
Written Information Security Plan Template for Tax Pros

Build an IRS-compliant written information security plan with this step-by-step WISP template, which covers the FTC Safeguards Rule requirements for tax preparers.

What Is a Written Information Security Plan and Who Needs One?

A written information security plan (WISP) is a formal, documented policy that describes how your firm collects, stores, protects, and disposes of sensitive client data. For tax professionals, it is not a best practice — it is a legal requirement. Under the FTC Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and IRS Publication 4557, every paid tax preparer who files returns for clients must maintain a written information security plan tailored to their firm's size and complexity.

The IRS reinforced this mandate in Publication 5708, which includes a sample WISP written specifically for sole proprietors and small tax practices. If your practice handles even a single client's tax return, you are legally obligated to have a WISP in place — and since 2023, you must also affirmatively confirm that you have a data security plan when you renew your Preparer Tax Identification Number (PTIN).

Many tax professionals are unaware of this requirement until they face a data breach — at which point the absence of a documented plan compounds both the regulatory and reputational damage. Our cybersecurity guide for accounting and CPA firms covers the broader security environment; this article focuses specifically on building a compliant WISP from scratch using a written information security plan template you can adapt today.

Bottom Line

Every paid tax preparer must maintain a written information security plan under the FTC Safeguards Rule (16 CFR Part 314) and IRS Publication 4557 — regardless of firm size. Since 2023, confirming you have one is part of PTIN renewal, and the absence of a documented plan after a breach can trigger FTC penalties of up to $100,000 per violation plus potential PTIN suspension.

Tax Preparer Data Security: By the Numbers

  • $4.88M: average cost of a data breach (IBM Cost of a Data Breach Report 2024)
  • 68%: breaches that involve a human element (Verizon 2024 DBIR)
  • 24 hours: IRS breach reporting window (report theft to your Stakeholder Liaison)
  • $100K: maximum FTC penalty per violation (GLBA Safeguards Rule enforcement)

What Your WISP Must Cover: IRS and FTC Requirements

The FTC Safeguards Rule (16 CFR Part 314), updated in 2022 and fully enforced since June 2023, sets specific administrative, technical, and physical safeguards that your written information security plan must address. The IRS mirrors these requirements through Publication 4557 and reinforces them annually in its "Taxes-Security-Together" Checklist.

A compliant WISP must address all of the following elements:

  • Designated coordinator: Name one qualified individual responsible for implementing and maintaining the WISP. For solo practices, this is typically the owner.
  • Risk assessment: Identify all reasonably foreseeable internal and external risks to client data — including employee error, system failure, and external attacks.
  • Safeguards program: Document the specific controls you have in place to mitigate identified risks, covering both technical tools and procedural policies.
  • Service provider oversight: List all third-party vendors who handle client data (cloud storage, tax software providers, payroll services) and confirm they maintain adequate safeguards.
  • Incident response plan: Define the steps your firm will take in a data breach, including client notification procedures and IRS reporting obligations.
  • Employee training: Document how and how often staff receive security awareness training.
  • Physical safeguards: Address access controls for physical files, office security, and device disposal.
  • Annual review: Require, at minimum, an annual evaluation of the WISP's effectiveness, with updates whenever material changes occur.

The IRS explicitly states that a WISP should be proportionate to the size of your practice. A solo preparer's plan will look different from that of a 20-person CPA firm — but both must address every element above. Review our IRS Publication 4557 requirements breakdown for a section-by-section compliance reference, and see our Pub 4557 compliance overview for how these pieces fit together.

2026 Filing Season Deadline

The IRS requires every paid preparer to have a current, compliant WISP in place before the 2026 filing season opens. PTIN renewal now includes an attestation that you maintain a data security plan — a false attestation or missing WISP discovered after a breach can lead to PTIN suspension and FTC enforcement. Build or update your plan now, not in January.

How to Build Your Written Information Security Plan: Step by Step

  1. Designate Your WISP Coordinator: Name the individual accountable for the plan. In a solo practice this is you; in a firm, choose someone with authority to enforce controls and lead incident response.
  2. Inventory and Classify Client Data: Map every system, device, and location that holds client PII. Classify each by sensitivity to drive your control requirements, aligned with NIST SP 800-171 Rev. 3.
  3. Conduct a Risk Assessment: Document reasonably foreseeable internal and external threats, rate likelihood and impact, and record the controls that mitigate each one.
  4. Document Your Safeguards: Write down the administrative, technical, and physical controls you have in place: MFA, encryption, EDR, training, and physical access restrictions.
  5. Define Your Incident Response Plan: Specify detection triggers, containment authority, and concrete notification timelines for the IRS, states, and affected clients.
  6. Establish Vendor Oversight: List every service provider with access to client data and confirm each maintains adequate safeguards via contract or SOC 2 Type II report.
  7. Schedule and Document Annual Review: Assign the coordinator to complete, sign, and date a written review at least annually and after any material change.

WISP Template: Core Sections With Language You Can Adapt

The following written information security plan template structure reflects the IRS Publication 5708 sample WISP format, adapted for small and mid-size tax practices. Customize each section with your firm's specific details — a copy-paste template that names a fictional firm protects no one.

