Written Information Security Plan Template for Tax Pros

Build an IRS-compliant Written Information Security Plan with our step-by-step template. Covers all FTC Safeguards Rule requirements for tax preparers. Get started free.


What Is a Written Information Security Plan and Who Needs One?

A Written Information Security Plan (WISP) is a formal, documented policy that describes how your firm collects, stores, protects, and disposes of sensitive client data. For tax professionals, it is not a best practice — it is a legal requirement.

Under the FTC Gramm-Leach-Bliley Act Safeguards Rule and IRS Publication 4557, every tax preparer who files returns for clients must maintain a written information security plan tailored to their firm's size and complexity. The IRS reinforced this mandate in its Publication 5708, which includes a sample WISP specifically written for sole proprietors and small tax practices.

If your practice handles even a single client's tax return, you are legally obligated to have a WISP in place. Many tax professionals are unaware of this requirement until they face a data breach — at which point the absence of a documented plan compounds both the regulatory and reputational damage. Our cybersecurity for tax professionals guide covers the broader security environment; this article focuses specifically on building a compliant WISP from scratch.

Tax Preparer Data Security: By the Numbers

  • $4.88M: average cost of a data breach (IBM Cost of a Data Breach Report 2024)
  • 74%: share of breaches involving the human element (Verizon 2024 Data Breach Investigations Report)
  • 11+ returns filed: WISP required (IRS Publication 4557 threshold for a mandatory WISP)

What Your WISP Must Cover: IRS and FTC Requirements

The FTC Safeguards Rule (16 CFR Part 314), updated in 2023 and fully enforced since June 2023, sets specific administrative, technical, and physical safeguards that your written information security plan must address. The IRS mirrors these requirements through Publication 4557 and reinforces them annually in its "Taxes-Security-Together" Checklist.

A compliant WISP must address all of the following elements:

  • Designated coordinator: Name one individual responsible for implementing and maintaining the WISP. For solo practices, this is typically the owner.
  • Risk assessment: Identify all reasonably foreseeable internal and external risks to the security of client data — including employee error, system failure, and external attacks.
  • Safeguards program: Document the specific controls you have in place to mitigate identified risks, covering both technical tools and procedural policies.
  • Service provider oversight: List all third-party vendors who handle client data (cloud storage, tax software providers, payroll services) and confirm they maintain adequate safeguards.
  • Incident response plan: Define the steps your firm will take in the event of a data breach, including client notification procedures and IRS reporting obligations.
  • Employee training: Document how and how often staff receive security awareness training.
  • Physical safeguards: Address access controls for physical files, office security, and device disposal.
  • Annual review: Require at minimum an annual evaluation of the WISP's effectiveness and update it when material changes occur.

The IRS explicitly states that a WISP should be proportionate to the size of your practice. A solo preparer's plan will look different from that of a 20-person CPA firm — but both must address every element above. Review our IRS Publication 4557 requirements 2026 breakdown for a section-by-section compliance reference.

How to Build Your Written Information Security Plan: Step-by-Step

1. Appoint a WISP Coordinator: Designate one person — by name and title — responsible for the WISP. Document their role, responsibilities, and authority to enforce security policies firm-wide.
2. Inventory Your Client Data: List every location where Personally Identifiable Information (PII) and taxpayer data is stored: tax software databases, cloud drives, email servers, external hard drives, paper files, and employee laptops.
3. Conduct a Formal Risk Assessment: Evaluate threats to each data location — unauthorized access, phishing, malware, physical theft, and accidental disclosure. Rate each risk by likelihood and potential impact. Document your findings.
4. Document Your Technical Safeguards: Record every security control in use: Multi-Factor Authentication (MFA), endpoint protection software, encrypted storage, email filtering, firewall configuration, and software patch schedules.
5. Define Physical Security Controls: Document office access policies, locked filing cabinet requirements, clean-desk rules, and procedures for securely disposing of paper records and decommissioned hardware.
6. Build Your Incident Response Plan: Write step-by-step procedures for detecting, containing, and reporting a breach. Include IRS reporting via the e-Services portal, state notification timelines, and client communication templates.
7. Establish a Training Schedule: Document when and how employees receive security awareness training — at hire and at least annually thereafter. Record completion dates and topics covered.
8. Schedule Annual Reviews: Set a recurring calendar reminder to review and update your WISP each year and whenever you add new software, hire staff, change vendors, or experience a security incident.

WISP Template: Core Sections with Language You Can Adapt

The following template structure reflects the IRS Publication 5708 sample WISP format, adapted for small and mid-size tax practices. Customize each section with your firm's specific details.

Section 1 — Policy Statement and Scope

"[Firm Name] is committed to protecting the confidentiality, integrity, and availability of all client Personally Identifiable Information (PII) in our possession. This Written Information Security Plan applies to all employees, contractors, and service providers who access, store, transmit, or dispose of client data on behalf of [Firm Name]."

Section 2 — WISP Coordinator

"The WISP Coordinator for [Firm Name] is [Full Name], [Title]. The coordinator is responsible for implementing this plan, training employees, managing vendor compliance, and leading incident response."

Section 3 — Data Inventory and Classification

List all systems and locations that hold client data. Classify data as: High Sensitivity (SSNs, EINs, financial account numbers), Moderate Sensitivity (contact information, employment records), or Low Sensitivity (publicly available information). This classification drives your control requirements and maps directly to NIST SP 800-171 Rev. 3 data categorization guidance.

Section 4 — Risk Assessment Summary

Document threats identified during your assessment. Structure each entry as: Threat → Likelihood (High/Medium/Low) → Impact (High/Medium/Low) → Current Controls → Residual Risk. Update this table whenever your technology stack or staffing changes.
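As an added example (not part of this template or any IRS publication), the following Python script keeps the Section 4 entries as data and derives the Residual Risk column from the controls recorded for each threat. The 3x3 rating scale, the "strength" value assigned to each control, and the sample threats are assumptions chosen for illustration.

```python
# Added example: a small risk register in the Section 4 layout
# Threat -> Likelihood -> Impact -> Current Controls -> Residual Risk.
# The scoring scale, control strengths and sample entries are assumptions.
from dataclasses import dataclass, field

LEVELS = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Control:
    name: str
    strength: int  # assumed: how many likelihood levels this control removes (0-2)


@dataclass
class Threat:
    name: str
    location: str           # where the client PII lives (Section 3 inventory)
    likelihood: str         # High / Medium / Low, before controls
    impact: str             # High / Medium / Low
    controls: list[Control] = field(default_factory=list)


def _score(level: str) -> int:
    if level not in LEVELS:
        raise ValueError(f"rating must be one of {list(LEVELS)}, got {level!r}")
    return LEVELS[level]


def residual_risk(t: Threat) -> str:
    """Likelihood drops by the total control strength (never below Low);
    likelihood x impact is then bucketed back into Low / Medium / High."""
    mitigated = max(1, _score(t.likelihood) - sum(c.strength for c in t.controls))
    product = mitigated * _score(t.impact)
    if product <= 2:
        return "Low"
    if product <= 4:
        return "Medium"
    return "High"


def render_register(threats: list[Threat]) -> list[str]:
    """One line per threat in the page's arrow format, highest residual risk first."""
    ranked = sorted(threats, key=lambda t: -LEVELS[residual_risk(t)])
    return [
        f"{t.name} ({t.location}) -> {t.likelihood} -> {t.impact} -> "
        f"{', '.join(c.name for c in t.controls) or 'none'} -> {residual_risk(t)}"
        for t in ranked
    ]


# Constructed sample entries for a small practice
SAMPLE = [
    Threat("Phishing credential theft", "cloud tax software", "High", "High",
           [Control("MFA on all accounts", 2), Control("Email phishing filter", 1)]),
    Threat("Lost or stolen laptop", "employee laptops", "Medium", "High",
           [Control("Full-disk encryption (AES-256)", 2)]),
    Threat("Unencrypted external drive stolen", "external hard drives", "Medium", "High"),
    Threat("Paper file theft", "office filing cabinets", "Low", "High",
           [Control("Locked cabinets, office access control", 1)]),
]

if __name__ == "__main__":
    print("\n".join(render_register(SAMPLE)))
```

Re-running the script after a control is added or removed regenerates the table, which is the "update whenever your technology stack or staffing changes" step in a repeatable form.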

Section 5 — Safeguards in Place

This is the operational core of your WISP. Document controls across three domains:

  • Administrative: Hiring practices, access provisioning and revocation, password policy, acceptable use policy, annual training requirements
  • Technical: MFA on all accounts holding client data, encrypted storage (AES-256 minimum), endpoint detection and response software, email phishing filters, automated patch management, encrypted backups tested quarterly
  • Physical: Office access controls, locked storage for paper files, screen privacy filters in client-facing areas, secure shredding policy for paper documents, certified destruction for decommissioned drives

For a detailed review of each control category aligned to IRS requirements, see our WISP checklist for CPA firms.

Do Not Skip the Incident Response Section

The IRS requires tax preparers to report data theft within 24 hours of discovery using the IRS e-Services portal. Firms without a documented incident response plan routinely miss this window — triggering additional regulatory exposure on top of the breach itself. Your WISP must include your breach response procedure by name, with contact numbers and reporting URLs pre-filled.

Incident Response Plan: What to Include in Your WISP

The incident response section of your written information security plan is where most templates fall short. Generic language like "we will respond to incidents promptly" does not satisfy the IRS or the FTC Safeguards Rule. Your plan must specify concrete actions, timelines, and responsible parties.

A compliant incident response section should include:

  • Detection triggers: How will you know a breach occurred? List the monitoring tools or alerts that would flag unauthorized access.
  • Containment steps: Who has authority to disconnect systems, revoke credentials, or shut down access during an active incident?
  • IRS notification: Report confirmed data theft to the IRS via the IRS tax preparer fraud reporting page and your local IRS Stakeholder Liaison within 24 hours.
  • State notification: Most states have separate breach notification laws with deadlines of 30-72 hours. List the applicable state law and deadline for your jurisdiction.
  • Client notification: Prepare a template letter notifying affected clients. Include what data was potentially exposed, when the breach occurred, and what steps you have taken.
  • Post-incident review: Document a mandatory review within 30 days of any confirmed breach to identify root cause and update controls.

Align your incident response procedures with the NIST incident response framework — Preparation, Detection and Analysis, Containment, Eradication, Recovery, and Post-Incident Activity — for a structure that satisfies both IRS and FTC reviewers.

For firms concerned about phishing as an entry vector (the leading cause of tax-sector breaches per the Verizon DBIR), review our dedicated guide on phishing attacks on tax professionals to understand what detection and prevention controls to document in this section.

Vendor and Third-Party Oversight Requirements

Many tax firms store client data with third-party providers — cloud-based tax software, document management platforms, payroll processors, or IT support vendors. Under the FTC Safeguards Rule, you are responsible for ensuring these vendors maintain adequate security, and your WISP must document how you oversee them.

Your WISP's vendor section should include:

  • A complete inventory of every service provider with access to client PII
  • Documented confirmation (via contract, SOC 2 Type II report, or attestation letter) that each vendor maintains appropriate safeguards
  • Your process for reviewing vendor security at least annually, or when onboarding a new vendor
  • Procedures for terminating vendor access when a contract ends

When evaluating cloud storage specifically, verify your provider's compliance posture before relying on it for client data. Our analysis of whether cloud storage is IRS compliant covers what to look for in vendor agreements and security certifications.

A vendor who cannot provide a SOC 2 Type II report or equivalent third-party security attestation should be treated as a high-risk relationship and documented as such in your WISP's risk register.

Common WISP Mistakes That Create Compliance Gaps

Having a WISP on file is not the same as having a compliant one. IRS audits of tax professionals following data breaches frequently reveal the same set of recurring gaps. Avoid these mistakes before they cost you.

Treating the WISP as a One-Time Document

A WISP that was written in 2021 and never updated does not reflect your current technology, staff, or threat environment. The FTC Safeguards Rule explicitly requires your program to evolve with your business. Every time you add a new software tool, hire or terminate an employee, or change a vendor, your WISP should be reviewed and updated.

Copying a Template Without Customization

The IRS Publication 5708 sample WISP is a starting point, not a finished product. A WISP that names a fictional firm, references software you do not use, or lists a coordinator who no longer works at your practice provides no actual protection — and signals to regulators that you have not taken the requirement seriously.

Omitting the Risk Assessment

Many firms document their controls without documenting the risks those controls are designed to mitigate. Without a risk assessment, you cannot demonstrate that your safeguards are proportionate to actual threats — which is a core FTC requirement.

Failing to Train Employees

Your WISP must describe your training program, but the training itself must actually happen. Documented, dated training records are evidence of compliance. Undocumented verbal instructions are not. Explore security awareness training for tax firms to build a program worth documenting.

No Defined Breach Response Timeline

Vague language about "notifying affected parties in a timely manner" will not satisfy the IRS 24-hour reporting window or most state breach notification laws. Your WISP must specify timelines by name.

For a complete pre-filing review of your WISP against IRS requirements, see our tax safeguard compliance 4557 guide.

Key Elements of a Defensible WISP

Data Inventory

A complete map of where client PII lives — software, cloud, physical files, and employee devices — is the foundation every other WISP section builds on.

Risk Register

A documented, dated risk assessment with likelihood and impact ratings demonstrates that your controls are proportionate and your review process is active.

Access Controls

Documented MFA requirements, password policies, and least-privilege access rules for every system that touches client data.

Incident Response

Pre-written breach notification letters and a step-by-step response procedure with IRS and state reporting deadlines filled in before an incident occurs.

Training Records

Dated logs of who received security awareness training, on what topics, and when — updated at hire and annually at minimum.

Annual Review Log

A signed, dated record of each annual WISP review, noting what was assessed, what changed, and who approved the updated version.

Maintaining and Updating Your WISP Year Over Year

A written information security plan is a living document. The FTC Safeguards Rule requires you to evaluate and adjust your information security program in light of any relevant changes — and the IRS expects the same. Here is what should trigger an immediate WISP update, outside of the required annual review:

  • Adding or removing a tax software platform or cloud storage provider
  • Hiring, terminating, or changing the role of the WISP coordinator
  • Experiencing a confirmed or suspected data breach or security incident
  • Onboarding a new service provider with access to client data
  • Moving to a new office location or switching to remote or hybrid work
  • Any regulatory change affecting your data protection obligations

Your annual review should be a formal, documented process — not a quick read-through. Assign the WISP coordinator to complete a written review checklist, sign and date it, and attach it to the WISP as an appendix. This review record becomes part of your compliance documentation.

For ransomware-specific considerations — an escalating threat for tax firms — see our guide on ransomware protection for tax practices, which covers backup validation and recovery procedures worth incorporating into your WISP's technical safeguards section.

Get a Professional WISP Review Before Your Next Filing Season

Bellator Cyber Guard's tax cybersecurity specialists will review your existing WISP — or build one from scratch — and verify it meets current IRS and FTC Safeguards Rule requirements.

Frequently Asked Questions About Written Information Security Plans

Yes. The FTC Gramm-Leach-Bliley Act Safeguards Rule requires all tax preparers who file returns for clients to maintain a written information security plan. The IRS reinforces this through Publication 4557. There is no minimum revenue or return-volume threshold — if you prepare returns for clients, you need a WISP.

A cybersecurity policy is a broad statement of your firm's security principles and expectations. A WISP is a specific, documented plan required by law that details how you protect client PII — including your risk assessment, safeguards in place, vendor oversight, and incident response procedures. A cybersecurity policy alone does not satisfy the IRS or FTC WISP requirement.

The IRS Publication 5708 sample WISP is designed as a starting template, particularly for sole proprietors. You must customize it with your firm's name, coordinator name, specific software tools, vendors, and actual risk findings. Submitting an uncustomized sample WISP during a regulatory review would likely be treated as noncompliant.

Length is not the measure of compliance — completeness is. A solo preparer's WISP may be 5-8 pages. A 20-person CPA firm's plan may run 20-30 pages with appendices. What matters is that every required element — data inventory, risk assessment, safeguards, vendor oversight, incident response, training, and annual review — is addressed specifically and accurately.

Absent a WISP, you face compounded exposure: IRS sanctions, FTC enforcement action, state data breach penalties, and potential civil liability to affected clients. The IRS can revoke Electronic Filing Identification Numbers (EFINs) for preparers found to have inadequate security practices. The absence of a WISP is also evidence of negligence in civil litigation following a breach.

Yes. If employees access client data from home or remote locations, your WISP must address controls for those environments — including requirements for encrypted connections (VPN or secure client portals), personal device use policies, and home network security standards. The FTC Safeguards Rule applies to all locations where client data is accessed, not just your primary office.

At minimum, annually. You must also update your WISP whenever a material change occurs — new software, new staff, new vendors, or a security incident. The FTC requires your information security program to reflect your current business environment. An outdated WISP that does not reflect your actual practices provides no compliance protection.

The IRS expects tax preparers to report confirmed data theft within 24 hours of discovery. Reporting is done through the IRS e-Services portal and to your local IRS Stakeholder Liaison. Your WISP's incident response section should include the reporting URL, your Stakeholder Liaison's contact information, and a step-by-step procedure so staff can act immediately without searching for instructions during a crisis.

Yes. Using a cloud-based platform does not transfer your WISP obligation to the vendor. You remain responsible for documenting how you use that platform securely, what access controls you maintain, and how you would respond if the vendor experienced a breach affecting your clients. Your WISP should name the platform and describe your vendor oversight process.
