A WISP is a written information security plan: the document that says who is responsible for protecting client data in your firm, what protections are in place, and what happens when something goes wrong. It is not optional. Under the FTC Safeguards Rule (16 CFR Part 314), an accountant or tax preparation service in the business of completing income tax returns is a financial institution, and financial institutions must maintain a written information security program.
The IRS expects the same thing. Its Protect Your Clients, Protect Yourself guidance points preparers to Publication 4557, Safeguarding Taxpayer Data, and the Security Summit publishes Publication 5708, a plain-language WISP template for tax and accounting practices. The expectation even shows up in PTIN paperwork: Form W-12, the PTIN application and renewal, includes a Data Security Responsibilities item where you attest that you are aware preparers are required by law to create and maintain a written information security plan.
So the question is not whether your firm needs a WISP. It is whether the one you have, or the one you are about to write, would hold up when a regulator, a cyber insurer, or a breach forces someone to read it.
What has to be in it
The required elements live in 16 CFR 314.4. In plain language:
- A qualified individual. One named person who owns the program. You can use an outside provider for the work, but your firm keeps responsibility and oversight.
- A risk assessment. Identify where client data lives, what threatens it, and whether your current controls are enough. Revisit it periodically.
- Specific safeguards. Access limited to what each person needs, an inventory of data and systems, encryption in transit and at rest, multi-factor authentication, secure disposal of data you no longer need, change management, and monitoring of user activity.
- Testing. Verify that the safeguards actually work, either through continuous monitoring or through scheduled penetration testing and vulnerability assessments.
- Training. Staff awareness training that stays current, plus qualified people running security.
- Vendor oversight. Choose service providers that can protect client data, hold them to it by contract, and reassess them periodically.
- An incident response plan. A written plan for what your firm does when a security event hits, who does it, and how you communicate. The rule also requires reporting certain events involving at least 500 consumers to the FTC within 30 days of discovery.
- Ongoing evaluation and reporting. Adjust the program as your firm changes, with at least annual written reporting to leadership.
One nuance for small firms: under 16 CFR 314.6, firms holding information on fewer than 5,000 consumers are exempt from a few items, including the written form of the risk assessment, the scheduled testing regime, the written incident response plan, and the annual report. The safeguards themselves, MFA and encryption included, still apply to everyone.
Why most WISPs fail
Not for lack of paper. The failure pattern is always the same: a template gets filled in under deadline pressure, signed, and filed. Nobody maps it to the firm's actual systems. The named qualified individual changes jobs and the document never hears about it. MFA is “required” on page six and disabled on half the logins. A WISP that does not match reality is worse than uncomfortable in an audit or after a breach; it is written evidence that your firm knew what to do and did not do it. The fix is not a better document. It is enforcement: configure your systems so the policies run whether or not anyone remembers them. If the WISP says MFA is required, the tenant should refuse a login without it. If it says data is disposed of on schedule, retention policies should do the disposing.
How to get started this week
You do not need a six-month project to make real progress. Four steps fit inside a working week. First, pick the person who will own the program and write their name down; an unowned WISP is already failing. Second, list every system that touches client data, including the portal nobody remembers buying and the ones only one partner uses. That list becomes your risk assessment and your vendor oversight file. Third, turn on MFA everywhere the list allows, because it is the highest-value control on the sheet and the rule expects it anyway. Fourth, draft the plan itself; the template below gives you the structure so you are editing instead of staring at a blank page.
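A vendor-neutral drift check for the enforcement point above and the system list from step two, added here as an illustration; it is not part of this article or of any Tech Guru tooling. The System and Wisp record shapes and the sample firm are my own assumptions, and in practice the inventory fields would be filled from each tenant's admin export.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class System:
    """One row of the firm's system inventory (the list from step two)."""
    name: str
    holds_client_data: bool
    mfa_enforced: bool                # tenant refuses a login without MFA
    encrypted_at_rest: bool
    retention_days: Optional[int]     # None: no automatic disposal configured
    oldest_record: Optional[date]     # oldest client record still stored
    last_vendor_review: Optional[date]

@dataclass
class Wisp:
    """What the written plan commits to; reality is checked against this."""
    qualified_individual: str
    vendor_review_days: int = 365     # how often service providers are reassessed

def drift_findings(wisp: Wisp, systems: List[System], today: date) -> List[str]:
    """One line per gap between what the WISP says and what is configured."""
    findings = []
    if not wisp.qualified_individual.strip():
        findings.append("WISP: no named qualified individual")
    for s in systems:
        if not s.holds_client_data:
            continue                  # out of scope for the safeguards
        if not s.mfa_enforced:
            findings.append(f"{s.name}: MFA required by WISP but not enforced")
        if not s.encrypted_at_rest:
            findings.append(f"{s.name}: client data not encrypted at rest")
        if s.retention_days is None:
            findings.append(f"{s.name}: no retention policy doing the disposing")
        elif s.oldest_record and (today - s.oldest_record).days > s.retention_days:
            findings.append(f"{s.name}: records older than {s.retention_days}-day retention")
        age = None if s.last_vendor_review is None else (today - s.last_vendor_review).days
        if age is None or age > wisp.vendor_review_days:
            findings.append(f"{s.name}: vendor review overdue")
    return findings

# Constructed sample firm (hypothetical, not real data) and the audit date used below.
AS_OF = date(2025, 6, 1)
SAMPLE_WISP = Wisp(qualified_individual="J. Partner")
SAMPLE_SYSTEMS = [
    System("tax-software", True, True, True, 2555, date(2019, 4, 15), date(2025, 1, 10)),
    System("client-portal", True, False, True, None, date(2016, 2, 1), None),
    System("marketing-site", False, False, False, None, None, None),
]
```

Running drift_findings(SAMPLE_WISP, SAMPLE_SYSTEMS, AS_OF) flags only the client portal, on three counts; the marketing site is skipped because it holds no client data.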
If you would rather not run this alone, this is the core of what Tech Guru does for accounting firms: we write the WISP, aligned to the FTC Safeguards Rule and IRS Publication 4557, and then configure your systems so the plan is enforced, not shelved. The document and the configuration come from the same hands, which is why they match.
This article and the template below are educational content, not legal advice. Have your attorney review your firm-specific WISP language before you adopt it.