Section 1 — Policy Statement and Scope

"[Firm Name] is committed to protecting the confidentiality, integrity, and availability of all client Personally Identifiable Information (PII) in our possession. This Written Information Security Plan applies to all employees, contractors, and service providers who access, store, transmit, or dispose of client data on behalf of [Firm Name]."

Section 2 — WISP Coordinator

"The WISP Coordinator for [Firm Name] is [Full Name], [Title]. The coordinator is responsible for implementing this plan, training employees, managing vendor compliance, and leading incident response."

Section 3 — Data Inventory and Classification

List all systems and locations that hold client data. Classify data as High Sensitivity (SSNs, EINs, financial account numbers), Moderate Sensitivity (contact information, employment records), or Low Sensitivity (publicly available information). This classification drives your control requirements and maps directly to NIST SP 800-171 Rev. 3 data categorization guidance.

Section 4 — Risk Assessment Summary

Document threats identified during your assessment. Structure each entry as: Threat → Likelihood (High/Medium/Low) → Impact (High/Medium/Low) → Current Controls → Residual Risk. Update this table whenever your technology stack or staffing changes.

Section 5 — Safeguards in Place

This is the operational core of your WISP. Document controls across three domains:

  • Administrative: Hiring practices, access provisioning and revocation, password policy, acceptable use policy, and annual training requirements.
  • Technical: Multi-factor authentication (MFA) on all accounts holding client data, encrypted storage (AES-256 minimum), Endpoint Detection and Response (EDR) software, email phishing filters, automated patch management, and encrypted backups tested quarterly.
  • Physical: Office access controls, locked storage for paper files, screen privacy filters in client-facing areas, secure shredding, and certified destruction for decommissioned drives.

Need help mapping each control to the rule? Our guide on how to create a WISP walks through the operational details, and you can start from our free 2026 WISP template for tax preparers.

Incident Response Plan: What to Include in Your WISP

The incident response section of your written information security plan is where most templates fall short. Generic language like "we will respond to incidents promptly" does not satisfy the IRS or the FTC Safeguards Rule. Your plan must specify concrete actions, timelines, and responsible parties.

A compliant incident response section should include:

  • Detection triggers: How will you know a breach occurred? List the monitoring tools or alerts that would flag unauthorized access.
  • Containment steps: Who has authority to disconnect systems, revoke credentials, or shut down access during an active incident?
  • IRS notification: Report confirmed data theft to the IRS and your local Stakeholder Liaison within 24 hours.
  • State notification: Most states have separate breach notification laws with deadlines of 30–72 hours. List the applicable state law and deadline for your jurisdiction.
  • Client notification: Prepare a template letter naming what data was potentially exposed, when the breach occurred, and what steps you have taken.
  • Post-incident review: Document a mandatory review within 30 days of any confirmed breach to identify root cause and update controls.

Align your incident response procedures with the NIST SP 800-61 incident response framework — Preparation, Detection and Analysis, Containment, Eradication and Recovery, and Post-Incident Activity — for a structure that satisfies both IRS and FTC reviewers. Because phishing is the leading entry vector for tax-sector breaches, review our guide on what phishing is and how it works to understand the detection and prevention controls worth documenting here.

Vendor and Third-Party Oversight Requirements

Many tax firms store client data with third-party providers — cloud-based tax software, document management platforms, payroll processors, or IT support vendors. Under the FTC Safeguards Rule, you are responsible for ensuring these vendors maintain adequate security, and your WISP must document how you oversee them.

Your WISP's vendor section should include a complete inventory of every service provider with access to client PII, documented confirmation (via contract, SOC 2 Type II report, or attestation letter) that each vendor maintains appropriate safeguards, your process for reviewing vendor security at least annually or when onboarding a new vendor, and procedures for terminating vendor access when a contract ends.

When evaluating cloud storage specifically, verify your provider's compliance posture before relying on it for client data. Our analysis of securing tax client portals and sensitive data covers what to look for in vendor agreements and security certifications. A vendor who cannot provide a SOC 2 Type II report or equivalent third-party security attestation should be treated as a high-risk relationship and documented as such in your WISP's risk register.

Common WISP Mistakes That Create Compliance Gaps

Having a WISP on file is not the same as having a compliant one. IRS reviews of tax professionals following data breaches frequently reveal the same recurring gaps. Avoid these mistakes before they cost you.

Treating the WISP as a One-Time Document

A WISP written in 2021 and never updated does not reflect your current technology, staff, or threats. The FTC Safeguards Rule explicitly requires your program to evolve with your business. Every time you add a software tool, hire or terminate an employee, or change a vendor, your WISP should be reviewed and updated.

Copying a Template Without Customization

The IRS Publication 5708 sample WISP is a starting point, not a finished product. A plan that names a fictional firm, references software you do not use, or lists a coordinator who no longer works at your practice provides no actual protection — and signals to regulators that you have not taken the requirement seriously.

