A WISP template is a pre-structured Written Information Security Plan you customize for your firm. A compliant template includes eleven sections covering risk assessment, administrative, technical, physical, and vendor safeguards, employee training, incident response, and annual review — aligned to IRS Pub 5708, IRS Pub 4557, and the FTC Safeguards Rule.
A WISP template is the fastest way to stand up a Written Information Security Plan, but only if you treat it as a structure to customize, not a finished document to print. This guide explains what a good template includes, why generic Word documents from the internet fail under IRS and FTC review, and how to choose the right starting point for a tax, CPA, enrolled agent, bookkeeping, or small-business practice.
What every WISP template should include
Whether the template comes from the IRS, a vendor, your insurer, or WISPWolf, the bones should look the same. Anything missing one of these eleven sections is incomplete:
- Purpose, scope, and definitions — what the document covers and the data types in scope.
- Roles and responsibilities — the Qualified Individual under 16 CFR § 314.4(a) plus owners of each control.
- Risk assessment — methodology, threat list, current findings. See the risk assessment template.
- Administrative safeguards — policies, training, hiring screening, disciplinary process.
- Technical safeguards — MFA, encryption, EDR, patching, backups, logging.
- Physical safeguards — office access, paper, secure disposal.
- Vendor and service-provider oversight — written diligence, contract clauses, ongoing review.
- Incident response plan — see the incident response template.
- Employee training — at hire and annually, with records.
- Continuous monitoring and testing — penetration test or vulnerability scan cadence.
- Annual review and approval — documented, signed by the Qualified Individual.
For a section-by-section walkthrough with sample language, see the eleven-section WISP template article.
Why generic WISP templates are not enough
Auditors and insurance underwriters can recognize an unedited template within thirty seconds: the placeholder names, the missing vendor list, the generic incident contacts. A template fails for the same reasons a generic résumé fails — it does not describe your firm.
- The FTC Safeguards Rule requires a risk assessment specific to your data and systems.
- IRS Pub 5708 expects the WISP to name your actual tax software, e-Services credentials, and EFIN safeguards.
- GLBA expects vendor oversight tied to your real service providers.
- Cyber insurers ask for evidence — see the cyber insurance application checklist.
The deeper context is in our Written Information Security Plan pillar guide and the explanation of the GLBA Safeguards Rule.
WISP templates by firm type
Sole-proprietor tax preparers
A solo preparer with one laptop and a cloud tax suite needs the same eleven sections, written briefly. The free IRS WISP template is well suited as a starting point.
CPA and EA firms
Multi-employee firms add formal roles, training records, and an annual review process. See the annual WISP review checklist for what to maintain.
Bookkeepers and payroll providers
Non-PTIN roles still inherit GLBA. The bookkeeper and enrolled agent WISP guide covers the differences.
Small businesses outside tax
Any firm meeting the GLBA "financial institution" definition — financial planners, debt counselors, settlement agents — should use the same template adapted to their own data types.
How to customize a WISP template
- Start with a structured template aligned to IRS Publication 5708.
- Run a documented risk assessment.
- Fill in real names — Qualified Individual, vendors, software, locations.
- Add the incident response plan as an appendix or integrated section.
- Schedule the annual review and document it the first time.
- Collect signed acknowledgements from every employee.
WISP examples
The most reliable public WISP example is Appendix B of IRS Pub 5708. WISPWolf publishes a structured 11-section example via the sample WISP page and a downloadable starter in the Compliance Starter Kit.
Educational content, not legal advice. A template must be customized to your firm's actual systems, vendors, and risk profile.
Sources & References
Primary regulatory and standards sources used throughout WISPWolf's compliance guidance.
- IRS Publication 5708 — Creating a Written Information Security Plan
- IRS Publication 4557 — Safeguarding Taxpayer Data
- FTC Safeguards Rule (16 CFR Part 314)
- Gramm-Leach-Bliley Act (GLBA) Safeguards
- IRS Tax Security — Protect Your Clients, Protect Yourself
- NIST Cybersecurity Framework
- Microsoft Security Documentation
Get the free WISPWolf Compliance Starter Kit
Download the starter kit and identify your compliance gaps. Includes an IRS WISP starter template (not a completed customized WISP), FTC Safeguards Rule checklist, GLBA checklist, risk assessment worksheet, cyber insurance guide, and tax preparer compliance checklist.