
What a WISP Template Download Gives You — and Who Needs One
If you prepare tax returns, handle payroll, or manage client financial data, you are legally required to maintain a Written Information Security Plan (WISP). The FTC Safeguards Rule, issued under the Gramm-Leach-Bliley Act (GLBA), treats tax preparers as financial institutions and requires a written information security program; IRS Publication 4557 sets out the safeguards the IRS expects preparers to follow, and several state data protection laws add documentation requirements of their own. A WISP template download gives you a pre-structured document built around Publication 4557 and the Safeguards Rule, so you are not drafting your security policy from scratch.
Rather than spending hours researching federal standards, you start with a professionally designed framework and customize it to reflect your practice's actual tools, procedures, and personnel. The Safeguards Rule applies to every preparer who handles customer financial information, regardless of how many returns you file; the familiar 11-return threshold is the IRS e-file mandate, not a WISP exemption. Failure to comply can result in FTC enforcement actions, state penalties, and significant liability if a breach occurs.
Beyond the legal requirement, a well-executed WISP is your first line of defense against the phishing attacks, ransomware, and identity theft schemes that increasingly target tax professionals. For a broader overview of the obligations that frame your WISP requirements, see our guide on cybersecurity for tax professionals and CPA firms.
2026 Filing Season Compliance Deadline
The IRS now asks preparers to confirm that a written data security plan is in place as part of PTIN renewal. Tax preparers who cannot produce a current WISP during a review against Publication 4557 or an FTC inquiry risk PTIN suspension, enforcement actions, and loss of e-file privileges ahead of the 2026 filing season.
Why the IRS and FTC Require a WISP
The legal foundation for the WISP requirement sits on two pillars. The first is the IRS Publication 4557, "Safeguarding Taxpayer Data," which sets the baseline administrative, technical, and physical safeguards expected of any professional preparer. The second is the FTC Safeguards Rule, amended in 2021 and fully enforced since June 2023, which treats tax and accounting practices as "financial institutions" under GLBA.
Under the amended Safeguards Rule, every covered firm must designate a Qualified Individual responsible for information security, perform written risk assessments, encrypt customer data in transit and at rest, implement multi-factor authentication for anyone accessing customer information, and (under the notification requirement added to the Rule in 2024) report a security event involving 500 or more consumers to the FTC as soon as possible and no later than 30 days after discovery. These are not suggestions; they are enforceable obligations with real penalties. For the full breakdown of each requirement, review our guide to the FTC Safeguards Rule for tax preparers.
A WISP is how you prove compliance. When an auditor, insurer, or client asks how you protect taxpayer data, the WISP is the document that answers the question. Without one, you are exposed on three fronts: regulatory penalties, civil liability following a breach, and denial of cyber insurance claims.
Who Must Have a WISP
- CPAs and enrolled agents handling individual or business returns
- Independent tax preparers with an active PTIN, whatever their annual return volume
- Bookkeeping and payroll firms that store client financial records
- Accounting firms of any size, from solo practitioners to multi-office partnerships
- Virtual and remote tax practices using cloud-based tax software
What This Means
If you hold an active PTIN and prepare returns for compensation, the FTC treats you as a financial institution under GLBA, and the IRS expects you to follow Publication 4557. A WISP is not optional paperwork; it is the document that proves you meet federal safeguarding standards and keeps your PTIN, e-file privileges, and cyber insurance intact.
What a Compliant WISP Template Must Include
A template download only delivers value if it reflects the actual structure the IRS and FTC expect. At a minimum, a compliant WISP addresses administrative, technical, and physical safeguards, and assigns clear ownership for each control. The template should walk you through every section with prompts you can complete, not leave you guessing about what regulators want to see.
Our 2026 WISP template for tax preparers was built against IRS Publication 4557, IRS Publication 5708, and the amended FTC Safeguards Rule, then cross-referenced with NIST SP 800-171 control families for defensible depth. Here are the sections every legitimate template must contain.
Sections Every Compliant WISP Must Contain
- Designation of a Qualified Individual responsible for the security program
- Scope statement identifying all systems, locations, and data types covered
- Written risk assessment covering internal and external threats to taxpayer data
- Access control policy with role-based permissions and least-privilege defaults
- Multi-factor authentication requirements for all systems handling client data
- Encryption standards for data at rest and data in transit
- Employee security awareness training schedule and documentation
- Vendor and service provider oversight procedures
- Incident response plan with breach notification timelines
- Annual review and update procedures with sign-off log
- Physical security controls for paper records and office equipment
- Data retention and secure disposal procedures
How to Customize the Template for Your Practice
Downloading a WISP template is step one. Regulators expect the document to describe your firm — not a generic accounting office. An unedited template pulled off the internet is worse than having none at all, because it shows auditors you treated compliance as a checkbox. Customization is where a template becomes a defensible plan.
Work through the document section by section and replace every placeholder with specific details about your tools, staff, and workflows. Name the tax software you use, identify where client files are stored, list the employees with access, and describe how you train new hires. If you use cloud-based tax preparation software, document the vendor's security certifications and your MFA configuration.
Customize Your WISP in Six Steps
Inventory Your Data and Systems
List every device, application, and storage location that touches taxpayer information — including personal devices, cloud drives, email, and paper files.
Assign the Qualified Individual
Name the person (by title and role) responsible for the security program. In solo practices, this is usually the owner. In larger firms, it may be an IT lead or outsourced security provider.
Document Your Existing Controls
Record your current endpoint protection, firewall, MFA, backup, and encryption tools. Be specific — cite product names, versions, and configurations.
Complete the Risk Assessment
Identify internal threats (untrained staff, weak passwords) and external threats (phishing, ransomware, supply-chain attacks). Rank each by likelihood and impact.
Fill Compliance Gaps
Where your current controls fall short of the template's requirements, document a remediation plan with deadlines and responsible parties.
Train Staff and Obtain Sign-Off
Review the finished WISP with every employee, collect signed acknowledgments, and schedule the annual update. Store the signed copy where auditors can access it.
Need a Ready-to-Use WISP Built for 2026?
Skip the guesswork. Our WISP template is aligned with IRS Publication 4557, FTC Safeguards Rule, and the 2026 PTIN renewal requirements — and includes the risk assessment worksheets most templates leave out.
Common Mistakes That Invalidate a WISP
Most WISPs that fail an audit do so for the same handful of reasons. The document exists, but it does not match reality, or it has not been updated since the firm downloaded it. Regulators and cyber insurers have seen every shortcut, and they are trained to spot a template that has not been customized.
The most frequent failures we see when reviewing client documents are boilerplate risk assessments that do not name actual threats, missing multi-factor authentication policies, no vendor oversight language for cloud tax software, and incident response sections that have never been tested. A WISP also loses credibility the moment it names a Qualified Individual who no longer works at the firm, or references tools the practice stopped using years ago.
Red Flags Auditors Look For
- Template placeholder text still present (brackets, "[Firm Name]", lorem ipsum)
- No evidence of annual review — missing signatures, outdated dates, stale staff lists
- Risk assessment that is not specific to the practice's actual threats
- No documented breach notification procedure referencing the FTC's 30-day reporting window for events affecting 500 or more consumers
- Vendor oversight section that does not name the firm's actual tax software, cloud storage, or managed service provider
If any of these apply to your current document, it is time to rebuild. A fresh start with a template that reflects 2026 requirements is far faster than patching a document that was never compliant to begin with. For a detailed walk-through, see how to create a WISP from scratch.
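Several of the red flags above are mechanical enough to check before an auditor does. The script below is an added example, not part of the original page or of any Bellator Cyber Guard product: it scans a WISP exported to plain text for leftover placeholder text, a review date older than a year, and a named Qualified Individual who is no longer on the staff roster. The "Last reviewed:" and "Qualified Individual:" labels, the firm and staff names, and the two sample documents are all constructed for the example; adjust the patterns to whatever labels your own template uses.

```python
import re
from datetime import date, timedelta

# Patterns that indicate a template was never customized.
# The bracket pattern also catches citation-style "[1]"; review hits by hand.
PLACEHOLDER_PATTERNS = [
    re.compile(r"\[[^\]]{1,40}\]"),        # [Firm Name], [Date], [Software Name]
    re.compile(r"\{\{[^}]+\}\}"),          # {{firm_name}} merge fields
    re.compile(r"lorem ipsum", re.I),
    re.compile(r"\bTBD\b|\bXXX+\b"),
]

# Assumed labels: the template used here writes these two lines verbatim.
DATE_RE = re.compile(r"Last reviewed:\s*(\d{4}-\d{2}-\d{2})", re.I)
QI_RE = re.compile(r"Qualified Individual:\s*(.+)", re.I)


def lint_wisp(text, staff, today=None, max_age_days=365):
    """Return a list of human-readable findings; an empty list means no red flags."""
    today = today or date.today()
    findings = []

    # 1. Placeholder text anywhere in the document.
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat in PLACEHOLDER_PATTERNS:
            for m in pat.finditer(line):
                findings.append(f"line {lineno}: placeholder text '{m.group(0)}'")

    # 2. Evidence of annual review: a review date, and one within max_age_days.
    m = DATE_RE.search(text)
    if not m:
        findings.append("no 'Last reviewed:' date found")
    else:
        reviewed = date.fromisoformat(m.group(1))
        if today - reviewed > timedelta(days=max_age_days):
            findings.append(f"last review {reviewed} is older than {max_age_days} days")

    # 3. The Qualified Individual must be a current staff member.
    m = QI_RE.search(text)
    if not m:
        findings.append("no Qualified Individual named")
    else:
        name = m.group(1).strip()
        if name not in staff:
            findings.append(f"Qualified Individual '{name}' is not on the current staff roster")

    return findings


# Constructed sample: a downloaded template that was only half customized.
SAMPLE_STALE = """Written Information Security Plan for [Firm Name]
Qualified Individual: Pat Reyes
Last reviewed: 2023-11-01
Tax software: [Software Name], MFA enforced for all users
Breach notification: FTC notified within 30 days of discovery
"""

# Constructed sample: the same plan after customization and a fresh review.
SAMPLE_CLEAN = """Written Information Security Plan for Chen Tax Services LLC
Qualified Individual: Alex Chen
Last reviewed: 2025-12-10
Tax software: cloud tax suite with MFA enforced for all users
Breach notification: FTC notified within 30 days of discovery
"""

CURRENT_STAFF = {"Alex Chen", "Sam Okafor"}   # constructed roster; Pat Reyes has left

if __name__ == "__main__":
    review_day = date(2026, 1, 15)
    for label, doc in (("stale", SAMPLE_STALE), ("clean", SAMPLE_CLEAN)):
        print(f"== {label} ==")
        for f in lint_wisp(doc, CURRENT_STAFF, today=review_day) or ["no findings"]:
            print("  " + f)
```

Run it against a text export of your own plan and staff list as part of the annual review; anything it reports is something an auditor would spot in the first minute, and a clean run is one piece of evidence to file with the sign-off log.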
Pairing Your WISP With Real Security Controls
A WISP is a policy document. It describes what your firm does to protect taxpayer data, but the document itself does not stop an attack. The security controls named inside it — endpoint protection, MFA, encrypted backups, email filtering, employee training — are what actually keep client data out of criminal hands. Regulators and insurers increasingly ask for proof that the controls described in the WISP are running in production, not just documented on paper.
Tax firms are an attractive target because a single compromised workstation can expose hundreds of Social Security numbers, bank routing details, and W-2s. The 2024 Verizon Data Breach Investigations Report found that 68% of breaches involved a human element, with stolen credentials and phishing among the leading entry vectors. Document every control in your WISP, then confirm each one is active: endpoint protection built for tax professionals, ransomware protection, staff security awareness training, and documented encryption for client tax documents.
How Often You Must Update Your WISP
The FTC Safeguards Rule and IRS Publication 4557 both require ongoing maintenance, not a one-time filing. At minimum, review your WISP annually and after any material change to your practice — new software, new employees, office relocations, a merger, or a security incident. Cyber insurance carriers now request the most recent version of your WISP during policy renewal, and stale documents routinely trigger coverage disputes after a claim.
Treat the annual review as a formal event. Schedule it, assign it to the Qualified Individual, document what changed, and collect fresh signatures from staff. Store the signed copy somewhere accessible — a locked file cabinet, an encrypted shared drive, or a compliance portal. If you cannot produce the current version within minutes of an auditor's request, the document fails its purpose.
Get Your IRS-Compliant WISP Template
Bellator Cyber Guard has helped thousands of tax professionals meet IRS Publication 4557, FTC Safeguards Rule, and PTIN renewal requirements. Download the 2026 template or book a strategy call to have our team build a custom plan for your firm.
Frequently Asked Questions About WISP Templates
Is a downloaded WISP template compliant as-is?
No. A template gives you the structure required by IRS Publication 4557 and the FTC Safeguards Rule, but the document only becomes compliant after you customize it with your practice's actual tools, staff, risk assessment, and incident response procedures. An unedited template will fail an audit.
Do solo tax preparers need a WISP?
Yes. Any preparer with an active PTIN who prepares returns for compensation is a financial institution under GLBA and must maintain a written security plan; the 11-return figure is the IRS e-file threshold, not a WISP exemption. Solo practices face the same WISP requirement as multi-partner firms.
What happens if I cannot produce a WISP?
The IRS now asks preparers to confirm a data security plan is in place as part of PTIN renewal. Preparers who cannot produce a current WISP risk PTIN suspension, loss of e-file privileges, and FTC enforcement actions with civil penalties of up to $100,000 per violation under the amended Safeguards Rule.
How long does it take to customize a WISP template?
Most solo and small firms complete customization in 4 to 8 hours once they have inventoried their systems and named a Qualified Individual. Larger practices with multiple offices or complex cloud environments typically budget a full day or engage a managed security provider to complete it.
How often must a WISP be updated?
Review and update your WISP at least annually, plus any time your firm adds new software, hires or loses staff, changes office locations, or experiences a security incident. Document each review with a signed sign-off log so auditors and insurers can confirm the plan is current.
Does a WISP replace cyber insurance?
No. A WISP is a compliance document and a blueprint for your security program. Cyber insurance covers the financial fallout of a breach: forensics, legal defense, notification costs, and ransomware payments. Carriers now require a current WISP as a condition of coverage, so the two work together rather than as substitutes.
Can my tax software vendor write my WISP for me?
No. Software vendors can supply security documentation about their platform, but the WISP must describe your firm's administrative, technical, and physical safeguards. You are the financial institution under GLBA, so the responsibility to author and maintain the WISP sits with your practice.
What is the difference between IRS Publication 4557 and Publication 5708?
Publication 4557 sets the baseline safeguards tax professionals must implement to protect taxpayer data. Publication 5708 provides a sample WISP template and worked example that preparers can adapt. Our Publication 5708 sample WISP guide walks through each section in detail.