
IRS requires a Written Information Security Plan — is your firm compliant?

Free Compliance Review
IRS Publication 4557 Compliant

Get your WISP started today

IRS Publication 4557 requires every tax preparer to have a Written Information Security Plan. We make it easy.

  • Covers IRS Publication 4557, FTC Safeguards Rule & GLBA
  • Includes a free Incident Response Plan
  • Updated for 2026 requirements
  • Used by 4,000+ tax professionals

AICPA Certified | A+ BBB Rating | No credit card required

Download Your Free WISP

4,000+
WISPs Delivered
100%
IRS Pub 4557 Compliant
30 min
Average Setup Time

What Is a Written Information Security Plan?

A Written Information Security Plan (WISP) is a comprehensive document that outlines how your tax practice protects sensitive client information from unauthorized access, use, or disclosure.

It serves as your blueprint for data security, documenting the administrative, technical, and physical safeguards you implement to protect taxpayer data.

Under the FTC Safeguards Rule (16 CFR Part 314), which IRS Publication 4557 directs tax professionals to follow, every tax professional who handles non-public personal information must maintain a written information security program that addresses the rule's nine required elements. The WISP is that program in document form.

Why It Matters

  • Demonstrates professionalism and commitment to client data protection
  • Provides clear procedures for your team to follow
  • Satisfies insurance requirements and protects your practice from devastating penalties
  • Transforms security from an abstract concept into actionable policies

WISP Legal Requirements & Compliance

Federal Requirements

Gramm-Leach-Bliley Act (GLBA): Establishes the foundation for financial privacy protection, requiring all financial institutions to safeguard customer information.

FTC Safeguards Rule: Implements GLBA through specific requirements for Written Information Security Plans with nine mandatory components.

IRS Publication 4557: Provides detailed guidance for tax professionals on protecting taxpayer data and maintaining compliance.

IRS Enforcement

Form W-12, Line 11 (Data Security Responsibilities): When applying for or renewing a PTIN, preparers check a box confirming they are aware of their legal obligation to have a data security plan and to protect all taxpayer information. The form is signed under penalties of perjury.

PTIN Renewal Requirement: The data security statement is part of every annual PTIN renewal, so the obligation to maintain a WISP is reaffirmed each year.

Consequences of a False Statement: Because Form W-12 is signed under penalties of perjury, a knowingly false statement exposes the preparer to perjury liability, and the IRS can deny or revoke the PTIN, which ends the ability to prepare returns for compensation.

Compliance Timeline

2019: IRS adds the data security responsibilities statement (Form W-12, Line 11) to the PTIN application and renewal process.

June 2023: Compliance deadline for the amended FTC Safeguards Rule. All tax professionals must have a Written Information Security Plan in place.

2026: Increased enforcement and audits — updated WISP required annually.

Three steps to a compliant WISP

1

Download the template

Get our free, professionally written WISP template — pre-filled with IRS-required sections and plain-English guidance.

2

Customize for your practice

Fill in your firm's details, employee count, systems, and data handling procedures. Our instructions walk you through every section.

3

Implement & maintain

Activate the security controls listed in your WISP. We offer managed services to handle this for you — endpoint protection, monitoring, and annual updates.

State-Specific WISP Requirements

California

Breach Notification Without Unreasonable Delay

California Civil Code section 1798.82 requires notice to affected residents in the most expedient time possible and without unreasonable delay. The statute sets no fixed day count, so the clock starts at discovery and any delay beyond what the investigation and law enforcement require must be justifiable.

  • Notify the CA Attorney General if more than 500 California residents are affected
  • CCPA penalties of up to $2,500 per violation and $7,500 per intentional violation
  • Private right of action for breaches caused by a failure to maintain reasonable security

Massachusetts

Encryption Requirements

201 CMR 17.00 mandates a comprehensive written information security program that goes beyond the federal baseline. Personal information stored on laptops and other portable devices must be encrypted, as must personal information transmitted across public networks or wirelessly.

