Skip to main content
All resources
Starter Kit

Free WISPWolf Compliance Starter Kit

Free WISPWolf Compliance Starter Kit — IRS WISP starter template, FTC Safeguards checklist, GLBA checklist, risk worksheet, and cyber insurance guide.

January 202614 min read
Written by Alfonso LovoLinkedInReviewed by WISPWolf Compliance TeamLast Updated: January 2026 · Verified July 18, 2026
Short answer

The WISPWolf Compliance Starter Kit is a free download for tax preparers — it includes an IRS WISP starter template, FTC Safeguards checklist, GLBA checklist, risk assessment worksheet, cyber insurance guide, and tax preparer compliance checklist. The starter template is a starting point, not a completed customized WISP.

In a hurry? Get your free Compliance Score, then come back to this guide.

Take the Free Quiz View Sample WISP

If you prepare tax returns for compensation, federal law requires you to maintain a Written Information Security Plan (WISP). This page gives you a free IRS WISP template you can download today, explains exactly what the IRS expects from a tax preparer WISP, and walks through the mistakes that most generic templates miss. It is written for solo preparers, CPA firms, bookkeepers, Enrolled Agents, and any PTIN holder who needs to bring their data security documentation up to standard before PTIN renewal or a cyber insurance review.

A WISP is not optional, and it is not just paperwork. It is the document the IRS, the FTC, and your cyber insurance carrier will ask for the moment something goes wrong — a phishing incident, a stolen laptop, a rogue contractor, or simply a routine audit. The free template below is aligned with IRS Publication 5708 and the FTC Safeguards Rule (16 CFR Part 314), and it is structured the way examiners actually read a plan. For the wider statutory framing, see the GLBA Safeguards Rule pillar, and for the 2026 lens read WISP requirements 2026.

On this page

What Is a WISP?

A Written Information Security Plan is a formal document that describes how your firm protects sensitive client information — primarily taxpayer data, but also payroll records, bank account details, employee files, and any personally identifiable information you collect in the course of business. It is the single artifact that ties together your administrative policies, technical controls, physical safeguards, and incident response procedures into one place a regulator can read.

The term WISP shows up in three places that matter to a tax preparer: the FTC Safeguards Rule, IRS Publication 4557 ("Safeguarding Taxpayer Data"), and IRS Publication 5708 ("Creating a Written Information Security Plan for Your Tax & Accounting Practice"). Each one uses slightly different language, but they all describe the same document — a written plan that identifies the data you handle, the threats you face, the controls you have in place, and the people responsible for keeping the program running.

A WISP is not a one-time deliverable. The FTC Safeguards Rule and the IRS both treat it as a program that has to be reviewed at least annually, updated whenever your firm changes, and accompanied by ongoing evidence — training records, signed acknowledgements, vendor reviews, and an incident response history. If your only WISP is a PDF you generated two years ago and have not opened since, you do not have a compliant WISP. You have a document.

Why the IRS Requires a Written Information Security Plan

The legal authority comes from the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule, not directly from the Internal Revenue Code. Under the Safeguards Rule, "financial institutions" — a category that explicitly includes paid tax return preparers — must develop, implement, and maintain a comprehensive written information security program. The IRS enforces this requirement on its end by baking it into the PTIN application and renewal process.

Since the 2024 filing season, every preparer renewing a Preparer Tax Identification Number has been asked to attest, under penalty of perjury, that they have a written data security plan in place. There is no fee waiver, no small-firm exemption, and no grace period. A solo Enrolled Agent who prepares twelve returns a year has the same obligation as a 200-person CPA firm.

The IRS also reinforces the requirement through its Security Summit publications, the Taxes-Security-Together Checklist, and the annual "Dirty Dozen" warnings about preparer-targeted scams. The agency's position is consistent: a written plan is the minimum, and preparers who lack one are at heightened risk of client-data breaches, identity theft refund fraud, and the regulatory consequences that follow.

