Skip to main content
All resources
Fundamentals

What Is a Written Information Security Plan and Why You Need One

A plain-English primer on the Written Information Security Plan (WISP): what it is, what it must contain, who is required to have one, and why it matters for tax and accounting firms in 2026.

May 20266 min read
Written by Alfonso LovoLinkedInReviewed by WISPWolf Compliance TeamLast Updated: May 2026 · Verified July 10, 2026
Short answer

A Written Information Security Plan (WISP) is the document that describes how your firm protects client data, who's responsible for the program, and how you review it over time. The IRS and the FTC both require every paid tax preparer to have a current WISP — there is no small-firm exemption.

In a hurry? Get your free Compliance Score, then come back to this guide.

Take the Free Quiz View Sample WISP

A Written Information Security Plan (WISP) is the foundational document that describes how your firm protects taxpayer and client data. If you prepare federal returns for compensation, the IRS and the Federal Trade Commission both require you to have one — in writing, kept current, and actually followed. This guide explains what a WISP is, what it must contain, who is required to have one, and why a generic template you downloaded two years ago will not pass a modern audit or insurance review.

The Short Definition

A WISP is a written document that identifies the personal and financial information your firm collects, the administrative, technical, and physical safeguards you have in place to protect it, the person responsible for the program, and the process you use to review and update those safeguards over time. It is the security program your firm actually runs, written down in a form that a regulator, insurer, or client can read.

Who Is Required to Have a WISP

In the tax and accounting world, the WISP requirement applies broadly:

  • Every paid preparer with a PTIN — solo preparers, Enrolled Agents, CPAs, attorneys, and firms of all sizes. The specifics are in the IRS WISP requirement for PTIN holders.
  • Every firm covered by the FTC Safeguards Rule (16 CFR Part 314) — see the GLBA Safeguards Rule pillar for the statutory framing.
  • Anyone applying for or renewing a PTIN — the IRS now affirmatively asks whether you have a data security plan in place.

There is no small-firm exemption. A solo preparer working from a home office has the same WISP obligation as a 200-person CPA firm.

What a Compliant WISP Must Contain

A WISP that satisfies both the FTC Safeguards Rule and IRS Publication 5708 must address six areas (the element-by-element walkthrough is in the FTC Safeguards Rule checklist and the 2026 WISP requirements brief):

  1. Designated Qualified Individual. One named person responsible for overseeing the program.
  2. Risk assessment. A written analysis of where client data lives, who can access it, and what could go wrong.
  3. Administrative safeguards. Policies, employee training, background checks, and acceptable-use rules.
  4. Technical safeguards. Multi-factor authentication, encryption at rest and in transit, access controls, logging, and patching.
  5. Physical safeguards. Locked file cabinets, secure disposal, visitor controls, and clean-desk practices.
  6. Incident response and annual review. A written plan for what happens if data is breached, plus documented annual review and update.

Why a WISP Matters Beyond Compliance

A WISP is not just a regulatory checkbox. Three other audiences will ask to see it:

  • Cyber insurance carriers. Almost every renewal application now requires you to attest to a WISP — see the cyber insurance questionnaire walkthrough. Carriers like Travelers, CNA, and Coalition increasingly ask for the actual document.
  • Larger clients. Corporate clients performing vendor due diligence will request your WISP as part of their own security review.
  • Plaintiffs' attorneys after a breach. If client data is exposed, the first document subpoenaed is your WISP and the evidence that you actually followed it.

Why Static WISP Templates Fail

The most common mistake firms make is downloading a generic WISP template, signing the cover page, and filing it. That document is obsolete the moment it is saved — read why a one-time WISP document is no longer enough for the regulator and insurer view. The FTC Safeguards Rule explicitly requires you to monitor and test your safeguards on a recurring basis and to update the plan whenever your business changes. A static PDF cannot do that. When an auditor or insurer asks "show me the evidence that your MFA policy was enforced last quarter," a PDF cannot answer. The remedy is a recurring program — see the annual WISP review checklist.

What a Living WISP Looks Like Instead

A modern WISP is a continuously-monitored program. It pulls live evidence from your Microsoft 365 or Google Workspace tenant — MFA enforcement, conditional access policies, encryption status, audit log retention — and ties each control back to the specific FTC and IRS requirement it satisfies. When something drifts, it flags the gap before an auditor does. The written document becomes a faithful description of what is actually happening, not an aspirational artifact.

That is what WISPWolf is built to do: turn the WISP from a one-time document into an always-current compliance program for tax and accounting firms. Start from the free WISPWolf Compliance Starter Kit, then take the 15-question Compliance Score to see where your firm actually stands today.

Generate Your IRS-Compliant WISP →

References

Sources & References

Primary regulatory and standards sources used throughout WISPWolf's compliance guidance.

  1. IRS Publication 5708 — Creating a Written Information Security Plan
  2. IRS Publication 4557 — Safeguarding Taxpayer Data
  3. FTC Safeguards Rule (16 CFR Part 314)
  4. Gramm-Leach-Bliley Act (GLBA) Safeguards
  5. IRS Tax Security — Protect Your Clients, Protect Yourself
  6. NIST Cybersecurity Framework
  7. Microsoft Security Documentation
Free Compliance Starter Kit

Get the free WISPWolf Compliance Starter Kit

Download the starter kit and identify your compliance gaps. Includes an IRS WISP starter template (not a completed customized WISP), FTC Safeguards Rule checklist, GLBA checklist, risk assessment worksheet, cyber insurance guide, and tax preparer compliance checklist.

Free WISP Compliance Score

Get Your Free WISP Compliance Score

See how your firm's security practices compare to FTC Safeguards Rule and IRS WISP expectations. Answer 15 questions and get a personalized scorecard in minutes.

IRS Pub 5708 Compliant · FTC Safeguards Rule · AES-256 Encrypted · No Credit Card Required