
What Is IRS Publication 5708 and Who Needs It?
Federal law requires every professional tax preparer in the United States to maintain a Written Information Security Plan (WISP)—a formal, documented strategy for protecting sensitive taxpayer data. To help practitioners meet this obligation without hiring a law firm or a security consultant, the Security Summit—a public-private partnership between the IRS, state tax agencies, and the tax software industry—published IRS Publication 5708, Creating a Written Information Security Plan for Your Tax & Accounting Practice.
The requirement flows from the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission (FTC) Safeguards Rule, which classify tax preparers as "financial institutions" for data security purposes. The IRS reinforces this in IRS Publication 4557, Safeguarding Taxpayer Data, which outlines baseline security expectations and explicitly cross-references the WISP requirement. Non-compliance exposes your practice to FTC enforcement actions, state penalties, and—most damaging—the reputational fallout of a taxpayer data breach.
The IRS Publication 5708 WISP template was intentionally written in plain language, making it practical for sole practitioners and small accounting firms that do not have in-house information security staff. Whether you operate a one-person practice or a regional CPA firm, the template gives you a fillable framework you can adapt to your actual systems, staff, and client base. Building a sound understanding of cybersecurity for tax professionals starts here.
What the IRS Publication 5708 WISP Template Covers
The Security Summit designed the IRS Publication 5708 WISP template around five core security areas that every tax practice must address, regardless of size. Think of the document as a structured questionnaire: it prompts you to inventory your systems, identify risks, select safeguards, and document your decisions. The template does not prescribe a single correct answer—it guides you to document the right answers for your practice.
Here is what each major section addresses:
- Designated Security Coordinator: You must name one individual—even in a solo practice, that person is you—who is accountable for the WISP. This person owns the plan, conducts annual reviews, and serves as the point of contact for security incidents.
- Risk Assessment: The template walks you through identifying the types of taxpayer data you collect, the systems that store or transmit it, and the realistic threats those systems face. This is not a hypothetical exercise—it shapes every safeguard you subsequently choose.
- Technical Safeguards: From two-factor authentication for tax software to disk encryption and firewall configuration, the template itemizes controls and asks you to document whether each is in place or has a compensating measure.
- Physical Safeguards: Office access controls, clean-desk policies, and secure document disposal are all addressed—frequently overlooked areas where tax offices face genuine exposure.
- Service Provider Management: If you use cloud storage, payroll processors, or any third party that touches taxpayer data, the WISP requires you to document those vendors and confirm they maintain their own security practices.
- Employee Training: The plan must reflect how and when staff are trained on security policies, phishing recognition, and data handling procedures.
- Data Theft Response Plan: This subsection directs you to document the steps you will take immediately after discovering a breach, including how to contact your IRS Stakeholder Liaison.
Each section includes fillable prompts, checkboxes, and sample policy language. You are not starting from a blank page—you are customizing a professionally structured document.
How to Implement Your WISP Using IRS Publication 5708
Download and Read IRS Publication 5708
Obtain the current version directly from IRS.gov. Read the full document before filling in any section—the introductory guidance clarifies scope decisions you will make throughout.
Designate Your Security Coordinator
Formally name the individual responsible for your WISP. In a solo practice this is the owner; in larger firms it may be an office manager or IT lead. Document this person's name and contact information in the plan.
Complete the Risk Assessment
Inventory every location where taxpayer data lives—workstations, laptops, cloud drives, email servers, tax software portals. Rate the likelihood and impact of each threat category the template identifies.
Select and Document Your Safeguards
For each risk identified, document the technical, physical, or administrative safeguard you have in place. If a control is not yet implemented, document a target remediation date.
List and Vet Service Providers
Identify every third-party vendor with access to taxpayer data. Confirm they maintain their own security plans and document their contact information and the specific data they can access.
Write Your Data Theft Response Plan
Document step-by-step actions your practice will take within the first 24–72 hours of a confirmed breach, including IRS Stakeholder Liaison notification and client communication procedures.
Train Your Team and Store the Document
Conduct initial training with all staff and record attendance. Store the finalized WISP in PDF and Word formats, with a backup copy in offsite or cloud storage for disaster recovery.
Review and Update Annually
The FTC Safeguards Rule requires annual testing and review of your information security program. Set a recurring calendar reminder—many practices align this with the end of filing season.
