What is a Written Information Security Plan (WISP)?

A WISP is a written document describing the administrative, technical, and physical safeguards your firm uses to protect client and taxpayer information. It identifies a security coordinator, documents risk assessments, describes employee training, and explains how you respond to incidents.

Who is required to have a WISP?

Any 'financial institution' under GLBA — including tax preparers, CPA firms, enrolled agents, bookkeepers, payroll providers, and many small-business advisors — must maintain a WISP under the FTC Safeguards Rule. PTIN holders attest to having one each year at renewal.

Is a WISP the same as a security policy?

No. A security policy states a rule (for example, 'all laptops are encrypted'). A WISP is the broader program document that contains policies, the risk assessment, the incident response plan, vendor controls, and the annual review. A policy is a part of a WISP.

How long should a WISP be?

Most small-firm WISPs run 15–40 pages. Length is not the goal — completeness is. A good WISP covers every element of 16 CFR § 314.4 and the IRS Pub 5708 outline, with enough detail that a new hire could follow it.

How often must a WISP be reviewed?

At least annually, and any time there is a material change — new software, a new office, a breach, a new employee role, or new regulation. The annual review should be documented; auditors look for the review report, not just the WISP itself.

Can I use a free WISP template?

Yes, as a starting point. The IRS publishes a sample WISP in Publication 5708 and WISPWolf provides a free starter template. A template must be customized to your firm — generic templates fail audits because they do not reflect your actual systems, vendors, and people.

Is a WISP legally required, or just recommended?

It is legally required for firms covered by the FTC Safeguards Rule, which implements the Gramm-Leach-Bliley Act. Several states (Massachusetts, New York, others) have parallel requirements. The IRS treats absence of a WISP as a violation of Circular 230 due diligence.

What is a Written Information Security Plan (WISP)?

A WISP is a written document describing the administrative, technical, and physical safeguards your firm uses to protect client and taxpayer information. It identifies a security coordinator, documents risk assessments, describes employee training, and explains how you respond to incidents.

Who is required to have a WISP?

Any 'financial institution' under GLBA — including tax preparers, CPA firms, enrolled agents, bookkeepers, payroll providers, and many small-business advisors — must maintain a WISP under the FTC Safeguards Rule. PTIN holders attest to having one each year at renewal.

Is a WISP the same as a security policy?

No. A security policy states a rule (for example, 'all laptops are encrypted'). A WISP is the broader program document that contains policies, the risk assessment, the incident response plan, vendor controls, and the annual review. A policy is a part of a WISP.

How long should a WISP be?

Most small-firm WISPs run 15–40 pages. Length is not the goal — completeness is. A good WISP covers every element of 16 CFR § 314.4 and the IRS Pub 5708 outline, with enough detail that a new hire could follow it.

How often must a WISP be reviewed?

At least annually, and any time there is a material change — new software, a new office, a breach, a new employee role, or new regulation. The annual review should be documented; auditors look for the review report, not just the WISP itself.

Can I use a free WISP template?

Yes, as a starting point. The IRS publishes a sample WISP in Publication 5708 and WISPWolf provides a free starter template. A template must be customized to your firm — generic templates fail audits because they do not reflect your actual systems, vendors, and people.

Is a WISP legally required, or just recommended?

It is legally required for firms covered by the FTC Safeguards Rule, which implements the Gramm-Leach-Bliley Act. Several states (Massachusetts, New York, others) have parallel requirements. The IRS treats absence of a WISP as a violation of Circular 230 due diligence.

Written Information Security Plan (WISP): The Complete Guide

Short answer

A Written Information Security Plan (WISP) is a formal, written document that describes how your firm protects sensitive client information. For tax, accounting, and financial-services firms it is required by the FTC Safeguards Rule (16 CFR Part 314) and is the document the IRS expects you to maintain under Publication 5708 and Publication 4557.

In a hurry? Get your free Compliance Score, then come back to this guide.

Take the Free Quiz View Sample WISP

What a WISP actually is

A Written Information Security Plan — almost always shortened to WISP — is the document that proves your firm has thought through, written down, and operationalized how it protects sensitive client information. It is not a marketing page on your website. It is not a folder of vendor invoices. It is a single, governed document (with supporting appendices) that a regulator, insurer, or new employee can read and understand.

For tax, accounting, and financial-services firms, the WISP is the central artifact that ties together five obligations: the FTC Safeguards Rule, the Gramm-Leach-Bliley Act, IRS Publication 5708, IRS Publication 4557, and — for PTIN holders — the annual attestation on Form W-12.

Who needs a WISP

The short list of firms required to maintain a WISP includes paid tax return preparers, CPA firms, enrolled agents, bookkeepers, payroll companies, financial planners, and any small business that "engages in financial activities" under GLBA. See our WISP guide for bookkeepers and enrolled agents for how non-PTIN roles inherit the same obligations.

Solo practitioners are not exempt. A one-person tax practice with a single laptop still needs a documented WISP — the document scales down, but the obligation does not disappear.

