Written Information Security Plan: the complete guide
Everything you need to know about WISPs. What they are, why the law requires them, what must be included, and exactly how to create one for your tax practice. This is the most comprehensive WISP resource available for tax professionals.
Definition
What is a Written Information Security Plan?
A Written Information Security Plan (WISP) is a formal, documented program that describes how an organization protects sensitive information from unauthorized access, use, disclosure, alteration, or destruction. For tax professionals, it specifically addresses how your practice safeguards taxpayer data throughout its lifecycle, from the moment a client shares their Social Security number to the day you securely destroy their records.
A WISP is not just a policy document or a list of software tools. It is a comprehensive security program that encompasses your risk assessment process, the administrative, technical, and physical controls you have implemented, your employee training program, your incident response procedures, and your approach to ongoing monitoring and improvement.
The concept originates from the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to protect customer information. Because the IRS and the FTC classify tax return preparers as financial institutions, every tax professional with a PTIN is legally required to maintain a WISP. This obligation exists regardless of your practice size, whether you are a solo preparer working from a home office or a national firm with hundreds of employees.
The IRS has been increasingly clear about this requirement. IRS Publication 4557 provides the primary guidance, while the FTC Safeguards Rule (16 CFR Part 314) provides the specific technical and administrative standards your WISP must address. Together, these documents form the regulatory framework that every tax practice WISP must satisfy.
Legal Framework
The laws that require your WISP
Your WISP obligation comes from multiple overlapping federal and state regulations. Understanding where the requirements originate helps you build a plan that satisfies all of them simultaneously.
IRS Publication 4557
The IRS's primary guidance document for tax professionals on safeguarding taxpayer data. It explicitly requires a Written Information Security Plan and outlines what the plan must address, including risk assessment, safeguards, employee training, incident response, and annual review. This is the document most directly applicable to tax preparers.
Gramm-Leach-Bliley Act (GLBA)
Federal legislation that requires financial institutions to explain how they share and protect customer information. Tax preparers are classified as financial institutions under GLBA because they handle sensitive financial data. The law mandates a written security program that is appropriate to the size and complexity of the institution.
FTC Safeguards Rule (16 CFR Part 314)
The implementing regulation of the GLBA's security provisions. The 2023 amendments significantly expanded the requirements to include specific technical controls: encryption for data at rest and in transit, multi-factor authentication, access controls, a designated qualified individual, and regular testing and monitoring of safeguards.
State Data Protection Laws
In addition to federal requirements, most states have enacted their own data protection and breach notification statutes. Many states, including Massachusetts (201 CMR 17.00), New York (SHIELD Act), and California (CCPA/CPRA), explicitly require written information security programs for businesses that handle personal information of their residents.
Required Components
The 9 components every WISP must include
A compliant WISP addresses nine key areas. Omitting any one of these sections could leave a gap that regulators or auditors will identify. Here is what each section must cover.
Designated Security Officer
Your WISP must name a specific individual responsible for overseeing the security program. For solo practitioners, this is you. For firms, it is typically a partner, the office manager, or a dedicated IT security professional. The FTC Safeguards Rule now requires this person to be a "qualified individual" with sufficient knowledge and authority to implement the program.
Comprehensive Risk Assessment
Document a thorough evaluation of all reasonably foreseeable internal and external risks to the confidentiality, integrity, and availability of taxpayer information. This means walking through every process, system, and physical location where data is handled and identifying what could go wrong at each point. Rate risks by likelihood and impact, and map each one to a specific safeguard.
Administrative Safeguards
These are the policies, procedures, and management controls that govern how your organization handles data security. They include access policies, employee screening procedures, separation of duties, vendor management, data classification, and business continuity planning. Administrative safeguards are the rules your people follow.
Technical Safeguards
Technical safeguards are the technology controls that protect data in your systems. The FTC Safeguards Rule now mandates encryption for data at rest and in transit, multi-factor authentication, access controls based on least privilege, continuous monitoring and logging, secure development practices, and regular vulnerability testing. Document every tool, configuration, and protocol.
Physical Safeguards
Physical security controls protect the tangible assets that store or process taxpayer data. This includes locked offices, restricted server room access, visitor management, clean desk policies, secure document disposal (cross-cut shredding), and proper handling of portable media like USB drives and laptops.
Employee Training Program
All employees with access to taxpayer data must receive security awareness training upon hire and at least annually thereafter. Training must cover phishing recognition, password security, social engineering, secure data handling, physical security procedures, and how to report suspected incidents. Document all training with dates, topics, and attendee signatures.
Incident Response Plan
Your WISP must include a step-by-step plan for responding to security incidents and data breaches. This covers incident detection and classification, roles and responsibilities of response team members, containment and eradication procedures, evidence preservation, notification to the IRS and affected individuals, state attorney general notification, and post-incident review.
Data Retention and Disposal
Define how long you retain taxpayer data and the methods you use to securely destroy it when retention periods expire. Paper records must be cross-cut shredded. Electronic records must be wiped using methods that prevent recovery, such as cryptographic erasure or physical destruction of media. Document your retention schedule and disposal procedures.
Annual Review and Continuous Improvement
Your WISP is not a static document. You must review and update it at least annually, or whenever there is a material change in your business operations, staffing, technology, or threat landscape. Each review should be dated and documented. Track changes over time to demonstrate to regulators that you actively maintain your security program.
Getting Started
How to create your WISP
Follow these six steps to build a WISP that meets all regulatory requirements and actually protects your practice.
Start with a proven template
Writing a WISP from scratch is time-consuming and error-prone. Start with a professionally developed template that already includes the required structure, language, and sections. Our free 2025 WISP template is designed specifically for tax professionals and covers all IRS Publication 4557 and FTC Safeguards Rule requirements.
Inventory your data and systems
Before you can assess risks, you need to know where taxpayer data exists. Create a data inventory listing every system, application, device, and physical location where client information is stored, processed, or transmitted. Include cloud services, email accounts, mobile devices, paper files, and any third-party vendors who access your data.
Conduct your risk assessment
For each item in your data inventory, identify the threats it faces and the existing controls that mitigate those threats. Rate each risk and determine whether additional safeguards are needed. Be specific and practical. A risk assessment that says "we face cyber threats" is useless. One that says "unpatched workstations in the front office are vulnerable to known exploits" is actionable.
Document your safeguards
For each risk you identified, describe the specific safeguard that addresses it. Name the products, tools, configurations, and policies you use. Vague language will not satisfy auditors. Instead of "we encrypt data," write "all workstations use BitLocker full-disk encryption, email is transmitted over TLS 1.2+, and client portal uploads use AES-256 encryption at rest."
Write your incident response plan
Define exactly what happens when a security incident occurs. Who is the first responder? How is the incident classified? What systems are isolated? Who contacts the IRS? Who notifies clients? What are the state notification deadlines? Run a tabletop exercise with your team to test the plan before you need it for real.
Train, sign, and schedule
Conduct your initial security training session with all staff. Have everyone read the WISP and sign an acknowledgment. Set calendar reminders for quarterly phishing simulations, annual training renewals, and your annual WISP review. Store all signed documents where you can produce them if the IRS requests them.
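As an added example that is not part of this guide or its template, the PowerShell script below collects the workstation evidence the "Document your safeguards" step asks for: BitLocker status per volume and whether legacy TLS 1.0/1.1 are disabled in Schannel so that mail and portal connections negotiate TLS 1.2 or newer. It assumes a Windows workstation with the BitLocker cmdlets available and an elevated session; the report path is a placeholder.

```powershell
# Added example (not from the original guide). Run as Administrator on each workstation.
# Assumptions: BitLocker cmdlets present (Windows Pro/Enterprise); standard Schannel registry layout.
$ReportPath = "C:\WISP\evidence\$env:COMPUTERNAME-safeguards.txt"   # placeholder path

# 1. Full-disk encryption: every volume should be FullyEncrypted with protection On.
$bitlocker = Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        Volume           = $_.MountPoint
        VolumeStatus     = $_.VolumeStatus       # FullyEncrypted expected
        ProtectionStatus = $_.ProtectionStatus   # On expected
        Method           = $_.EncryptionMethod   # e.g. XtsAes256
    }
}

# 2. Transport security: legacy protocols explicitly disabled so TLS 1.2+ is negotiated.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$tls = foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $schannel "$proto\$side"
        $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        [pscustomobject]@{
            Protocol = $proto
            Side     = $side
            # A missing key means the OS default applies, which may leave 1.0/1.1 on; flag it.
            Enabled  = if ($null -eq $enabled) { 'default (not configured)' } else { [bool]$enabled }
        }
    }
}

# 3. Findings: anything listed here belongs in the risk assessment, not the safeguards section.
$findings = @()
$findings += @($bitlocker |
    Where-Object { ($_.VolumeStatus -ne 'FullyEncrypted') -or ($_.ProtectionStatus -ne 'On') } |
    ForEach-Object { "Volume $($_.Volume) is not fully protected by BitLocker" })
$findings += @($tls |
    Where-Object { ($_.Protocol -in @('TLS 1.0', 'TLS 1.1')) -and ($_.Enabled -ne $false) } |
    ForEach-Object { "$($_.Protocol) $($_.Side) is not explicitly disabled" })

# 4. Dated report, so the evidence can be filed with the WISP and reproduced on request.
$report = @(
    "Safeguard evidence for $env:COMPUTERNAME collected $(Get-Date -Format 'yyyy-MM-dd HH:mm')"
    ($bitlocker | Format-Table -AutoSize | Out-String)
    ($tls | Format-Table -AutoSize | Out-String)
    if ($findings) { "FINDINGS:`n - " + ($findings -join "`n - ") } else { 'No findings.' }
)
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
$report | Set-Content -Path $ReportPath
$report
```

Re-run it at each annual review and keep the dated reports with the signed acknowledgments; a change in findings between runs is exactly the kind of material change the review section asks you to record.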
Avoid These
Common WISP mistakes
Get your free WISP template
Our 2025 WISP template includes all nine required sections, is fully customizable to your practice, and meets every IRS and FTC requirement. Download it now and have your Written Information Security Plan ready in under two hours.
No credit card required. Instant download.