Tailoring the IRS Publication 5708 WISP Template to Your Firm's Size
One of the most valuable aspects of the IRS Publication 5708 WISP template is its explicit acknowledgment that there is no one-size-fits-all security plan. The Security Summit built the document so that a sole practitioner and a ten-partner accounting firm can both use it—but produce appropriately different outputs.
For sole practitioners, the WISP can remain relatively concise. If you work from a single workstation, use one cloud-based tax platform, and have no employees, your risk surface is limited. Your WISP still needs every required section, but the answers will be brief. The template's sample language is already written with smaller practices in mind.
For firms with two to ten staff members, the plan grows more detailed. You now have multiple endpoints to secure, employees who need formal training documentation, and likely several service provider relationships to catalog. Pay particular attention to the employee training and access control sections—staff turnover is one of the most common causes of data exposure in small tax offices.
For firms with more than ten employees, the template serves as a foundation, but you will almost certainly need to supplement it. At this scale, role-based access controls, formal onboarding and offboarding procedures, and network segmentation deserve their own policy documents that your WISP can reference. Review our WISP checklist for CPA firms to confirm you have addressed the additional requirements larger practices face under the FTC Safeguards Rule.
Regardless of firm size, the FTC requires that your security program be appropriate for the sensitivity of the data you handle, not just its volume. If you specialize in high-net-worth clients, business tax returns, or payroll services, your risk assessment should reflect the heightened sensitivity of that data—and your safeguards should match.
Core Components Every WISP Must Include
Designated Security Coordinator
A named individual accountable for maintaining, testing, and updating the WISP on an ongoing basis.
Written Risk Assessment
A documented inventory of data, systems, and threats—the foundation on which every safeguard decision rests.
Technical Safeguards
Multi-Factor Authentication (MFA), encryption, endpoint protection, and firewall configurations documented and verified.
Service Provider Oversight
A list of every vendor with data access, along with confirmation of their own security practices and written agreements.
Employee Security Training
Documented training covering phishing recognition, data handling, password policies, and incident reporting procedures.
Data Theft Response Plan
Step-by-step breach response procedures including IRS Stakeholder Liaison notification within the required timeframe.
The Data Theft Response Plan: Your Most Time-Sensitive Section
Of all the sections in the IRS Publication 5708 WISP template, the data theft response plan demands the most immediate attention when something goes wrong. Tax preparers who discover a breach have a narrow window to act: IRS Stakeholder Liaisons expect prompt notification, state laws may impose 72-hour deadlines for notifying affected individuals, and delayed action amplifies both the financial and reputational damage.
Your response plan should answer four questions before an incident ever occurs:
- Who is your IRS Stakeholder Liaison? Every state has one. The IRS publishes a contact directory—find your liaison now and record their direct line in the WISP, not buried in a bookmark folder you may not be able to access during a crisis.
- What data was exposed, and where? This is why the risk assessment section matters so much. If you have already inventoried every location where taxpayer data lives, you can rapidly assess the scope of any breach rather than guessing under pressure.
- Who else must be notified? Depending on your state, a breach affecting client Social Security numbers or financial account information may trigger mandatory notification to the state attorney general, affected clients, and potentially credit bureaus. Your response plan should list these obligations explicitly.
- How will you contain and recover? Document the immediate steps: isolating compromised systems, revoking affected credentials, engaging your IT provider or managed security service, and preserving evidence for forensic review.
A well-documented response plan is not just good practice—it is evidence of reasonable care if your practice ever faces regulatory scrutiny. Pairing your WISP with a tested ransomware protection strategy for your tax practice significantly reduces the likelihood you will ever need to execute this plan.
Common WISP Gaps That Leave Tax Practices Exposed
In our work with tax and accounting firms across the country, the same documentation gaps appear repeatedly. Most are not the result of negligence—they reflect a document completed once and never revisited. The IRS Publication 5708 WISP template is only as effective as the discipline behind it.
Gap 1: Treating the WISP as a one-time task. The FTC Safeguards Rule explicitly requires annual testing and review of your security program. If your WISP has a creation date but no revision history, it is likely out of compliance. Set an annual review date—many practitioners align it with the end of filing season.
Gap 2: Missing or incomplete service provider documentation. Tax offices routinely add new software tools—e-signature platforms, document portals, payroll integrations—without updating the WISP. Every new vendor that touches taxpayer data needs to appear in your service provider section before they go live, not after.
Gap 3: No evidence of employee training. Telling staff about security policies verbally is not sufficient documentation. The WISP must reflect that training occurred, who attended, and what was covered. Formal security awareness training for tax firms generates the attendance records and content logs your WISP needs to reference.
