Bellator Cyber Guard
IRS Compliance Guide

IRS WISP requirements explained in plain English

The IRS expects every paid tax professional who handles taxpayer data to maintain a Written Information Security Plan (WISP). This guide breaks down exactly what a WISP is, who needs one, what it must include, and how to create yours.

The Basics

What is a WISP?

A Written Information Security Plan (WISP) is a formal document that describes how your tax practice protects sensitive taxpayer information. It outlines the administrative, technical, and physical safeguards you have in place to prevent unauthorized access, use, or disclosure of client data.

The legal requirement comes from the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule (16 CFR Part 314), which treat tax return preparers as “financial institutions” and require them to implement a written, comprehensive information security program. IRS Publication 4557 (“Safeguarding Taxpayer Data”) explains how that obligation applies to tax professionals, and IRS Publication 5708 provides a sample WISP you can adapt.

Your WISP is not a one-time checkbox. It is a living document that must be reviewed and updated at least annually, and whenever your technology, staffing, or the threat landscape changes. Having antivirus software installed is not, by itself, compliance: you must document your security practices in writing and be able to produce that documentation on request from the IRS or the FTC.

Applicability

Who needs a WISP?

If you handle taxpayer information in any capacity, you almost certainly need a WISP. The following professionals are required to maintain one:

All tax return preparers with a Preparer Tax Identification Number (PTIN)
Enrolled Agents (EAs) preparing or assisting with tax returns
Certified Public Accountants (CPAs) handling taxpayer data
Tax attorneys who access or store client tax information
Bookkeeping firms that handle client tax-related records
Payroll service providers with access to employee tax data
Any other firm or individual that handles taxpayer data and is a financial institution under the FTC Safeguards Rule

Important note: practice size does not remove the obligation. Whether you are a solo preparer working from home or a firm with 200 employees, you must have a written plan. The Safeguards Rule does relax a few elements (for example, the written risk assessment and written incident response plan) for firms that hold information on fewer than 5,000 consumers, but the IRS still expects every preparer to have a WISP. The scope and complexity of your plan will scale with your practice; the obligation does not.

Required Components

The 9 key sections every WISP must include

IRS Publication 4557 and the FTC Safeguards Rule outline specific areas your WISP must address. Here is a detailed breakdown of each required section.

1. Designated Security Officer

Every practice must name one person responsible for overseeing the security program; the Safeguards Rule calls this person the “Qualified Individual.” For solo practitioners, this is you. For firms, it is typically a partner or office manager. This person is accountable for implementing, monitoring, and updating the WISP.

2. Risk Assessment

You must identify and evaluate all reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of taxpayer information, and repeat the assessment periodically as your practice changes. This includes threats like phishing, ransomware, unauthorized access by current or former staff, and physical theft of devices or paper files.

3. Safeguards Implementation

Based on your risk assessment, document the administrative, technical, and physical safeguards you have put in place. This covers everything from software security tools and encryption to locked filing cabinets and visitor policies.

4. Employee Management and Training

Document your process for screening employees who will have access to taxpayer data, and describe your security awareness training program. Every staff member must receive training upon hiring and at least annually thereafter.

5. Information Systems Management

Detail how you manage the technology systems that store, process, or transmit taxpayer data. This includes your approach to software updates and patch management, access controls, password policies, encryption of data at rest and in transit, and multi-factor authentication, which the FTC Safeguards Rule requires for anyone accessing customer information.

6. Detecting and Managing System Failures

Describe the tools and processes you use to detect unauthorized activity or system failures. This covers antivirus software, intrusion detection, log monitoring, and how you respond when something goes wrong.

7. Data Disposal and Retention

Establish policies for how long you retain taxpayer data and how you securely dispose of it when retention periods expire. The Safeguards Rule expects customer information to be disposed of no later than two years after it was last used, unless you have a business or legal reason to keep it. Paper records must be shredded. Electronic records must be securely erased (a full overwrite or cryptographic erase in line with NIST SP 800-88) or the media physically destroyed; deleting a file or reformatting a drive is not sufficient.

8. Incident Response Plan

Create a documented step-by-step plan for responding to a data breach or security incident. Your plan must cover how to contain the breach, notify affected clients, report to the IRS (through your local IRS Stakeholder Liaison) and other relevant agencies, and fix the weakness that allowed it. Note that under the amended Safeguards Rule, a breach affecting 500 or more consumers must also be reported to the FTC within 30 days of discovery.

9. Annual Review and Update

Your WISP is a living document. You must review and update it at least annually, or whenever there is a material change in your business operations, technology, or threat landscape. Document each review with dates and findings.

Non-Compliance Risks

What happens without a WISP?

IRS Penalties

The IRS can impose civil penalties under IRC Section 6713 for unauthorized disclosure or use of taxpayer information: $250 per disclosure (maximum $10,000 per calendar year), rising to $1,000 per disclosure (maximum $50,000 per calendar year) when the disclosure is connected to identity theft. Knowing or reckless disclosure can also be prosecuted under IRC Section 7216.

FTC Enforcement

The FTC Safeguards Rule applies to tax preparers as financial institutions. Violations can result in FTC enforcement actions and consent orders, and violating such an order carries civil penalties that, for large-scale non-compliance, can reach into the millions.

State Attorney General Actions

Every state has a data breach notification law. Failure to protect taxpayer data and to notify properly after a breach can trigger state-level investigations, lawsuits, and additional penalties.

Client Lawsuits and Lost Business

A data breach without documented security practices makes your firm extremely vulnerable to malpractice and negligence lawsuits. Client trust, once broken, is rarely recovered.

Getting Started

How to create your WISP

Building a WISP from scratch can feel overwhelming, but it does not have to be. Follow these steps to create a compliant plan efficiently.

Step 1: Start with a template

Do not write your WISP from a blank page. Use a professionally developed template that already includes the required sections and language. Our free 2025 WISP template is designed specifically for tax professionals and covers all IRS Publication 4557 requirements.

Step 2: Conduct your risk assessment

Walk through your office, both physical and digital. Identify every place taxpayer data is stored, every person who accesses it, and every way it moves in and out of your practice. Document the risks at each point and rate them by likelihood and potential impact.

Step 3: Document your safeguards

For each risk you identified, document the specific safeguard that addresses it. Be concrete: name the software you use, describe the policy, reference the configuration setting. Vague statements like “we use encryption” are not sufficient; specify what is encrypted (laptops, backups, email attachments, the tax software database), with what tool, and who holds the keys or recovery passwords and where they are stored.

Step 4: Train your team and sign off

Once your WISP is complete, every employee must read it and acknowledge in writing that they understand their responsibilities. Schedule your first training session, document attendance, and set a calendar reminder for your annual review.

Get your WISP started today

Download our free IRS-compliant WISP template or schedule a consultation with our cybersecurity team to get personalized help building your security plan.