What Is a WISP? The IRS Requirement Every Tax Preparer Now Has to Meet
Quick answer: A WISP is a Written Information Security Plan that documents how a tax preparer protects client data. The IRS and the FTC treat it as a federal requirement for every paid tax preparer, enrolled agent, and CPA firm that handles taxpayer data. The legal authority is the FTC Safeguards Rule (16 CFR Part 314) issued under the Gramm-Leach-Bliley Act, and the practical impact is that not having one can expose you to civil penalties of up to roughly $50,000 per violation and to loss of your PTIN.
What is a WISP
A WISP is a written document that lays out the administrative, technical, and physical safeguards your firm uses to protect client information. It is not a technology product. It is a policy document, like an employee handbook, that you write once, keep in a known location, update at least annually, and produce on request.
Three things define a real WISP:
- It is written. Not "we know how we handle data." Not "we're careful." Documented in a single file, with the date of its last review.
- It is specific to your firm. A generic template left full of placeholder text does not satisfy the rule. The plan has to describe your actual systems, your actual employees, and your actual data flows.
- It is current. A WISP signed in 2019 does not meet the current standard. Annual review is required.
The document itself is usually 10 to 25 pages. The work to write one for the first time is real but not heroic; most solo and small firms can complete it in a weekend with the right structure.
Do I need a WISP?
The question of whether the rule applies trips up more practitioners than the rule itself. The test is whether you prepare tax returns for compensation: the FTC treats tax preparation as a financial activity under the Gramm-Leach-Bliley Act, so a paid preparer is a "financial institution" under the Safeguards Rule regardless of firm size.
The "bookkeeping only" carve-out is narrower than people think. If you bookkeep AND prepare any tax filings, including sales tax returns or 1099s, you are back inside the rule. The FTC interprets "financial institution" broadly. When in doubt, write the WISP. It costs you a weekend and removes the question.
The authoritative IRS guidance on this is Publication 5708 (Creating a Written Information Security Plan for Your Tax & Accounting Practice), published specifically for tax professionals.
The 2023-2024 changes that everyone missed
The FTC Safeguards Rule took effect in 2003. For nearly two decades it set only a general "reasonable safeguards" standard, was loosely enforced, and most small tax practices ignored it. That changed.
The FTC finalized amendments to the Safeguards Rule (16 CFR Part 314) in December 2021, with a compliance date of June 9, 2023, and added a breach notification provision in October 2023 that took effect in May 2024. Together the updates did three things:
- Replaced the general "reasonable security" language with specific required elements that can be audited, including a designated Qualified Individual, a risk assessment, multi-factor authentication for anyone accessing customer information, and encryption of customer information in transit and at rest.
- Made the obligation concrete for small practices. Paid preparers were already "financial institutions" under the original rule; the amendments did not newly add them, but the specific checklist made the obligation enforceable in practice even for a sole proprietor with no employees. Firms holding customer information on fewer than 5,000 consumers are exempt from a few of the elements (16 CFR 314.6), but not from having a program.
- Created a notification requirement: unauthorized acquisition of unencrypted customer information affecting 500 or more consumers must be reported to the FTC no later than 30 days after discovery. This is a separate breach reporting obligation tied to the same rule.
The IRS leans on the FTC rule in its own data security requirements for PTIN holders. Form W-12, the PTIN application and renewal, includes a data security responsibilities checkbox in which you acknowledge your legal obligation to have a data security plan. A false attestation on that form is its own problem, separate from the underlying compliance failure.
The 9 elements your WISP has to cover
This is the FTC-mandated structure in 16 CFR 314.4. Every WISP that satisfies the rule covers all nine elements. Use this as the table of contents when you write yours:
1. Designate a Qualified Individual responsible for overseeing the program.
2. Base the program on a risk assessment of the internal and external risks to customer information.
3. Design and implement safeguards that control those risks: access controls, a data and systems inventory, encryption in transit and at rest, secure development practices, multi-factor authentication, secure disposal, change management, and activity logging.
4. Regularly test or monitor the safeguards, either through continuous monitoring or through annual penetration testing plus vulnerability assessments at least every six months.
5. Train staff and keep the people responsible for security current on threats.
6. Oversee service providers: select capable ones, require safeguards by contract, and periodically assess them.
7. Evaluate and adjust the program after testing, material changes to operations, or other relevant events.
8. Maintain a written incident response plan.
9. Have the Qualified Individual report in writing, at least annually, to the board or to senior management.
Firms that hold customer information on fewer than 5,000 consumers are exempt from the written risk assessment, the continuous monitoring or penetration testing requirement, the written incident response plan, and the annual report (16 CFR 314.6). The other elements apply in full, and a small firm that writes all nine anyway is in a stronger position if it ever has to produce the document.
The full regulatory text is in 16 CFR Part 314. The IRS interpretation specific to tax practices is in Publication 4557 (Safeguarding Taxpayer Data).
What happens if you do not have one
The consequences are spread across three different fronts: FTC enforcement under the Safeguards Rule, IRS enforcement tied to your PTIN and the Form W-12 attestation, and civil litigation by clients after a breach.
