
IRS WISP Requirements Explained

What is a WISP and why does the IRS require one? Plain-language breakdown of the 9 mandatory sections every tax preparer needs.

At a glance:

  • 9 required sections, mandated by IRS Publication 4557
  • Enforcement began in 2023: the FTC Safeguards Rule is now active
  • $50K+ penalty per violation: FTC fines for non-compliance
  • Annual review required: you must update your WISP every year

IRS Publication 4557: What It Requires

IRS Publication 4557 is the federal government’s definitive guide for protecting taxpayer data. It translates the FTC Safeguards Rule and Gramm-Leach-Bliley Act into specific, actionable requirements for anyone who prepares, processes, or stores tax returns.

The publication doesn’t merely suggest a Written Information Security Plan — it mandates one. Every tax professional who handles Federal Tax Information (FTI) must document how they protect that data across nine specific areas, from employee training to incident response.

Key takeaway: Publication 4557 applies to all paid tax preparers — not just large firms. Solo practitioners, enrolled agents, bookkeepers, and anyone with a PTIN who handles client tax data must comply.

Who Publication 4557 Applies To

All PTIN holders
Enrolled Agents
CPAs & Tax Attorneys
Bookkeeping & Payroll firms
E-File providers
Anyone handling FTI

The 9 required WISP sections under IRS Pub 4557

1. Designated Security Coordinator

Name one person responsible for your information security program. This individual oversees implementation, monitors compliance, and serves as the point of contact for security incidents. Even solo practitioners must formally designate themselves.

2. Risk Assessment

Identify every place you store, process, or transmit taxpayer data — computers, cloud services, paper files, email. Then evaluate the threats to each: unauthorized access, theft, loss, or accidental disclosure. Document both the risks and how you address them.

3. Safeguards Implementation

Deploy administrative, technical, and physical controls based on your risk assessment. This includes encryption, access controls, firewalls, antivirus, locked offices, and secure disposal procedures. Each safeguard must be documented in your WISP.

4. Employee Management & Training

All employees with access to taxpayer data must receive security awareness training at hire and annually thereafter. Maintain signed acknowledgment forms, training dates, topics covered, and attendance records.

5. Information Systems Management

Document how you manage and monitor the technology that stores client data. This covers system inventories, software updates, patch management, access logging, and network monitoring.

6. Detecting & Managing System Failures

Establish procedures to detect unauthorized access or security breaches in your systems. Define how you monitor for intrusions, what triggers an alert, and the steps to contain and investigate a potential compromise.

7. Data Disposal & Retention

Define how long you retain taxpayer records and how you destroy them securely when no longer needed. Paper records require cross-cut shredding. Electronic data must be wiped beyond recovery — not just deleted.

8. Incident Response Plan

A written, step-by-step plan for what happens when a breach occurs. Includes notification procedures (IRS, FTC, state AGs, affected clients), containment steps, evidence preservation, and recovery timelines. This is not optional — it’s the section auditors check first.

9. Annual Review & Update

Your WISP is a living document. The IRS requires annual review and updates whenever your technology, staff, or business operations change. Document each review with dates, changes made, and the person who conducted it.

PTIN Renewal: Why Your WISP Is Now Mandatory

Starting in 2024, the IRS added a direct WISP certification question to the PTIN renewal process. Form W-12, Line 11 now asks whether you maintain a Written Information Security Plan — and your answer is made under penalty of perjury.

What Happens If You Certify Without a WISP

Perjury exposure — false certification on a federal form
PTIN revocation — cannot legally prepare returns
FTC fines — $50,000+ per Safeguards Rule violation
State AG enforcement — additional penalties in CA, MA, NY, TX

The IRS has signaled that WISP audits will increase through 2026. Having a compliant, documented plan isn’t just about checking a box — it’s the foundation of your practice’s legal standing. If a client’s data is breached and you can’t produce a WISP, the consequences are severe.

The Three Pillars of WISP Compliance

Administrative Safeguards

Policies and procedures that govern how your practice handles taxpayer data day-to-day.

