An annual WISP review is the documented, once-a-year check that your Written Information Security Plan still matches how your firm actually operates. The FTC Safeguards Rule and IRS Publication 5708 both require it, and insurers and auditors will ask to see the dated review record.
In a hurry? Get your free Compliance Score, then come back to this guide.
Take the Free Quiz View Sample WISPA Written Information Security Plan is not a one-time document. The FTC Safeguards Rule (16 CFR § 314.4(i)) and IRS Publication 5708 both require firms to review and update the WISP at least annually, and whenever a material change to the business occurs. For CPA firms, the right time to do this is after the close of busy season — while the year's lessons are fresh and before next year's PTIN renewals begin. Use this checklist as the agenda for that review. If you need a primer first, start with what a WISP actually is and the 2026 WISP requirements brief.
Before the Review Meeting
- Pull the current WISP document and the prior year's review notes.
- Export the past 12 months of incidents, suspicious-login alerts, and helpdesk security tickets.
- Pull a current user list from Microsoft 365, your tax software, and any portals (SmartVault, Canopy, Drake, Lacerte, etc.).
- Pull the current Conditional Access and MFA enforcement report from Entra ID.
- Pull a current vendor list with every third party that touches client data.
1. Governance and the Qualified Individual
- Is the named Qualified Individual still in the role? If they left the firm, designate a successor in writing.
- Has the partner or owner reviewed the prior year's WISP and signed off?
- Are training records on file for every employee who joined in the past 12 months?
2. Risk Assessment Refresh
- List any new categories of client data the firm started handling (e.g. new entity types, advisory engagements, foreign filings).
- List any new systems added (new tax software, portal, AI tool, e-signature platform).
- List any new offices, remote workers, or contractors.
- For each item above, update the WISP's risk register with the threat and the safeguard.
3. User Access Review
- Disable every account belonging to a former employee, seasonal preparer, or terminated contractor.
- Confirm every active user has MFA enforced. No exceptions for partners.
- Confirm administrative roles are limited and that no one is using a privileged account for daily email.
- Review external sharing in SharePoint and OneDrive. Remove anonymous links older than 90 days.
4. Technical Safeguards Verification
- Encryption at rest and in transit: confirmed for email, document storage, and backups. Cross-check against the FTC Safeguards Rule checklist.
- Endpoint protection: every workstation and laptop reports a healthy status.
- Patching: operating systems and tax software are current; document the patch cadence.
- Backups: at least one restore was tested in the past 12 months. Document the test.
- Audit logging: Unified Audit Log enabled with retention that matches your record-keeping policy.
5. Vendor and Third-Party Review
- For every vendor that touches client data, confirm a written agreement is on file with security and breach-notification terms.
- Request a current SOC 2 report or equivalent attestation from each major vendor (tax software, portal, cloud backup).
- Remove vendors no longer in use and revoke their access.
6. Incident Response Plan
- Walk through the written incident response plan with the team. Update phone numbers and escalation paths.
- Confirm the IRS Stakeholder Liaison contact and your state's notification thresholds are current.
- Confirm the cyber insurance carrier and policy number listed in the plan match the current policy — pre-fill renewal answers with the cyber insurance questionnaire walkthrough.
- Run at least one tabletop exercise — even a 30-minute discussion of a phishing-to-wire-fraud scenario counts.
7. Training and Awareness
- Every employee completed annual security awareness training. Records on file.
- New hires received WISP-specific training within their first 30 days.
- Phishing simulation results from the past year are summarized; repeat-clickers received follow-up training.
8. Physical Safeguards
- Office locks, alarm codes, and after-hours access lists are current.
- Clean-desk policy was reinforced after busy season.
- Paper records due for destruction were shredded with a documented certificate.
9. Document the Review
The single most important step is creating a dated record that the review happened. Save a memo signed by the Qualified Individual that lists the date of the review, who participated, what changed, and what the open remediation items are. That memo is the artifact an auditor, insurer, or plaintiff's attorney will ask for first.
How a Living WISP Shortens This Process
A continuously-monitored WISP platform makes most of the above happen automatically: user access, MFA enforcement, audit log status, and Conditional Access posture are pulled live from your Microsoft 365 tenant, and drift is flagged as it happens rather than discovered once a year. See why a one-time WISP document is no longer enough for the regulator's view, and use the free Compliance Starter Kit as the structural baseline. The annual review then becomes a 30-minute sign-off rather than a multi-day project — and the documentation produces itself.
Sources & References
Primary regulatory and standards sources used throughout WISPWolf's compliance guidance.
- IRS Publication 5708 — Creating a Written Information Security Plan
- IRS Publication 4557 — Safeguarding Taxpayer Data
- FTC Safeguards Rule (16 CFR Part 314)
- Gramm-Leach-Bliley Act (GLBA) Safeguards
- IRS Tax Security — Protect Your Clients, Protect Yourself
- NIST Cybersecurity Framework
- Microsoft Security Documentation
Get the free WISPWolf Compliance Starter Kit
Download the starter kit and identify your compliance gaps. Includes an IRS WISP starter template (not a completed customized WISP), FTC Safeguards Rule checklist, GLBA checklist, risk assessment worksheet, cyber insurance guide, and tax preparer compliance checklist.
Get Your Free WISP Compliance Score
See how your firm's security practices compare to FTC Safeguards Rule and IRS WISP expectations. Answer 15 questions and get a personalized scorecard in minutes.
IRS Pub 5708 Compliant · FTC Safeguards Rule · AES-256 Encrypted · No Credit Card Required