
What Is IRS Publication 5708 and Why Does It Matter?
IRS Publication 5708, titled Creating a Written Information Security Plan for Your Tax & Accounting Practice, is the official sample Written Information Security Plan (WISP) template published by the IRS Security Summit — a collaborative initiative between the IRS, all 50 state revenue agencies, and the private-sector tax industry. The publication gives tax professionals a structured, fill-in-the-blank starting point for building the data security plan now required under federal law.
If you prepare federal or state tax returns professionally and handle client data — Social Security numbers, income figures, bank account details — you are legally required to maintain a WISP under the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission (FTC) Safeguards Rule. The FTC finalized updated requirements in 2023, explicitly extending coverage to tax preparation businesses of every size.
The FTC Safeguards Rule now mandates that all covered financial institutions — which explicitly include tax preparation businesses — develop, implement, and maintain a written information security program. IRS Publication 5708 is the practical answer to that mandate. It does not replace the need for a customized security plan, but it gives you every required section in draft form so you are not starting from a blank page.
This guide breaks down exactly what the IRS Publication 5708 sample WISP contains, who is required to use it, how to customize it for your practice, and what additional controls you need to make your program complete and defensible in the event of an IRS inquiry or FTC enforcement action.
2026 Filing Season Compliance Requirement
All paid tax preparers handling client data are legally required to maintain an active, updated WISP before the 2026 filing season begins. The IRS Security Summit releases revised Publication 5708 guidance annually — your plan must reflect current requirements, not a version from a prior year. Practitioners without a compliant WISP risk EFIN suspension and FTC civil penalties.
Tax Preparers: A High-Value Target for Cybercriminals
Tax professionals occupy a uniquely exposed position in the cybersecurity environment. A single client file contains everything an identity thief needs: full legal name, Social Security number, date of birth, employer information, bank account and routing numbers, and prior-year return data. A mid-size tax practice with 500 clients holds the equivalent of 500 complete identity theft starter kits.
The IRS identity theft statistics reinforce this exposure. The agency's Identity Theft Tax Refund Fraud program flagged over 1 million suspicious returns in a recent filing season, and the majority of fraudulent filings trace back to compromised preparer credentials or client data stolen from tax firms — not individual taxpayers. Cyberattacks on tax firms have increased steadily year over year, with phishing attacks targeting tax professionals spiking sharply during January through April when credential harvesting yields the highest return for attackers.
The threat profile for tax practices includes ransomware that encrypts client files and demands payment before filing deadlines, business email compromise (BEC) scams that redirect client refunds or payments, and credential stuffing attacks against IRS e-Services portals using passwords reused from other breached accounts. The IRS Publication 5708 sample WISP was designed specifically to help practices build defenses against exactly these attack types — but only if the template is properly completed and the controls it describes are actually implemented.
What IRS Publication 5708 Contains: A Section-by-Section Breakdown
The IRS Publication 5708 sample WISP is organized around the six core elements required by the FTC Safeguards Rule. Understanding each section helps you see exactly what you need to customize — and where the generic language leaves gaps you must fill with practice-specific detail.
1. Designated Security Coordinator
The first section requires you to name a specific individual as your firm's Information Security Program Coordinator. For a solo practice, that is you. For a multi-preparer firm, this should be a named partner or senior employee with the authority to implement security policies. The publication provides draft language; you insert the name, title, and contact information. The FTC Safeguards Rule requires this individual to report regularly to the firm's board or senior leadership — for small firms, document how you fulfill this oversight obligation even if you are the only principal.
2. Information and Systems Inventory
This section documents every system, device, and application that stores, processes, or transmits client data. The IRS Publication 5708 sample WISP includes a template inventory table covering workstations, laptops, mobile devices, servers, cloud storage, and tax preparation software. You must list every asset — including home computers used for remote work. An incomplete inventory is one of the most common gaps auditors find in tax practitioner WISPs, and it creates a cascading problem: an asset you have not listed has no documented controls, and controls that are not documented provide zero compliance protection.
3. Risk Assessment
Arguably the most substantive section, the risk assessment requires you to identify threats to client data and evaluate your current controls against those threats. The sample WISP provides a structured risk matrix covering insider threats, external cyberattacks, physical theft, and natural disasters. A thorough asset and risk assessment is the foundation everything else in your WISP is built on — the controls you select should directly address the risks you have identified here. The NIST SP 800-30 risk assessment framework provides additional methodology if your practice wants a more rigorous process than the IRS template offers.
4. Employee Training and Awareness
The training section requires you to document how and when employees receive security awareness training. At minimum, the IRS expects annual training covering phishing recognition, password hygiene, and data handling procedures. Your WISP must go beyond simply stating that training occurs — it must document the training platform, topics covered, and employee acknowledgment. Security awareness training for tax firms should be treated as a year-round program, not a one-time annual checkbox, because phishing campaigns targeting preparers run continuously throughout the year.
5. Service Provider Oversight
If you use any third-party vendors who access, store, or process client data — cloud backup providers, remote support technicians, payroll software vendors — you must document those relationships and confirm those vendors maintain their own security programs. The sample WISP includes a vendor management table with fields for vendor name, data type accessed, and contract security requirements. Most practices find this section the most time-consuming to complete because the average tax firm uses 8–15 third-party services that touch client data in some form.
6. Incident Response Plan
The final major section covers what you will do when — not if — a security incident occurs. This includes breach detection procedures, notification obligations under your state's data breach law, IRS reporting requirements, and steps to contain and recover from an attack. See our guide on ransomware protection for tax practices for detailed recovery strategies that belong in this section.
IRS Publication 5708 WISP Completion Checklist
- Name a specific Information Security Program Coordinator with documented authority
- Inventory every device, system, and application that touches client data — including home office equipment
- Complete a written risk assessment using a structured threat matrix
- Document your employee training program with dates, topics, and signed acknowledgments
- List every third-party vendor with access to client data and confirm their security attestations (SOC 2, etc.)
- Build a written incident response plan with IRS and state-specific notification timelines
- Document specific technical controls by name — not generic placeholders
- Schedule an annual WISP review and document it as a recurring compliance task
Who Is Legally Required to Have a WISP?
The short answer: every paid tax preparer. The legal framework rests on three overlapping requirements that collectively make a Written Information Security Plan mandatory for any professional who handles taxpayer data.
Gramm-Leach-Bliley Act (GLBA): The GLBA classifies tax preparers as financial institutions subject to its data security provisions. This has been federal law since 1999, but enforcement against small tax practices intensified after the FTC finalized the updated Safeguards Rule in 2023.
FTC Safeguards Rule (16 CFR Part 314): The updated rule, effective June 9, 2023, requires covered financial institutions — including tax preparation businesses — to designate a qualified individual to oversee the security program, conduct a written risk assessment, implement specific technical safeguards, and maintain a written security plan. Violations carry civil penalties up to $100,000 per violation under Section 5 of the FTC Act, with each day of non-compliance potentially constituting a separate violation.
IRS Publication 4557: While not a law itself, IRS Publication 4557 translates the GLBA and FTC requirements into specific guidance for tax professionals. It explicitly states that all tax preparers handling 11 or more returns must have a WISP. The IRS uses Publication 4557 as a compliance checklist during its Electronic Return Originator (ERO) reviews.
If you hold a Preparer Tax Identification Number (PTIN) and prepare returns for compensation, these requirements apply regardless of firm size. A solo preparer working from a home office has the same legal obligation as a 50-person accounting firm, though the scale and complexity of the required program differ. The full WISP requirements for tax professionals are detailed in our dedicated guide. For questions specific to PTIN holders, see our PTIN WISP requirements resource.
The Takeaway
Every paid tax preparer with a PTIN is legally required to maintain a WISP under the GLBA, FTC Safeguards Rule, and IRS Publication 4557 — regardless of firm size. The IRS Publication 5708 sample WISP provides the required structure, but the completed document must reflect your specific technology, staffing, and risk profile to provide genuine compliance protection.
Common Gaps in the IRS Sample WISP Template
The IRS Publication 5708 sample WISP is an excellent starting point, but it has deliberate gaps — by design, a template cannot address the specific technology, staffing, and risk profile of every practice. Filling these gaps is where practitioners most often fall short, and where enforcement exposure is highest.
Generic Controls Without Specificity
The template uses placeholder language like "we use appropriate encryption" and "employees receive regular training." Neither statement would satisfy an FTC examiner or an IRS ERO reviewer. Your completed WISP must name the specific software you use — for example, "BitLocker for full-disk encryption on all Windows workstations" — the specific Multi-Factor Authentication (MFA) method you have implemented, and the exact training platform employees use with training dates documented. Vague language in a WISP offers no more legal protection than having no WISP at all, because it demonstrates the plan was never operationalized.
Incomplete Vendor Management
Most tax preparers use five to fifteen third-party services that touch client data — tax software, cloud storage, remote access tools, client document portals, and payment processors. The IRS Publication 5708 sample WISP's vendor section often gets left half-complete. You need a full vendor list with the data each vendor accesses and evidence that each vendor maintains its own security program, typically a SOC 2 Type II report or equivalent attestation. The absence of documented vendor oversight has been cited in FTC enforcement actions as a standalone Safeguards Rule violation.
No Multi-Factor Authentication Policy
MFA is now a baseline requirement under both the FTC Safeguards Rule and IRS guidance. Your WISP must explicitly state that MFA is required for all remote access, all cloud services containing client data, and all tax software accounts. The IRS e-Services portal requires MFA — but IRS-mandated MFA for one system does not satisfy the broader requirement to document MFA across your entire technology stack. Our guide on IRS data safeguarding requirements covers MFA policy language you can adapt directly.
Insufficient Incident Response Procedures
The sample WISP's incident response section provides a general framework but does not specify the IRS's reporting requirements. Under IRS Publication 4557, tax professionals must report data thefts to the IRS immediately using Form 14242 for suspicious activity or by contacting the IRS Stakeholder Liaison. Your state may also have breach notification requirements with specific timelines — often 30 to 72 hours. These must be named explicitly in your WISP, not left as generic placeholders. A WISP that says "notify affected parties in a timely manner" is functionally non-compliant if a breach occurs and you cannot demonstrate you followed a documented process.
Missing Remote Work Policies
Post-2020, the IRS expects WISPs to address remote access explicitly. If any preparer, staff member, or contractor accesses client data from outside the office — even occasionally — your WISP must document the required controls: VPN use, prohibition of public Wi-Fi without a VPN, full-disk encryption on remote devices, and screen lock requirements. This section is frequently absent from plans built on older templates.
How to Customize the IRS Publication 5708 Sample WISP for Your Practice
1. Download the Current Publication 5708 Template
Obtain the most recent version from the IRS Security Summit resource page — the template is updated annually. Do not use a version from a prior year, as requirements change.
2. Complete Your Asset and Systems Inventory
List every device and application that stores, processes, or transmits client data. Include home office equipment, mobile devices, and all cloud-based services. This inventory drives every other section.
3. Conduct a Written Risk Assessment
For each asset in your inventory, identify realistic threats (phishing, ransomware, physical theft, insider misuse) and evaluate your current controls. Document gaps explicitly — they become your remediation roadmap.
4. Replace Generic Placeholders with Specifics
Every placeholder in the template — "appropriate encryption," "regular training," "qualified vendor" — must be replaced with the actual tool, vendor, frequency, or standard you use. Specificity is what makes a WISP defensible.
5. Build Out Your Vendor Table
List every third-party service that touches client data. Document what data they access, their security certifications (SOC 2, ISO 27001), and where those certifications are stored in your records.
6. Draft State-Specific Incident Response Procedures
Add your state's breach notification law requirements (timeline, notification recipients, content requirements) alongside the IRS Form 14242 reporting process. Name the individuals responsible for each step.
7. Conduct an Annual Review and Document It
Schedule a recurring annual review. Document the date, who participated, what was reviewed, and any changes made. This review record is what you produce during an ERO review or FTC inquiry.
Technical Security Controls Your WISP Must Document
The IRS Publication 5708 sample WISP identifies the categories of technical controls your program must address, but you are responsible for documenting what those controls actually look like in your practice. Regulators do not want to see "we use antivirus" — they want specifics. The controls below must appear by name in your completed WISP.
Encryption Standards
Document encryption for data at rest — full-disk encryption on all workstations and storage devices using a named tool (BitLocker, FileVault, VeraCrypt) — and data in transit using Transport Layer Security (TLS) 1.2 or higher for all client portal communications and email. The distinction between hashing and encryption matters here: password storage and data protection require different approaches, and your WISP should reflect that you understand the difference when describing how client data is protected in your tax software's database.
Access Controls and Least Privilege
Your WISP must document how user accounts are managed — including how quickly accounts are disabled when an employee leaves, the principle of least privilege (employees access only data necessary for their role), and how administrative privileges are restricted. This section should also address password policy: minimum 12-character length, complexity requirements, prohibition of password reuse, and mandatory use of a password manager. Weak access controls are the leading initial access vector in tax firm breaches — a single compromised credential with unrestricted access can expose every client file in your system.
Multi-Factor Authentication
Name every system where MFA is enforced: IRS e-Services, all tax preparation software accounts, cloud storage services, remote desktop or VPN access, and any client-facing portals. If any system does not support MFA, document that as an identified risk and describe compensating controls in place until the gap is remediated. The IRS now explicitly flags absent MFA documentation as a deficiency during ERO reviews.
Backup and Recovery
The FTC Safeguards Rule requires a written data backup and recovery plan. Document your backup frequency (daily minimum for active client data), backup storage location (offsite or cloud-based, separate from your primary network), retention period, and how frequently you test restores. A tested, offsite backup is your most effective recovery tool in a ransomware incident — without it, the only alternative is paying a ransom with no guarantee of data recovery. Document that you test restores at least quarterly, not just that backups run.
Network Security
Your WISP should document firewall configuration, Wi-Fi security standards (WPA3 or WPA2-Enterprise for office networks, prohibition of client data access on public Wi-Fi without a VPN), and network segmentation if your office network hosts devices beyond work computers. Our guide on firewall setup for tax offices covers the specific configurations the IRS expects to see documented. If you use a VPN for remote access, document the VPN vendor, protocol, and which employees are required to use it.
Endpoint Protection
The IRS expects documented Endpoint Detection and Response (EDR) — not just traditional antivirus. Antivirus for tax professionals has evolved significantly: legacy signature-based antivirus does not detect modern fileless malware, ransomware delivered through trusted tools, or the driver-based EDR bypass techniques increasingly used in targeted attacks against small professional service firms. Your WISP should name the specific endpoint protection solution deployed and confirm it covers all devices in your inventory.
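The following is an added example, not part of the original guide or the IRS template: a Python check that walks an asset inventory and flags every row where the controls described in this section are missing or recorded only as a generic placeholder. The record layout, the asset kinds, the sample inventory, and the product names ExampleEDR and ExampleVPN are all constructed assumptions.

```python
"""Cross-check a WISP asset inventory against the documented technical controls.

Added illustration: field names and sample rows are constructed, not taken
from IRS Publication 5708.
"""
from dataclasses import dataclass

# Values that do not name a specific tool or method (placeholder wording).
GENERIC_VALUES = {"", "yes", "tbd", "n/a", "appropriate encryption", "antivirus"}

# Devices that store client data locally: need disk encryption and EDR.
ENDPOINT_KINDS = {"workstation", "laptop", "mobile", "server"}
# Accounts and services: need MFA, or a documented compensating control.
SERVICE_KINDS = {"cloud", "tax_software", "client_portal", "remote_access"}


@dataclass
class Asset:
    name: str
    kind: str
    remote_use: bool = False        # accessed from outside the office
    disk_encryption: str = ""       # named tool, e.g. "BitLocker"
    edr: str = ""                   # named endpoint protection product
    vpn: str = ""                   # named VPN, required for remote use
    mfa: str = ""                   # named MFA method
    compensating_control: str = ""  # documented when MFA is unsupported


def is_named(value):
    """True when the field names a specific product or method."""
    return value.strip().lower() not in GENERIC_VALUES


def audit_asset(asset):
    """Return a list of (severity, message) findings for one inventory row."""
    findings = []
    if asset.kind in ENDPOINT_KINDS:
        if not is_named(asset.disk_encryption):
            findings.append(("GAP", "no named full-disk encryption tool"))
        if not is_named(asset.edr):
            findings.append(("GAP", "no named endpoint protection (EDR) product"))
        if asset.remote_use and not is_named(asset.vpn):
            findings.append(("GAP", "used remotely but no VPN documented"))
    elif asset.kind in SERVICE_KINDS:
        if not is_named(asset.mfa):
            if is_named(asset.compensating_control):
                # Record as an identified risk until the MFA gap is remediated.
                findings.append(("RISK", "MFA not enforced; compensating control: "
                                 + asset.compensating_control))
            else:
                findings.append(("GAP", "MFA not enforced and no compensating "
                                 "control documented"))
    else:
        findings.append(("GAP", f"unrecognized asset kind '{asset.kind}'"))
    return findings


def audit_inventory(assets):
    """Map asset name -> findings, omitting rows with nothing to report."""
    report = {}
    for asset in assets:
        findings = audit_asset(asset)
        if findings:
            report[asset.name] = findings
    return report


# Constructed sample inventory for a small practice.
SAMPLE_INVENTORY = [
    Asset("front-desk-pc", "workstation",
          disk_encryption="BitLocker", edr="ExampleEDR"),
    Asset("partner-laptop", "laptop", remote_use=True,
          disk_encryption="appropriate encryption", edr="ExampleEDR"),
    Asset("home-office-pc", "workstation", remote_use=True,
          disk_encryption="VeraCrypt", edr="antivirus", vpn="ExampleVPN"),
    Asset("tax-software", "tax_software", mfa="authenticator app (TOTP)"),
    Asset("legacy-doc-portal", "client_portal",
          compensating_control="IP allow-list; retire at next annual review"),
    Asset("cloud-backup", "cloud", mfa="yes"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        for severity, message in findings:
            print(f"{severity:4} {name}: {message}")
```

Rows reported as RISK belong in the risk assessment section with their compensating control; rows reported as GAP are the remediation list to clear before the annual review.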
FTC Safeguards Rule Enforcement and What Non-Compliance Costs
The FTC has increased enforcement of the Safeguards Rule significantly since its 2023 updates. While most publicized cases involve larger financial institutions, the FTC has explicitly stated that tax preparation businesses of all sizes are covered — and state attorneys general have been equally active in pursuing smaller firms under state data protection laws.
The non-compliance exposure for a tax practice operates on multiple tracks simultaneously. At the federal level, FTC civil penalties run up to $100,000 per violation under Section 5 of the FTC Act, with each day of non-compliance potentially constituting a separate violation. A practice that operates without a WISP for 90 days could theoretically face $9 million in exposure. Actual penalties in small firm cases have been substantially lower, but the liability ceiling remains that high.
At the IRS level, the agency can suspend or revoke your Electronic Filing Identification Number (EFIN) if you fail to maintain adequate data security, effectively shutting down your e-filing capability during tax season. EFIN suspension is an existential threat to a tax practice — it is not a fine, it is a complete loss of the ability to file returns electronically for clients. The FTC Safeguards Rule and its implications for tax preparers are detailed in our dedicated resource, alongside the IRS enforcement mechanisms that operate in parallel.
All 50 states have breach notification laws. Failure to notify within required timeframes — often 30 to 72 hours — carries separate civil penalties on top of any federal action. States including California, New York, and Illinois have private rights of action under consumer protection statutes, meaning clients whose data is compromised can bring negligence claims directly. The reputational cost of a breach that becomes public, even a small one, can permanently damage a practice built over decades. Review the FTC's official Safeguards Rule guidance alongside the IRS publication for a complete picture of your obligations. For an end-to-end view of your tax practice security obligations, review our WISP checklist for CPA firms and the full written information security plan guide.
Annual WISP Review Is a Legal Requirement — Not a Suggestion
The FTC Safeguards Rule explicitly requires covered institutions to review and update their information security program in response to material changes to operations or business arrangements, or any other circumstance that you have reason to believe may have a material impact on your information security program. For tax practices, that trigger fires constantly: new tax software subscriptions, staff turnover, new remote work arrangements, new cloud storage tools, and the IRS's own annual updates to Publication 5708.
In practice, annual review means more than opening the document once a year. A defensible annual review includes walking through your asset inventory to confirm it still reflects every device and service in use, verifying that all vendor attestations (SOC 2 reports, security questionnaires) are current, testing your incident response procedures through a tabletop exercise, confirming that training records align with the training section of the WISP, and documenting any changes made as a result of the review. The IRS Security Summit resource page publishes updated guidance annually, including revised versions of Publication 5708 — check it each time you conduct your WISP review.
The documentation from your annual review is what you produce during an IRS ERO review or FTC inquiry to demonstrate that your program is active, not static. A WISP with a 2023 date and no evidence of subsequent review signals to an examiner that the document was created once for compliance theater and never operationalized. That is worse than a simple gap — it demonstrates a pattern of non-compliance.
Beyond the Template: Making Your WISP a Working Security Program
A filed WISP that no one reads is still a compliance risk. The IRS and FTC are not just looking for a document — they want evidence that your security program is actually implemented and followed. Here is how to turn the IRS Publication 5708 sample WISP from a static document into an active security program.
Conduct a Tabletop Exercise Before Tax Season
Walk your team through a simulated incident — a phishing email that led to a credential compromise, or a laptop reported stolen. Do this as a planned exercise, not a real response. The goal is to verify that everyone knows their role in the incident response plan before an actual event forces the issue. Document that you conducted the exercise and note any process gaps it revealed. A 90-minute tabletop exercise before January 15 is one of the highest-value security activities a tax practice can perform.
Tie Training Records to Your WISP
Your WISP states that employees receive annual training. Your training records prove it. Keep a training log — dates, topics covered, and employee signatures — that directly corresponds to your WISP's training section. This is the evidence you will produce during an IRS ERO review or FTC inquiry. A statement in your WISP about training without corresponding records provides no legal protection — it actually demonstrates that the plan is aspirational rather than operational.
Audit Your Vendor List Annually
Software subscriptions and cloud services change frequently. Every time you add a new tool that touches client data — a new document portal, a cloud backup service, an AI-assisted tax tool — update your WISP's vendor section before deploying the tool in a client-data environment. Maintaining alignment between your actual technology stack and your documented one is an ongoing responsibility, not a once-per-year task.
For practitioners who want a professionally developed WISP that goes beyond the IRS template, see our free WISP template for 2026, our IRS WISP example guide showing how practices of different sizes structure their plans, and the all-in-one compliance package for firms that need a complete security program rather than a standalone document.
IRS Publication 5708 and the Broader Tax Security Framework
IRS Publication 5708 does not exist in isolation. It is one component of a broader tax professional security framework that the IRS Security Summit has built over several years. Understanding where it sits in relation to other requirements helps you avoid treating WISP compliance as a standalone task.
IRS Publication 4557 is the overarching guide to safeguarding taxpayer data — it sets out what controls the IRS expects and uses as the basis for ERO reviews. Publication 5708 is the sample WISP template that satisfies Publication 4557's WISP requirement. The two documents should be read together: 4557 tells you what the IRS expects, 5708 gives you the template to document how you meet those expectations.
Beyond these two publications, tax practices with more than 5,000 records may also need to meet the FTC Safeguards Rule's additional requirements for larger institutions, including annual penetration testing and vulnerability assessments. Firms in states with their own data protection frameworks — California (CCPA/CPRA), New York (SHIELD Act), Massachusetts (201 CMR 17.00) — must ensure their WISP satisfies both federal and state requirements simultaneously. Our accounting and CPA cybersecurity services page outlines how Bellator Cyber Guard helps firms navigate these overlapping frameworks.
For tax practices that also handle any health-related financial data — medical deductions, Health Savings Account (HSA) records, or insurance reimbursement documentation — there may be additional obligations under HIPAA's Security Rule (45 CFR Part 164) that intersect with your WISP requirements. Our resource on HIPAA cybersecurity requirements addresses this intersection.
Frequently Asked Questions About IRS Publication 5708 and the Sample WISP
IRS Publication 5708, titled Creating a Written Information Security Plan for Your Tax & Accounting Practice, is the official sample WISP template published by the IRS Security Summit. It provides tax professionals with a structured, fill-in-the-blank framework covering the six core elements required by the FTC Safeguards Rule: a designated security coordinator, asset inventory, risk assessment, employee training, vendor oversight, and an incident response plan. The publication is updated annually and is available free from the IRS website.
No. The IRS Publication 5708 sample WISP is a starting point, not a finished compliance document. It uses generic placeholder language throughout — "appropriate encryption," "qualified vendors," "regular training" — that must be replaced with specifics about your actual technology stack, vendor relationships, training records, and security controls. A completed WISP submitted with placeholder language still intact would not satisfy an FTC examiner or survive an IRS ERO review. The template provides the required structure; you provide the practice-specific substance.
Every paid tax preparer who handles client data is legally required to maintain a WISP. IRS Publication 4557 specifies that all tax preparers handling 11 or more returns must have a written information security plan. The legal basis comes from the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule (16 CFR Part 314), both of which classify tax preparation businesses as covered financial institutions. This applies regardless of firm size — a solo preparer and a 50-person CPA firm face the same fundamental legal obligation.
The FTC Safeguards Rule requires you to review and update your WISP at least annually and whenever there are material changes to your operations — new technology, new vendors, staff changes, new remote work arrangements, or a security incident. In practice, tax practices should conduct a formal annual review before each filing season, verify that all vendor attestations are current, update the asset inventory to reflect any new tools, and document the review with a dated record of what was assessed and what changed.
Non-compliance exposes tax practices to multiple penalty tracks. The FTC can impose civil penalties up to $100,000 per violation under Section 5 of the FTC Act, with each day of non-compliance potentially constituting a separate violation. The IRS can suspend or revoke your EFIN, shutting down your ability to e-file returns. All 50 states have breach notification laws with their own civil penalties for non-compliance. Additionally, clients whose data is compromised may bring negligence claims, particularly in states with private rights of action under consumer protection statutes.
IRS Publication 5708 is designed to align with the FTC Safeguards Rule's six required program elements. However, the template does not cover every technical requirement in 16 CFR Part 314 — particularly the specific safeguards required for institutions with more than 5,000 customer records (annual penetration testing, vulnerability assessments) and the detailed requirements around multi-factor authentication documentation. Practitioners should read the publication alongside the FTC's official Safeguards Rule text and IRS Publication 4557 to ensure full coverage.
IRS Publication 4557, Safeguarding Taxpayer Data, is the IRS's overarching guidance document setting out what data security controls the IRS expects tax professionals to implement and maintain. It is the standard used during IRS ERO reviews. IRS Publication 5708 is the sample WISP template that satisfies Publication 4557's requirement for a written information security plan. Think of 4557 as the requirements document and 5708 as the tool provided to help you meet those requirements. Both should be read together.
Yes, but multi-preparer firms face additional complexity. The template's single designated security coordinator model must reflect actual organizational authority — for a multi-preparer firm, this should be a named partner with documented security responsibilities and a reporting relationship to firm leadership as required by the FTC Safeguards Rule. The asset inventory and vendor sections will also be substantially larger for multi-location or multi-preparer operations, and the training section must cover onboarding procedures for new staff. Firms with 10 or more employees should consider a professionally customized WISP rather than relying solely on the generic template.
Yes. Any preparer, staff member, or contractor who accesses client data from outside the office must be covered in your WISP. The remote access section should document required VPN use, prohibition of client data access on public Wi-Fi without a VPN, full-disk encryption requirements on remote devices, screen lock requirements, and the prohibition of accessing client data on personal devices not included in your asset inventory. WISPs built on pre-2020 templates frequently lack this section entirely, creating a compliance gap that the IRS flags during ERO reviews.
Bellator Cyber Guard offers a free WISP template for 2026 built specifically for tax professionals and fully aligned with IRS Publication 5708, IRS Publication 4557, and the FTC Safeguards Rule. Unlike the IRS template, our version includes specific guidance for completing each section, state-specific incident response timelines, and a vendor management framework. For firms that need a complete, professionally built WISP reviewed by a cybersecurity expert, our accounting and CPA cybersecurity services include WISP development and annual review support.