Security coordinator designation
Employee training programs
Vendor oversight requirements
Background checks for staff

Technical Safeguards

Technology controls that protect data in your systems, networks, and devices.

Encryption (at rest and in transit)
Multi-factor authentication
Firewall and antivirus
Access controls and logging

Physical Safeguards

Physical security measures for your office, equipment, and paper records.

Locked offices and file cabinets
Visitor access policies
Cross-cut shredding procedures
Device disposal protocols

What happens without a compliant WISP

IRS Penalties & PTIN Loss

False certification on Form W-12 exposes you to perjury charges. The IRS can revoke your PTIN, ending your ability to prepare returns for compensation. Reinstatement is not guaranteed.

FTC Safeguards Rule Fines

The FTC treats tax preparers as financial institutions under GLBA. Violations of the Safeguards Rule carry fines starting at $50,000 per violation — and each missing WISP section counts separately.

State Attorney General Actions

States like California, Massachusetts, New York, and Texas have their own data protection laws with independent penalties. A single breach can trigger enforcement actions in every state where affected clients reside.

Client Lawsuits & Reputation Damage

Clients whose data is compromised can pursue civil action. Without a documented WISP, you have no defense to show reasonable security measures were in place. The reputational damage often exceeds the legal costs.

Need a professionally written WISP?

If you don’t have the time to build your own, our security team will write a custom WISP tailored to your practice — covering all 9 sections, fully audit-ready, delivered in under a week.


Free IRS-compliant WISP template

The IRS requires every tax preparer to maintain a Written Information Security Plan. Download a free template that covers all 9 sections mandated by Publication 4557 and the FTC Safeguards Rule.

  • Covers IRS Publication 4557, FTC Safeguards Rule & GLBA
  • Includes a free Incident Response Plan
  • Updated for 2026 requirements
  • Used by 4,000+ tax professionals


IRS WISP requirements — frequently asked questions

Does the IRS require every tax preparer to have a WISP?

Yes. Under the FTC Safeguards Rule (which implements the Gramm-Leach-Bliley Act), every tax professional who handles non-public personal information must maintain a Written Information Security Plan. This applies regardless of firm size — solo practitioners with a PTIN are held to the same standard as large firms. The IRS reinforces this through Publication 4557 and now requires certification during PTIN renewal.

What sections must a WISP include?

IRS Publication 4557 requires nine sections: (1) Designated Security Coordinator, (2) Risk Assessment, (3) Safeguards Implementation, (4) Employee Management & Training, (5) Information Systems Management, (6) Detecting & Managing System Failures, (7) Data Disposal & Retention, (8) Incident Response Plan, and (9) Annual Review & Update. Each section must reflect your actual practices — not generic language copied from a template.

Is a free WISP template enough?

A free template gives you the correct structure and all 9 required sections, which is a solid starting point. However, the IRS expects your WISP to describe your specific technology, procedures, and safeguards — not theoretical ones. You’ll need to customize every section to match your actual practice. If you don’t have the time or expertise to do that yourself, a professionally written WISP ensures it’s audit-ready from day one.

What happens during a WISP audit?

If the IRS or FTC audits your security practices, they’ll ask to see your written plan. They verify that the document exists, covers all 9 required sections, reflects your actual operations, includes employee training records and signed acknowledgments, and shows evidence of annual review. The most common audit failures are missing incident response plans, no training documentation, and plans that haven’t been updated since they were first created.

How often must a WISP be reviewed and updated?

At minimum, once per year. The FTC Safeguards Rule requires annual review, and you must also update your WISP whenever there are material changes to your business — new employees, new software, office moves, changes in how you store or transmit client data. Each review should be documented with the date, who conducted it, and what changes were made.

How do GLBA, the FTC Safeguards Rule, and IRS Publication 4557 fit together?

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect customer data. The FTC Safeguards Rule implements GLBA with specific requirements — including the mandate for a Written Information Security Plan. IRS Publication 4557 then translates these federal requirements into practical guidance specifically for tax professionals. Together, they create a clear legal obligation: every tax preparer must have a WISP that meets all 9 required sections.
