Microsoft 365 already produces most of the technical evidence your WISP needs — MFA status, conditional access, encryption, audit logs, and external sharing posture. Reading that data through the Microsoft Graph API turns your tenant into live, continuously-verified WISP evidence.
In a hurry? Get your free Compliance Score, then come back to this guide.
Take the Free Quiz View Sample WISPThe FTC Safeguards Rule does not just require you to write down a security plan — it requires you to monitor and test the safeguards in it. The element-by-element requirement list is in the FTC Safeguards Rule checklist, and the IRS counterpart is Publication 5708. For most tax and accounting firms, the single biggest leverage point for that monitoring is the Microsoft 365 tenant you are already paying for. Nearly every control your WISP needs to demonstrate — multi-factor authentication, conditional access, mailbox encryption, audit logging, secure file sharing — is already running inside M365. The question is whether you can prove it on demand.
Why Microsoft 365 Is the Right Place to Anchor a WISP
Roughly 70 percent of small and mid-size accounting firms run their email, document storage, and identity inside Microsoft 365 (Exchange Online, SharePoint, OneDrive, and Entra ID). That tenant is the system of record for the most sensitive client data a firm holds: 1040s, K-1s, engagement letters, PTIN correspondence, and IRS notices. If the WISP describes safeguards but does not connect to where the data actually lives, it is theater.
The Five M365 Signals That Map Directly to Your WISP
These are the controls that an auditor, insurer, or IRS reviewer will look for evidence of. Each maps to a specific FTC Safeguards Rule and IRS Pub 5708 requirement.
1. Multi-Factor Authentication Enforcement
Required by 16 CFR § 314.4(c)(5). Microsoft 365 reports on every user account and whether MFA is enforced via Security Defaults or a Conditional Access policy. Live evidence answers the question "is MFA actually on for every preparer, including the partner who keeps asking to be exempted?"
2. Conditional Access and Risk-Based Sign-In
Required as part of access controls. Conditional Access policies that block legacy authentication, require compliant devices, and flag impossible-travel sign-ins satisfy the "access controls" and "monitoring" requirements of the Rule. The policy JSON itself is the evidence.
3. Encryption at Rest and in Transit
Required by 16 CFR § 314.4(c)(3). Exchange Online, OneDrive, and SharePoint encrypt data with AES-256 at rest and TLS 1.2+ in transit by default. A WISP needs to reference that fact and link to Microsoft's compliance documentation as the underlying attestation.
4. Unified Audit Log Retention
Required by 16 CFR § 314.4(d). The Unified Audit Log records every mailbox access, file download, sharing event, and admin action. Most firms have it enabled but never check retention. Pulling the audit log status into your WISP demonstrates that you can reconstruct events after a suspected incident.
5. External Sharing and DLP
Required as part of "secure development and disposal" and access controls. SharePoint and OneDrive external sharing settings, plus Data Loss Prevention policies, control whether a preparer can accidentally email a 1040 to the wrong client. Reporting on those settings closes one of the most common breach vectors.
Manual Evidence Collection Does Not Scale
A diligent firm administrator can log into the Microsoft 365 admin center every quarter, screenshot each policy, paste it into a Word document, and call that evidence. In practice no one sustains this for more than two cycles. By month nine, the screenshots are stale, a new user was added without MFA, a Conditional Access policy was disabled to fix a printing issue, and the WISP no longer reflects reality. The Rule's monitoring requirement is failed even though the document still exists — the same drift problem covered in why a one-time WISP document is no longer enough, and the reason firms now adopt the annual WISP review checklist as a recurring program rather than a yearly memo.
What Continuous Integration Looks Like
A WISP platform that connects to your M365 tenant via a read-only Graph API consent does three things automatically:
- Pulls the current state of MFA, Conditional Access, audit log, and sharing settings on a recurring schedule.
- Maps each signal to the specific FTC Safeguards Rule subsection and IRS Pub 5708 control it satisfies.
- Flags drift — for example, a newly added user without MFA — and surfaces it as a remediation item before an audit, insurer, or breach finds it.
The result is a WISP whose evidence section is never more than a few hours out of date, and a compliance score that reflects the firm's actual security posture rather than its intentions.
What Permissions Are Required
A read-only integration uses delegated or application permissions like Policy.Read.All, AuditLog.Read.All, and Directory.Read.All. No mailbox content, no file content, and no passwords are accessed. The connection can be revoked from the Microsoft 365 admin center at any time. Tax document content never leaves your tenant.
What This Means in Practice
A firm that connects its tenant to a live WISP platform stops writing security policies as fiction. The document and the reality match because the document is generated from the reality. When an insurer asks for proof of MFA, the answer is a timestamped export. When a client asks for the WISP as part of vendor due diligence, the answer is a current PDF. When the partner asks "are we actually compliant," the answer is a number that updates every day.
That is the difference between a WISP that exists and a WISP that works. Pair the live evidence with a defensible structural baseline — the free WISPWolf Compliance Starter Kit — and benchmark your current posture with the 15-question Compliance Score.
Sources & References
Primary regulatory and standards sources used throughout WISPWolf's compliance guidance.
- IRS Publication 5708 — Creating a Written Information Security Plan
- IRS Publication 4557 — Safeguarding Taxpayer Data
- FTC Safeguards Rule (16 CFR Part 314)
- Gramm-Leach-Bliley Act (GLBA) Safeguards
- IRS Tax Security — Protect Your Clients, Protect Yourself
- NIST Cybersecurity Framework
- Microsoft Security Documentation
Get the free WISPWolf Compliance Starter Kit
Download the starter kit and identify your compliance gaps. Includes an IRS WISP starter template (not a completed customized WISP), FTC Safeguards Rule checklist, GLBA checklist, risk assessment worksheet, cyber insurance guide, and tax preparer compliance checklist.
Get Your Free WISP Compliance Score
See how your firm's security practices compare to FTC Safeguards Rule and IRS WISP expectations. Answer 15 questions and get a personalized scorecard in minutes.
IRS Pub 5708 Compliant · FTC Safeguards Rule · AES-256 Encrypted · No Credit Card Required