What is IRS Publication 5708?
IRS Publication 5708 — formally titled "Creating a Written Information Security Plan for your Tax & Accounting Practice" — is the IRS's official template and walkthrough for tax preparers building a WISP. It explains who is required to have one, what sections must be included, and how to keep it current. It is the closest thing to an "official IRS WISP template" and is the document most IRS field agents reference during a data security inquiry.
Who is required to follow it?
- Every paid tax return preparer with a PTIN
- CPA firms and accounting practices that handle taxpayer data
- Enrolled Agents and bookkeepers who file or prepare returns
- Solo preparers — there is no firm-size exemption
Since 2024, the PTIN renewal form has included an attestation that you maintain a WISP. Lying on that attestation is a federal offense, and the FTC Safeguards Rule provides independent enforcement authority.
The seven sections IRS Pub 5708 expects
- Designated Data Security Coordinator — a named person responsible for the plan.
- Risk Assessment — what data you hold, how it flows, what could go wrong.
- Administrative Safeguards — policies, employee training, background checks, access reviews.
- Technical Safeguards — MFA, encryption, endpoint protection, patch management.
- Physical Safeguards — locked offices, shred bins, clean desk, device disposal.
- Vendor & Service Provider Management — written agreements, due diligence, monitoring.
- Incident Response & Annual Review — what you'll do when something happens, and a signed annual attestation.
How Pub 5708 connects to the FTC Safeguards Rule
The IRS WISP requirement does not exist in isolation — it sits on top of the FTC Safeguards Rule. The FTC classifies tax preparers as "financial institutions" under the Gramm-Leach-Bliley Act, which means you must implement the GLBA Safeguards Rule's nine elements. IRS Pub 5708 is the practical, tax-industry-specific version of those nine elements.
If you've satisfied Pub 5708, you've largely satisfied the Safeguards Rule. If you've only satisfied a generic GLBA template, you may still fail an IRS review because Pub 5708 is more prescriptive about tax-preparer workflows.
Common mistakes when applying Pub 5708
- Filling in the template once and never touching it again. The annual review attestation is not optional.
- Naming a Coordinator who has no authority. The Coordinator must be able to enforce the policy.
- Skipping vendor management. Your tax software, e-file transmitter, document-portal vendor, and cloud storage provider all count.
- Storing the WISP as a Word doc with no evidence. A WISP is the plan plus the evidence that the plan is being followed.
From the IRS template to a living WISP
The IRS template is a starting point — not an end state. WISP software like WISPWolf takes the Pub 5708 structure, fills it with your firm's actual controls, tracks the evidence behind every safeguard, and produces a signed annual attestation. That's the difference between a static document and a living WISP.