank financial institutions. The IRS applies this to every paid tax professional who handles client financial information, with no minimum return count. Many states have additional requirements that may apply to a broader range of businesses handling nonpublic personal information.
What must a WISP contain?
A compliant written information security plan must include: (1) designation of a security coordinator (the FTC's "Qualified Individual"), (2) a formal risk assessment identifying threats to client data, (3) documented technical, administrative, and physical safeguards proportionate to identified risks, (4) vendor and service provider oversight procedures, (5) a documented employee security training program, and (6) an incident response plan. The FTC Safeguards Rule also specifically requires encryption of customer information in transit and at rest and multi-factor authentication for anyone accessing your information systems.
How long does it take to create a WISP?
A DIY WISP built from scratch can take 20 to 40 or more hours depending on your practice's complexity. Using a professionally developed template reduces this to 4 to 8 hours for most solo or small-firm practitioners. Working with a cybersecurity firm on a professionally managed WISP typically requires 1 to 2 hours of your time to provide practice-specific input, with the remaining development handled by the security team. The risk assessment section is generally the most time-intensive component regardless of approach.
Can I use the IRS sample template?
Yes. The IRS provides a sample WISP template for tax professionals that you can use as a foundation. However, simply downloading the template and adopting it as-is is not sufficient for compliance. You must customize it to accurately reflect your specific firm: your actual data types, systems, staff, vendors, and security controls. A generic template that does not match your real operations provides minimal legal protection if a breach occurs or an audit is conducted.
How often must a WISP be updated?
Your written information security plan must be reviewed and updated at least annually. You should also update it whenever your business undergoes significant changes, such as hiring new employees, adding remote workers, adopting new software, changing data storage systems, or experiencing a security incident. The FTC Safeguards Rule requires that your program reflect your current operating environment, not the state of your business when the plan was first written.
What happens if I don't have a WISP?
Operating without a required written information security plan creates significant legal and financial exposure. The IRS can sanction e-file providers that fail to safeguard taxpayer data, up to suspension or revocation of your Electronic Filing Identification Number (EFIN). The FTC can bring enforcement action for Safeguards Rule violations. If a client data breach occurs, the absence of a WISP substantially increases your liability in regulatory proceedings and civil litigation. Cyber insurance claims may also be denied if you cannot demonstrate that a documented security program was in place at the time of the incident.
Do solo practitioners need a WISP?
Yes. The IRS expectation and the FTC Safeguards Rule apply regardless of firm size or return volume. A solo tax preparer is subject to the same WISP obligation as a large regional accounting firm. The scope and complexity of your WISP should be proportional to your business size and the volume of client data you handle, but the obligation to have one does not scale down based on firm size.
How is a WISP different from a cybersecurity policy?
A written information security plan and a general cybersecurity policy overlap significantly but are not identical. A WISP is a specific compliance document required by the FTC and expected by the IRS that addresses the protection of nonpublic personal financial information and must meet defined regulatory elements. A cybersecurity policy is a broader term for any documented set of rules governing how an organization handles digital security. For tax professionals and financial services firms, the WISP is the governing compliance document; it should incorporate or reference any existing cybersecurity policies so that one document ties the program together.
Where can I get help building a WISP?
Bellator Cyber Guard specializes in building written information security plans for tax professionals, accounting firms, and financial services businesses. We offer a free 2026 WISP template as well as full professional WISP development services that include a formal risk assessment, vendor review, and incident response planning tailored to your firm. Schedule a free consultation to discuss your specific compliance needs and get a plan built for your actual practice environment.