A WISP signed once and filed away no longer meets the FTC Safeguards Rule, which requires ongoing monitoring and testing of safeguards. Auditors, insurers, and the IRS now expect to see dated evidence that the plan reflects current reality — not a static PDF from prior years.
In a hurry? Get your free Compliance Score, then come back to this guide.
Take the Free Quiz View Sample WISPIf your firm bought a $29 WISP template a few years ago, filed it in a shared drive, and hasn't opened it since, you are not actually compliant — even if the document itself was technically sound the day you signed it. The shift that most firm owners have missed is that a Written Information Security Plan is no longer treated as a deliverable. It is treated as evidence of an ongoing program. Auditors, regulators, and insurance carriers have all moved in the same direction, and a static PDF stopped being a credible artifact some time ago.
The first reason this matters is the language of the revised FTC Safeguards Rule itself. The 2021 amendments to 16 CFR Part 314, fully enforceable since June 9, 2023, explicitly require the Qualified Individual designated by your firm to provide a written report to your board or senior management at least annually. That report must cover the overall status of the information security program, your firm's compliance with the regulation, and material matters such as risk assessments, testing results, security events, and recommendations for changes. A document drafted in 2022 and never touched cannot satisfy a requirement to produce a yearly written report covering events that occurred in 2024. If the report doesn't exist, the program doesn't exist — at least as far as the FTC is concerned. For the element-by-element requirement breakdown, see the FTC Safeguards Rule checklist.
The second reason is more practical, and it's the one that tends to surprise firm owners: static documents fail at describing the firm as it actually exists today. Your WISP names a Qualified Individual, but that person left two years ago. It lists tax preparation software you switched away from last season. It references a data center your IT provider closed. It assumes you have five staff, but you have eleven. It promises annual phishing simulation training that no one has scheduled. None of these gaps are exotic — they are the ordinary drift of a real business — and an IRS auditor or an FTC investigator only needs a few of them to conclude that your firm's written security plan is a fiction. The remedy is operational, not editorial — the annual WISP review checklist walks through the recurring evidence the rule actually expects.
The third reason is your cyber insurance policy, and this is where firms get hurt financially regardless of what the regulators do. Insurance carriers have spent the last three years rewriting their tax and accounting underwriting questionnaires because their loss ratios on this industry have been brutal. The NetGuard Plus questionnaire, the standard ransomware supplemental, and most renewal questionnaires now ask explicitly about the date of your last WISP review, the name of your current Qualified Individual, your most recent risk assessment, and evidence that controls like MFA and encryption are actually in production. The cyber insurance questionnaire walkthrough covers the specific questions that trip firms up. They are asking because they have learned, through claims, that firms with stale documentation almost always have stale controls — and they are denying claims on that basis. A breach in 2025 with a WISP dated 2022 is the kind of situation where a carrier will look at the policy warranties, find that you represented yourself as maintaining "current" written security policies, and reserve their rights. You don't want to discover that conversation during the worst week of your professional life.
The fourth reason is the most concrete, and it's what makes audits go badly even when firms have done most of the right things. IRS revenue agents and Office of Professional Responsibility investigators have been specifically trained to ask not "do you have a WISP" but "show me your last three annual reviews, your training logs for the current year, your incident response test, and your vendor risk assessments." A bound copy of IRS Pub 5708 is a starting point, not a responsive answer. Firms that produce dated review logs, signed employee acknowledgments, screenshots or exports of control state, and a current Qualified Individual sign-off get through these inquiries quickly. Firms that produce a single dated PDF do not.
The honest summary is that a WISP is not a thing you write; it's a thing you operate. The Rule, the carriers, and the IRS have all converged on the same expectation — that the document describes a living program with continuous evidence behind it. Firms that treat the WISP as a one-time artifact are essentially carrying a paper shield into a fight that the rest of the system has already decided is about behavior, not documents. The fix is not a better template. The fix is moving from a document to a program, with whatever cadence of review, training, testing, and reporting the Rule requires, and producing the artifacts that prove it.
That's what WISPWolf is built to do. It produces the document, but it also keeps it alive — continuous control verification, annual review automation, signed acknowledgments, an incident response binder, and an evidence packet your insurer will accept. If your current WISP is older than your current tax software, replace the static draft with the free WISPWolf Compliance Starter Kit and take the 15-question Compliance Score to see where you actually stand.
Sources & References
Primary regulatory and standards sources used throughout WISPWolf's compliance guidance.
- IRS Publication 5708 — Creating a Written Information Security Plan
- IRS Publication 4557 — Safeguarding Taxpayer Data
- FTC Safeguards Rule (16 CFR Part 314)
- Gramm-Leach-Bliley Act (GLBA) Safeguards
- IRS Tax Security — Protect Your Clients, Protect Yourself
- NIST Cybersecurity Framework
- Microsoft Security Documentation
Get the free WISPWolf Compliance Starter Kit
Download the starter kit and identify your compliance gaps. Includes an IRS WISP starter template (not a completed customized WISP), FTC Safeguards Rule checklist, GLBA checklist, risk assessment worksheet, cyber insurance guide, and tax preparer compliance checklist.
Get Your Free WISP Compliance Score
See how your firm's security practices compare to FTC Safeguards Rule and IRS WISP expectations. Answer 15 questions and get a personalized scorecard in minutes.
IRS Pub 5708 Compliant · FTC Safeguards Rule · AES-256 Encrypted · No Credit Card Required