Gap 4: Weak or missing MFA documentation. The IRS has made Multi-Factor Authentication (MFA) an explicit requirement for accessing tax software and client portals. Your WISP should document not only that MFA is enabled, but which systems it covers and the authentication method used. Our guide on two-factor authentication for tax software walks through implementation specifics.
Gap 5: No physical security provisions. Digital safeguards get most of the attention, but the template also covers physical access controls—locking filing cabinets, clean-desk policies, visitor logs, and secure document disposal. These sections are frequently left blank.
A formal tax safeguard compliance review can identify which of these gaps apply to your practice and prioritize remediation before a breach or audit exposes them first.
WISP Requirement Applies to ALL Tax Preparers
The FTC Safeguards Rule and IRS Publication 4557 make no exception for small practices or solo preparers. If you prepare federal tax returns professionally—even part-time during filing season—you are legally required to have a Written Information Security Plan on file and up to date.
Where to Get the Template and What to Do Next
The IRS Publication 5708 WISP template is available at no cost directly from the IRS. Download IRS Publication 5708 as a PDF from IRS.gov. For additional context on your compliance obligations and data handling requirements, also download IRS Publication 4557 and IRS Publication 5293, the Data Security Resource Guide for Tax Professionals—all three documents are designed to work together.
Once you have the template, the NIST Small Business Information Security guide provides a risk management framework that aligns well with the risk assessment section of your WISP and helps you evaluate safeguard options systematically. For guidance on storing and distributing the finalized WISP securely to remote staff, explore options for a secure client portal for your tax practice.
If you need help completing the template, identifying gaps in your current security posture, or verifying that your WISP meets the current FTC and IRS requirements, Bellator Cyber Guard offers a structured WISP assessment for tax and accounting practices. Our team works exclusively with financial and tax professionals and understands the specific data environments—and the specific threat actors—that target this industry.
Frequently Asked Questions
IRS Publication 5708, titled Creating a Written Information Security Plan for Your Tax & Accounting Practice, is a fillable WISP template published by the Security Summit—a partnership of the IRS, state tax agencies, and the tax software industry. It provides tax preparers with a structured, plain-language framework for documenting their data security programs without requiring outside legal or technical expertise.
All professional tax preparers in the United States are required to maintain a WISP. The obligation flows from the Gramm-Leach-Bliley Act and the FTC Safeguards Rule, which classify tax preparers as financial institutions for security purposes. There is no size threshold—a sole practitioner preparing a handful of returns is held to the same legal standard as a large regional CPA firm, though the scope of the plan should reflect the scale and complexity of the practice.
The IRS and FTC do not mandate a specific page count. A sole practitioner's WISP may be a few pages; a larger firm's plan may run 20 or more pages with attached policy documents. What matters is that every required section is addressed with specificity appropriate to your practice. A vague, one-paragraph answer to a risk assessment prompt does not satisfy the regulatory requirement.
The FTC Safeguards Rule requires annual testing and review of your information security program. You should also update your WISP any time a material change occurs—new employees, new software vendors, new office locations, or any security incident. Many practices align their annual WISP review with the post-filing-season period, when staff availability allows for a thorough update.
IRS Publication 4557 explains the legal requirement to safeguard taxpayer data and outlines the categories of safeguards the IRS expects tax preparers to implement. IRS Publication 5708 is the practical companion: the actual fillable WISP template tax preparers use to document compliance with those requirements. Use Publication 4557 to understand what is required; use Publication 5708 to document that you have done it.
No. The template is a starting point, not a finished product. Generic or lightly edited placeholder text does not satisfy the FTC's requirement for a security program appropriate to the size and complexity of your practice and the sensitivity of the data you handle. Every section must reflect your actual systems, vendors, staff, and procedures.
Operating without a WISP exposes your practice to FTC enforcement action under the Safeguards Rule, potential state penalties for failure to maintain a data security program, and possible loss of IRS e-file privileges in severe cases. Beyond regulatory consequences, absence of a WISP is likely to be treated as evidence of negligence if client data is ever breached and litigation follows. Cyber liability insurers also increasingly require a current WISP as a condition of coverage.
There is no legal requirement for an attorney or security professional to sign off on your WISP. However, given that the document is your primary evidence of compliance with federal law, having it reviewed by a cybersecurity professional familiar with IRS and FTC requirements is a sound investment. A professional review can identify gaps you may have missed and ensure your safeguard selections actually address the risks in your risk assessment—not just check boxes.



