IRS & FTC Required Since 2023
Written Information Security Plan Template & Complete Guide 2025
The Complete Guide & Free Template for Tax Professionals
What Is a Written Information Security Plan?
A Written Information Security Plan (WISP) is a comprehensive document that outlines how your tax practice protects sensitive client information from unauthorized access, use, or disclosure. It serves as your blueprint for data security, documenting the administrative, technical, and physical safeguards you implement to protect taxpayer data. Under the FTC Safeguards Rule and enforced through IRS regulations, every tax professional who handles non-public personal information must maintain a compliant WISP that addresses nine specific components mandated by federal law.
Why It Matters: Beyond legal compliance, your WISP demonstrates professionalism and commitment to client data protection. It provides clear procedures for your team, satisfies insurance requirements, and protects your practice from potentially devastating penalties. A well-crafted WISP transforms security from an abstract concept into actionable policies that safeguard both your clients and your business.
Who Needs One: Every tax professional with a PTIN must have a Written Information Security Plan. This includes CPAs, Enrolled Agents, tax attorneys, and unenrolled preparers – regardless of practice size.
Quick Facts
- Required by: FTC Safeguards Rule
- Enforced through: IRS Form W-12
- Penalties: Up to $100,000
- Components: 9 mandatory
WISP Legal Requirements & Compliance
Federal Requirements
- Gramm-Leach-Bliley Act (GLBA): Establishes the foundation for financial privacy protection, requiring all financial institutions to safeguard customer information.
- FTC Safeguards Rule: Implements GLBA through specific requirements for Written Information Security Plans with nine mandatory components.
- IRS Publication 4557: Provides detailed guidance for tax professionals on protecting taxpayer data and maintaining compliance.
IRS Enforcement
- Form W-12 Question 11: Requires certification of WISP compliance under penalty of perjury during PTIN renewal.
- PTIN Renewal Requirement: Annual certification that you maintain a compliant Written Information Security Plan.
- False Certification Penalties: Perjury charges, PTIN revocation, and inability to prepare returns for compensation.
Compliance Timeline
- 2023: FTC enforcement begins – all tax professionals must have Written Information Security Plans in place.
- 2024: IRS adds WISP certification to PTIN renewal process through Form W-12.
- 2025: Full compliance required – enhanced enforcement and potential audits for non-compliant practices.
State-Specific WISP Requirements
California
24-Hour Breach Notification
The nation’s strictest timeline. The CCPA requires immediate action when personal information is compromised: you must notify affected residents within 24 hours of discovering a breach that creates substantial risk.
- Notify CA AG if 500+ affected
- Penalties up to $7,500 per violation
- Private right of action available
Massachusetts
Encryption Requirements
201 CMR 17.00 mandates comprehensive security exceeding federal standards. Encryption required for all portable devices and transmitted data containing personal information.
- Mandatory encryption standards
- Annual security reviews required
- $50,000 per violation maximum
New York
SHIELD Act Compliance
The Stop Hacks and Improve Electronic Data Security (SHIELD) Act imposes specific technical safeguards. Any business that holds data on New York residents must implement a comprehensive security program.
- Risk assessment requirements
- Employee training mandates
- $250,000 maximum penalty
Texas
Identity Theft Provisions
The Texas Identity Theft Enforcement and Protection Act includes specific data disposal and breach notification requirements that apply to every business holding data on Texas residents.
- 60-day breach notification
- Notify AG if 250+ affected
- $250,000 per breach maximum
Florida
Information Protection Act
Florida Information Protection Act (FIPA) requires reasonable measures to protect and properly dispose of personal information, with specific breach notification requirements.
- 30-day breach notification
- Notice to AG if 500+ affected
- $500,000 per breach maximum
Common WISP Mistakes to Avoid
Using Generic Templates
A WISP must reflect YOUR actual practices, not theoretical ones. Generic templates fail audits because they don’t match your operations. Customize every section to your specific technology, procedures, and client base.
Missing Annual Updates
Creating a WISP isn’t one-and-done. The FTC requires annual reviews and updates. Failing to document regular reviews suggests your WISP is abandoned, not actively implemented.
