5 steps for creating a written information security plan

All firms that have PTINs must have written information security plans (WISPs) that meet legal requirements. Find out how to create one for your firm.

minute read

Last Updated May 17, 2024

Category Cybersecurity

Two men stand together looking at a laptop.


It’s very simple: If your firm wants to renew its Preparer Tax Identification Number (PTIN), you must affirm to the IRS that you have a written information security plan, or WISP. No WISP, no PTIN. Given the threat of cyberattacks on accounting firms, your firm should have a WISP in place, anyway.  

One study revealed that 61% of firms would not survive for more than a week after a ransomware attack. And yet the same study showed that 14% of firms do not have an incident response plan, which is not a WISP on its own, but can and should be a component of one. Accounting firms cannot afford to have weak cybersecurity measures in place. And aside from being an IRS requirement, creating a written information security plan helps firms understand where their security vulnerabilities lie.  

But writing an effective WISP that passes legal muster isn’t necessarily simple. Creating an effective security plan involves bringing in professional IT help, as well as making a deep dive into your firm’s data and security infrastructure. It also requires a level of legal expertise many firm leaders might not have. Options for assistance are available to firm leaders who need help coming up with a WISP. But those who choose to go it alone need to know that there are five essential steps that can’t be skipped. 

The 5 essentials of a written information security plan  

A man in a blue blazer sits in front of a laptop as he makes notes so he can get started creating his written information security plan.
It’s practically impossible, and probably illegal, to write a WISP without following these steps.

Why is getting a WISP right so important for a firm? For one thing, a WISP can and should serve as an actual guide to your cybersecurity capabilities. But perhaps more to the point, it’s not just a useless government document. If you want to renew your PTIN, you are required to state on Question 11 of IRS form W-12 that you understand that you must have a WISP in place as a paid tax preparer. 

If you don’t have a WISP and say you do, you’re committing perjury and could lose your license. You could also have your PTIN terminated. Writing a WISP requires a level of technical and legal expertise most accountants don’t have. One cybersecurity expert spent a full 40-hour week creating a WISP for a four-person firm. So, developing a WISP without help is not advisable.  

However, if you want to try it, here are five steps you need to take.  

1. Get an IT person involved 

If your firm has to comply with the FTC Safeguards Rule, as most firms do, then you’re supposed to have a dedicated person in place to oversee your cybersecurity program. That person can be an internal IT hire, a contractor, a consultant or an expert from a cloud provider. In any case, you’ll need to have a capable expert in charge of security.  

Outside of the FTC Safeguards Rule requirement, it’s not an absolute legal necessity to have an IT person available to create a WISP. But trying to create a WISP without IT help would be like an IT expert doing complex tax work; it’s just something that requires expertise in the field. It’s almost impossible to develop a WISP without someone to guide you through the technical language and machinations involved in creating a plan.  

2. List all your security software and services 

This might not be as simple as it seems. You might not even know what’s in place. You need to take stock of all your security applications, from antivirus to multifactor authentication. There are a couple of things that could come to light in this process. One, you’re not sure exactly how you’re protecting your data. And two, you don’t have enough protection in place.

For instance, do you use an anti-phishing toolbar? Would you know if you did? If you don’t, you should. The same goes for multifactor authentication (MFA), a technology the IRS says firms should have in place as part of the agency’s “Security Six” cybersecurity protections. The deep dive into your security infrastructure is likely to be both time-consuming and revealing, but it’s non-negotiable for meeting basic security requirements.  

3. Know the data disclosure laws in the states where you operate 

Each state has its own laws about disclosing data breaches. You need to understand the laws in each state where you serve clients. If you do experience a data breach and clients lose data, you’ll need to disclose information about the breach according to the laws of where the client operates, not where you operate.  

You must show in your WISP that you’re able to comply with data disclosure laws both in your own state and in others where you do business. That level of expertise will likely elude most accounting professionals, who might know tax codes in different states but are unlikely to be familiar with data-related laws. In fact, even a lot of IT experts won’t have that depth of knowledge.  

4. Create an inventory of all the places where you have client data stored 

This is not the same requirement as listing your security applications and services. What you need here is to disclose every location where you’re storing client data. That means looking into every computer, server, thumb drive, external hard drive and file cabinet—yes, paper counts—and listing which ones contain client data. Email counts, too, as do any software-as-a-service applications and simple cloud services where you might be storing client data.  

You have to show in your WISP that you can protect client data wherever it is stored. If you have paper files in a cabinet, you need to prove that you can protect them from, say, a cleaning contractor who might clean your office at night, thereby having access to client data.  

Demonstrating the ability to protect client data in electronic formats will prove to be even more complex and difficult. If you’re storing data in multiple places and formats, this could be a time-consuming chore prone to errors.  

5. Use a template to write your plan 

Like getting an IT person involved, this isn’t a legal requirement for writing a WISP. But starting a plan from scratch is an overwhelming task even for most security experts. Using a template to create a WISP can cut a 40-hour process in half. That’s still a lot of time to spend on anything. But the difference between spending a work week on developing a WISP and spending, say, 20 hours is still significant.

But even the presence of a template doesn’t make creating a plan easy. It just makes it a little easier. The requirements of developing a plan are still complex, and non-IT professionals will likely need help getting a WISP right.  

Remember, when you tell the IRS you have a WISP when renewing your PTIN, you commit to having a plan that meets legal requirements and doesn’t contain errors or inaccuracies.  

Get the help you need to successfully complete a written information security plan

You can go a long way toward getting your written information security plan in place by running applications and data in the cloud. And the right cloud partner can even provide the IT expertise you need to develop a WISP. Plus, working in the cloud makes completing a WISP much easier. Your cloud partner will always know what your security infrastructure includes and where your data resides.  

If you need a WISP—and you do if you want to renew your PTIN—you won’t regret completing one with a cloud partner.

Learn how Rightworks can help you write your WISP today.

Subscribe to our blog

Get Rightworks articles delivered straight to your inbox.