
The Ultimate WISP Guide: Requirements for Accounting Firms

Does your firm have a Written Information Security Plan? Learn the essential WISP requirements for accountants to stay compliant.


Last Updated June 25, 2026



A Comprehensive Guide to WISP Requirements for Accountants

What Is a WISP?

A WISP (Written Information Security Plan) is a document that outlines how your business identifies, assesses, and manages cybersecurity risks to protect sensitive client information.

For accounting firms and tax preparers, a WISP is not optional: the FTC Safeguards Rule requires a written information security program, and the IRS requires you to attest to having one when you obtain or renew a PTIN. It is also the foundation of responsible data stewardship.

Your WISP functions as a strategic roadmap for how your organization handles data security, answering:

  • Who’s responsible for data security?
  • What data security safeguards are in place?
  • How are employees trained about the latest security practices?
  • What happens if (or when) there is a cyber incident?

A well-constructed WISP signals to clients, regulators, and insurers that your firm takes data protection seriously.

History of the WISP

The WISP, as we know it today, has evolved over the decades in response to growing federal concern about the security of sensitive personal and financial data.

Here’s a brief timeline of key regulatory milestones:

  1. 1996: The Health Insurance Portability and Accountability Act (HIPAA) was enacted; its Security Rule, finalized in 2003, requires covered entities to implement formal administrative, physical, and technical safeguards for protected health information and became the model for later sector-specific security programs.
  2. 1999: The Gramm-Leach-Bliley Act (GLBA) required financial institutions to protect consumer financial data and directed the FTC and other regulators to issue safeguards standards.
  3. 2003: The FTC Safeguards Rule, issued in 2002 under GLBA, took effect, requiring non-bank financial institutions to develop and implement comprehensive information security programs.
  4. Throughout the 2000s and 2010s: States introduced their own data security and breach notification laws (Massachusetts 201 CMR 17.00, which popularized the term "written information security program," is one example), creating an increasingly layered compliance environment for accounting professionals.
  5. 2021: The FTC amended the Safeguards Rule with prescriptive requirements (a designated qualified individual, a written risk assessment, encryption, multifactor authentication) to account for evolving threats and modern data environments; most of the new provisions took effect in June 2023.
  6. 2023: The IRS revised Form W-12 so that anyone applying for or renewing a PTIN must confirm awareness of their data security responsibilities, including having a WISP in place.
  7. 2024: The Safeguards Rule’s security event notification requirement took effect in May 2024, adding an obligation to notify the FTC of qualifying breaches.

IRS Compliance Standards

The IRS has made its expectations clear: tax professionals who handle taxpayer data must maintain a written security plan. The attestation is built into PTIN renewal, so it reaches every preparer who holds a PTIN, i.e., a large share of accounting professionals.

When completing IRS Form W-12 for a new or renewed PTIN, Question 11 asks you to confirm that you are aware of your data security responsibilities and that a WISP is in place. Form W-12 is signed under penalties of perjury, so checking the box when no plan exists is a false statement on a sworn form. The consequences can include PTIN revocation, license suspension, and civil penalties.

Form W-12 (revised October 2025), Question 11, Data Security Responsibilities | Source: IRS.gov

Beyond the annual certification, the IRS publishes Publication 4557, which outlines what your security plan must address.

This document is the clearest roadmap available for tax preparers navigating WISP compliance.

IRS Publication 4557: 6 Core Requirements for Tax Preparers

IRS Publication 4557, Safeguarding Taxpayer Data | Source: IRS.gov

“Safeguarding Taxpayer Data,” IRS Publication 4557, outlines the specific safeguards tax preparers must implement.

Here are the six core requirements and what each means for your firm:

1. Designate a qualified individual.

Your firm must assign a specific person to oversee the information security program. This individual, often called the Data Security Coordinator, is responsible for assessing risks, implementing controls, and managing ongoing compliance. For small firms, this is often the owner. Larger firms may designate an operations or IT lead. The key is that someone is explicitly accountable.

2. Conduct a risk assessment.

You must formally identify the types of client data you collect and process, then assess where and how that data could be compromised.

This includes evaluating:

  • Internal risks (employee error, unauthorized access)
  • External risks (phishing, malware)
  • Environmental risks (physical theft of devices)

Your risk assessment must be documented and updated regularly.

3. Design and implement a safeguards program.

Based on your risk assessment, you must put controls in place to address identified vulnerabilities:

  • Technical controls (firewalls, encryption, multifactor authentication)
  • Physical controls (locked cabinets, screen locks)
  • Administrative controls (access policies, termination procedures)

All controls must be documented in your WISP.

4. Oversee service providers.

If you work with third-party vendors who access, store, or transmit taxpayer data, you’re responsible for confirming that those vendors maintain appropriate security standards.

Your WISP must document how you evaluate and monitor vendor security, and your vendor contracts should include data protection requirements.

5. Develop a response plan for security incidents.

Every firm needs a documented process for responding to a data breach or cyberattack. Your incident response plan must identify who is notified (internally and externally), what steps are taken to contain the incident, and how affected clients are informed.

Publication 4557 also directs you to report a breach involving taxpayer data to your local IRS Stakeholder Liaison, in addition to the clients, law enforcement contacts, and state authorities your plan identifies.

IRS Stakeholder Liaison contacts by state, as of June 2026 | Source: IRS.gov

6. Regularly evaluate and adjust the program.

Your WISP is a living document. IRS 4557 requires that you review and update your plan at least annually, and any time your business changes in ways that affect your data security posture—new employees, new technology, new client types, or after any security incident.

The FTC Safeguards Rule for Accounting Firms

Most conversations about WISP requirements focus exclusively on the IRS, but accounting firms are also subject to the FTC Safeguards Rule under the Gramm-Leach-Bliley Act.

The Safeguards Rule carries its own compliance obligations that go beyond what the IRS requires. The Safeguards Rule applies to any financial institution that is not subject to the jurisdiction of another federal regulator.

For accounting firms that provide tax preparation, financial planning, or advisory services, the FTC is the relevant regulator.

Under the Safeguards Rule as amended in 2021, covered firms must:

  • Designate a qualified individual to oversee the information security program.
  • Conduct a written risk assessment.
  • Implement safeguards to control identified risks, including access controls, encryption of customer information in transit and at rest, multifactor authentication for anyone accessing customer information, and secure disposal of customer information that is no longer needed.
  • Regularly monitor and test the effectiveness of those safeguards, through either continuous monitoring or annual penetration testing plus vulnerability assessments at least every six months.
  • Train employees on security awareness and their specific responsibilities.
  • Oversee service providers through written contracts that require appropriate safeguards.
  • Develop a written incident response plan.
  • Report in writing, at least annually, to the board of directors or senior leadership on the status of the program.

One sizing caveat: firms that maintain customer information on fewer than 5,000 consumers are exempt from the written risk assessment, the monitoring and penetration testing requirement, the written incident response plan, and the annual report to leadership (16 CFR 314.6). The exemption does not remove the core obligation to maintain an information security program, and the IRS still expects a written plan when you sign Form W-12, so small firms should treat these items as best practice rather than skip them.

The amendment finalized in 2023 and effective in May 2024 added a specific breach notification requirement: firms must notify the FTC as soon as possible, and no later than 30 days after discovery, of a security event in which unencrypted customer information of at least 500 consumers was acquired without authorization.

This reporting obligation makes incident response planning even more critical.

For accounting firms, the practical effect is that your WISP must satisfy both the IRS’s guidance from Publication 4557 and the FTC’s Safeguards Rule.

Fortunately, a well-designed WISP can address both simultaneously. The requirements are largely aligned, and where they differ, the FTC’s standards are typically more detailed.

Why Having a WISP Is Important

A WISP matters for several critical reasons beyond regulatory compliance:

  • Legal compliance: WISPs aren’t optional for tax professionals. When renewing your PTIN on IRS Form W-12, Question 11 requires you to confirm that a WISP is in place. Falsely stating you have one constitutes perjury and could result in license revocation or PTIN termination.
  • Business continuity: With a proper WISP, your firm knows exactly how to respond to potential breaches, minimizing damage and recovery time.
  • Insurance and liability protection: Cyber insurance applications commonly ask whether you maintain a written security program, and a WISP gives you documented evidence of your controls if you need to make a claim after a breach. Insurers may contest a claim when the insured party had no written plan in place.
  • Client trust: Your clients trust you with their most sensitive financial information. A WISP ensures you have proper safeguards in place to protect that data and demonstrates your commitment to their security.
  • Vendor accountability: A written security plan gives you a framework for evaluating and monitoring the third-party providers who access your systems and client data.

Key Components of a WISP

IRS Publication 5708 | Source: IRS.gov

According to IRS Publication 5708, a comprehensive Written Information Security Plan includes these foundational components:

1. Objective, purpose, and scope

State why you’re creating the plan, identify any legal obligations driving it, and describe what taxpayer information your security processes are designed to protect.

2. Designated responsible individuals

Identify the Data Security Coordinator (DSC) and Public Information Officer (PIO) for your firm. Define their responsibilities clearly:

  • A Data Security Coordinator oversees information security processes, from securing data and remediating vulnerabilities to training staff on cybersecurity best practices.
  • A Public Information Officer serves as the single point of contact for all outward communications related to a data breach incident.

3. Risk assessment

Document the types of information your office handles and how that information could be threatened—internally, externally, or through accidental disclosure or deletion. Include how you plan to monitor and test for these risks on an ongoing basis.

4. Hardware inventory

List every device that stores or processes personally identifiable information (PII), including the type of information stored on each device and its physical location.

5. Data encryption and access control

Document the technical controls your firm uses to protect data at rest and in transit. This section must cover:

  • Encryption standards for stored files and transmitted data.
  • Multifactor authentication requirements for all systems accessing taxpayer data.
  • User access controls and the principle of least privilege (staff can access only what they need).
  • Remote access protocols for staff working outside the office.
  • Password policies and standards.

This is one of the areas where technology providers can add significant value. Cloud platforms that host your accounting software often include built-in encryption, access logging, and multifactor authentication—controls your WISP can reference directly. Keep the division of responsibility explicit, though: the provider’s documentation covers its platform, while account configuration (who has access, whether MFA is enforced for every user, how logs are reviewed) remains your firm’s responsibility and belongs in your plan.

6. Security safeguards

Document the full range of safety measures and policies in place, from multifactor authentication to remote access protocols. Attach your Incident Response Plan, Data Breach Response Plan, and Breach Notification Plan. Include a Draft Employee Code of Conduct that covers training procedures and the steps your firm takes when an employee separates or is terminated.

7. Implementation clause

Confirm that your WISP is implemented in compliance with GLBA and the FTC Safeguards Rule, plus any state-specific regulations that apply to your firm.

Complete WISP Checklist: 12 Components with Actionable Steps

Use this checklist to confirm your WISP covers every required element. Each component lists what it is and the specific actions your firm needs to take.

  1. Program Objective and Scope
     What it is: States why the plan exists and what data it covers.
     What to do: Cite IRS 4557, the FTC Safeguards Rule, and applicable state laws. Define what data and systems are in scope.

  2. Designated Coordinator
     What it is: The person accountable for your security program.
     What to do: Name a Data Security Coordinator and a Public Information Officer. Document responsibilities and backups.

  3. Written Risk Assessment
     What it is: A documented evaluation of where client data could be compromised.
     What to do: Identify all data types and threats. Assign a risk level to each and schedule your next review.

  4. Hardware and Software Inventory
     What it is: A record of every device and platform that holds client data.
     What to do: Log each device by type, location, owner, and data stored. Include cloud platforms. Update when anything changes.

  5. Access Controls
     What it is: Policies governing who can access client data and when.
     What to do: Enable MFA on all systems. Apply least-privilege access. Document how access is granted, reviewed, and revoked.

  6. Data Encryption
     What it is: Standards for protecting data at rest and in transit.
     What to do: Encrypt stored data and use TLS (not legacy SSL) for transmission. Document standards and who is responsible for key management.

  7. Secure Data Disposal
     What it is: The process for permanently destroying data no longer needed.
     What to do: Define retention periods. Document destruction methods and maintain a disposal log.

  8. Employee Training Program
     What it is: Recurring training so staff understand their security responsibilities.
     What to do: Train at hire and annually. Cover phishing, passwords, and incident reporting. Log completion dates.

  9. Vendor Oversight
     What it is: The process for vetting third parties who access your data.
     What to do: Request SOC 2 reports. Include data protection language in contracts. Reassess vendors annually.

  10. Incident Response Plan
      What it is: A tested playbook for responding to a breach.
      What to do: Document containment steps, notification parties, and staff roles. Test the plan annually.

  11. Physical Security Controls
      What it is: Policies for physical access to devices and offices.
      What to do: Document office controls and clean desk policies. Address device policies for remote workers.

  12. Implementation and Compliance Statement
      What it is: Formal confirmation the plan meets regulatory requirements.
      What to do: Confirm alignment with IRS 4557, the FTC Safeguards Rule, and state laws. Include signature lines.
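Component 4 asks you to log every device by type, location, and data stored, and components 5, 6, and 11 state the controls each of those devices must carry. The script below, an added example that is not from the original article or from the IRS or FTC publications it cites, checks an inventory against those controls so that a stale record, an unencrypted laptop, or a server reachable without MFA shows up before the annual review rather than after an incident. The asset fields, the data-class labels in PII_CLASSES, and every record in INVENTORY are assumptions constructed for the example.

```python
"""Control-coverage check over a WISP hardware and software inventory.

This is an added example, not code from the original article or from the
IRS/FTC publications it cites. It assumes the inventory is kept as records
with the fields the checklist names (type, location, data stored) plus the
control flags a firm would record per asset. Every asset below is constructed.
"""
from dataclasses import dataclass
from datetime import date

# Assumed data labels that count as client PII for the purposes of the check.
PII_CLASSES = {"SSN", "TAX_RETURN", "BANK"}
PORTABLE_KINDS = {"laptop", "phone", "tablet"}


@dataclass
class Asset:
    asset_id: str
    kind: str            # laptop, desktop, server, cloud, printer, ...
    location: str        # office, remote, cloud
    owner: str           # accountable person; empty string if nobody is recorded
    data: set            # data classes stored or processed on the asset
    encrypted_at_rest: bool
    mfa: bool            # access to the asset requires multifactor authentication
    screen_lock: bool
    last_reviewed: date  # when the inventory record was last confirmed


def check_asset(asset, today, max_review_age_days=365):
    """Return the findings for one asset; an empty list means it passes."""
    findings = []
    holds_pii = bool(asset.data & PII_CLASSES)
    if holds_pii and not asset.encrypted_at_rest:
        findings.append("PII stored without encryption at rest")
    if holds_pii and not asset.mfa:
        findings.append("PII accessible without MFA")
    if asset.kind in PORTABLE_KINDS and not asset.screen_lock:
        findings.append("portable device without screen lock")
    if not asset.owner:
        findings.append("no accountable owner recorded")
    age = (today - asset.last_reviewed).days
    if age > max_review_age_days:
        findings.append(f"inventory record stale ({age} days since last review)")
    return findings


def audit(inventory, today):
    """Map asset_id -> findings for every asset that fails at least one check."""
    report = {}
    for asset in inventory:
        findings = check_asset(asset, today)
        if findings:
            report[asset.asset_id] = findings
    return report


# Constructed sample inventory for a small firm.
TODAY = date(2026, 6, 25)
INVENTORY = [
    Asset("LT-01", "laptop", "remote", "alice", {"TAX_RETURN", "SSN"}, True, True, True, date(2026, 5, 1)),
    Asset("LT-02", "laptop", "remote", "bob", {"TAX_RETURN"}, False, True, False, date(2026, 5, 1)),
    Asset("SRV-01", "server", "office", "carol", {"TAX_RETURN", "BANK"}, True, False, True, date(2025, 2, 1)),
    Asset("CLOUD-DOCS", "cloud", "cloud", "carol", {"TAX_RETURN"}, True, True, True, date(2026, 6, 1)),
    Asset("PRN-01", "printer", "office", "", set(), False, False, False, date(2026, 6, 1)),
]

if __name__ == "__main__":
    for asset_id, findings in audit(INVENTORY, TODAY).items():
        print(asset_id)
        for finding in findings:
            print("  -", finding)
```

Run it against the constructed inventory and only LT-02, SRV-01, and PRN-01 are reported; the laptop and cloud platform that carry every control pass silently. Extend check_asset with whatever your safeguards section promises (VPN for remote devices, MDM enrollment for phones) so the code and the WISP make the same claims.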


Annual WISP Review Checklist

Your WISP is not a one-time document. Both the IRS and the FTC require that you review and update your plan at least once per year, and any time a significant change affects your data environment.

Use this checklist to structure your annual review:

Review your risk assessment
  • [ ] Have any new data types or client categories been added to your practice?
  • [ ] Have new cyberthreats emerged that weren’t addressed in the previous assessment?
  • [ ] Did you experience any security incidents or near-misses in the past year?
  • [ ] Have any previously identified risks been adequately mitigated?

Update your hardware and software inventory
  • [ ] Have any new devices been added to the firm?
  • [ ] Have any devices been retired, lost, or stolen?
  • [ ] Have you added new software platforms or cloud services?
  • [ ] Are all inventoried devices still covered by the documented security controls?

Review access controls
  • [ ] Are all active user accounts still associated with current employees?
  • [ ] Have departing employees had their access revoked promptly?
  • [ ] Are access privileges still appropriate for each user’s current role?
  • [ ] Is multifactor authentication enabled on all required systems?

Confirm employee training completion
  • [ ] Have all current employees completed their annual security awareness training?
  • [ ] Have new hires received training within their first 30 days?
  • [ ] Does the training content reflect current threats and firm policies?

Review and test your incident response plan
  • [ ] Has the plan been tested through a tabletop exercise or drill?
  • [ ] Are all contact lists and notification procedures current?
  • [ ] Do staff know their specific roles in the event of a breach?
  • [ ] Does the plan reflect any changes to IRS or FTC notification requirements?

Reassess your vendors
  • [ ] Have you requested updated security documentation from key vendors?
  • [ ] Have any vendors changed their security posture or experienced breaches?
  • [ ] Do all vendor contracts include current data protection language?
  • [ ] Have you added any new vendors who now need to be assessed?

Confirm regulatory compliance
  • [ ] Have there been any changes to IRS Publication 4557 guidance?
  • [ ] Have any FTC Safeguards Rule amendments taken effect?
  • [ ] Have state regulations applicable to your firm changed?
  • [ ] Is your WISP dated and signed for the current review cycle?
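The four access-control questions above are the part of the annual review that most firms answer from memory, and memory is exactly how a separated employee’s account survives for another year. The script below is an added example, not code from the original article: it reconciles a per-system account export against the HR roster and answers each question mechanically. ROLE_BASELINE is an assumed least-privilege policy, the 90-day dormancy threshold is an assumption, and every roster entry and account record is constructed.

```python
"""Annual access review: reconcile system accounts against the HR roster.

This is an added example, not code from the original article. It assumes two
exports a firm can normally obtain: an HR roster (who currently works here and
in what role) and a per-account listing from each system (entitlements, MFA
status, last login). ROLE_BASELINE is an assumed least-privilege policy, and
every record below is constructed.
"""
from datetime import date

# Assumed least-privilege baseline: the entitlements each job role needs.
ROLE_BASELINE = {
    "preparer": {"tax_software:user", "doc_portal:user"},
    "reviewer": {"tax_software:user", "tax_software:review", "doc_portal:user"},
    "admin": {"tax_software:admin", "doc_portal:admin", "m365:admin"},
}


def review_access(hr_roster, accounts, today, inactive_days=90):
    """Answer the four access-control questions from the annual review.

    hr_roster: {username: {"role": str, "active": bool}}
    accounts:  [{"user": str, "entitlements": set, "mfa": bool, "last_login": date or None}]
    Returns a dict of findings keyed by question.
    """
    findings = {"orphaned": [], "no_mfa": [], "excess": [], "inactive": []}
    for acct in accounts:
        user = acct["user"]
        person = hr_roster.get(user)
        # Q1/Q2: an account with no current employee behind it gets revoked first;
        # the remaining checks are moot once the account is gone.
        if person is None or not person["active"]:
            findings["orphaned"].append(user)
            continue
        # Q4: MFA enabled on every account that reaches client data.
        if not acct["mfa"]:
            findings["no_mfa"].append(user)
        # Q3: privileges still appropriate for the person's current role.
        extra = set(acct["entitlements"]) - ROLE_BASELINE.get(person["role"], set())
        if extra:
            findings["excess"].append((user, sorted(extra)))
        # Dormant accounts are a standing risk even when the owner is current.
        last = acct["last_login"]
        if last is None or (today - last).days > inactive_days:
            findings["inactive"].append(user)
    return findings


# Constructed sample data.
TODAY = date(2026, 6, 25)
HR_ROSTER = {
    "alice": {"role": "reviewer", "active": True},
    "bob": {"role": "preparer", "active": True},
    "carol": {"role": "admin", "active": True},
    "dave": {"role": "preparer", "active": False},  # separated in March, account never disabled
}
ACCOUNTS = [
    {"user": "alice", "entitlements": {"tax_software:user", "tax_software:review", "doc_portal:user"},
     "mfa": True, "last_login": date(2026, 6, 20)},
    {"user": "bob", "entitlements": {"tax_software:user", "doc_portal:user", "doc_portal:admin"},
     "mfa": False, "last_login": date(2026, 6, 22)},
    {"user": "carol", "entitlements": {"tax_software:admin", "doc_portal:admin", "m365:admin"},
     "mfa": True, "last_login": date(2026, 1, 5)},
    {"user": "dave", "entitlements": {"tax_software:user"}, "mfa": True, "last_login": date(2026, 3, 1)},
    {"user": "svc-backup", "entitlements": {"doc_portal:admin"}, "mfa": False, "last_login": None},
]

if __name__ == "__main__":
    for question, hits in review_access(HR_ROSTER, ACCOUNTS, TODAY).items():
        print(f"{question}: {hits}")
```

On the constructed data the review flags dave (separated) and svc-backup (no person behind it) as orphaned, bob for missing MFA and for an admin entitlement his role does not justify, and carol’s admin account as dormant. Service accounts that legitimately have no human owner should be listed in the roster under a named custodian rather than excluded from the check, so that their privileges and dormancy are reviewed like everyone else’s.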


4 WISP Best Practices

No two WISPs will, or should, look exactly alike. The contents of your plan depend on your firm’s size and complexity, the sensitivity of the data you handle, and the specific regulations that apply to you.

That said, these four practices make WISP creation more manageable for any firm:

1. Designate a qualified individual first

Before writing a single word of your plan, assign someone to manage your WISP’s creation, implementation, ongoing maintenance, and any associated costs. This person can be internal or external to your business, but must be comfortable coordinating risk assessments, confirming third-party vendor security compliance, and managing staff training.

2. Use a template

Starting a plan from scratch is time-consuming and expensive, even for experienced practitioners. Lean on trusted templates (IRS Publication 5708 includes a sample plan) as your starting guide, then customize them for your firm’s specific situation.

3. Schedule regular reviews

Your WISP isn’t a one-time document. It must be reviewed annually, at minimum, to confirm it meets current regulations and addresses evolving threats. Build the review into your firm’s calendar rather than waiting until PTIN renewal to check the box.

4. Draw on your technology providers

Your technology providers can make WISP implementation significantly easier. Instead of tracking down certifications yourself, ask them to share documentation about their security controls that support your compliance requirements. When evaluating potential partners, confirm that they:

  • Understand regulatory requirements for financial services and the accounting profession.
  • Can clearly explain how their solutions address WISP requirements.
  • Provide SOC 2 reports or equivalent documentation on request.
  • Maintain security standards aligned with NIST or similar frameworks.

Frequently Asked Questions

What are the WISP requirements for accountants under IRS rules?

The IRS requires tax preparers who hold a PTIN to have a Written Information Security Plan in place. When renewing your PTIN on IRS Form W-12, Question 11 asks you to certify that a WISP exists. IRS Publication 4557 outlines six core requirements: designating a qualified individual, conducting a risk assessment, implementing a safeguards program, overseeing service providers, developing an incident response plan, and regularly reviewing and updating the program.

Is a WISP required by law for tax preparers?

Yes. Tax preparers must certify they have a WISP as part of annual PTIN renewal. Falsely certifying constitutes perjury and can result in PTIN revocation and license suspension. Accounting firms that qualify as financial institutions under the Gramm-Leach-Bliley Act are also subject to the FTC Safeguards Rule, which independently requires a formal written information security program.

What does IRS Publication 4557 require for a WISP?

IRS Publication 4557 requires tax preparers to designate a qualified individual, conduct a written risk assessment, design and implement safeguards, oversee third-party service providers, develop an incident response plan, and regularly evaluate and update the program. These six requirements form the compliance baseline for any tax preparer WISP.

How often does a WISP need to be updated?

Both the IRS and the FTC Safeguards Rule require annual review and updates. You should also revise the plan any time your business changes in ways that affect your data security posture: new employees, new technology, new client types, or after any security incident.

What is the FTC Safeguards Rule and does it apply to accounting firms?

The FTC Safeguards Rule is a federal regulation under the Gramm-Leach-Bliley Act requiring financial institutions to implement a comprehensive information security program. Accounting firms that provide tax preparation, financial planning, or advisory services generally qualify and must comply. The requirements overlap significantly with IRS Publication 4557.

What happens if a tax preparer doesn’t have a WISP?

Operating without a WISP exposes your firm to PTIN revocation, civil penalties, denied insurance claims after a breach, and significant damage to client relationships. Certifying on IRS Form W-12 that you have a WISP when you don’t constitutes perjury.

Can a small accounting firm use a WISP template?

Yes, and most should. A well-designed template that addresses IRS Publication 4557 and the FTC Safeguards Rule gives you a documented structure to customize for your firm. Templates work best when you adapt them to reflect your actual policies, personnel, and technology rather than filing them unchanged.

What should be in an incident response plan within a WISP?

Your incident response plan must define what constitutes a breach, document the containment and investigation process, identify all required notification parties (clients, the IRS Stakeholder Liaison, the FTC when unencrypted information of 500 or more consumers is involved, state regulators), and assign specific roles to staff. Test the plan through tabletop exercises at least annually.

Do cloud-based accounting platforms help with WISP compliance?

Yes, significantly. Cloud platforms often include built-in controls (encryption, multifactor authentication, access logging, automated backups) that directly address WISP requirements. Ask your technology providers for SOC 2 reports and security documentation you can reference in your plan.

Does a WISP need to cover remote workers?

Yes. Your WISP must address remote access protocols, virtual private network (VPN) requirements, device policies for laptops and mobile devices used outside the office, and screen lock requirements. Failure to address remote work scenarios creates a significant compliance gap for most modern accounting firms.

Get Help Writing Your Security Plan

The right WISP doesn’t just satisfy a regulatory requirement; it helps you identify where your business may be vulnerable to a cyberattack and gives you a plan for what to do when threats materialize.

Download our free WISP template to begin building your firm’s comprehensive security plan. And if you want expert guidance on your security strategy, vulnerability assessment, and WISP creation, we’re here to help.


Get Rightworks articles delivered straight to your inbox.