Skip to main content
All resources
Compliance

Tax Preparer Security Plan Guide: Building a Compliant WISP

A complete tax preparer security plan guide — how to scope, write, implement, and maintain a Written Information Security Plan that satisfies IRS Publication 5708 and the FTC Safeguards Rule.

May 31, 202610 min read
Written by Alfonso LovoLinkedInReviewed by WISPWolf Compliance TeamLast Updated: May 31, 2026 · Verified July 18, 2026
Short answer

A tax preparer security plan — your WISP — is the written document that describes how your firm protects client data, who is responsible, and how you review it each year. To satisfy IRS Publication 5708 and the FTC Safeguards Rule, it must cover six areas: a designated coordinator, risk assessment, administrative, technical, and physical safeguards, and incident response with an annual review.

In a hurry? Get your free Compliance Score, then come back to this guide.

Take the Free Quiz View Sample WISP

What a "tax preparer security plan" actually is

A tax preparer security plan is the practical, working version of a Written Information Security Plan (WISP). The IRS, FTC, and cyber insurance carriers all use slightly different language — "WISP", "information security program", "data security plan" — but they're describing the same thing: a written, maintained document plus the evidence that the controls described in it are actually in place.

Step 1 — Scope your environment

Before you write anything, list everything that touches taxpayer data:

  • People (you, employees, contractors, seasonal preparers)
  • Devices (workstations, laptops, phones, tablets, printers, scanners)
  • Software (tax prep, accounting, email, document portal, cloud storage)
  • Locations (office, home offices, off-site backup)
  • Vendors (tax software vendor, e-file transmitter, IT provider, payroll service)

Step 2 — Designate a Qualified Individual

Under the FTC Safeguards Rule and IRS Pub 5708 you must name a Data Security Coordinator (the IRS term) / Qualified Individual (the FTC term). In a solo practice it's you. In a multi-person firm it's typically the owner, managing partner, or IT-savviest staff member. The Qualified Individual must have the authority to enforce the plan.

Step 3 — Conduct a written risk assessment

Document, in writing, the threats most likely to compromise taxpayer data: phishing, credential theft, lost devices, ransomware, vendor compromise, malicious insiders. For each threat, document existing safeguards and remaining risk.

Step 4 — Implement administrative safeguards

  • Written acceptable use, password, and confidentiality policies
  • Background checks for employees with data access
  • Annual phishing-resistant security awareness training
  • Documented offboarding (revoke access on day one)
  • Vendor due diligence and written contracts

Step 5 — Implement technical safeguards

  • MFA on every system that touches taxpayer data
  • Encryption at rest (BitLocker/FileVault) and in transit (TLS)
  • Endpoint protection (EDR or a reputable antivirus)
  • Patch management with a documented monthly cadence
  • Separate admin and user accounts
  • Regular, tested backups stored separately from production data

Step 6 — Implement physical safeguards

  • Locked office and locked file cabinets for paper
  • Clean desk policy
  • Shred bin (or cross-cut shredder) for sensitive paper
  • Secure device disposal — wipe drives before disposal/donation
  • Locked screens after 10 minutes of inactivity

Step 7 — Write your incident response plan

Three sections at minimum: (1) who decides it's an incident, (2) who gets called (IT, attorney, insurance, IRS Stakeholder Liaison), (3) what gets done in the first 24 / 72 hours. The FTC Safeguards Rule now requires 30-day notification for incidents affecting 500+ consumers.

Step 8 — Sign and date the annual review

Without a dated annual review attestation, your WISP doesn't satisfy the IRS PTIN attestation. Calendar it. Annually. Forever.

Step 9 — Keep evidence

Auditors and insurers don't trust your policy document — they trust the evidence behind it. Screenshots of MFA enforcement, signed training acknowledgements, backup logs, vendor SOC 2 reports. A living WISP is one where the evidence stays current alongside the document.

The shortest path

  1. Take the free compliance quiz — find out where you currently stand.
  2. Read the IRS Publication 5708 guide.
  3. Use the free IRS WISP template as your starting structure.
  4. Check yourself against the FTC Safeguards Rule checklist.
  5. Don't forget the cyber insurance questionnaire — it doubles as a great audit prep checklist.

Going from plan to platform

Once you've drafted the plan, the hard part is keeping it alive — annual review, evidence collection, vendor changes, new staff, new software. WISPWolf is purpose-built WISP compliance software for tax preparers and small firms that handles exactly that.

References

Sources & References

Primary regulatory and standards sources used throughout WISPWolf's compliance guidance.

  1. IRS Publication 5708 — Creating a Written Information Security Plan
  2. IRS Publication 4557 — Safeguarding Taxpayer Data
  3. FTC Safeguards Rule (16 CFR Part 314)
  4. Gramm-Leach-Bliley Act (GLBA) Safeguards
  5. IRS Tax Security — Protect Your Clients, Protect Yourself
  6. NIST Cybersecurity Framework
  7. Microsoft Security Documentation
Free Compliance Starter Kit

Get the free WISPWolf Compliance Starter Kit

Download the starter kit and identify your compliance gaps. Includes an IRS WISP starter template (not a completed customized WISP), FTC Safeguards Rule checklist, GLBA checklist, risk assessment worksheet, cyber insurance guide, and tax preparer compliance checklist.

Free WISP Compliance Score

Get Your Free WISP Compliance Score

See how your firm's security practices compare to FTC Safeguards Rule and IRS WISP expectations. Answer 15 questions and get a personalized scorecard in minutes.

IRS Pub 5708 Compliant · FTC Safeguards Rule · AES-256 Encrypted · No Credit Card Required