Omitting the Risk Assessment

Many firms document their controls without documenting the risks those controls are designed to mitigate. Without a risk assessment, you cannot demonstrate that your safeguards are proportionate to actual threats — a core FTC requirement.

Failing to Train Employees

Your WISP must describe your training program, but the training itself must actually happen. Documented, dated training records are evidence of compliance; undocumented verbal instructions are not. Explore security awareness training for tax firms to build a program worth documenting.

No Defined Breach Response Timeline

Vague language about "notifying affected parties in a timely manner" will not satisfy the IRS 24-hour reporting window or most state breach notification laws. Your WISP must specify timelines by name. For a pre-filing review against IRS requirements, see our tax safeguard compliance guide for Publication 4557.

Defensible WISP Compliance Checklist

  • Designate a named WISP coordinator responsible for the plan
  • Inventory and classify every system that stores or processes client PII
  • Document a risk assessment rating likelihood and impact for each threat
  • Enable multi-factor authentication on all accounts holding client data
  • Encrypt stored client data with AES-256 and test backups quarterly
  • List all third-party vendors and confirm each has a SOC 2 Type II report
  • Define breach notification timelines for the IRS, states, and clients
  • Conduct and document dated annual security awareness training
  • Complete, sign, and date a written annual WISP review

Maintaining and Updating Your WISP Year Over Year

A written information security plan is a living document. The FTC Safeguards Rule requires you to evaluate and adjust your information security program in light of any relevant changes — and the IRS expects the same.

Outside the required annual review, the following events should trigger an immediate WISP update:

  • Adding or removing a tax software platform or cloud storage provider
  • Hiring, terminating, or changing the role of the WISP coordinator
  • Experiencing a confirmed or suspected data breach or security incident
  • Onboarding a new service provider with access to client data
  • Moving to a new office or switching to remote or hybrid work
  • Any regulatory change affecting your data protection obligations

Your annual review should be a formal, documented process — not a quick read-through. Assign the WISP coordinator to complete a written review checklist, sign and date it, and attach it to the WISP as an appendix. This review record becomes part of your compliance documentation. For ransomware-specific considerations — an escalating threat for tax firms — see our guide on small business ransomware protection, which covers backup validation and recovery procedures worth incorporating into your WISP's technical safeguards section. If you are still standardizing logins, our walkthrough on how to set up two-factor authentication is a fast first win.

Why This Matters

A WISP is only protective if it is current, customized, and documented. Regulators and your cyber insurer will ask for dated proof — a signed annual review, training logs, and vendor attestations. Treat the plan as living documentation, not a one-time filing, and you turn a compliance obligation into a genuine defense against the breaches that cost firms an average of $4.88M.

Frequently Asked Questions About Written Information Security Plans

Yes. Under the FTC Gramm-Leach-Bliley Act Safeguards Rule and IRS Publication 4557, every paid tax preparer who handles client returns must maintain a written information security plan, regardless of firm size. Since 2023, confirming you have one is also part of PTIN renewal.

A cybersecurity policy is typically a high-level statement of intent. A WISP is a specific, documented plan required by law that names a coordinator, inventories data, assesses risk, defines safeguards, and details incident response. A WISP must include the operational specifics — timelines, responsible parties, and controls — that a general policy often omits.

No. Publication 5708 provides a template starting point, not a finished plan. You must customize it with your firm's name, coordinator, actual software and vendors, real risk assessment, and specific safeguards. A WISP that references tools you do not use or staff who no longer work for you provides no protection and signals non-compliance to regulators.

There is no required length. The IRS states your plan should be proportionate to the size and complexity of your practice. A solo preparer's WISP may be a few pages; a multi-location CPA firm's plan will be longer. What matters is that it addresses every required element — coordinator, risk assessment, safeguards, vendor oversight, incident response, training, and annual review.

The absence of a WISP compounds your exposure. The FTC can pursue penalties of up to $100,000 per violation under the GLBA, and the IRS can suspend or revoke your PTIN. You also face state breach notification penalties, civil liability, and reputational damage. A documented WISP demonstrates good-faith compliance and can mitigate enforcement outcomes.

Yes. If you or your staff access client data from home or remote locations, your WISP must document the safeguards covering those environments — VPN use, encrypted devices, MFA, secure home networks, and physical security of paper files. Remote work is a recognized risk factor that your risk assessment and safeguards sections must address.

At minimum, review and update your WISP annually. You should also update it immediately whenever a material change occurs — adding software, changing the coordinator, onboarding a vendor, moving offices, or experiencing a security incident. Document each review with a signature and date as part of your compliance record.

If you experience a confirmed data theft involving taxpayer information, the IRS asks you to report it to your local IRS Stakeholder Liaison within 24 hours so the agency can take steps to protect affected clients from fraudulent returns. Your WISP's incident response section should name this contact and the 24-hour window explicitly.

No, you need one WISP for your firm — but it must document your oversight of the cloud platform as a service provider. Confirm the provider maintains adequate safeguards via a SOC 2 Type II report or contractual attestation, and record that review in your vendor oversight and risk assessment sections. Using a cloud platform does not transfer your compliance obligation.