No Training Documentation
Employee training is mandatory, not optional. Without documented training records, you can’t prove compliance. Keep signed acknowledgments, training dates, and materials covered.
Ignoring Vendor Management
Every service provider with data access needs oversight. Failing to assess vendor security or update contracts leaves you liable for their breaches. Document all vendor reviews.
Incomplete Incident Plans
Having no incident response plan or one that’s never tested guarantees chaos during a breach. Your plan needs specific procedures, contact lists, and regular testing documentation.
No Testing Procedures
Safeguards without testing are just assumptions. Regular testing of backups, access controls, and security measures is required. Document all tests, results, and corrective actions taken.
Written Information Security Plan FAQs
What is a WISP?
A WISP (Written Information Security Plan) is a comprehensive document required by the FTC Safeguards Rule that outlines how tax professionals protect client data. It must include nine mandatory components covering administrative, technical, and physical safeguards for taxpayer information. Think of it as your practice’s security blueprint – documenting policies, procedures, and controls that protect sensitive data from unauthorized access or breaches.
Who needs a Written Information Security Plan?
Every tax professional with a PTIN must have a Written Information Security Plan, regardless of practice size. This includes CPAs, Enrolled Agents, tax attorneys, and all paid preparers. Solo practitioners and large firms alike must maintain compliant WISPs. The FTC makes no exceptions based on practice size or revenue – if you handle taxpayer data and prepare returns for compensation, you need a WISP.
Is a WISP required by law?
Yes, a WISP is legally required under the FTC Safeguards Rule for all financial institutions, including tax professionals. The IRS enforces this through Form W-12 Question 11 during PTIN renewal, requiring certification of WISP compliance. This isn’t optional guidance – it’s federal law with significant penalties for non-compliance. State laws may impose additional requirements beyond federal mandates.
What happens without a WISP?
Operating without a WISP can result in FTC fines up to $100,000 per violation, PTIN revocation, inability to prepare returns for compensation, denial of cyber insurance claims, and personal liability for data breaches. False certification on Form W-12 constitutes perjury. Beyond legal penalties, lacking a WISP leaves you unprepared for security incidents and vulnerable to reputation damage if a breach occurs.
How often should a WISP be updated?
The FTC requires annual WISP reviews at minimum, but you should update whenever significant changes occur. This includes adding new services, changing software providers, hiring employees, moving offices, or experiencing security incidents. Document all reviews and updates, even if no changes are made. Many practitioners schedule quarterly reviews to ensure ongoing compliance and catch needed updates early.
DIY or professional WISP?
DIY WISPs using free templates can work but require 40-60 hours to properly customize and implement. Professional WISPs cost around $577 but save significant time and ensure compliance with expert-written policies. Consider your time value, comfort with regulations, and risk tolerance. Errors in DIY WISPs can be costly if discovered during audits or after breaches.
WISP or cyber insurance?
A WISP and cyber insurance serve different purposes. Your WISP is a legally required security program documenting how you protect data. Cyber insurance provides financial protection if a breach occurs despite your safeguards. They work together – your WISP helps prevent breaches while insurance covers costs if prevention fails. Most insurers require a WISP for coverage validity.
What are the requirements for solo practitioners?
Solo practitioners must address all nine WISP components but can have simpler implementations than larger firms. You serve as your own Qualified Individual, but still need documented risk assessments, safeguards, incident response plans, and annual reviews. Even without employees, document your security training and procedures. The FTC expects reasonable measures appropriate to your practice size.
What about multi-state compliance?
You must comply with requirements in every state where you have clients, not just your office location. This means following the strictest applicable standard for each requirement. California’s 24-hour breach notification, Massachusetts’ encryption mandates, and New York’s SHIELD Act may all apply. Your WISP should address the highest standard to ensure comprehensive compliance.
Does using cloud software replace a WISP?
Using secure cloud software like TaxDome or Drake is important but doesn’t eliminate WISP requirements. These are technical safeguards – just one component of nine required elements. You still need documented policies, training procedures, incident response plans, and vendor oversight. Your WISP should document how you securely use these tools within your overall security program.
Protect Your Practice with a Compliant WISP
Join 9,500+ tax professionals who trust our WISP solutions to keep their practices compliant and clients protected.