Risk Management

How to Write a WISP That Actually Holds Up

What a real Written Information Security Plan contains, section by section, with examples for a 1 to 10 person tax firm. Plus the qualified individual decision and the most common mistakes that void the document.

October 3, 2023 · 11 min read

Most WISPs in circulation are PDFs from 2018 with the firm name swapped in. Here is what a real Written Information Security Plan looks like, section by section.

What a WISP is, and what it is not

A Written Information Security Plan is the document that describes how your firm protects client data. The FTC Safeguards Rule (16 CFR Part 314) requires it of tax preparers, who count as financial institutions under the Gramm-Leach-Bliley Act; IRS Publication 4557 restates that requirement for the tax industry, and a number of state financial privacy laws add their own. It is also the single most-faked compliance artifact in the tax industry.

A real WISP is operational. It names people, lists systems, documents controls, and is signed annually. It is the playbook a junior employee could read on day one to understand how the firm protects client information.

A fake WISP is a generic template downloaded off a forum, with a firm name pasted into the header and no further customization. It satisfies a checkbox, not a regulator. If a reviewer asked the office manager what the WISP says about offboarding, and they could not answer, the document is fake regardless of how many pages it has.

The 8 sections every real WISP contains

A defensible WISP has eight sections. You can add more, but you cannot defend a WISP that is missing any of these.

1. Purpose and scope

A short paragraph stating that the document describes the firm's program for protecting customer information, naming the legal frameworks it satisfies (IRS Pub 4557, FTC Safeguards Rule, applicable state laws), and stating who the plan covers (every employee, contractor, intern, and vendor with access to client data).

2. The qualified individual

One named person responsible for the program. Title, phone, email. For a small firm, this is usually the owner or a managed security provider operating under a service agreement. If a provider fills the role, the firm still has to name a senior employee who directs and oversees that provider, because the Safeguards Rule leaves compliance responsibility with the firm. This section also names the backup contact in case the qualified individual is unavailable.

3. Information inventory

A list of every category of client data the firm holds (Social Security numbers, bank accounts, prior-year returns, W-2s, supporting documents) and where each lives (tax software, document portal, on-premise server, cloud storage, paper files). The inventory should be specific enough that you could draw a data map from it.

4. Risk assessment

A documented review of the threats your firm faces (phishing, ransomware, vendor compromise, insider error, physical theft), the likelihood of each, and the controls in place to address each. Updated when something material changes, at minimum once per year.

5. Safeguards

The longest section. It describes the technical and administrative controls in place. At minimum:

  • Access controls (who can see what, how access is granted and revoked)
  • Authentication (MFA on every system, password rules, session timeouts)
  • Encryption (at rest, in transit, on portable devices)
  • Endpoint protection (EDR on every device that touches client data)
  • Email security (anti-phishing, impersonation protection, MFA)
  • Network controls (firewall, segmentation, secure Wi-Fi)
  • Backup and recovery (frequency, encryption, restore testing)
  • Physical security (locks on rooms holding paper files or servers)
  • Disposal (how client data is destroyed when no longer needed)

6. Vendor management

A list of every vendor with access to client data, the type of access they have, and the security agreement on file. A SOC 2 Type II report (or an equivalent independent audit report) is the floor for any vendor holding client data. Vendors that cannot produce one should be flagged for replacement.

7. Training and awareness

How and how often staff are trained on security. Frequency, topics, completion records. The standard is at least annual security awareness training for every employee, with quarterly phishing simulations and remediation for anyone who fails.

8. Incident response plan

A short, written plan covering: how an incident is reported internally, who responds, the IRS Stakeholder Liaison contact, the cyber insurance contact, the legal contact, the timeline for client notification, the state-level notification requirements that apply to your client base, and where the post-incident review is documented.

The qualified individual decision

For a solo or small firm, the question is whether the owner serves as the qualified individual or whether the role is outsourced.

Owner as qualified individual works if the owner is willing to take on personal responsibility for the program, has the time to maintain it, and is comfortable being the named contact in an enforcement action. The advantage is no extra fee. The disadvantage is that the owner is the person who answers for every missed control.

Outsourced qualified individual works if the firm prefers to shift the operational burden to a managed provider. The provider becomes the named individual under contract, runs the controls, and produces the artifacts. The firm pays a recurring fee, designates a senior employee to oversee the provider, and signs off on the annual review. Note what does not move: the firm remains responsible for compliance under the Safeguards Rule, so the contract should spell out what the provider delivers and what evidence it produces. Most firms above three employees move to this model within their first year of formal compliance.

There is no third option. Pretending you have a qualified individual when nobody is actually doing the work is the most common compliance failure in the industry. It is also the easiest one for a regulator to find.

Vendor inventory: the part most firms skip

Take a sheet of paper. Write down every system or service that touches client data. The list is usually longer than firm owners expect:

  • Tax preparation software
  • Practice management system
  • Document portal or secure file transfer
  • Cloud storage (Google Drive, OneDrive, Dropbox)
  • Email provider
  • Payroll software (yours and any client's that you access)
  • QuickBooks or accounting software
  • E-signature service
  • Secure-email gateway
  • Backup provider
  • Bookkeeping app integrations
  • Any seasonal contractor's personal devices

Each vendor on the list is a separate relationship that needs a security agreement and a SOC 2 (or equivalent) on file; contractor devices are not vendors, but they belong in the information inventory and under the endpoint controls in the safeguards section. Firms typically discover three to five vendors they had not thought of when they do this exercise.

The annual review and signature

The WISP is dated. It is signed by the qualified individual and the firm owner. It is reviewed every 12 months at minimum, and the review is documented (a one-page memo confirming the plan still reflects how the firm operates is enough).

A WISP older than 12 months with no review note reads, to a regulator or an insurer, as evidence that no real program is in place. The signature and date are not a formality. They are the proof that the document is alive.

The 5 most common mistakes

After reviewing hundreds of small-firm WISPs, the failure modes are predictable.

  1. Generic template, never customized. The firm name appears in three places. Everything else is boilerplate.
  2. No qualified individual named, or the named person no longer works at the firm.
  3. Vendor list missing. The plan claims vendor oversight but produces no list.
  4. No incident response plan, or one that names the wrong contacts.
  5. No training records. The plan requires annual training; the firm cannot prove a single employee completed any.

Each of these makes the document indefensible. Each of these is also fixable in a week, with the right template and the right discipline.

What to do this week

If your current WISP has any of the five mistakes above, replace it. A real WISP for a small firm runs 8 to 15 pages, takes about a day to write, and stays current with quarterly check-ins. The hardest part is the vendor inventory, and it is hardest because it is honest.

If you want a WISP template that is actually shaped like what the IRS and FTC expect, including the evidence checklist most generic plans leave out, we will send you ours. It is the same template we use with our managed-security clients.