How IRS Pub 5708, Pub 4557, FTC Safeguards, and GLBA fit together

These four documents are layered, not redundant:

GLBA (1999) — the federal statute that defines who is a "financial institution" and triggers safeguarding duties.
FTC Safeguards Rule, 16 CFR Part 314 — the implementing regulation. Lists the nine required elements of an information security program. See our GLBA Safeguards Rule guide and the FTC Safeguards checklist.
IRS Publication 4557 — plain-English IRS guidance for tax preparers on safeguarding taxpayer data. Background reading in our Pub 4557 guide.
IRS Publication 5708 — the WISP template. Fillable structure tailored to tax practices. Walkthrough in our Pub 5708 guide.

A current WISP must satisfy all four. The 2026 WISP requirements page summarizes which elements changed most recently.

WISP vs WISP policy vs security plan vs information security program

The terminology overlaps in confusing ways. Here is how the words actually relate:

WISP / Written Information Security Plan — the umbrella document.
WISP policy — a single rule inside the WISP (acceptable use, password, encryption).
WISP plan — informal synonym for WISP; same thing.
Security plan — generic term; in tax context it usually means the WISP.
Written Information Security Program — the operational, living version of the WISP: the document plus the activities (training, reviews, monitoring) that bring it to life. The FTC Safeguards Rule technically requires a "comprehensive, written information security program," which is why the words are interchangeable in regulatory text.

Our companion written information security program guide covers the program side; this page covers the document side.

Sample WISP structure

The eleven-section structure most aligned with Pub 5708 and 16 CFR § 314.4:

Purpose, scope, and definitions
Roles and responsibilities — including the Qualified Individual
Risk assessment methodology and current findings
Administrative safeguards — policies, training, hiring
Technical safeguards — MFA, encryption, EDR, patching, backups
Physical safeguards — office, paper, devices
Vendor and service-provider oversight
Incident response plan
Employee training program
Continuous monitoring and testing
Annual review and approval

Our full WISP template article walks through each section with sample language, and the WISP template landing page compares free vs paid options.

Common WISP mistakes

Treating the WISP as a one-time PDF. The Safeguards Rule requires the program to evolve — see why a one-time WISP fails.
No documented risk assessment. Use our risk assessment template.
Missing incident response plan. The incident response plan template closes this gap.
No annual review report. See the annual review checklist.
Vendor list without written diligence. Insurers and the FTC both ask for written vendor controls.
Generic template without firm-specific systems. Auditors recognize unedited templates instantly.

Evidence and documentation

A WISP without supporting evidence is just a document. Keep, in a single secure location:

Signed acknowledgement of the WISP by every employee
Training completion records (at hire and annually)
Most recent risk assessment with dates
Vendor list with current SOC 2 / security attestations
Patching, MFA, encryption, and backup status reports
Annual review minutes and approval by the Qualified Individual
For firms over 5,000 customers: annual report to the governing body

For cyber-insurance purposes the same evidence answers the questionnaire — see the cyber insurance application checklist.

Frequently asked questions

Open the FAQ section above each question for the full answer.

Educational content, not legal advice. Confirm your obligations with qualified counsel or your IRS Stakeholder Liaison.

Free Compliance Score

See where your WISP stands today

Take the 15-question quiz to identify gaps against IRS Pub 5708 and the FTC Safeguards Rule — or grab the free starter kit.

Take the Free Quiz Download Free IRS WISP Template

References

Sources & References

Primary regulatory and standards sources used throughout WISPWolf's compliance guidance.

About the author

Alfonso Lovo

Founder, Wolf Tech IT Solutions · Creator of WISPWolf

Alfonso Lovo is a cybersecurity consultant, systems administrator, university professor, and founder of WISPWolf. He has spent nearly two decades helping organizations improve cybersecurity, compliance, and operational resilience. WISPWolf was created to help tax professionals and small businesses meet FTC Safeguards Rule and IRS Written Information Security Plan (WISP) requirements.

▸Read full bio & credentials

20+ years of IT and business technology experience
Former Systems Administrator, Florida International University
University Business Professor
Cybersecurity & compliance consultant
FTC Safeguards Rule & IRS Pub 5708 specialist
Small business technology advisor

Alfonso founded Wolf Tech IT Solutions to help small businesses translate cybersecurity frameworks into practical day-to-day operations. He built WISPWolf after watching tax and accounting firms struggle with one-time WISP documents that went stale within weeks of being signed.

LinkedIn WISPWolf Wolf Tech IT Solutions

Reviewed by the WISPWolf Compliance Team against IRS Publication 5708 and the FTC Safeguards Rule (16 CFR Part 314).

Free Compliance Starter Kit

Get the free WISPWolf Compliance Starter Kit

Download the starter kit and identify your compliance gaps. Includes an IRS WISP starter template (not a completed customized WISP), FTC Safeguards Rule checklist, GLBA checklist, risk assessment worksheet, cyber insurance guide, and tax preparer compliance checklist.

Get Your Compliance Score Download the Free Starter Kit See what's inside

Free WISP Compliance Score

Get Your Free WISP Compliance Score

See how your firm's security practices compare to FTC Safeguards Rule and IRS WISP expectations. Answer 15 questions and get a personalized scorecard in minutes.

Start Free Assessment IRS Audit Readiness Guide Book a Consultation

IRS Pub 5708 Compliant · FTC Safeguards Rule · AES-256 Encrypted · No Credit Card Required

Related guides

Templates