Written Information Security Plan

 A Written Information Security Plan (WISP)is a federally required document that outlines how your tax or accounting firm protects sensitive taxpayer information. Every tax professional whether you’re a CPA, EA, bookkeeper, or preparer with a PTIN, is legally required to maintain a current WISP under IRS Publication 4557 and the FTC Safeguards Rule.

A Written Information Security Plan (WISP)is a federally required document that outlines how your tax or accounting firm protects sensitive taxpayer information. Every tax professional whether you’re a CPA, EA, bookkeeper, or preparer with a PTIN, is legally required to maintain a current WISP under IRS Publication 4557 and the FTC Safeguards Rule

A WISP is more than a policy document. It is your firm’s official, written proof that you have strong administrative, technical, and physical safeguards in place to prevent identity theft, unauthorized access, and data breaches.

Why the IRS Requires a WISP

Tax professionals are classified as financial institutions under the Gramm‑Leach‑Bliley Act (GLBA). Because you handle highly sensitive taxpayer data, the IRS and FTC require you to maintain a WISP that documents:

o  How your firm prevents security incidents

o  How you detect threats

o  How you respond to breaches

o  How you secure, store, and dispose of taxpayer records

Starting in 2023, the IRS added a direct requirement to PTIN renewal applications, asking you to certify that your firm has a written security plan in place. False certification can be treated as perjury on a federal form.

What Your WISP Must Include

A compliant WISP typically covers:

Administrative Safeguards

o  Assigned security coordinator

o  Employee training

o  Access control policies

o  Data handling procedures

Technical Safeguards

o Security Services

Protec Your Firm with a Fully Compliant WISP

A strong Written Information Security Plan helps your firm:

o  Meet IRS and FTC legal requirements

o  Reduce cyber‑risk

o  Avoid fines, penalties, and investigations

o  Strengthen client trust

o  Improve overall security posture

Whether you’re a solo practitioner or a multi‑staff CPA firm, a WISP is your front‑line defense against data breaches and identity theft.