What Is a WISP? The IRS Requirement Every Tax Preparer Now Has to Meet

Published on June 28, 2026

Quick answer: A WISP is a Written Information Security Plan that documents how a tax preparer protects client data. Since 2024, the IRS has treated it as a federal requirement for every paid tax preparer, enrolled agent, and CPA firm that handles taxpayer data. The legal authority is the FTC Safeguards Rule under the Gramm-Leach-Bliley Act, and the practical impact is that not having one can cost you up to $50,000 per violation plus the loss of your PTIN.

What is a WISP

A WISP is a written document that lays out the administrative, technical, and physical safeguards your firm uses to protect client information. It is not a technology product. It is a policy document, like an employee handbook, that you write once, keep in a known location, update annually, and produce on request.

Three things define a real WISP:

  1. It is written. Not "we know how we handle data." Not "we're careful." Documented in a single file, with the date of the last review.
  2. It is specific to your firm. Generic templates filled with placeholder text do not satisfy the rule. The plan has to describe your actual systems, your actual employees, and your actual data flows.
  3. It is current. A WISP signed in 2019 does not meet the 2024 standard. Annual review is required.

The document itself is usually 10 to 25 pages. The work to write one for the first time is real but not heroic: most solo and small firms can complete it in a weekend with the right structure.

Do I need a WISP?

The question of whether the rule applies trips up more practitioners than the rule itself. Here is the test:

Question | If yes
Do you prepare federal tax returns for compensation? | The rule applies.
Do you hold a PTIN? | The rule applies.
Are you an enrolled agent, CPA, or attorney handling tax matters? | The rule applies.
Do you only provide bookkeeping without preparing tax returns? | The rule may not apply (depending on your services).
Are you a W-2 employee at a larger firm? | Your employer needs the WISP. You typically do not need a separate one.

The "bookkeeping only" carve-out is narrower than people think. If you bookkeep AND prepare any tax filings, including sales tax or 1099s, you are back inside the rule. The FTC interprets "financial institution" broadly. When in doubt, write the WISP. It costs you a weekend and removes the question.

The authoritative IRS guidance on this is Publication 5708 (Creating a Written Information Security Plan for Your Tax & Accounting Practice), published specifically for tax professionals.

The 2024 change that everyone missed

The FTC Safeguards Rule was originally published in 2003. For two decades it was loosely enforced and most small tax practices ignored it. That changed.

In late 2023, the FTC finalized updates to the Safeguards Rule (16 CFR Part 314) that took full effect in 2024. The update did three things:

  1. Expanded what counts as a "covered financial institution." Tax preparers were always nominally included. The 2024 update made their inclusion explicit and enforceable, down to sole proprietors with no employees.
  2. Added 9 specific required elements to the security plan, replacing the prior general "reasonable security" language with a checklist that can be audited.
  3. Created a notification requirement for security events affecting 500 or more consumers. This is a separate breach reporting obligation tied to the same rule.

The IRS used the FTC update as the basis for treating the WISP as a hard requirement during PTIN renewal. The Form W-12 PTIN application now includes a data security attestation. Lying on that form is its own problem, separate from the underlying compliance failure.

The 9 elements your WISP has to cover

This is the FTC-mandated structure. Every WISP that satisfies the rule covers all nine elements. Use this as the table of contents when you write yours.

# | Required element | What it means in your document
1 | Designated Qualified Individual | Identify the person responsible for the WISP. In a solo practice, this is typically you.
2 | Written Risk Assessment | Document risks such as phishing, lost devices, malicious insiders, and vendor breaches.
3 | Safeguards for Identified Risks | Map every identified risk to a specific control, such as MFA, encryption, or vendor due diligence.
4 | Regular Testing and Monitoring | Explain how safeguards are verified through penetration testing, access reviews, or monitoring.
5 | Security Awareness Training | Document ongoing cybersecurity training for yourself or your staff.
6 | Service Provider Oversight | Maintain a list of vendors handling client data and document how each provider is evaluated.
7 | Written Incident Response Plan | Define the response process, including contacts, notifications, and recovery procedures.
8 | Written Annual Report | Prepare an annual summary describing the status and effectiveness of the security program.
9 | Notification of Qualifying Events | Document the process for notifying the FTC of qualifying breaches affecting 500 or more consumers.

The full regulatory text is in 16 CFR Part 314. The IRS interpretation specific to tax practices is in Publication 4557 (Safeguarding Taxpayer Data).

What happens if you do not have one

This is a section that does not exist in the existing top-ranking content, and the reason it does not exist is that the consequences are spread across three different statutes and agencies. Here is the consolidated picture:

Failure mode | Statute / authority | Maximum penalty
No WISP in place | FTC Safeguards Rule under GLBA Section 501 | Up to $50,000 per violation
Data breach without an incident response plan | FTC enforcement action | Civil penalties and possible consent decree
False security attestation on PTIN application | IRS Circular 230 | PTIN revocation and disciplinary action under Circular 230
Failure to report a qualifying breach within 30 days | FTC Safeguards Rule | Additional FTC enforcement exposure
Violation of state-level data protection laws | Applicable state laws (for example, NY SHIELD or MA 201 CMR 17) | Varies by jurisdiction, commonly between $5,000 and $25,000 per violation

In practice, the most common enforcement action against small firms is not a $50,000 fine. It is the combination of (a) a breach happening, (b) clients suing, and (c) the lack of a documented WISP being used in litigation as evidence of negligence. The WISP is your defense exhibit when something goes wrong, not just a compliance checkbox.

