
Written Information Security Plan: What Tax Pros Must Know

Learn what a written information security plan (WISP) requires for tax professionals. IRS Publication 4557, FTC Safeguards Rule, and step-by-step compliance guide.


What Is a Written Information Security Plan (WISP)?

A written information security plan (WISP) is a federally mandated cybersecurity framework required under the Gramm-Leach-Bliley Act (GLBA) and enforced through the FTC Safeguards Rule (16 CFR Part 314) for all tax professionals, accounting firms, and financial service providers handling sensitive taxpayer information. These comprehensive security programs must encompass administrative policies, technical controls, and physical safeguards protecting personally identifiable information (PII) from unauthorized access, disclosure, or destruction.

Federal regulations classify tax preparers as financial institutions — subject to the same data protection standards governing banks, credit unions, and investment firms. That classification carries real consequences: non-compliance can trigger FTC penalties up to $46,517 per violation per day, IRS revocation of PTIN credentials, voided professional liability insurance, and average breach costs exceeding $4.88 million according to IBM's 2024 Cost of a Data Breach Report.

Beyond federal mandates, many states impose their own written information security plan requirements. Massachusetts General Laws 201 CMR 17 — Standards for the Protection of Personal Information — requires any entity holding personal information of Massachusetts residents to maintain a comprehensive WISP, regardless of where the business is located. Similar statutes exist in New York (23 NYCRR 500), California (CCPA/CPRA), and other states, creating overlapping compliance obligations that tax professionals must navigate carefully.

The regulatory landscape intensified significantly when the IRS began requiring PTIN certification of WISP implementation on Form W-12 renewal applications in 2023. Question 11 explicitly asks: "Do you have a written data security plan to protect taxpayer information in your possession?" False certification constitutes perjury on a federal form, exposing practitioners to criminal penalties beyond civil fines. For guidance on PTIN renewal security requirements, see our PTIN renewal security guide.

WISP Compliance By The Numbers

  • $46,517: FTC penalty per violation per day (16 CFR Part 314 enforcement)
  • $4.88M: average data breach cost (IBM Cost of a Data Breach Report 2024)
  • 30 days: FTC breach notification deadline for incidents affecting 500+ individuals
  • 24 hours: IRS breach notification window (IRS Stakeholder Liaison Office requirement)

Key Takeaway

Every tax professional who handles taxpayer data must maintain a written information security plan. This is not optional guidance — it is a federal requirement under GLBA, enforced by the FTC, and verified by the IRS during PTIN renewal. The question on Form W-12 makes non-compliance a matter of federal record.

Understanding Federal WISP Requirements for Tax Professionals

The legal mandate for a written information security plan originates from multiple overlapping federal regulations creating comprehensive data protection obligations. Understanding these regulatory frameworks establishes the foundation for developing compliant documentation satisfying all applicable requirements.

Gramm-Leach-Bliley Act and the FTC Safeguards Rule

The Gramm-Leach-Bliley Act, enacted in 1999, established federal privacy and security standards for financial institutions. The law's definition of "financial institution" explicitly includes tax preparation services, subjecting practitioners to identical data protection requirements as banks and investment firms.

The FTC enforces GLBA provisions through its Safeguards Rule (16 CFR Part 314), mandating that covered entities develop, implement, and maintain comprehensive information security programs. The amended Safeguards Rule, effective June 9, 2023, expanded technical mandates requiring:

  • Multi-factor authentication on all systems accessing customer information
  • Encrypted data storage and transmission using current standards (AES-256 or equivalent)
  • Annual penetration testing for firms handling information of 5,000+ consumers
  • Biannual vulnerability assessments across all information systems
  • Breach reporting within 30 days when incidents affect 500 or more individuals
  • Continuous monitoring or annual penetration testing combined with biannual vulnerability assessments

For a detailed breakdown of FTC Safeguards Rule requirements for tax preparers, see our dedicated compliance guide.

2026 Compliance Warning

The FTC has increased enforcement activity in 2025-2026. Under the amended Safeguards Rule, the FTC has assessed penalties reaching $500,000 for notification failures and up to $46,517 per violation per day for non-compliance. Tax professionals filing PTIN renewals must truthfully certify WISP compliance — false certification on Form W-12 constitutes perjury on a federal form.

IRS Publication 4557 and Tax Professional Security Standards

The IRS established specific security requirements for tax professionals through Publication 4557: Safeguarding Taxpayer Data, a comprehensive guide outlining mandatory data protection measures. This publication explicitly states that tax professionals must create and implement written security plans documenting administrative, technical, and physical safeguards protecting taxpayer information throughout its lifecycle.

The IRS provides two additional resources critical for WISP development:

  • Publication 5708 — A 28-page sample written information security plan specifically designed for tax and accounting practices, offering structured frameworks that firms can customize based on size, scope, and operational complexity
  • Publication 5709 — Detailed step-by-step guidance on how to create a WISP from scratch, including worksheets and decision trees

Together, these IRS publications establish minimum security standards that align with — but do not replace — the broader FTC Safeguards Rule requirements. Tax professionals must satisfy both IRS and FTC mandates simultaneously, as they address overlapping but distinct compliance obligations.

State-Level Written Information Security Plan Requirements

Federal requirements represent the baseline, but state regulations often impose additional obligations. Key state mandates include:

  • Massachusetts 201 CMR 17 — Requires a comprehensive written information security plan for any entity holding personal information of MA residents, with specific technical requirements including encryption, access controls, and employee training
  • New York 23 NYCRR 500 — The DFS Cybersecurity Regulation mandates written cybersecurity policies, designated CISOs, and annual compliance certification
  • California CCPA/CPRA — Establishes consumer data protection rights requiring documented security practices
  • Illinois PIPA — Personal Information Protection Act with breach notification and reasonable security measures requirements

Tax professionals serving clients across multiple states must ensure their written information security plan addresses the most stringent applicable requirements — typically by designing the WISP to meet the highest common denominator across all jurisdictions where clients reside.

Essential Components of a Compliant Written Information Security Plan

Federal regulations and industry standards define specific elements that comprehensive written information security plans must address. The NIST Cybersecurity Framework (CSF) 2.0 provides an authoritative structure organizing these components into logical categories. The framework's six core functions — Govern, Identify, Protect, Detect, Respond, and Recover — map directly to WISP requirements and demonstrate holistic security program implementation to regulators and auditors.

1. Security Governance and Designated Responsible Personnel

Every compliant written information security plan begins with clear governance structures designating specific individuals responsible for security program oversight, implementation, and maintenance. The FTC Safeguards Rule mandates that covered institutions designate a "qualified individual" who:

  • Coordinates the information security program across the organization
  • Possesses sufficient knowledge and experience to assess security risks
  • Has authority to implement necessary controls and enforce policies
  • Reports directly to the board of directors or senior leadership at least annually

For solo practitioners and small firms, the designated security coordinator may be the firm owner. Larger practices should consider whether internal staff possess adequate expertise or whether engaging a dedicated cybersecurity provider better satisfies the "qualified individual" requirement. The FTC explicitly permits outsourcing this role to third-party security providers.

2. Comprehensive Risk Assessment and Data Inventory

Risk assessment forms the analytical foundation supporting all other WISP components. This systematic evaluation identifies where sensitive information resides, how it moves through organizational systems, who can access it, and what vulnerabilities could enable unauthorized disclosure.

The FTC Safeguards Rule requires that risk assessments identify "reasonably foreseeable internal and external risks" to customer information security, confidentiality, and integrity. Effective risk assessments for tax practices should include:

  • Data inventory — Catalog all PII collected, processed, stored, and transmitted: Social Security numbers, ITINs, dates of birth, financial account numbers, income details, employment records, and sensitive correspondence
  • Data flow mapping — Document how taxpayer information moves between systems, employees, cloud services, and third-party tax software
  • Threat identification — Evaluate threats specific to tax practices including phishing attacks targeting tax professionals, ransomware, and social engineering
  • Vulnerability assessment — Identify weaknesses in technical controls, administrative procedures, and physical safeguards
  • Risk scoring — Prioritize identified risks by likelihood and potential impact to guide remediation efforts

Risk assessments must be conducted initially during WISP development and repeated at least annually or whenever significant changes occur to systems, personnel, or business operations. For comprehensive guidance, review our asset management and security assessment guide.

Written Information Security Plan Core Components Checklist

  • Designate a qualified individual responsible for coordinating the information security program
  • Complete a comprehensive data inventory identifying all systems storing or processing taxpayer PII
  • Conduct a formal risk assessment evaluating internal and external threats to client data
  • Document access control policies with role-based permissions and least-privilege principles
  • Implement multi-factor authentication on all systems accessing taxpayer information
  • Establish encryption standards for data at rest (AES-256) and in transit (TLS 1.2+)
  • Create employee security awareness training program with annual refresher courses
  • Define acceptable use policies for all firm technology and devices
  • Document vendor management procedures for third-party service providers
  • Develop an incident response plan with defined roles, escalation procedures, and notification timelines
  • Establish data retention and secure disposal policies (minimum 7 years for tax records per IRS guidelines)
  • Schedule annual WISP review and update cycle with documented change log
  • Implement physical safeguards for offices, filing cabinets, and server rooms
  • Configure endpoint detection and response (EDR) protection on all workstations and servers
  • Document remote work security policies covering home offices and mobile devices

Administrative Safeguards: Policies, Procedures, and Training

Administrative safeguards establish the governance framework controlling how organizations manage information security through policies, procedures, and personnel practices. These foundational controls define organizational security expectations, assign responsibilities, establish accountability mechanisms, and ensure consistent security practices across all operational areas.

Core Policies Every WISP Must Include

A comprehensive written information security plan must address these administrative policy areas:

  • Acceptable use policy — Governs how employees use firm technology, internet access, email, and personal devices for work purposes
  • Access control policy — Defines role-based information access using least-privilege principles, ensuring employees access only the data necessary for their job functions
  • Password and authentication policy — Establishes credential requirements including complexity, rotation schedules, and mandatory multi-factor authentication for tax software
  • Data classification policy — Categorizes information by sensitivity level (public, internal, confidential, restricted) with handling requirements for each tier
  • Encryption policy — Specifies when and how to protect data, covering encryption requirements for client tax data at rest and in transit
  • Remote work policy — Controls security for distributed workforces including VPN requirements, home network security, and device management
  • Vendor management policy — Governs third-party relationships with due diligence requirements, contractual security provisions, and ongoing monitoring of service provider compliance
  • Data retention and disposal policy — Establishes retention schedules (typically 7 years for tax records per IRS guidelines) and secure disposal methods including cross-cut shredding for paper and cryptographic erasure for electronic media

Employee Security Awareness Training

Human error remains the leading cause of data breaches, with the 2024 Verizon Data Breach Investigations Report confirming that 68% of breaches involved a human element. Effective written information security plans therefore require a documented security awareness training program.

Training must occur during onboarding for new employees and at least annually for all staff. Document attendance, content covered, and assessment results as evidence of compliance. The FTC Safeguards Rule also requires establishing disciplinary measures — up to and including termination — for employees who violate security policies.

Key Takeaway

Administrative safeguards are where most small tax firms fall short. Having antivirus software installed is not enough — regulators expect documented policies, employee training records, and evidence of ongoing security program management. The FTC specifically looks for written policies, training documentation, and disciplinary procedures during enforcement actions.

Technical Safeguards: Technology Controls Protecting Information Systems

Technical safeguards comprise the technology controls protecting electronic information systems from unauthorized access, disclosure, modification, or destruction. These measures form the infrastructure supporting secure information processing, storage, and transmission throughout your tax practice.

Endpoint Protection and Detection

Endpoint protection represents the first line of defense against malware, ransomware, and other malicious code. Modern endpoint detection and response (EDR) solutions provide comprehensive threat prevention, detection, investigation, and remediation capabilities that far exceed legacy antivirus software. EDR solutions use behavioral analysis and machine learning to identify threats that signature-based detection misses — critical for defending against zero-day attacks targeting tax season.

Network Security Controls

Network security controls regulate traffic flow between internal systems and external networks. Next-generation firewalls combine traditional packet filtering with application awareness, intrusion prevention, threat intelligence integration, and encrypted traffic inspection. Properly configured firewalls implement default-deny policies blocking all inbound connections except those explicitly required for business operations, significantly reducing attack surface exposure. For more on securing your firm's business network, see our dedicated guide.

Encryption Standards

The FTC Safeguards Rule requires encryption of customer information both at rest and in transit. Tax practices must implement:

  • Data at rest — Full-disk encryption (BitLocker, FileVault) on all workstations and laptops; AES-256 encryption for databases and file storage containing taxpayer data
  • Data in transit — TLS 1.2 or higher for all network communications; encrypted email for transmitting sensitive documents; secure client portals replacing unencrypted email attachments
  • Backup encryption — All backup copies of taxpayer data must be encrypted with keys stored separately from the backup media

Access Controls and Authentication

Technical access controls enforce the principle of least privilege, ensuring users access only the systems and data required for their specific role. Implementation requirements include:

  • Unique user accounts — No shared logins; every staff member has individual credentials for audit trail integrity
  • Multi-factor authentication (MFA) — Required on all systems accessing taxpayer data, including tax preparation software, email, cloud storage, and remote access portals
  • Automatic session timeouts — Systems lock after 15 minutes of inactivity
  • Access revocation procedures — Immediately disable accounts for terminated employees before separation notification, not after

Monitoring, Logging, and Vulnerability Management

Continuous monitoring provides visibility into system activity essential for detecting unauthorized access attempts and security anomalies. Written information security plans must document procedures for:

  • Centralized log collection and retention (minimum 12 months per NIST SP 800-171 guidelines)
  • Automated alerting on suspicious activity including failed login attempts, privilege escalation, and unusual data access patterns
  • Network security audits performed at minimum every 30 days
  • Operating system and application security patches installed within 30 days of release
  • Annual penetration testing and biannual vulnerability assessments as required by the amended Safeguards Rule
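The access-control and monitoring requirements above (individual credentials, MFA everywhere, immediate revocation for terminated staff, alerting on failed logins, patches within 30 days) can be checked mechanically. The script below is an added example, not code from the original page or from the IRS or FTC; the account inventory, auth log lines and patch dates are constructed, and the failed-login threshold (5 failures in 15 minutes) is an assumed policy value.

```python
"""WISP technical-control self-check over constructed sample data (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed account inventory; the fields mirror the WISP access-control requirements
# (individual credentials, MFA everywhere, terminated staff disabled immediately).
ACCOUNTS = [
    {"user": "jdoe",      "owner": "Jane Doe",  "mfa": True,  "enabled": True, "terminated": False},
    {"user": "frontdesk", "owner": None,        "mfa": False, "enabled": True, "terminated": False},
    {"user": "bsmith",    "owner": "Bob Smith", "mfa": True,  "enabled": True, "terminated": True},
    {"user": "rlee",      "owner": "Rita Lee",  "mfa": False, "enabled": True, "terminated": False},
]

# Constructed authentication events (key=value lines; not from any real system).
AUTH_LOG = """\
2026-02-03T09:00:01 user=jdoe result=success src=10.0.0.12
2026-02-03T09:10:00 user=rlee result=failure src=203.0.113.9
2026-02-03T09:11:00 user=rlee result=failure src=203.0.113.9
2026-02-03T09:12:00 user=rlee result=failure src=203.0.113.9
2026-02-03T09:13:00 user=rlee result=failure src=203.0.113.9
2026-02-03T09:14:00 user=rlee result=failure src=203.0.113.9
2026-02-03T09:40:00 user=jdoe result=failure src=10.0.0.12
2026-02-03T11:00:00 user=jdoe result=failure src=10.0.0.12
2026-02-03T12:05:00 user=bsmith result=success src=198.51.100.7
"""

# Constructed patch inventory: host -> date the last OS/application patches were applied.
PATCH_STATUS = {
    "wkst-01": datetime(2026, 1, 28),
    "wkst-02": datetime(2025, 12, 15),
    "srv-files": datetime(2026, 1, 5),
}

# Date on which this self-check is run (constructed).
ASSESSMENT_DATE = datetime(2026, 2, 3)


def audit_accounts(accounts):
    """Return (user, issue) pairs for accounts violating the access-control rules."""
    findings = []
    for acct in accounts:
        if acct["owner"] is None:
            findings.append((acct["user"], "shared login without an individual owner"))
        if not acct["mfa"]:
            findings.append((acct["user"], "multi-factor authentication not enforced"))
        if acct["terminated"] and acct["enabled"]:
            findings.append((acct["user"], "terminated employee account still enabled"))
    return findings


def parse_auth_log(text):
    """Parse key=value auth lines into dicts with a datetime 'ts' field, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def failed_login_alerts(events, threshold=5, window=timedelta(minutes=15)):
    """Map user -> peak failure count for users with >= threshold failures in one sliding window."""
    recent = defaultdict(deque)
    alerts = {}
    for event in events:
        if event["result"] != "failure":
            continue
        q = recent[event["user"]]
        q.append(event["ts"])
        while q and event["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts[event["user"]] = max(alerts.get(event["user"], 0), len(q))
    return alerts


def terminated_account_activity(events, accounts):
    """Return terminated users who still appear in successful logins (revocation gap)."""
    terminated = {a["user"] for a in accounts if a["terminated"]}
    return sorted({e["user"] for e in events
                   if e["result"] == "success" and e["user"] in terminated})


def overdue_patches(patch_status, today, max_age_days=30):
    """Return hosts whose last patch date is older than the 30-day window."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(h for h, applied in patch_status.items() if applied < cutoff)


if __name__ == "__main__":
    for user, issue in audit_accounts(ACCOUNTS):
        print(f"ACCOUNT {user}: {issue}")
    events = parse_auth_log(AUTH_LOG)
    for user, count in failed_login_alerts(events).items():
        print(f"ALERT {user}: {count} failed logins within 15 minutes")
    for user in terminated_account_activity(events, ACCOUNTS):
        print(f"ALERT {user}: successful login by terminated employee")
    for host in overdue_patches(PATCH_STATUS, ASSESSMENT_DATE):
        print(f"PATCH {host}: last patched more than 30 days ago")
```

Each finding maps to one checklist item, so the output doubles as evidence for the annual WISP review.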

Antivirus vs. EDR vs. Managed EDR for Tax Practices

Threat Detection Method
  • Traditional Antivirus: Signature-based only — catches known malware
  • Standalone EDR: Behavioral analysis + signatures — detects unknown threats
  • Managed EDR (Recommended): Behavioral analysis + human threat hunting 24/7

Incident Response
  • Traditional Antivirus: Alert only — you investigate and remediate yourself
  • Standalone EDR: Automated containment — still requires internal expertise
  • Managed EDR (Recommended): Full containment + expert remediation by SOC analysts

Compliance Coverage
  • Traditional Antivirus: Does not satisfy FTC Safeguards Rule monitoring requirements
  • Standalone EDR: Meets technical requirements if properly configured
  • Managed EDR (Recommended): Fully satisfies FTC, IRS, and state-level monitoring mandates

Staffing Requirement
  • Traditional Antivirus: Minimal — but provides minimal protection
  • Standalone EDR: Requires trained security staff to manage and tune
  • Managed EDR (Recommended): No internal security staff needed — fully outsourced

Tax Season Readiness
  • Traditional Antivirus: Insufficient against targeted phishing and ransomware campaigns
  • Standalone EDR: Strong protection if monitored during business hours
  • Managed EDR (Recommended): 24/7 protection during peak tax season threat activity

Physical Safeguards: Protecting Facilities and Equipment

Physical safeguards prevent unauthorized individuals from accessing locations containing sensitive information or equipment processing taxpayer data. These controls address traditional physical security concerns often overlooked in technology-focused security discussions but essential for comprehensive WISP compliance.

Your written information security plan must document these physical security measures:

  • Facility access controls — Keyed locks, electronic keycard systems, or biometric readers restricting entry to offices containing sensitive information
  • Visitor management — Sign-in procedures, visitor badges, and escort requirements for non-employees accessing controlled areas
  • Physical access logs — Documentation of who entered controlled areas and when, creating audit trails supporting incident investigations
  • Workstation security — Screen privacy filters, cable locks for laptops, and clean desk policies requiring sensitive documents to be secured when unattended
  • Server and network equipment — Locked server rooms or closets with restricted access limited to authorized IT personnel
  • Document disposal — Cross-cut shredders on-site or contracted professional shredding services with certificates of destruction for paper records containing taxpayer PII
  • Media disposal — Documented procedures for sanitizing or destroying hard drives, USB drives, and other electronic media before disposal using NIST SP 800-88 guidelines

Filing cabinets containing taxpayer documents must have locking mechanisms, and keys or combinations should be restricted to authorized personnel only. For practices storing physical records off-site, vendor security assessments must verify that storage facilities maintain equivalent physical safeguards.

Incident Response Planning and Breach Notification

No security program prevents every possible incident, making documented response procedures essential for minimizing damage when breaches occur. A comprehensive incident response plan for your tax practice establishes clear protocols organized around six phases aligned with the NIST Computer Security Incident Handling Guide (SP 800-61).

The Six Phases of Incident Response

  1. Preparation — Establish the response team, communication channels, and tools before an incident occurs
  2. Detection and Analysis — Identify security events through monitoring, alerts, and employee reporting; assess severity and scope
  3. Containment — Isolate affected systems to prevent further damage while preserving forensic evidence
  4. Eradication — Remove the threat from all systems, patch exploited vulnerabilities, and verify elimination
  5. Recovery — Restore normal operations from clean backups, implement additional safeguards, and verify system integrity
  6. Post-Incident Review — Document lessons learned, update the WISP and response procedures, and report to stakeholders

Breach Notification Timelines

Breach notification requirements carry strict regulatory timelines that your written information security plan must document:

  • IRS notification — Contact the IRS Stakeholder Liaison Office within 24 hours of confirming breaches involving taxpayer information
  • FTC notification — Report to the FTC within 30 days when security events affect 500 or more individuals under the amended Safeguards Rule
  • State notification — Most states require notification within 30-60 days; some (e.g., Florida at 30 days, Colorado at 30 days) have shorter windows
  • Individual notification — Affected taxpayers must be notified per applicable state breach notification laws, typically within 30-60 days
  • Law enforcement — File reports with the FBI's Internet Crime Complaint Center (IC3) and local law enforcement as appropriate

For a ready-to-customize response framework, download our cybersecurity incident response plan template.

How to Build Your Written Information Security Plan

Step 1: Assess Your Current Security Posture

Conduct a gap analysis comparing your current practices against IRS Publication 4557, FTC Safeguards Rule requirements, and NIST CSF 2.0 framework. Identify what documentation and controls exist versus what's missing.

Step 2: Complete Your Data Inventory

Catalog every system, application, and physical location where taxpayer PII is collected, processed, stored, or transmitted. Include tax software, email, cloud storage, backup systems, paper files, and third-party services.

Step 3: Conduct a Formal Risk Assessment

Evaluate internal and external threats to each data asset identified in Step 2. Score risks by likelihood and impact. Prioritize remediation of critical and high-risk findings.

Step 4: Draft Your WISP Document

Use IRS Publication 5708 as your starting template. Customize each section to reflect your firm's specific size, systems, and operations. Address all required components: governance, administrative, technical, and physical safeguards.

Step 5: Implement Technical Controls

Deploy the technology controls documented in your WISP: endpoint protection (EDR), multi-factor authentication, encryption, firewall configuration, backup systems, and monitoring tools.

Step 6: Train All Employees

Conduct initial security awareness training covering all WISP policies. Document attendance, topics covered, and assessment results. Schedule annual refresher training and maintain records.

Step 7: Test and Validate

Perform penetration testing (annually) and vulnerability assessments (biannually) to validate that implemented controls work as documented. Conduct tabletop exercises testing your incident response plan.

Step 8: Review, Update, and Maintain

Schedule annual WISP reviews. Update the plan whenever significant changes occur — new systems, staff changes, regulatory updates, or after any security incident. Maintain a documented change log.

WISP Requirements by Practice Size

The FTC Safeguards Rule and IRS guidance recognize that written information security plan requirements should scale based on practice size and complexity. However, all tax professionals handling taxpayer data need a WISP — there is no minimum size exemption.

Solo Practitioners and Small Firms (1-5 Employees)

Solo practitioners and small tax practices face the same fundamental WISP requirements but can implement them proportionally. Key considerations for small firm WISP compliance:

  • The firm owner typically serves as the designated security coordinator
  • IRS Publications 5708 and 5709 provide templates specifically scaled for small practices
  • Cloud-based tax software with built-in encryption and MFA can satisfy multiple technical requirements simultaneously
  • Managed security services allow small firms to meet monitoring and response requirements without dedicated IT staff
  • The FTC exempts firms handling fewer than 5,000 consumer records from certain requirements (annual penetration testing, written incident response plan, annual board reporting) — but the core WISP requirement still applies

Mid-Size Firms (6-50 Employees)

Mid-size practices face the full scope of FTC Safeguards Rule requirements and must implement more formal security governance:

  • Designated qualified individual with documented security expertise or a contracted cybersecurity provider filling the role
  • Formal role-based access controls with documented approval processes
  • Annual penetration testing and biannual vulnerability assessments (required if handling 5,000+ consumer records)
  • Written incident response plan with assigned team roles
  • Vendor risk management program for all third-party service providers accessing taxpayer data
  • Annual board or senior leadership reporting on security program status

Large Firms and Multi-Office Practices (50+ Employees)

Large tax and accounting firms should implement enterprise-grade security programs aligned with NIST SP 800-171 or ISO 27001:2022 frameworks, including dedicated security personnel or a virtual CISO, proactive threat hunting capabilities, Security Information and Event Management (SIEM) platforms, formal change management procedures, and third-party security audits.

Using Templates vs. Building a Custom WISP

One of the most common questions tax professionals ask is whether they can use a template for their written information security plan or must build one from scratch. The answer: templates are an excellent starting point, but they must be customized.

The IRS explicitly provides templates (Publications 5708 and 5709) expecting practitioners to adapt them. Industry organizations like CAMICO (professional liability insurers for CPAs) also offer WISP templates designed for accounting professionals. The key is that regulators will scrutinize whether your WISP reflects your actual operations — a generic, unmodified template that doesn't match your firm's systems, personnel, or procedures will not satisfy compliance requirements.

Effective WISP customization requires:

  • Accurate system inventory — Replace template placeholders with your actual software, hardware, and cloud services
  • Firm-specific policies — Tailor acceptable use, remote work, and access control policies to your operational reality
  • Real contact information — Include actual names, roles, and contact details for your security coordinator and incident response team
  • Current risk assessment — Document risks specific to your practice, not generic industry risks
  • Applicable regulations — Address state-specific requirements based on where your clients reside

For a professionally guided template that walks you through customization, see our free 2026 WISP template designed specifically for tax professionals.

Need Help Building Your Written Information Security Plan?

Our cybersecurity team has helped thousands of tax professionals create compliant WISPs that satisfy IRS, FTC, and state-level requirements. Get a professionally designed template customized to your practice.

Common WISP Compliance Mistakes Tax Professionals Make

After working with tax practices across the country, these are the most frequent written information security plan deficiencies we encounter:

  1. Using an unmodified template — Downloading a generic WISP template without customizing it to reflect actual firm operations, systems, and personnel
  2. Treating the WISP as a one-time document — Creating a plan once and never updating it. The FTC requires annual reviews and updates after significant changes or incidents
  3. Missing employee training documentation — Having informal security practices but no documented training records proving employees were trained on WISP policies
  4. Ignoring third-party vendor risk — Failing to assess and document security practices of cloud providers, tax software vendors, IT support companies, and other third parties accessing taxpayer data
  5. No incident response plan — Having a WISP that covers preventive controls but lacks documented procedures for what happens when a breach occurs
  6. Inadequate access controls — Using shared logins, failing to implement MFA, or not revoking access for terminated employees
  7. Overlooking physical safeguards — Focusing exclusively on technology while leaving filing cabinets unlocked, servers in accessible areas, or visitor access uncontrolled
  8. No data retention or disposal policy — Keeping taxpayer data indefinitely without documented retention schedules or secure disposal procedures

Each of these gaps represents a potential violation that the FTC, IRS, or state regulators can cite during an audit or enforcement action. A compliant written information security plan addresses all of them systematically.

Taking Action: Your WISP Implementation Path Forward

The regulatory environment governing tax professional data security continues intensifying with escalating enforcement activity, coordinated multi-agency investigations, and increasingly sophisticated cyber threats targeting tax firms of all sizes. Organizations without documented written information security plans face mounting risks from regulatory penalties, PTIN credential revocation, insurance coverage denial, and devastating financial consequences following data breaches.

The question isn't whether your practice needs a written information security plan — federal law already mandates one. The question is whether you'll implement proper protections proactively or reactively after incidents force compliance at exponentially greater cost with potentially irreparable reputational damage.

Begin today by conducting an honest assessment of your current security posture using the frameworks and checklists in this guide. Identify documentation gaps, prioritize actions addressing critical vulnerabilities, and develop a systematic implementation plan. Whether you use our free 2026 WISP template, the IRS Publication 5708 sample plan, or engage professional assistance, the most important step is starting now — before your next PTIN renewal, your next tax season, or your next client asks to see your security documentation.

Get Your Free Written Information Security Plan Assessment

Our cybersecurity experts will evaluate your current WISP against IRS Publication 4557, FTC Safeguards Rule, and state-level requirements — then provide a prioritized action plan to close compliance gaps.

Frequently Asked Questions

A written information security plan (WISP) is a documented cybersecurity framework required by federal law under the Gramm-Leach-Bliley Act and FTC Safeguards Rule (16 CFR Part 314). Every tax professional, CPA, enrolled agent, and accounting firm that handles taxpayer information is classified as a "financial institution" and must maintain a current WISP. There is no minimum firm size exemption — solo practitioners and large firms alike must comply.

The FTC Safeguards Rule requires that written information security plans be reviewed and updated at least annually. Additionally, your WISP must be updated whenever significant changes occur, including new systems or software, changes in personnel (especially the designated security coordinator), new service providers with access to taxpayer data, regulatory changes, or after any security incident. Maintain a documented change log recording all updates.

Yes — templates are an excellent starting point. The IRS provides Publication 5708 (a 28-page sample WISP) and Publication 5709 (step-by-step creation guidance) specifically for tax professionals. Industry organizations like CAMICO also offer templates for CPAs. However, you must customize any template to reflect your actual systems, personnel, procedures, and risk profile. Regulators will not accept a generic, unmodified template that doesn't match your firm's operations.

Penalties for non-compliance are severe and come from multiple sources: the FTC can assess fines up to $46,517 per violation per day and has issued penalties reaching $500,000 for notification failures. The IRS can revoke your PTIN, effectively ending your ability to prepare federal tax returns. Professional liability insurance policies may deny breach-related claims if you lacked a required WISP. False certification of WISP compliance on Form W-12 constitutes perjury. Average data breach costs exceed $4.88 million (IBM, 2024).

IRS requirements (Publication 4557) and FTC Safeguards Rule requirements overlap but are distinct compliance obligations. The IRS focuses on taxpayer data protection with specific guidance for tax professionals, including 24-hour breach notification to the IRS Stakeholder Liaison Office. The FTC Safeguards Rule applies broader requirements as a financial institution regulation, mandating a designated qualified individual, formal risk assessments, specific technical controls (MFA, encryption), penetration testing, and 30-day breach notification for incidents affecting 500+ individuals. Tax professionals must satisfy both sets of requirements simultaneously.

Yes — your written information security plan must explicitly address remote work security. Required controls include VPN usage for accessing firm systems, encryption on all devices used outside the office (including personal devices if permitted), multi-factor authentication for remote access, secure Wi-Fi requirements (no public networks for accessing taxpayer data), physical security measures for home offices, and policies governing printing and disposal of sensitive documents at remote locations. The shift to remote and hybrid work has made this one of the most scrutinized sections during compliance reviews.

The core requirement — maintaining a written information security plan — applies equally regardless of firm size. However, the FTC Safeguards Rule provides some scaled relief for smaller firms handling fewer than 5,000 consumer records, exempting them from annual penetration testing requirements, written incident response plans, and annual board reporting obligations. All other requirements (designated coordinator, risk assessment, access controls, MFA, encryption, employee training, monitoring) apply to firms of every size. Smaller firms can implement controls proportionally — for example, the owner serving as security coordinator — but cannot skip required elements.

Your written information security plan must include a vendor management program covering all third parties with access to taxpayer data. This includes tax software providers, cloud storage services, IT support companies, payroll processors, and document management platforms. Required elements include due diligence assessments before onboarding new vendors, contractual requirements for data protection and breach notification, ongoing monitoring of vendor security practices, procedures for revoking vendor access when relationships end, and documentation of which vendors access what data. The FTC holds your firm responsible for taxpayer data even when a vendor causes the breach.

Data retention policies are a required component of every WISP. The IRS generally requires tax professionals to retain copies of filed returns and supporting documents for a minimum of 3 years from the filing date, though many practitioners retain records for 7 years to align with the IRS statute of limitations for fraud cases. State requirements may impose longer retention periods. Equally important is your secure disposal policy — your WISP must document how data is destroyed when retention periods expire, including cross-cut shredding for paper and cryptographic erasure or physical destruction for electronic media per NIST SP 800-88 guidelines.

Several resources are available: the IRS provides free templates through Publications 5708 and 5709, professional liability insurers like CAMICO offer industry-specific templates, and cybersecurity firms specializing in tax professional compliance (like Bellator Cyber Guard) provide guided WISP development services. For firms that need hands-on assistance, working with a cybersecurity provider experienced in IRS and FTC requirements ensures your plan meets all federal and state mandates while accurately reflecting your firm's actual security posture. Download our free 2026 WISP template to get started.
