
Written Information Security Plan Template (WISP) for Tax Firms

Free Written Information Security Plan template aligned with IRS Publication 5708, the FTC Safeguards Rule, and GLBA. Sections, structure, and language for tax preparers and CPAs.

June 17, 2026 · 13 min read
Written by Alfonso Lovo · Reviewed by WISPWolf Compliance Team · Last Updated: June 17, 2026 · Verified June 19, 2026
Short answer

A Written Information Security Plan (WISP) is the document the FTC Safeguards Rule and IRS Publication 5708 require every tax preparer, CPA, EA, and bookkeeper to maintain. This template covers the eleven sections regulators, examiners, and cyber insurance carriers actually look for.


A Written Information Security Plan, or WISP, is the single document that proves a tax practice has thought about, documented, and operationalized the federal information-security obligations it owes its clients. Every paid preparer, every CPA firm, every enrolled agent, and every bookkeeper falls under the same framework: the GLBA Safeguards Rule, the FTC's implementing regulation at 16 CFR Part 314, and the IRS-specific layer in IRS Publication 5708. The WISP is where all three converge.

This template walks through the eleven sections a defensible WISP contains, in the order regulators and cyber insurance underwriters expect to see them. Use it as a structure to fill in with your firm's specifics — names, systems, vendors, dates — not as a finished document to paste in. The most common WISP audit finding in 2026 is exactly that: a template with placeholder text still in it.

Why this structure

The eleven sections below map one-to-one to the nine elements of the FTC Safeguards Rule plus two IRS-specific items from Pub 5708 (e-Services protection and the EFIN safeguard log). When an examiner walks through your WISP, they should be able to find every element by its heading without searching. Auditors, insurance underwriters, and the IRS Stakeholder Liaison all read in this order. See the GLBA Safeguards Rule pillar guide for the underlying regulatory text.

Section 1 — Introduction and scope

State, in two paragraphs, what your firm does, what data it handles, who the WISP protects (clients and employees), and the legal authorities it implements (GLBA, FTC Safeguards Rule, IRS Pub 5708 and Pub 4557, applicable state laws). Name the effective date and the next scheduled review. Cite Pub 4557 as the foundational reference.

Section 2 — Designation of the Qualified Individual

Section 314.4(a) requires the designation of one person responsible for overseeing, implementing, and enforcing the security program. Identify that person by name and title. State the reporting line — to the owner, the partner group, or the board. For a solo preparer, the Qualified Individual is the preparer.

Section 3 — Risk assessment

Reference the most recent written risk assessment by date and attach it as Appendix A. The WISP body summarizes the top three to five identified risks and the safeguards mapped to each. The full assessment lives in the appendix. The risk assessment template covers the six-step methodology.

Section 4 — Information inventory

List the categories of customer information the firm collects, the systems where each is stored, and the retention period for each. For most tax firms this includes SSNs, ITINs, bank account information, wage data, dependents' SSNs, driver's license numbers, and prior-year returns. The inventory drives every downstream safeguard.

Section 5 — Administrative safeguards

Document the policies that govern people and process:

  • Acceptable use policy
  • Password policy (length, MFA factor, rotation rules)
  • Background screening for new hires
  • Security awareness training at onboarding and annually
  • Role-based access control and least privilege
  • Departure checklist (credential revocation, mailbox preservation, badge return, MFA token disenrollment)
  • Vendor risk management — see Section 9

Section 6 — Technical safeguards

This section is the most-read by underwriters. Cover each of the following, naming the specific vendor or product in use:

  • Multi-factor authentication on every system holding customer information (authenticator app or FIDO2; avoid SMS where possible)
  • Encryption at rest on every workstation, laptop, and mobile device (BitLocker, FileVault, or equivalent)
  • Encryption in transit (TLS 1.2+, secure file-transfer for client documents, no plain email for sensitive data)
  • Endpoint detection and response (EDR) on every endpoint
  • Mail-filtering and anti-phishing controls on the email tenant
  • Patching cadence for OS, browsers, tax software, and third-party apps
  • Network segmentation between guest and production
  • Backups (frequency, retention, off-site or immutable storage, last successful restore test)
  • Monitoring and logging — see the M365 automation guide

Section 7 — Physical safeguards

Locks, doors, cabinets, badges, alarm systems, paper shredding, secure media destruction, off-site storage controls. Document where keys and badges are tracked and who has access to the server room or wiring closet. Photograph the locked file room and attach as an appendix if it helps document compliance.

Section 8 — Training

Identify the curriculum, the cadence, who delivers it, and how completion is tracked. The Safeguards Rule expects training to be role-appropriate — the partner group's training is not identical to the preparer pool's training. Document the most recent training date and the platform used.

Section 9 — Vendor and service-provider oversight

For every vendor with access to customer information — tax software, document management, payroll, cloud storage, IT MSP, e-signature, secure file transfer — document:

  • Vendor name and service description
  • What customer information they access or store
  • Security attestation (SOC 2 report, ISO 27001, or vendor questionnaire)
  • Contractual data-protection terms
  • Date of last review

Vendor oversight is the second-most-common audit finding (after placeholder template text). Underwriters and FTC examiners read this section closely.

Section 10 — Incident response and breach notification

Cross-reference your incident response plan and the breach response checklist. The WISP itself should contain the high-level summary: who declares an incident, who calls the cyber insurance carrier and outside counsel, when the IRS Stakeholder Liaison is notified, when the FTC's 30-day portal applies, and how affected individuals are notified.

Section 11 — Monitoring, testing, and annual review

Describe continuous monitoring (M365 alerts, EDR alerts, log review cadence) and the alternative — annual penetration testing plus biannual vulnerability assessments — required by the Safeguards Rule for firms not running continuous monitoring. Document the annual review process, the report to the governing body, and the change log. The annual review checklist covers the operational mechanics.

IRS-specific appendices

Pub 5708 expects two additional items that are not in the generic Safeguards Rule structure:

  • e-Services account control log — who has e-Services credentials, what MFA factor each uses, when each was last reviewed.
  • EFIN safeguard log — weekly review of EFIN usage statistics during filing season, with sign-off.

These are quick to maintain and routinely requested by the IRS Stakeholder Liaison after an incident.

Required appendices

  • Appendix A — Risk Assessment (see template)
  • Appendix B — Incident Response Plan (see template)
  • Appendix C — Vendor inventory and SOC 2 / attestation summary
  • Appendix D — Training roster and dates
  • Appendix E — Annual review report to the governing body
  • Appendix F — IRS-specific logs (e-Services, EFIN)
  • Appendix G — Change log

Signature page

The signature page is dated, signed by the Qualified Individual, and acknowledged by the governing body. Update both signatures at every annual review. The signature is not a formality — it is the artifact that proves the WISP is current.

Three things this template cannot do for you

It cannot complete your risk assessment. Every firm has its own threat profile, vendor list, and historical incident pattern. The assessment must be specific to your environment.

It cannot substitute for tested controls. A WISP that says "we have MFA" while three users still have SMS-only fallback is not accurate. The annual review reconciles documented controls with actual controls.
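As an added illustration of that reconciliation step (example code written for this guide, not part of the WISPWolf template), the script below compares constructed exports of per-user MFA methods, device encryption state, and the last restore-test date against what Section 6 says the firm has, and lists every gap. The user and device names and the export format are assumptions.

```python
"""Reconcile the WISP's documented Section 6 safeguards against exported evidence.
All sample data below is constructed for this example."""
from dataclasses import dataclass
from datetime import date

# Section 6 accepts an authenticator app or FIDO2; SMS alone does not count.
STRONG_MFA = {"authenticator_app", "fido2"}

# Constructed tenant export: the MFA methods registered for each user.
MFA_EXPORT = [
    {"user": "partner@example-cpa.test", "methods": ["fido2", "sms"]},
    {"user": "preparer1@example-cpa.test", "methods": ["authenticator_app"]},
    {"user": "preparer2@example-cpa.test", "methods": ["sms"]},
    {"user": "admin@example-cpa.test", "methods": []},
]

# Constructed endpoint inventory: disk-encryption state per device.
DEVICE_EXPORT = [
    {"device": "LT-01", "encrypted": True},
    {"device": "LT-02", "encrypted": False},
]

@dataclass
class Finding:
    control: str   # which Section 6 control the gap belongs to
    subject: str   # user, device, or artifact affected
    detail: str

def mfa_findings(rows):
    """Flag accounts that would make 'we have MFA' inaccurate in the WISP."""
    out = []
    for r in rows:
        methods = set(r["methods"])
        if not methods:
            out.append(Finding("MFA", r["user"], "no MFA method registered"))
        elif not methods & STRONG_MFA:
            out.append(Finding("MFA", r["user"], "SMS-only fallback; no app or FIDO2"))
    return out

def encryption_findings(rows):
    """Flag devices that contradict 'encryption at rest on every device'."""
    return [Finding("Encryption at rest", r["device"], "disk not encrypted")
            for r in rows if not r["encrypted"]]

def backup_findings(last_restore_test_iso, today_iso, max_age_days=365):
    """Section 6 asks for the last successful restore test; flag it if stale."""
    age = (date.fromisoformat(today_iso) - date.fromisoformat(last_restore_test_iso)).days
    return [Finding("Backups", "restore test", f"last successful test {age} days ago")] if age > max_age_days else []

def reconcile(mfa_rows, device_rows, last_restore_test_iso, today_iso):
    return mfa_findings(mfa_rows) + encryption_findings(device_rows) + backup_findings(last_restore_test_iso, today_iso)

if __name__ == "__main__":
    for f in reconcile(MFA_EXPORT, DEVICE_EXPORT, "2025-01-10", "2026-06-17"):
        print(f"{f.control}: {f.subject} - {f.detail}")
```

Each finding is a line item for the annual review change log; an empty result is the evidence that Section 6 still describes the firm as it actually runs.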

It cannot keep itself current. The most expensive WISP failure mode is the document that was perfect on the day it was signed and 18 months out of date by the time it mattered. The "one-time WISP" article explains why static templates are now the leading audit finding.

How this template aligns with the 2026 landscape

The 2026 environment has tightened in three ways relevant to this template: the IRS now samples PTIN attestations and requests the WISP; the FTC 30-day breach notification rule is fully enforceable; and cyber insurance underwriters now request the actual WISP and the date of the most recent annual review as part of the renewal application. The structure above is designed to satisfy all three. See the 2026 WISP requirements guide for the year-over-year changes.

Bottom line

The WISP is not a paperwork exercise. It is the document that decides whether your firm gets through a PTIN audit, a Safeguards Rule examination, a cyber insurance renewal, and — eventually — an incident. Use this eleven-section structure as your skeleton, attach the appendices, and schedule the annual review. Pair the WISP with the risk assessment and the IRP templates, and you have the complete program regulators and insurers are looking for.

References

Primary regulatory and standards sources used throughout WISPWolf's compliance guidance.

  1. IRS Publication 5708 — Creating a Written Information Security Plan
  2. IRS Publication 4557 — Safeguarding Taxpayer Data
  3. FTC Safeguards Rule (16 CFR Part 314)
  4. Gramm-Leach-Bliley Act (GLBA) Safeguards
  5. IRS Tax Security — Protect Your Clients, Protect Yourself
  6. NIST Cybersecurity Framework
  7. Microsoft Security Documentation