Beyond the legal mandate, there are three practical reasons every preparer needs a WISP:

  • Cyber insurance. Almost every cyber liability application now asks for a copy of your WISP, or asks questions that can only be answered if you have one. Without it, your application is either denied or priced for the worst case.
  • Client trust. Larger clients — especially businesses, high-net-worth individuals, and anyone in a regulated industry — increasingly ask their preparer to confirm a written security program is in place before sharing data.
  • Breach response. If a breach happens, the WISP is the playbook. Firms without one spend the first 48 hours trying to invent procedures while the clock on IRS, state attorney general, and FTC notifications is already running.

IRS Publication 5708 Requirements Explained

IRS Publication 5708 is the plain-language guide the IRS published specifically for tax and accounting firms. It is not a regulation in itself — the underlying law is still the FTC Safeguards Rule — but it translates the regulation into something a small-firm owner can act on, and the included sample template is the most commonly referenced starting point for a preparer WISP.

Publication 5708 organizes the WISP into six required elements. A compliant tax preparer WISP must address every one of them in writing:

  1. Designation of a responsible individual. The Safeguards Rule calls this person the "Qualified Individual." In a small firm this is often the owner, but the role must be named in the WISP and the person must have authority and budget to run the program.
  2. Risk assessment. A written identification of the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information — including how taxpayer data moves into, through, and out of the firm.
  3. Safeguards to control identified risks. Administrative (policies, training, background checks), technical (MFA, encryption, endpoint protection, access controls), and physical (locked file rooms, alarm systems, clean-desk policy) controls mapped to the risks above.
  4. Service provider oversight. Written due-diligence and contractual requirements for every vendor that touches taxpayer information — software vendors, hosting providers, e-file transmitters, bookkeepers, and outsourced IT.
  5. Program evaluation and adjustment. A documented annual review, plus an obligation to update the WISP whenever there is a material change in the business or a security incident occurs.
  6. Incident response plan. A written procedure for detecting, responding to, and recovering from a security incident, including notification of the IRS Stakeholder Liaison and any state agencies that require it.

Publication 5708 also includes a sample WISP template and worksheets. The template is genuinely useful, but on its own it is a starting skeleton — not a finished plan. The sections below explain what most firms need to add or adapt before the document will hold up under scrutiny.

What Must Be Included in a Tax Preparer WISP

Beyond the six Publication 5708 elements, a tax-preparer WISP that will actually pass a Safeguards Rule review or an insurer's questionnaire needs to include the following sections in writing. Each one is included in the free template available below.

  • Scope statement. Define which entities, locations, staff, and systems the WISP covers. Multi-state firms and firms with seasonal preparers should be explicit.
  • Data inventory. A written list of the categories of taxpayer and client data you collect, where each is stored (tax software, document management, email, paper files), and how long it is retained.
  • Access control policy. Who can access what, with role-based permissions, MFA requirements, and a documented onboarding/offboarding checklist for employees and contractors.
  • Authentication and password standards. Minimum password length and complexity, mandatory MFA on email and tax software, prohibition on shared accounts, and password manager requirements.
  • Encryption standards. Encryption at rest for all devices that store taxpayer data (full-disk encryption on laptops, encrypted backups) and encryption in transit for all transmission of taxpayer data (TLS, secure client portals, encrypted email or portal-based delivery).
  • Endpoint and network protection. Endpoint detection, firewall configuration, patch management, prohibition on personal devices accessing client data, and secure Wi-Fi requirements.
  • Employee training and acknowledgements. Annual security awareness training, phishing simulations, signed acknowledgements that staff have read and understood the WISP and the firm's acceptable use policy.
  • Vendor management. A written vendor inventory, a standard due-diligence checklist applied to each vendor, and contract language requiring vendors to safeguard taxpayer data and notify you of breaches.
  • Physical security. Locked file storage, visitor procedures, secure document shredding, and policies for working off-site or from home offices.
  • Incident response procedure. Step-by-step actions for the first 24, 48, and 72 hours of a suspected incident, with contact information for the IRS Stakeholder Liaison, the firm's cyber insurance carrier, legal counsel, and applicable state agencies.
  • Annual review and sign-off. A dated signature block for the Qualified Individual attesting that the WISP has been reviewed in the last 12 months, with a record of changes made.