In practice, the most common enforcement action against small firms is not a $50,000 fine. It is the combination of (a) a breach happening, (b) clients suing, and (c) the lack of a documented WISP being used in litigation as evidence of negligence. The WISP is your defense exhibit when something goes wrong, not just a compliance checkbox.
The FTC has been signaling more aggressive Safeguards Rule enforcement since the amended rule took effect. The agency's news and enforcement releases are worth subscribing to if you want to track which cases get brought.
How to write a WISP without paying a consultant
Three paths. Pick the one that matches your situation.
Path 1: Use the IRS template (free, 2 to 4 hours)
The IRS published a fillable template inside Publication 5708. It is generic but covers all nine elements. For a sole proprietor or a small firm with simple operations, this is the right starting point.
The work is reading the template, deleting the sections that do not apply, and filling in the specifics for your firm. The hardest sections are #2 (risk assessment) and #6 (service provider oversight) because they require you to inventory your actual systems and vendors.
Path 2: Use a paid template ($150 to $500, 1 to 2 hours)
Vendors like Tech 4 Accountants, Right Networks, and various state CPA society offerings sell pre-built WISP templates for tax practices. They are more polished than the IRS version and often include risk assessment worksheets and incident response runbooks.
The right choice if you want the document to look professional and you bill at $200+ per hour. At that rate the hours saved outweigh the template cost, and this path comes out cheaper than the IRS template path.
Path 3: Hire a consultant ($1,500 to $5,000, 2 to 6 weeks)
A specialist writes the WISP, runs a real risk assessment, and tests your systems. The right call for multi-partner firms, firms with employees, or firms with complex tech stacks (multiple SaaS tools, on-premises servers, remote employees). Also the right choice if you have already had a security incident and need a defensible plan reviewed by a professional.
The work the consultant does is the same work you would do in Path 1. You are paying for time savings and third-party validation, not for proprietary content.

What WISP does not cover (and why this matters)
A WISP is a security policy document. It is not:
- A cybersecurity tool. You still need MFA, encryption, endpoint protection, and backups. The WISP describes the tools; it does not replace them.
- A privacy policy. A privacy policy governs what you do with client data. A WISP governs how you protect it. Most firms need both.
- A SOC 2 report. SOC 2 is a separate audit framework for service organizations. Tax firms generally do not need SOC 2 unless they sell services to enterprise clients who require it.
- A backup or disaster recovery plan. Backups are among the safeguards described in the WISP, but the WISP itself is just the documentation.
A useful technical reference when writing the risk assessment is NIST SP 800-171, the federal baseline for protecting controlled unclassified information. You do not need to implement NIST SP 800-171 in full, but its control families cover most of what a competent WISP risk assessment looks at.
Frequently asked questions
What is the difference between a WISP and an information security policy?
They are the same document under different names. "WISP" is the term the IRS uses for tax practices; the FTC rule itself speaks of an "information security program." "Information security policy" is the term used in broader corporate compliance. The required elements are the same.
Do enrolled agents need a WISP?
Yes. Any paid preparer holding a PTIN is subject to the FTC Safeguards Rule and the IRS data security requirements. Enrolled agents, CPAs, attorneys, and unenrolled preparers all fall within the rule.
How often does a WISP need to be updated?
Annually at minimum, plus immediately after any material change to your systems, vendors, or employees. The periodic evaluate-and-adjust step (element #7 in the FTC framework) is what drives those updates, and the annual written report (element #9) is the formal review step for firms large enough to be subject to it; firms holding information on fewer than 5,000 consumers are exempt from the report but not from the review.
Can I use same WISP across multiple firm locations?
Only if the locations operate as a single legal entity with shared systems and policies. If they are separate legal entities or operate independently, each needs its own WISP. The risk assessment will differ even if the safeguards template is shared.
Does my accounting automation software count toward my WISP?
No, and this is worth saying clearly. A WISP is a policy document. Tools like accounting automation software (including Finlens) are part of the safeguards you describe in the document, but software does not write the policy and cannot satisfy the rule on its own. The vendor oversight section of your WISP should list every SaaS tool that touches client data and describe how you vetted the vendor's own security posture.
What if I have employees? Does the WISP get more complex?
Yes. The security awareness training element (#5) becomes meaningful, and the designated Qualified Individual (#1) often shifts from the owner to a named operations or IT lead. Firms with 5+ employees should consider Path 3 (consultant) for the first version.
How do I prove I have a WISP if asked?
Produce the signed document showing its most recent annual review date. The IRS does not require you to submit the WISP, but Form W-12 (the PTIN application and renewal) asks you to acknowledge your data security obligations, so keep the signed document accessible.
A WISP is one of the few compliance documents where the work is genuinely smaller than the anxiety around it. Read IRS Publication 5708, block a weekend, write the document, and put a calendar reminder in for the annual review. The cost of doing this is one weekend. The cost of not doing it is exposure to civil penalties of up to roughly $50,000 per violation, PTIN revocation, and a missing defense exhibit if something goes wrong.
If you want background on the broader compliance and operational stack that supports a defensible tax practice, the best practice management software comparison and the tax client portal software guide cover the tooling side of the same problem.
