Skip to main content
Compliance Pillar

IRS Publication 5708: WISP Guide for Tax Preparers

Everything tax preparers, CPA firms, and PTIN holders need to know about IRS Publication 5708 — what it requires, how it intersects with the FTC Safeguards Rule, and how to build a Written Information Security Plan that holds up under audit.

Short answer

IRS Publication 5708 is the IRS's official walkthrough and template for building a Written Information Security Plan in a tax or accounting practice. It is not a statute, but every PTIN holder is expected to keep a WISP that follows its seven-section structure and aligns with the FTC Safeguards Rule (16 CFR Part 314).

On this page

What is IRS Publication 5708?

IRS Publication 5708 — formally titled "Creating a Written Information Security Plan for your Tax & Accounting Practice" — is the IRS's official template and walkthrough for tax preparers building a WISP. It explains who is required to have one, what sections must be included, and how to keep it current. It is the closest thing to an "official IRS WISP template" and is the document most IRS field agents reference during a data security inquiry. For the section-by-section drafting walkthrough, pair this guide with the tax preparer security plan guide.

Who is required to follow it?

Since 2024, the PTIN renewal form has included an attestation that you maintain a WISP. Lying on that attestation is a federal offense, and the FTC Safeguards Rule provides independent enforcement authority.

The seven sections IRS Pub 5708 expects

  1. Designated Data Security Coordinator — a named person responsible for the plan.
  2. Risk Assessment — what data you hold, how it flows, what could go wrong.
  3. Administrative Safeguards — policies, employee training, background checks, access reviews.
  4. Technical Safeguards — MFA, encryption, endpoint protection, patch management.
  5. Physical Safeguards — locked offices, shred bins, clean desk, device disposal.
  6. Vendor & Service Provider Management — written agreements, due diligence, monitoring.
  7. Incident Response & Annual Review — what you'll do when something happens, and a signed annual attestation.

For a defensible structural baseline, start from the free IRS WISP template and the WISPWolf Compliance Starter Kit, then customize every field for your firm.

How Pub 5708 connects to FTC Safeguards & GLBA

The IRS WISP requirement does not exist in isolation — it sits on top of the FTC Safeguards Rule. The FTC classifies tax preparers as "financial institutions" under the Gramm-Leach-Bliley Act, which means you must implement the GLBA Safeguards Rule's nine elements. IRS Pub 5708 is the practical, tax-industry-specific version of those nine elements. For the broader 2026 lens, read the WISP requirements 2026 brief.

If you've satisfied Pub 5708, you've largely satisfied the Safeguards Rule. If you've only satisfied a generic GLBA template, you may still fail an IRS review because Pub 5708 is more prescriptive about tax-preparer workflows.

Common mistakes when applying Pub 5708

  • Filling in the template once and never touching it again. The annual review attestation is not optional — see the annual WISP review checklist.
  • Naming a Coordinator who has no authority. The Coordinator must be able to enforce the policy.
  • Skipping vendor management. Your tax software, e-file transmitter, document-portal vendor, and cloud storage provider all count.
  • Storing the WISP as a Word doc with no evidence. A WISP is the plan plus the evidence that the plan is being followed — and your cyber insurance questionnaire will ask for both.

From the IRS template to a living WISP

The IRS template is a starting point — not an end state. WISP software like WISPWolf takes the Pub 5708 structure, fills it with your firm's actual controls, tracks the evidence behind every safeguard, and produces a signed annual attestation. That's the difference between a static document and a living WISP.

Related guides

Frequently asked questions

Is IRS Publication 5708 mandatory?

Publication 5708 itself is IRS guidance, not a statute. The underlying requirement — that paid tax preparers maintain a Written Information Security Plan — is enforced through the FTC Safeguards Rule (16 CFR Part 314) and the IRS PTIN renewal attestation. In practice, every PTIN holder is expected to have a WISP that follows the structure in Pub 5708.

What sections must a WISP based on Pub 5708 include?

A designated Data Security Coordinator, a written risk assessment, administrative, technical, and physical safeguards, an employee training program, a vendor management policy, an incident response plan, and an annual review attestation.

How is Pub 5708 different from Pub 4557?

Publication 4557 is the older 'Safeguarding Taxpayer Data' guide. Publication 5708 is the more recent, tax-preparer-specific WISP template and explanation. Both are still referenced by the IRS — your WISP should align with the controls in Pub 4557 and the WISP structure in Pub 5708.

Who enforces it?

The IRS uses the PTIN renewal attestation. The FTC enforces the Safeguards Rule. State attorneys general can act on data breaches involving taxpayer PII. Cyber insurers will also ask for your WISP at renewal.

Does Pub 5708 apply to solo tax preparers?

Yes. There is no firm-size exemption. A solo Enrolled Agent or CPA working from a home office is held to the same WISP standard as a multi-partner firm. The PTIN renewal attestation does not distinguish by firm size.

How often does a Pub 5708 WISP need to be reviewed?

At least annually, and any time there is a material change in the firm — new staff, new software, new office, or a security incident. The annual review attestation is one of the first artifacts an IRS Stakeholder Liaison or cyber insurance underwriter will request.

What's the fastest way to start a Pub 5708-aligned WISP?

Begin with the IRS WISP starter template inside the free WISPWolf Compliance Starter Kit, then walk each section through the FTC Safeguards Rule checklist to confirm coverage. The 15-question WISPWolf compliance quiz produces a personalized gap list mapped directly to Pub 5708.

Find your gaps in 5 minutes

Where do you stand against Pub 5708?

Take the free 15-question compliance quiz and get a personalized scorecard mapped to IRS Pub 5708 and the FTC Safeguards Rule.

No credit card required.