Common Mistakes Found in WISP Templates

Most WISP templates floating around the internet — including some that come bundled with tax software — are reasonable as starting points but contain predictable gaps. Examiners and insurance underwriters have seen the same template hundreds of times and know exactly where to look for weaknesses.

  • Vague safeguards. The template says "We use strong passwords" but never defines minimum length, expiration, MFA, or which systems are covered. Specifics matter.
  • No data inventory. The Safeguards Rule explicitly requires you to know what information you have and where it lives. Many templates skip this entirely.
  • Generic incident response. "We will respond to incidents promptly" is not an incident response plan. The plan must name a coordinator, list contacts, and define notification timelines.
  • Missing Qualified Individual. The Safeguards Rule requires you to designate one person responsible for the program. Templates often leave this as a blank line that never gets filled in.
  • No vendor list. Service provider oversight is one of the six required Publication 5708 elements. A template without a vendor section forces you to bolt one on later.
  • No annual review record. A WISP without a dated signature within the last 12 months is treated by most insurers as evidence the program is not maintained.
  • Outdated regulatory references. Many older templates predate the 2023 updates to the FTC Safeguards Rule and still reference the prior version. Examiners notice.
  • No employee acknowledgements. The plan exists on paper, but no one in the firm has read it or signed it. From a regulator's perspective, that means it is not in effect.

Why Generic Templates Often Fail During Audits

A free WISP template is a perfectly acceptable place to start, but a generic template — by itself — is not what the FTC Safeguards Rule or the IRS actually requires. Both regulators expect a program that reflects your specific firm: your staff, your software, your data flows, your vendors, and your risks. A template that could belong to any firm in the country is, almost by definition, not yet a program.

The failure modes during an audit, an insurance underwriting review, or a post-breach investigation tend to look the same:

  • The plan describes safeguards the firm does not actually have in place — for example, MFA on tax software when in practice some preparers still log in with a shared password.
  • The plan is dated years ago, with no record of an annual review, no signature, and no change log.
  • The plan names a Qualified Individual who no longer works at the firm.
  • The plan references vendors the firm no longer uses, and omits the cloud services it relies on today.
  • No employee has signed an acknowledgement, no training records exist, and no incident response procedure has ever been tested.

In a Safeguards Rule investigation, the gap between what the plan claims and what the firm can prove is usually the headline finding. The fix is not to write a longer document — it is to maintain a real program around the document. That is the difference between a template and a Living WISP.

Free Compliance Starter Kit

Free WISPWolf Compliance Starter Kit

Download the starter kit and identify your compliance gaps. The free WISPWolf Compliance Starter Kit includes:

  • IRS WISP Starter Template (.docx)
  • FTC Safeguards Rule Checklist (PDF)
  • GLBA Compliance Checklist (PDF)
  • Risk Assessment Worksheet (.xlsx)
  • Cyber Insurance Questionnaire Guide (PDF)
  • Tax Preparer Compliance Checklist (PDF)

Note: The IRS WISP file is a starter template — not a completed customized WISP. Want a customized Written Information Security Program instead? Generate your WISP with WISPWolf.

Provided for educational purposes only. Not legal advice. Customize for your firm before use.

Generate a Customized WISP Instead

Downloading a template is the right first step. Maintaining a written program around it for the next several years is the harder part — and it is where most firms quietly fall behind. WISPWolf was built for tax preparers, CPA firms, and small businesses that want their WISP to be a live compliance program, not a static document that ages out.

