What a WISP Template Download Gives You — and Who Needs One
If you prepare tax returns, handle payroll, or manage any client financial data, you are legally required to maintain a Written Information Security Plan (WISP). The IRS, the Federal Trade Commission (FTC), and most state data protection laws mandate that tax professionals document exactly how they safeguard sensitive taxpayer information.
A WISP template download gives you a pre-structured document that meets IRS Publication 4557 requirements and FTC Safeguards Rule obligations — so you are not building your security policy from scratch. Rather than spending hours researching federal standards, you start with a professionally designed framework and customize it to reflect your practice's actual tools, procedures, and personnel.
The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule applies to all financial institutions — a category that includes tax preparers. If you file 11 or more returns per year, you are required to maintain a documented security plan. Failure to comply can result in FTC enforcement actions, state penalties, and significant liability if a breach occurs. Beyond the legal requirement, a well-executed WISP is your first line of defense against the phishing attacks, ransomware, and identity theft schemes that increasingly target tax professionals.
For a broader overview of the obligations that frame your WISP requirements, see our guide on cybersecurity for tax professionals.
What the IRS and FTC Require in Your WISP
The FTC Safeguards Rule specifies nine elements that every qualifying financial institution's information security program must address. For tax professionals, the IRS has translated these into practical guidance through Publication 4557. Your WISP must document all of the following:
- Designated coordinator — one person (or role) formally responsible for the information security program
- Risk assessment — a written evaluation of threats to client data confidentiality, integrity, and availability
- Safeguards program — specific controls you have in place to mitigate identified risks
- Vendor oversight — how you assess and manage the security posture of service providers with access to client data
- Incident response plan — documented procedures for detecting, containing, and reporting a data breach
- Employee training — ongoing security awareness education for all staff who handle taxpayer information
- Annual program review — documented evidence that the plan was evaluated and updated as needed each year
Review the full obligations covered under the FTC Safeguards Rule for a tax return preparer — particularly the provisions on encryption, multi-factor authentication (MFA), and access controls that must be reflected in your written plan.
The IRS also cross-references your WISP obligation with your IRS cybersecurity requirements as part of the Security Summit initiative. Preparers who cannot produce a current WISP following a reported breach face referral to the IRS Office of Professional Responsibility in addition to FTC scrutiny.
How to Complete Your WISP Template Download
Identify All Information Assets
List every location where taxpayer data is stored or transmitted: tax software databases, cloud storage, email systems, portable devices, paper files, and off-site backups.
Appoint a Security Coordinator
Name the individual responsible for implementing and maintaining the WISP. In a solo practice this is typically the owner. Document this role formally — a named person, not just a job title.
Complete the Written Risk Assessment
Evaluate threats to each data asset — unauthorized access, ransomware, phishing, insider misuse — and record your likelihood and impact ratings. This section must reflect genuine analysis, not placeholder text.
Document Your Current Security Controls
Record every safeguard in place: MFA configurations, encrypted storage and transmission, endpoint protection software, firewall settings, physical access controls, and backup procedures.
Define Your Incident Response Procedures
Document your breach detection, containment, client notification, and IRS reporting steps. The IRS requires preparers to report data theft within 45 days of discovery to IRS Identity Theft Central.
Attach Employee and Vendor Policies
Include signed employee acceptable-use policies, a remote work security agreement, vendor security assessment records, and your annual training schedule with attendance documentation.
Date, Sign, and Store the Completed Plan
The WISP must be signed by the security coordinator, stored securely, and retained with prior versions. Document every annual review with the reviewer's name, date, and a summary of changes made.
What a Quality WISP Template Download Should Include
Not all WISP templates are equal. Generic one-page templates frequently omit IRS-specific requirements or fail to address the current threat environment facing tax firms. When evaluating a WISP template download, confirm it covers these four areas in full:
Administrative Safeguards
This section should cover your security coordinator designation, risk assessment methodology, employee screening and onboarding procedures, annual security training requirements, and the process for reviewing and updating the plan. The IRS expects you to document who is accountable — a vague reference to "management" does not satisfy the requirement.
Technical Safeguards
Your template should provide fillable fields for documenting your endpoint protection software, MFA configurations, encryption standards for data at rest and in transit, remote access controls, and your patch management schedule. Practices that work with government clients or handle Controlled Unclassified Information (CUI) should also reference NIST SP 800-171 Rev. 3 controls in this section.
Physical Safeguards
Physical security is frequently missing from downloaded templates. This section must document office access controls, workstation screen-lock policies, secure disposal procedures for paper and electronic media, and your policies for portable devices such as laptops, tablets, and USB drives — all of which fall within scope under IRS Publication 4557.
Incident Response Integration
A strong WISP template either includes or directly references a complete incident response plan template with IRS Identity Theft Central reporting steps, state notification timelines, and client communication templates. Before finalizing your document, use the WISP checklist to verify every required element is addressed.
What Bellator's WISP Template Covers
IRS Publication 4557 Alignment
Every section maps directly to IRS guidance so you can demonstrate compliance during an audit or post-breach review.
FTC Safeguards Rule Checklist
Built-in checklist verifies all nine required program elements are addressed before you sign and date the plan.
Editable Risk Assessment Matrix
Pre-populated with the most common threats to tax firms — phishing, ransomware, insider misuse — with space to document risks specific to your practice.
Employee Policy Templates
Ready-to-use acceptable-use policy, clean-desk policy, and remote work security agreement that attach directly to your WISP as appendices.
Incident Response Playbook
Step-by-step breach response procedures with IRS reporting requirements, client notification letter templates, and evidence preservation checklist.