The FTC has been signaling more aggressive Safeguards Rule enforcement since 2024. The agency's news and enforcement releases are worth subscribing to if you want to track what cases get brought.

How to write a WISP without paying a consultant

Three paths. Pick the one that matches your situation.

Path 1: Use the IRS template (free, 2 to 4 hours)

The IRS published a fillable template inside Publication 5708. It is the same template the agency uses to demonstrate compliance during PTIN renewal interviews. It is generic but covers all 9 elements. For a sole proprietor or small firm with simple operations, this is the right starting point.

The work is reading the template, deleting the sections that do not apply, and filling in the specifics for your firm. The hardest sections are #2 (risk assessment) and #6 (service provider oversight) because they require you to inventory your actual systems and vendors.

Path 2: Use a paid template ($150 to $500, 1 to 2 hours)

Vendors like Tech 4 Accountants, Right Networks, and various state CPA society offerings sell pre-built WISP templates for tax practices. They are more polished than the IRS version and often include risk assessment worksheets and incident response runbooks.

This is the right choice if you want the document to look professional and you bill at $200+ per hour. The math works out faster than the IRS template path.

Path 3: Hire a consultant ($1,500 to $5,000, 2 to 6 weeks)

A specialist writes the WISP, runs a real risk assessment, and tests your systems. This is the right call for multi-partner firms, firms with employees, or firms with complex tech stacks (multiple SaaS tools, on-premise servers, remote employees). It is also the right call if you have already had a security incident and need a defensible plan reviewed by a professional.

The work the consultant does is the same work you would do in Path 1. You are paying for time savings and third-party validation, not for proprietary content.

What WISP does not cover (and why this matters)

A WISP is a security policy document. It is not:

  • A cybersecurity tool. You still need MFA, encryption, antivirus, and backups. The WISP describes the tools; it does not replace them.
  • A privacy policy. Privacy policies govern what you do with client data. A WISP governs how you protect it. Most firms need both.
  • A SOC 2 report. SOC 2 is a separate audit framework targeting service organizations. Tax firms generally do not need SOC 2 unless they sell services to enterprise clients who require it.
  • A backup or disaster recovery plan. Backups are part of the safeguards described in the WISP, but the WISP itself is just documentation.

The technical standards informing WISP content come from NIST SP 800-171, which is the federal baseline for protecting controlled unclassified information. You do not need to implement NIST 800-171 in full, but the framework is the source for most of what a competent WISP risk assessment looks like.

Frequently asked questions

What is the difference between a WISP and an information security policy?

They are the same document under different names. "WISP" is the term the IRS and FTC use for tax practices. "Information security policy" is the term used in broader corporate compliance. The required elements are the same.

Do enrolled agents need a WISP?

Yes. Any paid preparer holding a PTIN is subject to the FTC Safeguards Rule and IRS data security requirements. Enrolled agents, CPAs, attorneys, and unenrolled preparers all fall within the rule.

How often does a WISP need to be updated?

Annually at minimum, plus immediately after any material change to your systems, vendors, or employees. The annual report (element #8 in the FTC framework) is the formal review step.

Can I use the same WISP across multiple firm locations?

Only if the locations operate as a single legal entity with shared systems and policies. If they are separate legal entities or operate independently, each needs its own WISP. The risk assessment will be different even if the safeguards template is shared.

Does my accounting automation software count toward my WISP?

No, and this is worth saying clearly. A WISP is a policy document. Tools like accounting automation software (including Finlens) are part of the safeguards you describe in the document, but software does not write the policy and cannot satisfy the rule on its own. The vendor oversight section of your WISP should list every SaaS tool that touches client data and describe how you vetted the vendor's own security posture.

What if I have employees? Does WISP get more complex?

Yes. The security awareness training element (#5) becomes meaningful, and the designated qualified individual (#1) usually shifts from the owner to a named operations or IT lead. Firms with 5+ employees should consider Path 3 (consultant) for the first version.

How do I prove I have a WISP if asked?

Produce the document, signed, with the most recent annual review date. The IRS does not require submission of the WISP, but it does ask for an attestation of its existence on Form W-12 (PTIN application). Keep the signed document accessible.

A WISP is one of the few compliance documents where the work is genuinely smaller than the anxiety around it. Read IRS Publication 5708, block a weekend, write the document, and put a calendar reminder in for the annual review. The cost of doing this is one weekend. The cost of not doing it is exposure to a $50,000 per-violation penalty, PTIN revocation, and a missing defense exhibit if something goes wrong.

If you want background on the broader compliance and operational stack that supports a defensible tax practice, the best practice management software comparison and the tax client portal software guide cover the tooling side of the same problem.