With WISPWolf you can:

  • Answer a short, plain-English intake about your firm and receive a tailored WISP mapped to every required IRS Publication 5708 and FTC Safeguards Rule element — generated in minutes.
  • See a compliance readiness score and a prioritized gap list, so you know exactly what to fix before PTIN renewal or your next insurance review.
  • Track employee acknowledgements, vendor reviews, training records, and your annual sign-off in one place, instead of scattered emails and screenshots.
  • Export an audit-ready evidence packet whenever an insurer, regulator, or large client asks for one.

WISPWolf is a pilot-stage compliance management platform built by cybersecurity professionals with real-world compliance and incident response experience. It does not provide legal advice or guarantee regulatory compliance — but it does give a tax preparer a structured way to run the kind of ongoing program the FTC Safeguards Rule actually expects.

Frequently Asked Questions

Do tax preparers need a WISP?

Yes. Every paid tax return preparer who handles taxpayer information is required to maintain a Written Information Security Plan. The requirement comes from the FTC Safeguards Rule, which classifies paid preparers as financial institutions, and it is reinforced annually at PTIN renewal.

Is a WISP required by the IRS?

The legal authority is the FTC Safeguards Rule, but the IRS enforces the requirement at PTIN renewal and references it throughout IRS Publication 5708, Publication 4557, and the Security Summit guidance. From a preparer's perspective, the IRS is the agency that will be asking whether you have one.

Can I use a free WISP template?

Yes. A free template is a legitimate starting point and is exactly what Publication 5708 is designed to provide. The risk is treating the template as the finished product. To satisfy the Safeguards Rule long-term, you have to maintain a program around it — annual reviews, employee training, vendor oversight, evidence, and a documented incident response capability.

How often should a WISP be updated?

At minimum, annually. The Safeguards Rule and Publication 5708 both expect a documented annual review. Beyond that, update the WISP any time there is a material change — new staff, new software, a new office, a security incident, or new regulatory guidance.

What is IRS Publication 5708?

Publication 5708, "Creating a Written Information Security Plan for Your Tax & Accounting Practice," is the IRS's plain-language guide for paid preparers. It outlines the six required WISP elements, explains how the Safeguards Rule applies to a tax practice, and includes a sample template you can adapt for your firm.

Disclaimer: The information on this page and the downloadable templates are provided for educational purposes only and do not constitute legal, tax, or compliance advice. WISPWolf assists with compliance readiness and documentation; it does not guarantee compliance with the FTC Safeguards Rule, IRS Publication 5708, or any other regulation. Tax preparers remain responsible for implementing appropriate safeguards and confirming compliance with qualified legal and compliance advisors.

References

Sources & References

Primary regulatory and standards sources used throughout WISPWolf's compliance guidance.

  1. IRS Publication 5708 — Creating a Written Information Security Plan
  2. IRS Publication 4557 — Safeguarding Taxpayer Data
  3. FTC Safeguards Rule (16 CFR Part 314)
  4. Gramm-Leach-Bliley Act (GLBA) Safeguards
  5. IRS Tax Security — Protect Your Clients, Protect Yourself
  6. NIST Cybersecurity Framework
  7. Microsoft Security Documentation
Free Compliance Starter Kit

Get the free WISPWolf Compliance Starter Kit

Download the starter kit and identify your compliance gaps. Includes an IRS WISP starter template (not a completed customized WISP), FTC Safeguards Rule checklist, GLBA checklist, risk assessment worksheet, cyber insurance guide, and tax preparer compliance checklist.

Free WISP Compliance Score

Get Your Free WISP Compliance Score

See how your firm's security practices compare to FTC Safeguards Rule and IRS WISP expectations. Answer 15 questions and get a personalized scorecard in minutes.

IRS Pub 5708 Compliant · FTC Safeguards Rule · AES-256 Encrypted · No Credit Card Required