Annual Review Worksheet
Structured worksheet to guide your yearly WISP review, document what changed, and maintain a signed version history that satisfies FTC expectations.
Common WISP Mistakes Tax Professionals Make
Downloading a WISP template is the right first step — but several common errors undermine the document's value and leave preparers exposed to both regulatory penalties and actual breaches.
Completing the Template Without Reading It
Many preparers fill in a WISP template by inserting their name and firm details without engaging with the substantive sections. The risk assessment section requires a genuine evaluation of the threats your practice faces. A checkbox response defeats the purpose and will not withstand IRS scrutiny if a breach occurs.
Omitting Current Technology
Your WISP must reflect the tools you actually use today. If you added a cloud storage service, switched tax software, or expanded remote work access since your last update, those changes must be documented. An outdated WISP is nearly as problematic as having none — it demonstrates that your security program is not actively maintained.
No Employee Acknowledgment Records
The FTC Safeguards Rule requires that employees with access to client data receive training and formally acknowledge your security policies. Without signed acknowledgment forms, you cannot demonstrate that your program was communicated to staff — a gap that surfaces immediately in any regulatory inquiry.
Missing IRS-Specific Provisions
General business WISP templates frequently omit IRS-specific requirements such as the PTIN renewal security requirements documentation, the Identity Theft Protection Affidavit process, and the IRS e-Services MFA requirement. Tax-specific templates address these provisions; generic business templates typically do not — making them an inadequate starting point for tax preparers.
Do Not Use a Generic Business WISP Template
Tax-specific WISP requirements differ materially from general business security plans. IRS Publication 4557 and Security Summit guidance include provisions — Identity Theft Protection reporting, IRS e-Services MFA documentation, preparer-specific incident notification procedures — that generic FTC Safeguards Rule templates do not address. Using a general-purpose template risks leaving required sections incomplete, which regulators treat as non-compliance in the event of a data incident.
Maintaining Your WISP After the Initial Download
Completing your WISP template download is the beginning, not the end. The FTC Safeguards Rule requires annual review at minimum — but the IRS recommends updating your plan whenever any of the following occur:
- You add or change tax software, cloud services, or payment systems
- You hire new staff or change employee roles involving data access
- A security incident occurs, even if it was detected and contained quickly
- New IRS Security Summit guidance or FTC rule amendments are issued
- Your state enacts new data protection or breach notification requirements
Treat your WISP as a living document, not a one-time filing. Document every review with the reviewer's name, date, and a summary of what changed. If no changes were needed, note that explicitly — it demonstrates active oversight rather than neglect, which matters significantly if you are ever subject to a regulatory inquiry.
For firms that find ongoing compliance maintenance burdensome, a managed compliance service handles WISP updates, employee training records, and regulatory monitoring on a continuous basis. If you are new to these requirements, start with a thorough understanding of what a written information security plan involves before customizing your template.
WISP Template Download: Frequently Asked Questions
Any tax professional who files 11 or more federal tax returns per year is required to maintain a Written Information Security Plan under the FTC Safeguards Rule. The IRS also strongly recommends that all tax preparers — including sole proprietors filing fewer returns — maintain a documented security plan per IRS Publication 4557, since all preparers handle sensitive taxpayer data that is a high-value target for identity thieves.
The IRS does not provide a single official WISP form. IRS Publication 4557 and the Security Summit's "Protect Your Clients; Protect Yourself" materials outline exactly what your WISP must contain, but the format is left to the preparer. Third-party templates — including the one available from Bellator Cyber Guard — are built to satisfy those published requirements. Always verify that any template you use addresses every element listed in IRS Publication 4557 before finalizing your plan.
The IRS does not specify a page count. For a solo preparer or small firm, a thorough WISP typically runs 10–20 pages including attached policies. Larger multi-partner firms with more complex infrastructure may have plans exceeding 30 pages. Length matters less than completeness — every required element must be addressed with specificity, not placeholder language.
Not recommended. Generic business security templates address the broad FTC Safeguards Rule but typically omit IRS-specific requirements such as Identity Theft Protection provisions, IRS e-Services MFA documentation, Security Summit incident reporting procedures, and PTIN-related security obligations. Use a tax-specific WISP template that explicitly covers IRS Publication 4557 requirements.
At minimum, annually. The FTC Safeguards Rule requires that you review and update your information security program at least once a year. You should also update your WISP whenever you change technology systems, add new service providers, experience a security incident, make staffing changes involving data access, or when new IRS or FTC guidance is published. Document each review with a date and the reviewer's signature.
Operating without a WISP exposes your practice to FTC enforcement action, state data protection penalties, and significant civil liability if a breach occurs. The IRS can refer non-compliant preparers to the Office of Professional Responsibility. Beyond regulatory consequences, preparers without a documented security plan have no structured process for responding to a breach — which typically results in larger data exposure, higher remediation costs, and greater reputational damage to the practice.
Yes. The FTC Safeguards Rule and IRS Publication 4557 both apply to all client information regardless of format. Paper files, electronic records, and portable media are all in scope. Your WISP must document physical safeguards including office access controls, paper file storage and disposal procedures, and policies for portable devices and removable media.
A WISP is the overarching written policy that documents your entire information security program — risk assessment, controls, training, vendor management, and breach response. An incident response plan is one component within the WISP that details your specific procedures for detecting, containing, and reporting a security incident. Many WISP templates include an incident response section, but for larger firms, a standalone incident response plan may be created as a separate attached document referenced within the WISP.