How much is an IRS WISP? The true cost of compliance

Learn the true cost of a Written Information Security Plan (WISP), from DIY options to professional services.

Last Updated January 8, 2025

Category Cybersecurity

When firms ask about the cost of a Written Information Security Plan (WISP), they’re often focused solely on the dollar amount. However, the true cost of developing and maintaining a WISP extends far beyond monetary investment.

In this post, we’ll break down the components required to create and maintain an effective, compliant WISP.

How much does a WISP cost?

The first thing to understand is how intricate an IRS-compliant WISP is, and why it has to be so complex.

  • Because you need to be prepared for security incidents: The document’s goal is to help firms “identify actions to take in the event of a security incident, data loss or theft” (IRS.gov). Its aim isn’t to complicate your job; it’s to protect it.
  • Because you need to account for your business’s unique vulnerabilities: The sample IRS WISP is a starting point that “can be scaled for a company’s size, scope of activities, complexity and customer data sensitivity.” Your specific requirements may differ from what the IRS has in its sample because no two companies are exactly alike.
  • Because vulnerabilities change all the time: Hackers change their tactics, and security documentation must keep up. That’s why the IRS amended its WISP how-to in August 2024 to include additional requirements. It’s also why annual WISP reviews are mandatory.

Effective WISP creation involves legal, IT, security, and auditing professionals. It’s far more than a form to fill out; it requires a deep understanding of your business’s specific needs and risks and the exact measures you’ve taken to avoid those risks.

Core cost components of a WISP

Let’s consider the substantial effort, expertise, and time that goes into crafting an effective WISP:

1. Professional services and expertise

  • Development costs: Professional WISP creation costs vary significantly based on your firm’s size, complexity, and specific security needs. They cover everything from initial assessment to policy development and implementation.
  • Consulting fees: Security consultants provide specialized assessments and recommendations tailored to your industry’s unique vulnerabilities and compliance requirements.
  • Legal review: A legal review ensures your WISP meets all regulatory requirements and provides adequate protection against liability, helping prevent costly compliance issues.
  • Ongoing support: Regular maintenance and expert guidance keep your WISP current and effective as regulations and security threats evolve.

2. Technology infrastructure

  • Security software: Essential security tools including monitoring systems, encryption software, and access controls form the technical foundation of your WISP implementation and protect sensitive data.
  • Documentation systems: A documentation platform manages all WISP policies and procedures while tracking changes and ensuring stakeholder access to current policies.
  • Training platforms: Security awareness training platforms deliver and track essential education resources, ensuring employees can properly implement security protocols.
  • Incident response tools: Security incident detection and management systems enable quick identification and response to potential security threats.

3. Internal resource allocation

  • Staff time: Initial WISP development requires a minimum of 15-20 hours from key personnel for assessment, planning, and implementation phases.
  • Training costs: Employee training involves both initial and ongoing investments to maintain security awareness and ensure proper implementation of procedures.
  • Documentation efforts: Designated staff members must continuously create and maintain WISP documentation to keep policies current and well-communicated.
  • Management oversight: Leadership must regularly review and approve security policies and incident responses to ensure proper governance.

4. Ongoing maintenance

  • Annual updates: Security personnel must regularly update policies to address evolving threats and regulations, maintaining program effectiveness.
  • Compliance monitoring: A combination of automated monitoring and manual review processes helps prevent compliance violations and security breaches.
  • Training updates: Regular training sessions and refresher courses keep your team current with security best practices and emerging threats.
  • Incident response planning: Teams must regularly update response procedures and conduct practice scenarios to ensure effective incident handling.

“All security measures included in this WISP shall be reviewed annually, beginning [annual calendar review date] to ensure that the policies contained in the WISP are adequate and meet all applicable federal and state regulations.” Publication 5708, IRS.gov

WISP creation steps

Creating a WISP involves several intricate steps beyond the literal written security plan. The process includes:

  1. Identifying sensitive data
  2. Crafting security policies
  3. Defining employee roles and responsibilities
  4. Implementing training programs
  5. And more (as detailed above!)

Each of these steps requires significant time, expertise, and precision. This process cannot be rushed or skimped on, as any inaccuracies or omissions can lead to severe penalties.

Crafting a WISP isn’t easy

The cost of a WISP isn’t just how much the document costs to put together; it’s the total amount of security and infrastructure required to make sure what you’re putting on that paper is accurate.

It requires specialized knowledge and a detailed understanding of your firm’s data security needs. While you can attempt to do it on your own, it’s a herculean task that can leave you feeling lost and overwhelmed.

Make it easier with a WISP template

But there’s good news. Whether you’re just getting started with your WISP, or you’re in need of a review, there are free templates available. Templates are a valuable resource for understanding the requirements of a WISP and can serve as a guide as you embark on this journey.

Learn more about templates and creating your own WISP here.

Make the right WISP investment

When asking, “How much is a WISP?” consider every monetary factor—including the cost of your time, effort and expertise. A well-crafted WISP protects your firm’s reputation and helps maintain client trust. While creating one requires significant effort, it’s an essential investment in your firm’s security infrastructure.

Ready to become IRS-compliant and get your WISP created? Contact us today.

And for more educational content delivered right to your inbox, subscribe to our blog.