  • Mandatory encryption for portable devices and data in transit
  • Security program must be reviewed at least annually
  • $50,000 per violation maximum

New York

SHIELD Act Compliance

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act requires any business holding the private information of New York residents to implement reasonable administrative, technical, and physical safeguards, and expands breach notification duties.

  • Risk assessment requirements
  • Employee training mandates
  • Up to $5,000 per violation for failing to implement reasonable safeguards; up to $250,000 for failures to notify

Texas

Identity Theft Enforcement

Texas Business and Commerce Code Chapter 521 requires businesses to implement and maintain reasonable procedures to protect sensitive personal information from unlawful use or disclosure. The Attorney General can bring enforcement actions for failures to protect data or to give timely notice.

  • Affected individuals must be notified within 60 days of determining a breach occurred
  • AG enforcement authority
  • Civil penalties of $2,000 to $50,000 per violation, plus up to $100 per individual per day for late notice, capped at $250,000 per breach

Common WISP Mistakes to Avoid

Using Generic Templates

A WISP must reflect YOUR actual practices, not theoretical ones. Generic templates fail audits because they don't match your operations. Customize every section to your specific technology, procedures, and client base.

Missing Annual Updates

Creating a WISP isn't one-and-done. The FTC Safeguards Rule requires you to evaluate and adjust your program as your technology, staff, and threats change, and IRS Publication 4557 expects at least an annual review. Failing to document regular reviews suggests your WISP is abandoned, not actively implemented.

No Training Documentation

Employee training is mandatory, not optional. Without documented training records, you can't prove compliance. Keep signed acknowledgments, training dates, and materials covered.

Ignoring Vendor Management

Every service provider with data access needs oversight. Failing to assess vendor security or update contracts leaves you liable for their breaches. Document all vendor reviews.

WISP Implementation Options

DIY Approach

40–60 hours of your time

$0
  • Free template download
  • Self-implementation
  • IRS Pub 4557 compliant structure
  • Basic incident response plan
  • Custom to your practice
  • Annual updates included
  • Endpoint protection
  • Dark web monitoring
Get Your Free WISP
MOST POPULAR

Professional WISP

8–12 hours of your time

$577
  • Custom documentation
  • Expert review
  • IRS + FTC + GLBA compliant
  • Full incident response plan + support
  • Custom to your practice
  • Annual updates included
  • Endpoint protection
  • Dark web monitoring
Get a Custom WISP — $577

I downloaded the free WISP template and had it customized for my practice in under an hour. When I was ready for full protection, Bellator handled everything — EDR, monitoring, the works.

David Chen, Enrolled Agent at Chen Tax Services

WISP frequently asked questions

Is the WISP template really free?

Yes. The template is completely free to download and use. We created it because every tax professional deserves access to a compliant WISP, regardless of budget. If you want us to customize it or add managed security services, those are paid — but the template itself is always free.

What does the template cover?

Our template covers the requirements outlined in IRS Publication 4557 (Safeguarding Taxpayer Data), the FTC Safeguards Rule, and relevant sections of NIST SP 800-171. It includes sections for data classification, access controls, incident response, employee training, and physical security.

How often does a WISP need to be updated?

The IRS expects your WISP to be a living document — updated at least annually, and whenever you make significant changes to your technology, staff, or processes. Our professional plan includes automatic annual updates.

Does the template work for firms of any size?

Absolutely. The template scales from solo practitioners to firms with 50+ employees. Larger firms may want our professional customization service to ensure every department and role is properly covered.

What is the difference between a WISP and an incident response plan?

A WISP is your overall security policy — it describes how you protect data day-to-day. An incident response plan is a specific section within your WISP that details what to do when a breach or security event occurs. Our template includes both.

Protect your tax practice from cyber threats

Schedule a free consultation to assess your firm's security posture.