Tax · 30 min read · Deep Dive

Written Information Security Plan: What Tax Pros Must Know

Essential written information security plan (WISP) requirements for tax preparers. IRS Publication 4557, FTC Safeguards Rule compliance, templates.


What Is a Written Information Security Plan (WISP)?

A written information security plan (WISP) is the written information security program that the Gramm-Leach-Bliley Act, as implemented by the FTC Safeguards Rule, requires of tax professionals, who count as financial institutions because they handle taxpayer financial data. Every paid preparer must maintain one regardless of how many returns the practice files; the rule sets no minimum return count (the 11-return threshold that is often quoted belongs to the IRS e-file mandate, not to the WISP requirement). The plan documents the administrative policies, technical controls, and physical safeguards that protect personally identifiable information (PII) from unauthorized access, disclosure, or destruction.

Who needs a WISP: All tax preparers, accounting firms, and financial service providers handling taxpayer data are classified as financial institutions under federal law. This includes solo practitioners, CPA firms, and multi-office tax practices regardless of size.

What to do next: Start with IRS Publication 5708 for a template, conduct a risk assessment, and document your current security practices. Non-compliance exposes the firm to FTC civil penalties of up to $46,517 per violation per day (a maximum the FTC adjusts annually for inflation) and to IRS action against the preparer's PTIN.

WISP Compliance By The Numbers

$4.88M
Average Data Breach Cost

IBM Cost of a Data Breach Report 2024

$46,517
Maximum Daily FTC Fine

Per violation, per day; the FTC adjusts the cap for inflation each year

68%
Breaches Involve a Human Element

Verizon 2024 Data Breach Investigations Report

Before the 2026 Filing Season

The WISP requirement is already in force; there is no grace period to wait for. Review and update your plan before the 2026 filing season begins. Form W-12 (PTIN application and renewal) asks the preparer to acknowledge awareness of the legal obligation to have a data security plan, and the form is signed under penalties of perjury, so do not check that box without a plan you can produce.

Federal WISP Requirements for Tax Professionals

The legal mandate for written information security plans originates from multiple overlapping federal regulations creating detailed data protection obligations for tax professionals classified as financial institutions.

Gramm-Leach-Bliley Act and FTC Safeguards Rule

The FTC Safeguards Rule (16 CFR Part 314) mandates that tax preparers develop, implement, and maintain a written information security program. The amended rule, whose main provisions took effect June 9, 2023, added specific technical mandates:

  • Multi-factor authentication for any individual accessing any information system that holds customer information, unless the Qualified Individual approves in writing an equivalent or stronger control
  • Encryption of customer information at rest and in transit over external networks; the rule names no algorithm, so AES-256 and TLS 1.2+ are the usual choices rather than a legal requirement
  • Either continuous monitoring or, failing that, annual penetration testing plus vulnerability assessments at least every six months (firms holding information on fewer than 5,000 consumers are exempt from this and a few other provisions)
  • Notification to the FTC as soon as possible and no later than 30 days after discovering an event involving unencrypted customer information of 500 or more consumers (this notification amendment took effect May 13, 2024)

For detailed FTC compliance requirements, see our FTC Safeguards Rule guide for tax preparers.

IRS Security Standards and Publications

The IRS established specific security requirements through Publication 4557: Safeguarding Taxpayer Data, explicitly stating that tax professionals must create written security plans. Key IRS resources include:

  • Publication 5708 — A 28-page sample written information security plan designed for tax practices
  • Publication 5709 — Step-by-step guidance for creating a WISP from scratch with worksheets
  • Publication 4557 — Detailed security requirements and best practices

Tax professionals must satisfy both IRS and FTC mandates simultaneously, as they address overlapping but distinct compliance obligations.

Administrative Safeguards: Policies and Training

Administrative safeguards establish the governance framework controlling how organizations manage information security through policies, procedures, and personnel practices. These foundational controls define security expectations and ensure consistent practices across all operational areas.

Core Policies Every WISP Must Include

  • Acceptable use policy — Governs employee use of firm technology, internet access, and personal devices
  • Access control policy — Defines role-based information access using least-privilege principles
  • Password and authentication policy — Establishes credential requirements including complexity and MFA mandates
  • Data classification policy — Categorizes information by sensitivity level with handling requirements
  • Encryption policy — Specifies when and how to protect client tax data
  • Remote work policy — Controls security for distributed workforces including VPN requirements
  • Vendor management policy — Governs third-party relationships with security provisions
  • Data retention policy — Establishes retention schedules and secure disposal rules; the IRS minimum for preparer copies of returns is three years, and many firms keep seven to satisfy state rules and liability insurers

Employee Security Awareness Training

People remain the most common path into a breach: the Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element (mistakes, misuse, or falling for social engineering). Effective training programs must address:

  • Recognition and reporting of phishing attempts and suspicious communications
  • Proper handling and classification of sensitive taxpayer data
  • Strong password creation and credential management practices
  • Physical security awareness including clean desk policies
  • Incident reporting procedures and escalation contacts

Training must occur during onboarding and annually for all staff. Document attendance and assessment results as compliance evidence.

WISP Implementation Steps

1

Conduct Risk Assessment

Inventory all systems storing taxpayer data and evaluate internal and external threats to information security.

2

Designate Security Coordinator

Assign a qualified individual to coordinate the security program and ensure ongoing compliance.

3

Document Current Controls

Catalog existing administrative, technical, and physical safeguards protecting client information.

4

Identify Gaps and Remediate

Compare current state against FTC and IRS requirements, then implement necessary improvements.

5

Create Written Policies

Document all security policies, procedures, and training programs in the formal WISP document.

6

Train Staff and Test Plan

Conduct security awareness training and test incident response procedures with tabletop exercises.

7

Monitor and Update Annually

Review the WISP annually, update based on changes, and maintain ongoing compliance documentation.

Technical and Physical Safeguards

Technical safeguards comprise the technology controls protecting electronic information systems from unauthorized access, while physical safeguards prevent unauthorized individuals from accessing facilities containing sensitive information.

Essential Technical Controls

Endpoint Protection: Endpoint detection and response (EDR) tools add behavioral detection, investigation, and remote containment to the signature matching of legacy antivirus. Because they watch process behavior rather than known file hashes, they can catch novel malware and living-off-the-land activity (script interpreters, remote-access tools) that antivirus misses, which matters most during filing season when the practice holds the most fresh taxpayer data.

Network Security: Next-generation firewalls combine packet filtering with application awareness and intrusion prevention. Properly configured firewalls implement default-deny policies blocking unnecessary connections.

Encryption Standards: The FTC Safeguards Rule requires encryption of customer information at rest and in transit over external networks (or compensating controls approved in writing by the Qualified Individual where encryption is infeasible):

  • Data at rest — Full-disk encryption on every workstation and laptop; AES-256 for databases and file stores
  • Data in transit — TLS 1.2 or higher for network communications; encrypted email or a secure client portal for sensitive documents, never plain attachments
  • Backup encryption — Encrypt every backup copy and store the keys separately from the backups; the FTC notification rule treats data as unencrypted if the attacker also obtained the key, so a backup stored next to its key buys no protection

Access Controls: Issue a unique account to every user (no shared front-desk or seasonal logins), require multi-factor authentication on every tax system, enforce automatic session timeouts, and revoke access the same day a person leaves. Reconcile active accounts against the HR roster at least quarterly and keep the review as compliance evidence.
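The account review implied by the access-control requirement above can be scripted. The following is an added example, not code from the original page or from any IRS or FTC publication: it reconciles a user export from the tax software or identity provider against the HR roster and flags terminated employees whose accounts still exist, accounts with no MFA enrolled (escalated on admin roles), shared or unowned accounts, and dormant accounts. The roster, the account export, and the field names are constructed assumptions, since every tax package exports a different format.

```python
"""Access-control review for a WISP: reconcile a user export against HR.

Flags the conditions the access-control policy forbids: accounts that no
longer map to a current employee (revocation overdue), accounts with no
MFA enrolled (worse on privileged roles), accounts owned by nobody or
shared between people, and dormant accounts past the inactivity limit.
All data below is constructed sample input; the field names are
assumptions, since every tax package and identity provider exports a
different format.
"""
from dataclasses import dataclass
from datetime import date

AS_OF = date(2025, 4, 30)  # date of the review (constructed)

# Constructed HR roster keyed by username.
HR_ROSTER = {
    "jsmith":    {"status": "active",     "term_date": None},
    "mlee":      {"status": "active",     "term_date": None},
    "rpatel":    {"status": "terminated", "term_date": date(2025, 3, 14)},
    "seasonal1": {"status": "terminated", "term_date": date(2024, 4, 30)},
}

# Constructed user export from the tax software or identity provider.
ACCOUNT_EXPORT = [
    {"username": "jsmith",    "role": "preparer", "mfa": True,  "last_login": date(2025, 4, 1)},
    {"username": "mlee",      "role": "admin",    "mfa": False, "last_login": date(2025, 4, 2)},
    {"username": "rpatel",    "role": "preparer", "mfa": True,  "last_login": date(2025, 3, 20)},
    {"username": "frontdesk", "role": "preparer", "mfa": False, "last_login": date(2024, 12, 1)},
    {"username": "seasonal1", "role": "preparer", "mfa": True,  "last_login": date(2024, 4, 15)},
]


@dataclass(frozen=True)
class Finding:
    severity: str  # "critical", "high" or "medium"
    username: str
    issue: str


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def review_accounts(accounts, roster, as_of, dormant_days=90):
    """Return policy findings for an account export, most severe first."""
    findings = []
    for acct in accounts:
        user, last_login = acct["username"], acct["last_login"]
        hr = roster.get(user)
        if hr is None:
            # No employee record: a generic/shared login or an account nobody
            # owns. Either way it breaks the "unique user accounts" requirement.
            findings.append(Finding("high", user,
                "no matching employee record; shared or unowned account, disable it"))
        elif hr["status"] == "terminated":
            overdue = (as_of - hr["term_date"]).days
            issue = f"terminated {overdue} days ago but still enabled"
            if last_login and last_login > hr["term_date"]:
                # Activity after the termination date is a potential incident,
                # not just a housekeeping miss.
                issue += "; logged in after termination, investigate"
            findings.append(Finding("critical", user, issue))
        if not acct["mfa"]:
            # Missing MFA on an admin role exposes every client file, so escalate.
            sev = "critical" if acct["role"] == "admin" else "high"
            findings.append(Finding(sev, user, "MFA not enrolled"))
        if last_login is None or (as_of - last_login).days > dormant_days:
            findings.append(Finding("medium", user,
                f"no login in over {dormant_days} days; disable or justify"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.username))


if __name__ == "__main__":
    for f in review_accounts(ACCOUNT_EXPORT, HR_ROSTER, AS_OF):
        print(f"{f.severity:8} {f.username:10} {f.issue}")
```

Run it against a real export by replacing the two constructed tables with CSV loaders; keep the dated output with the WISP's compliance records, since the Safeguards Rule expects evidence that access is reviewed, not just a policy saying it is.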

Physical Security Measures

Your WISP must document physical safeguards including facility access controls with keyed locks or electronic systems, visitor management procedures, workstation security with screen locks and clean desk policies, secured server equipment in locked rooms, and document disposal with cross-cut shredding services.

Incident Response and Breach Notification

No security program prevents every incident, making documented response procedures essential for minimizing damage when breaches occur. Your incident response plan must establish clear protocols for preparation, detection and analysis, containment, eradication, recovery, and post-incident review.

Breach Notification Timelines

Breach notification requirements carry strict regulatory timelines, so the plan must name who makes each contact and keep the contact details current:

  • IRS notification — Contact your IRS Stakeholder Liaison within 24 hours; the IRS can flag affected taxpayer accounts against fraudulent filings, so speed matters
  • State tax agencies — Email StateAlert@taxadmin.org (Federation of Tax Administrators) as Publication 4557 directs, so every affected state can watch for fraudulent returns
  • FTC notification — Report as soon as possible and no later than 30 days after discovery when unencrypted customer information of 500 or more consumers is involved
  • State breach laws — Most states require notification to regulators or individuals within 30-60 days; check each state where affected clients reside
  • Individual notification — Affected taxpayers per the applicable state breach laws
  • Law enforcement — FBI Internet Crime Complaint Center (IC3) and local authorities

For detailed incident response procedures, see our security awareness training guide and ransomware protection strategies.

Bottom Line

Every paid tax preparer, whatever the size of the practice, must have a written information security plan documenting administrative, technical, and physical safeguards. Non-compliance risks FTC penalties of up to $46,517 per violation per day (inflation-adjusted annually) and IRS action against the PTIN. Start with IRS Publication 5708 for templates and customize them to your practice's actual systems, staff, and risks.

WISP Requirements by Practice Size

While all tax professionals need a WISP, requirements scale based on practice complexity. Understanding size-specific obligations helps ensure appropriate implementation.

Solo Practitioners and Small Firms (1-5 Employees)

Small practices can implement proportional WISP requirements. The firm owner typically serves as the designated security coordinator. IRS Publications 5708 and 5709 provide templates specifically scaled for small practices. Cloud-based tax software with built-in encryption and MFA can satisfy multiple technical requirements simultaneously.

Mid-Size and Large Firms (6+ Employees)

Larger practices, and any firm holding information on 5,000 or more consumers, face the full scope of FTC Safeguards Rule requirements: a designated Qualified Individual with documented expertise, a written risk assessment, either continuous monitoring or annual penetration testing with vulnerability assessments every six months, a written incident response plan with assigned team roles, a vendor risk management program, and an annual written report to the board or equivalent governing body on the security program's status.

Using Templates vs. Custom Development

Templates provide an excellent starting point, but they must be customized to reflect your actual operations. The IRS explicitly provides templates expecting practitioners to adapt them. Effective customization requires accurate system inventory, firm-specific policies, real contact information, current risk assessment, and applicable state regulations.

For step-by-step guidance on PTIN WISP requirements and CPA firm cybersecurity, see our dedicated compliance resources.


Frequently Asked Questions

What is a WISP?

A WISP is the written information security program that the Gramm-Leach-Bliley Act, through the FTC Safeguards Rule, requires of tax professionals handling sensitive taxpayer information. It documents the administrative policies, technical controls, and physical safeguards protecting personally identifiable information from unauthorized access, disclosure, or destruction.

Who needs a WISP?

All tax preparers, accounting firms, and financial service providers handling taxpayer data are classified as financial institutions under federal law and must maintain a WISP. This includes solo practitioners, CPA firms, and multi-office practices regardless of size or the number of returns filed.

What are the penalties for not having a WISP?

FTC civil penalties can reach $46,517 per violation per day, a cap the FTC adjusts annually for inflation. The IRS can act against the preparer's PTIN, a professional liability insurer may deny coverage for a breach the firm failed to take reasonable steps to prevent, and a breach itself averaged $4.88 million in costs according to IBM's 2024 Cost of a Data Breach Report.

How often must a WISP be updated?

You must review and update your WISP at least annually or whenever significant changes occur to systems, personnel, or business operations. The FTC Safeguards Rule also requires periodic risk assessments and ongoing monitoring of the security program's effectiveness.

Can I use a template?

Yes, templates are an excellent starting point. The IRS provides templates through Publications 5708 and 5709. However, templates must be customized to reflect your actual operations, systems, and procedures. A generic, unmodified template will not satisfy compliance requirements and will not help you in an actual incident.

What technical safeguards must a WISP include?

Technical safeguards include multi-factor authentication on all systems accessing taxpayer data, encryption for data at rest (typically AES-256) and in transit (TLS 1.2+), endpoint protection with EDR capabilities, network security controls, access controls with unique user accounts and prompt revocation, and monitoring with centralized logging.

Do the requirements differ by practice size?

While all tax professionals need a WISP, requirements scale with practice size. The FTC exempts firms holding information on fewer than 5,000 consumers from certain requirements, such as the written risk assessment, continuous monitoring or annual penetration testing, the written incident response plan, and the annual board report, but the core WISP requirement applies to all practices regardless of size.

What must the WISP say about breach notification?

Your WISP must include an incident response plan with specific timelines: notify the IRS within 24 hours, report to the FTC within 30 days of discovery if unencrypted information of 500 or more consumers is affected, comply with state breach notification laws (typically 30-60 days), and notify affected taxpayers according to applicable state requirements.
